1.exe

Full analysis: https://app.any.run/tasks/b17652aa-0599-46c7-bdb3-267e9eda031a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 06, 2019, 19:09:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, trojan, stealer, vidar, evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 220C4C45EA065B2206DF70B22EF8F487
SHA1: 4007448FADB8CFC29A21C81920BBB0FB36ACEBE6
SHA256: EE0A4E00992382159296EE165789910FC41B1BFEBD702A724E783300E72BA027
SSDEEP: 24576:YllR7+Gp0ZQV6oRH4C9z7hpeOV9Cy4DnXRKENC:ilR7+Gp0Zw6Ct7hIOrCF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • 1.exe (PID: 1972)
      • MBAMInstallerService.exe (PID: 2604)
      • MBAMService.exe (PID: 932)
      • mbam.exe (PID: 460)
      • mbamtray.exe (PID: 2692)
    • Stealing of credential data

      • 1.exe (PID: 1972)
    • Downloads executable files from the Internet

      • 1.exe (PID: 1972)
    • VIDAR was detected

      • 1.exe (PID: 1972)
    • Actions looks like stealing of personal data

      • 1.exe (PID: 1972)
    • Application was dropped or rewritten from another process

      • MBSetup-009996.009996.exe (PID: 2980)
      • MBSetup-009996.009996.exe (PID: 3396)
      • MBAMInstallerService.exe (PID: 2604)
      • MBAMService.exe (PID: 1648)
      • MBAMService.exe (PID: 932)
      • mbam.exe (PID: 460)
      • mbamtray.exe (PID: 2692)
    • Changes settings of System certificates

      • MBSetup-009996.009996.exe (PID: 3396)
      • certutil.exe (PID: 2976)
      • certutil.exe (PID: 3100)
  • SUSPICIOUS

    • Application launched itself

      • 1.exe (PID: 2580)
      • taskmgr.exe (PID: 3876)
    • Creates files in the user directory

      • 1.exe (PID: 1972)
      • mbam.exe (PID: 460)
    • Executable content was dropped or overwritten

      • 1.exe (PID: 1972)
      • chrome.exe (PID: 3972)
      • chrome.exe (PID: 2140)
      • MBSetup-009996.009996.exe (PID: 3396)
      • MBAMService.exe (PID: 932)
      • MBAMInstallerService.exe (PID: 2604)
    • Creates files in the program directory

      • 1.exe (PID: 1972)
      • MBSetup-009996.009996.exe (PID: 3396)
      • MBAMInstallerService.exe (PID: 2604)
      • MBAMService.exe (PID: 932)
    • Checks for external IP

      • 1.exe (PID: 1972)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2776)
    • Starts CMD.EXE for commands execution

      • 1.exe (PID: 1972)
      • MBAMInstallerService.exe (PID: 2604)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2140)
    • Adds / modifies Windows certificates

      • MBSetup-009996.009996.exe (PID: 3396)
    • Executed as Windows Service

      • MBAMInstallerService.exe (PID: 2604)
      • MBAMService.exe (PID: 932)
    • Removes files from Windows directory

      • certutil.exe (PID: 3100)
      • certutil.exe (PID: 2976)
      • MBAMService.exe (PID: 932)
      • MBAMInstallerService.exe (PID: 2604)
    • Creates files in the driver directory

      • MBAMInstallerService.exe (PID: 2604)
      • MBAMService.exe (PID: 932)
    • Changes IE settings (feature browser emulation)

      • MBAMInstallerService.exe (PID: 2604)
    • Modifies the open verb of a shell class

      • MBAMInstallerService.exe (PID: 2604)
    • Creates files in the Windows directory

      • certutil.exe (PID: 3100)
      • certutil.exe (PID: 2976)
      • MBAMService.exe (PID: 1648)
      • MBAMService.exe (PID: 932)
      • MBAMInstallerService.exe (PID: 2604)
    • Creates COM task schedule object

      • MBAMService.exe (PID: 932)
    • Creates or modifies windows services

      • MBAMService.exe (PID: 932)
    • Uses RUNDLL32.EXE to load library

      • mbamtray.exe (PID: 2692)
      • mbam.exe (PID: 460)
    • Reads Internet Cache Settings

      • rundll32.exe (PID: 2976)
      • rundll32.exe (PID: 1904)
    • Creates a software uninstall entry

      • MBAMInstallerService.exe (PID: 2604)
  • INFO

    • Manual execution by user

      • taskmgr.exe (PID: 2536)
      • chrome.exe (PID: 2140)
      • taskmgr.exe (PID: 3876)
      • taskmgr.exe (PID: 3788)
    • Application launched itself

      • chrome.exe (PID: 2140)
    • Reads Internet Cache Settings

      • chrome.exe (PID: 2140)
    • Reads the hosts file

      • chrome.exe (PID: 3972)
      • chrome.exe (PID: 2140)
    • Dropped object may contain Bitcoin addresses

      • chrome.exe (PID: 3972)
      • chrome.exe (PID: 2140)
      • MBAMInstallerService.exe (PID: 2604)
      • MBAMService.exe (PID: 932)
    • Reads settings of System Certificates

      • MBAMService.exe (PID: 932)
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (90.6)
.exe | Win32 Executable (generic) (4.9)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:09:16 04:31:47+02:00
PEType: PE32
LinkerVersion: 6
CodeSize: 1081344
InitializedDataSize: 45056
UninitializedDataSize: -
EntryPoint: 0x1234
OSVersion: 4
ImageVersion: 9
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 9.0.0.0
ProductVersionNumber: 9.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Norwegian (Bokmål)
CharacterSet: Unicode
CompanyName: ASus
ProductName: KIROeffect8
FileVersion: 9
ProductVersion: 9
InternalName: GRUCiolata
OriginalFileName: GRUCiolata.exe

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Sep-2009 02:31:47
Detected languages:
  • Norwegian - Norway (Bokmal)
CompanyName: ASus
ProductName: KIROeffect8
FileVersion: 9.00
ProductVersion: 9.00
InternalName: GRUCiolata
OriginalFilename: GRUCiolata.exe

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000B8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 16-Sep-2009 02:31:47
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x001072C0 | 0x00108000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.09377
.data | 0x00109000 | 0x00000A08 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x0010A000 | 0x000093AA | 0x0000A000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.67412

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.20399 | 540 | Unicode (UTF 16LE) | Norwegian - Norway (Bokmal) | RT_VERSION
30001 | 6.02608 | 11320 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON
30002 | 5.11042 | 7336 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON
30003 | 5.93262 | 3240 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON
30004 | 6.26208 | 14920 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON

Imports

MSVBVM60.DLL
No data.
Total processes: 118
Monitored processes: 66
Malicious processes: 8
Suspicious processes: 0

Behavior graph

[Behavior graph: interactive process tree, available in the full report. Nodes shown: 1.exe (#VIDAR), taskmgr.exe, cmd.exe, taskkill.exe, chrome.exe (many instances), mbsetup-009996.009996.exe, mbaminstallerservice.exe, cmd.exe, certutil.exe, mbamservice.exe, mbamtray.exe, rundll32.exe, mbam.exe]

Process information

PID | CMD | Path | Parent process

2580 | "C:\Users\admin\AppData\Local\Temp\1.exe" | C:\Users\admin\AppData\Local\Temp\1.exe | explorer.exe
  User: admin | Company: ASus | Integrity Level: MEDIUM | Exit code: 0 | Version: 9.00

1972 | "C:\Users\admin\AppData\Local\Temp\1.exe" | C:\Users\admin\AppData\Local\Temp\1.exe | 1.exe
  User: admin | Company: ASus | Integrity Level: MEDIUM | Exit code: 0 | Version: 9.00

2536 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Task Manager | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

2776 | "C:\Windows\System32\cmd.exe" /c taskkill /im 1.exe /f & erase C:\Users\admin\AppData\Local\Temp\1.exe & exit | C:\Windows\System32\cmd.exe | 1.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

1932 | taskkill /im 1.exe /f | C:\Windows\system32\taskkill.exe | cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Terminates Processes | Exit code: 128 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

3876 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Task Manager | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

820 | "C:\Windows\system32\taskmgr.exe" /1 | C:\Windows\system32\taskmgr.exe | taskmgr.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Windows Task Manager | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

2140 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe
  User: admin | Company: Google LLC | Integrity Level: MEDIUM | Description: Google Chrome | Exit code: 0 | Version: 75.0.3770.100

4032 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6fc1a9d0,0x6fc1a9e0,0x6fc1a9ec | C:\Program Files\Google\Chrome\Application\chrome.exe | chrome.exe
  User: admin | Company: Google LLC | Integrity Level: MEDIUM | Description: Google Chrome | Exit code: 0 | Version: 75.0.3770.100

1520 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2160 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | chrome.exe
  User: admin | Company: Google LLC | Integrity Level: MEDIUM | Description: Google Chrome | Exit code: 0 | Version: 75.0.3770.100
Total events: 3 232
Read events: 1 679
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 167
Suspicious files: 345
Text files: 874
Unknown types: 59

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1972 | 1.exe | C:\ProgramData\W5WKRWKFH02WDXTT23XIZ7T97\files\outlook.txt | - | - | -
1972 | 1.exe | C:\ProgramData\W5WKRWKFH02WDXTT23XIZ7T97\files\information.txt | - | - | -
2580 | 1.exe | C:\Users\admin\AppData\Local\Temp\~DF24D21399E8237AE8.TMP | binary | 4F7FC209B54630E7E3F3878EB6FAC832 | 04ADD4460829CC4BEE4438371D80C587C8D9E20D90B7DF1C913921DC354DBA34
1972 | 1.exe | C:\ProgramData\W5WKRWKFH02WDXTT23XIZ7T97\AT_90059c37-1320-41a4-b58d-2b75a9850d2f3919598672.zip | compressed | 4BFE1A4CA6DD953F835FA049B79F6B12 | 9A77A6EE8A6D7D081B8F47395FD1841E174AE65231AA8CA7BCB375A1BB26631F
1972 | 1.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\line[1].txt | text | CC4E1B846DC7B97ECC01F9A46CF16363 | 69DF29C8686C6FBDB7FA657F56D2E88DEC45A920232F0D321D2EFB85F2EC99EE
1972 | 1.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\softokn3[1].dll | executable | A2EE53DE9167BF0D6C019303B7CA84E5 | 43536ADEF2DDCC811C28D35FA6CE3031029A2424AD393989DB36169FF2995083
1972 | 1.exe | C:\ProgramData\W5WKRWKFH02WDXTT23XIZ7T97\files\passwords.txt | text | AB5014605C2B83465EC4F1F4195F4DAE | 81A996659BA2C1B261FEF53D36217F30C229173BC0B91DFD4C06FC086590075D
1972 | 1.exe | C:\ProgramData\W5WKRWKFH02WDXTT23XIZ7T97\ld | sqlite | ACFE428573BC93A1C2D167FA95961BB0 | BEB40A8A26A3A77B8542DE111F274C42B9095C5152322DE1EA4E112308441338
1972 | 1.exe | C:\ProgramData\softokn3.dll | executable | A2EE53DE9167BF0D6C019303B7CA84E5 | 43536ADEF2DDCC811C28D35FA6CE3031029A2424AD393989DB36169FF2995083
1972 | 1.exe | C:\ProgramData\mozglue.dll | executable | 8F73C08A9660691143661BF7332C3C27 | 3FE6B1C54B8CF28F571E0C5D6636B4069A8AB00B4F11DD842CFEC00691D0C9CD
HTTP(S) requests: 20
TCP/UDP connections: 204
DNS requests: 130
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1972 | 1.exe | GET | 301 | 18.205.93.1:80 | http://bitbucket.org/presscircle/cloud/downloads/setup_c.exe | US | - | - | shared
1972 | 1.exe | GET | 301 | 18.205.93.1:80 | http://bitbucket.org/miceants/files/downloads/setup_c.exe | US | - | - | shared
3972 | chrome.exe | GET | 200 | 185.180.12.141:80 | http://r2---sn-n02xgoxufvg3-8pxe.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=185.183.107.227&mm=28&mn=sn-n02xgoxufvg3-8pxe&ms=nvh&mt=1575659002&mv=u&mvi=1&pl=24&shardbypass=yes | AT | crx | 293 Kb | whitelisted
1972 | 1.exe | POST | 200 | 185.244.149.55:80 | http://ybookfli.net/ | unknown | text | 92 b | malicious
3972 | chrome.exe | GET | 302 | 172.217.18.174:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 529 b | whitelisted
3972 | chrome.exe | GET | 302 | 172.217.18.174:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 534 b | whitelisted
3972 | chrome.exe | GET | 200 | 92.122.213.201:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | unknown | compressed | 57.4 Kb | whitelisted
3972 | chrome.exe | GET | 200 | 185.180.12.140:80 | http://r1---sn-n02xgoxufvg3-8pxe.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.183.107.227&mm=28&mn=sn-n02xgoxufvg3-8pxe&ms=nvh&mt=1575659002&mv=u&mvi=0&pl=24&shardbypass=yes | AT | crx | 862 Kb | whitelisted
1972 | 1.exe | GET | 200 | 185.244.149.55:80 | http://ybookfli.net/msvcp140.dll | unknown | executable | 429 Kb | malicious
1972 | 1.exe | GET | 200 | 185.244.149.55:80 | http://ybookfli.net/mozglue.dll | unknown | executable | 133 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3972 | chrome.exe | 172.217.18.3:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
1972 | 1.exe | 208.95.112.1:80 | ip-api.com | IBURST | - | malicious
3972 | chrome.exe | 172.217.23.106:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
3972 | chrome.exe | 172.217.22.35:443 | www.google.com.ua | Google Inc. | US | whitelisted
1972 | 1.exe | 18.205.93.1:80 | bitbucket.org | - | US | malicious
1972 | 1.exe | 18.205.93.1:443 | bitbucket.org | - | US | malicious
- | - | 18.205.93.1:443 | bitbucket.org | - | US | malicious
1972 | 1.exe | 185.244.149.55:80 | ybookfli.net | - | - | malicious
3972 | chrome.exe | 172.217.16.141:443 | accounts.google.com | Google Inc. | US | suspicious
3972 | chrome.exe | 172.217.21.238:443 | ogs.google.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
ybookfli.net | 185.244.149.55 | malicious
dns.msftncsi.com | 131.107.255.255 | shared
ip-api.com | 208.95.112.1 | shared
bitbucket.org | 18.205.93.1, 18.205.93.2, 18.205.93.0 | shared
clientservices.googleapis.com | 172.217.18.3 | whitelisted
accounts.google.com | 172.217.16.141 | shared
www.google.com.ua | 172.217.22.35 | whitelisted
fonts.googleapis.com | 172.217.23.106 | whitelisted
www.gstatic.com | 216.58.210.3 | whitelisted
fonts.gstatic.com | 172.217.22.99 | whitelisted

Threats

PID | Process | Class | Message
1972 | 1.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1972 | 1.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary
1972 | 1.exe | A Network Trojan was detected | STEALER [PTsecurity] Arkei/Vidar Stealer
1972 | 1.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com
1972 | 1.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary
1972 | 1.exe | A Network Trojan was detected | STEALER [PTsecurity] Arkei/Vidar Stealer
1972 | 1.exe | A Network Trojan was detected | ET TROJAN Vidar/Arkei Stealer Client Data Upload
1972 | 1.exe | A Network Trojan was detected | STEALER [PTsecurity] Generic Stealers activity (Nocturnal/Vidar)
1972 | 1.exe | A Network Trojan was detected | STEALER [PTsecurity] Stealer.Vidar
2 ETPRO signatures available at the full report
Debug output

Process | Message
mbamtray.exe | QAxBase::setControl: requested control {F36AD0D0-B5F0-4C69-AF08-603D177FEF0E} could not be instantiated
mbamtray.exe | Code : -2147467259
mbamtray.exe | Code : -2147467259
mbamtray.exe | Description:
mbamtray.exe | Description:
mbamtray.exe | Help :
mbamtray.exe | Connect to the exception(int,QString,QString,QString) signal to catch this exception
mbamtray.exe | qt.scenegraph.general: Loading backend software
mbamtray.exe | void __thiscall PageStatusMonitor::OnRequestFinished(class QNetworkReply *) "Page: https://links.malwarebytes.com/link/3x_cart?affiliate=009996&uuid=81e0cbe954fffb2dd4e10325decf35d73a7107c5&x-source=trial-avail&x-action=comparison_chart&x-token_secret=jgQTeomKKCX-ohzCvjCx3kBoFTSELqVEnjpdujhGKxAWwRzt4h-KGvWhgzcBqySel1QrviDIFDE68IPKpbLb7if2I0YMo3J_PD-7EdccuYqkjk_QCd6_-9JbDSRzNvaS&ADDITIONAL_x-token_secret=jgQTeomKKCX-ohzCvjCx3kBoFTSELqVEnjpdujhGKxAWwRzt4h-KGvWhgzcBqySel1QrviDIFDE68IPKpbLb7if2I0YMo3J_PD-7EdccuYqkjk_QCd6_-9JbDSRzNvaS&x-prodcode=MBAM-C&lang=en&version=4.0.4.49 received code: 307"
mbamtray.exe | class QUrl __thiscall PageStatusMonitor::processRedirectUrl(const class QUrl &,const class QUrl &) const Potential Redirect is: "https://cleo.mb-internal.com/?x-source=trial-avail&ADDITIONAL_x-source=inproduct&ADDITIONAL_machineid=81e0cbe954fffb2dd4e10325decf35d73a7107c5&x-action=comparison_chart&ADDITIONAL_x-token_secret=jgQTeomKKCX-ohzCvjCx3kBoFTSELqVEnjpdujhGKxAWwRzt4h-KGvWhgzcBqySel1QrviDIFDE68IPKpbLb7if2I0YMo3J_PD-7EdccuYqkjk_QCd6_-9JbDSRzNvaS&x-token_secret=jgQTeomKKCX-ohzCvjCx3kBoFTSELqVEnjpdujhGKxAWwRzt4h-KGvWhgzcBqySel1QrviDIFDE68IPKpbLb7if2I0YMo3J_PD-7EdccuYqkjk_QCd6_-9JbDSRzNvaS&x-prodcode=MBAM-C&LANG=en&AFFILIATE=009996" Last Redirect is: ""