File name:

TradingView Premium (PCDesktop).zip.zip

Full analysis: https://app.any.run/tasks/22bba00e-5f39-4927-9ed5-1348eb770ee9
Verdict: Malicious activity
Threats:

Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.

Malware Trends Tracker     >>>
Analysis date: October 24, 2023, 14:16:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
arkei
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

FEEB49CB17BF674C31217CF940009EF6

SHA1:

11EE53BC004D41402430275D509325D6E60B7E50

SHA256:

D00CA86EF3D1210394357EFA76C710FEC914EC38ACAC76E63E0AB5226F7B2CCC

SSDEEP:

98304:9xbeMAIoIPZmjcUiTtDYxSbPTOxSt++dX8lWs2j85LOTGUSfPQaDvD5jwhdHsOYf:Ag3u8guTy6TG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ARKEI has been detected (YARA)

      • TradingView Premium (PCDesktop).exe (PID: 2252)
      • TradingView Premium (PCDesktop).exe (PID: 3708)
      • TradingView Premium (PCDesktop).exe (PID: 3156)

  • SUSPICIOUS

    • Application launched itself

      • WinRAR.exe (PID: 1240)

    • Reads the Internet Settings

      • TradingView Premium (PCDesktop).exe (PID: 2252)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • TradingView Premium (PCDesktop).exe (PID: 2252)

    • Reads security settings of Internet Explorer

      • TradingView Premium (PCDesktop).exe (PID: 2252)

    • Reads settings of System Certificates

      • TradingView Premium (PCDesktop).exe (PID: 2252)

    • Checks Windows Trust Settings

      • TradingView Premium (PCDesktop).exe (PID: 2252)

  • INFO

    • Manual execution by a user

      • WinRAR.exe (PID: 3932)
      • WinRAR.exe (PID: 2416)
      • TradingView Premium (PCDesktop).exe (PID: 2252)
      • TradingView Premium (PCDesktop).exe (PID: 3156)
      • TradingView Premium (PCDesktop).exe (PID: 3708)

    • Reads the computer name

      • TradingView Premium (PCDesktop).exe (PID: 2252)
      • TradingView Premium (PCDesktop).exe (PID: 3708)
      • TradingView Premium (PCDesktop).exe (PID: 3156)

    • Checks proxy server information

      • TradingView Premium (PCDesktop).exe (PID: 2252)

    • Checks supported languages

      • TradingView Premium (PCDesktop).exe (PID: 3708)
      • TradingView Premium (PCDesktop).exe (PID: 2252)
      • TradingView Premium (PCDesktop).exe (PID: 3156)

    • Reads the machine GUID from the registry

      • TradingView Premium (PCDesktop).exe (PID: 2252)
      • TradingView Premium (PCDesktop).exe (PID: 3156)
      • TradingView Premium (PCDesktop).exe (PID: 3708)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2416)
      • WinRAR.exe (PID: 3036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Arkei

(PID) Process(2252) TradingView Premium (PCDesktop).exe
C2 (3)https://t.me/scubytale
104.0.0.0
https://steamcommunity.com/profiles/76561199564671869
Strings (536)kernel32.dll
GetUserNameA
advapi32.dll
GetComputerNameA
LocalAlloc
lstrcmpiW
VirtualFree
VirtualAlloc
VirtualAllocExNuma
GetCurrentProcess
ExitProcess
GetSystemTime
Sleep
GetProcAddress
lstrcatA
LoadLibraryA
JohnDoe
HAL9TH
Ledger Live
\Raven\
Raven Core
\Dogecoin\
Dogecoin
*wallet*.dat
wallet.dat
\Bitcoin\
Bitcoin Core Old
\Bitcoin\wallets\
Bitcoin Core
.finger-print.fp
simple-storage.json
Binance Desktop
loginusers.vdf
libraryfolders.vdf
DialogConfigOverlay*.vdf
DialogConfig.vdf
config.vdf
ssfn*
SteamPath
Software\Valve\Steam
C:\\\Windows\
C:\\Windows\
C:\Windows\
*%DRIVE_REMOVABLE%*
*%DRIVE_FIXED%*
*%RECENT%*
%DRIVE_REMOVABLE%
%DRIVE_FIXED%
%RECENT%
%PROGRAMFILES_86%
%PROGRAMFILES%
%DOCUMENTS%
%DESKTOP%
%USERPROFILE%
%LOCALAPPDATA%
%APPDATA%
\information.txt
[Software]
[Processes]
VideoCard:
RAM:
CPU Count:
Processor:
[Hardware]
TimeZone:
Local Time:
Keyboard Languages:
Display Language:
Display Resolution:
User Name:
Computer Name:
Windows:
Work Dir: In memory
Path:
HWID:
GUID:
MachineID:
Date:
Version:
sqlite3.dll
RoninWalletEdge
kjmoohlgokccodicjjfebfomlbljgfhk
IndexedDB
Sync Extension Settings
Local Extension Settings
UseMasterPassword
Security
Password
UserName
PortNumber
HostName
Soft: WinSCP
\Soft\Authy Desktop\
\Authy Desktop\Local Storage\leveldb\
\Soft\Authy Desktop Old\
\Authy Desktop\Local Storage\
*.localstorage
places.sqlite
formhistory.sqlite
cookies.sqlite
History
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Network
Password:
Login:
Host:
Soft:
"os_crypt":{"encrypted_key":"
\passwords.txt
\Soft\Telegram\
F8806DD0C461824F*
A92DAA6EA6F891F2*
A7FDF864FBC10B77*
D877F783D5D3EF8C*
key_datas
\Telegram Desktop\
Thunderbird
\Thunderbird\Profiles\
Brave
\BraveSoftware\Brave-Browser\User Data\
CryptoTab Browser
\CryptoTab Browser\User Data\
\Opera GX Stable\
\Opera Stable\
\Opera Software\
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_close
sqlite3_finalize
sqlite3_column_text
sqlite3_step
sqlite3_prepare_v2
sqlite3_open
GdipFree
GdipDisposeImage
GdipSaveImageToStream
GdiplusShutdown
GdiplusStartup
GdipCreateBitmapFromHBITMAP
GdipGetImageEncoders
GdipGetImageEncodersSize
SymMatchString
PathFindFileNameA
StrStrA
StrCmpCW
StrCmpCA
PathMatchSpecA
PathMatchSpecW
SHGetFolderPathA
SHFileOperationA
ShellExecuteExA
CloseWindow
GetWindowDC
GetWindowRect
GetHGlobalFromStream
CreateStreamOnHGlobal
CoInitialize
InternetCrackUrlA
AccessCheck
MapGenericMask
DuplicateToken
OpenProcessToken
GetFileSecurityA
RegEnumValueA
CryptBinaryToStringA
gdiplus.dll
dbghelp.dll
shlwapi.dll
shell32.dll
GetVolumeInformationA
GetWindowsDirectoryA
Process32Next
Process32First
CreateToolhelp32Snapshot
CreateEventA
OpenEventA
GetTickCount
SetEnvironmentVariableA
GetEnvironmentVariableA
GetFileInformationByHandle
CreateFileMappingA
FileTimeToSystemTime
UnmapViewOfFile
MapViewOfFile
LocalFileTimeToFileTime
GetFileAttributesW
GetFileAttributesA
WriteFile
SetFileTime
GetLocalTime
SystemTimeToFileTime
HeapFree
SetFilePointer
GetCurrentDirectoryA
DeleteFileA
CopyFileA
TzSpecificLocalTimeToSystemTime
GetTimeZoneInformation
GetFileSizeEx
OpenProcess
GetCurrentProcessId
GetLocaleInfoA
FreeLibrary
GlobalSize
GlobalLock
lstrcpynA
GetLastError
FindClose
FindNextFileA
FindFirstFileA
MultiByteToWideChar
lstrcpyA
GetDriveTypeA
lstrlenA
GetLogicalDriveStringsA
CloseHandle
ReadFile
GetFileSize
CreateFileA
GetProcessHeap
HeapAlloc
LocalFree
WideCharToMultiByte
GetSystemInfo
GetUserDefaultLocaleName
IsWow64Process
GlobalMemoryStatusEx
CreateThread
Discord Token:
dQw4w9WgXcQ:
\Soft\Discord\discord_tokens.txt
Session Storage
leveldb
Local Storage
Discord
\discord\
Wasabi Wallet
\WalletWasabi\Client\Wallets\
Blockstream Green
\Blockstream\Green\wallets\
she*.sqlite
Daedalus Mainnet
\Daedalus Mainnet\wallets\
Jaxx_Desktop
\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
GAuth Authenticator
ilgcnhelpchnceeipipijaljkblbcobl
EOS Authenticator
oeljdldpnmdbchonielidgobddffflal
Authy
gaedmjdfmmahhbjefcbgaolhhanlaolb
Authenticator
bhghoamapcdpbohphigoooaddinpkbai
jnkelfanjkeadonecabehalmbgpfodjm
Temple
ookjlbkiijinhpmnjffcofjonbfbgaoc
TezBox
mnfifefkajgofkcjkemidiaecocnkjeh
hcflpincpppdclinealmandijcmnkbgn
CyanoWallet
dkdedlpgdmmkkfjabffeganieamfklkm
Solflare
bhhhlbepdkbapadjdnnojkbgioiodbic
WavesKeeper
lpilbniiabackdjcionkobglmddfbcjo
MaiarDeFiWallet
dngmlblcodfobpdpecaadgfbcggfjfnm
NamiWallet
lpfcbjknijpeeillifnkikgncikgfhdo
XdefiWallet
hmeobnfnfcmdkdcmlblgagmfpfboieaf
BoltX
aodkkagnadcbobfpggfnjeongemjbjca
PaliWallet
mgffkfbidihjpoaomajlbgchddlicgpn
Oxygen (Atomic)
fhilaheimglignddkjgofkcbgekhenbh
BraveWallet
odbfpeeihdkbihmopkbjmoonfanlbfcl
ejbalbakoplchlghecdalmeeeajnimhm
Phantom
bfnaelmomeimhlpmgjnjophhpkkoljpa
Rabby
acmacodkjbdgmoleebolmdjonilkdbch
Trezor Password Manager
imloifkgjagghnncjkhggdhalmcnfklk
KardiaChain
pdadjkfkgcafgbceimcpbkalnfnepbnk
EVER Wallet
cgeeodpfagjceefieflmdfphplkenlfk
Coin98
aeachknmefphepccionboohckonoeemg
Harmony
fnnegphlobjdpkhecapkijjdkgcjhkib
ICONex
flpiciilemghbmfalicajoolhkkenfel
PolymeshWallet
jojhfeoedkpkglbfimdfabpdfjaoolaf
AuroWallet
cnmamaachppnkjgnildpdmkaakejnhae
Sollet
fhmfendgdocmcbmfikdcogofphimnkno
Keplr
k|{mn
dmkamcknogkgcdfhhbddcghachkejeap
Terra_Station
aiifbnbfobpmeekipheeijimdpnlpgpp
LiqualityWallet
kpfopkelmapcoipemfendmdcghnegimn
CloverWallet
nhnkbkgjikgcigadomkphalanndcapjk
NeoLine
cphhlgmgameodnhkjdmkpanlelnlohao
RoninWallet
fnjhmkhhmkbjkkabndcnnogagogbneec
GuildWallet
nanjmdknhkinifnkgdcggcfnhdaammmj
MewCx
nlbmnnijcnlegkjjpcfjclmcfggfefdm
Wombat
amkmjjmmflddogmhpjloimipbofnfjih
iWallet
kncchdigobghenbbaddojjnnaogfppfj
BitAppWallet
fihkakfobkmkjojpchpfgcmhfjnmnfpi
JaxxLiberty
cjelfplplebdjjenllpjcblmjkfcffne
EQUALWallet
blnieiiffboillknjnepogjhkgnoapac
Guarda
hpglfhgfnhbgpjdenjgmdgoeiappafln
Coinbase
hnfanknocfeofbddgcijnmhnfnkdnaad
MathWallet
afbcbjpbpfadlkmhmclhkeeodmamcflc
NiftyWallet
jbdaocneiiinmjbjlgalhcelgbejmnid
Yoroi
ffnbelfdoeiohenkjibnmadjiehjhajb
BinanceChainWallet
fhbohimaelbohpjbbldcngcnapndodjp
MetaMask
nkbihfbeogaeaoehlefnkodbefgpgknn
TronLink
ibnejdfjmmkpcnlpebklmnkoeoihofec
EnumProcessModules
GetModuleBaseNameA
GetModuleFileNameExA
GetSystemMetrics
EnumDisplayDevicesA
wsprintfA
GetDC
CharToOemA
GetKeyboardLayoutList
ReleaseDC
GetDesktopWindow
CoUninitialize
CoCreateInstance
CreateCompatibleDC
GetDeviceCaps
CreateDCA
DeleteObject
BitBlt
SelectObject
CreateCompatibleBitmap
DeleteUrlCacheEntry
InternetSetOptionA
InternetOpenUrlA
InternetSetFilePointer
HttpQueryInfoA
HttpAddRequestHeadersA
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
wininet.dll
GetCurrentHwProfileA
RegGetValueA
RegEnumKeyExA
RegGetValueW
RegOpenKeyExW
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
PK11SDR_Decrypt
PK11_Authenticate
PK11_FreeSlot
PK11_GetInternalKeySlot
NSS_Shutdown
NSS_Init
C:\ProgramData\nss3.dll
CryptStringToBinaryA
CryptUnprotectData
CRYPT32.DLL
BCryptDecrypt
BCryptGenerateSymmetricKey
BCryptSetProperty
BCryptOpenAlgorithmProvider
BCryptDestroyKey
BCryptCloseAlgorithmProvider
BCRYPT.DLL
psapi.dll
user32.dll
ole32.dll
gdi32.dll
FALSE
Cookies
Local State
\Opera Software\Opera GX Stable\
OperaGX
\Opera Software\Opera Stable\
Opera
\Tencent\QQBrowser\User Data\
QQBrowser
\360Browser\Browser\User Data\
360 Browser
\Microsoft\Edge\User Data\
Microsoft Edge
\7Star\7Star\User Data\
7Star
\brave\
Brave_Old
\Chedot\User Data\
Chedot Browser
\TorBro\Profile\
TorBro Browser
\CentBrowser\User Data\
Cent Browser
\CocCoc\Browser\User Data\
CocCoc
\Vivaldi\User Data\
Vivaldi
\Epic Privacy Browser\User Data\
Epic Privacy Browser
\Comodo\Dragon\User Data\
Comodo Dragon
\Torch\User Data\
Torch
\Amigo\User Data\
Amigo
\Chromium\User Data\
Chromium
\Google\Chrome\User Data\
Google Chrome
\Moonchild Productions\Pale Moon\Profiles\
Pale Moon
\Mozilla\Firefox\Profiles\
Mozilla Firefox
Soft: FileZilla
<Pass encoding="base64">
<User>
<Port>
<Host>
\AppData\Roaming\FileZilla\recentservers.xml
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
SELECT url FROM urls
SELECT target_path, tab_url from downloads
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
"SA^/
SELECT name, value FROM autofill
SELECT origin_url, username_value, password_value FROM logins
encryptedPassword
encryptedUsername
usernameField
formSubmitURL
logins.json
Web Data
Cookies
Login Data
netfulfilled
mnpayments
mncache
governance
banlist
mempool
peers
fee_estimates
Local\Microsoft
Roaming\WinRAR
Local\NuGet
Local\Packages
MicrosoftEdge\Cookies
Recycle.Bin
Local\Temp
Recovery
msdownld.tmp
System Volume Information
Config.Msi
RECYCLE.BIN
C:\ProgramData\
\Monero\
SOFTWARE\monero-project\monero-core
wallet_path
*.config
*.wallet
\Coinomi\Coinomi\wallets\
Coinomi
app-store.json
\Binance\
Binance
0000*
MANIFEST-000001
CURRENT
*.log
\atomic\Local Storage\leveldb\
Atomic
file__0.localstorage
\jaxx\Local Storage\
Jaxx_Desktop_Old
multidoge.wallet
\MultiDoge\
MultiDoge
default_wallet
\ElectronCash\wallets\
ElectronCash
info.seco
seed.seco
passphrase.json
\Exodus\exodus.wallet\
window-state.json
exodus.conf.json
\Exodus\
Exodus
\Electrum-LTC\wallets\
ElectrumLTC
\Electrum\wallets\
Electrum
\Ethereum\
Ethereum"
keystore
Plugins
Wallets
(PID) Process(3156) TradingView Premium (PCDesktop).exe
C2 (3)https://t.me/scubytale
104.0.0.0
https://steamcommunity.com/profiles/76561199564671869
Strings (536)kernel32.dll
GetUserNameA
advapi32.dll
GetComputerNameA
LocalAlloc
lstrcmpiW
VirtualFree
VirtualAlloc
VirtualAllocExNuma
GetCurrentProcess
ExitProcess
GetSystemTime
Sleep
GetProcAddress
lstrcatA
LoadLibraryA
JohnDoe
HAL9TH
Ledger Live
\Raven\
Raven Core
\Dogecoin\
Dogecoin
*wallet*.dat
wallet.dat
\Bitcoin\
Bitcoin Core Old
\Bitcoin\wallets\
Bitcoin Core
.finger-print.fp
simple-storage.json
Binance Desktop
loginusers.vdf
libraryfolders.vdf
DialogConfigOverlay*.vdf
DialogConfig.vdf
config.vdf
ssfn*
SteamPath
Software\Valve\Steam
C:\\\Windows\
C:\\Windows\
C:\Windows\
*%DRIVE_REMOVABLE%*
*%DRIVE_FIXED%*
*%RECENT%*
%DRIVE_REMOVABLE%
%DRIVE_FIXED%
%RECENT%
%PROGRAMFILES_86%
%PROGRAMFILES%
%DOCUMENTS%
%DESKTOP%
%USERPROFILE%
%LOCALAPPDATA%
%APPDATA%
\information.txt
[Software]
[Processes]
VideoCard:
RAM:
CPU Count:
Processor:
[Hardware]
TimeZone:
Local Time:
Keyboard Languages:
Display Language:
Display Resolution:
User Name:
Computer Name:
Windows:
Work Dir: In memory
Path:
HWID:
GUID:
MachineID:
Date:
Version:
sqlite3.dll
RoninWalletEdge
kjmoohlgokccodicjjfebfomlbljgfhk
IndexedDB
Sync Extension Settings
Local Extension Settings
UseMasterPassword
Security
Password
UserName
PortNumber
HostName
Soft: WinSCP
\Soft\Authy Desktop\
\Authy Desktop\Local Storage\leveldb\
\Soft\Authy Desktop Old\
\Authy Desktop\Local Storage\
*.localstorage
places.sqlite
formhistory.sqlite
cookies.sqlite
History
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Network
Password:
Login:
Host:
Soft:
"os_crypt":{"encrypted_key":"
\passwords.txt
\Soft\Telegram\
F8806DD0C461824F*
A92DAA6EA6F891F2*
A7FDF864FBC10B77*
D877F783D5D3EF8C*
key_datas
\Telegram Desktop\
Thunderbird
\Thunderbird\Profiles\
Brave
\BraveSoftware\Brave-Browser\User Data\
CryptoTab Browser
\CryptoTab Browser\User Data\
\Opera GX Stable\
\Opera Stable\
\Opera Software\
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_close
sqlite3_finalize
sqlite3_column_text
sqlite3_step
sqlite3_prepare_v2
sqlite3_open
GdipFree
GdipDisposeImage
GdipSaveImageToStream
GdiplusShutdown
GdiplusStartup
GdipCreateBitmapFromHBITMAP
GdipGetImageEncoders
GdipGetImageEncodersSize
SymMatchString
PathFindFileNameA
StrStrA
StrCmpCW
StrCmpCA
PathMatchSpecA
PathMatchSpecW
SHGetFolderPathA
SHFileOperationA
ShellExecuteExA
CloseWindow
GetWindowDC
GetWindowRect
GetHGlobalFromStream
CreateStreamOnHGlobal
CoInitialize
InternetCrackUrlA
AccessCheck
MapGenericMask
DuplicateToken
OpenProcessToken
GetFileSecurityA
RegEnumValueA
CryptBinaryToStringA
gdiplus.dll
dbghelp.dll
shlwapi.dll
shell32.dll
GetVolumeInformationA
GetWindowsDirectoryA
Process32Next
Process32First
CreateToolhelp32Snapshot
CreateEventA
OpenEventA
GetTickCount
SetEnvironmentVariableA
GetEnvironmentVariableA
GetFileInformationByHandle
CreateFileMappingA
FileTimeToSystemTime
UnmapViewOfFile
MapViewOfFile
LocalFileTimeToFileTime
GetFileAttributesW
GetFileAttributesA
WriteFile
SetFileTime
GetLocalTime
SystemTimeToFileTime
HeapFree
SetFilePointer
GetCurrentDirectoryA
DeleteFileA
CopyFileA
TzSpecificLocalTimeToSystemTime
GetTimeZoneInformation
GetFileSizeEx
OpenProcess
GetCurrentProcessId
GetLocaleInfoA
FreeLibrary
GlobalSize
GlobalLock
lstrcpynA
GetLastError
FindClose
FindNextFileA
FindFirstFileA
MultiByteToWideChar
lstrcpyA
GetDriveTypeA
lstrlenA
GetLogicalDriveStringsA
CloseHandle
ReadFile
GetFileSize
CreateFileA
GetProcessHeap
HeapAlloc
LocalFree
WideCharToMultiByte
GetSystemInfo
GetUserDefaultLocaleName
IsWow64Process
GlobalMemoryStatusEx
CreateThread
Discord Token:
dQw4w9WgXcQ:
\Soft\Discord\discord_tokens.txt
Session Storage
leveldb
Local Storage
Discord
\discord\
Wasabi Wallet
\WalletWasabi\Client\Wallets\
Blockstream Green
\Blockstream\Green\wallets\
she*.sqlite
Daedalus Mainnet
\Daedalus Mainnet\wallets\
Jaxx_Desktop
\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
GAuth Authenticator
ilgcnhelpchnceeipipijaljkblbcobl
EOS Authenticator
oeljdldpnmdbchonielidgobddffflal
Authy
gaedmjdfmmahhbjefcbgaolhhanlaolb
Authenticator
bhghoamapcdpbohphigoooaddinpkbai
jnkelfanjkeadonecabehalmbgpfodjm
Temple
ookjlbkiijinhpmnjffcofjonbfbgaoc
TezBox
mnfifefkajgofkcjkemidiaecocnkjeh
hcflpincpppdclinealmandijcmnkbgn
CyanoWallet
dkdedlpgdmmkkfjabffeganieamfklkm
Solflare
bhhhlbepdkbapadjdnnojkbgioiodbic
WavesKeeper
lpilbniiabackdjcionkobglmddfbcjo
MaiarDeFiWallet
dngmlblcodfobpdpecaadgfbcggfjfnm
NamiWallet
lpfcbjknijpeeillifnkikgncikgfhdo
XdefiWallet
hmeobnfnfcmdkdcmlblgagmfpfboieaf
BoltX
aodkkagnadcbobfpggfnjeongemjbjca
PaliWallet
mgffkfbidihjpoaomajlbgchddlicgpn
Oxygen (Atomic)
fhilaheimglignddkjgofkcbgekhenbh
BraveWallet
odbfpeeihdkbihmopkbjmoonfanlbfcl
ejbalbakoplchlghecdalmeeeajnimhm
Phantom
bfnaelmomeimhlpmgjnjophhpkkoljpa
Rabby
acmacodkjbdgmoleebolmdjonilkdbch
Trezor Password Manager
imloifkgjagghnncjkhggdhalmcnfklk
KardiaChain
pdadjkfkgcafgbceimcpbkalnfnepbnk
EVER Wallet
cgeeodpfagjceefieflmdfphplkenlfk
Coin98
aeachknmefphepccionboohckonoeemg
Harmony
fnnegphlobjdpkhecapkijjdkgcjhkib
ICONex
flpiciilemghbmfalicajoolhkkenfel
PolymeshWallet
jojhfeoedkpkglbfimdfabpdfjaoolaf
AuroWallet
cnmamaachppnkjgnildpdmkaakejnhae
Sollet
fhmfendgdocmcbmfikdcogofphimnkno
Keplr
k|{mn
dmkamcknogkgcdfhhbddcghachkejeap
Terra_Station
aiifbnbfobpmeekipheeijimdpnlpgpp
LiqualityWallet
kpfopkelmapcoipemfendmdcghnegimn
CloverWallet
nhnkbkgjikgcigadomkphalanndcapjk
NeoLine
cphhlgmgameodnhkjdmkpanlelnlohao
RoninWallet
fnjhmkhhmkbjkkabndcnnogagogbneec
GuildWallet
nanjmdknhkinifnkgdcggcfnhdaammmj
MewCx
nlbmnnijcnlegkjjpcfjclmcfggfefdm
Wombat
amkmjjmmflddogmhpjloimipbofnfjih
iWallet
kncchdigobghenbbaddojjnnaogfppfj
BitAppWallet
fihkakfobkmkjojpchpfgcmhfjnmnfpi
JaxxLiberty
cjelfplplebdjjenllpjcblmjkfcffne
EQUALWallet
blnieiiffboillknjnepogjhkgnoapac
Guarda
hpglfhgfnhbgpjdenjgmdgoeiappafln
Coinbase
hnfanknocfeofbddgcijnmhnfnkdnaad
MathWallet
afbcbjpbpfadlkmhmclhkeeodmamcflc
NiftyWallet
jbdaocneiiinmjbjlgalhcelgbejmnid
Yoroi
ffnbelfdoeiohenkjibnmadjiehjhajb
BinanceChainWallet
fhbohimaelbohpjbbldcngcnapndodjp
MetaMask
nkbihfbeogaeaoehlefnkodbefgpgknn
TronLink
ibnejdfjmmkpcnlpebklmnkoeoihofec
EnumProcessModules
GetModuleBaseNameA
GetModuleFileNameExA
GetSystemMetrics
EnumDisplayDevicesA
wsprintfA
GetDC
CharToOemA
GetKeyboardLayoutList
ReleaseDC
GetDesktopWindow
CoUninitialize
CoCreateInstance
CreateCompatibleDC
GetDeviceCaps
CreateDCA
DeleteObject
BitBlt
SelectObject
CreateCompatibleBitmap
DeleteUrlCacheEntry
InternetSetOptionA
InternetOpenUrlA
InternetSetFilePointer
HttpQueryInfoA
HttpAddRequestHeadersA
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
wininet.dll
GetCurrentHwProfileA
RegGetValueA
RegEnumKeyExA
RegGetValueW
RegOpenKeyExW
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
PK11SDR_Decrypt
PK11_Authenticate
PK11_FreeSlot
PK11_GetInternalKeySlot
NSS_Shutdown
NSS_Init
C:\ProgramData\nss3.dll
CryptStringToBinaryA
CryptUnprotectData
CRYPT32.DLL
BCryptDecrypt
BCryptGenerateSymmetricKey
BCryptSetProperty
BCryptOpenAlgorithmProvider
BCryptDestroyKey
BCryptCloseAlgorithmProvider
BCRYPT.DLL
psapi.dll
user32.dll
ole32.dll
gdi32.dll
FALSE
Cookies
Local State
\Opera Software\Opera GX Stable\
OperaGX
\Opera Software\Opera Stable\
Opera
\Tencent\QQBrowser\User Data\
QQBrowser
\360Browser\Browser\User Data\
360 Browser
\Microsoft\Edge\User Data\
Microsoft Edge
\7Star\7Star\User Data\
7Star
\brave\
Brave_Old
\Chedot\User Data\
Chedot Browser
\TorBro\Profile\
TorBro Browser
\CentBrowser\User Data\
Cent Browser
\CocCoc\Browser\User Data\
CocCoc
\Vivaldi\User Data\
Vivaldi
\Epic Privacy Browser\User Data\
Epic Privacy Browser
\Comodo\Dragon\User Data\
Comodo Dragon
\Torch\User Data\
Torch
\Amigo\User Data\
Amigo
\Chromium\User Data\
Chromium
\Google\Chrome\User Data\
Google Chrome
\Moonchild Productions\Pale Moon\Profiles\
Pale Moon
\Mozilla\Firefox\Profiles\
Mozilla Firefox
Soft: FileZilla
<Pass encoding="base64">
<User>
<Port>
<Host>
\AppData\Roaming\FileZilla\recentservers.xml
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
SELECT url FROM urls
SELECT target_path, tab_url from downloads
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
"SA^/
SELECT name, value FROM autofill
SELECT origin_url, username_value, password_value FROM logins
encryptedPassword
encryptedUsername
usernameField
formSubmitURL
logins.json
Web Data
Cookies
Login Data
netfulfilled
mnpayments
mncache
governance
banlist
mempool
peers
fee_estimates
Local\Microsoft
Roaming\WinRAR
Local\NuGet
Local\Packages
MicrosoftEdge\Cookies
Recycle.Bin
Local\Temp
Recovery
msdownld.tmp
System Volume Information
Config.Msi
RECYCLE.BIN
C:\ProgramData\
\Monero\
SOFTWARE\monero-project\monero-core
wallet_path
*.config
*.wallet
\Coinomi\Coinomi\wallets\
Coinomi
app-store.json
\Binance\
Binance
0000*
MANIFEST-000001
CURRENT
*.log
\atomic\Local Storage\leveldb\
Atomic
file__0.localstorage
\jaxx\Local Storage\
Jaxx_Desktop_Old
multidoge.wallet
\MultiDoge\
MultiDoge
default_wallet
\ElectronCash\wallets\
ElectronCash
info.seco
seed.seco
passphrase.json
\Exodus\exodus.wallet\
window-state.json
exodus.conf.json
\Exodus\
Exodus
\Electrum-LTC\wallets\
ElectrumLTC
\Electrum\wallets\
Electrum
\Ethereum\
Ethereum"
keystore
Plugins
Wallets
(PID) Process(3708) TradingView Premium (PCDesktop).exe
C2 (3)https://t.me/scubytale
104.0.0.0
https://steamcommunity.com/profiles/76561199564671869
Strings (536)kernel32.dll
GetUserNameA
advapi32.dll
GetComputerNameA
LocalAlloc
lstrcmpiW
VirtualFree
VirtualAlloc
VirtualAllocExNuma
GetCurrentProcess
ExitProcess
GetSystemTime
Sleep
GetProcAddress
lstrcatA
LoadLibraryA
JohnDoe
HAL9TH
Ledger Live
\Raven\
Raven Core
\Dogecoin\
Dogecoin
*wallet*.dat
wallet.dat
\Bitcoin\
Bitcoin Core Old
\Bitcoin\wallets\
Bitcoin Core
.finger-print.fp
simple-storage.json
Binance Desktop
loginusers.vdf
libraryfolders.vdf
DialogConfigOverlay*.vdf
DialogConfig.vdf
config.vdf
ssfn*
SteamPath
Software\Valve\Steam
C:\\\Windows\
C:\\Windows\
C:\Windows\
*%DRIVE_REMOVABLE%*
*%DRIVE_FIXED%*
*%RECENT%*
%DRIVE_REMOVABLE%
%DRIVE_FIXED%
%RECENT%
%PROGRAMFILES_86%
%PROGRAMFILES%
%DOCUMENTS%
%DESKTOP%
%USERPROFILE%
%LOCALAPPDATA%
%APPDATA%
\information.txt
[Software]
[Processes]
VideoCard:
RAM:
CPU Count:
Processor:
[Hardware]
TimeZone:
Local Time:
Keyboard Languages:
Display Language:
Display Resolution:
User Name:
Computer Name:
Windows:
Work Dir: In memory
Path:
HWID:
GUID:
MachineID:
Date:
Version:
sqlite3.dll
RoninWalletEdge
kjmoohlgokccodicjjfebfomlbljgfhk
IndexedDB
Sync Extension Settings
Local Extension Settings
UseMasterPassword
Security
Password
UserName
PortNumber
HostName
Soft: WinSCP
\Soft\Authy Desktop\
\Authy Desktop\Local Storage\leveldb\
\Soft\Authy Desktop Old\
\Authy Desktop\Local Storage\
*.localstorage
places.sqlite
formhistory.sqlite
cookies.sqlite
History
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Network
Password:
Login:
Host:
Soft:
"os_crypt":{"encrypted_key":"
\passwords.txt
\Soft\Telegram\
F8806DD0C461824F*
A92DAA6EA6F891F2*
A7FDF864FBC10B77*
D877F783D5D3EF8C*
key_datas
\Telegram Desktop\
Thunderbird
\Thunderbird\Profiles\
Brave
\BraveSoftware\Brave-Browser\User Data\
CryptoTab Browser
\CryptoTab Browser\User Data\
\Opera GX Stable\
\Opera Stable\
\Opera Software\
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_close
sqlite3_finalize
sqlite3_column_text
sqlite3_step
sqlite3_prepare_v2
sqlite3_open
GdipFree
GdipDisposeImage
GdipSaveImageToStream
GdiplusShutdown
GdiplusStartup
GdipCreateBitmapFromHBITMAP
GdipGetImageEncoders
GdipGetImageEncodersSize
SymMatchString
PathFindFileNameA
StrStrA
StrCmpCW
StrCmpCA
PathMatchSpecA
PathMatchSpecW
SHGetFolderPathA
SHFileOperationA
ShellExecuteExA
CloseWindow
GetWindowDC
GetWindowRect
GetHGlobalFromStream
CreateStreamOnHGlobal
CoInitialize
InternetCrackUrlA
AccessCheck
MapGenericMask
DuplicateToken
OpenProcessToken
GetFileSecurityA
RegEnumValueA
CryptBinaryToStringA
gdiplus.dll
dbghelp.dll
shlwapi.dll
shell32.dll
GetVolumeInformationA
GetWindowsDirectoryA
Process32Next
Process32First
CreateToolhelp32Snapshot
CreateEventA
OpenEventA
GetTickCount
SetEnvironmentVariableA
GetEnvironmentVariableA
GetFileInformationByHandle
CreateFileMappingA
FileTimeToSystemTime
UnmapViewOfFile
MapViewOfFile
LocalFileTimeToFileTime
GetFileAttributesW
GetFileAttributesA
WriteFile
SetFileTime
GetLocalTime
SystemTimeToFileTime
HeapFree
SetFilePointer
GetCurrentDirectoryA
DeleteFileA
CopyFileA
TzSpecificLocalTimeToSystemTime
GetTimeZoneInformation
GetFileSizeEx
OpenProcess
GetCurrentProcessId
GetLocaleInfoA
FreeLibrary
GlobalSize
GlobalLock
lstrcpynA
GetLastError
FindClose
FindNextFileA
FindFirstFileA
MultiByteToWideChar
lstrcpyA
GetDriveTypeA
lstrlenA
GetLogicalDriveStringsA
CloseHandle
ReadFile
GetFileSize
CreateFileA
GetProcessHeap
HeapAlloc
LocalFree
WideCharToMultiByte
GetSystemInfo
GetUserDefaultLocaleName
IsWow64Process
GlobalMemoryStatusEx
CreateThread
Discord Token:
dQw4w9WgXcQ:
\Soft\Discord\discord_tokens.txt
Session Storage
leveldb
Local Storage
Discord
\discord\
Wasabi Wallet
\WalletWasabi\Client\Wallets\
Blockstream Green
\Blockstream\Green\wallets\
she*.sqlite
Daedalus Mainnet
\Daedalus Mainnet\wallets\
Jaxx_Desktop
\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
GAuth Authenticator
ilgcnhelpchnceeipipijaljkblbcobl
EOS Authenticator
oeljdldpnmdbchonielidgobddffflal
Authy
gaedmjdfmmahhbjefcbgaolhhanlaolb
Authenticator
bhghoamapcdpbohphigoooaddinpkbai
jnkelfanjkeadonecabehalmbgpfodjm
Temple
ookjlbkiijinhpmnjffcofjonbfbgaoc
TezBox
mnfifefkajgofkcjkemidiaecocnkjeh
hcflpincpppdclinealmandijcmnkbgn
CyanoWallet
dkdedlpgdmmkkfjabffeganieamfklkm
Solflare
bhhhlbepdkbapadjdnnojkbgioiodbic
WavesKeeper
lpilbniiabackdjcionkobglmddfbcjo
MaiarDeFiWallet
dngmlblcodfobpdpecaadgfbcggfjfnm
NamiWallet
lpfcbjknijpeeillifnkikgncikgfhdo
XdefiWallet
hmeobnfnfcmdkdcmlblgagmfpfboieaf
BoltX
aodkkagnadcbobfpggfnjeongemjbjca
PaliWallet
mgffkfbidihjpoaomajlbgchddlicgpn
Oxygen (Atomic)
fhilaheimglignddkjgofkcbgekhenbh
BraveWallet
odbfpeeihdkbihmopkbjmoonfanlbfcl
ejbalbakoplchlghecdalmeeeajnimhm
Phantom
bfnaelmomeimhlpmgjnjophhpkkoljpa
Rabby
acmacodkjbdgmoleebolmdjonilkdbch
Trezor Password Manager
imloifkgjagghnncjkhggdhalmcnfklk
KardiaChain
pdadjkfkgcafgbceimcpbkalnfnepbnk
EVER Wallet
cgeeodpfagjceefieflmdfphplkenlfk
Coin98
aeachknmefphepccionboohckonoeemg
Harmony
fnnegphlobjdpkhecapkijjdkgcjhkib
ICONex
flpiciilemghbmfalicajoolhkkenfel
PolymeshWallet
jojhfeoedkpkglbfimdfabpdfjaoolaf
AuroWallet
cnmamaachppnkjgnildpdmkaakejnhae
Sollet
fhmfendgdocmcbmfikdcogofphimnkno
Keplr
k|{mn
dmkamcknogkgcdfhhbddcghachkejeap
Terra_Station
aiifbnbfobpmeekipheeijimdpnlpgpp
LiqualityWallet
kpfopkelmapcoipemfendmdcghnegimn
CloverWallet
nhnkbkgjikgcigadomkphalanndcapjk
NeoLine
cphhlgmgameodnhkjdmkpanlelnlohao
RoninWallet
fnjhmkhhmkbjkkabndcnnogagogbneec
GuildWallet
nanjmdknhkinifnkgdcggcfnhdaammmj
MewCx
nlbmnnijcnlegkjjpcfjclmcfggfefdm
Wombat
amkmjjmmflddogmhpjloimipbofnfjih
iWallet
kncchdigobghenbbaddojjnnaogfppfj
BitAppWallet
fihkakfobkmkjojpchpfgcmhfjnmnfpi
JaxxLiberty
cjelfplplebdjjenllpjcblmjkfcffne
EQUALWallet
blnieiiffboillknjnepogjhkgnoapac
Guarda
hpglfhgfnhbgpjdenjgmdgoeiappafln
Coinbase
hnfanknocfeofbddgcijnmhnfnkdnaad
MathWallet
afbcbjpbpfadlkmhmclhkeeodmamcflc
NiftyWallet
jbdaocneiiinmjbjlgalhcelgbejmnid
Yoroi
ffnbelfdoeiohenkjibnmadjiehjhajb
BinanceChainWallet
fhbohimaelbohpjbbldcngcnapndodjp
MetaMask
nkbihfbeogaeaoehlefnkodbefgpgknn
TronLink
ibnejdfjmmkpcnlpebklmnkoeoihofec
EnumProcessModules
GetModuleBaseNameA
GetModuleFileNameExA
GetSystemMetrics
EnumDisplayDevicesA
wsprintfA
GetDC
CharToOemA
GetKeyboardLayoutList
ReleaseDC
GetDesktopWindow
CoUninitialize
CoCreateInstance
CreateCompatibleDC
GetDeviceCaps
CreateDCA
DeleteObject
BitBlt
SelectObject
CreateCompatibleBitmap
DeleteUrlCacheEntry
InternetSetOptionA
InternetOpenUrlA
InternetSetFilePointer
HttpQueryInfoA
HttpAddRequestHeadersA
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
wininet.dll
GetCurrentHwProfileA
RegGetValueA
RegEnumKeyExA
RegGetValueW
RegOpenKeyExW
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
PK11SDR_Decrypt
PK11_Authenticate
PK11_FreeSlot
PK11_GetInternalKeySlot
NSS_Shutdown
NSS_Init
C:\ProgramData\nss3.dll
CryptStringToBinaryA
CryptUnprotectData
CRYPT32.DLL
BCryptDecrypt
BCryptGenerateSymmetricKey
BCryptSetProperty
BCryptOpenAlgorithmProvider
BCryptDestroyKey
BCryptCloseAlgorithmProvider
BCRYPT.DLL
psapi.dll
user32.dll
ole32.dll
gdi32.dll
FALSE
Cookies
Local State
\Opera Software\Opera GX Stable\
OperaGX
\Opera Software\Opera Stable\
Opera
\Tencent\QQBrowser\User Data\
QQBrowser
\360Browser\Browser\User Data\
360 Browser
\Microsoft\Edge\User Data\
Microsoft Edge
\7Star\7Star\User Data\
7Star
\brave\
Brave_Old
\Chedot\User Data\
Chedot Browser
\TorBro\Profile\
TorBro Browser
\CentBrowser\User Data\
Cent Browser
\CocCoc\Browser\User Data\
CocCoc
\Vivaldi\User Data\
Vivaldi
\Epic Privacy Browser\User Data\
Epic Privacy Browser
\Comodo\Dragon\User Data\
Comodo Dragon
\Torch\User Data\
Torch
\Amigo\User Data\
Amigo
\Chromium\User Data\
Chromium
\Google\Chrome\User Data\
Google Chrome
\Moonchild Productions\Pale Moon\Profiles\
Pale Moon
\Mozilla\Firefox\Profiles\
Mozilla Firefox
Soft: FileZilla
<Pass encoding="base64">
<User>
<Port>
<Host>
\AppData\Roaming\FileZilla\recentservers.xml
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
SELECT url FROM urls
SELECT target_path, tab_url from downloads
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
"SA^/
SELECT name, value FROM autofill
SELECT origin_url, username_value, password_value FROM logins
encryptedPassword
encryptedUsername
usernameField
formSubmitURL
logins.json
Web Data
Cookies
Login Data
netfulfilled
mnpayments
mncache
governance
banlist
mempool
peers
fee_estimates
Local\Microsoft
Roaming\WinRAR
Local\NuGet
Local\Packages
MicrosoftEdge\Cookies
Recycle.Bin
Local\Temp
Recovery
msdownld.tmp
System Volume Information
Config.Msi
RECYCLE.BIN
C:\ProgramData\
\Monero\
SOFTWARE\monero-project\monero-core
wallet_path
*.config
*.wallet
\Coinomi\Coinomi\wallets\
Coinomi
app-store.json
\Binance\
Binance
0000*
MANIFEST-000001
CURRENT
*.log
\atomic\Local Storage\leveldb\
Atomic
file__0.localstorage
\jaxx\Local Storage\
Jaxx_Desktop_Old
multidoge.wallet
\MultiDoge\
MultiDoge
default_wallet
\ElectronCash\wallets\
ElectronCash
info.seco
seed.seco
passphrase.json
\Exodus\exodus.wallet\
window-state.json
exodus.conf.json
\Exodus\
Exodus
\Electrum-LTC\wallets\
ElectrumLTC
\Electrum\wallets\
Electrum
\Ethereum\
Ethereum"
keystore
Plugins
Wallets
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2023:10:24 09:28:54
ZipCRC: 0x2f63f4df
ZipCompressedSize: 7954010
ZipUncompressedSize: 9899500
ZipFileName: TradingView Premium (PCDesktop).zip
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winrar.exe no specs winrar.exe no specs winrar.exe no specs #ARKEI tradingview premium (pcdesktop).exe #ARKEI tradingview premium (pcdesktop).exe no specs #ARKEI tradingview premium (pcdesktop).exe

Process information

PID
CMD
Path
Indicators
Parent process
1240"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\TradingView Premium (PCDesktop).zip.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2252"C:\Users\admin\Desktop\TradingView Premium (PCDesktop).zip\TradingView Premium (PCDesktop).exe" C:\Users\admin\Desktop\TradingView Premium (PCDesktop).zip\TradingView Premium (PCDesktop).exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
installing_the_modules_for_synchronization
Exit code:
0
Version:
1.1.0.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
Arkei
(PID) Process(2252) TradingView Premium (PCDesktop).exe
C2 (3)https://t.me/scubytale
104.0.0.0
https://steamcommunity.com/profiles/76561199564671869
Strings (536)kernel32.dll
GetUserNameA
advapi32.dll
GetComputerNameA
LocalAlloc
lstrcmpiW
VirtualFree
VirtualAlloc
VirtualAllocExNuma
GetCurrentProcess
ExitProcess
GetSystemTime
Sleep
GetProcAddress
lstrcatA
LoadLibraryA
JohnDoe
HAL9TH
Ledger Live
\Raven\
Raven Core
\Dogecoin\
Dogecoin
*wallet*.dat
wallet.dat
\Bitcoin\
Bitcoin Core Old
\Bitcoin\wallets\
Bitcoin Core
.finger-print.fp
simple-storage.json
Binance Desktop
loginusers.vdf
libraryfolders.vdf
DialogConfigOverlay*.vdf
DialogConfig.vdf
config.vdf
ssfn*
SteamPath
Software\Valve\Steam
C:\\\Windows\
C:\\Windows\
C:\Windows\
*%DRIVE_REMOVABLE%*
*%DRIVE_FIXED%*
*%RECENT%*
%DRIVE_REMOVABLE%
%DRIVE_FIXED%
%RECENT%
%PROGRAMFILES_86%
%PROGRAMFILES%
%DOCUMENTS%
%DESKTOP%
%USERPROFILE%
%LOCALAPPDATA%
%APPDATA%
\information.txt
[Software]
[Processes]
VideoCard:
RAM:
CPU Count:
Processor:
[Hardware]
TimeZone:
Local Time:
Keyboard Languages:
Display Language:
Display Resolution:
User Name:
Computer Name:
Windows:
Work Dir: In memory
Path:
HWID:
GUID:
MachineID:
Date:
Version:
sqlite3.dll
RoninWalletEdge
kjmoohlgokccodicjjfebfomlbljgfhk
IndexedDB
Sync Extension Settings
Local Extension Settings
UseMasterPassword
Security
Password
UserName
PortNumber
HostName
Soft: WinSCP
\Soft\Authy Desktop\
\Authy Desktop\Local Storage\leveldb\
\Soft\Authy Desktop Old\
\Authy Desktop\Local Storage\
*.localstorage
places.sqlite
formhistory.sqlite
cookies.sqlite
History
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Network
Password:
Login:
Host:
Soft:
"os_crypt":{"encrypted_key":"
\passwords.txt
\Soft\Telegram\
F8806DD0C461824F*
A92DAA6EA6F891F2*
A7FDF864FBC10B77*
D877F783D5D3EF8C*
key_datas
\Telegram Desktop\
Thunderbird
\Thunderbird\Profiles\
Brave
\BraveSoftware\Brave-Browser\User Data\
CryptoTab Browser
\CryptoTab Browser\User Data\
\Opera GX Stable\
\Opera Stable\
\Opera Software\
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_close
sqlite3_finalize
sqlite3_column_text
sqlite3_step
sqlite3_prepare_v2
sqlite3_open
GdipFree
GdipDisposeImage
GdipSaveImageToStream
GdiplusShutdown
GdiplusStartup
GdipCreateBitmapFromHBITMAP
GdipGetImageEncoders
GdipGetImageEncodersSize
SymMatchString
PathFindFileNameA
StrStrA
StrCmpCW
StrCmpCA
PathMatchSpecA
PathMatchSpecW
SHGetFolderPathA
SHFileOperationA
ShellExecuteExA
CloseWindow
GetWindowDC
GetWindowRect
GetHGlobalFromStream
CreateStreamOnHGlobal
CoInitialize
InternetCrackUrlA
AccessCheck
MapGenericMask
DuplicateToken
OpenProcessToken
GetFileSecurityA
RegEnumValueA
CryptBinaryToStringA
gdiplus.dll
dbghelp.dll
shlwapi.dll
shell32.dll
GetVolumeInformationA
GetWindowsDirectoryA
Process32Next
Process32First
CreateToolhelp32Snapshot
CreateEventA
OpenEventA
GetTickCount
SetEnvironmentVariableA
GetEnvironmentVariableA
GetFileInformationByHandle
CreateFileMappingA
FileTimeToSystemTime
UnmapViewOfFile
MapViewOfFile
LocalFileTimeToFileTime
GetFileAttributesW
GetFileAttributesA
WriteFile
SetFileTime
GetLocalTime
SystemTimeToFileTime
HeapFree
SetFilePointer
GetCurrentDirectoryA
DeleteFileA
CopyFileA
TzSpecificLocalTimeToSystemTime
GetTimeZoneInformation
GetFileSizeEx
OpenProcess
GetCurrentProcessId
GetLocaleInfoA
FreeLibrary
GlobalSize
GlobalLock
lstrcpynA
GetLastError
FindClose
FindNextFileA
FindFirstFileA
MultiByteToWideChar
lstrcpyA
GetDriveTypeA
lstrlenA
GetLogicalDriveStringsA
CloseHandle
ReadFile
GetFileSize
CreateFileA
GetProcessHeap
HeapAlloc
LocalFree
WideCharToMultiByte
GetSystemInfo
GetUserDefaultLocaleName
IsWow64Process
GlobalMemoryStatusEx
CreateThread
Discord Token:
dQw4w9WgXcQ:
\Soft\Discord\discord_tokens.txt
Session Storage
leveldb
Local Storage
Discord
\discord\
Wasabi Wallet
\WalletWasabi\Client\Wallets\
Blockstream Green
\Blockstream\Green\wallets\
she*.sqlite
Daedalus Mainnet
\Daedalus Mainnet\wallets\
Jaxx_Desktop
\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
GAuth Authenticator
ilgcnhelpchnceeipipijaljkblbcobl
EOS Authenticator
oeljdldpnmdbchonielidgobddffflal
Authy
gaedmjdfmmahhbjefcbgaolhhanlaolb
Authenticator
bhghoamapcdpbohphigoooaddinpkbai
jnkelfanjkeadonecabehalmbgpfodjm
Temple
ookjlbkiijinhpmnjffcofjonbfbgaoc
TezBox
mnfifefkajgofkcjkemidiaecocnkjeh
hcflpincpppdclinealmandijcmnkbgn
CyanoWallet
dkdedlpgdmmkkfjabffeganieamfklkm
Solflare
bhhhlbepdkbapadjdnnojkbgioiodbic
WavesKeeper
lpilbniiabackdjcionkobglmddfbcjo
MaiarDeFiWallet
dngmlblcodfobpdpecaadgfbcggfjfnm
NamiWallet
lpfcbjknijpeeillifnkikgncikgfhdo
XdefiWallet
hmeobnfnfcmdkdcmlblgagmfpfboieaf
BoltX
aodkkagnadcbobfpggfnjeongemjbjca
PaliWallet
mgffkfbidihjpoaomajlbgchddlicgpn
Oxygen (Atomic)
fhilaheimglignddkjgofkcbgekhenbh
BraveWallet
odbfpeeihdkbihmopkbjmoonfanlbfcl
ejbalbakoplchlghecdalmeeeajnimhm
Phantom
bfnaelmomeimhlpmgjnjophhpkkoljpa
Rabby
acmacodkjbdgmoleebolmdjonilkdbch
Trezor Password Manager
imloifkgjagghnncjkhggdhalmcnfklk
KardiaChain
pdadjkfkgcafgbceimcpbkalnfnepbnk
EVER Wallet
cgeeodpfagjceefieflmdfphplkenlfk
Coin98
aeachknmefphepccionboohckonoeemg
Harmony
fnnegphlobjdpkhecapkijjdkgcjhkib
ICONex
flpiciilemghbmfalicajoolhkkenfel
PolymeshWallet
jojhfeoedkpkglbfimdfabpdfjaoolaf
AuroWallet
cnmamaachppnkjgnildpdmkaakejnhae
Sollet
fhmfendgdocmcbmfikdcogofphimnkno
Keplr
k|{mn
dmkamcknogkgcdfhhbddcghachkejeap
Terra_Station
aiifbnbfobpmeekipheeijimdpnlpgpp
LiqualityWallet
kpfopkelmapcoipemfendmdcghnegimn
CloverWallet
nhnkbkgjikgcigadomkphalanndcapjk
NeoLine
cphhlgmgameodnhkjdmkpanlelnlohao
RoninWallet
fnjhmkhhmkbjkkabndcnnogagogbneec
GuildWallet
nanjmdknhkinifnkgdcggcfnhdaammmj
MewCx
nlbmnnijcnlegkjjpcfjclmcfggfefdm
Wombat
amkmjjmmflddogmhpjloimipbofnfjih
iWallet
kncchdigobghenbbaddojjnnaogfppfj
BitAppWallet
fihkakfobkmkjojpchpfgcmhfjnmnfpi
JaxxLiberty
cjelfplplebdjjenllpjcblmjkfcffne
EQUALWallet
blnieiiffboillknjnepogjhkgnoapac
Guarda
hpglfhgfnhbgpjdenjgmdgoeiappafln
Coinbase
hnfanknocfeofbddgcijnmhnfnkdnaad
MathWallet
afbcbjpbpfadlkmhmclhkeeodmamcflc
NiftyWallet
jbdaocneiiinmjbjlgalhcelgbejmnid
Yoroi
ffnbelfdoeiohenkjibnmadjiehjhajb
BinanceChainWallet
fhbohimaelbohpjbbldcngcnapndodjp
MetaMask
nkbihfbeogaeaoehlefnkodbefgpgknn
TronLink
ibnejdfjmmkpcnlpebklmnkoeoihofec
EnumProcessModules
GetModuleBaseNameA
GetModuleFileNameExA
GetSystemMetrics
EnumDisplayDevicesA
wsprintfA
GetDC
CharToOemA
GetKeyboardLayoutList
ReleaseDC
GetDesktopWindow
CoUninitialize
CoCreateInstance
CreateCompatibleDC
GetDeviceCaps
CreateDCA
DeleteObject
BitBlt
SelectObject
CreateCompatibleBitmap
DeleteUrlCacheEntry
InternetSetOptionA
InternetOpenUrlA
InternetSetFilePointer
HttpQueryInfoA
HttpAddRequestHeadersA
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
wininet.dll
GetCurrentHwProfileA
RegGetValueA
RegEnumKeyExA
RegGetValueW
RegOpenKeyExW
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
PK11SDR_Decrypt
PK11_Authenticate
PK11_FreeSlot
PK11_GetInternalKeySlot
NSS_Shutdown
NSS_Init
C:\ProgramData\nss3.dll
CryptStringToBinaryA
CryptUnprotectData
CRYPT32.DLL
BCryptDecrypt
BCryptGenerateSymmetricKey
BCryptSetProperty
BCryptOpenAlgorithmProvider
BCryptDestroyKey
BCryptCloseAlgorithmProvider
BCRYPT.DLL
psapi.dll
user32.dll
ole32.dll
gdi32.dll
FALSE
Cookies
Local State
\Opera Software\Opera GX Stable\
OperaGX
\Opera Software\Opera Stable\
Opera
\Tencent\QQBrowser\User Data\
QQBrowser
\360Browser\Browser\User Data\
360 Browser
\Microsoft\Edge\User Data\
Microsoft Edge
\7Star\7Star\User Data\
7Star
\brave\
Brave_Old
\Chedot\User Data\
Chedot Browser
\TorBro\Profile\
TorBro Browser
\CentBrowser\User Data\
Cent Browser
\CocCoc\Browser\User Data\
CocCoc
\Vivaldi\User Data\
Vivaldi
\Epic Privacy Browser\User Data\
Epic Privacy Browser
\Comodo\Dragon\User Data\
Comodo Dragon
\Torch\User Data\
Torch
\Amigo\User Data\
Amigo
\Chromium\User Data\
Chromium
\Google\Chrome\User Data\
Google Chrome
\Moonchild Productions\Pale Moon\Profiles\
Pale Moon
\Mozilla\Firefox\Profiles\
Mozilla Firefox
Soft: FileZilla
<Pass encoding="base64">
<User>
<Port>
<Host>
\AppData\Roaming\FileZilla\recentservers.xml
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
SELECT url FROM urls
SELECT target_path, tab_url from downloads
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
"SA^/
SELECT name, value FROM autofill
SELECT origin_url, username_value, password_value FROM logins
encryptedPassword
encryptedUsername
usernameField
formSubmitURL
logins.json
Web Data
Cookies
Login Data
netfulfilled
mnpayments
mncache
governance
banlist
mempool
peers
fee_estimates
Local\Microsoft
Roaming\WinRAR
Local\NuGet
Local\Packages
MicrosoftEdge\Cookies
Recycle.Bin
Local\Temp
Recovery
msdownld.tmp
System Volume Information
Config.Msi
RECYCLE.BIN
C:\ProgramData\
\Monero\
SOFTWARE\monero-project\monero-core
wallet_path
*.config
*.wallet
\Coinomi\Coinomi\wallets\
Coinomi
app-store.json
\Binance\
Binance
0000*
MANIFEST-000001
CURRENT
*.log
\atomic\Local Storage\leveldb\
Atomic
file__0.localstorage
\jaxx\Local Storage\
Jaxx_Desktop_Old
multidoge.wallet
\MultiDoge\
MultiDoge
default_wallet
\ElectronCash\wallets\
ElectronCash
info.seco
seed.seco
passphrase.json
\Exodus\exodus.wallet\
window-state.json
exodus.conf.json
\Exodus\
Exodus
\Electrum-LTC\wallets\
ElectrumLTC
\Electrum\wallets\
Electrum
\Ethereum\
Ethereum"
keystore
Plugins
Wallets
2416"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\TradingView Premium (PCDesktop).zip\TradingView Premium (PCDesktop).zip" "C:\Users\admin\Desktop\TradingView Premium (PCDesktop).zip\"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
3036"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb1240.49274\TradingView Premium (PCDesktop).zip"C:\Program Files\WinRAR\WinRAR.exeWinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3156"C:\Users\admin\Desktop\TradingView Premium (PCDesktop).zip\TradingView Premium (PCDesktop).exe" C:\Users\admin\Desktop\TradingView Premium (PCDesktop).zip\TradingView Premium (PCDesktop).exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
installing_the_modules_for_synchronization
Exit code:
0
Version:
1.1.0.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msctf.dll
Arkei
(PID) Process(3156) TradingView Premium (PCDesktop).exe
C2 (3)https://t.me/scubytale
104.0.0.0
https://steamcommunity.com/profiles/76561199564671869
Strings (536)kernel32.dll
GetUserNameA
advapi32.dll
GetComputerNameA
LocalAlloc
lstrcmpiW
VirtualFree
VirtualAlloc
VirtualAllocExNuma
GetCurrentProcess
ExitProcess
GetSystemTime
Sleep
GetProcAddress
lstrcatA
LoadLibraryA
JohnDoe
HAL9TH
Ledger Live
\Raven\
Raven Core
\Dogecoin\
Dogecoin
*wallet*.dat
wallet.dat
\Bitcoin\
Bitcoin Core Old
\Bitcoin\wallets\
Bitcoin Core
.finger-print.fp
simple-storage.json
Binance Desktop
loginusers.vdf
libraryfolders.vdf
DialogConfigOverlay*.vdf
DialogConfig.vdf
config.vdf
ssfn*
SteamPath
Software\Valve\Steam
C:\\\Windows\
C:\\Windows\
C:\Windows\
*%DRIVE_REMOVABLE%*
*%DRIVE_FIXED%*
*%RECENT%*
%DRIVE_REMOVABLE%
%DRIVE_FIXED%
%RECENT%
%PROGRAMFILES_86%
%PROGRAMFILES%
%DOCUMENTS%
%DESKTOP%
%USERPROFILE%
%LOCALAPPDATA%
%APPDATA%
\information.txt
[Software]
[Processes]
VideoCard:
RAM:
CPU Count:
Processor:
[Hardware]
TimeZone:
Local Time:
Keyboard Languages:
Display Language:
Display Resolution:
User Name:
Computer Name:
Windows:
Work Dir: In memory
Path:
HWID:
GUID:
MachineID:
Date:
Version:
sqlite3.dll
RoninWalletEdge
kjmoohlgokccodicjjfebfomlbljgfhk
IndexedDB
Sync Extension Settings
Local Extension Settings
UseMasterPassword
Security
Password
UserName
PortNumber
HostName
Soft: WinSCP
\Soft\Authy Desktop\
\Authy Desktop\Local Storage\leveldb\
\Soft\Authy Desktop Old\
\Authy Desktop\Local Storage\
*.localstorage
places.sqlite
formhistory.sqlite
cookies.sqlite
History
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Network
Password:
Login:
Host:
Soft:
"os_crypt":{"encrypted_key":"
\passwords.txt
\Soft\Telegram\
F8806DD0C461824F*
A92DAA6EA6F891F2*
A7FDF864FBC10B77*
D877F783D5D3EF8C*
key_datas
\Telegram Desktop\
Thunderbird
\Thunderbird\Profiles\
Brave
\BraveSoftware\Brave-Browser\User Data\
CryptoTab Browser
\CryptoTab Browser\User Data\
\Opera GX Stable\
\Opera Stable\
\Opera Software\
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_close
sqlite3_finalize
sqlite3_column_text
sqlite3_step
sqlite3_prepare_v2
sqlite3_open
GdipFree
GdipDisposeImage
GdipSaveImageToStream
GdiplusShutdown
GdiplusStartup
GdipCreateBitmapFromHBITMAP
GdipGetImageEncoders
GdipGetImageEncodersSize
SymMatchString
PathFindFileNameA
StrStrA
StrCmpCW
StrCmpCA
PathMatchSpecA
PathMatchSpecW
SHGetFolderPathA
SHFileOperationA
ShellExecuteExA
CloseWindow
GetWindowDC
GetWindowRect
GetHGlobalFromStream
CreateStreamOnHGlobal
CoInitialize
InternetCrackUrlA
AccessCheck
MapGenericMask
DuplicateToken
OpenProcessToken
GetFileSecurityA
RegEnumValueA
CryptBinaryToStringA
gdiplus.dll
dbghelp.dll
shlwapi.dll
shell32.dll
GetVolumeInformationA
GetWindowsDirectoryA
Process32Next
Process32First
CreateToolhelp32Snapshot
CreateEventA
OpenEventA
GetTickCount
SetEnvironmentVariableA
GetEnvironmentVariableA
GetFileInformationByHandle
CreateFileMappingA
FileTimeToSystemTime
UnmapViewOfFile
MapViewOfFile
LocalFileTimeToFileTime
GetFileAttributesW
GetFileAttributesA
WriteFile
SetFileTime
GetLocalTime
SystemTimeToFileTime
HeapFree
SetFilePointer
GetCurrentDirectoryA
DeleteFileA
CopyFileA
TzSpecificLocalTimeToSystemTime
GetTimeZoneInformation
GetFileSizeEx
OpenProcess
GetCurrentProcessId
GetLocaleInfoA
FreeLibrary
GlobalSize
GlobalLock
lstrcpynA
GetLastError
FindClose
FindNextFileA
FindFirstFileA
MultiByteToWideChar
lstrcpyA
GetDriveTypeA
lstrlenA
GetLogicalDriveStringsA
CloseHandle
ReadFile
GetFileSize
CreateFileA
GetProcessHeap
HeapAlloc
LocalFree
WideCharToMultiByte
GetSystemInfo
GetUserDefaultLocaleName
IsWow64Process
GlobalMemoryStatusEx
CreateThread
Discord Token:
dQw4w9WgXcQ:
\Soft\Discord\discord_tokens.txt
Session Storage
leveldb
Local Storage
Discord
\discord\
Wasabi Wallet
\WalletWasabi\Client\Wallets\
Blockstream Green
\Blockstream\Green\wallets\
she*.sqlite
Daedalus Mainnet
\Daedalus Mainnet\wallets\
Jaxx_Desktop
\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
GAuth Authenticator
ilgcnhelpchnceeipipijaljkblbcobl
EOS Authenticator
oeljdldpnmdbchonielidgobddffflal
Authy
gaedmjdfmmahhbjefcbgaolhhanlaolb
Authenticator
bhghoamapcdpbohphigoooaddinpkbai
jnkelfanjkeadonecabehalmbgpfodjm
Temple
ookjlbkiijinhpmnjffcofjonbfbgaoc
TezBox
mnfifefkajgofkcjkemidiaecocnkjeh
hcflpincpppdclinealmandijcmnkbgn
CyanoWallet
dkdedlpgdmmkkfjabffeganieamfklkm
Solflare
bhhhlbepdkbapadjdnnojkbgioiodbic
WavesKeeper
lpilbniiabackdjcionkobglmddfbcjo
MaiarDeFiWallet
dngmlblcodfobpdpecaadgfbcggfjfnm
NamiWallet
lpfcbjknijpeeillifnkikgncikgfhdo
XdefiWallet
hmeobnfnfcmdkdcmlblgagmfpfboieaf
BoltX
aodkkagnadcbobfpggfnjeongemjbjca
PaliWallet
mgffkfbidihjpoaomajlbgchddlicgpn
Oxygen (Atomic)
fhilaheimglignddkjgofkcbgekhenbh
BraveWallet
odbfpeeihdkbihmopkbjmoonfanlbfcl
ejbalbakoplchlghecdalmeeeajnimhm
Phantom
bfnaelmomeimhlpmgjnjophhpkkoljpa
Rabby
acmacodkjbdgmoleebolmdjonilkdbch
Trezor Password Manager
imloifkgjagghnncjkhggdhalmcnfklk
KardiaChain
pdadjkfkgcafgbceimcpbkalnfnepbnk
EVER Wallet
cgeeodpfagjceefieflmdfphplkenlfk
Coin98
aeachknmefphepccionboohckonoeemg
Harmony
fnnegphlobjdpkhecapkijjdkgcjhkib
ICONex
flpiciilemghbmfalicajoolhkkenfel
PolymeshWallet
jojhfeoedkpkglbfimdfabpdfjaoolaf
AuroWallet
cnmamaachppnkjgnildpdmkaakejnhae
Sollet
fhmfendgdocmcbmfikdcogofphimnkno
Keplr
k|{mn
dmkamcknogkgcdfhhbddcghachkejeap
Terra_Station
aiifbnbfobpmeekipheeijimdpnlpgpp
LiqualityWallet
kpfopkelmapcoipemfendmdcghnegimn
CloverWallet
nhnkbkgjikgcigadomkphalanndcapjk
NeoLine
cphhlgmgameodnhkjdmkpanlelnlohao
RoninWallet
fnjhmkhhmkbjkkabndcnnogagogbneec
GuildWallet
nanjmdknhkinifnkgdcggcfnhdaammmj
MewCx
nlbmnnijcnlegkjjpcfjclmcfggfefdm
Wombat
amkmjjmmflddogmhpjloimipbofnfjih
iWallet
kncchdigobghenbbaddojjnnaogfppfj
BitAppWallet
fihkakfobkmkjojpchpfgcmhfjnmnfpi
JaxxLiberty
cjelfplplebdjjenllpjcblmjkfcffne
EQUALWallet
blnieiiffboillknjnepogjhkgnoapac
Guarda
hpglfhgfnhbgpjdenjgmdgoeiappafln
Coinbase
hnfanknocfeofbddgcijnmhnfnkdnaad
MathWallet
afbcbjpbpfadlkmhmclhkeeodmamcflc
NiftyWallet
jbdaocneiiinmjbjlgalhcelgbejmnid
Yoroi
ffnbelfdoeiohenkjibnmadjiehjhajb
BinanceChainWallet
fhbohimaelbohpjbbldcngcnapndodjp
MetaMask
nkbihfbeogaeaoehlefnkodbefgpgknn
TronLink
ibnejdfjmmkpcnlpebklmnkoeoihofec
EnumProcessModules
GetModuleBaseNameA
GetModuleFileNameExA
GetSystemMetrics
EnumDisplayDevicesA
wsprintfA
GetDC
CharToOemA
GetKeyboardLayoutList
ReleaseDC
GetDesktopWindow
CoUninitialize
CoCreateInstance
CreateCompatibleDC
GetDeviceCaps
CreateDCA
DeleteObject
BitBlt
SelectObject
CreateCompatibleBitmap
DeleteUrlCacheEntry
InternetSetOptionA
InternetOpenUrlA
InternetSetFilePointer
HttpQueryInfoA
HttpAddRequestHeadersA
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
wininet.dll
GetCurrentHwProfileA
RegGetValueA
RegEnumKeyExA
RegGetValueW
RegOpenKeyExW
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
PK11SDR_Decrypt
PK11_Authenticate
PK11_FreeSlot
PK11_GetInternalKeySlot
NSS_Shutdown
NSS_Init
C:\ProgramData\nss3.dll
CryptStringToBinaryA
CryptUnprotectData
CRYPT32.DLL
BCryptDecrypt
BCryptGenerateSymmetricKey
BCryptSetProperty
BCryptOpenAlgorithmProvider
BCryptDestroyKey
BCryptCloseAlgorithmProvider
BCRYPT.DLL
psapi.dll
user32.dll
ole32.dll
gdi32.dll
FALSE
Cookies
Local State
\Opera Software\Opera GX Stable\
OperaGX
\Opera Software\Opera Stable\
Opera
\Tencent\QQBrowser\User Data\
QQBrowser
\360Browser\Browser\User Data\
360 Browser
\Microsoft\Edge\User Data\
Microsoft Edge
\7Star\7Star\User Data\
7Star
\brave\
Brave_Old
\Chedot\User Data\
Chedot Browser
\TorBro\Profile\
TorBro Browser
\CentBrowser\User Data\
Cent Browser
\CocCoc\Browser\User Data\
CocCoc
\Vivaldi\User Data\
Vivaldi
\Epic Privacy Browser\User Data\
Epic Privacy Browser
\Comodo\Dragon\User Data\
Comodo Dragon
\Torch\User Data\
Torch
\Amigo\User Data\
Amigo
\Chromium\User Data\
Chromium
\Google\Chrome\User Data\
Google Chrome
\Moonchild Productions\Pale Moon\Profiles\
Pale Moon
\Mozilla\Firefox\Profiles\
Mozilla Firefox
Soft: FileZilla
<Pass encoding="base64">
<User>
<Port>
<Host>
\AppData\Roaming\FileZilla\recentservers.xml
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
SELECT url FROM urls
SELECT target_path, tab_url from downloads
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
"SA^/
SELECT name, value FROM autofill
SELECT origin_url, username_value, password_value FROM logins
encryptedPassword
encryptedUsername
usernameField
formSubmitURL
logins.json
Web Data
Cookies
Login Data
netfulfilled
mnpayments
mncache
governance
banlist
mempool
peers
fee_estimates
Local\Microsoft
Roaming\WinRAR
Local\NuGet
Local\Packages
MicrosoftEdge\Cookies
Recycle.Bin
Local\Temp
Recovery
msdownld.tmp
System Volume Information
Config.Msi
RECYCLE.BIN
C:\ProgramData\
\Monero\
SOFTWARE\monero-project\monero-core
wallet_path
*.config
*.wallet
\Coinomi\Coinomi\wallets\
Coinomi
app-store.json
\Binance\
Binance
0000*
MANIFEST-000001
CURRENT
*.log
\atomic\Local Storage\leveldb\
Atomic
file__0.localstorage
\jaxx\Local Storage\
Jaxx_Desktop_Old
multidoge.wallet
\MultiDoge\
MultiDoge
default_wallet
\ElectronCash\wallets\
ElectronCash
info.seco
seed.seco
passphrase.json
\Exodus\exodus.wallet\
window-state.json
exodus.conf.json
\Exodus\
Exodus
\Electrum-LTC\wallets\
ElectrumLTC
\Electrum\wallets\
Electrum
\Ethereum\
Ethereum"
keystore
Plugins
Wallets
3708"C:\Users\admin\Desktop\TradingView Premium (PCDesktop).zip\TradingView Premium (PCDesktop).exe" C:\Users\admin\Desktop\TradingView Premium (PCDesktop).zip\TradingView Premium (PCDesktop).exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
installing_the_modules_for_synchronization
Exit code:
0
Version:
1.1.0.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
Arkei
(PID) Process(3708) TradingView Premium (PCDesktop).exe
C2 (3)https://t.me/scubytale
104.0.0.0
https://steamcommunity.com/profiles/76561199564671869
Strings (536)kernel32.dll
GetUserNameA
advapi32.dll
GetComputerNameA
LocalAlloc
lstrcmpiW
VirtualFree
VirtualAlloc
VirtualAllocExNuma
GetCurrentProcess
ExitProcess
GetSystemTime
Sleep
GetProcAddress
lstrcatA
LoadLibraryA
JohnDoe
HAL9TH
Ledger Live
\Raven\
Raven Core
\Dogecoin\
Dogecoin
*wallet*.dat
wallet.dat
\Bitcoin\
Bitcoin Core Old
\Bitcoin\wallets\
Bitcoin Core
.finger-print.fp
simple-storage.json
Binance Desktop
loginusers.vdf
libraryfolders.vdf
DialogConfigOverlay*.vdf
DialogConfig.vdf
config.vdf
ssfn*
SteamPath
Software\Valve\Steam
C:\\\Windows\
C:\\Windows\
C:\Windows\
*%DRIVE_REMOVABLE%*
*%DRIVE_FIXED%*
*%RECENT%*
%DRIVE_REMOVABLE%
%DRIVE_FIXED%
%RECENT%
%PROGRAMFILES_86%
%PROGRAMFILES%
%DOCUMENTS%
%DESKTOP%
%USERPROFILE%
%LOCALAPPDATA%
%APPDATA%
\information.txt
[Software]
[Processes]
VideoCard:
RAM:
CPU Count:
Processor:
[Hardware]
TimeZone:
Local Time:
Keyboard Languages:
Display Language:
Display Resolution:
User Name:
Computer Name:
Windows:
Work Dir: In memory
Path:
HWID:
GUID:
MachineID:
Date:
Version:
sqlite3.dll
RoninWalletEdge
kjmoohlgokccodicjjfebfomlbljgfhk
IndexedDB
Sync Extension Settings
Local Extension Settings
UseMasterPassword
Security
Password
UserName
PortNumber
HostName
Soft: WinSCP
\Soft\Authy Desktop\
\Authy Desktop\Local Storage\leveldb\
\Soft\Authy Desktop Old\
\Authy Desktop\Local Storage\
*.localstorage
places.sqlite
formhistory.sqlite
cookies.sqlite
History
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Network
Password:
Login:
Host:
Soft:
"os_crypt":{"encrypted_key":"
\passwords.txt
\Soft\Telegram\
F8806DD0C461824F*
A92DAA6EA6F891F2*
A7FDF864FBC10B77*
D877F783D5D3EF8C*
key_datas
\Telegram Desktop\
Thunderbird
\Thunderbird\Profiles\
Brave
\BraveSoftware\Brave-Browser\User Data\
CryptoTab Browser
\CryptoTab Browser\User Data\
\Opera GX Stable\
\Opera Stable\
\Opera Software\
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_close
sqlite3_finalize
sqlite3_column_text
sqlite3_step
sqlite3_prepare_v2
sqlite3_open
GdipFree
GdipDisposeImage
GdipSaveImageToStream
GdiplusShutdown
GdiplusStartup
GdipCreateBitmapFromHBITMAP
GdipGetImageEncoders
GdipGetImageEncodersSize
SymMatchString
PathFindFileNameA
StrStrA
StrCmpCW
StrCmpCA
PathMatchSpecA
PathMatchSpecW
SHGetFolderPathA
SHFileOperationA
ShellExecuteExA
CloseWindow
GetWindowDC
GetWindowRect
GetHGlobalFromStream
CreateStreamOnHGlobal
CoInitialize
InternetCrackUrlA
AccessCheck
MapGenericMask
DuplicateToken
OpenProcessToken
GetFileSecurityA
RegEnumValueA
CryptBinaryToStringA
gdiplus.dll
dbghelp.dll
shlwapi.dll
shell32.dll
GetVolumeInformationA
GetWindowsDirectoryA
Process32Next
Process32First
CreateToolhelp32Snapshot
CreateEventA
OpenEventA
GetTickCount
SetEnvironmentVariableA
GetEnvironmentVariableA
GetFileInformationByHandle
CreateFileMappingA
FileTimeToSystemTime
UnmapViewOfFile
MapViewOfFile
LocalFileTimeToFileTime
GetFileAttributesW
GetFileAttributesA
WriteFile
SetFileTime
GetLocalTime
SystemTimeToFileTime
HeapFree
SetFilePointer
GetCurrentDirectoryA
DeleteFileA
CopyFileA
TzSpecificLocalTimeToSystemTime
GetTimeZoneInformation
GetFileSizeEx
OpenProcess
GetCurrentProcessId
GetLocaleInfoA
FreeLibrary
GlobalSize
GlobalLock
lstrcpynA
GetLastError
FindClose
FindNextFileA
FindFirstFileA
MultiByteToWideChar
lstrcpyA
GetDriveTypeA
lstrlenA
GetLogicalDriveStringsA
CloseHandle
ReadFile
GetFileSize
CreateFileA
GetProcessHeap
HeapAlloc
LocalFree
WideCharToMultiByte
GetSystemInfo
GetUserDefaultLocaleName
IsWow64Process
GlobalMemoryStatusEx
CreateThread
Discord Token:
dQw4w9WgXcQ:
\Soft\Discord\discord_tokens.txt
Session Storage
leveldb
Local Storage
Discord
\discord\
Wasabi Wallet
\WalletWasabi\Client\Wallets\
Blockstream Green
\Blockstream\Green\wallets\
she*.sqlite
Daedalus Mainnet
\Daedalus Mainnet\wallets\
Jaxx_Desktop
\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
GAuth Authenticator
ilgcnhelpchnceeipipijaljkblbcobl
EOS Authenticator
oeljdldpnmdbchonielidgobddffflal
Authy
gaedmjdfmmahhbjefcbgaolhhanlaolb
Authenticator
bhghoamapcdpbohphigoooaddinpkbai
jnkelfanjkeadonecabehalmbgpfodjm
Temple
ookjlbkiijinhpmnjffcofjonbfbgaoc
TezBox
mnfifefkajgofkcjkemidiaecocnkjeh
hcflpincpppdclinealmandijcmnkbgn
CyanoWallet
dkdedlpgdmmkkfjabffeganieamfklkm
Solflare
bhhhlbepdkbapadjdnnojkbgioiodbic
WavesKeeper
lpilbniiabackdjcionkobglmddfbcjo
MaiarDeFiWallet
dngmlblcodfobpdpecaadgfbcggfjfnm
NamiWallet
lpfcbjknijpeeillifnkikgncikgfhdo
XdefiWallet
hmeobnfnfcmdkdcmlblgagmfpfboieaf
BoltX
aodkkagnadcbobfpggfnjeongemjbjca
PaliWallet
mgffkfbidihjpoaomajlbgchddlicgpn
Oxygen (Atomic)
fhilaheimglignddkjgofkcbgekhenbh
BraveWallet
odbfpeeihdkbihmopkbjmoonfanlbfcl
ejbalbakoplchlghecdalmeeeajnimhm
Phantom
bfnaelmomeimhlpmgjnjophhpkkoljpa
Rabby
acmacodkjbdgmoleebolmdjonilkdbch
Trezor Password Manager
imloifkgjagghnncjkhggdhalmcnfklk
KardiaChain
pdadjkfkgcafgbceimcpbkalnfnepbnk
EVER Wallet
cgeeodpfagjceefieflmdfphplkenlfk
Coin98
aeachknmefphepccionboohckonoeemg
Harmony
fnnegphlobjdpkhecapkijjdkgcjhkib
ICONex
flpiciilemghbmfalicajoolhkkenfel
PolymeshWallet
jojhfeoedkpkglbfimdfabpdfjaoolaf
AuroWallet
cnmamaachppnkjgnildpdmkaakejnhae
Sollet
fhmfendgdocmcbmfikdcogofphimnkno
Keplr
k|{mn
dmkamcknogkgcdfhhbddcghachkejeap
Terra_Station
aiifbnbfobpmeekipheeijimdpnlpgpp
LiqualityWallet
kpfopkelmapcoipemfendmdcghnegimn
CloverWallet
nhnkbkgjikgcigadomkphalanndcapjk
NeoLine
cphhlgmgameodnhkjdmkpanlelnlohao
RoninWallet
fnjhmkhhmkbjkkabndcnnogagogbneec
GuildWallet
nanjmdknhkinifnkgdcggcfnhdaammmj
MewCx
nlbmnnijcnlegkjjpcfjclmcfggfefdm
Wombat
amkmjjmmflddogmhpjloimipbofnfjih
iWallet
kncchdigobghenbbaddojjnnaogfppfj
BitAppWallet
fihkakfobkmkjojpchpfgcmhfjnmnfpi
JaxxLiberty
cjelfplplebdjjenllpjcblmjkfcffne
EQUALWallet
blnieiiffboillknjnepogjhkgnoapac
Guarda
hpglfhgfnhbgpjdenjgmdgoeiappafln
Coinbase
hnfanknocfeofbddgcijnmhnfnkdnaad
MathWallet
afbcbjpbpfadlkmhmclhkeeodmamcflc
NiftyWallet
jbdaocneiiinmjbjlgalhcelgbejmnid
Yoroi
ffnbelfdoeiohenkjibnmadjiehjhajb
BinanceChainWallet
fhbohimaelbohpjbbldcngcnapndodjp
MetaMask
nkbihfbeogaeaoehlefnkodbefgpgknn
TronLink
ibnejdfjmmkpcnlpebklmnkoeoihofec
EnumProcessModules
GetModuleBaseNameA
GetModuleFileNameExA
GetSystemMetrics
EnumDisplayDevicesA
wsprintfA
GetDC
CharToOemA
GetKeyboardLayoutList
ReleaseDC
GetDesktopWindow
CoUninitialize
CoCreateInstance
CreateCompatibleDC
GetDeviceCaps
CreateDCA
DeleteObject
BitBlt
SelectObject
CreateCompatibleBitmap
DeleteUrlCacheEntry
InternetSetOptionA
InternetOpenUrlA
InternetSetFilePointer
HttpQueryInfoA
HttpAddRequestHeadersA
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
wininet.dll
GetCurrentHwProfileA
RegGetValueA
RegEnumKeyExA
RegGetValueW
RegOpenKeyExW
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
PK11SDR_Decrypt
PK11_Authenticate
PK11_FreeSlot
PK11_GetInternalKeySlot
NSS_Shutdown
NSS_Init
C:\ProgramData\nss3.dll
CryptStringToBinaryA
CryptUnprotectData
CRYPT32.DLL
BCryptDecrypt
BCryptGenerateSymmetricKey
BCryptSetProperty
BCryptOpenAlgorithmProvider
BCryptDestroyKey
BCryptCloseAlgorithmProvider
BCRYPT.DLL
psapi.dll
user32.dll
ole32.dll
gdi32.dll
FALSE
Cookies
Local State
\Opera Software\Opera GX Stable\
OperaGX
\Opera Software\Opera Stable\
Opera
\Tencent\QQBrowser\User Data\
QQBrowser
\360Browser\Browser\User Data\
360 Browser
\Microsoft\Edge\User Data\
Microsoft Edge
\7Star\7Star\User Data\
7Star
\brave\
Brave_Old
\Chedot\User Data\
Chedot Browser
\TorBro\Profile\
TorBro Browser
\CentBrowser\User Data\
Cent Browser
\CocCoc\Browser\User Data\
CocCoc
\Vivaldi\User Data\
Vivaldi
\Epic Privacy Browser\User Data\
Epic Privacy Browser
\Comodo\Dragon\User Data\
Comodo Dragon
\Torch\User Data\
Torch
\Amigo\User Data\
Amigo
\Chromium\User Data\
Chromium
\Google\Chrome\User Data\
Google Chrome
\Moonchild Productions\Pale Moon\Profiles\
Pale Moon
\Mozilla\Firefox\Profiles\
Mozilla Firefox
Soft: FileZilla
<Pass encoding="base64">
<User>
<Port>
<Host>
\AppData\Roaming\FileZilla\recentservers.xml
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
SELECT url FROM urls
SELECT target_path, tab_url from downloads
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
"SA^/
SELECT name, value FROM autofill
SELECT origin_url, username_value, password_value FROM logins
encryptedPassword
encryptedUsername
usernameField
formSubmitURL
logins.json
Web Data
Cookies
Login Data
netfulfilled
mnpayments
mncache
governance
banlist
mempool
peers
fee_estimates
Local\Microsoft
Roaming\WinRAR
Local\NuGet
Local\Packages
MicrosoftEdge\Cookies
Recycle.Bin
Local\Temp
Recovery
msdownld.tmp
System Volume Information
Config.Msi
RECYCLE.BIN
C:\ProgramData\
\Monero\
SOFTWARE\monero-project\monero-core
wallet_path
*.config
*.wallet
\Coinomi\Coinomi\wallets\
Coinomi
app-store.json
\Binance\
Binance
0000*
MANIFEST-000001
CURRENT
*.log
\atomic\Local Storage\leveldb\
Atomic
file__0.localstorage
\jaxx\Local Storage\
Jaxx_Desktop_Old
multidoge.wallet
\MultiDoge\
MultiDoge
default_wallet
\ElectronCash\wallets\
ElectronCash
info.seco
seed.seco
passphrase.json
\Exodus\exodus.wallet\
window-state.json
exodus.conf.json
\Exodus\
Exodus
\Electrum-LTC\wallets\
ElectrumLTC
\Electrum\wallets\
Electrum
\Ethereum\
Ethereum"
keystore
Plugins
Wallets
3932"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\TradingView Premium (PCDesktop).zip.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\comdlg32.dll
Total events
7 117
Read events
7 020
Write events
97
Delete events
0

Modification events

(PID) Process:(1240) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1240) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(1240) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(1240) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(1240) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1240) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1240) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1240) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1240) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1240) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
80
Suspicious files
102
Text files
177
Unknown types
10

Dropped files

PID
Process
Filename
Type
3036WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3036.054\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.pngimage
MD5:9D668FB893225B8AEB91FE21D2BBEE9A
SHA256:49D57607054D07581044A39025EA0FF623185D5E8117B7325084DB098795298D
3036WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3036.054\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.pngimage
MD5:387DC16210273E62FFAE06972E45CBAC
SHA256:C6133633C005B1C344F4AE682811157A366AF0F9F637EE4FB65E896FFBF0D71E
3036WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3036.054\lua\http\css\mobile.csstext
MD5:C32EA1F5680C3FAA5B10A037C0471543
SHA256:F5FCECF622743134645E16015C3E8B03E83A2EB4DD00C4CD6D5DC287A016C1E8
3036WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3036.054\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.pngimage
MD5:139B9F8B50309295D4632C927F2060D3
SHA256:ADB182BF32D80030963BFAE7079295B8C35085A85CF5A0FE28046DB1B4836E7F
3036WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3036.054\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.pngimage
MD5:E61F2C0C8FCB00498F21B2F3DB1E3208
SHA256:983C3DE6ADC1D836B26E97BCB87CB29FB5B31B2FC87AE78563BD6E328907667B
3036WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3036.054\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.pngimage
MD5:EBFE0256941F757936125A104DD0E47F
SHA256:61B9E46D291ED3D7800CBC899B7EDCB95327D16CD61085BB515381AF32BC1469
3036WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3036.054\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.pngimage
MD5:9298AEDA82B7E456B4627E7F7876C72B
SHA256:3D9EF9C36B2407D3766FD183927E2778A1E4ABAAF2233910453BAFAF76E1F3DB
3036WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3036.054\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.pngimage
MD5:4B92DDCABFD72C2E4CC1D4825542D8D9
SHA256:0307F13B51F07C8D10EDE9B29C8F43CB02024FCD2D69F04A26600A4244846AC0
3036WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3036.054\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.pngimage
MD5:6BDAA44E692C036B6E478B5AB08B2687
SHA256:29043EC911594970261AB6C5E03DE903C1161ED13A25A377449C9C3B22134C28
3036WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3036.054\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.pngimage
MD5:4284546507EDEED79552E7E3CF6CBE66
SHA256:40A22C997402DDB59E9E344C2D0A8C4CAFE64CF4B103584208863EEC05DFA897
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
7
DNS requests
11
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2252
TradingView Premium (PCDesktop).exe
GET
192.229.211.108:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
unknown
unknown
2252
TradingView Premium (PCDesktop).exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c3d6a251f87007c0
unknown
compressed
4.66 Kb
unknown
2252
TradingView Premium (PCDesktop).exe
GET
192.229.211.108:80
http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
2252
TradingView Premium (PCDesktop).exe
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
unknown
2252
TradingView Premium (PCDesktop).exe
23.55.153.106:443
steamcommunity.com
AKAMAI-AS
FR
unknown
2252
TradingView Premium (PCDesktop).exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
2252
TradingView Premium (PCDesktop).exe
192.229.211.108:80
ocsp.digicert.com
EDGECAST
US
unknown

DNS requests

Domain
IP
Reputation
t.me
  • 149.154.167.99
whitelisted
steamcommunity.com
  • 23.55.153.106
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 192.229.211.108
whitelisted
crl4.digicert.com
  • 192.229.211.108
whitelisted

Threats

PID
Process
Class
Message
2252
TradingView Premium (PCDesktop).exe
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
TradingView Premium (PCDesktop).zip.zip