Malware analysis https://pornopremiumlove.com/hdporno.php Malicious activity | ANY.RUN - Malware Sandbox Online

Add for printing

URL:	https://pornopremiumlove.com/hdporno.php
Full analysis:	https://app.any.run/tasks/f74d00d1-61a9-4351-aa75-67904a81dd5d
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Zloader is a banking trojan that uses webinjects and VNC clients to still banking credentials. This Trojan is based on leaked code from 2011, but despite its age, Zloader’s popularity has been only increasing through early 2020, when it relied on COVID-19 themed attacks. Malware Trends Tracker >>>
Analysis date:	August 05, 2021, 06:45:48
OS:	Windows 10 Professional (build: 16299, 64 bit)
Tags:	terdot zloader loader
Indicators:
MD5:	CB0631C9869844E7399BBCCB0C9C3D89
SHA1:	9B7AF70EB59FAE47C9F33AA63C2A12956A408341
SHA256:	D4B9839CF78E0456773F5C5CBBEC9083C315AF7A914B62BF17D38E715CCDF508
SSDEEP:	3:N8OuVdurLd9BgX+LV:2OuVAfVV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 900 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: on
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.431.16299.0 KB4103768
Adobe Acrobat Reader DC (20.013.20074)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (5.74)
FileZilla Client 3.51.0 (3.51.0)
Google Chrome (87.0.4280.88)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Microsoft Office Professional 2019 - de-de (16.0.12026.20264)
Microsoft Office Professional 2019 - en-us (16.0.12026.20264)
Microsoft Office Professional 2019 - es-es (16.0.12026.20264)
Microsoft Office Professional 2019 - it-it (16.0.12026.20264)
Microsoft Office Professional 2019 - ja-jp (16.0.12026.20264)
Microsoft Office Professional 2019 - ko-kr (16.0.12026.20264)
Microsoft Office Professional 2019 - pt-br (16.0.12026.20264)
Microsoft Office Professional 2019 - tr-tr (16.0.12026.20264)
Microsoft Office Professionnel 2019 - fr-fr (16.0.12026.20264)
Microsoft Office профессиональный 2019 - ru-ru (16.0.12026.20264)
Mozilla Firefox 84.0 (x64 en-US) (84.0)
Mozilla Maintenance Service (84.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.12026.20264)
Office 16 Click-to-Run Licensing Component (16.0.12026.20264)
Office 16 Click-to-Run Localization Component (16.0.12026.20264)
Opera 12.15 (12.15.1748)
QGA (2.14.32)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.67.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
VLC media player (3.0.11)
WinRAR 5.60 (64-bit) (5.60.0)
Windows 10 Upgrade Assistant (1.4.9200.22175)

Hotfixes

Client LanguagePack Package
Foundation Package
InternetExplorer Optional Package
KB4054022
KB4055237
KB4055994
KB4058043
KB4078408
KB4093110
KB4094276
KB4103729
KB4131372
KB4134661
KB4295110
KB4462930
KB4493478
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
NetFx3 OnDemand Package
ProfessionalEdition
QuickAssist Package
RollupFix

Add for printing

MALICIOUS
- Executes PowerShell scripts
  - cmd.exe (PID: 2164)
  - cmd.exe (PID: 5740)
- Loads dropped or rewritten executable
  - patch_service.exe (PID: 3200)
- Application was dropped or rewritten from another process
  - patch_service.exe (PID: 3200)
SUSPICIOUS
- Application launched itself
  - chrmstp.exe (PID: 6140)
  - cmd.exe (PID: 2164)
- Reads the computer name
  - chrmstp.exe (PID: 6140)
  - powershell.exe (PID: 412)
  - powershell.exe (PID: 5692)
  - powershell.exe (PID: 5924)
  - powershell.exe (PID: 1596)
  - patch_service.exe (PID: 3200)
- Starts Microsoft Installer
  - chrome.exe (PID: 3812)
- Checks supported languages
  - chrmstp.exe (PID: 6140)
  - cmd.exe (PID: 2164)
  - conhost.exe (PID: 5496)
  - cmd.exe (PID: 5740)
  - powershell.exe (PID: 1596)
  - powershell.exe (PID: 5692)
  - powershell.exe (PID: 5924)
  - powershell.exe (PID: 412)
  - patch_service.exe (PID: 3200)
- Executable content was dropped or overwritten
  - chrome.exe (PID: 3812)
  - msiexec.exe (PID: 5228)
- Reads the Windows organization settings
  - msiexec.exe (PID: 6108)
  - msiexec.exe (PID: 5228)
- Executed as Windows Service
  - msiexec.exe (PID: 5228)
- Reads Windows owner or organization settings
  - msiexec.exe (PID: 6108)
  - msiexec.exe (PID: 5228)
- Creates files in the Windows directory
  - msiexec.exe (PID: 5228)
- Drops a file with too old compile date
  - msiexec.exe (PID: 5228)
- Creates a directory in Program Files
  - msiexec.exe (PID: 5228)
- Drops a file that was compiled in debug mode
  - msiexec.exe (PID: 5228)
- Drops a file with a compile date too recent
  - msiexec.exe (PID: 5228)
  - chrome.exe (PID: 492)
- Creates files in the program directory
  - msiexec.exe (PID: 5228)
- Creates a software uninstall entry
  - msiexec.exe (PID: 5228)
- Starts CMD.EXE for commands execution
  - MsiExec.exe (PID: 5312)
  - cmd.exe (PID: 2164)
- Uses ICACLS.EXE to modify access control list
  - cmd.exe (PID: 2164)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 2164)
- Reads Microsoft Outlook installation path
  - regsvr32.exe (PID: 6068)
INFO
- Reads the hosts file
  - chrome.exe (PID: 3812)
  - chrome.exe (PID: 492)
- Checks supported languages
  - chrome.exe (PID: 2156)
  - chrome.exe (PID: 492)
  - chrome.exe (PID: 3544)
  - chrome.exe (PID: 3812)
  - chrome.exe (PID: 3948)
  - chrome.exe (PID: 1080)
  - chrome.exe (PID: 420)
  - chrome.exe (PID: 1272)
  - chrome.exe (PID: 3656)
  - chrome.exe (PID: 5784)
  - chrome.exe (PID: 1808)
  - chrome.exe (PID: 5792)
  - chrome.exe (PID: 5148)
  - msiexec.exe (PID: 6108)
  - msiexec.exe (PID: 5228)
  - MsiExec.exe (PID: 3404)
  - MsiExec.exe (PID: 5312)
  - takeown.exe (PID: 5624)
  - taskkill.exe (PID: 1432)
  - regsvr32.exe (PID: 6068)
- Reads the computer name
  - chrome.exe (PID: 3812)
  - chrome.exe (PID: 2156)
  - chrome.exe (PID: 492)
  - chrome.exe (PID: 1808)
  - chrome.exe (PID: 5784)
  - chrome.exe (PID: 5148)
  - chrome.exe (PID: 5792)
  - msiexec.exe (PID: 6108)
  - msiexec.exe (PID: 5228)
  - MsiExec.exe (PID: 3404)
  - takeown.exe (PID: 5624)
  - MsiExec.exe (PID: 5312)
  - taskkill.exe (PID: 1432)
  - icacls.exe (PID: 1648)
- Application launched itself
  - chrome.exe (PID: 3812)
- Reads the software policy settings
  - chrome.exe (PID: 492)
  - chrome.exe (PID: 5792)
  - chrome.exe (PID: 3812)
  - msiexec.exe (PID: 6108)
  - msiexec.exe (PID: 5228)
  - powershell.exe (PID: 412)
  - powershell.exe (PID: 5924)
  - powershell.exe (PID: 1596)
  - powershell.exe (PID: 5692)
- Reads settings of System Certificates
  - chrome.exe (PID: 492)
  - chrome.exe (PID: 5792)
  - chrome.exe (PID: 3812)
  - msiexec.exe (PID: 6108)
  - msiexec.exe (PID: 5228)
  - powershell.exe (PID: 412)
  - powershell.exe (PID: 5692)
  - powershell.exe (PID: 1596)
  - powershell.exe (PID: 5924)
- Checks Windows Trust Settings
  - chrome.exe (PID: 3812)
  - msiexec.exe (PID: 5228)
  - powershell.exe (PID: 5692)
  - powershell.exe (PID: 1596)
  - powershell.exe (PID: 412)
  - powershell.exe (PID: 5924)
  - msiexec.exe (PID: 6108)
- Manual execution by user
  - regsvr32.exe (PID: 5944)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

All screenshots are available in the full report

Add for printing

Total processes

234

Monitored processes

52

Malicious processes

3

Suspicious processes

5

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

412

powershell.exe -command "Set-MpPreference -MAPSReporting 0"

C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows PowerShell

Exit code:

1

Version:

10.0.16299.15 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll

420

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,7099663551433034149,4101992967249282278,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

0

Version:

87.0.4280.88

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\87.0.4280.88\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll

492

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,7099663551433034149,4101992967249282278,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1792 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

0

Version:

87.0.4280.88

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\program files\google\chrome\application\87.0.4280.88\chrome_elf.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll

1080

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,7099663551433034149,4101992967249282278,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

0

Version:

87.0.4280.88

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\87.0.4280.88\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll

1272

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,7099663551433034149,4101992967249282278,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

0

Version:

87.0.4280.88

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\87.0.4280.88\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll

1432

taskkill /im smartscreen.exe /f

C:\WINDOWS\SysWOW64\taskkill.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Terminates Processes

Exit code:

128

Version:

10.0.16299.15 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll

1596

powershell.exe -command "Add-MpPreference -ExclusionExtension ".dll""

C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows PowerShell

Exit code:

1

Version:

10.0.16299.15 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll

1648

icacls "C:\WINDOWS\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18

C:\WINDOWS\SysWOW64\icacls.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Exit code:

2

Version:

10.0.16299.15 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll

1808

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1604,7099663551433034149,4101992967249282278,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5168 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

0

Version:

87.0.4280.88

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\87.0.4280.88\chrome_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\shcore.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll

2156

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,7099663551433034149,4101992967249282278,131072 --gpu-preferences=MAAAAAAAAADgACAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1624 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

0

Version:

87.0.4280.88

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\87.0.4280.88\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

42 046

Read events

41 711

Write events

331

Delete events

4

Modification events


(PID) Process:	(3812) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:	write	Name:	dr
Value: 1
(PID) Process:	(3812) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome
Operation:	write	Name:	UsageStatsInSample
Value: 1
(PID) Process:	(3812) chrome.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	write	Name:	usagestats
Value: 0
(PID) Process:	(3812) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:	write	Name:	metricsid
Value:
(PID) Process:	(3812) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:	write	Name:	metricsid_installdate
Value: 0
(PID) Process:	(3812) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:	write	Name:	metricsid_enableddate
Value: 0
(PID) Process:	(3812) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default
Operation:	write	Name:	software_reporter.reporting
Value: 30391358A13376DF0244C72A5702E4C8844C20E20CE984F107330BD45F24014A
(PID) Process:	(3812) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default
Operation:	write	Name:	module_blacklist_cache_md5_digest
Value: 45DF6FC706FCDC16E740CAD2557878F74CD70FF41322040C067901E0719C1536
(PID) Process:	(3812) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default
Operation:	write	Name:	media.storage_id_salt
Value: CA1DDE54259E5D5EEA618B03652520CE9BAE5BEFA4D30FCED2A117E0A93431A3
(PID) Process:	(3812) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default
Operation:	write	Name:	google.services.last_account_id
Value: 3BBBA1884C9922ADE9B6A5020CAE3B3DD0BCF4B8C6EB99ED74D8D00AC341C5FB

Add for printing

Executable files

32

Suspicious files

40

Text files

95

Unknown types

5

Dropped files

PID	Process	Filename		Type
3812	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\History-journal		—
		MD5:—	SHA256:—
3812	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\First Run		—
		MD5:—	SHA256:—
3812	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Version		text
		MD5:—	SHA256:—
3812	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences		text
		MD5:—	SHA256:—
3812	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000001		binary
		MD5:5AF87DFD673BA2115E2FCF5CFDB727AB	SHA256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
3812	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001		binary
		MD5:5AF87DFD673BA2115E2FCF5CFDB727AB	SHA256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
3812	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\History		sqlite
		MD5:5F22E24DCF177F0133350F25D539884A	SHA256:EF37C2736E92336E5BA8AE60BCFBF857109B881BDC94BD50166EF1F342FF2697
3812	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000001.dbtmp		text
		MD5:46295CAC801E5D4857D09837238A6394	SHA256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
3812	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT		text
		MD5:46295CAC801E5D4857D09837238A6394	SHA256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
3812	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001		binary
		MD5:5AF87DFD673BA2115E2FCF5CFDB727AB	SHA256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

207

TCP/UDP connections

109

DNS requests

107

Threats

6

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
492	chrome.exe	GET	200	194.58.42.250:443	https://pornopremiumlove.com/hdporno.php	RU	html	57.2 Kb	unknown
492	chrome.exe	GET	200	194.58.42.250:443	https://pornopremiumlove.com/images/images/wcts1411-1e242.jpg?nvb=20180823120133&nva=20180826064133&hash=0a1975b5dc25aa38d6ea8	RU	image	160 Kb	unknown
492	chrome.exe	GET	200	194.58.42.250:443	https://pornopremiumlove.com/css/fonts/icomoon.woff	RU	woff	4.25 Kb	unknown
492	chrome.exe	GET	200	194.58.42.250:443	https://pornopremiumlove.com/images/images/m017-10ba4.jpg?nvb=20180823120133&nva=20180826064133&hash=018a62f996fff96c5d9a0	RU	image	63.0 Kb	unknown
492	chrome.exe	GET	200	194.58.42.250:443	https://pornopremiumlove.com/css/images/bg-top.jpg	RU	image	48.6 Kb	unknown
492	chrome.exe	GET	200	194.58.42.250:443	https://pornopremiumlove.com/css/fonts/KFOoCniXp96ayzse5Q.ttf	RU	ttf	27.0 Kb	unknown
492	chrome.exe	GET	200	194.58.42.250:443	https://pornopremiumlove.com/images/images/wcts326-10cd1.jpg?nvb=20180823120133&nva=20180826064133&hash=029960a6bcad549ba3743	RU	image	94.2 Kb	unknown
492	chrome.exe	GET	200	194.58.42.250:443	https://pornopremiumlove.com/images/images/wtl1311-162de.jpg?nvb=20180823120133&nva=20180826064133&hash=07af61891132eaba987e1	RU	image	88.2 Kb	unknown
492	chrome.exe	GET	200	194.58.42.250:443	https://pornopremiumlove.com/images/images/syl059-1ecb7.jpg?nvb=20180823120133&nva=20180826064133&hash=0453ad050056656049aed	RU	image	46.5 Kb	unknown
492	chrome.exe	GET	200	194.58.42.250:443	https://pornopremiumlove.com/images/images/fad1416-18b6c.jpg?nvb=20180823120133&nva=20180826064133&hash=023e0e471634c4a752783	RU	image	96.7 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
492	chrome.exe	172.217.16.141:443	accounts.google.com	Google Inc.	US	suspicious
492	chrome.exe	142.250.185.67:443	ssl.gstatic.com	Google Inc.	US	whitelisted
492	chrome.exe	142.250.184.227:443	fonts.gstatic.com	Google Inc.	US	whitelisted
3680	svchost.exe	40.126.31.143:443	—	Microsoft Corporation	US	suspicious
492	chrome.exe	142.250.185.110:443	sb-ssl.google.com	Google Inc.	US	whitelisted
3328	svchost.exe	51.103.5.159:443	client.wns.windows.com	Microsoft Corporation	GB	whitelisted
—	—	194.58.42.76:443	atclouroettfbquhfimp.com	Domain names registrar REG.RU, Ltd	RU	unknown
—	—	194.58.108.89:443	cmhxwbkplijrlvswubai.com	Domain names registrar REG.RU, Ltd	RU	unknown
—	—	172.217.18.99:443	update.googleapis.com	Google Inc.	US	whitelisted
—	—	84.15.64.13:80	r2---sn-cpux-8ovs.gvt1.com	UAB Bite Lietuva	LT	whitelisted

DNS requests

Domain	IP	Reputation
accounts.google.com	172.217.16.141	shared
pornopremiumlove.com	194.58.42.250	unknown
fonts.googleapis.com	142.250.185.106	whitelisted
image.ibb.co	152.228.223.13 145.239.131.60 145.239.131.51 146.59.152.166 145.239.131.55 146.59.152.166 152.228.223.13	suspicious
ssl.gstatic.com	142.250.185.67	whitelisted
fonts.gstatic.com	142.250.184.227	whitelisted
client.wns.windows.com	51.103.5.159 51.103.5.186	whitelisted
sb-ssl.google.com	142.250.185.110	whitelisted
atclouroettfbquhfimp.com	194.58.42.76	unknown
cmhxwbkplijrlvswubai.com	194.58.108.89	unknown

Threats

PID	Process	Class	Message
—	—	A Network Trojan was detected	ET MALWARE Observed ZLoader CnC Domain in SNI
—	—	A Network Trojan was detected	ET MALWARE Observed ZLoader CnC Domain in SNI
—	—	A Network Trojan was detected	ET MALWARE Observed ZLoader CnC Domain in SNI
—	—	A Network Trojan was detected	ET MALWARE Observed ZLoader CnC Domain in SNI
—	—	A Network Trojan was detected	ET MALWARE Observed ZLoader CnC Domain in SNI
—	—	A Network Trojan was detected	ET MALWARE Observed ZLoader CnC Domain in SNI

Add for printing

No debug info