Malware analysis https://abbaspc.net Malicious activity

Add for printing

URL:	https://abbaspc.net
Full analysis:	https://app.any.run/tasks/ae4ac2bf-5b8d-4368-aa27-bca3e22ee4bd
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	June 18, 2023, 21:33:45
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	stealer vidar
Indicators:
MD5:	E1EE041D9D4D2E7E2736E95DEA432F98
SHA1:	DDBD88A9CE2CA47C7115782AE47C042D980E9B30
SHA256:	EE1062B2B1AED2A130CD1E646AE306935384D1632CE069B1F3F5FB41F87825A6
SSDEEP:	3:N8lLAR:2RAR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
Mozilla Maintenance Service (67.0.4)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - Snapseed.exe (PID: 644)
- Steals credentials from Web Browsers
  - Snapseed.exe (PID: 644)
- Steals credentials
  - Snapseed.exe (PID: 644)
- Actions looks like stealing of personal data
  - Snapseed.exe (PID: 644)
- Loads dropped or rewritten executable
  - Snapseed.exe (PID: 644)
- Starts CMD.EXE for self-deleting
  - Snapseed.exe (PID: 644)
SUSPICIOUS
- Reads the Windows owner or organization settings
  - Setup.tmp (PID: 1672)
- Executable content was dropped or overwritten
  - Setup.tmp (PID: 1672)
  - Setup.exe (PID: 2164)
  - Snapseed.exe (PID: 644)
- Reads the Internet Settings
  - Setup.tmp (PID: 1672)
  - Snapseed.exe (PID: 644)
- Checks Windows Trust Settings
  - Snapseed.exe (PID: 644)
- Reads security settings of Internet Explorer
  - Snapseed.exe (PID: 644)
- Reads settings of System Certificates
  - Snapseed.exe (PID: 644)
- Connects to unusual port
  - Snapseed.exe (PID: 644)
- Reads browser cookies
  - Snapseed.exe (PID: 644)
- Searches for installed software
  - Snapseed.exe (PID: 644)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - Snapseed.exe (PID: 644)
- Starts CMD.EXE for commands execution
  - Snapseed.exe (PID: 644)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 1664)
INFO
- Executable content was dropped or overwritten
  - firefox.exe (PID: 2436)
- The process uses the downloaded file
  - firefox.exe (PID: 2436)
  - WinRAR.exe (PID: 3060)
- Checks supported languages
  - Setup.tmp (PID: 1672)
  - Setup.exe (PID: 2164)
  - Snapseed.exe (PID: 644)
- Create files in a temporary directory
  - Setup.exe (PID: 2164)
  - Setup.tmp (PID: 1672)
- The process checks LSA protection
  - Setup.tmp (PID: 1672)
  - Snapseed.exe (PID: 644)
- Reads the computer name
  - Setup.tmp (PID: 1672)
  - Snapseed.exe (PID: 644)
- Application launched itself
  - firefox.exe (PID: 2436)
- Application was dropped or rewritten from another process
  - Setup.tmp (PID: 1672)
- Reads the machine GUID from the registry
  - Snapseed.exe (PID: 644)
- Creates files or folders in the user directory
  - Setup.tmp (PID: 1672)
  - Snapseed.exe (PID: 644)
- Checks proxy server information
  - Snapseed.exe (PID: 644)
- Creates files in the program directory
  - Snapseed.exe (PID: 644)
- Reads product name
  - Snapseed.exe (PID: 644)
- Reads Environment values
  - Snapseed.exe (PID: 644)
- Reads CPU info
  - Snapseed.exe (PID: 644)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

584

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.0.1240642811\1846926680" -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 1196 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

67.0.4

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\dbghelp.dll

644

"C:\Users\admin\AppData\Local\Temp\is-0BNDS.tmp\XRECODE 3 Pro\Snapseed.exe"

C:\Users\admin\AppData\Local\Temp\is-0BNDS.tmp\XRECODE 3 Pro\Snapseed.exe

Setup.tmp

User:

admin

Company:

Piriform Software Ltd

Integrity Level:

MEDIUM

Description:

Recuva Installer

Exit code:

Version:

1.53.0.1087

Modules

Images
c:\users\admin\appdata\local\temp\is-0bnds.tmp\xrecode 3 pro\snapseed.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1664

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\admin\AppData\Local\Temp\is-0BNDS.tmp\XRECODE 3 Pro\Snapseed.exe" & exit

C:\Windows\SysWOW64\cmd.exe

—

Snapseed.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1672

"C:\Users\admin\AppData\Local\Temp\is-N8HT2.tmp\Setup.tmp" /SL5="$801D2,47029741,832512,C:\Users\admin\AppData\Local\Temp\Rar$EXb3060.9248\Setup.exe"

C:\Users\admin\AppData\Local\Temp\is-N8HT2.tmp\Setup.tmp

Setup.exe

User:

admin

Company:

xrecode3

Integrity Level:

MEDIUM

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-n8ht2.tmp\setup.tmp
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mpr.dll

2164

"C:\Users\admin\AppData\Local\Temp\Rar$EXb3060.9248\Setup.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXb3060.9248\Setup.exe

WinRAR.exe

User:

admin

Company:

xrecode3

Integrity Level:

MEDIUM

Description:

XRECODE 3 Pro Setup

Exit code:

Version:

Modules

Images
c:\users\admin\appdata\local\temp\rar$exb3060.9248\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\system32\wow64.dll

2436

"C:\Program Files\Mozilla Firefox\firefox.exe" "https://abbaspc.net"

C:\Program Files\Mozilla Firefox\firefox.exe

explorer.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

67.0.4

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\dbghelp.dll

2572

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.13.833571589\1501462999" -childID 2 -isForBrowser -prefsHandle 2892 -prefMapHandle 2896 -prefsLen 5823 -prefMapSize 189239 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2908 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

67.0.4

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll

2580

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.20.967949157\215745495" -childID 3 -isForBrowser -prefsHandle 2632 -prefMapHandle 3372 -prefsLen 6545 -prefMapSize 189239 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 3476 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

67.0.4

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll

2608

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.27.1381246008\1972007794" -childID 4 -isForBrowser -prefsHandle 3704 -prefMapHandle 3712 -prefsLen 6545 -prefMapSize 189239 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 3724 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

67.0.4

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll

2684

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.3.1891261432\243552053" -childID 1 -isForBrowser -prefsHandle 1696 -prefMapHandle 1724 -prefsLen 1 -prefMapSize 189239 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 1796 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

67.0.4

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll

Add for printing

Total events

7 329

Read events

7 269

Write events

Delete events

Modification events


(PID) Process:	(2436) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Browser
Value: 0000000000000000
(PID) Process:	(2436) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2436) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 460000008B000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2436) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2436) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2436) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2436) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(3060) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3060) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(3060) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Add for printing

Executable files

173

Suspicious files

266

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2436	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\startupCache\scriptCache-current.bin		—
		MD5:—	SHA256:—
2436	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\prefs-1.js		text
		MD5:1759FBCEFAC92AE1A7B8E457ACF71748	SHA256:5DA473B0E0C84BE5B289DC97C259B98F674E17AF49F4723B4A90F73AA972B739
2436	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2436	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\cache2\entries\F39080A333DADB9E30EFE89B7E9E1E65C7000049		binary
		MD5:93135F59DDC0521ACC3E3F4E91462C27	SHA256:82959AFE0BFE23C9F80EDADC63AC1B616FCC87EB01984118693EEB0624828A15
2436	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\NLTXVM~1.DEF\cert9.db		binary
		MD5:819BE7B9493F08F28B444C7F182EEA06	SHA256:553C7D534AE88558DF0868C3E94354D597892AFBA2869EB8BAF32146C2FA5EDE
2436	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\cache2\entries\C6E9F6ED815F933E1BE8907D751B229F9BFD6A9B		binary
		MD5:0395501CCA9A672BF0BDBE72EA88E53A	SHA256:15483887BA0B1957FD57A00E01DCDFF4E3A802D55244193F30B1A9E5B47DE328
2436	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\prefs.js		text
		MD5:1759FBCEFAC92AE1A7B8E457ACF71748	SHA256:5DA473B0E0C84BE5B289DC97C259B98F674E17AF49F4723B4A90F73AA972B739
2436	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\sessionCheckpoints.json		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
2436	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\startupCache\urlCache-current.bin		binary
		MD5:6BED2A248268034CA1F73B2925365DE2	SHA256:A45996AA907815E86366A17ED448F75A584D7B600AA9398E14DE21DFAD3D613A
2436	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

169

Threats

913

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2436	firefox.exe	GET	301	104.26.14.242:80	http://abbaspc.net/wp-content/uploads/2019/04/logo_AbbasPC.Net_.png	US	—	—	malicious
2436	firefox.exe	GET	200	104.26.14.242:80	http://abbaspc.net/.well-known/http-opportunistic	US	binary	92 b	malicious
2436	firefox.exe	POST	200	142.250.74.195:80	http://ocsp.pki.goog/gts1c3	US	binary	472 b	whitelisted
2436	firefox.exe	GET	200	23.55.161.211:80	http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip	US	compressed	442 Kb	whitelisted
2436	firefox.exe	POST	200	184.24.77.59:80	http://r3.o.lencr.org/	US	binary	503 b	shared
2436	firefox.exe	POST	200	192.229.221.95:80	http://ocsp.digicert.com/	US	binary	471 b	whitelisted
2436	firefox.exe	POST	200	184.24.77.59:80	http://r3.o.lencr.org/	US	binary	503 b	shared
2436	firefox.exe	POST	200	184.24.77.59:80	http://r3.o.lencr.org/	US	binary	503 b	shared
2436	firefox.exe	POST	200	142.250.74.195:80	http://ocsp.pki.goog/gts1c3	US	der	472 b	whitelisted
2436	firefox.exe	POST	200	142.250.74.195:80	http://ocsp.pki.goog/gts1c3	US	binary	472 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
328	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
2436	firefox.exe	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	whitelisted
2436	firefox.exe	104.26.14.242:443	abbaspc.net	CLOUDFLARENET	US	shared
2436	firefox.exe	184.24.77.59:80	r3.o.lencr.org	Akamai International B.V.	DE	suspicious
2436	firefox.exe	34.117.65.55:443	push.services.mozilla.com	GOOGLE-CLOUD-PLATFORM	US	suspicious
2436	firefox.exe	192.0.77.2:443	i0.wp.com	AUTOMATTIC	US	suspicious
2436	firefox.exe	13.32.121.112:443	snippets.cdn.mozilla.net	AMAZON-02	US	unknown
2436	firefox.exe	52.41.158.136:443	shavar.services.mozilla.com	AMAZON-02	US	unknown
2436	firefox.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
detectportal.firefox.com	34.107.221.82	whitelisted
abbaspc.net	104.26.14.242 104.26.15.242 172.67.69.237 2606:4700:20::681a:ef2 2606:4700:20::ac43:45ed 2606:4700:20::681a:ff2	malicious
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
search.services.mozilla.com	34.160.46.54	whitelisted
search.r53-2.services.mozilla.com	34.160.46.54	whitelisted
r3.o.lencr.org	184.24.77.59 184.24.77.60 184.24.77.53 184.24.77.83 184.24.77.58 184.24.77.56 184.24.77.52 184.24.77.82 184.24.77.45 2.16.241.15 2.16.241.8	shared
stats.wp.com	192.0.76.3	whitelisted
a1887.dscq.akamai.net	184.24.77.45 184.24.77.82 184.24.77.52 184.24.77.56 184.24.77.58 184.24.77.83 184.24.77.53 184.24.77.60 184.24.77.59 2a02:26f0:3500:e::1732:835c 2a02:26f0:3500:e::1732:8353 2.16.241.8 2.16.241.15 2a02:26f0:780::5f65:3672 2a02:26f0:780::5f65:3683 2a02:26f0:780::210:ca79 2a02:26f0:480:e::210:f10f 2a02:26f0:480:e::210:f108	whitelisted
push.services.mozilla.com	34.117.65.55	whitelisted
autopush.prod.mozaws.net	34.117.65.55	whitelisted

Threats

PID	Process	Class	Message
328	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
328	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
328	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
328	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
328	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
328	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
2436	firefox.exe	Generic Protocol Command Decode	SURICATA STREAM ESTABLISHED packet out of window
2436	firefox.exe	Generic Protocol Command Decode	SURICATA STREAM ESTABLISHED invalid ack
2436	firefox.exe	Generic Protocol Command Decode	SURICATA STREAM Packet with invalid ack
2436	firefox.exe	Generic Protocol Command Decode	SURICATA STREAM ESTABLISHED packet out of window

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

https://abbaspc.net

E1EE041D9D4D2E7E2736E95DEA432F98

DDBD88A9CE2CA47C7115782AE47C042D980E9B30

EE1062B2B1AED2A130CD1E646AE306935384D1632CE069B1F3F5FB41F87825A6

3:N8lLAR:2RAR

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Steals credentials from Web Browsers

Steals credentials

Actions looks like stealing of personal data

Loads dropped or rewritten executable

Starts CMD.EXE for self-deleting

SUSPICIOUS

Reads the Windows owner or organization settings

Executable content was dropped or overwritten

Reads the Internet Settings

Checks Windows Trust Settings

Reads security settings of Internet Explorer

Reads settings of System Certificates

Connects to unusual port

Reads browser cookies

Searches for installed software

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Starts CMD.EXE for commands execution

Uses TIMEOUT.EXE to delay execution

INFO

Executable content was dropped or overwritten

The process uses the downloaded file

Checks supported languages

Create files in a temporary directory

The process checks LSA protection

Reads the computer name

Application launched itself

Application was dropped or rewritten from another process

Reads the machine GUID from the registry

Creates files or folders in the user directory

Checks proxy server information

Creates files in the program directory

Reads product name

Reads Environment values

Reads CPU info

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections