Malware analysis Sеtup[1].exe Malicious activity | ANY.RUN

Add for printing

File name:	Sеtup[1].exe
Full analysis:	https://app.any.run/tasks/6960887b-edd1-44eb-a62b-5534718a65c9
Verdict:	Malicious activity
Threats:	CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites with "cracked" software. It has been first observed in the wild in 2019. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 08, 2024, 10:19:37
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer cryptbot crypto-regex
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	45B55D1E5D2BF60CC572F541AE6FA7D1
SHA1:	2329F56147A299BCDBF20520E626CC8253E49A8D
SHA256:	039F5C692BA1C67C6E9B475738F40F4311E5E5625E4390D5E51685F6B4E548B8
SSDEEP:	49152:CwJiOl9WvzyDyVJw4uRlghHh57fyy8nsEHQwUUjtdAITeWMN2Fi6NTMJ4kpCMclV:PrQmBmCnr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Actions looks like stealing of personal data
  - Sеtup[1].exe (PID: 7068)
- Connects to the CnC server
  - Sеtup[1].exe (PID: 7068)
- CRYPTBOT has been detected (SURICATA)
  - Sеtup[1].exe (PID: 7068)
- Uses Task Scheduler to run other applications
  - Sеtup[1].exe (PID: 7068)
- CRYPTBOT has been detected (YARA)
  - Sеtup[1].exe (PID: 7068)
SUSPICIOUS
- Searches for installed software
  - Sеtup[1].exe (PID: 7068)
- Reads security settings of Internet Explorer
  - Sеtup[1].exe (PID: 7068)
- The process executes via Task Scheduler
  - service123.exe (PID: 5552)
  - PLUGScheduler.exe (PID: 2924)
  - service123.exe (PID: 804)
- Found regular expressions for crypto-addresses (YARA)
  - service123.exe (PID: 4692)
INFO
- Checks supported languages
  - Sеtup[1].exe (PID: 7068)
  - service123.exe (PID: 5552)
  - PLUGScheduler.exe (PID: 2924)
  - service123.exe (PID: 804)
  - identity_helper.exe (PID: 4184)
  - service123.exe (PID: 4692)
- Create files in a temporary directory
  - Sеtup[1].exe (PID: 7068)
- Manual execution by a user
  - Taskmgr.exe (PID: 2684)
  - Taskmgr.exe (PID: 4068)
  - Taskmgr.exe (PID: 6332)
  - Taskmgr.exe (PID: 6424)
  - msedge.exe (PID: 4836)
- Reads the computer name
  - Sеtup[1].exe (PID: 7068)
  - PLUGScheduler.exe (PID: 2924)
  - identity_helper.exe (PID: 4184)
- Reads CPU info
  - Sеtup[1].exe (PID: 7068)
- Reads the machine GUID from the registry
  - service123.exe (PID: 4692)
  - service123.exe (PID: 5552)
  - service123.exe (PID: 804)
- Reads the software policy settings
  - slui.exe (PID: 3160)
- Reads security settings of Internet Explorer
  - Taskmgr.exe (PID: 4068)
  - Taskmgr.exe (PID: 6424)
- Process checks computer location settings
  - Sеtup[1].exe (PID: 7068)
- Creates files in the program directory
  - PLUGScheduler.exe (PID: 2924)
- Reads Environment values
  - identity_helper.exe (PID: 4184)
- Application launched itself
  - msedge.exe (PID: 4836)
- The process uses the downloaded file
  - Sеtup[1].exe (PID: 7068)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

CryptBot

(PID) Process(7068) Sеtup[1].exe

C2 (1)fivev5sb.top

Strings (364)CreateDCA

GetTempPathW

InternetOpenA

GetCurrentProcess

sprintf

IsWow64Process2

InternetOpenUrlW

WinHttpConnect

realloc

MoveFileA

CreateDCW

WinHttpReceiveResponse

WinHttpOpenRequest

/zip.php

GetModuleFileNameExW

GetSystemDirectoryA

GetSystemMetrics

DuplicateHandle

An error occurred while starting the application (0xc000007b). To exit the application, click OK.

ScreenShot.jpeg

VirtualFreeEx

ExpandEnvironmentStringsW

GetDriveTypeW

msvcrt.dll

WideCharToMultiByte

_swprintf

socket

swprintf_s

swprintf

bind

GetCurrentThread

RegQueryValueExW

kernel32.dll

StrStrIA

ExtractFilesW

Process32NextW

MoveFileExW

RegQueryInfoKeyA

_snwprintf

analforeverlovyu.top

shlwapi.dll

\ServiceData\Clip.au3

WinHttpReadData

GetUserNameW

InternetReadFileExW

RmGetList

PathIsDirectoryW

WinHttpReadDataEx

WinHttpAddRequestHeaders

ExitProcess

ShellExecuteA

FCIDestroy

Apps

GetConsoleMode

CreateDirectoryA

wnsprintfA

Sleep

shell32.dll

FindNextFileA

InternetCloseHandle

RegQueryValueExA

RemoveDirectoryW

URLDownloadToFileA

winsqlite3.dll

CreateFileW

GetLastError

BitBlt

ReadConsoleA

InternetOpenUrlA

LocalFree

wininet.dll

VirtualAlloc

HttpQueryInfoA

GetDiskFreeSpaceExW

WinHttpSendRequest

LoadLibraryW

GetFileAttributesA

CloseHandle

GetLogicalDriveStringsW

WaitForSingleObject

POST

LoadLibraryA

SHUnicodeToAnsi

IStream_Read

GetDriveTypeA

CreateFileMappingW

GetCurrentDirectoryA

GetTickCount

GdipGetImageEncoders

fivev5sb.top

crypt32.dll

LoadLibraryExW

GdipSaveImageToFile

GetLocalTime

QueryPerformanceCounter

GetEnvironmentVariableW

CopyFileW

CreateFileMappingA

RegOpenKeyExA

HeapCreate

GetSystemDirectoryW

CopyFileExW

System Error

ole32.dll

CreateMutexA

SetFilePointerEx

ExitThread

GetSystemInfo

GetUserNameA

Temp

"encrypted_key":"

GetModuleHandleExW

InternetConnectW

GdiplusShutdown

GetComputerNameW

UserProfile

DPAPI

FindFirstFileNameA

ReleaseDC

CreateRemoteThread

RegOpenKeyExW

RegEnumKeyExA

vswprintf

CoUninitialize

GetFileInformationByHandle

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

send

SHAnsiToUnicode

GlobalMemoryStatusEx

WinExec

DISPLAY

SleepEx

inet_addr

PathFileExistsA

URLDownloadToFileW

\sgGKCqIIoz

LocalAlloc

Content-Length: %lu

PathFileExistsW

StrStrIW

sprintf_s

EnumDisplaySettingsA

CreateThread

SetFilePointer

FileTimeToSystemTime

GetTempFileNameW

GetSystemWow64DirectoryA

GetKeyboardLayoutList

CreateProcessW

GET

HeapAlloc

ws2_32.dll

GetProcessHeap

UserID.txt

GetDeviceCaps

GetModuleHandleExA

malloc

gdiplus.dll

SHGetFolderPathA

printf

GetLocaleInfoW

listen

AppData

WSACleanup

SelectObject

GdiplusStartup

Others

SetErrorMode

abs

GetProcAddress

NULL

SaveImageToStream

ReadFile

GetFileAttributesW

InternetOpenW

InternetConnectA

WinHttpOpen

gdi32.dll

GetDiskFreeSpaceExA

HttpOpenRequestW

CreateStreamOnHGlobal

RegEnumKeyExW

HttpOpenRequestA

Process32FirstW

CreateCompatibleBitmap

GetModuleHandleA

WriteFile

GetEnvironmentVariableA

InternetReadFile

InternetReadFileExA

FindFirstFileExW

winhttp.dll

GetModuleFileNameW

HeapReAlloc

FCIFlushFolder

RmEndSession

rstrtmgr.dll

$CREEN.JPEG

Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko

WriteConsoleA

GdipSaveImageToStream

Debug.txt

recvfrom

/c schtasks /create /tn \Service\Data /tr """"%wS""" """%wS"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f

RegQueryInfoKeyW

DeleteObject

Desktop

WinHttpQueryOption

MoveFileW

WinHttpCrackUrl

clock

RmRegisterResources

InternetCrackUrlW

vsnprintf

_wtoi

\ServiceData

GdipGetImageEncodersSize

urlmon.dll

ShellExecuteW

_vscwprintf

IsWow64Process

GdipLoadImageFromFile

ExpandEnvironmentStringsA

CreateDirectoryW

GetModuleFileNameExA

FreeLibrary

OpenThread

MoveFileExA

user32.dll

HeapSize

FCIAddFile

ntdll.dll

log.txt

FindNextFileNameA

Browsers

\ServiceData\Clip.exe

free

IStream_Reset

LocalAppData

GetCurrentDirectoryW

wsprintfW

GetModuleHandleW

curl/8.0.1

closesocket

wsprintfA

SHGetFolderPathW

HttpQueryInfoW

advapi32.dll

WriteConsoleW

GetDIBits

WinHttpQueryHeaders

RtlGetVersion

HTTP

EnumDisplaySettingsW

Extract

WSAGetLastError

GetTickCount64

/gate.php

WSAStartup

FCICreate

ReadConsoleW

_vscprintf

End.txt

HeapFree

RemoveDirectoryA

WinHttpCloseHandle

DeleteDC

Process32NextA

GetExitCodeThread

CreateMutexW

MultiByteToWideChar

VirtualProtectEx

GetVolumeInformationA

GetProcessId

GetTimeZoneInformation

calloc

GetObjectW

VirtualAllocEx

GetFileSize

SystemTimeToFileTime

IsBadReadPtr

FileTimeToDosDateTime

HttpSendRequestW

GetFileSizeEx

URLOpenBlockingStreamA

wprintf

GetFileAttributesExA

CreateCompatibleDC

GetLocaleInfoA

GetTempPathA

GetTempFileNameA

GetUserDefaultLocaleName

IStream_Size

atoi

DeleteFileW

SHCreateMemStream

LoadLibraryExA

GetThreadId

CopyFileA

DeleteFileA

TerminateProcess

CreateRemoteThreadEx

GetObjectA

recv

FCIFlushCabinet

/v1/upload.php

VirtualProtect

CreateProcessA

MessageBoxW

FindFirstFileW

CoInitialize

GetBitmapBits

ReleaseMutex

FindNextFileW

FindFirstFileNameW

_snprintf

GetLogicalDriveStringsA

FindFirstFileExA

CopyFileExA

MessageBoxA

wnsprintfW

cabinet.dll

CreateToolhelp32Snapshot

PathIsDirectoryA

GetCommandLineW

URLOpenBlockingStreamW

Files

WinHttpSetOption

Wallets

advpack.dll

MapViewOfFile

GetNativeSystemInfo

FindFirstFileA

CryptUnprotectData

_snwprintf_s

RmStartSession

LkgwUi

strtod

CreateFileA

RegCloseKey

HTTPS

FindNextFileNameW

GetModuleFileNameA

OpenProcess

User's Computer Information.txt

StretchBlt

GetCommandLineA

HttpSendRequestA

VirtualFree

GetFileAttributesExW

Process32FirstA

UnmapViewOfFile

isspace

GetVolumeInformationW

GdipCreateBitmapFromHBITMAP

/index.php

GetSystemWow64DirectoryW

FindClose

GetComputerNameA

InternetCrackUrlA

ComSpec

htons

ExtractFilesA

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.3)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:09:07 05:42:21+00:00
ImageFileCharacteristics:	Executable, No line numbers, 32-bit
PEType:	PE32
LinkerVersion:	2.35
CodeSize:	4701184
InitializedDataSize:	5919232
UninitializedDataSize:	6743040
EntryPoint:	0x14b0
OSVersion:	4
ImageVersion:	1
SubsystemVersion:	4
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

331

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

628

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6876 --field-trial-handle=2248,i,3181521190861897720,8576478171496076135,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

712

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5640 --field-trial-handle=2248,i,3181521190861897720,8576478171496076135,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

804

"C:\Users\admin\AppData\Local\Temp\/service123.exe"

C:\Users\admin\AppData\Local\Temp\service123.exe

—

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\service123.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

840

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4904 --field-trial-handle=2248,i,3181521190861897720,8576478171496076135,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

920

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6780 --field-trial-handle=2248,i,3181521190861897720,8576478171496076135,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1104

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6552 --field-trial-handle=2248,i,3181521190861897720,8576478171496076135,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

PWA Identity Proxy Host

Exit code:

3221226029

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll

1116

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

C:\Windows\SysWOW64\schtasks.exe

—

Sеtup[1].exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1240

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=8040 --field-trial-handle=2248,i,3181521190861897720,8576478171496076135,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1380

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6848 --field-trial-handle=2248,i,3181521190861897720,8576478171496076135,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1948

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6832 --field-trial-handle=2248,i,3181521190861897720,8576478171496076135,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

10 084

Read events

10 043

Write events

Delete events

Modification events


(PID) Process:	(4068) Taskmgr.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation:	delete value	Name:	Preferences
Value:
(PID) Process:	(4068) Taskmgr.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation:	write	Name:	Preferences
Value: 0D00000060000000600000006800000068000000E3010000DC010000000001000000008000000080D8010080DF010080000100016B00000034000000130300008C020000E80300000000000000000000000000000F000000010000000000000058AAC14FF77F00000000000000000000000000002E0100001E0000008990000000000000FF00000001015002000000000D0000000000000098AAC14FF77F00000000000000000000FFFFFFFF960000001E0000008B900000010000000000000000101001000000000300000000000000B0AAC14FF77F00000000000000000000FFFFFFFF780000001E0000008C900000020000000000000001021200000000000400000000000000C8AAC14FF77F00000000000000000000FFFFFFFF960000001E0000008D900000030000000000000000011001000000000200000000000000E8AAC14FF77F00000000000000000000FFFFFFFF320000001E0000008A90000004000000000000000008200100000000050000000000000000ABC14FF77F00000000000000000000FFFFFFFFC80000001E0000008E90000005000000000000000001100100000000060000000000000028ABC14FF77F00000000000000000000FFFFFFFF040100001E0000008F90000006000000000000000001100100000000070000000000000050ABC14FF77F00000000000000000000FFFFFFFF49000000490000009090000007000000000000000004250000000000080000000000000080AAC14FF77F00000000000000000000FFFFFFFF49000000490000009190000008000000000000000004250000000000090000000000000070ABC14FF77F00000000000000000000FFFFFFFF490000004900000092900000090000000000000000042508000000000A0000000000000088ABC14FF77F00000000000000000000FFFFFFFF4900000049000000939000000A0000000000000000042508000000000B00000000000000A8ABC14FF77F00000000000000000000FFFFFFFF490000004900000039A000000B0000000000000000042509000000001C00000000000000C8ABC14FF77F00000000000000000000FFFFFFFFC8000000490000003AA000000C0000000000000000011009000000001D00000000000000F0ABC14FF77F00000000000000000000FFFFFFFF64000000490000004CA000000D0000000000000000021508000000001E0000000000000010ACC14FF77F00000000000000000000FFFFFFFF64000000490000004DA000000E000000000000000002150800000000030000000A000000010000000000000058AAC14FF77F0000000000000000000000000000D70000001E0000008990000000000000FF00000001015002000000000400000000000000C8AAC14FF77F0000000000000000000001000000960000001E0000008D900000010000000000000001011000000000000300000000000000B0AAC14FF77F00000000000000000000FFFFFFFF640000001E0000008C900000020000000000000000021000000000000C0000000000000040ACC14FF77F0000000000000000000003000000640000001E00000094900000030000000000000001021000000000000D0000000000000068ACC14FF77F00000000000000000000FFFFFFFF640000001E00000095900000040000000000000000011001000000000E0000000000000090ACC14FF77F0000000000000000000005000000320000001E00000096900000050000000000000001042001000000000F00000000000000B8ACC14FF77F0000000000000000000006000000320000001E00000097900000060000000000000001042001000000001000000000000000D8ACC14FF77F0000000000000000000007000000460000001E00000098900000070000000000000001011001000000001100000000000000F8ACC14FF77F00000000000000000000FFFFFFFF640000001E0000009990000008000000000000000001100100000000060000000000000028ABC14FF77F0000000000000000000009000000040100001E0000008F9000000900000000000000010110010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000B000000010000000000000058AAC14FF77F0000000000000000000000000000D70000001E0000009E90000000000000FF0000000101500200000000120000000000000020ADC14FF77F00000000000000000000FFFFFFFF2D0000001E0000009B90000001000000000000000004200100000000140000000000000040ADC14FF77F00000000000000000000FFFFFFFF640000001E0000009D90000002000000000000000001100100000000130000000000000068ADC14FF77F00000000000000000000FFFFFFFF640000001E0000009C900000030000000000000000011001000000000300000000000000B0AAC14FF77F00000000000000000000FFFFFFFF640000001E0000008C90000004000000000000000102100000000000070000000000000050ABC14FF77F000000000000000000000500000049000000490000009090000005000000000000000104210000000000080000000000000080AAC14FF77F000000000000000000000600000049000000490000009190000006000000000000000104210000000000090000000000000070ABC14FF77F0000000000000000000007000000490000004900000092900000070000000000000001042108000000000A0000000000000088ABC14FF77F0000000000000000000008000000490000004900000093900000080000000000000001042108000000000B00000000000000A8ABC14FF77F0000000000000000000009000000490000004900000039A00000090000000000000001042109000000001C00000000000000C8ABC14FF77F000000000000000000000A00000064000000490000003AA000000A00000000000000000110090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000008000000010000000000000058AAC14FF77F0000000000000000000000000000C60000001E000000B090000000000000FF0000000101500200000000150000000000000088ADC14FF77F00000000000000000000FFFFFFFF6B0000001E000000B1900000010000000000000000042500000000001600000000000000B8ADC14FF77F00000000000000000000FFFFFFFF6B0000001E000000B2900000020000000000000000042500000000001800000000000000E0ADC14FF77F00000000000000000000FFFFFFFF6B0000001E000000B490000003000000000000000004250000000000170000000000000008AEC14FF77F00000000000000000000FFFFFFFF6B0000001E000000B390000004000000000000000004250000000000190000000000000040AEC14FF77F00000000000000000000FFFFFFFFA00000001E000000B5900000050000000000000000042001000000001A0000000000000070AEC14FF77F00000000000000000000FFFFFFFF7D0000001E000000B6900000060000000000000000042001000000001B00000000000000A0AEC14FF77F00000000000000000000FFFFFFFF7D0000001E000000B790000007000000000000000004200100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000DA00000000000000000000000000000000000000000000009D200000200000009100000064000000320000006400000050000000320000003200000028000000500000003C0000005000000050000000320000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003C00000050000000500000009700000032000000780000003200000050000000500000005000000050000000000000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F000000100000001100000012000000130000001400000015000000160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C00000000000000000000001F00000000000000B400000032000000D8000000640000006400000000000000000000000000000000000000000000000000000000000000000000000000000000000000DA000000000000000000000000000000000000009D200000200000009100000064000000320000009700000050000000320000003200000028000000500000003C000000500000005000000032000000500000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003C0000005000000064000000780000003200000078000000780000003200000050000000500000005000000050000000C8000000000000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F000000100000001100000012000000130000001400000015000000160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C0000002D0000002E0000002F00000000000000000000001F00000000000000B400000032000000D8000000640000006400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000002000000030000000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000
(PID) Process:	(4068) Taskmgr.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation:	write	Name:	Preferences
Value: 0D00000060000000600000006800000068000000E3010000DC010000000001000000008000000080D8010080DF010080000100016B000000340000007D0400008C020000E80300000000000000000000000000000F000000010000000000000058AAC14FF77F00000000000000000000000000002E0100001E0000008990000000000000FF00000001015002000000000D0000000000000098AAC14FF77F00000000000000000000FFFFFFFF960000001E0000008B900000010000000000000000101001000000000300000000000000B0AAC14FF77F00000000000000000000FFFFFFFF780000001E0000008C900000020000000000000001021200000000000400000000000000C8AAC14FF77F00000000000000000000FFFFFFFF960000001E0000008D900000030000000000000000011001000000000200000000000000E8AAC14FF77F00000000000000000000FFFFFFFF320000001E0000008A90000004000000000000000008200100000000050000000000000000ABC14FF77F00000000000000000000FFFFFFFFC80000001E0000008E90000005000000000000000001100100000000060000000000000028ABC14FF77F00000000000000000000FFFFFFFF040100001E0000008F90000006000000000000000001100100000000070000000000000050ABC14FF77F00000000000000000000FFFFFFFF49000000490000009090000007000000000000000004250000000000080000000000000080AAC14FF77F00000000000000000000FFFFFFFF49000000490000009190000008000000000000000004250000000000090000000000000070ABC14FF77F00000000000000000000FFFFFFFF490000004900000092900000090000000000000000042508000000000A0000000000000088ABC14FF77F00000000000000000000FFFFFFFF4900000049000000939000000A0000000000000000042508000000000B00000000000000A8ABC14FF77F00000000000000000000FFFFFFFF490000004900000039A000000B0000000000000000042509000000001C00000000000000C8ABC14FF77F00000000000000000000FFFFFFFFC8000000490000003AA000000C0000000000000000011009000000001D00000000000000F0ABC14FF77F00000000000000000000FFFFFFFF64000000490000004CA000000D0000000000000000021508000000001E0000000000000010ACC14FF77F00000000000000000000FFFFFFFF64000000490000004DA000000E000000000000000002150800000000030000000A000000010000000000000058AAC14FF77F0000000000000000000000000000D70000001E0000008990000000000000FF00000001015002000000000400000000000000C8AAC14FF77F0000000000000000000001000000960000001E0000008D900000010000000000000001011000000000000300000000000000B0AAC14FF77F00000000000000000000FFFFFFFF640000001E0000008C900000020000000000000000021000000000000C0000000000000040ACC14FF77F0000000000000000000003000000640000001E00000094900000030000000000000001021000000000000D0000000000000068ACC14FF77F00000000000000000000FFFFFFFF640000001E00000095900000040000000000000000011001000000000E0000000000000090ACC14FF77F0000000000000000000005000000320000001E00000096900000050000000000000001042001000000000F00000000000000B8ACC14FF77F0000000000000000000006000000320000001E00000097900000060000000000000001042001000000001000000000000000D8ACC14FF77F0000000000000000000007000000460000001E00000098900000070000000000000001011001000000001100000000000000F8ACC14FF77F00000000000000000000FFFFFFFF640000001E0000009990000008000000000000000001100100000000060000000000000028ABC14FF77F0000000000000000000009000000040100001E0000008F9000000900000000000000010110010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000B000000010000000000000058AAC14FF77F0000000000000000000000000000D70000001E0000009E90000000000000FF0000000101500200000000120000000000000020ADC14FF77F00000000000000000000FFFFFFFF2D0000001E0000009B90000001000000000000000004200100000000140000000000000040ADC14FF77F00000000000000000000FFFFFFFF640000001E0000009D90000002000000000000000001100100000000130000000000000068ADC14FF77F00000000000000000000FFFFFFFF640000001E0000009C900000030000000000000000011001000000000300000000000000B0AAC14FF77F00000000000000000000FFFFFFFF640000001E0000008C90000004000000000000000102100000000000070000000000000050ABC14FF77F000000000000000000000500000049000000490000009090000005000000000000000104210000000000080000000000000080AAC14FF77F000000000000000000000600000049000000490000009190000006000000000000000104210000000000090000000000000070ABC14FF77F0000000000000000000007000000490000004900000092900000070000000000000001042108000000000A0000000000000088ABC14FF77F0000000000000000000008000000490000004900000093900000080000000000000001042108000000000B00000000000000A8ABC14FF77F0000000000000000000009000000490000004900000039A00000090000000000000001042109000000001C00000000000000C8ABC14FF77F000000000000000000000A00000064000000490000003AA000000A00000000000000000110090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000008000000010000000000000058AAC14FF77F0000000000000000000000000000C60000001E000000B090000000000000FF0000000101500200000000150000000000000088ADC14FF77F00000000000000000000FFFFFFFF6B0000001E000000B1900000010000000000000000042500000000001600000000000000B8ADC14FF77F00000000000000000000FFFFFFFF6B0000001E000000B2900000020000000000000000042500000000001800000000000000E0ADC14FF77F00000000000000000000FFFFFFFF6B0000001E000000B490000003000000000000000004250000000000170000000000000008AEC14FF77F00000000000000000000FFFFFFFF6B0000001E000000B390000004000000000000000004250000000000190000000000000040AEC14FF77F00000000000000000000FFFFFFFFA00000001E000000B5900000050000000000000000042001000000001A0000000000000070AEC14FF77F00000000000000000000FFFFFFFF7D0000001E000000B6900000060000000000000000042001000000001B00000000000000A0AEC14FF77F00000000000000000000FFFFFFFF7D0000001E000000B790000007000000000000000004200100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000DA00000000000000000000000000000000000000000000009D200000200000009100000064000000320000006400000050000000320000003200000028000000500000003C0000005000000050000000320000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003C00000050000000500000009700000032000000780000003200000050000000500000005000000050000000000000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F000000100000001100000012000000130000001400000015000000160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C00000000000000000000001F00000000000000B400000032000000D8000000640000006400000000000000000000000000000000000000000000000000000000000000000000000000000000000000DA000000000000000000000000000000000000009D200000200000009100000064000000320000009700000050000000320000003200000028000000500000003C000000500000005000000032000000500000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003C0000005000000064000000780000003200000078000000780000003200000050000000500000005000000050000000C8000000000000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F000000100000001100000012000000130000001400000015000000160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C0000002D0000002E0000002F00000000000000000000001F00000000000000B400000032000000D8000000640000006400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000002000000030000000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000
(PID) Process:	(6424) Taskmgr.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation:	delete value	Name:	Preferences
Value:
(PID) Process:	(6424) Taskmgr.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation:	write	Name:	Preferences
Value: 0D00000060000000600000006800000068000000E3010000DC010000000001000000008000000080D8010080DF010080000100016B000000340000007D0400008C020000E80300000000000000000000000000000F000000010000000000000058AAC733F67F00000000000000000000000000002E0100001E0000008990000000000000FF00000001015002000000000D0000000000000098AAC733F67F00000000000000000000FFFFFFFF960000001E0000008B900000010000000000000000101001000000000300000000000000B0AAC733F67F00000000000000000000FFFFFFFF780000001E0000008C900000020000000000000001021200000000000400000000000000C8AAC733F67F00000000000000000000FFFFFFFF960000001E0000008D900000030000000000000000011001000000000200000000000000E8AAC733F67F00000000000000000000FFFFFFFF320000001E0000008A90000004000000000000000008200100000000050000000000000000ABC733F67F00000000000000000000FFFFFFFFC80000001E0000008E90000005000000000000000001100100000000060000000000000028ABC733F67F00000000000000000000FFFFFFFF040100001E0000008F90000006000000000000000001100100000000070000000000000050ABC733F67F00000000000000000000FFFFFFFF49000000490000009090000007000000000000000004250000000000080000000000000080AAC733F67F00000000000000000000FFFFFFFF49000000490000009190000008000000000000000004250000000000090000000000000070ABC733F67F00000000000000000000FFFFFFFF490000004900000092900000090000000000000000042508000000000A0000000000000088ABC733F67F00000000000000000000FFFFFFFF4900000049000000939000000A0000000000000000042508000000000B00000000000000A8ABC733F67F00000000000000000000FFFFFFFF490000004900000039A000000B0000000000000000042509000000001C00000000000000C8ABC733F67F00000000000000000000FFFFFFFFC8000000490000003AA000000C0000000000000000011009000000001D00000000000000F0ABC733F67F00000000000000000000FFFFFFFF64000000490000004CA000000D0000000000000000021508000000001E0000000000000010ACC733F67F00000000000000000000FFFFFFFF64000000490000004DA000000E000000000000000002150800000000030000000A000000010000000000000058AAC733F67F0000000000000000000000000000D70000001E0000008990000000000000FF00000001015002000000000400000000000000C8AAC733F67F0000000000000000000001000000960000001E0000008D900000010000000000000001011000000000000300000000000000B0AAC733F67F00000000000000000000FFFFFFFF640000001E0000008C900000020000000000000000021000000000000C0000000000000040ACC733F67F0000000000000000000003000000640000001E00000094900000030000000000000001021000000000000D0000000000000068ACC733F67F00000000000000000000FFFFFFFF640000001E00000095900000040000000000000000011001000000000E0000000000000090ACC733F67F0000000000000000000005000000320000001E00000096900000050000000000000001042001000000000F00000000000000B8ACC733F67F0000000000000000000006000000320000001E00000097900000060000000000000001042001000000001000000000000000D8ACC733F67F0000000000000000000007000000460000001E00000098900000070000000000000001011001000000001100000000000000F8ACC733F67F00000000000000000000FFFFFFFF640000001E0000009990000008000000000000000001100100000000060000000000000028ABC733F67F0000000000000000000009000000040100001E0000008F9000000900000000000000010110010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000B000000010000000000000058AAC733F67F0000000000000000000000000000D70000001E0000009E90000000000000FF0000000101500200000000120000000000000020ADC733F67F00000000000000000000FFFFFFFF2D0000001E0000009B90000001000000000000000004200100000000140000000000000040ADC733F67F00000000000000000000FFFFFFFF640000001E0000009D90000002000000000000000001100100000000130000000000000068ADC733F67F00000000000000000000FFFFFFFF640000001E0000009C900000030000000000000000011001000000000300000000000000B0AAC733F67F00000000000000000000FFFFFFFF640000001E0000008C90000004000000000000000102100000000000070000000000000050ABC733F67F000000000000000000000500000049000000490000009090000005000000000000000104210000000000080000000000000080AAC733F67F000000000000000000000600000049000000490000009190000006000000000000000104210000000000090000000000000070ABC733F67F0000000000000000000007000000490000004900000092900000070000000000000001042108000000000A0000000000000088ABC733F67F0000000000000000000008000000490000004900000093900000080000000000000001042108000000000B00000000000000A8ABC733F67F0000000000000000000009000000490000004900000039A00000090000000000000001042109000000001C00000000000000C8ABC733F67F000000000000000000000A00000064000000490000003AA000000A00000000000000000110090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000008000000010000000000000058AAC733F67F0000000000000000000000000000C60000001E000000B090000000000000FF0000000101500200000000150000000000000088ADC733F67F00000000000000000000FFFFFFFF6B0000001E000000B1900000010000000000000000042500000000001600000000000000B8ADC733F67F00000000000000000000FFFFFFFF6B0000001E000000B2900000020000000000000000042500000000001800000000000000E0ADC733F67F00000000000000000000FFFFFFFF6B0000001E000000B490000003000000000000000004250000000000170000000000000008AEC733F67F00000000000000000000FFFFFFFF6B0000001E000000B390000004000000000000000004250000000000190000000000000040AEC733F67F00000000000000000000FFFFFFFFA00000001E000000B5900000050000000000000000042001000000001A0000000000000070AEC733F67F00000000000000000000FFFFFFFF7D0000001E000000B6900000060000000000000000042001000000001B00000000000000A0AEC733F67F00000000000000000000FFFFFFFF7D0000001E000000B790000007000000000000000004200100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000DA00000000000000000000000000000000000000000000009D200000200000009100000064000000320000006400000050000000320000003200000028000000500000003C0000005000000050000000320000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003C00000050000000500000009700000032000000780000003200000050000000500000005000000050000000000000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F000000100000001100000012000000130000001400000015000000160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C00000000000000000000001F00000000000000B400000032000000D8000000640000006400000000000000000000000000000000000000000000000000000000000000000000000000000000000000DA000000000000000000000000000000000000009D200000200000009100000064000000320000009700000050000000320000003200000028000000500000003C000000500000005000000032000000500000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003C0000005000000064000000780000003200000078000000780000003200000050000000500000005000000050000000C8000000000000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F000000100000001100000012000000130000001400000015000000160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C0000002D0000002E0000002F00000000000000000000001F00000000000000B400000032000000D8000000640000006400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000002000000030000000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000
(PID) Process:	(4836) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(4836) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(4836) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(4836) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(4836) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: 0871874E2F802F00

Add for printing

Executable files

Suspicious files

786

Text files

171

Unknown types

Dropped files

PID	Process	Filename		Type
7068	Sеtup[1].exe	C:\Users\admin\AppData\Local\Temp\service123.exe		—
		MD5:—	SHA256:—
7068	Sеtup[1].exe	C:\Users\admin\AppData\Local\Temp\mIdfrbQqhwRAaUGgUzvu.dll		—
		MD5:—	SHA256:—
2924	PLUGScheduler.exe	C:\ProgramData\PLUG\Logs\RUXIMLog.036.etl		etl
		MD5:FA358BFEE9B4E1FFB7394D13CBBC4898	SHA256:6FF97BBF8A56286A4C71623829514CC14B7F8CBBCF09748D939F733968478A22
2924	PLUGScheduler.exe	C:\ProgramData\PLUG\Logs\RUXIMLog.015.etl		etl
		MD5:B787593A02A4E0A601164A65952D0CB9	SHA256:3594AD496D8E1771BCC3E8B6F68B4C2B4190A9A331FB43F068A7DF4E1894E2CF
4068	Taskmgr.exe	C:\Users\admin\AppData\Local\D3DSCache\3534848bb9f4cb71\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock		text
		MD5:F49655F856ACB8884CC0ACE29216F511	SHA256:7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
2924	PLUGScheduler.exe	C:\ProgramData\PLUG\Logs\RUXIMLog.034.etl		etl
		MD5:673727AF7C6805E869C9F8BE1E468F4A	SHA256:6B16B7DE97F397BCEC36EB3F18C7B64CD3DB6D2974DDF319A251CE27B80D837B
2924	PLUGScheduler.exe	C:\ProgramData\PLUG\Logs\RUXIMLog.033.etl		etl
		MD5:079890A8EC8D5CB6523FCEC2209780AA	SHA256:0E12D2D76DD738CE196BED522E35F75E2CC91294F78CDDCBE8CE7787AAA70049
2924	PLUGScheduler.exe	C:\ProgramData\PLUG\Logs\RUXIMLog.016.etl		etl
		MD5:F9485F2BA891697F8B6CF8FB1E7F42C0	SHA256:69146D4AAEFB8609745B6CA780B48ABC66054AA3CDB8061248CF7B32F3B32617
2924	PLUGScheduler.exe	C:\ProgramData\PLUG\Logs\RUXIMLog.028.etl		etl
		MD5:C8834D365FAE073DEDE1F1620454CE71	SHA256:C6DD793EEE1D5551CA507A3C5BFFECA82DD3E29C63C2C6DD218A7D4BFB37046B
2924	PLUGScheduler.exe	C:\ProgramData\PLUG\Logs\RUXIMLog.032.etl		etl
		MD5:2F36C598EBFF5B5CDD898C9691D6BCCB	SHA256:8900C5931ED8E0D1B68082B45CF2F4E8C1025D36825508E0804C916D781B9F50

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

179

DNS requests

156

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3708	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7068	Sеtup[1].exe	POST	200	80.249.144.180:80	http://fivev5sb.top/v1/upload.php	unknown	—	—	unknown
7068	Sеtup[1].exe	POST	200	80.249.144.180:80	http://fivev5sb.top/v1/upload.php	unknown	—	—	unknown
7068	Sеtup[1].exe	POST	200	80.249.144.180:80	http://fivev5sb.top/v1/upload.php	unknown	—	—	unknown
5316	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5316	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
2508	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
2508	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1188	svchost.exe	GET	206	2.19.126.157:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/33525f64-900e-472b-82f7-b2841f9be572?P1=1726385722&P2=404&P3=2&P4=IoduhWFVq%2bMRCq1BVqDAVlQwzaxIIj5C3fg5Iqeqk%2fgQ5qDJX0vgGqzp5pNAoXpLczIH91DkebYPlX1D6Gd5Zw%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6248	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
3708	svchost.exe	20.190.160.22:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3708	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
3260	svchost.exe	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4324	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6248	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2	whitelisted
www.microsoft.com	88.221.169.152 184.30.21.171	whitelisted
google.com	216.58.206.78	whitelisted
login.live.com	20.190.160.22 20.190.160.20 40.126.32.138 40.126.32.68 40.126.32.136 40.126.32.140 20.190.160.17 40.126.32.76 40.126.32.134 20.190.160.14 40.126.32.133	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
fivev5sb.top	80.249.144.180	malicious
slscr.update.microsoft.com	40.127.169.103	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
7068	Sеtup[1].exe	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain
7068	Sеtup[1].exe	A Network Trojan was detected	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
7068	Sеtup[1].exe	A Network Trojan was detected	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
7068	Sеtup[1].exe	A Network Trojan was detected	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

Add for printing

No debug info

General Info

Sеtup[1].exe

45B55D1E5D2BF60CC572F541AE6FA7D1

2329F56147A299BCDBF20520E626CC8253E49A8D

039F5C692BA1C67C6E9B475738F40F4311E5E5625E4390D5E51685F6B4E548B8

49152:CwJiOl9WvzyDyVJw4uRlghHh57fyy8nsEHQwUUjtdAITeWMN2Fi6NTMJ4kpCMclV:PrQmBmCnr

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Connects to the CnC server

CRYPTBOT has been detected (SURICATA)

Uses Task Scheduler to run other applications

CRYPTBOT has been detected (YARA)

SUSPICIOUS

Searches for installed software

Reads security settings of Internet Explorer

The process executes via Task Scheduler

Found regular expressions for crypto-addresses (YARA)

INFO

Checks supported languages

Create files in a temporary directory

Manual execution by a user

Reads the computer name

Reads CPU info

Reads the machine GUID from the registry

Reads the software policy settings

Reads security settings of Internet Explorer

Process checks computer location settings

Creates files in the program directory

Reads Environment values

Application launched itself

The process uses the downloaded file

Malware configuration

CryptBot

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings