Malware analysis PriMus-DCF_vusBIM(n)_IT.exe Malicious activity

Add for printing

File name:	PriMus-DCF_vusBIM(n)_IT.exe
Full analysis:	https://app.any.run/tasks/6a34dab0-8cd0-4584-817b-2ebaeb06f09d
Verdict:	Malicious activity
Threats:	Metamorfo is a trojan malware family that has been active since 2018. It remains a top threat, focusing on stealing victims’ financial information, including banking credentials and other data. The malware is known for targeting users in Brazil. Malware Trends Tracker >>>
Analysis date:	November 07, 2023, 09:16:58
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	metamorfo
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	2C0D031F1E43CEC609DBC8BBD2A90C24
SHA1:	C3DE242E8AF71179EA4785B9778FDED5768F41E3
SHA256:	1F607ADADCFE9F88E27144D8B0A98AA92B2A5BE4AB85FAC4ADE1E21735183497
SSDEEP:	98304:dsY3g0U1KVsLAxJ5SzQvA3j9V9LNdjXUg23XlyQY6Odgt5G+WAIDMXtgSwtWWvyz:nkY/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.100 (8.100)
Skype version 8.100 (8.100)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3472)
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3420)
  - INSTALLA.exe (PID: 3940)
- METAMORFO has been detected (YARA)
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3420)
- Creates a writable file the system directory
  - INSTALLA.exe (PID: 3940)
SUSPICIOUS
- Reads the Internet Settings
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3420)
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3472)
- Starts itself from another location
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3472)
- Process requests binary or script from the Internet
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3472)
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3420)
- Drops 7-zip archiver for unpacking
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3420)
- Executing commands from a ".bat" file
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3420)
- Starts CMD.EXE for commands execution
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3420)
- Process drops legitimate windows executable
  - INSTALLA.exe (PID: 3940)
- Reads the Windows owner or organization settings
  - INSTALLA.exe (PID: 3940)
INFO
- Checks supported languages
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3472)
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3420)
  - wmpnscfg.exe (PID: 3580)
  - INSTALLA.exe (PID: 3940)
  - certmgr.exe (PID: 3896)
  - certmgr.exe (PID: 3908)
  - certmgr.exe (PID: 3752)
  - certmgr.exe (PID: 3748)
- Reads the computer name
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3472)
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3420)
  - wmpnscfg.exe (PID: 3580)
  - INSTALLA.exe (PID: 3940)
- Checks proxy server information
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3472)
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3420)
- Create files in a temporary directory
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3472)
  - PriMus-DCF_vusBIM(n)_IT.exe (PID: 3420)
  - INSTALLA.exe (PID: 3940)
- Manual execution by a user
  - wmpnscfg.exe (PID: 3580)
- Reads the machine GUID from the registry
  - wmpnscfg.exe (PID: 3580)
  - INSTALLA.exe (PID: 3940)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Inno Setup installer (67.7)
.exe	\|	Win32 EXE PECompact compressed (generic) (25.6)
.exe	\|	Win32 Executable (generic) (2.7)
.exe	\|	Win16/32 Executable Delphi generic (1.2)
.exe	\|	Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:06:14 10:08:44+02:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	4507136
InitializedDataSize:	1641472
UninitializedDataSize:	-
EntryPoint:	0x44d9a4
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	2.1.1.2
ProductVersionNumber:	2.1.1.2
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Italian
CharacterSet:	Windows, Latin1
FileVersion:	2.1.1.2
ProductVersion:	2.1.1.2
ProductName:	ACCAStore
CompanyName:	ACCA software S.p.A.
LegalCopyright:	Copyright (c) ACCA software S.p.A. - Italy. All Rights Reserved
InternalName:	ACCAStore
OriginalFileName:	ACCAStore.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

3420

"C:\Users\admin\AppData\Local\Temp\~ACCAStoreSetup\Resource\1_33512\PriMus-DCF_vusBIM(n)_IT.exe" "C:\Users\admin\AppData\Local\Temp\" {1ECC418F-F354-4A02-9808-70D08D7AF70F}

C:\Users\admin\AppData\Local\Temp\~ACCAStoreSetup\Resource\1_33512\PriMus-DCF_vusBIM(n)_IT.exe

PriMus-DCF_vusBIM(n)_IT.exe

User:

admin

Company:

ACCA software S.p.A.

Integrity Level:

HIGH

Exit code:

Version:

2.1.1.2

Modules

Images
c:\users\admin\appdata\local\temp\~accastoresetup\resource\1_33512\primus-dcf_vusbim(n)_it.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

3460

"C:\Users\admin\AppData\Local\Temp\PriMus-DCF_vusBIM(n)_IT.exe"

C:\Users\admin\AppData\Local\Temp\PriMus-DCF_vusBIM(n)_IT.exe

—

explorer.exe

User:

admin

Company:

ACCA software S.p.A.

Integrity Level:

MEDIUM

Exit code:

3221226540

Version:

2.1.1.2

Modules

Images
c:\users\admin\appdata\local\temp\primus-dcf_vusbim(n)_it.exe
c:\windows\system32\ntdll.dll

3472

"C:\Users\admin\AppData\Local\Temp\PriMus-DCF_vusBIM(n)_IT.exe"

C:\Users\admin\AppData\Local\Temp\PriMus-DCF_vusBIM(n)_IT.exe

explorer.exe

User:

admin

Company:

ACCA software S.p.A.

Integrity Level:

HIGH

Exit code:

Version:

2.1.1.2

Modules

Images
c:\users\admin\appdata\local\temp\primus-dcf_vusbim(n)_it.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

3580

"C:\Program Files\Windows Media Player\wmpnscfg.exe"

C:\Program Files\Windows Media Player\wmpnscfg.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Media Player Network Sharing Service Configuration Application

Exit code:

Version:

12.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll

3748

C:\Users\admin\AppData\Local\Temp\{EBFE51C9-F9DF-4170-9917-AC4A1BBEB18B}\{F11E9A88-95E1-4387-A65A-6721A97A00FF}\certmgr.exe -add "C:\Users\admin\AppData\Local\Temp\{EBFE51C9-F9DF-4170-9917-AC4A1BBEB18B}\{F11E9A88-95E1-4387-A65A-6721A97A00FF}\verisign 3 SSL.cer" -s -r localMachine root

C:\Users\admin\AppData\Local\Temp\{EBFE51C9-F9DF-4170-9917-AC4A1BBEB18B}\{F11E9A88-95E1-4387-A65A-6721A97A00FF}\certmgr.exe

—

INSTALLA.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

ECM Certificate Manager

Exit code:

Version:

5.131.1863.1

Modules

Images
c:\users\admin\appdata\local\temp\{ebfe51c9-f9df-4170-9917-ac4a1bbeb18b}\{f11e9a88-95e1-4387-a65a-6721a97a00ff}\certmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

3752

C:\Users\admin\AppData\Local\Temp\{EBFE51C9-F9DF-4170-9917-AC4A1BBEB18B}\{F11E9A88-95E1-4387-A65A-6721A97A00FF}\certmgr.exe

—

INSTALLA.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

ECM Certificate Manager

Exit code:

Version:

5.131.1863.1

Modules

Images
c:\users\admin\appdata\local\temp\{ebfe51c9-f9df-4170-9917-ac4a1bbeb18b}\{f11e9a88-95e1-4387-a65a-6721a97a00ff}\certmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

3832

cmd.exe /C "C:\Users\admin\AppData\Local\Temp\~ACCAStoreSetup\Cache\1_33512\~19502\.InstallInfo\AfterInstallFiles.bat"

C:\Windows\System32\cmd.exe

—

PriMus-DCF_vusBIM(n)_IT.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

3852

cmd.exe /C "C:\Users\admin\AppData\Local\Temp\~ACCAStoreSetup\Cache\1_33512\~19502\.InstallInfo\BeforeInstallFiles.bat"

C:\Windows\System32\cmd.exe

—

PriMus-DCF_vusBIM(n)_IT.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

3896

C:\Users\admin\AppData\Local\Temp\{EBFE51C9-F9DF-4170-9917-AC4A1BBEB18B}\{F11E9A88-95E1-4387-A65A-6721A97A00FF}\certmgr.exe

—

INSTALLA.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

ECM Certificate Manager

Exit code:

Version:

5.131.1863.1

Modules

Images
c:\users\admin\appdata\local\temp\{ebfe51c9-f9df-4170-9917-ac4a1bbeb18b}\{f11e9a88-95e1-4387-a65a-6721a97a00ff}\certmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

3908

C:\Users\admin\AppData\Local\Temp\{EBFE51C9-F9DF-4170-9917-AC4A1BBEB18B}\{F11E9A88-95E1-4387-A65A-6721A97A00FF}\certmgr.exe

—

INSTALLA.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

ECM Certificate Manager

Exit code:

Version:

5.131.1863.1

Modules

Images
c:\users\admin\appdata\local\temp\{ebfe51c9-f9df-4170-9917-ac4a1bbeb18b}\{f11e9a88-95e1-4387-a65a-6721a97a00ff}\certmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

Add for printing

Total events

5 935

Read events

5 891

Write events

Delete events

Modification events


(PID) Process:	(3472) PriMus-DCF_vusBIM(n)_IT.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(3472) PriMus-DCF_vusBIM(n)_IT.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 4600000059010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3420) PriMus-DCF_vusBIM(n)_IT.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(3420) PriMus-DCF_vusBIM(n)_IT.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 460000005A010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3580) wmpnscfg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{13663918-1C5B-447B-885C-06645AE17A8E}\{EE5505AB-1166-4E2A-B547-5FC9427EF59E}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3580) wmpnscfg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{13663918-1C5B-447B-885C-06645AE17A8E}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3580) wmpnscfg.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{4C24943B-2879-4B5A-86E2-CCDEDCEAE82D}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3940) INSTALLA.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FBAB033B-CDD0-4C5E-81AB-AEA575CD1338}
Operation:	write	Name:	Compatibility Flags
Value: 1024
(PID) Process:	(3940) INSTALLA.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{17E3A1C3-EA8A-4970-AF29-7F54610B1D4C}
Operation:	write	Name:	Compatibility Flags
Value: 1024
(PID) Process:	(3940) INSTALLA.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{17E3A1C3-EA8A-4970-AF29-7F54610B1D4C}
Operation:	write	Name:	AlternateCLSID
Value: {3605B612-C3CF-4ab4-A426-2D853391DB2E}

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3472	PriMus-DCF_vusBIM(n)_IT.exe	C:\Users\admin\AppData\Local\Temp\~ACCAStoreSetup\Log\PriMus-DCF.aclog		text
		MD5:571AA360C7E608D3DE6CBEE335319DDE	SHA256:D284569F795708FE3BEDA5472929450D8E3892B69A971398AA603DBA2C1CCECB
3420	PriMus-DCF_vusBIM(n)_IT.exe	C:\Users\admin\AppData\Local\Temp\~ACCAStoreSetup\Cache\0_33512\PriMus-DCF_5300_Win32_IT_33512.info.parts		xml
		MD5:F576E222F1BD00BD580924569A659901	SHA256:D3C2C74307ACC3E2190C15D976323916BFCBC40853C6EA14EE6F0041B5C6C10C
3472	PriMus-DCF_vusBIM(n)_IT.exe	C:\Users\admin\AppData\Local\Temp\~ACCAStoreSetup\Cache\0_33512\PriMus-DCF_5300_Win32_IT_33512.info.parts		xml
		MD5:F576E222F1BD00BD580924569A659901	SHA256:D3C2C74307ACC3E2190C15D976323916BFCBC40853C6EA14EE6F0041B5C6C10C
3420	PriMus-DCF_vusBIM(n)_IT.exe	C:\Users\admin\AppData\Local\Temp\~ACCAStoreSetup\Cache\1_33512\~D7DA4B78-8ABD-43A6-BC49-FD768214C8F0		text
		MD5:13536AB8A6448CB0030924F4CAB4164D	SHA256:A15E3F9888DAEB6F20CCDB5B741A1C74E8F74E0D9E873C967431EB70DF27CEB6
3420	PriMus-DCF_vusBIM(n)_IT.exe	C:\Users\admin\AppData\Local\Temp\~ACCAStoreSetup\Cache\1_33512\DataFiles\SignTool_Win32_XX_19502.data.parts		compressed
		MD5:7A9852CD3BE8800D0B02276476483849	SHA256:6474627BC5057C604183C8328892B18EB204AFC0F55C0AFB48C98E59B9729507
3420	PriMus-DCF_vusBIM(n)_IT.exe	C:\Users\admin\AppData\Local\Temp\~ACCAStoreSetup\Cache\1_33512\~19502\.InstallInfo\AfterInstallFiles.txt		text
		MD5:0085E52CA1392706B2F1DFA9529F1019	SHA256:067D70B25C14891F10CDA75EDBF0B9879331BE0EF6AB81A4A30F58BE8C2B9600
3420	PriMus-DCF_vusBIM(n)_IT.exe	C:\Users\admin\AppData\Local\Temp\~ACCAStoreSetup\Cache\1_33512\~19502\data1.cab		compressed
		MD5:919A17B10EEFA5125AB69B0F18BBA9BC	SHA256:63DB9865E7185C2C2A6D730A0B46E94A2C708A666AAE8857EFDAD7C752F89F81
3420	PriMus-DCF_vusBIM(n)_IT.exe	C:\Users\admin\AppData\Local\Temp\~ACCAStoreSetup\Cache\1_33512\~19502\data2.cab		compressed
		MD5:25CC48AE92ACF880786BE7262A434771	SHA256:25B325C3B36A799ECF91B3CD957F0C30EDD56BA599FFBEE29F65284511D90F74
3420	PriMus-DCF_vusBIM(n)_IT.exe	C:\Users\admin\AppData\Local\Temp\~ACCAStoreSetup\Cache\1_33512\~19502\layout.bin		binary
		MD5:46696C76347FCFB5C2E2FA2558A9A24F	SHA256:A28C7A02B6E4456EE23797DD9F46ABEE01D6AFA703BA1F46AA577A88914066EE
3420	PriMus-DCF_vusBIM(n)_IT.exe	C:\Users\admin\AppData\Local\Temp\~ACCAStoreSetup\Cache\1_33512\~19502\.InstallInfo\AfterUninstallFiles.txt		text
		MD5:1A2B182DE43282AFD2D6D387C984C612	SHA256:BCB962FD2848AABF8F1D9F4E9A53BF6875A496062B7312E200FC0BDCAEE10660

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3420	PriMus-DCF_vusBIM(n)_IT.exe	GET	—	13.224.194.21:80	http://download2.accasoftware.com/ACCAStore/Data/PW-CONV/0b/34/0b34a27993b14acd7533d81fc3bd42a64164992f31e5b7cd3d2a4285ea2f787c.data	unknown	—	—	unknown
3472	PriMus-DCF_vusBIM(n)_IT.exe	HEAD	200	13.224.194.21:80	http://download2.accasoftware.com/ACCAStore/Info/PriMus-DCF/53/Win32_IT/33512.info	unknown	—	—	unknown
3420	PriMus-DCF_vusBIM(n)_IT.exe	HEAD	200	13.224.194.21:80	http://download2.accasoftware.com/ACCAStore/Info/PriMus-DCF/53/Win32_IT/33512.info	unknown	—	—	unknown
3420	PriMus-DCF_vusBIM(n)_IT.exe	GET	200	52.210.6.236:80	http://secure.accasoftware.com/ACCAStoreSetup/REST/v4/SetLogSetup/9F4DFC24-9650-4667-A51A-98D8DEF3A7E1?IdProvider=00000000-0000-0000-0000-000000000000&IdLocalMachine=AF57C191-F389-4A5D-98F4-0945E393F866&IdCurrentUser=37594B5F-027E-4BDB-A9DC-B012D8718E1C&IdRilascio=33512&FileName=PriMus-DCF_vusBIM(n)_IT.exe&Info=stlgStartDataDownLoad&AppProgramName=PriMus-DCF&AppProgramType=&AppVersioneStr=usBIM(n)&AppVersione=53&AppLngExt=IT&Nome=PriMus-DCF_5300_Win32_IT&Stato=1110&VersioneSetup=2.1.1.2&TypeSetup=1&SyncOperation=0&Durata=0&DurataDwn=0&BytesDwn=0&CodError=0&Eccezioni=	unknown	binary	58 b	unknown
3420	PriMus-DCF_vusBIM(n)_IT.exe	GET	200	52.210.6.236:80	http://secure.accasoftware.com/ACCAStoreSetup/REST/v4/SetLogSetup/9F4DFC24-9650-4667-A51A-98D8DEF3A7E1?IdProvider=00000000-0000-0000-0000-000000000000&IdLocalMachine=AF57C191-F389-4A5D-98F4-0945E393F866&IdCurrentUser=37594B5F-027E-4BDB-A9DC-B012D8718E1C&IdRilascio=33512&FileName=PriMus-DCF_vusBIM(n)_IT.exe&Info=stlgEndDataDownLoad&AppProgramName=PriMus-DCF&AppProgramType=&AppVersioneStr=usBIM(n)&AppVersione=53&AppLngExt=IT&Nome=PriMus-DCF_5300_Win32_IT&Stato=1111&VersioneSetup=2.1.1.2&TypeSetup=1&SyncOperation=0&Durata=0&DurataDwn=0&BytesDwn=0&CodError=0&Eccezioni=	unknown	binary	58 b	unknown
3472	PriMus-DCF_vusBIM(n)_IT.exe	GET	200	13.224.194.21:80	http://download2.accasoftware.com/ACCAStore/Info/PriMus-DCF/53/Win32_IT/33512.info	unknown	xml	1.94 Kb	unknown
3420	PriMus-DCF_vusBIM(n)_IT.exe	GET	200	52.210.6.236:80	http://secure.accasoftware.com/ACCAStoreSetup/REST/v4/SetLogSetup/9F4DFC24-9650-4667-A51A-98D8DEF3A7E1?IdProvider=00000000-0000-0000-0000-000000000000&IdLocalMachine=AF57C191-F389-4A5D-98F4-0945E393F866&IdCurrentUser=37594B5F-027E-4BDB-A9DC-B012D8718E1C&IdRilascio=33512&FileName=PriMus-DCF_vusBIM(n)_IT.exe&Info=stlgAppRun%20PW-CONV%20%20v.6.35%20-%20IT%20-%20x86%20-%20(11.0.7.24142)%20%5BInstallDir:%20C:%5CACCA%5CPW-CONV%5C%5D&AppProgramName=PriMus-DCF&AppProgramType=&AppVersioneStr=usBIM(n)&AppVersione=53&AppLngExt=IT&Nome=PriMus-DCF_5300_Win32_IT&Stato=600&VersioneSetup=2.1.1.2&TypeSetup=1&SyncOperation=0&Durata=0&DurataDwn=0&BytesDwn=0&CodError=0&Eccezioni=	unknown	binary	58 b	unknown
3420	PriMus-DCF_vusBIM(n)_IT.exe	HEAD	200	13.224.194.21:80	http://download2.accasoftware.com/ACCAStore/Data/PW-CONV/0b/34/0b34a27993b14acd7533d81fc3bd42a64164992f31e5b7cd3d2a4285ea2f787c.data	unknown	compressed	1.72 Mb	unknown
3472	PriMus-DCF_vusBIM(n)_IT.exe	GET	200	52.210.6.236:80	http://secure.accasoftware.com/ACCAStoreSetup/REST/v4/SetLogSetup/9F4DFC24-9650-4667-A51A-98D8DEF3A7E1?IdProvider=00000000-0000-0000-0000-000000000000&IdLocalMachine=AF57C191-F389-4A5D-98F4-0945E393F866&IdCurrentUser=37594B5F-027E-4BDB-A9DC-B012D8718E1C&IdRilascio=33512&FileName=PriMus-DCF_vusBIM(n)_IT.exe&Info=stlgExistsWebCD%20-InstallByWebCD-UpdateByWebCD&AppProgramName=PriMus-DCF&AppProgramType=&AppVersioneStr=usBIM(n)&AppVersione=53&AppLngExt=IT&Nome=PriMus-DCF_5300_Win32_IT&Stato=450&VersioneSetup=2.1.1.2&TypeSetup=1&SyncOperation=0&Durata=0&DurataDwn=0&BytesDwn=0&CodError=0&Eccezioni=	unknown	binary	58 b	unknown
3420	PriMus-DCF_vusBIM(n)_IT.exe	GET	200	13.224.194.21:80	http://download2.accasoftware.com/ACCAStore/Info/PriMus-DCF/53/Win32_IT/33512.info	unknown	xml	1.94 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
2588	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
3472	PriMus-DCF_vusBIM(n)_IT.exe	13.224.194.21:80	download2.accasoftware.com	AMAZON-02	US	unknown
3472	PriMus-DCF_vusBIM(n)_IT.exe	52.210.6.236:80	secure.accasoftware.com	AMAZON-02	IE	unknown
3420	PriMus-DCF_vusBIM(n)_IT.exe	13.224.194.21:80	download2.accasoftware.com	AMAZON-02	US	unknown
3420	PriMus-DCF_vusBIM(n)_IT.exe	52.210.6.236:80	secure.accasoftware.com	AMAZON-02	IE	unknown

DNS requests

Domain	IP	Reputation
download2.accasoftware.com	13.224.194.21 13.224.194.226 13.224.194.159 13.224.194.166	whitelisted
secure.accasoftware.com	52.210.6.236 52.208.12.93 54.217.113.158	unknown

Threats

PID	Process	Class	Message
3472	PriMus-DCF_vusBIM(n)_IT.exe	Potentially Bad Traffic	ET USER_AGENTS Suspicious User-Agent (Embarcadero URI Client/1.0)
3472	PriMus-DCF_vusBIM(n)_IT.exe	Potentially Bad Traffic	ET USER_AGENTS Suspicious User-Agent (Embarcadero URI Client/1.0)
3472	PriMus-DCF_vusBIM(n)_IT.exe	Potential Corporate Privacy Violation	ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
3420	PriMus-DCF_vusBIM(n)_IT.exe	Potentially Bad Traffic	ET USER_AGENTS Suspicious User-Agent (Embarcadero URI Client/1.0)
3420	PriMus-DCF_vusBIM(n)_IT.exe	Potentially Bad Traffic	ET USER_AGENTS Suspicious User-Agent (Embarcadero URI Client/1.0)
3420	PriMus-DCF_vusBIM(n)_IT.exe	Potentially Bad Traffic	ET USER_AGENTS Suspicious User-Agent (Embarcadero URI Client/1.0)
3420	PriMus-DCF_vusBIM(n)_IT.exe	Potentially Bad Traffic	ET USER_AGENTS Suspicious User-Agent (Embarcadero URI Client/1.0)
3420	PriMus-DCF_vusBIM(n)_IT.exe	Potentially Bad Traffic	ET USER_AGENTS Suspicious User-Agent (Embarcadero URI Client/1.0)
3420	PriMus-DCF_vusBIM(n)_IT.exe	Potentially Bad Traffic	ET USER_AGENTS Suspicious User-Agent (Embarcadero URI Client/1.0)

Add for printing

No debug info

General Info

PriMus-DCF_vusBIM(n)_IT.exe

2C0D031F1E43CEC609DBC8BBD2A90C24

C3DE242E8AF71179EA4785B9778FDED5768F41E3

1F607ADADCFE9F88E27144D8B0A98AA92B2A5BE4AB85FAC4ADE1E21735183497

98304:dsY3g0U1KVsLAxJ5SzQvA3j9V9LNdjXUg23XlyQY6Odgt5G+WAIDMXtgSwtWWvyz:nkY/

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

METAMORFO has been detected (YARA)

Creates a writable file the system directory

SUSPICIOUS

Reads the Internet Settings

Starts itself from another location

Process requests binary or script from the Internet

Drops 7-zip archiver for unpacking

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Process drops legitimate windows executable

Reads the Windows owner or organization settings

INFO

Checks supported languages

Reads the computer name

Checks proxy server information

Create files in a temporary directory

Manual execution by a user

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings