Malware analysis 1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe Malicious activity

Add for printing

File name:	1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe
Full analysis:	https://app.any.run/tasks/3d8fadba-a088-4158-acbd-422a2bca4f85
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 30, 2024, 05:18:05
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	amadey botnet stealer loader exfiltration risepro evasion redline meta metastealer opendir stealc
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	F70A70F653AE553A805FD21BC3092B13
SHA1:	095FF30ABDFDEAA91018556AB4EC92566AD708D4
SHA256:	1EC09530C1153453B1BD0989AF58808BC44E069C4608C878A64530BB08FA8840
SSDEEP:	98304:AFI5z1Mf0TjjgzB7J25XW3+5Q97hZacNw0XjAWvlgtQL1THbuUJyt6FuZJzIZf3H:Af

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe (PID: 3976)
  - explorha.exe (PID: 2108)
  - amert.exe (PID: 2480)
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - jbc_xRuJlF_oyVDuzrXe.exe (PID: 2656)
  - explorta.exe (PID: 3596)
  - chrosha.exe (PID: 4036)
  - jfesawdr.exe (PID: 5996)
  - work.exe (PID: 5288)
- AMADEY has been detected (SURICATA)
  - explorha.exe (PID: 2108)
  - rundll32.exe (PID: 2264)
  - rundll32.exe (PID: 3292)
  - explorta.exe (PID: 3596)
  - chrosha.exe (PID: 4036)
  - NewB.exe (PID: 4044)
- Connects to the CnC server
  - explorha.exe (PID: 2108)
  - rundll32.exe (PID: 2264)
  - rundll32.exe (PID: 3292)
  - explorta.exe (PID: 3596)
  - chrosha.exe (PID: 4036)
  - jok.exe (PID: 4116)
- Changes the autorun value in the registry
  - explorha.exe (PID: 2108)
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - explorta.exe (PID: 3596)
  - NewB.exe (PID: 4044)
- AMADEY has been detected (YARA)
  - explorha.exe (PID: 2108)
  - rundll32.exe (PID: 3292)
  - explorta.exe (PID: 3596)
  - chrosha.exe (PID: 4036)
  - NewB.exe (PID: 4044)
  - rundll32.exe (PID: 3172)
- Steals credentials from Web Browsers
  - rundll32.exe (PID: 2264)
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - rundll32.exe (PID: 5404)
  - jok.exe (PID: 4116)
- Actions looks like stealing of personal data
  - rundll32.exe (PID: 2264)
  - rundll32.exe (PID: 5404)
  - jok.exe (PID: 4116)
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
- Unusual connection from system programs
  - rundll32.exe (PID: 2264)
  - rundll32.exe (PID: 3292)
  - rundll32.exe (PID: 5404)
  - rundll32.exe (PID: 3172)
- RISEPRO has been detected (YARA)
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4396)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4332)
  - explorta.exe (PID: 5292)
- Uses Task Scheduler to autorun other applications
  - 300ab8057c.exe (PID: 588)
  - explorha.exe (PID: 1948)
- RISEPRO has been detected (SURICATA)
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4396)
  - explorta.exe (PID: 5292)
  - f94ac2d8d0.exe (PID: 2328)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4332)
- Steals credentials
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
- Create files in the Startup directory
  - 300ab8057c.exe (PID: 588)
- Amadey has been detected
  - NewB.exe (PID: 4044)
  - NewB.exe (PID: 2300)
  - NewB.exe (PID: 1200)
  - NewB.exe (PID: 4748)
  - NewB.exe (PID: 2008)
- METASTEALER has been detected (SURICATA)
  - jok.exe (PID: 4116)
- REDLINE has been detected (SURICATA)
  - jok.exe (PID: 4116)
- STEALC has been detected (YARA)
  - RegAsm.exe (PID: 3792)
- REDLINE has been detected (YARA)
  - alexxxxxxxx.exe (PID: 5072)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - 1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe (PID: 3976)
  - explorha.exe (PID: 2108)
  - 94905f6096.exe (PID: 560)
  - 300ab8057c.exe (PID: 588)
  - explorha.exe (PID: 1948)
  - jbc_xRuJlF_oyVDuzrXe.exe (PID: 2656)
  - explorta.exe (PID: 3596)
  - f94ac2d8d0.exe (PID: 4296)
  - amert.exe (PID: 4764)
  - chrosha.exe (PID: 4036)
  - NewB.exe (PID: 4044)
  - RegAsm.exe (PID: 3792)
  - work.exe (PID: 5288)
  - jfesawdr.exe (PID: 5996)
- Reads the Internet Settings
  - 1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe (PID: 3976)
  - explorha.exe (PID: 2108)
  - rundll32.exe (PID: 2264)
  - 94905f6096.exe (PID: 560)
  - rundll32.exe (PID: 3292)
  - 300ab8057c.exe (PID: 588)
  - explorha.exe (PID: 1948)
  - ZTcrQYvGsmVpkvACp4jl.exe (PID: 2720)
  - ZTcrQYvGsmVpkvACp4jl.exe (PID: 2808)
  - jbc_xRuJlF_oyVDuzrXe.exe (PID: 2656)
  - explorta.exe (PID: 3596)
  - f94ac2d8d0.exe (PID: 4296)
  - amert.exe (PID: 4764)
  - chrosha.exe (PID: 4036)
  - NewB.exe (PID: 4044)
  - RegAsm.exe (PID: 3792)
  - rundll32.exe (PID: 5404)
  - jfesawdr.exe (PID: 5996)
  - rundll32.exe (PID: 3172)
  - work.exe (PID: 5288)
- Executable content was dropped or overwritten
  - 1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe (PID: 3976)
  - explorha.exe (PID: 2108)
  - amert.exe (PID: 2480)
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - jbc_xRuJlF_oyVDuzrXe.exe (PID: 2656)
  - explorta.exe (PID: 3596)
  - chrosha.exe (PID: 4036)
  - jfesawdr.exe (PID: 5996)
  - work.exe (PID: 5288)
- Reads the BIOS version
  - 1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe (PID: 3976)
  - explorha.exe (PID: 2108)
  - 300ab8057c.exe (PID: 588)
  - explorha.exe (PID: 1948)
  - amert.exe (PID: 2480)
  - jbc_xRuJlF_oyVDuzrXe.exe (PID: 1344)
  - jbc_xRuJlF_oyVDuzrXe.exe (PID: 2656)
  - explorta.exe (PID: 3596)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4332)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4396)
  - explorta.exe (PID: 5292)
  - amert.exe (PID: 4764)
  - f94ac2d8d0.exe (PID: 2328)
  - chrosha.exe (PID: 4036)
- Starts itself from another location
  - 1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe (PID: 3976)
  - jbc_xRuJlF_oyVDuzrXe.exe (PID: 2656)
  - 300ab8057c.exe (PID: 588)
  - amert.exe (PID: 4764)
- Contacting a server suspected of hosting an CnC
  - explorha.exe (PID: 2108)
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - explorta.exe (PID: 3596)
  - explorta.exe (PID: 5292)
  - chrosha.exe (PID: 4036)
  - f94ac2d8d0.exe (PID: 2328)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4332)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4396)
  - NewB.exe (PID: 4044)
- Connects to the server without a host name
  - explorha.exe (PID: 2108)
  - rundll32.exe (PID: 3292)
  - chrosha.exe (PID: 4036)
  - explorta.exe (PID: 3596)
  - NewB.exe (PID: 4044)
- Process drops legitimate windows executable
  - explorha.exe (PID: 2108)
  - 300ab8057c.exe (PID: 588)
  - explorha.exe (PID: 1948)
  - explorta.exe (PID: 3596)
  - chrosha.exe (PID: 4036)
- Potential Corporate Privacy Violation
  - explorha.exe (PID: 2108)
  - 300ab8057c.exe (PID: 588)
  - explorha.exe (PID: 1948)
  - explorta.exe (PID: 3596)
  - chrosha.exe (PID: 4036)
- Process requests binary or script from the Internet
  - explorha.exe (PID: 2108)
  - chrosha.exe (PID: 4036)
- Starts a Microsoft application from unusual location
  - 300ab8057c.exe (PID: 588)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4396)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4332)
  - swiiiii.exe (PID: 3028)
- Uses RUNDLL32.EXE to load library
  - explorha.exe (PID: 2108)
  - chrosha.exe (PID: 4036)
- Application launched itself
  - explorha.exe (PID: 2108)
  - explorta.exe (PID: 3596)
- Loads DLL from Mozilla Firefox
  - rundll32.exe (PID: 2264)
  - rundll32.exe (PID: 5404)
- Creates file in the systems drive root
  - rundll32.exe (PID: 2264)
  - rundll32.exe (PID: 5404)
- Accesses Microsoft Outlook profiles
  - rundll32.exe (PID: 2264)
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - rundll32.exe (PID: 5404)
- Uses NETSH.EXE to obtain data on the network
  - rundll32.exe (PID: 2264)
  - rundll32.exe (PID: 5404)
- Starts POWERSHELL.EXE for commands execution
  - rundll32.exe (PID: 2264)
  - rundll32.exe (PID: 5404)
- The process connected to a server suspected of theft
  - rundll32.exe (PID: 2264)
- Gets file extension (POWERSHELL)
  - powershell.exe (PID: 2556)
  - powershell.exe (PID: 5920)
- Connects to unusual port
  - 300ab8057c.exe (PID: 588)
  - explorha.exe (PID: 1948)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4332)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4396)
  - explorta.exe (PID: 5292)
  - f94ac2d8d0.exe (PID: 2328)
  - jok.exe (PID: 4116)
- Reads settings of System Certificates
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - f94ac2d8d0.exe (PID: 2328)
  - explorta.exe (PID: 5292)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4332)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4396)
  - chrosha.exe (PID: 4036)
- Adds/modifies Windows certificates
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4332)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4396)
  - f94ac2d8d0.exe (PID: 2328)
- Checks for external IP
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4396)
  - explorta.exe (PID: 5292)
  - f94ac2d8d0.exe (PID: 2328)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4332)
- Device Retrieving External IP Address Detected
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4396)
  - explorta.exe (PID: 5292)
  - f94ac2d8d0.exe (PID: 2328)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4332)
- Reads browser cookies
  - explorha.exe (PID: 1948)
  - jok.exe (PID: 4116)
- Searches for installed software
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - jok.exe (PID: 4116)
  - RegAsm.exe (PID: 3792)
- Windows Defender mutex has been found
  - RegAsm.exe (PID: 3792)
- Checks Windows Trust Settings
  - chrosha.exe (PID: 4036)
- Starts CMD.EXE for commands execution
  - jfesawdr.exe (PID: 5996)
- The executable file from the user directory is run by the CMD process
  - work.exe (PID: 5288)
- Executing commands from a ".bat" file
  - jfesawdr.exe (PID: 5996)
- The process executes via Task Scheduler
  - NewB.exe (PID: 2300)
  - NewB.exe (PID: 1200)
  - NewB.exe (PID: 4748)
  - NewB.exe (PID: 2008)
INFO
- Reads the computer name
  - 1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe (PID: 3976)
  - explorha.exe (PID: 2108)
  - wmpnscfg.exe (PID: 1652)
  - amert.exe (PID: 2480)
  - 94905f6096.exe (PID: 560)
  - 300ab8057c.exe (PID: 588)
  - explorha.exe (PID: 1948)
  - ZTcrQYvGsmVpkvACp4jl.exe (PID: 2808)
  - ZTcrQYvGsmVpkvACp4jl.exe (PID: 2720)
  - jbc_xRuJlF_oyVDuzrXe.exe (PID: 2656)
  - explorta.exe (PID: 3596)
  - f94ac2d8d0.exe (PID: 4296)
  - amert.exe (PID: 4764)
  - chrosha.exe (PID: 4036)
  - swiiiii.exe (PID: 3028)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4332)
  - explorta.exe (PID: 5292)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4396)
  - f94ac2d8d0.exe (PID: 2328)
  - jok.exe (PID: 4116)
  - NewB.exe (PID: 4044)
  - swiiii.exe (PID: 4280)
  - RegAsm.exe (PID: 3792)
  - jfesawdr.exe (PID: 5996)
  - work.exe (PID: 5288)
- Checks supported languages
  - 1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe (PID: 3976)
  - explorha.exe (PID: 2108)
  - wmpnscfg.exe (PID: 1652)
  - 300ab8057c.exe (PID: 588)
  - explorha.exe (PID: 1948)
  - amert.exe (PID: 2480)
  - 94905f6096.exe (PID: 560)
  - jbc_xRuJlF_oyVDuzrXe.exe (PID: 1344)
  - jbc_xRuJlF_oyVDuzrXe.exe (PID: 2656)
  - ZTcrQYvGsmVpkvACp4jl.exe (PID: 2720)
  - ZTcrQYvGsmVpkvACp4jl.exe (PID: 2808)
  - explorta.exe (PID: 3596)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4332)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4396)
  - amert.exe (PID: 4764)
  - f94ac2d8d0.exe (PID: 4296)
  - explorta.exe (PID: 5292)
  - f94ac2d8d0.exe (PID: 2328)
  - swiiiii.exe (PID: 3028)
  - chrosha.exe (PID: 4036)
  - gold.exe (PID: 4060)
  - NewB.exe (PID: 4044)
  - jok.exe (PID: 4116)
  - alexxxxxxxx.exe (PID: 5072)
  - RegAsm.exe (PID: 3792)
  - swiiii.exe (PID: 4280)
  - jfesawdr.exe (PID: 5996)
  - work.exe (PID: 5288)
  - podaw.exe (PID: 4980)
  - NewB.exe (PID: 2300)
  - NewB.exe (PID: 1200)
  - NewB.exe (PID: 4748)
  - NewB.exe (PID: 2008)
- Create files in a temporary directory
  - 1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe (PID: 3976)
  - explorha.exe (PID: 2108)
  - amert.exe (PID: 2480)
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - jbc_xRuJlF_oyVDuzrXe.exe (PID: 2656)
  - explorta.exe (PID: 3596)
  - chrosha.exe (PID: 4036)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4332)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4396)
  - explorta.exe (PID: 5292)
  - f94ac2d8d0.exe (PID: 2328)
  - jfesawdr.exe (PID: 5996)
  - work.exe (PID: 5288)
- Reads the machine GUID from the registry
  - 1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe (PID: 3976)
  - explorha.exe (PID: 2108)
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - jbc_xRuJlF_oyVDuzrXe.exe (PID: 2656)
  - explorta.exe (PID: 3596)
  - chrosha.exe (PID: 4036)
  - swiiiii.exe (PID: 3028)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4396)
  - f94ac2d8d0.exe (PID: 2328)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4332)
  - explorta.exe (PID: 5292)
  - NewB.exe (PID: 4044)
  - RegAsm.exe (PID: 3792)
  - jok.exe (PID: 4116)
- Checks proxy server information
  - explorha.exe (PID: 2108)
  - rundll32.exe (PID: 2264)
  - rundll32.exe (PID: 3292)
  - 300ab8057c.exe (PID: 588)
  - explorha.exe (PID: 1948)
  - explorta.exe (PID: 3596)
  - chrosha.exe (PID: 4036)
  - NewB.exe (PID: 4044)
  - RegAsm.exe (PID: 3792)
  - rundll32.exe (PID: 5404)
  - rundll32.exe (PID: 3172)
- Creates files or folders in the user directory
  - explorha.exe (PID: 2108)
  - 300ab8057c.exe (PID: 588)
  - explorha.exe (PID: 1948)
  - explorta.exe (PID: 3596)
  - chrosha.exe (PID: 4036)
  - jok.exe (PID: 4116)
- Manual execution by a user
  - wmpnscfg.exe (PID: 1652)
- Reads security settings of Internet Explorer
  - rundll32.exe (PID: 2264)
  - rundll32.exe (PID: 3292)
  - rundll32.exe (PID: 5404)
  - rundll32.exe (PID: 3172)
- Checks whether the specified file exists (POWERSHELL)
  - powershell.exe (PID: 2556)
  - powershell.exe (PID: 2556)
  - powershell.exe (PID: 5920)
  - powershell.exe (PID: 5920)
- Reads mouse settings
  - 94905f6096.exe (PID: 560)
  - ZTcrQYvGsmVpkvACp4jl.exe (PID: 2808)
  - ZTcrQYvGsmVpkvACp4jl.exe (PID: 2720)
  - f94ac2d8d0.exe (PID: 4296)
- Application launched itself
  - chrome.exe (PID: 2560)
  - msedge.exe (PID: 3268)
  - msedge.exe (PID: 3512)
  - msedge.exe (PID: 3456)
  - msedge.exe (PID: 3808)
  - msedge.exe (PID: 3424)
  - msedge.exe (PID: 3804)
  - chrome.exe (PID: 4984)
- Gets data length (POWERSHELL)
  - powershell.exe (PID: 2556)
  - powershell.exe (PID: 5920)
- The process uses the downloaded file
  - chrome.exe (PID: 3816)
  - chrome.exe (PID: 3668)
- Creates files in the program directory
  - 300ab8057c.exe (PID: 588)
  - explorha.exe (PID: 1948)
- Reads the software policy settings
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4396)
  - EkrCKh6jkOxFy8shKCxn.exe (PID: 4332)
  - f94ac2d8d0.exe (PID: 2328)
  - explorta.exe (PID: 5292)
  - chrosha.exe (PID: 4036)
- Reads product name
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - jok.exe (PID: 4116)
  - RegAsm.exe (PID: 3792)
- Reads Environment values
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - jok.exe (PID: 4116)
  - RegAsm.exe (PID: 3792)
- Reads CPU info
  - explorha.exe (PID: 1948)
  - 300ab8057c.exe (PID: 588)
  - RegAsm.exe (PID: 3792)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Amadey

(PID) Process(2108) explorha.exe

C2193.233.132.56

URLhttp://193.233.132.56/Pneh2sXQk0/index.php

Version4.18

Options

Drop directory09fd851a4f

Drop nameexplorha.exe

Strings (113)------

Norton

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

un:

Programs

2019

cred.dll|clip.dll|

rundll32

0123456789

" && ren

ESET

CurrentBuild

AVG

" Content-Type: application/octet-stream

360TotalSecurity

-%lu

lv:

&& Exit"

09fd851a4f

vs:

"taskkill /f /im "

<d>

\App

Sophos

ProgramData\

/Plugins/

st=s

+++

kernel32.dll

Main

Rem

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

abcdefghijklmnopqrstuvwxyz0123456789-_

/Pneh2sXQk0/index.php

.jpg

ps1

%-lu

exe

Content-Type: multipart/form-data; boundary=----

sd:

%USERPROFILE%

VideoID

AVAST Software

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

?scr=1

Doctor Web

av:

SOFTWARE\Microsoft\Windows NT\CurrentVersion

" && timeout 1 && del

ar:

------

2022

shutdown -s -t 0

4.18

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

:::

193.233.132.56

S-%lu-

DefaultSettings.YResolution

explorha.exe

shell32.dll

Content-Type: application/x-www-form-urlencoded

ProductName

Content-Disposition: form-data; name="data"; filename="

pc:

2016

dll

Startup

-executionpolicy remotesigned -File "

GET

Comodo

dm:

Kaspersky Lab

Panda Security

<c>

-unicode-

cmd /C RMDIR /s/q

rundll32.exe

Bitdefender

&unit=

https://

cmd

bi:

\0000

Avira

WinDefender

SYSTEM\ControlSet001\Services\BasicDisplay\Video

random

og:

http://

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

os:

POST

id:

Powershell.exe

DefaultSettings.XResolution

GetNativeSystemInfo

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

ComputerName

(PID) Process(3292) rundll32.exe

C2193.233.132.56

Strings (2)/Pneh2sXQk0/index.php

193.233.132.56

(PID) Process(3596) explorta.exe

C2193.233.132.139

URLhttp://193.233.132.139/sev56rkm/index.php

Version4.20

Options

Drop directory5454e6f062

Drop nameexplorta.exe

Strings (113)explorta.exe

------

Norton

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

un:

Programs

193.233.132.139

2019

cred.dll|clip.dll|

rundll32

0123456789

" && ren

ESET

CurrentBuild

AVG

" Content-Type: application/octet-stream

360TotalSecurity

-%lu

lv:

&& Exit"

vs:

"taskkill /f /im "

<d>

\App

/sev56rkm/index.php

Sophos

ProgramData\

/Plugins/

st=s

+++

kernel32.dll

5454e6f062

Rem

Main

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

abcdefghijklmnopqrstuvwxyz0123456789-_

.jpg

ps1

%-lu

exe

Content-Type: multipart/form-data; boundary=----

sd:

%USERPROFILE%

VideoID

4.20

AVAST Software

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

?scr=1

Doctor Web

av:

SOFTWARE\Microsoft\Windows NT\CurrentVersion

" && timeout 1 && del

ar:

------

2022

shutdown -s -t 0

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

:::

S-%lu-

DefaultSettings.YResolution

shell32.dll

Content-Type: application/x-www-form-urlencoded

ProductName

Content-Disposition: form-data; name="data"; filename="

pc:

2016

dll

Startup

-executionpolicy remotesigned -File "

GET

Comodo

dm:

Kaspersky Lab

Panda Security

<c>

-unicode-

cmd /C RMDIR /s/q

rundll32.exe

Bitdefender

&unit=

https://

cmd

bi:

\0000

Avira

WinDefender

SYSTEM\ControlSet001\Services\BasicDisplay\Video

random

og:

http://

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

os:

POST

id:

Powershell.exe

DefaultSettings.XResolution

GetNativeSystemInfo

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

ComputerName

(PID) Process(4036) chrosha.exe

C2193.233.132.167

URLhttp://193.233.132.167/enigma/index.php

Version4.17

Options

Drop directory4d0ab15804

Drop namechrosha.exe

Strings (112)------

Norton

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

un:

Programs

2019

cred.dll|clip.dll|

rundll32

0123456789

" && ren

ESET

CurrentBuild

AVG

" Content-Type: application/octet-stream

360TotalSecurity

-%lu

lv:

&& Exit"

vs:

"taskkill /f /im "

<d>

\App

Sophos

ProgramData\

/Plugins/

st=s

+++

kernel32.dll

Main

Rem

chrosha.exe

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

abcdefghijklmnopqrstuvwxyz0123456789-_

.jpg

ps1

%-lu

exe

Content-Type: multipart/form-data; boundary=----

sd:

%USERPROFILE%

/enigma/index.php

VideoID

AVAST Software

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

?scr=1

Doctor Web

av:

SOFTWARE\Microsoft\Windows NT\CurrentVersion

" && timeout 1 && del

ar:

------

2022

shutdown -s -t 0

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

:::

S-%lu-

DefaultSettings.YResolution

shell32.dll

Content-Type: application/x-www-form-urlencoded

ProductName

Content-Disposition: form-data; name="data"; filename="

pc:

2016

4d0ab15804

dll

Startup

-executionpolicy remotesigned -File "

GET

Comodo

dm:

Kaspersky Lab

Panda Security

<c>

-unicode-

cmd /C RMDIR /s/q

rundll32.exe

Bitdefender

&unit=

https://

cmd

bi:

\0000

Avira

WinDefender

SYSTEM\ControlSet001\Services\BasicDisplay\Video

og:

http://

193.233.132.167

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

os:

POST

id:

4.17

Powershell.exe

DefaultSettings.XResolution

GetNativeSystemInfo

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

ComputerName

(PID) Process(4044) NewB.exe

C2185.172.128.19

URLhttp://185.172.128.19/ghsdh39s/index.php

Version4.12

Options

Drop directorycd1f156d67

Drop nameUtsysc.exe

Strings (126)------

Norton

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

un:

Programs

2019

cred.dll|clip.dll|

rundll32

0123456789

" && ren

ESET

CurrentBuild

AVG

" Content-Type: application/octet-stream

360TotalSecurity

-%lu

Utsysc.exe

lv:

&& Exit"

" /F

vs:

"taskkill /f /im "

<d>

\App

Sophos

ProgramData\

/Plugins/

..\

st=s

/Delete /TN "

+++

/ghsdh39s/index.php

kernel32.dll

echo Y|CACLS "

Main

Rem

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

abcdefghijklmnopqrstuvwxyz0123456789-_

.jpg

ps1

%-lu

exe

Content-Type: multipart/form-data; boundary=----

sd:

%USERPROFILE%

VideoID

185.172.128.19

/Create /SC MINUTE /MO 1 /TN

AVAST Software

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

?scr=1

Doctor Web

av:

SOFTWARE\Microsoft\Windows NT\CurrentVersion

" && timeout 1 && del

ar:

------

2022

/TR "

SCHTASKS

shutdown -s -t 0

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

:::

S-%lu-

DefaultSettings.YResolution

:N"

shell32.dll

Content-Type: application/x-www-form-urlencoded

ProductName

pc:

Content-Disposition: form-data; name="data"; filename="

2016

dll

Startup

-executionpolicy remotesigned -File "

GET

Comodo

dm:

Kaspersky Lab

Panda Security

<c>

-unicode-

cmd /C RMDIR /s/q

rundll32.exe

Bitdefender

&unit=

https://

cmd

4.12

" /P "

bi:

\0000

Avira

WinDefender

SYSTEM\ControlSet001\Services\BasicDisplay\Video

:F" /E

og:

http://

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

os:

POST

id:

&&Exit

Powershell.exe

DefaultSettings.XResolution

CACLS "

cd1f156d67

:R" /E

GetNativeSystemInfo

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

ComputerName

(PID) Process(3172) rundll32.exe

C2193.233.132.167

Strings (2)/enigma/index.php

193.233.132.167

Stealc

(PID) Process(3792) RegAsm.exe

C252.143.157.84

Strings (351)INSERT_KEY_HERE

GetProcAddress

LoadLibraryA

lstrcatA

OpenEventA

CreateEventA

CloseHandle

Sleep

GetUserDefaultLangID

VirtualAllocExNuma

VirtualFree

GetSystemInfo

VirtualAlloc

HeapAlloc

GetComputerNameA

lstrcpyA

GetProcessHeap

GetCurrentProcess

lstrlenA

ExitProcess

GlobalMemoryStatusEx

GetSystemTime

SystemTimeToFileTime

advapi32.dll

gdi32.dll

user32.dll

crypt32.dll

ntdll.dll

GetUserNameA

CreateDCA

GetDeviceCaps

ReleaseDC

CryptStringToBinaryA

sscanf

VMwareVMware

HAL9TH

JohnDoe

DISPLAY

%hu/%hu/%hu

http://52.143.157.84

/c73eed764cc59dcb.php

/84bad7132df89fd7/

pisun

GetEnvironmentVariableA

GetFileAttributesA

GlobalLock

HeapFree

GetFileSize

GlobalSize

CreateToolhelp32Snapshot

IsWow64Process

Process32Next

GetLocalTime

FreeLibrary

GetTimeZoneInformation

GetSystemPowerStatus

GetVolumeInformationA

GetWindowsDirectoryA

Process32First

GetLocaleInfoA

GetUserDefaultLocaleName

GetModuleFileNameA

DeleteFileA

FindNextFileA

LocalFree

FindClose

SetEnvironmentVariableA

LocalAlloc

GetFileSizeEx

ReadFile

SetFilePointer

WriteFile

CreateFileA

FindFirstFileA

CopyFileA

VirtualProtect

GetLogicalProcessorInformationEx

GetLastError

lstrcpynA

MultiByteToWideChar

GlobalFree

WideCharToMultiByte

GlobalAlloc

OpenProcess

TerminateProcess

GetCurrentProcessId

gdiplus.dll

ole32.dll

bcrypt.dll

wininet.dll

shlwapi.dll

shell32.dll

psapi.dll

rstrtmgr.dll

CreateCompatibleBitmap

SelectObject

BitBlt

DeleteObject

CreateCompatibleDC

GdipGetImageEncodersSize

GdipGetImageEncoders

GdipCreateBitmapFromHBITMAP

GdiplusStartup

GdiplusShutdown

GdipSaveImageToStream

GdipDisposeImage

GdipFree

GetHGlobalFromStream

CreateStreamOnHGlobal

CoUninitialize

CoInitialize

CoCreateInstance

BCryptGenerateSymmetricKey

BCryptCloseAlgorithmProvider

BCryptDecrypt

BCryptSetProperty

BCryptDestroyKey

BCryptOpenAlgorithmProvider

GetWindowRect

GetDesktopWindow

GetDC

CloseWindow

wsprintfA

EnumDisplayDevicesA

GetKeyboardLayoutList

CharToOemW

wsprintfW

RegQueryValueExA

RegEnumKeyExA

RegOpenKeyExA

RegCloseKey

RegEnumValueA

CryptBinaryToStringA

CryptUnprotectData

SHGetFolderPathA

ShellExecuteExA

InternetOpenUrlA

InternetConnectA

InternetCloseHandle

InternetOpenA

HttpSendRequestA

HttpOpenRequestA

InternetReadFile

InternetCrackUrlA

StrCmpCA

StrStrA

StrCmpCW

PathMatchSpecA

GetModuleFileNameExA

RmStartSession

RmRegisterResources

RmGetList

RmEndSession

sqlite3_open

sqlite3_prepare_v2

sqlite3_step

sqlite3_column_text

sqlite3_finalize

sqlite3_close

sqlite3_column_bytes

sqlite3_column_blob

encrypted_key

PATH

C:\ProgramData\nss3.dll

NSS_Init

NSS_Shutdown

PK11_GetInternalKeySlot

PK11_FreeSlot

PK11_Authenticate

PK11SDR_Decrypt

C:\ProgramData\

SELECT origin_url, username_value, password_value FROM logins

browser:

profile:

url:

password:

Opera

OperaGX

Network

.txt

SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies

TRUE

FALSE

autofill

SELECT name, value FROM autofill

history

SELECT url FROM urls LIMIT 1000

SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards

name:

month:

year:

card:

Web Data

History

logins.json

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

guid

SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies

SELECT fieldname, value FROM moz_formhistory

SELECT url FROM moz_places LIMIT 1000

cookies.sqlite

formhistory.sqlite

places.sqlite

plugins

Local Extension Settings

Sync Extension Settings

IndexedDB

Opera Stable

Opera GX Stable

CURRENT

chrome-extension_

_0.indexeddb.leveldb

Local State

profiles.ini

chrome

opera

firefox

wallets

%08lX%04lX%lu

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductName

x32

x64

%d/%d/%d %d:%d:%d

HARDWARE\DESCRIPTION\System\CentralProcessor\0

ProcessorNameString

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

DisplayName

DisplayVersion

Network Info:

- IP: IP?

- Country: ISO?

System Summary:

- HWID:

- OS:

- Architecture:

- UserName:

- Computer Name:

- Local Time:

- UTC:

- Language:

- Keyboards:

- Laptop:

- Running Path:

- CPU:

- Threads:

- Cores:

- RAM:

- Display Resolution:

- GPU:

User Agents:

Installed Apps:

All Users:

Current User:

Process List:

system_info.txt

freebl3.dll

mozglue.dll

msvcp140.dll

nss3.dll

softokn3.dll

vcruntime140.dll

\Temp\

.exe

runas

open

/c start

%DESKTOP%

%APPDATA%

%LOCALAPPDATA%

%USERPROFILE%

%DOCUMENTS%

%PROGRAMFILES%

%PROGRAMFILES_86%

%RECENT%

*.lnk

files

\discord\

\Local Storage\leveldb\CURRENT

\Local Storage\leveldb

\Telegram Desktop\

key_datas

D877F783D5D3EF8C*

map*

A7FDF864FBC10B77*

A92DAA6EA6F891F2*

F8806DD0C461824F*

Tox

*.tox

*.ini

Password

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\

00000001

00000002

00000003

00000004

\Outlook\accounts.txt

Pidgin

\.purple\

accounts.xml

dQw4w9WgXcQ

token:

Software\Valve\Steam

SteamPath

\config\

ssfn*

config.vdf

DialogConfig.vdf

DialogConfigOverlay*.vdf

libraryfolders.vdf

loginusers.vdf

\Steam\

sqlite3.dll

browsers

done

soft

\Discord\tokens.txt

/c timeout /t 5 & del /f /q "

" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\system32\cmd.exe

https

Content-Type: multipart/form-data; boundary=----

POST

HTTP/1.1

Content-Disposition: form-data; name="

hwid

build

token

file_name

file

message

ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890

screenshot.jpg

RedLine

(PID) Process(5072) alexxxxxxxx.exe

C2 (1)185.172.128.33:8970

Botnet@CLOUDYTTEAM

Options

ErrorMessage

Keys

XorHeartlets

No Malware configuration.

Add for printing

TRiD

.dll	\|	Win32 Dynamic Link Library (generic) (43.5)
.exe	\|	Win32 Executable (generic) (29.8)
.exe	\|	Generic Win/DOS Executable (13.2)
.exe	\|	DOS Executable Generic (13.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:03:03 06:02:23+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.24
CodeSize:	329216
InitializedDataSize:	108032
UninitializedDataSize:	-
EntryPoint:	0x32d000
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

176

Monitored processes

111

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

560

"C:\Users\admin\1000062002\94905f6096.exe"

C:\Users\admin\1000062002\94905f6096.exe

—

explorha.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\1000062002\94905f6096.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll

588

"C:\Users\admin\AppData\Local\Temp\1000056001\300ab8057c.exe"

C:\Users\admin\AppData\Local\Temp\1000056001\300ab8057c.exe

explorha.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

CrossDeviceSettingsHost.exe

Exit code:

Version:

0.24032.58.0

Modules

Images
c:\users\admin\appdata\local\temp\1000056001\300ab8057c.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

948

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=1552 --field-trial-handle=1104,i,9890173630396074907,2735642200966965143,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

4294967295

Version:

109.0.5414.120

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1060

schtasks /create /f /RU "admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\System32\schtasks.exe

—

300ab8057c.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

1200

C:\Users\admin\AppData\Local\Temp\1000150001\NewB.exe

—

taskeng.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\1000150001\newb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

1344

"C:\Users\admin\AppData\Local\Temp\spanv5lkkXKbcFyq\jbc_xRuJlF_oyVDuzrXe.exe"

C:\Users\admin\AppData\Local\Temp\spanv5lkkXKbcFyq\jbc_xRuJlF_oyVDuzrXe.exe

300ab8057c.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\spanv5lkkxkbcfyq\jbc_xrujlf_oyvduzrxe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

1576

schtasks /create /f /RU "admin" /tr "C:\ProgramData\MSIUpdaterV131_999e43077df71fdfc52bd5232a22cf9d\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_999e43077df71fdfc52bd5232a22cf9d LG" /sc ONLOGON /rl HIGHEST

C:\Windows\System32\schtasks.exe

—

explorha.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

1652

"C:\Program Files\Windows Media Player\wmpnscfg.exe"

C:\Program Files\Windows Media Player\wmpnscfg.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Media Player Network Sharing Service Configuration Application

Exit code:

Version:

12.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1948

"C:\Users\admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Users\admin\AppData\Local\Temp\09fd851a4f\explorha.exe

explorha.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\09fd851a4f\explorha.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

2008

C:\Users\admin\AppData\Local\Temp\1000150001\NewB.exe

—

taskeng.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\1000150001\newb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

Add for printing

Total events

94 351

Read events

93 288

Write events

851

Delete events

212

Modification events


(PID) Process:	(3976) 1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3976) 1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3976) 1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3976) 1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2108) explorha.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2108) explorha.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2108) explorha.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2108) explorha.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2108) explorha.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	delete value	Name:	ProxyServer
Value:
(PID) Process:	(2108) explorha.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	delete value	Name:	ProxyOverride
Value:

Add for printing

Executable files

Suspicious files

198

Text files

Unknown types

109

Dropped files

PID	Process	Filename		Type
2108	explorha.exe	C:\Users\admin\AppData\Local\Temp\1000056001\300ab8057c.exe		—
		MD5:—	SHA256:—
2560	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF10959b.TMP		—
		MD5:—	SHA256:—
2560	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
2108	explorha.exe	C:\Users\admin\1000062002\94905f6096.exe		executable
		MD5:16EF58799E98E0ADD3B504DA264354AE	SHA256:AEBC423D1511A0FCB868AAD7134343B9D991274F5BF75A6D6010480B13850310
2108	explorha.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\amert[1].exe		executable
		MD5:FDB5D35B4DAF6D8406FB18B893427C6D	SHA256:690595177F8C0B812A0A0FBB040DE6A71EEF9C3374DCFD1FD6212C9DF510215F
2108	explorha.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\random[1].exe		executable
		MD5:16EF58799E98E0ADD3B504DA264354AE	SHA256:AEBC423D1511A0FCB868AAD7134343B9D991274F5BF75A6D6010480B13850310
3976	1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe	C:\Users\admin\AppData\Local\Temp\09fd851a4f\explorha.exe		executable
		MD5:F70A70F653AE553A805FD21BC3092B13	SHA256:1EC09530C1153453B1BD0989AF58808BC44E069C4608C878A64530BB08FA8840
2556	powershell.exe	C:\Users\admin\AppData\Local\Temp\ait0hlbi.dyt.psm1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
3976	1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe	C:\Windows\Tasks\explorha.job		binary
		MD5:D05BDD5E91573ADAEA70057FCC14D470	SHA256:3297B05525AB4592D4AB1BF16C3B8FD9E13641A8D298E6EEDF8A3EC1A7A2FB3D
2108	explorha.exe	C:\Users\admin\AppData\Local\Temp\1000059001\amert.exe		executable
		MD5:FDB5D35B4DAF6D8406FB18B893427C6D	SHA256:690595177F8C0B812A0A0FBB040DE6A71EEF9C3374DCFD1FD6212C9DF510215F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

137

DNS requests

Threats

221

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2108	explorha.exe	POST	200	193.233.132.56:80	http://193.233.132.56/Pneh2sXQk0/index.php	unknown	—	—	unknown
2108	explorha.exe	POST	200	193.233.132.56:80	http://193.233.132.56/Pneh2sXQk0/index.php	unknown	—	—	unknown
2108	explorha.exe	GET	200	193.233.132.167:80	http://193.233.132.167/cost/random.exe	unknown	—	—	unknown
2108	explorha.exe	POST	200	193.233.132.56:80	http://193.233.132.56/Pneh2sXQk0/index.php	unknown	—	—	unknown
2108	explorha.exe	GET	200	193.233.132.167:80	http://193.233.132.167/cost/sarra.exe	unknown	—	—	unknown
2108	explorha.exe	GET	200	193.233.132.167:80	http://193.233.132.167/mine/amert.exe	unknown	—	—	unknown
2108	explorha.exe	POST	200	193.233.132.56:80	http://193.233.132.56/Pneh2sXQk0/index.php	unknown	—	—	unknown
2108	explorha.exe	GET	200	193.233.132.167:80	http://193.233.132.167/mine/random.exe	unknown	—	—	unknown
2108	explorha.exe	POST	200	193.233.132.56:80	http://193.233.132.56/Pneh2sXQk0/index.php	unknown	—	—	unknown
2108	explorha.exe	GET	200	193.233.132.56:80	http://193.233.132.56/Pneh2sXQk0/Plugins/cred.dll	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	unknown
—	—	224.0.0.252:5355	—	—	—	unknown
2108	explorha.exe	193.233.132.56:80	—	ATT-INTERNET4	US	malicious
2108	explorha.exe	193.233.132.167:80	—	ATT-INTERNET4	US	malicious
2264	rundll32.exe	193.233.132.56:80	—	ATT-INTERNET4	US	malicious
2560	chrome.exe	239.255.255.250:1900	—	—	—	unknown
2376	chrome.exe	216.58.206.35:443	clientservices.googleapis.com	GOOGLE	US	whitelisted
2376	chrome.exe	142.250.185.110:443	www.youtube.com	GOOGLE	US	whitelisted
2376	chrome.exe	74.125.133.84:443	accounts.google.com	GOOGLE	US	unknown

DNS requests

Domain	IP	Reputation
clientservices.googleapis.com	216.58.206.35	whitelisted
www.youtube.com	142.250.185.110 216.58.206.46 142.250.74.206 142.250.185.78 172.217.16.206 142.250.186.142 142.250.185.174 142.250.184.206 142.250.185.142 142.250.186.174 142.250.186.110 142.250.185.238 216.58.206.78 142.250.185.206 172.217.18.14 172.217.23.110	whitelisted
accounts.google.com	74.125.133.84	shared
consent.youtube.com	172.217.16.206	whitelisted
www.gstatic.com	172.217.18.3	whitelisted
fonts.googleapis.com	142.250.185.138	whitelisted
fonts.gstatic.com	142.250.186.131	whitelisted
www.google.com	142.250.185.100	whitelisted
update.googleapis.com	216.58.206.67 142.250.185.99	unknown
optimizationguide-pa.googleapis.com	142.250.185.170 172.217.16.202 172.217.16.138 142.250.186.42 142.250.74.202 142.250.186.138 142.250.186.74 142.250.184.234 142.250.184.202 142.250.185.234 142.250.185.202 142.250.181.234 142.250.186.106 142.250.186.170 172.217.18.10 216.58.206.74	whitelisted

Threats

PID	Process	Class	Message
2108	explorha.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 37
2108	explorha.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
2108	explorha.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 37
2108	explorha.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
2108	explorha.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2108	explorha.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2108	explorha.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
2108	explorha.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
—	—	A Network Trojan was detected	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
—	—	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent

10 ETPRO signatures available at the full report

Add for printing

Process	Message
1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
explorha.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
300ab8057c.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
explorha.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
amert.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
explorha.exe	Dk43l_dwmk438*
explorha.exe	td ydrthrhfty
explorha.exe	ewetwertyer eytdryrtdy
300ab8057c.exe	Dk43l_dwmk438*
300ab8057c.exe	ewetwertyer eytdryrtdy

General Info

1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840.exe

F70A70F653AE553A805FD21BC3092B13

095FF30ABDFDEAA91018556AB4EC92566AD708D4

1EC09530C1153453B1BD0989AF58808BC44E069C4608C878A64530BB08FA8840

98304:AFI5z1Mf0TjjgzB7J25XW3+5Q97hZacNw0XjAWvlgtQL1THbuUJyt6FuZJzIZf3H:Af

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

AMADEY has been detected (SURICATA)

Connects to the CnC server

Changes the autorun value in the registry

AMADEY has been detected (YARA)

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Unusual connection from system programs

RISEPRO has been detected (YARA)

Uses Task Scheduler to autorun other applications

RISEPRO has been detected (SURICATA)

Steals credentials

Create files in the Startup directory

Amadey has been detected

METASTEALER has been detected (SURICATA)

REDLINE has been detected (SURICATA)

STEALC has been detected (YARA)

REDLINE has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the Internet Settings

Executable content was dropped or overwritten

Reads the BIOS version

Starts itself from another location

Contacting a server suspected of hosting an CnC

Connects to the server without a host name

Process drops legitimate windows executable

Potential Corporate Privacy Violation

Process requests binary or script from the Internet

Starts a Microsoft application from unusual location

Uses RUNDLL32.EXE to load library

Application launched itself

Loads DLL from Mozilla Firefox

Creates file in the systems drive root

Accesses Microsoft Outlook profiles

Uses NETSH.EXE to obtain data on the network

Starts POWERSHELL.EXE for commands execution

The process connected to a server suspected of theft

Gets file extension (POWERSHELL)

Connects to unusual port

Reads settings of System Certificates

Adds/modifies Windows certificates

Checks for external IP

Device Retrieving External IP Address Detected

Reads browser cookies

Searches for installed software

Windows Defender mutex has been found

Checks Windows Trust Settings

Starts CMD.EXE for commands execution

The executable file from the user directory is run by the CMD process

Executing commands from a ".bat" file

The process executes via Task Scheduler

INFO

Reads the computer name

Checks supported languages

Create files in a temporary directory

Reads the machine GUID from the registry

Checks proxy server information

Creates files or folders in the user directory

Manual execution by a user

Reads security settings of Internet Explorer

Checks whether the specified file exists (POWERSHELL)

Reads mouse settings

Application launched itself

Gets data length (POWERSHELL)

The process uses the downloaded file

Creates files in the program directory

Reads the software policy settings

Reads product name