File name: TradingView Desktop (Pro+).zip

Full analysis: https://app.any.run/tasks/691afb07-b171-4774-8bcb-0d3810c5a499
Verdict: Malicious activity
Analysis date: June 18, 2024, 06:57:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: telegram
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: 98F307821BF3FA62F416299785DFEB34
SHA1: B7BAFC393A7E3D3A2038881833A53BB804E58944
SHA256: ECA62135DA01C30871FF5F804E3C5AF01AFEF2849C8FA6A45FE81351645780B6
SSDEEP: 98304:Rhkai+J965iqYD1VweHM9pqMJScQeLwVmJjOPgFe2LJz4OrwuxuwSCwTs7vmn+zg:VY+f9tUa974iK7TJgQ7xA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3984)
    • VIDAR has been detected (YARA)

      • TradingView Desktop (Pro+).exe (PID: 864)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3984)
    • Reads the Internet Settings

      • TradingView Desktop (Pro+).exe (PID: 864)
    • Reads security settings of Internet Explorer

      • TradingView Desktop (Pro+).exe (PID: 864)
    • Checks Windows Trust Settings

      • TradingView Desktop (Pro+).exe (PID: 864)
    • Reads settings of System Certificates

      • TradingView Desktop (Pro+).exe (PID: 864)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • TradingView Desktop (Pro+).exe (PID: 864)
  • INFO

    • Manual execution by a user

      • TradingView Desktop (Pro+).exe (PID: 864)
      • wmpnscfg.exe (PID: 2204)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3984)
    • Reads the computer name

      • TradingView Desktop (Pro+).exe (PID: 864)
      • wmpnscfg.exe (PID: 2204)
    • Checks supported languages

      • TradingView Desktop (Pro+).exe (PID: 864)
      • wmpnscfg.exe (PID: 2204)
    • Checks proxy server information

      • TradingView Desktop (Pro+).exe (PID: 864)
    • Reads the machine GUID from the registry

      • TradingView Desktop (Pro+).exe (PID: 864)
    • Creates files in the program directory

      • TradingView Desktop (Pro+).exe (PID: 864)
    • Reads the software policy settings

      • TradingView Desktop (Pro+).exe (PID: 864)
    • Creates files or folders in the user directory

      • TradingView Desktop (Pro+).exe (PID: 864)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:04:10 18:29:28
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: SDK/
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes: start, winrar.exe, tradingview desktop (pro+).exe (#VIDAR), wmpnscfg.exe (no specs)

Process information

PID: 864
CMD: "C:\Users\admin\Desktop\TradingView Desktop (Pro+).exe"
Path: C:\Users\admin\Desktop\TradingView Desktop (Pro+).exe
Parent process: explorer.exe
User: admin
Company: Igor Pavlov
Integrity Level: MEDIUM
Description: 7-Zip Shell Extension
Version: 24.01
Modules (images):
  c:\users\admin\desktop\tradingview desktop (pro+).exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\advapi32.dll

PID: 2204
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll

PID: 3984
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\TradingView Desktop (Pro+).zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll
Total events: 7 651
Read events: 7 581
Write events: 64
Delete events: 6

Modification events

Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (3984) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\TradingView Desktop (Pro+).zip

Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 22
Suspicious files: 1
Text files: 4
Unknown types: 2

Dropped files

PID | Process | Filename | Type
3984 | WinRAR.exe | C:\Users\admin\Desktop\SDK\100\KeyFile\1033\sqlsysclrtypes_keyfile.dll | executable
  MD5: 166A4EB063FBFF4D85B7647B9B3819B0
  SHA256: C51A51D4E3734765D1352DBF09511E49A2773B3D6BD9A704EE664FB8E3059E42
3984 | WinRAR.exe | C:\Users\admin\Desktop\SDK\100\SDK\Assemblies\Microsoft.SqlServer.Types.dll | executable
  MD5: E3F6937BBC9F71FE87A931ADFB92CECF
  SHA256: E272E45652092622DB856DCA4E840389BE109ABCAEFD1F376B0043B450A801F5
3984 | WinRAR.exe | C:\Users\admin\Desktop\SDK\Assemblies\Microsoft.SqlServer.ConnectionInfo.dll | executable
  MD5: 72B11C28883297CAAFE65E7812266375
  SHA256: D8A81E198A721AD8BAAAB4E4F90103A8407965454CA4FF46C966E9B0D948526D
3984 | WinRAR.exe | C:\Users\admin\Desktop\SDK\Assemblies\Microsoft.SqlServer.ConnectionInfoExtended.dll | executable
  MD5: 2AF76F89FB11CD819F2FB2B7247A6898
  SHA256: 6E034250B84721DD48CF90EB8B62DABC2A341A340EF7B7061CB4F5050A563628
3984 | WinRAR.exe | C:\Users\admin\Desktop\SDK\100\KeyFile\1049\sqlsysclrtypes_keyfile.dll | executable
  MD5: 166A4EB063FBFF4D85B7647B9B3819B0
  SHA256: C51A51D4E3734765D1352DBF09511E49A2773B3D6BD9A704EE664FB8E3059E42
3984 | WinRAR.exe | C:\Users\admin\Desktop\SDK\Assemblies\Microsoft.SqlServer.Management.XEventEnum.dll | executable
  MD5: 9CBF86FBF930B0C7C13869CF61A45169
  SHA256: 7F81C53F48D114E1971BF0D53892AF4595B8E9AEBAA854A753F8C2A5D08EF8BD
3984 | WinRAR.exe | C:\Users\admin\Desktop\SDK\Assemblies\Microsoft.SqlServer.Management.UtilityEnum.dll | executable
  MD5: 85730AF402FF84288706EDB626E726FA
  SHA256: 96A9D99D31C5190E3880A7E9D6961CD4996CC76D5A3D560D1FB9C558228FC807
3984 | WinRAR.exe | C:\Users\admin\Desktop\SDK\Assemblies\Microsoft.SqlServer.ServiceBrokerEnum.dll | executable
  MD5: EA2FB6EE4E5DA5C05315F80EF4B66DB2
  SHA256: A22480335F902F373444900D424563DF8EE7FE87092C48EDCF96CE0C66E2DE9A
3984 | WinRAR.exe | C:\Users\admin\Desktop\SDK\Assemblies\Microsoft.SqlServer.Management.XEvent.dll | executable
  MD5: 9B7A765CE1BDEBB515690E72991488A7
  SHA256: 6D5FE7BA1077E37EC47E87B82D68BD49CC614FAEF72AB36D31B322E5B2BBE9BB
3984 | WinRAR.exe | C:\Users\admin\Desktop\SDK\Assemblies\Microsoft.SqlServer.SmoExtended.dll | executable
  MD5: 9CACCCBBDF4D35EBEA8344779ED7130A
  SHA256: 82E20463ECBE2EB8D1439A7D5BB98EDDFDBEB40CE49347C9CD8DF199AE7D3079
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 2
Threats: 2

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | | | | unknown
864 | TradingView Desktop (Pro+).exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | unknown
864 | TradingView Desktop (Pro+).exe | 104.95.184.164:443 | steamcommunity.com | AKAMAI-AS | DK | unknown
864 | TradingView Desktop (Pro+).exe | 95.217.135.112:443 | | Hetzner Online GmbH | FI | unknown

DNS requests

Domain | IP | Reputation
t.me | 149.154.167.99 | whitelisted
steamcommunity.com | 104.95.184.164 | whitelisted

Threats

PID | Process | Class | Message
864 | TradingView Desktop (Pro+).exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)

1 ETPRO signature available in the full report
No debug info