File name: Disk Image File.ico
Full analysis: https://app.any.run/tasks/cf01c4b2-c828-4e3f-a0d6-b3909bd681ab
Verdict: Malicious activity
Threats: Ransomware

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee in exchange for the decryption key. Such programs can also be used to steal sensitive information from the compromised computer and even to conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: April 03, 2021, 19:21:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware, wannacry, wannacryptor
Indicators:
MIME: image/x-icon
File info: MS Windows icon resource - 14 icons, 256x256, 16 colors with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
MD5: 581EE046C1B7AB20C9E8F832C03283A2
SHA1: 2ECB0E179A866F7C6849000843FC06B14F39662A
SHA256: FBF9D5063336BC7CFB9CDE7473B7F849A8D41717940F2BD00BD2FAC7DCA714C6
SSDEEP: 1536:SDVgfV/Ka6Kbp75R0LDgMH0xGA4LeWHNWqzxiPHUmDv3K30:cgQRKh5RugyAUMHx
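The MIME/TRiD lines and the libmagic-style "14 icons ... PNG image data" summary above are signature matches, not a structural check. When the submitted object is an icon, an analyst wants two things the summary does not give: that every ICONDIRENTRY points inside the file, and that nothing sits after the last image, since trailing data in an otherwise valid image is a common place to park a payload. The parser below is an added example and is not part of the ANY.RUN report; it runs on constructed in-memory icons (a PNG-stub entry, a DIB entry, and a copy with bytes appended), not on the submitted sample, and also prints MD5/SHA1/SHA256 digests in the same upper-case form the report uses so a locally held file can be matched against the hashes above.

```python
import hashlib
import struct
from dataclasses import dataclass, field

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
BITMAPINFOHEADER_SIZE = 40


@dataclass
class IconEntry:
    index: int
    width: int
    height: int
    bit_count: int
    size: int
    offset: int
    kind: str  # "png", "dib", "unknown" or "unreadable"


@dataclass
class IcoReport:
    entries: list = field(default_factory=list)
    problems: list = field(default_factory=list)
    overlay_bytes: int = 0


def parse_ico(data: bytes) -> IcoReport:
    """Walk ICONDIR/ICONDIRENTRY, classify each payload and flag bytes past the last image."""
    report = IcoReport()
    if len(data) < 6:
        raise ValueError("too short for an ICONDIR header")
    reserved, ico_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0:
        report.problems.append(f"ICONDIR.reserved is {reserved}, expected 0")
    if ico_type not in (1, 2):
        report.problems.append(f"ICONDIR.type is {ico_type}, expected 1 (ICO) or 2 (CUR)")
    dir_end = 6 + 16 * count
    if dir_end > len(data):
        raise ValueError(f"directory claims {count} entries but file is only {len(data)} bytes")
    highest_end = dir_end
    for i in range(count):
        w, h, _colors, _rsv, _planes, bpp, size, off = struct.unpack_from("<BBBBHHII", data, 6 + 16 * i)
        end = off + size
        if size == 0 or off < dir_end or end > len(data):
            kind = "unreadable"
            report.problems.append(f"entry {i}: image range {off}..{end} is empty or lies outside the file")
        else:
            head = data[off:off + 8]
            if head == PNG_MAGIC:
                kind = "png"
            elif len(head) >= 4 and struct.unpack_from("<I", head)[0] == BITMAPINFOHEADER_SIZE:
                kind = "dib"
            else:
                kind = "unknown"
                report.problems.append(f"entry {i}: payload is neither PNG nor BITMAPINFOHEADER")
            highest_end = max(highest_end, end)
        # a zero byte in the one-byte width/height fields encodes 256
        report.entries.append(IconEntry(i, w or 256, h or 256, bpp, size, off, kind))
    # only measure trailing data when every entry was readable; otherwise the gap is truncation, not overlay
    if all(e.kind != "unreadable" for e in report.entries):
        report.overlay_bytes = len(data) - highest_end
        if report.overlay_bytes:
            report.problems.append(f"{report.overlay_bytes} trailing bytes after the last image (possible overlay)")
    return report


def file_hashes(data: bytes) -> dict:
    """Upper-case hex digests in the same form the report prints them."""
    return {name: hashlib.new(name, data).hexdigest().upper() for name in ("md5", "sha1", "sha256")}


def build_ico(images) -> bytes:
    """Assemble an ICO from (width, height, bpp, payload) tuples. Constructed test data only."""
    count = len(images)
    directory, payloads = b"", b""
    offset = 6 + 16 * count
    for w, h, bpp, payload in images:
        directory += struct.pack("<BBBBHHII", w % 256, h % 256, 0, 0, 1, bpp, len(payload), offset)
        payloads += payload
        offset += len(payload)
    return struct.pack("<HHH", 0, 1, count) + directory + payloads


# Constructed stand-ins: a PNG signature plus IHDR chunk, and a 32x32 4-bpp DIB header with zeroed pixel data.
PNG_STUB = PNG_MAGIC + struct.pack(">I", 13) + b"IHDR" + struct.pack(">IIBBBBB", 256, 256, 8, 6, 0, 0, 0)
DIB_STUB = struct.pack("<IiiHHIIiiII", 40, 32, 64, 1, 4, 0, 0, 0, 0, 16, 16) + b"\x00" * 64
SAMPLE_CLEAN = build_ico([(256, 256, 32, PNG_STUB), (32, 32, 4, DIB_STUB)])
OVERLAY = b"MZ" + b"\x90" * 30  # constructed: anything after the last image deserves a look
SAMPLE_WITH_OVERLAY = SAMPLE_CLEAN + OVERLAY

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("overlay", SAMPLE_WITH_OVERLAY)):
        r = parse_ico(blob)
        print(label, file_hashes(blob)["sha256"])
        for e in r.entries:
            print(f"  #{e.index} {e.width}x{e.height} {e.bit_count}bpp {e.kind} @{e.offset}+{e.size}")
        for p in r.problems:
            print("  !", p)
```

Width and height bytes of 0 in the directory mean 256, which is why the 256x256 PNG entries reported above are legal in a format with one-byte dimension fields; a "dib" entry is recognised by biSize == 40 at its offset. A non-zero overlay count or an "unreadable" entry is reason to inspect the file further before accepting the icon classification.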

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Bonzify.exe (PID: 912)
      • Bonzify.exe (PID: 3492)
      • INSTALLER.exe (PID: 4064)
      • WannaCrypt0r.exe (PID: 2908)
      • INSTALLER.exe (PID: 3748)
      • PCToaster.exe (PID: 3288)
      • PCToaster.exe (PID: 3816)
      • @[email protected] (PID: 3700)
      • @[email protected] (PID: 3000)
      • taskhsvc.exe (PID: 3068)
      • taskdl.exe (PID: 3340)
      • PCToaster.exe (PID: 2780)
      • PCToaster.exe (PID: 952)
      • @[email protected] (PID: 912)
      • taskdl.exe (PID: 3716)
    • Drops executable file immediately after starts

      • INSTALLER.exe (PID: 4064)
      • INSTALLER.exe (PID: 3748)
      • WannaCrypt0r.exe (PID: 2908)
    • Registers / Runs the DLL via REGSVR32.EXE

      • INSTALLER.exe (PID: 4064)
      • INSTALLER.exe (PID: 3748)
    • Changes the autorun value in the registry

      • INSTALLER.exe (PID: 3748)
    • Writes file to Word startup folder

      • WannaCrypt0r.exe (PID: 2908)
    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 3628)
      • regsvr32.exe (PID: 3844)
      • Bonzify.exe (PID: 3492)
      • regsvr32.exe (PID: 2576)
      • AgentSvr.exe (PID: 4000)
      • regsvr32.exe (PID: 2680)
      • regsvr32.exe (PID: 3244)
      • regsvr32.exe (PID: 2272)
      • INSTALLER.exe (PID: 3748)
      • INSTALLER.exe (PID: 4064)
      • taskhsvc.exe (PID: 3068)
      • SearchProtocolHost.exe (PID: 2128)
      • conhost.exe (PID: 2224)
      • conhost.exe (PID: 3616)
      • consent.exe (PID: 1024)
      • attrib.exe (PID: 1568)
      • consent.exe (PID: 3908)
      • conhost.exe (PID: 4088)
      • conhost.exe (PID: 3116)
      • diskpart.exe (PID: 3992)
      • @[email protected] (PID: 912)
    • Modifies files in Chrome extension folder

      • WannaCrypt0r.exe (PID: 2908)
    • Steals credentials from Web Browsers

      • WannaCrypt0r.exe (PID: 2908)
    • Actions looks like stealing of personal data

      • WannaCrypt0r.exe (PID: 2908)
    • WannaCry Ransomware was detected

      • WannaCrypt0r.exe (PID: 2908)
      • cmd.exe (PID: 3816)
    • Changes AppInit_DLLs value (autorun option)

      • Bonzify.exe (PID: 3492)
  • SUSPICIOUS

    • Drops a file that was compiled in debug mode

      • chrome.exe (PID: 2160)
      • chrome.exe (PID: 2532)
      • INSTALLER.exe (PID: 4064)
      • Bonzify.exe (PID: 3492)
      • INSTALLER.exe (PID: 3748)
      • @[email protected] (PID: 3000)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2160)
      • chrome.exe (PID: 2532)
      • Bonzify.exe (PID: 3492)
      • INSTALLER.exe (PID: 4064)
      • INSTALLER.exe (PID: 3748)
      • WannaCrypt0r.exe (PID: 2908)
      • @[email protected] (PID: 3000)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2532)
    • Starts Internet Explorer

      • rundll32.exe (PID: 1948)
    • Creates files in the Windows directory

      • Bonzify.exe (PID: 3492)
      • INSTALLER.exe (PID: 4064)
      • INSTALLER.exe (PID: 3748)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 1544)
    • Starts CMD.EXE for commands execution

      • Bonzify.exe (PID: 3492)
      • WannaCrypt0r.exe (PID: 2908)
    • Uses ICACLS.EXE to modify access control list

      • cmd.exe (PID: 1544)
      • WannaCrypt0r.exe (PID: 2908)
    • Drops a file with too old compile date

      • Bonzify.exe (PID: 3492)
      • INSTALLER.exe (PID: 4064)
      • INSTALLER.exe (PID: 3748)
      • WannaCrypt0r.exe (PID: 2908)
      • @[email protected] (PID: 3000)
    • Removes files from Windows directory

      • INSTALLER.exe (PID: 4064)
      • INSTALLER.exe (PID: 3748)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 3096)
      • regsvr32.exe (PID: 3148)
      • regsvr32.exe (PID: 3844)
      • regsvr32.exe (PID: 3244)
      • regsvr32.exe (PID: 2476)
      • regsvr32.exe (PID: 2272)
      • regsvr32.exe (PID: 2576)
      • regsvr32.exe (PID: 2680)
      • regsvr32.exe (PID: 3628)
    • Creates a software uninstall entry

      • INSTALLER.exe (PID: 3748)
    • Drops a file with a compile date too recent

      • INSTALLER.exe (PID: 3748)
    • Executed via COM

      • AgentSvr.exe (PID: 4000)
    • Uses ATTRIB.EXE to modify file attributes

      • WannaCrypt0r.exe (PID: 2908)
      • javaw.exe (PID: 2136)
    • Creates files like Ransomware instruction

      • WannaCrypt0r.exe (PID: 2908)
    • Creates files in the program directory

      • WannaCrypt0r.exe (PID: 2908)
    • Creates files in the user directory

      • WannaCrypt0r.exe (PID: 2908)
      • taskhsvc.exe (PID: 3068)
    • Executes JAVA applets

      • PCToaster.exe (PID: 3816)
  • INFO

    • Manual execution by user

      • chrome.exe (PID: 2532)
      • WinRAR.exe (PID: 2676)
      • WinRAR.exe (PID: 2548)
      • Bonzify.exe (PID: 912)
      • WinRAR.exe (PID: 3736)
      • rundll32.exe (PID: 1948)
      • rundll32.exe (PID: 1640)
      • rundll32.exe (PID: 2960)
      • Bonzify.exe (PID: 3492)
      • WannaCrypt0r.exe (PID: 2908)
      • PCToaster.exe (PID: 3288)
      • PCToaster.exe (PID: 3816)
      • PCToaster.exe (PID: 2780)
      • PCToaster.exe (PID: 952)
    • Reads the hosts file

      • chrome.exe (PID: 2532)
      • chrome.exe (PID: 2160)
    • Application launched itself

      • chrome.exe (PID: 2532)
      • iexplore.exe (PID: 2820)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1592)
    • Changes internet zones settings

      • iexplore.exe (PID: 2820)
    • Creates files in the user directory

      • iexplore.exe (PID: 1592)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 1592)
    • Dropped object may contain Bitcoin addresses

      • Bonzify.exe (PID: 3492)
      • WannaCrypt0r.exe (PID: 2908)
      • taskhsvc.exe (PID: 3068)
    • Dropped object may contain URL to Tor Browser

      • WannaCrypt0r.exe (PID: 2908)
    • Dropped object may contain TOR URL's

      • WannaCrypt0r.exe (PID: 2908)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
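The signatures above are individually weak: attrib.exe, icacls.exe and cmd.exe are ordinary administrative tools, and this report itself shows javaw.exe using attrib.exe. What makes the WannaCrypt0r.exe (PID 2908) entries worth paging on is the combination under one parent: hiding the working directory, granting Everyone full control over it, and spawning the taskdl.exe/taskhsvc.exe helpers that appear in the process list. The script below is an added detection example and is not part of the ANY.RUN report; it groups process-creation events by parent and scores that combination. The events are constructed: image names and the PIDs 2908, 1568 and 3340 are borrowed from the process list above, the command lines follow WannaCry's publicly documented behaviour rather than anything shown in this report, and parent PID 1234 and the benign rows are invented.

```python
import re
from collections import defaultdict

# Child command lines that WannaCry-style droppers issue in their working directory
ATTRIB_HIDE = re.compile(r"\battrib(?:\.exe)?\b.*\+h\b", re.I)
ICACLS_EVERYONE = re.compile(r"\bicacls(?:\.exe)?\b.*/grant\s+everyone:\(?f\)?", re.I)
# Helper image names taken from the report's process list
HELPER_NAMES = {"taskdl.exe", "taskhsvc.exe"}


def detect(events):
    """Group process-creation events by parent and score each parent's children.

    Each event is a dict with pid, ppid, image and cmdline. Returns one finding per parent
    that showed at least one signal; "high" needs the attrib+icacls pair or a known helper
    name, while a lone signal is "low" so it can be reviewed rather than paged on.
    """
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for ppid, kids in children.items():
        hid = any(ATTRIB_HIDE.search(k["cmdline"]) for k in kids)
        acl = any(ICACLS_EVERYONE.search(k["cmdline"]) for k in kids)
        helpers = sorted({k["image"].lower() for k in kids} & HELPER_NAMES)
        signals = []
        if hid:
            signals.append("attrib +h on working directory")
        if acl:
            signals.append("icacls /grant Everyone:F (world-writable ACL)")
        if helpers:
            signals.append("spawned helper name(s): " + ", ".join(helpers))
        if not signals:
            continue
        findings.append({
            "parent_pid": ppid,
            "parent_image": by_pid.get(ppid, {}).get("image", "<not in log>"),
            "signals": signals,
            "severity": "high" if (hid and acl) or helpers else "low",
        })
    return findings


# Constructed sample log (not taken from the report): PIDs 2908, 1568, 3340 and the image
# names follow the process list above; command lines follow documented WannaCry behaviour;
# parent 1234 and the benign rows are invented.
SAMPLE_EVENTS = [
    {"pid": 1234, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2908, "ppid": 1234, "image": "WannaCrypt0r.exe", "cmdline": "WannaCrypt0r.exe"},
    {"pid": 1568, "ppid": 2908, "image": "attrib.exe", "cmdline": "attrib +h ."},
    {"pid": 3001, "ppid": 2908, "image": "icacls.exe", "cmdline": "icacls . /grant Everyone:F /T /C /Q"},
    {"pid": 3340, "ppid": 2908, "image": "taskdl.exe", "cmdline": "taskdl.exe"},
    # benign: an admin granting read access to one account, and a user hiding a single file
    {"pid": 4100, "ppid": 1234, "image": "cmd.exe", "cmdline": "cmd.exe /c icacls C:\\Share /grant Alice:R"},
    {"pid": 5001, "ppid": 5000, "image": "attrib.exe", "cmdline": "attrib +h secret.txt"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["parent_pid"], f["parent_image"], "; ".join(f["signals"]))
```

Grouping by parent is what separates the ransomware pattern from the benign rows: the same icacls and attrib binaries run elsewhere without raising the combined score, and the single "attrib +h" under PID 5000 surfaces only as a low-severity item for review.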
No Malware configuration.

TRiD (match confidence, %)

.ico | Windows Icon (36.3)
.ico | Windows Icon (even big) (36.3)
.mpg/mpeg | MPEG Video (27.2)
All screenshots are available in the full report
Total processes: 161
Monitored processes: 102
Malicious processes: 9
Suspicious processes: 3

Behavior graph

Interactive graph available in the full report. Processes shown in the graph: rundll32.exe, chrome.exe, winrar.exe, iexplore.exe, bonzify.exe, cmd.exe, taskkill.exe, takeown.exe, icacls.exe, installer.exe, regsvr32.exe, agentsvr.exe, grpconv.exe, wannacrypt0r.exe (#WANNACRY), attrib.exe, taskdl.exe, pctoaster.exe, @[email protected] (#WANNACRY), javaw.exe, taskhsvc.exe, conhost.exe, searchprotocolhost.exe, consent.exe, diskpart.exe.

Process information

PID | CMD | Path | Indicators | Parent process
2392 | "C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\AppData\Local\Temp\Disk Image File.ico | C:\Windows\System32\rundll32.exe | - | explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imagehlp.dll
2532 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | - | explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
3840 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6bd2a9d0,0x6bd2a9e0,0x6bd2a9ec | C:\Program Files\Google\Chrome\Application\chrome.exe | - | chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
3712 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2576 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | - | chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
2424 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1012,15222848274186966134,7008346503686790717,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=1364075826142220611 --mojo-platform-channel-handle=1028 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | - | chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
2160 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1012,15222848274186966134,7008346503686790717,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=2193777467634792737 --mojo-platform-channel-handle=1532 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | - | chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
2336 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,15222848274186966134,7008346503686790717,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11571438589519118890 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | - | chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
2248 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,15222848274186966134,7008346503686790717,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15837617316347065663 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2444 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | - | chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
1444 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,15222848274186966134,7008346503686790717,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8712717962664538956 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2504 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | - | chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
1768 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1012,15222848274186966134,7008346503686790717,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=17489407508890539014 --mojo-platform-channel-handle=3344 --ignored=" --type=renderer " /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | - | chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
Total events: 4,219
Read events: 3,603
Write events: 593
Delete events: 23

Modification events

(PID) Process | Operation | Key | Name | Value
(2392) rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | Name | rundll32.exe
(2392) rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Photo Viewer\Viewer | MainWndPos | 6000000034000000A00400008002000000000000
(2532) chrome.exe | write | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | failed_count | 0
(2532) chrome.exe | write | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | state | 2
(2532) chrome.exe | write | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty | StatusCodes | (empty)
(2532) chrome.exe | write | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty | StatusCodes | 01000000
(2532) chrome.exe | write | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | state | 1
(2532) chrome.exe | write | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} | dr | 1
(3712) chrome.exe | write | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes | 2532-13261951321814000 | 259
(2532) chrome.exe | write | HKEY_CURRENT_USER\Software\Google\Chrome | UsageStatsInSample | 0
Executable files: 41
Suspicious files: 585
Text files: 446
Unknown types: 23

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2532 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6068C05A-9E4.pma | - | - | -
2532 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\0b612839-8fb6-4141-8247-bfbe2296be03.tmp | - | - | -
2532 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000048.dbtmp | - | - | -
2532 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Last Tabs | binary | E815400F953EA8DB8A98D52737C9A50D | E9F064927A191500B7365F51C9CD0763A6A8E68A8B866ACED39AA0E72C3EAD85
2532 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RFd3d19.TMP | text | FB5B20517A0D1F7DAD485989565BEE5E | 99405F66EDBEB2306F4D0B4469DCADFF5293B5E1549C588CCFACEA439BB3B101
2532 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RFd3d86.TMP | text | 67F45CAA18C889645F50CD6216C81E65 | 33ED82CDDDFFD55A5059C147C6CD20F66C6712314F890A39576D3C10914D0029
2532 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RFd3d09.TMP | text | D4322EEBAC92D1B8F7A6F5E39F6264B7 | A3EEDF21B850DCC7CE5AE04395ECDD2D29DA4EA549C8A185DD9E8B552A87B8C2
2532 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old | text | C2DDBA63E4A2BD2E39A8B6C2C6384AAE | 6D5C1C78341C6F84911055D970ADDB0EC3499F8BF7FADE062122A22209CE67D9
2532 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RFd3d09.TMP | text | C2DDBA63E4A2BD2E39A8B6C2C6384AAE | 6D5C1C78341C6F84911055D970ADDB0EC3499F8BF7FADE062122A22209CE67D9
2532 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old | text | 67F45CAA18C889645F50CD6216C81E65 | 33ED82CDDDFFD55A5059C147C6CD20F66C6712314F890A39576D3C10914D0029
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 58
DNS requests: 34
Threats: 10

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
1592 | iexplore.exe | GET | 301 | 2.16.186.27:80 | http://shell.windows.com/fileassoc/fileassoc.asp?Ext=PetrWrap(Wiper) | unknown | - | - | whitelisted
1592 | iexplore.exe | GET | 302 | 104.111.242.51:80 | http://go.microsoft.com/fwlink/?LinkId=57426&Ext=PetrWrap(Wiper) | NL | - | - | whitelisted
1592 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted
2160 | chrome.exe | GET | 302 | 142.250.186.78:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 520 b | whitelisted
2160 | chrome.exe | GET | 200 | 173.194.139.6:80 | http://r1---sn-aigzrn7k.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=e_&mip=102.129.202.10&mm=28&mn=sn-aigzrn7k&ms=nvh&mt=1617477379&mv=m&mvi=1&pl=25&shardbypass=yes | US | crx | 242 Kb | whitelisted
1592 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2160 | chrome.exe | 142.250.186.67:443 | www.gstatic.com | Google Inc. | US | whitelisted
2160 | chrome.exe | 172.217.16.131:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
2160 | chrome.exe | 142.250.185.67:443 | www.google.com.ua | Google Inc. | US | whitelisted
2160 | chrome.exe | 142.250.186.131:443 | www.google.co.uk | Google Inc. | US | whitelisted
2160 | chrome.exe | 142.250.186.78:80 | redirector.gvt1.com | Google Inc. | US | whitelisted
2160 | chrome.exe | 142.250.74.206:443 | clients2.google.com | Google Inc. | US | whitelisted
2160 | chrome.exe | 142.250.185.170:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
2160 | chrome.exe | 142.250.185.206:443 | ogs.google.com.ua | Google Inc. | US | whitelisted
2160 | chrome.exe | 142.250.186.65:443 | clients2.googleusercontent.com | Google Inc. | US | whitelisted
2160 | chrome.exe | 142.250.186.142:443 | apis.google.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
clientservices.googleapis.com | 172.217.16.131 | whitelisted
accounts.google.com | 172.217.23.109 | shared
www.google.com.ua | 142.250.185.67 | whitelisted
fonts.googleapis.com | 142.250.185.170 | whitelisted
www.gstatic.com | 142.250.186.67 | whitelisted
fonts.gstatic.com | 172.217.16.131 | whitelisted
apis.google.com | 142.250.186.142 | whitelisted
ogs.google.com.ua | 142.250.185.206 | whitelisted
www.google.com | 142.250.185.228 | whitelisted
www.google.co.uk | 142.250.186.131 | whitelisted

Threats

Class | Message
Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 222
Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 716
Misc activity | ET POLICY TLS possible TOR SSL traffic
Misc activity | ET POLICY TLS possible TOR SSL traffic
Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection
Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 568
Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 652
Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 755
Misc activity | ET POLICY TLS possible TOR SSL traffic
Misc activity | ET POLICY TLS possible TOR SSL traffic
Process | Message
AgentSvr.exe | ClaimOutput
AgentSvr.exe | UnclaimOutput
AgentSvr.exe | ClaimOutput
AgentSvr.exe | UnclaimOutput
AgentSvr.exe | ClaimOutput
AgentSvr.exe | UnclaimOutput
AgentSvr.exe | ClaimOutput
AgentSvr.exe | UnclaimOutput