File name: test1.exe

Full analysis: https://app.any.run/tasks/96a99b59-fa62-43a2-a55d-844219d3b3c6
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: February 28, 2023, 20:39:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: bitrat, trojan, rat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 300B03A0E5ECD28E384BC904251BF529
SHA1: 6B0982FD08FF7DCC23E1700FC19B660A627CD8C4
SHA256: FC7BED3B315ABD77F4A74A3FB63DE8EBC425DB0578A2995452E161A89D6E60A7
SSDEEP: 24576:9ndRKZCy2BrhCeU2i2cJijFbCBTPmiY05tJMSQp5ysA7Yg1nLkzv5UCk2:lXDFBU2iIBb0xY/6sUYYSU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BITRAT detected by memory dumps

      • test1.exe (PID: 3400)
    • BITRAT was detected

      • test1.exe (PID: 3400)
    • Connects to the CnC server

      • test1.exe (PID: 3400)
  • SUSPICIOUS

    • Connects to unusual port

      • test1.exe (PID: 3400)
    • Reads the Internet Settings

      • wmplayer.exe (PID: 2652)
      • setup_wm.exe (PID: 2752)
  • INFO

    • Checks supported languages

      • test1.exe (PID: 3400)
      • wmplayer.exe (PID: 2652)
      • setup_wm.exe (PID: 2752)
    • Checks proxy server information

      • setup_wm.exe (PID: 2752)
    • Reads the computer name

      • test1.exe (PID: 3400)
      • wmplayer.exe (PID: 2652)
      • setup_wm.exe (PID: 2752)
    • The process checks LSA protection

      • test1.exe (PID: 3400)
      • wmplayer.exe (PID: 2652)
      • setup_wm.exe (PID: 2752)
    • Manual execution by a user

      • wmplayer.exe (PID: 2652)
    • Create files in a temporary directory

      • setup_wm.exe (PID: 2752)
    • Reads Environment values

      • setup_wm.exe (PID: 2752)
    • Reads the machine GUID from the registry

      • setup_wm.exe (PID: 2752)
    • Process checks computer location settings

      • setup_wm.exe (PID: 2752)

BitRat

(PID) Process: (3400) test1.exe
C2: 94.34.243.6
Ports: 4444
Options
TorProcess: tor
CommunicationPassword: 81dc9bdb52d04dc20036dbd8313ed055
Version: 1.38
Keys
MD5: 50e8261e0ad9d574
Strings (690)
(1)
(Build:
(Last bootup:
(max:
(x64)
(x86)
* CPU
* DONATE
* POOL #1
-a "
-incognito
-l "
GiB
Hz)</val2>
KiB
MHz)</val2>
MHz</val2>
Mbit/s
TiB
[Download]
algo
"message_id":
"text":"
"update_id":
$3^(
% Available (charging)
%)</size>
%|-1
&text=
)</val1>
)</val2>
+unning
--profile-directory=Default
-2147483643/
-2147483645/
-2147483646/
-2147483647/
-2147483648/
-2147483650
.dat
.enc
.json
.xml
.zip
.ziptebrv
/cam.
/clbtart.
/dlex
/free
/pwsY
/resync /nowait
/scr.
/sendMes
/sendMessage?chat_id=
/usb
/vol8
1|-1
78hf326f87
9HSA
9onnecting...
;CK_CMD|
;HIFT
;toppe{
</block>
</cpuusage>
</date>
</dep>
</desc>
</err>
</est>
</files>
</filesystem>
</icon>
</isprc>
</issys>
</label>
</lis>
</mod>
</name>
</path>
</pb>
</pid>
</pri>
</ramload>
</ramsize>
</server>
</silent>
</sizefree>
</sizetotal>
</sizeused>
</startup>
</state>
</sz>
</sz>s>
</tcp>
</threads>
</title>
</type>
</udp>
</v>zefro
</v>|
</val2>
</xml>
<F11]
<F12]
<F1]
<F3]
<F4]
<F9]
<apptype>
<attr>
<block>
<cpuusage>
<data>
<date>
<date>N/A</date>
<dep>
<desc>
<dirs>
<disp>
<err>patS
<filesystem>
<hwnd>
<icon>
<isprc>
<letter>
<lis>
<n>N/A</n>
<name>
<path>
<path>N/A</path>
<pb>N/A</pb>
<pid>
<ramfree>
<ramsize>
<server>
<silent>
<silent>N/A</silent>
<size>
<sizefree>
<state>
<sz>D
<sz>N/A</sz>
<tcp>
<threads>
<type>
<v>N/A</v>
<val1>Antivirus</val1>
<val1>BIOS</val1>
<val1>Graphic card (
<val1>Input locale</val1>
<val1>Installed RAM</val1>
<val1>Monitor (
<val1>OS architecture</val1>
<val1>OS install date</val1>
<val1>OS version</val1>
<val1>Operating system</val1>
<val1>PC domain</val1>
<val1>PC manufacturer</val1>
<val1>PC model</val1>
<val1>Platform type</val1>
<val1>Processor</val1>
<val1>RAM slot (
<val1>System locale</val1>
<val1>System uptime</val1>
<val1>Time zone</val1>
<val1>Username</val1>
<val2>
<xml>
=li_un
=on_close
?ocks5_srv_start
?rv_start
ADD
APPACTIVATE
AT
AVE_MARIA
Action: /cam
Action: /clsbrw
Action: /klg
Action: /msg
Action: /usb
Action: /vol
Action: /web
Adapter
Alerts disabled
Alerts enabled
All in One
Armenian
Attempting to launch browser...
Automatic
BS
Basque
Boot Start
Bot ID:
BuildNumber
Bulgarian
Bus Expansion Chassis
Business
CLOSED
Capacity
Caption
ChassisTypes
Closing virtual desktop...
Connecting...
CreateDesktop API failed!
CreateProcess API failed!
Critical error control
Croatian
Czech
DEL
DELETE_TCB
Danish
Datacenter
DelegateExecute
Desktop
Disabled
Disconnected
DisplayIcon
DisplayName
DisplayVersion
Docking Station
DriverVersion
END
ESC
Enterprise
EstimatedChargeRemaining
EstimatedRunTime
EstimatedSize
Estonian
Expansion Chassis
F1
F10
F12
F13
F14
F15
F16
F2
F3
F4
F5
F6
F7
F8
F9
FAIL (invalid arguments)
FAIL (invalid log size)
FIN_WAIT1
FIN_WAIT2
Faeroese
Failed to launch browser
File system driver
Finnish
FriendlyName
Fully charged (
Georgian
Gonnecting...
Gontinuing
Greek
Gujarati
H/dep>
H/disp>
H/mod>
H/path>
H/pb>
H/status>
H/title>
Hand Held
Hblock>
Hclass>
Hdep>
Hebrew
Hidden
Hindi
Hpath>
Hpid>
Htitle>
Hudp>
Hungarian
Hxml>
IELAY
INS
Icelandic
IelegateExecute
InstallDate
InstallLocation
Interactive process
Itarting
Itopping
JF10]
JF13]
JF14]
JF2]
JF5]
JF6]
JF7]
JF8]
Kazakh
Keep-alive
Kernel driver
Keylog:
Kli_dc
Kli_off
Kli_rc
Kli_sleep
Kyrgyz
LAST_ACK
LISTENING
Laptop
Lithuanian
Low Profile Desktop
Lplg\
Lunch Box
Macedonian
Main System Chassis
Malay - Brunei Darussalam
Manual
Manufacturer
Mate
MaxClockSpeed
Maximized
Mini Tower
Mocks5_srv_start
Mrv_list
No active
No clipboard
Normal
Norwegian - Bokmal
Norwegian - Nynorsk
Notebook
OSLanguage
Oitle
P |
Peripheral Chassis
Pizza Box
Polish
Portable
Portuguese - Brazilian
Portuguese - Standard
Powrprof.dll
Publisher
QuietUninstallString
RB_ST
Rack Mount Chassis
Recognizer driver
Remote browser started!
Remote browser stopped!
Romanian
RtlGetVersion
SC_PR_ST
SC_ST
SC_ST2
SELECT * FROM Win32_Processor
SELECT * From AntiVirusProduct
SYN_RCVD
SYN_SENT
ScreenHeight
ScreenWidth
Sealed-Case PC
Select * from Win32_BIOS
Select * from Win32_Battery
Select * from Win32_TimeZone
Serbian - Latin
Service ignores error
SetThreadDesktop API failed!
Severe error control
Slovak
Slovenian
Socket was unexpectedly closed!
Sorry, Chrome was not detected!
Spanish - Argentina
Spanish - Bolivia
Spanish - Chile
Spanish - Colombia
Spanish - Costa_Rica
Spanish - Dominican Republic
Spanish - Ecuador
Spanish - El Salvador
Spanish - Guatemala
Spanish - Honduras
Spanish - Mexican
Spanish - Modern Sort
Spanish - Nicaragua
Spanish - Panama
Spanish - Paraguay
Spanish - Peru
Spanish - Puerto Rico
Spanish - Traditional Sort
Spanish - Uruguay
Spanish - Venezuela
Speed
Starter
Status:
Status: FAIL (no available cam)
Status: OK
Storage Chassis
Sub Notebook
SubChassis
Swedish - Finland
Switching to virtual desktop...
Syriac
TIME_WAIT
TLS Handshake
Tamil
Tatar
Telugu
Thai[
UCBrowser.exe
Ukrainian
Unknown
Urdu</stv
User:
Uzbek - Cyrillic
V/data>
V/dirs>
V/hwnd>
V/name>
V/path>
V/pid>
V/size>
Vblock>
Vdir>
Verr>
Version
Vietnamese
Virtual Machine
Vissys>
Vmod>
Vpath>
Vpb>
Vsize>-1</size>
Vxml>
WC_PR_ST
Web Server
Win 10
Win 11
Win 2000
Win 8.1
Win XP
Win32
Win32 process
Win32 share process
Window:
Wisconnected
WmiQueryAllDataW
Zplg\
[BACKSPACE]
[CAPSLOCK]
[CLEAR]
[CLIPBOARD_END]
[CLIPBOARD_START]
[CTRL+@]
[CTRL+A]
[CTRL+B]
[CTRL+C]
[CTRL+D]
[CTRL+E]
[CTRL+F]
[CTRL+G]
[CTRL+H]
[CTRL+I]
[CTRL+J]
[CTRL+K]
[CTRL+L]
[CTRL+M]
[CTRL+N]
[CTRL+O]
[CTRL+P]
[CTRL+Q]
[CTRL+R]
[CTRL+S]
[CTRL+T]
[CTRL+U]
[CTRL+V]
[CTRL+W]
[CTRL+X]
[CTRL+Y]
[CTRL+Z]
[CTRL+[]
[CTRL+\]
[CTRL+]]
[CTRL+^]
[CTRL+_]
[DEL]
[DOWN]
[END]
[ENTER]
[ESC]
[EXECUTE]
[F15]
[F16]>
[HELP]
[HOME]
[INS]
[LEFT]
[MENU]
[NUMLOCK]
[NUMPAD_0]
[NUMPAD_1]
[NUMPAD_2]
[NUMPAD_3]
[NUMPAD_4]
[NUMPAD_5]
[NUMPAD_6]
[NUMPAD_7]
[NUMPAD_8]
[NUMPAD_9]
[NUMPAD_ADD]
[NUMPAD_DECIMAL]
[NUMPAD_DIVIDE]
[NUMPAD_MULTIPLY]
[NUMPAD_SEPARATOR]
[NUMPAD_SUBTRACT]
[PAGEDOWN]
[PAGEUP]
[PAUSE]
[PRTSCR]
[RIGHT]
[SCROLL]
[SELECT]
[SHIFT]
[TAB]
[UP]:
[nknown
\Google\C
\Google\Chrome\User Data
\Mozilla\Firefox
\Opera\Opera
\Torch\User Data
\b\d{2}[-]\d{2}[-]\d{4}\b
\plg
\plg\
\plg\inj64.exe
\plg\pid
\setup.exe
about:blank
alert
alert|
aud_rec_list
autoruns
autoruns_del
autoruns_req
browsers_clear
chrome.exe
cli_bsod
cli_hib
cli_log
cli_off
cli_rs
cli_sleep
cli_up
clipboard_get
con_list
crd_logins
crd_logins_report
crd_logins_report_req
crd_logins_req
crd_logins_start_tg
crd_logins_tg
data
date
ddos_stop
displayName
dl_dir_obj_count
dlexec
drives_get
files_delete
files_delete_dir_normal
files_delete_dir_secure
files_delete_end
files_delete_secure
files_delete_start
files_download_resume
files_get
files_search_path
files_upload
files_zip
files_zip_end
files_zip_start
firefox.exe
g0 Hz,
h<u~~h
h\
hsz
http://api.ipify.org
http://ip
http://ipecho.net/plain
http://ipinfo.io/ip
http://ipv4.icanhazip.com
http://wtfismyip.com/text
h}p~~h
iexplore.exe
image/jpeg
image/png
injdll
kersion:
klgoff_del
klgoff_dl_all
klgoff_dl_recent
klgoff_get
klgoff_list
klgonlinestart
klgonlinestop
max
miles_delete_start
miles_new_dir
miles_upload_dir
miles_zip_dir
miles_zip_end
mnk32
monitors_refresh
msedge.exe
msgbox
notes_get
notes_set
ntdll.dll
opera.exe
prc_kill
prc_list
prc_priority
prc_restart
prc_resume
prc_suspend
productState
reg_hkeys_get
reg_keys_get
rejected
remotebrowser_error
remotebrowser_info
remotebrowser_stop
root
scr_off
scr_on
screenlive_stop
settings
shell_stop
socks4r_stats
socks4r_stop
socks5_srv_stats
soft_list
soft_uninstall
speed
speedtest
srv_control
srv_list
srv_start
srv_uninstall
task_del
tasks_list
thtml
thumb_data
torch.exe
unk32
unknown
upnp_data
usb_spread
vivaldi.exe
vol_edit
w32tm.exe
wL_DL
wL_DL_RESUME
wd_kill
webcam_devices
webcam_start
webcam_stop
website_open
wnd_list
wnd_title
xmr64_mine_ready
xmr64_mine_req
xmr_mine_log
xmr_mine_ready
xmr_mine_req
xmr_mine_stats
xmrmine
{iles_delete_end
{iles_download
{iles_exec
{iles_rename
{iles_search
{iles_search_stop
{iles_zip
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x3e2720
UninitializedDataSize: 2560000
InitializedDataSize: 4096
CodeSize: 1511424
LinkerVersion: 14
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2021:06:30 02:16:18+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-Jun-2021 02:16:18
TLS Callbacks: 1 callback(s) detected.

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000138

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 30-Jun-2021 02:16:18
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
UPX0 | 0x00001000 | 0x00271000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
UPX1 | 0x00272000 | 0x00171000 | 0x00170A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.93664
UPX2 | 0x003E3000 | 0x00001000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.0068

Imports

KERNEL32.DLL
No data.
Total processes: 39
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start -> test1.exe (#BITRAT); start -> wmplayer.exe (no specs) -> setup_wm.exe

Process information

PID: 2652
CMD: "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:1
Path: C:\Program Files\Windows Media Player\wmplayer.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player
Exit code: 0
Version: 12.0.7601.23517 (win7sp1_ldr.160812-0732)
Modules
Images
c:\program files\windows media player\wmplayer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2752
CMD: "C:\Program Files\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:1
Path: C:\Program Files\Windows Media Player\setup_wm.exe
Parent process: wmplayer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Windows Media Configuration Utility
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\windows media player\setup_wm.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3400
CMD: "C:\Users\admin\AppData\Local\Temp\test1.exe"
Path: C:\Users\admin\AppData\Local\Temp\test1.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\test1.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
Total events: 2 066
Read events: 1 978
Write events: 88
Delete events: 0

Modification events

(PID) Process: (3400) test1.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: test1.exe

(PID) Process: (2652) wmplayer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2652) wmplayer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2652) wmplayer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2652) wmplayer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2752) setup_wm.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Setup\UserOptions
Operation: write
Name: DesktopShortcut
Value: no

(PID) Process: (2752) setup_wm.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (2752) setup_wm.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000003E010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2752) setup_wm.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2752) setup_wm.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
Executable files: 0
Suspicious files: 0
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2752 | setup_wm.exe | C:\Users\admin\AppData\Local\Temp\wmsetup.log | text
MD5:
SHA256:
2752 | setup_wm.exe | C:\Users\admin\AppData\Local\Temp\tmp84500.WMC\allservices.xml | xml
MD5: DF03E65B8E082F24DAB09C57BC9C6241
SHA256: 155B9C588061C71832AF329FAFA5678835D9153B8FBB7592195AE953D0C455BA
2752 | setup_wm.exe | C:\Users\admin\AppData\Local\Temp\tmp85765.WMC\serviceinfo.xml | text
MD5: D58DA90D6DC51F97CB84DFBFFE2B2300
SHA256: 93ACDB79543D9248CA3FCA661F3AC287E6004E4B3DAFD79D4C4070794FFBF2AD
HTTP(S) requests: 3
TCP/UDP connections: 3
DNS requests: 2
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2752 | setup_wm.exe | GET | 302 | 2.21.20.154:80 | http://redir.metaservices.microsoft.com/redir/allservices/?sv=5&version=12.0.7601.17514&locale=409&userlocale=409&geoid=f4&parch=x86&arch=x86 | DE | | | whitelisted
2752 | setup_wm.exe | GET | 200 | 2.21.20.140:80 | http://onlinestores.metaservices.microsoft.com/serviceswitching/AllServices.aspx?sv=5&version=12.0.7601.17514&locale=409&userlocale=409&geoid=f4&parch=x86&arch=x86 | DE | xml | 546 b | whitelisted
2752 | setup_wm.exe | GET | 200 | 2.21.20.140:80 | http://onlinestores.metaservices.microsoft.com/bing/bing.xml | DE | text | 523 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3400 | test1.exe | 94.34.243.6:4444 | | Tiscali SpA | IT | malicious
2752 | setup_wm.exe | 2.21.20.154:80 | redir.metaservices.microsoft.com | Akamai International B.V. | DE | suspicious
2752 | setup_wm.exe | 2.21.20.140:80 | onlinestores.metaservices.microsoft.com | Akamai International B.V. | DE | malicious

DNS requests

Domain
IP
Reputation
redir.metaservices.microsoft.com
  • 2.21.20.154
  • 2.21.20.148
whitelisted
onlinestores.metaservices.microsoft.com
  • 2.21.20.140
  • 2.21.20.142
whitelisted

Threats

PID | Process | Class | Message
3400 | test1.exe | A Network Trojan was detected | ET TROJAN Observed Malicious SSL Cert (BitRAT CnC)
No debug info