Malware analysis 4363463463464363463463463.exe Malicious activity

Add for printing

File name:	4363463463464363463463463.exe
Full analysis:	https://app.any.run/tasks/05fedc06-23a0-4ce4-a364-32f815d12b11
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes. Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files. AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails. A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. LokiBot wurde im Jahr 2015 entwickelt, um Informationen aus einer Vielzahl von Anwendungen zu stehlen. Trotz ihres Alters ist diese Malware bei Cyberkriminellen immer noch recht beliebt. MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations. Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit. Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. Raccoon is an info stealer type malware available as a Malware as a Service. It can be obtained for a subscription and costs $200 per month. Raccoon malware has already infected over 100,000 devices and became one of the most mentioned viruses on the underground forums in 2019. Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, being a serious threat to businesses and individuals. First spotted in 2010, Ramnit became popular after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims. Socks5systemz is a botnet that utilizes its infection capabilities to establish a network of compromised devices. These devices are then used to forward malicious traffic. The criminals behind this malware sell access to the infected endpoints to other threat actors. Socks5systemz maintains control over thousands of devices and communicates with them using specific commands. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	February 12, 2024, 13:14:54
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	opendir hausbomber loader evasion keylogger rat remcos remote purplefox backdoor ammyy kelihos trojan phorpiex rhadamanthys stealer redline amadey botnet payload raccoon recordbreaker asyncrat arechclient2 risepro azorult xworm gh0st quasar dcrat lokibot stealc nitol banload arkei gh0stcringe metastealer vidar gcleaner socks5systemz proxy python ramnit
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	2A94F3960C58C6E70826495F76D00B85
SHA1:	E2A1A5641295F5EBF01A37AC1C170AC0814BB71A
SHA256:	2FCAD226B17131DA4274E1B9F8F31359BDD325C9568665F08FD1F6C5D06A23CE
SSDEEP:	192:2we8sGKE6MqyG7c20L7BIW12n/ePSmzkTInu8stYcFwVc03KY:9e8sGKfMqyGg20PKn/cRaInuptYcFwVY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 4363463463464363463463463.exe (PID: 3660)
  - 4363463463464363463463463.exe (PID: 2896)
  - 4363463463464363463463463.exe (PID: 2504)
  - 4363463463464363463463463.exe (PID: 2660)
  - 4363463463464363463463463.exe (PID: 3440)
  - 4363463463464363463463463.exe (PID: 1112)
  - Temp2.exe (PID: 1820)
  - inst77player_1.0.0.1.exe (PID: 1928)
  - 4363463463464363463463463.exe (PID: 2088)
  - 4363463463464363463463463.exe (PID: 572)
  - 4363463463464363463463463.exe (PID: 3768)
  - 4363463463464363463463463.exe (PID: 3132)
  - dusers.exe (PID: 4388)
  - Users.exe (PID: 4460)
  - peinf.exe (PID: 3200)
  - 4363463463464363463463463.exe (PID: 4352)
  - 4363463463464363463463463.exe (PID: 1404)
  - 4363463463464363463463463.exe (PID: 4536)
  - 4363463463464363463463463.exe (PID: 3528)
  - 4363463463464363463463463.exe (PID: 3764)
  - lve.exe (PID: 5012)
  - 60466831.exe (PID: 4920)
  - sunset1.exe (PID: 5268)
  - csc.exe (PID: 5288)
  - 4363463463464363463463463.exe (PID: 3224)
  - MartDrum.exe (PID: 5504)
  - cmd.exe (PID: 5712)
  - 4363463463464363463463463.exe (PID: 1656)
  - Fighting.pif (PID: 5744)
  - 4363463463464363463463463.exe (PID: 2636)
  - 4363463463464363463463463.exe (PID: 3516)
  - ghjkl.exe (PID: 5816)
  - 7e207560.exe (PID: 5476)
  - 4363463463464363463463463.exe (PID: 1736)
  - BBLb.exe (PID: 5884)
  - 177219156.exe (PID: 5464)
  - conhost.exe (PID: 968)
  - PCSupport.exe (PID: 5280)
  - plugins.exe (PID: 4876)
  - 313513996.exe (PID: 4236)
  - cp.exe (PID: 4608)
  - PrntScrnOfAMZOrderID.jpg.exe (PID: 4892)
  - 4363463463464363463463463.exe (PID: 4056)
  - loader.exe (PID: 6272)
  - rhsgn_protected.exe (PID: 7888)
  - ARA.exe (PID: 8132)
  - 4363463463464363463463463.exe (PID: 4152)
  - setup294.exe (PID: 7576)
  - buding.exe (PID: 7836)
  - ama.exe (PID: 6040)
  - Msblockreview.exe (PID: 7880)
  - miner.exe (PID: 6784)
  - Project_8.exe (PID: 7924)
  - fw.exe (PID: 6084)
  - dvchost.exe (PID: 5620)
  - plug.exe (PID: 5584)
  - v4install.exe (PID: 4116)
  - server.exe (PID: 5544)
  - npp86Installerx64.exe (PID: 7664)
  - RegAsm.exe (PID: 6048)
  - smell-the-roses.exe (PID: 7588)
  - 288c47bbc1871b439df19ff4df68f0776.exe (PID: 3172)
  - ._cache_server.exe (PID: 8076)
  - look2.exe (PID: 6920)
  - agentServerComponent.exe (PID: 5192)
  - InstallSetup4.exe (PID: 5128)
  - HD_._cache_server.exe (PID: 6940)
  - Winlock.exe (PID: 4260)
  - tpeinf.exe (PID: 4736)
  - latestroc.exe (PID: 6520)
  - NINJA.exe (PID: 7100)
  - cluton.exe (PID: 5336)
  - %E6%9A%97%E5%B7%B7%E8%A7%86%E9%A2%91%E8%A7%A3%E6%9E%90%E5%8A%A9%E6%89%8B.exe (PID: 4020)
  - june.exe (PID: 3872)
  - june.tmp (PID: 5744)
  - Synaptics.exe (PID: 7476)
  - amert.exe (PID: 6248)
  - AxCat.Top (PID: 7796)
  - toolmaxpartitionwizardbootable.exe (PID: 5536)
  - cluton.exe (PID: 6736)
  - 5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe (PID: 7428)
  - ladas.exe (PID: 3992)
  - ax.exe (PID: 2440)
  - _VTI_CNF.exe (PID: 6732)
  - pocketrar350sc.exe (PID: 6876)
  - costa.exe (PID: 4676)
  - more.exe (PID: 5296)
  - xzw.exe (PID: 6624)
  - win.exe (PID: 6008)
  - stub.exe (PID: 6676)
  - stub.exe (PID: 8264)
  - svchost.exe (PID: 8584)
  - RegAsm.exe (PID: 4840)
  - svchost.com (PID: 8812)
  - svchosl.exe (PID: 8092)
  - STAR.exe (PID: 9340)
  - more.exe (PID: 9084)
  - NancyMfg.exe (PID: 9220)
  - dayroc.exe (PID: 9376)
  - svchost.com (PID: 5696)
  - stub.exe (PID: 2248)
  - pxd.exe (PID: 5380)
  - cluton.exe (PID: 3276)
  - Helper.exe (PID: 6768)
  - stub.exe (PID: 8188)
  - Amadey.exe (PID: 8756)
  - 15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe (PID: 7088)
  - svchost.com (PID: 12084)
  - DCRatBuild.exe (PID: 9148)
  - jxszdjp.exe (PID: 6504)
  - jxszdjpSrv.exe (PID: 7184)
- Actions looks like stealing of personal data
  - 4363463463464363463463463.exe (PID: 2896)
  - 4363463463464363463463463.exe (PID: 1112)
  - svchost.exe (PID: 6660)
  - dialer.exe (PID: 5624)
  - jsc.exe (PID: 5452)
  - ._cache_server.exe (PID: 8076)
  - kehu.exe (PID: 4896)
  - RegAsm.exe (PID: 8036)
  - crypted.exe (PID: 3588)
  - cluton.exe (PID: 6736)
  - RegAsm.exe (PID: 6048)
  - dialer.exe (PID: 5180)
  - RegAsm.exe (PID: 5708)
  - 4363463463464363463463463.exe (PID: 2088)
  - 4363463463464363463463463.exe (PID: 2636)
  - Synaptics.exe (PID: 7476)
  - bott.exe (PID: 9356)
  - STAR.exe (PID: 9340)
  - msedge.exe (PID: 8392)
  - msedge.exe (PID: 9832)
  - msedge.exe (PID: 9876)
  - msedge.exe (PID: 9720)
  - msedge.exe (PID: 8496)
  - svchost.com (PID: 8812)
  - msedge.exe (PID: 8212)
  - msedge.exe (PID: 8888)
  - stub.exe (PID: 8264)
  - chrome.exe (PID: 8828)
  - msedge.exe (PID: 4304)
  - chrome.exe (PID: 7832)
  - msedge.exe (PID: 7800)
  - chrome.exe (PID: 3828)
  - chrome.exe (PID: 6772)
  - chrome.exe (PID: 9228)
  - chrome.exe (PID: 2532)
  - firefox.exe (PID: 9740)
  - firefox.exe (PID: 8224)
  - firefox.exe (PID: 6488)
  - ladas.exe (PID: 3992)
- HAUSBOMBER has been detected (YARA)
  - 4363463463464363463463463.exe (PID: 3660)
  - 4363463463464363463463463.exe (PID: 1112)
  - 4363463463464363463463463.exe (PID: 1656)
  - 4363463463464363463463463.exe (PID: 2896)
  - 4363463463464363463463463.exe (PID: 2504)
  - 4363463463464363463463463.exe (PID: 3224)
  - 4363463463464363463463463.exe (PID: 572)
  - 4363463463464363463463463.exe (PID: 4056)
  - 4363463463464363463463463.exe (PID: 3516)
  - 4363463463464363463463463.exe (PID: 2660)
  - 4363463463464363463463463.exe (PID: 2088)
  - 4363463463464363463463463.exe (PID: 3764)
  - 4363463463464363463463463.exe (PID: 2636)
  - 4363463463464363463463463.exe (PID: 3440)
  - 4363463463464363463463463.exe (PID: 3528)
  - 4363463463464363463463463.exe (PID: 1736)
  - 4363463463464363463463463.exe (PID: 1404)
  - 4363463463464363463463463.exe (PID: 3768)
  - 4363463463464363463463463.exe (PID: 3560)
  - 4363463463464363463463463.exe (PID: 4352)
  - 4363463463464363463463463.exe (PID: 4152)
  - 4363463463464363463463463.exe (PID: 4536)
  - 4363463463464363463463463.exe (PID: 3132)
- Creates a writable file in the system directory
  - Temp2.exe (PID: 1820)
  - 7e207560.exe (PID: 5476)
  - look2.exe (PID: 6920)
  - HD_._cache_server.exe (PID: 6940)
  - Winlock.exe (PID: 4260)
  - _VTI_CNF.exe (PID: 6732)
  - svchosl.exe (PID: 8092)
- Uses Task Scheduler to autorun other applications
  - Temp2.exe (PID: 1820)
  - asg.exe (PID: 2804)
  - RegAsm.exe (PID: 6048)
  - ladas.exe (PID: 3992)
  - cmd.exe (PID: 4900)
  - Client-built.exe (PID: 10216)
- Changes the autorun value in the registry
  - 60466831.exe (PID: 4920)
  - 177219156.exe (PID: 5464)
  - buildcosta.exe (PID: 8024)
  - 313513996.exe (PID: 4236)
  - Utsysc.exe (PID: 7952)
  - npp86Installerx64.exe (PID: 7664)
  - RegAsm.exe (PID: 6048)
  - server.exe (PID: 5544)
  - HD_._cache_server.exe (PID: 6940)
  - NINJA.exe (PID: 7100)
  - Winlock.exe (PID: 4260)
  - ladas.exe (PID: 3992)
  - _VTI_CNF.exe (PID: 6732)
  - win.exe (PID: 6008)
  - clip.exe (PID: 8272)
- Remcos is detected
  - 6.exe (PID: 5084)
- Changes Security Center notification settings
  - 60466831.exe (PID: 4920)
  - 177219156.exe (PID: 5464)
  - 313513996.exe (PID: 4236)
- Starts Visual C# compiler
  - %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 5064)
- Deletes the SafeBoot registry key
  - 7e207560.exe (PID: 5448)
- Antivirus name has been found in the command line (generic signature)
  - findstr.exe (PID: 5588)
  - findstr.exe (PID: 5664)
- Create files in the Startup directory
  - cmd.exe (PID: 5784)
  - dllhost.exe (PID: 4660)
  - Winlock.exe (PID: 4260)
  - svchost.com (PID: 8812)
- REDLINE has been detected (YARA)
  - heaoyam78.exe (PID: 3252)
  - vbc.exe (PID: 5716)
  - kehu.exe (PID: 4896)
  - 1.exe (PID: 5880)
- PURPLEFOX has been detected (SURICATA)
  - lve.exe (PID: 5012)
- Connects to the CnC server
  - lve.exe (PID: 5012)
  - 60466831.exe (PID: 4920)
  - 2-3-1_2023-12-14_13-35.exe (PID: 5336)
  - 177219156.exe (PID: 5464)
  - fw.exe (PID: 6084)
  - kehu.exe (PID: 4896)
  - Utsysc.exe (PID: 7952)
  - jsc.exe (PID: 5452)
  - RegAsm.exe (PID: 6048)
  - buding.exe (PID: 7836)
  - RegAsm.exe (PID: 8036)
  - 4w5G.exe (PID: 6140)
  - build6_unencrypted.exe (PID: 4144)
  - HD_._cache_server.exe (PID: 6940)
  - nsm2742.tmp (PID: 6484)
  - svchosl.exe (PID: 8092)
  - syncUpd.exe (PID: 6520)
  - ladas.exe (PID: 3992)
  - RegAsm.exe (PID: 5708)
  - 5-jd_mn.exe (PID: 7804)
  - xzw.exe (PID: 6624)
  - timeSync.exe (PID: 9764)
  - bott.exe (PID: 9356)
- REMCOS has been detected (SURICATA)
  - 6.exe (PID: 5084)
- KELIHOS has been detected (SURICATA)
  - 4363463463464363463463463.exe (PID: 3528)
  - 4363463463464363463463463.exe (PID: 2504)
  - 4363463463464363463463463.exe (PID: 3516)
- Adds path to the Windows Defender exclusion list
  - InstallSetup2.exe (PID: 4896)
  - build6_unencrypted.exe (PID: 4144)
  - more.exe (PID: 5296)
  - images.exe (PID: 7536)
  - svchost.com (PID: 4784)
- PHORPIEX has been detected (SURICATA)
  - 4363463463464363463463463.exe (PID: 2088)
  - 60466831.exe (PID: 4920)
  - 313513996.exe (PID: 4236)
  - 177219156.exe (PID: 5464)
  - 4363463463464363463463463.exe (PID: 3768)
- UAC/LUA settings modification
  - InstallSetup2.exe (PID: 4896)
  - miner.exe (PID: 6784)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 7248)
  - powershell.exe (PID: 7480)
  - powershell.exe (PID: 6212)
  - powershell.exe (PID: 7628)
  - powershell.exe (PID: 5628)
  - powershell.exe (PID: 8616)
- Run PowerShell with an invisible window
  - powershell.exe (PID: 7248)
  - powershell.exe (PID: 7480)
  - powershell.exe (PID: 4848)
  - powershell.exe (PID: 5628)
- Amadey has been detected
  - buildcosta.exe (PID: 8024)
  - buildcosta.exe (PID: 6568)
  - buildcosta.exe (PID: 8000)
  - buildcosta.exe (PID: 7232)
  - buildcosta.exe (PID: 9028)
- AMMYY has been detected (SURICATA)
  - 7e207560.exe (PID: 5476)
- Adds process to the Windows Defender exclusion list
  - miner.exe (PID: 6784)
  - build6_unencrypted.exe (PID: 4144)
- Raccoon mutex has been detected
  - 2-3-1_2023-12-14_13-35.exe (PID: 5336)
- Steals credentials
  - svchost.exe (PID: 6660)
  - RegAsm.exe (PID: 6048)
  - ladas.exe (PID: 3992)
- QUASAR has been detected (YARA)
  - asg.exe (PID: 2804)
- ASYNCRAT has been detected (MUTEX)
  - jsc.exe (PID: 6572)
  - more.exe (PID: 9084)
- RHADAMANTHYS has been detected (SURICATA)
  - dialer.exe (PID: 5624)
- Uses sleep, probably for evasion detection (SCRIPT)
  - wscript.exe (PID: 4628)
  - wscript.exe (PID: 5304)
- AMADEY has been detected (SURICATA)
  - buildcosta.exe (PID: 8024)
  - Utsysc.exe (PID: 7952)
- RACCOON has been detected (SURICATA)
  - 2-3-1_2023-12-14_13-35.exe (PID: 5336)
- Changes powershell execution policy (Bypass)
  - build6_unencrypted.exe (PID: 4144)
  - socks5-clean.exe (PID: 2368)
  - EchoNavigator.exe (PID: 5948)
- REDLINE has been detected (SURICATA)
  - kehu.exe (PID: 4896)
  - RegAsm.exe (PID: 8036)
  - RegAsm.exe (PID: 5708)
  - STAR.exe (PID: 9340)
  - bott.exe (PID: 9356)
- Steals credentials from Web Browsers
  - RegAsm.exe (PID: 8036)
  - RegAsm.exe (PID: 6048)
  - cluton.exe (PID: 6736)
  - ladas.exe (PID: 3992)
  - STAR.exe (PID: 9340)
  - kehu.exe (PID: 4896)
  - firefox.exe (PID: 9740)
  - firefox.exe (PID: 8224)
- ARECHCLIENT2 has been detected (SURICATA)
  - jsc.exe (PID: 5452)
- RISEPRO has been detected (SURICATA)
  - RegAsm.exe (PID: 6048)
  - ladas.exe (PID: 3992)
  - zara.exe (PID: 6616)
  - RetailerRise.exe (PID: 8908)
  - dota.exe (PID: 4464)
- DcRAT is detected
  - agentServerComponent.exe (PID: 5192)
- AZORULT has been detected (SURICATA)
  - 4w5G.exe (PID: 6140)
  - 5-jd_mn.exe (PID: 7804)
- RISEPRO has been detected (YARA)
  - pixxxxx.exe (PID: 5892)
- REMCOS has been detected (YARA)
  - 6.exe (PID: 5084)
- NITOL has been detected (YARA)
  - lve.exe (PID: 5012)
- XWORM has been detected (SURICATA)
  - build6_unencrypted.exe (PID: 4144)
- ASYNCRAT has been detected (YARA)
  - jsc.exe (PID: 6572)
  - reo.exe (PID: 3680)
- GH0ST has been detected (SURICATA)
  - HD_._cache_server.exe (PID: 6940)
  - 32.exe (PID: 5328)
- ARKEI has been detected (YARA)
  - build.exe (PID: 7200)
- Changes the login/logoff helper path in the registry
  - Winlock.exe (PID: 4260)
  - _VTI_CNF.exe (PID: 6732)
  - pxd.exe (PID: 9220)
- Disables the Run the Start menu
  - Winlock.exe (PID: 4260)
- Lokibot is detected
  - cluton.exe (PID: 6736)
  - svchost.com (PID: 8812)
  - stub.exe (PID: 8264)
- XWORM has been detected (YARA)
  - build6_unencrypted.exe (PID: 4144)
- METASTEALER has been detected (YARA)
  - RegAsm.exe (PID: 8036)
  - vbc.exe (PID: 392)
- VIDAR has been detected (YARA)
  - r.exe (PID: 7840)
- Unusual connection from system programs
  - vbc.exe (PID: 392)
  - vbc.exe (PID: 9492)
- Creates or modifies Windows services
  - DefenderControl.exe (PID: 6924)
- STEALC has been detected (SURICATA)
  - nsm2742.tmp (PID: 6484)
  - syncUpd.exe (PID: 6520)
  - timeSync.exe (PID: 9764)
- Modify registry editing tools (regedit)
  - _VTI_CNF.exe (PID: 6732)
- Task Manager has been disabled (taskmgr)
  - _VTI_CNF.exe (PID: 6732)
- BANLOAD has been detected (SURICATA)
  - svchosl.exe (PID: 8092)
- Starts CMD.EXE for self-deleting
  - a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe (PID: 6044)
  - svchost.com (PID: 4112)
- GH0STCRINGE has been detected (SURICATA)
  - xzw.exe (PID: 6624)
- The DLL Hijacking
  - msedge.exe (PID: 6984)
  - msedge.exe (PID: 4900)
- GCLEANER has been detected (SURICATA)
  - inte.exe (PID: 9972)
SUSPICIOUS
- Adds/modifies Windows certificates
  - 4363463463464363463463463.exe (PID: 3660)
  - 4363463463464363463463463.exe (PID: 1656)
  - 4363463463464363463463463.exe (PID: 3528)
  - svchost.exe (PID: 6660)
  - Helper.exe (PID: 6768)
- Reads the Internet Settings
  - 4363463463464363463463463.exe (PID: 3660)
  - 4363463463464363463463463.exe (PID: 2896)
  - 4363463463464363463463463.exe (PID: 1656)
  - 4363463463464363463463463.exe (PID: 1112)
  - 4363463463464363463463463.exe (PID: 2504)
  - 4363463463464363463463463.exe (PID: 3224)
  - 4363463463464363463463463.exe (PID: 2660)
  - 4363463463464363463463463.exe (PID: 572)
  - 4363463463464363463463463.exe (PID: 3440)
  - 4363463463464363463463463.exe (PID: 3560)
  - Temp2.exe (PID: 1820)
  - 4363463463464363463463463.exe (PID: 4056)
  - 4363463463464363463463463.exe (PID: 2636)
  - 4363463463464363463463463.exe (PID: 3516)
  - 4363463463464363463463463.exe (PID: 3528)
  - 4363463463464363463463463.exe (PID: 3132)
  - 4363463463464363463463463.exe (PID: 2088)
  - 4363463463464363463463463.exe (PID: 3764)
  - asg.exe (PID: 2804)
  - 4363463463464363463463463.exe (PID: 1736)
  - 4363463463464363463463463.exe (PID: 1404)
  - 4363463463464363463463463.exe (PID: 3768)
  - 4363463463464363463463463.exe (PID: 4152)
  - peinf.exe (PID: 3200)
  - 4363463463464363463463463.exe (PID: 4352)
  - dusers.exe (PID: 4388)
  - Users.exe (PID: 4460)
  - 4363463463464363463463463.exe (PID: 4536)
  - baseline.exe (PID: 4708)
  - %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 5064)
  - 60466831.exe (PID: 4920)
  - 7e207560.exe (PID: 5448)
  - MartDrum.exe (PID: 5504)
  - sunset1.exe (PID: 5268)
  - Client.exe (PID: 4828)
  - ghjkl.exe (PID: 5816)
  - fu.exe (PID: 4128)
  - InstallSetup2.exe (PID: 4896)
  - well.exe (PID: 2192)
  - buildcosta.exe (PID: 8024)
  - powershell.exe (PID: 6292)
  - conhost.exe (PID: 968)
  - miner.exe (PID: 6784)
  - 2-3-1_2023-12-14_13-35.exe (PID: 5336)
  - InstallUtil.exe (PID: 2092)
  - powershell.exe (PID: 7248)
  - cmd.exe (PID: 5480)
  - 177219156.exe (PID: 5464)
  - powershell.exe (PID: 6116)
  - 313513996.exe (PID: 4236)
  - fw.exe (PID: 6084)
  - loader.exe (PID: 6272)
  - data64_6.exe (PID: 5072)
  - rhsgn_protected.exe (PID: 7888)
  - ARA.exe (PID: 8132)
  - inst77player.exe (PID: 7776)
  - setup294.exe (PID: 7576)
  - control.exe (PID: 5840)
  - wscript.exe (PID: 4628)
  - ama.exe (PID: 6040)
  - Utsysc.exe (PID: 7952)
  - Msblockreview.exe (PID: 7880)
  - buding.exe (PID: 7836)
  - build.exe (PID: 7200)
  - Payload.exe (PID: 1824)
  - dvchost.exe (PID: 5620)
  - build6_unencrypted.exe (PID: 4144)
  - cmd.exe (PID: 4468)
  - powershell.exe (PID: 6212)
  - powershell.exe (PID: 7480)
  - v4install.exe (PID: 4116)
  - 4w5G.exe (PID: 6140)
  - npp.8.6.2.Installer.x64.exe (PID: 7064)
  - powershell.exe (PID: 7628)
  - r.exe (PID: 7840)
  - wscript.exe (PID: 5304)
  - RegAsm.exe (PID: 6048)
  - beacon_test.exe (PID: 6060)
  - server.exe (PID: 5544)
  - 288c47bbc1871b439df19ff4df68f0776.exe (PID: 3172)
  - tpeinf.exe (PID: 4736)
  - InstallSetup4.exe (PID: 5128)
  - latestroc.exe (PID: 6520)
  - Winlock.exe (PID: 4260)
  - cluton.exe (PID: 6736)
  - nsm2742.tmp (PID: 6484)
  - more.exe (PID: 5296)
  - PCclear_Eng_mini.exe (PID: 3116)
  - svchosl.exe (PID: 8092)
  - gookcom.exe (PID: 6156)
  - ax.exe (PID: 2440)
  - syncUpd.exe (PID: 6520)
  - pocketrar350sc.exe (PID: 6876)
  - xzw.exe (PID: 6624)
  - fortnite3.exe (PID: 4968)
  - ladas.exe (PID: 3992)
  - costa.exe (PID: 4676)
  - socks5-clean.exe (PID: 2368)
  - a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe (PID: 6044)
  - 5-jd_mn.exe (PID: 7804)
  - _VTI_CNF.exe (PID: 6732)
  - univ.exe (PID: 7160)
  - stub.exe (PID: 8264)
  - clip.exe (PID: 8272)
  - powershell.exe (PID: 4116)
  - RegAsm.exe (PID: 4840)
  - stub.exe (PID: 8704)
  - EeVneYhUHXJTJhA2iMcq.exe (PID: 8216)
  - powershell.exe (PID: 8616)
  - timeSync.exe (PID: 9764)
  - stub.exe (PID: 9472)
  - more.exe (PID: 9084)
  - STAR.exe (PID: 9340)
  - stub.exe (PID: 8224)
  - stub.exe (PID: 4836)
  - _XKFlpw8lp76NqGHGAb4.exe (PID: 6652)
  - porn.exe (PID: 8528)
  - NancyMfg.exe (PID: 9220)
  - stub.exe (PID: 9556)
  - dayroc.exe (PID: 9376)
  - images.exe (PID: 7536)
  - stub.exe (PID: 2248)
  - msedge.exe (PID: 8392)
  - Update_new.exe (PID: 6728)
  - inte.exe (PID: 9972)
  - msedge.exe (PID: 9876)
  - explorgu.exe (PID: 10072)
  - msedge.exe (PID: 8496)
  - stub.exe (PID: 8188)
  - Journal.exe (PID: 7276)
  - pxd.exe (PID: 9220)
  - chrome.exe (PID: 6772)
  - stub.exe (PID: 6424)
  - chrome.exe (PID: 8828)
  - RegAsm.exe (PID: 5700)
  - chrome.exe (PID: 2532)
  - explorgu.exe (PID: 8868)
  - stub.exe (PID: 10636)
  - stub.exe (PID: 11300)
- Connects to unusual port
  - 4363463463464363463463463.exe (PID: 3660)
  - heaoyam78.exe (PID: 3252)
  - 4363463463464363463463463.exe (PID: 3764)
  - asg.exe (PID: 2804)
  - 4363463463464363463463463.exe (PID: 3132)
  - baseline.exe (PID: 4708)
  - lve.exe (PID: 5012)
  - 6.exe (PID: 5084)
  - 4363463463464363463463463.exe (PID: 3440)
  - 60466831.exe (PID: 4920)
  - jsc.exe (PID: 6572)
  - 4363463463464363463463463.exe (PID: 572)
  - 177219156.exe (PID: 5464)
  - Recorder.exe (PID: 6712)
  - kehu.exe (PID: 4896)
  - Screensaver.exe (PID: 6152)
  - fw.exe (PID: 6084)
  - Payload.exe (PID: 1824)
  - jsc.exe (PID: 5452)
  - RegAsm.exe (PID: 6048)
  - pixxxxx.exe (PID: 5892)
  - RegAsm.exe (PID: 8036)
  - 4363463463464363463463463.exe (PID: 4536)
  - 1.exe (PID: 5880)
  - HD_._cache_server.exe (PID: 6940)
  - reo.exe (PID: 3680)
  - vbc.exe (PID: 392)
  - lux32.exe (PID: 3156)
  - build6_unencrypted.exe (PID: 4144)
  - 32.exe (PID: 5328)
  - ladas.exe (PID: 3992)
  - 4363463463464363463463463.exe (PID: 2088)
  - easy.exe (PID: 7664)
  - RegAsm.exe (PID: 6176)
  - 4363463463464363463463463.exe (PID: 2660)
  - powershell.exe (PID: 4848)
  - 4363463463464363463463463.exe (PID: 3768)
  - RegAsm.exe (PID: 5708)
  - file.exe (PID: 2808)
  - win.exe (PID: 6008)
  - zara.exe (PID: 6616)
  - xzw.exe (PID: 6624)
  - Update_new.exe (PID: 6728)
  - STAR.exe (PID: 9340)
  - vbc.exe (PID: 9492)
  - bott.exe (PID: 9356)
  - powershell.exe (PID: 5628)
  - 4363463463464363463463463.exe (PID: 4056)
  - 4363463463464363463463463.exe (PID: 3528)
  - RetailerRise.exe (PID: 8908)
  - dota.exe (PID: 4464)
  - Journal.exe (PID: 7276)
  - svchosl.exe (PID: 8092)
- Reads settings of System Certificates
  - 4363463463464363463463463.exe (PID: 3660)
  - 4363463463464363463463463.exe (PID: 2896)
  - 4363463463464363463463463.exe (PID: 1656)
  - 4363463463464363463463463.exe (PID: 1112)
  - 4363463463464363463463463.exe (PID: 2504)
  - 4363463463464363463463463.exe (PID: 3224)
  - 4363463463464363463463463.exe (PID: 2660)
  - 4363463463464363463463463.exe (PID: 572)
  - 4363463463464363463463463.exe (PID: 3440)
  - 4363463463464363463463463.exe (PID: 3560)
  - 4363463463464363463463463.exe (PID: 4056)
  - 4363463463464363463463463.exe (PID: 2636)
  - 4363463463464363463463463.exe (PID: 3516)
  - 4363463463464363463463463.exe (PID: 3528)
  - 4363463463464363463463463.exe (PID: 3132)
  - 4363463463464363463463463.exe (PID: 2088)
  - 4363463463464363463463463.exe (PID: 3764)
  - 4363463463464363463463463.exe (PID: 1736)
  - 4363463463464363463463463.exe (PID: 3768)
  - 4363463463464363463463463.exe (PID: 1404)
  - 4363463463464363463463463.exe (PID: 4152)
  - 4363463463464363463463463.exe (PID: 4352)
  - 4363463463464363463463463.exe (PID: 4536)
  - Client.exe (PID: 4828)
  - InstallUtil.exe (PID: 2092)
  - data64_6.exe (PID: 5072)
  - build.exe (PID: 7200)
  - RegAsm.exe (PID: 6048)
  - r.exe (PID: 7840)
  - Winlock.exe (PID: 4260)
  - ladas.exe (PID: 3992)
  - zara.exe (PID: 6616)
  - dota.exe (PID: 4464)
  - Update_new.exe (PID: 6728)
  - RetailerRise.exe (PID: 8908)
  - Helper.exe (PID: 6768)
  - RegAsm.exe (PID: 5700)
- Process requests binary or script from the Internet
  - 4363463463464363463463463.exe (PID: 3660)
  - 4363463463464363463463463.exe (PID: 3440)
  - 4363463463464363463463463.exe (PID: 2636)
  - 4363463463464363463463463.exe (PID: 1736)
  - 4363463463464363463463463.exe (PID: 3516)
  - 4363463463464363463463463.exe (PID: 572)
  - 4363463463464363463463463.exe (PID: 1404)
  - 4363463463464363463463463.exe (PID: 3528)
  - 4363463463464363463463463.exe (PID: 2504)
  - 4363463463464363463463463.exe (PID: 3764)
  - PCSupport.exe (PID: 5280)
  - 4363463463464363463463463.exe (PID: 4056)
  - 4363463463464363463463463.exe (PID: 2088)
  - 4363463463464363463463463.exe (PID: 4152)
  - 4363463463464363463463463.exe (PID: 3768)
  - 4363463463464363463463463.exe (PID: 2660)
  - 4363463463464363463463463.exe (PID: 4352)
  - 4363463463464363463463463.exe (PID: 4536)
  - 4363463463464363463463463.exe (PID: 1656)
  - 4363463463464363463463463.exe (PID: 3132)
  - svchosl.exe (PID: 8092)
  - 4363463463464363463463463.exe (PID: 1112)
  - ladas.exe (PID: 3992)
  - 4363463463464363463463463.exe (PID: 2896)
  - 4363463463464363463463463.exe (PID: 3224)
- Reads security settings of Internet Explorer
  - 4363463463464363463463463.exe (PID: 2896)
  - 4363463463464363463463463.exe (PID: 2504)
  - 4363463463464363463463463.exe (PID: 3224)
  - 4363463463464363463463463.exe (PID: 2660)
  - 4363463463464363463463463.exe (PID: 1112)
  - 4363463463464363463463463.exe (PID: 572)
  - 4363463463464363463463463.exe (PID: 2088)
  - peinf.exe (PID: 3200)
  - 4363463463464363463463463.exe (PID: 3132)
  - dusers.exe (PID: 4388)
  - Users.exe (PID: 4460)
  - 4363463463464363463463463.exe (PID: 4352)
  - 4363463463464363463463463.exe (PID: 3528)
  - 4363463463464363463463463.exe (PID: 3764)
  - 4363463463464363463463463.exe (PID: 3440)
  - 4363463463464363463463463.exe (PID: 3768)
  - 60466831.exe (PID: 4920)
  - MartDrum.exe (PID: 5504)
  - 4363463463464363463463463.exe (PID: 1656)
  - 4363463463464363463463463.exe (PID: 2636)
  - 7e207560.exe (PID: 5476)
  - 4363463463464363463463463.exe (PID: 3516)
  - ghjkl.exe (PID: 5816)
  - 4363463463464363463463463.exe (PID: 1736)
  - 4363463463464363463463463.exe (PID: 1404)
  - fu.exe (PID: 4128)
  - InstallSetup2.exe (PID: 4896)
  - well.exe (PID: 2192)
  - buildcosta.exe (PID: 8024)
  - conhost.exe (PID: 968)
  - miner.exe (PID: 6784)
  - InstallUtil.exe (PID: 2092)
  - 2-3-1_2023-12-14_13-35.exe (PID: 5336)
  - 313513996.exe (PID: 4236)
  - 4363463463464363463463463.exe (PID: 4056)
  - fw.exe (PID: 6084)
  - 4363463463464363463463463.exe (PID: 3560)
  - rhsgn_protected.exe (PID: 7888)
  - loader.exe (PID: 6272)
  - ARA.exe (PID: 8132)
  - inst77player.exe (PID: 7776)
  - 4363463463464363463463463.exe (PID: 4152)
  - setup294.exe (PID: 7576)
  - ama.exe (PID: 6040)
  - Utsysc.exe (PID: 7952)
  - Msblockreview.exe (PID: 7880)
  - buding.exe (PID: 7836)
  - build.exe (PID: 7200)
  - dvchost.exe (PID: 5620)
  - build6_unencrypted.exe (PID: 4144)
  - v4install.exe (PID: 4116)
  - 4w5G.exe (PID: 6140)
  - r.exe (PID: 7840)
  - server.exe (PID: 5544)
  - RegAsm.exe (PID: 6048)
  - 4363463463464363463463463.exe (PID: 4536)
  - 288c47bbc1871b439df19ff4df68f0776.exe (PID: 3172)
  - tpeinf.exe (PID: 4736)
  - InstallSetup4.exe (PID: 5128)
  - latestroc.exe (PID: 6520)
  - Winlock.exe (PID: 4260)
  - 177219156.exe (PID: 5464)
  - nsm2742.tmp (PID: 6484)
  - more.exe (PID: 5296)
  - PCclear_Eng_mini.exe (PID: 3116)
  - gookcom.exe (PID: 6156)
  - ax.exe (PID: 2440)
  - syncUpd.exe (PID: 6520)
  - pocketrar350sc.exe (PID: 6876)
  - fortnite3.exe (PID: 4968)
  - xzw.exe (PID: 6624)
  - ladas.exe (PID: 3992)
  - costa.exe (PID: 4676)
  - socks5-clean.exe (PID: 2368)
  - a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe (PID: 6044)
  - 5-jd_mn.exe (PID: 7804)
  - _VTI_CNF.exe (PID: 6732)
  - univ.exe (PID: 7160)
  - Suaeweq.exe (PID: 7116)
  - stub.exe (PID: 8264)
  - Suaeweq.exe (PID: 8624)
  - RegAsm.exe (PID: 4840)
  - stub.exe (PID: 8704)
  - timeSync.exe (PID: 9764)
  - stub.exe (PID: 9472)
  - more.exe (PID: 9084)
  - STAR.exe (PID: 9340)
  - stub.exe (PID: 8224)
  - stub.exe (PID: 4836)
  - EeVneYhUHXJTJhA2iMcq.exe (PID: 8216)
  - _XKFlpw8lp76NqGHGAb4.exe (PID: 6652)
  - porn.exe (PID: 8528)
  - NancyMfg.exe (PID: 9220)
  - stub.exe (PID: 9556)
  - dayroc.exe (PID: 9376)
  - images.exe (PID: 7536)
  - stub.exe (PID: 2248)
  - inte.exe (PID: 9972)
  - explorgu.exe (PID: 10072)
  - Helper.exe (PID: 6768)
  - stub.exe (PID: 8188)
  - Journal.exe (PID: 7276)
  - stub.exe (PID: 6424)
  - explorgu.exe (PID: 8868)
  - stub.exe (PID: 10636)
  - stub.exe (PID: 11300)
- Executable content was dropped or overwritten
  - 4363463463464363463463463.exe (PID: 2896)
  - 4363463463464363463463463.exe (PID: 2504)
  - 4363463463464363463463463.exe (PID: 2660)
  - 4363463463464363463463463.exe (PID: 3440)
  - 4363463463464363463463463.exe (PID: 1112)
  - Temp2.exe (PID: 1820)
  - 4363463463464363463463463.exe (PID: 572)
  - inst77player_1.0.0.1.exe (PID: 1928)
  - 4363463463464363463463463.exe (PID: 2088)
  - 4363463463464363463463463.exe (PID: 3768)
  - 4363463463464363463463463.exe (PID: 3132)
  - dusers.exe (PID: 4388)
  - Users.exe (PID: 4460)
  - peinf.exe (PID: 3200)
  - 4363463463464363463463463.exe (PID: 4352)
  - 4363463463464363463463463.exe (PID: 3528)
  - lve.exe (PID: 5012)
  - 4363463463464363463463463.exe (PID: 3764)
  - 60466831.exe (PID: 4920)
  - sunset1.exe (PID: 5268)
  - csc.exe (PID: 5288)
  - 4363463463464363463463463.exe (PID: 3224)
  - MartDrum.exe (PID: 5504)
  - cmd.exe (PID: 5712)
  - 4363463463464363463463463.exe (PID: 1656)
  - Fighting.pif (PID: 5744)
  - 4363463463464363463463463.exe (PID: 2636)
  - dllhost.exe (PID: 4660)
  - 7e207560.exe (PID: 5476)
  - 4363463463464363463463463.exe (PID: 3516)
  - ghjkl.exe (PID: 5816)
  - 4363463463464363463463463.exe (PID: 1736)
  - BBLb.exe (PID: 5884)
  - 177219156.exe (PID: 5464)
  - 4363463463464363463463463.exe (PID: 1404)
  - conhost.exe (PID: 968)
  - plugins.exe (PID: 4876)
  - 313513996.exe (PID: 4236)
  - cp.exe (PID: 4608)
  - PrntScrnOfAMZOrderID.jpg.exe (PID: 4892)
  - svchost.exe (PID: 6660)
  - 4363463463464363463463463.exe (PID: 4056)
  - PCSupport.exe (PID: 5280)
  - loader.exe (PID: 6272)
  - rhsgn_protected.exe (PID: 7888)
  - ARA.exe (PID: 8132)
  - 4363463463464363463463463.exe (PID: 4152)
  - setup294.exe (PID: 7576)
  - buding.exe (PID: 7836)
  - ama.exe (PID: 6040)
  - Msblockreview.exe (PID: 7880)
  - miner.exe (PID: 6784)
  - Project_8.exe (PID: 7924)
  - fw.exe (PID: 6084)
  - dvchost.exe (PID: 5620)
  - plug.exe (PID: 5584)
  - v4install.exe (PID: 4116)
  - server.exe (PID: 5544)
  - npp86Installerx64.exe (PID: 7664)
  - dialer.exe (PID: 5624)
  - RegAsm.exe (PID: 6048)
  - smell-the-roses.exe (PID: 7588)
  - ._cache_server.exe (PID: 8076)
  - 288c47bbc1871b439df19ff4df68f0776.exe (PID: 3172)
  - look2.exe (PID: 6920)
  - InstallSetup4.exe (PID: 5128)
  - HD_._cache_server.exe (PID: 6940)
  - agentServerComponent.exe (PID: 5192)
  - Winlock.exe (PID: 4260)
  - tpeinf.exe (PID: 4736)
  - latestroc.exe (PID: 6520)
  - NINJA.exe (PID: 7100)
  - cluton.exe (PID: 5336)
  - june.exe (PID: 3872)
  - %E6%9A%97%E5%B7%B7%E8%A7%86%E9%A2%91%E8%A7%A3%E6%9E%90%E5%8A%A9%E6%89%8B.exe (PID: 4020)
  - june.tmp (PID: 5744)
  - Synaptics.exe (PID: 7476)
  - AxCat.Top (PID: 7796)
  - amert.exe (PID: 6248)
  - toolmaxpartitionwizardbootable.exe (PID: 5536)
  - cluton.exe (PID: 6736)
  - 5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe (PID: 7428)
  - ladas.exe (PID: 3992)
  - ax.exe (PID: 2440)
  - pocketrar350sc.exe (PID: 6876)
  - _VTI_CNF.exe (PID: 6732)
  - costa.exe (PID: 4676)
  - more.exe (PID: 5296)
  - dialer.exe (PID: 5180)
  - xzw.exe (PID: 6624)
  - win.exe (PID: 6008)
  - stub.exe (PID: 6676)
  - stub.exe (PID: 8264)
  - clip.exe (PID: 8272)
  - svchost.exe (PID: 8584)
  - RegAsm.exe (PID: 4840)
  - svchost.com (PID: 8812)
  - svchosl.exe (PID: 8092)
  - STAR.exe (PID: 9340)
  - more.exe (PID: 9084)
  - NancyMfg.exe (PID: 9220)
  - dayroc.exe (PID: 9376)
  - pxd.exe (PID: 5380)
  - svchost.com (PID: 5696)
  - stub.exe (PID: 2248)
  - Helper.exe (PID: 6768)
  - cluton.exe (PID: 3276)
  - stub.exe (PID: 8188)
  - Amadey.exe (PID: 8756)
  - svchost.com (PID: 12084)
  - 15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe (PID: 7088)
  - jxszdjp.exe (PID: 6504)
  - jxszdjpSrv.exe (PID: 7184)
  - DCRatBuild.exe (PID: 9148)
- Application launched itself
  - f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe (PID: 1340)
  - d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe (PID: 392)
  - Client.exe (PID: 4808)
  - Gsoymaq.exe (PID: 5028)
  - 7e207560.exe (PID: 5456)
  - cmd.exe (PID: 5548)
  - cmd.exe (PID: 5572)
  - ghjkl.exe (PID: 5816)
  - BBLb.exe (PID: 6128)
  - asdfg.exe (PID: 6140)
  - native.exe (PID: 7468)
  - 07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe (PID: 6168)
  - lumma.exe (PID: 6284)
  - e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe (PID: 6832)
  - PrntScrnOfAMZOrderID.jpg.exe (PID: 6540)
  - AttributeString.exe (PID: 3264)
  - InstallUtil.exe (PID: 6344)
  - 12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe (PID: 7888)
  - 3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe (PID: 6204)
  - 4w5G.exe (PID: 4400)
  - 1e3d458e7ef866069259cb3b13b761e46f6278c3fca69ca846baca650b4e0f72.exe (PID: 1056)
  - ghjk.exe (PID: 5372)
  - cluton.exe (PID: 5336)
  - net.exe (PID: 5776)
  - a0538252234edd82661f55fea05df541c095a9f74368d8dca1582d797a1d084a.exe (PID: 6132)
  - 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe (PID: 2420)
  - c42b27e42760a1e1812ef9db5f9abb3424c5f9fb5390b006b0a39f6b28cc259c.exe (PID: 3828)
  - 5-jd_mn.exe (PID: 5264)
  - Suaeweq.exe (PID: 7116)
  - more.exe (PID: 5296)
  - msedge.exe (PID: 8392)
  - msedge.exe (PID: 9720)
  - msedge.exe (PID: 9876)
  - msedge.exe (PID: 8888)
  - msedge.exe (PID: 8496)
  - msedge.exe (PID: 7800)
  - chrome.exe (PID: 8828)
  - chrome.exe (PID: 6772)
  - chrome.exe (PID: 2532)
  - pxd.exe (PID: 5380)
  - cluton.exe (PID: 3276)
  - images.exe (PID: 7536)
- Starts itself from another location
  - Temp2.exe (PID: 1820)
  - 177219156.exe (PID: 5464)
  - ama.exe (PID: 6040)
  - RegAsm.exe (PID: 6048)
  - clip.exe (PID: 8272)
  - svchost.com (PID: 9320)
  - stub.exe (PID: 8704)
  - stub.exe (PID: 9472)
  - svchost.com (PID: 9752)
  - stub.exe (PID: 8224)
  - stub.exe (PID: 4836)
  - svchost.com (PID: 8456)
  - svchost.com (PID: 1412)
  - stub.exe (PID: 9556)
  - stub.exe (PID: 2248)
  - svchost.com (PID: 5696)
  - stub.exe (PID: 8188)
  - svchost.com (PID: 8404)
  - stub.exe (PID: 6424)
  - stub.exe (PID: 10636)
  - svchost.com (PID: 10340)
  - svchost.com (PID: 10996)
  - stub.exe (PID: 11300)
  - svchost.com (PID: 2572)
  - stub.exe (PID: 11808)
  - stub.exe (PID: 10404)
  - svchost.com (PID: 11488)
  - jxszdjpSrv.exe (PID: 7184)
- The process creates files with name similar to system file names
  - 4363463463464363463463463.exe (PID: 572)
  - 4363463463464363463463463.exe (PID: 3132)
  - Msblockreview.exe (PID: 7880)
  - 4363463463464363463463463.exe (PID: 4152)
  - NINJA.exe (PID: 7100)
  - 4363463463464363463463463.exe (PID: 2504)
  - ax.exe (PID: 2440)
  - _VTI_CNF.exe (PID: 6732)
  - win.exe (PID: 6008)
  - stub.exe (PID: 6676)
  - clip.exe (PID: 8272)
- Executing commands from a ".bat" file
  - dusers.exe (PID: 4388)
  - Users.exe (PID: 4460)
  - conhost.exe (PID: 968)
  - wscript.exe (PID: 4628)
  - Msblockreview.exe (PID: 7880)
  - dvchost.exe (PID: 5620)
  - plug.exe (PID: 5584)
  - wscript.exe (PID: 5304)
  - BroomSetup.exe (PID: 4240)
  - more.exe (PID: 9084)
  - svchost.com (PID: 8296)
  - wscript.exe (PID: 9516)
- Starts CMD.EXE for commands execution
  - dusers.exe (PID: 4388)
  - Users.exe (PID: 4460)
  - cmd.exe (PID: 5548)
  - MartDrum.exe (PID: 5504)
  - cmd.exe (PID: 5572)
  - conhost.exe (PID: 968)
  - wscript.exe (PID: 4628)
  - Msblockreview.exe (PID: 7880)
  - dvchost.exe (PID: 5620)
  - plug.exe (PID: 5584)
  - wscript.exe (PID: 5304)
  - Winlock.exe (PID: 4260)
  - NINJA.exe (PID: 7100)
  - BroomSetup.exe (PID: 4240)
  - _VTI_CNF.exe (PID: 6732)
  - a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe (PID: 6044)
  - svchost.com (PID: 7348)
  - more.exe (PID: 9084)
  - svchost.com (PID: 8296)
  - svchost.com (PID: 4112)
  - fcc.exe (PID: 11136)
  - wscript.exe (PID: 9516)
- Runs PING.EXE to delay simulation
  - cmd.exe (PID: 4436)
  - cmd.exe (PID: 4568)
  - cmd.exe (PID: 5572)
  - cmd.exe (PID: 3096)
- Starts application with an unusual extension
  - cmd.exe (PID: 4568)
  - cmd.exe (PID: 5572)
  - %E6%9A%97%E5%B7%B7%E8%A7%86%E9%A2%91%E8%A7%A3%E6%9E%90%E5%8A%A9%E6%89%8B.exe (PID: 4020)
  - InstallSetup4.exe (PID: 5128)
  - cmd.exe (PID: 6860)
  - 4363463463464363463463463.exe (PID: 3764)
  - 4363463463464363463463463.exe (PID: 572)
  - 4363463463464363463463463.exe (PID: 3440)
  - 4363463463464363463463463.exe (PID: 3516)
  - 4363463463464363463463463.exe (PID: 2896)
  - RegAsm.exe (PID: 4840)
  - stub.exe (PID: 8704)
  - 4363463463464363463463463.exe (PID: 2636)
  - 4363463463464363463463463.exe (PID: 4352)
  - 4363463463464363463463463.exe (PID: 2660)
  - stub.exe (PID: 9472)
  - 4363463463464363463463463.exe (PID: 4056)
  - 4363463463464363463463463.exe (PID: 1112)
  - 4363463463464363463463463.exe (PID: 1656)
  - more.exe (PID: 9084)
  - 4363463463464363463463463.exe (PID: 2504)
  - STAR.exe (PID: 9340)
  - ladas.exe (PID: 3992)
  - stub.exe (PID: 8224)
  - stub.exe (PID: 4836)
  - EeVneYhUHXJTJhA2iMcq.exe (PID: 8216)
  - 4363463463464363463463463.exe (PID: 2088)
  - 4363463463464363463463463.exe (PID: 3528)
  - NancyMfg.exe (PID: 9220)
  - _XKFlpw8lp76NqGHGAb4.exe (PID: 6652)
  - dayroc.exe (PID: 9376)
  - stub.exe (PID: 9556)
  - porn.exe (PID: 8528)
  - stub.exe (PID: 2248)
  - explorgu.exe (PID: 10072)
  - inte.exe (PID: 9972)
  - stub.exe (PID: 8188)
  - 4363463463464363463463463.exe (PID: 1404)
  - stub.exe (PID: 6424)
  - explorgu.exe (PID: 8868)
  - stub.exe (PID: 10636)
  - 4363463463464363463463463.exe (PID: 3224)
  - stub.exe (PID: 11300)
  - explorgu.exe (PID: 10932)
  - RegAsm.exe (PID: 11432)
  - stub.exe (PID: 11808)
  - 15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe (PID: 7088)
  - 4363463463464363463463463.exe (PID: 3132)
  - explorgu.exe (PID: 11936)
  - images.exe (PID: 7536)
  - stub.exe (PID: 10404)
  - explorgu.exe (PID: 10456)
  - explorgu.exe (PID: 8356)
  - a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe (PID: 10132)
- The executable file from the user directory is run by the CMD process
  - wmild.exe (PID: 4676)
  - wmild.exe (PID: 4696)
  - Fighting.pif (PID: 5744)
  - Msblockreview.exe (PID: 7880)
  - agentServerComponent.exe (PID: 5192)
  - images.exe (PID: 7536)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 4568)
  - cmd.exe (PID: 4876)
- Checks for external IP
  - Temp2.exe (PID: 1820)
  - asg.exe (PID: 2804)
  - 7e207560.exe (PID: 5476)
  - RegAsm.exe (PID: 6048)
  - ladas.exe (PID: 3992)
  - zara.exe (PID: 6616)
  - RetailerRise.exe (PID: 8908)
  - dota.exe (PID: 4464)
- Executes as Windows Service
  - Gsoymaq.exe (PID: 5028)
  - 7e207560.exe (PID: 5456)
  - Suaeweq.exe (PID: 7116)
  - svchost.exe (PID: 8584)
  - VSSVC.exe (PID: 11748)
- Connects to the server without a host name
  - 4363463463464363463463463.exe (PID: 3440)
  - 4363463463464363463463463.exe (PID: 2636)
  - 4363463463464363463463463.exe (PID: 3516)
  - 4363463463464363463463463.exe (PID: 1736)
  - 4363463463464363463463463.exe (PID: 572)
  - 4363463463464363463463463.exe (PID: 3528)
  - 4363463463464363463463463.exe (PID: 2504)
  - 4363463463464363463463463.exe (PID: 4056)
  - 4363463463464363463463463.exe (PID: 4152)
  - 4363463463464363463463463.exe (PID: 3768)
  - 4363463463464363463463463.exe (PID: 2660)
  - 4363463463464363463463463.exe (PID: 4352)
  - 4363463463464363463463463.exe (PID: 4536)
  - 4363463463464363463463463.exe (PID: 1404)
  - 4363463463464363463463463.exe (PID: 2088)
  - buding.exe (PID: 7836)
  - 4363463463464363463463463.exe (PID: 1112)
  - ladas.exe (PID: 3992)
  - 4363463463464363463463463.exe (PID: 3764)
  - build.exe (PID: 7200)
  - buildcosta.exe (PID: 8024)
- Writes files like Keylogger logs
  - 4363463463464363463463463.exe (PID: 3768)
  - 6.exe (PID: 5084)
  - Synaptics.exe (PID: 7476)
- Creates or modifies Windows services
  - lve.exe (PID: 5012)
  - look2.exe (PID: 6920)
  - _VTI_CNF.exe (PID: 6732)
  - xzw.exe (PID: 6624)
  - svchosl.exe (PID: 8092)
- Reads Internet Explorer settings
  - %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 5064)
  - pocketrar350sc.exe (PID: 6876)
- Uses .NET C# to load dll
  - %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 5064)
- Process drops legitimate windows executable
  - 4363463463464363463463463.exe (PID: 4352)
  - Fighting.pif (PID: 5744)
  - rhsgn_protected.exe (PID: 7888)
  - fw.exe (PID: 6084)
  - RegAsm.exe (PID: 6048)
  - 4363463463464363463463463.exe (PID: 3768)
  - june.tmp (PID: 5744)
  - AxCat.Top (PID: 7796)
  - stub.exe (PID: 6676)
  - clip.exe (PID: 8272)
  - pxd.exe (PID: 5380)
  - stub.exe (PID: 8264)
  - 4363463463464363463463463.exe (PID: 3224)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 5572)
- Get information on the list of running processes
  - cmd.exe (PID: 5572)
- Drops a file with a rarely used extension (PIF)
  - Fighting.pif (PID: 5744)
  - cmd.exe (PID: 5712)
- Checks Windows Trust Settings
  - 7e207560.exe (PID: 5476)
  - InstallUtil.exe (PID: 2092)
  - build.exe (PID: 7200)
  - r.exe (PID: 7840)
  - Winlock.exe (PID: 4260)
  - Helper.exe (PID: 6768)
- The process executes VB scripts
  - new.exe (PID: 5676)
  - %40Natsu338_alice.exe (PID: 5168)
  - NINJA.exe (PID: 7100)
  - c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe (PID: 2228)
  - 15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe (PID: 7088)
  - jjj.exe (PID: 5592)
  - tel.exe (PID: 3204)
- Uses RUNDLL32.EXE to load library
  - 7e207560.exe (PID: 5476)
  - control.exe (PID: 5840)
- Creates a software uninstall entry
  - inst77player_1.0.0.1.exe (PID: 1928)
- Script adds exclusion path to Windows Defender
  - InstallSetup2.exe (PID: 4896)
  - miner.exe (PID: 6784)
  - build6_unencrypted.exe (PID: 4144)
  - more.exe (PID: 5296)
- Starts POWERSHELL.EXE for commands execution
  - InstallSetup2.exe (PID: 4896)
  - miner.exe (PID: 6784)
  - build6_unencrypted.exe (PID: 4144)
  - gookcom.exe (PID: 6156)
  - more.exe (PID: 5296)
  - socks5-clean.exe (PID: 2368)
  - EchoNavigator.exe (PID: 5948)
  - svchost.com (PID: 4784)
- The process checks if it is being run in the virtual environment
  - dialer.exe (PID: 5624)
  - rundll32.exe (PID: 5720)
  - dialer.exe (PID: 5180)
  - 4363463463464363463463463.exe (PID: 2636)
- The process executes via Task Scheduler
  - powershell.exe (PID: 7248)
  - buildcosta.exe (PID: 6568)
  - AttributeString.exe (PID: 3264)
  - powershell.exe (PID: 7480)
  - buildcosta.exe (PID: 8000)
  - Utsysc.exe (PID: 7796)
  - buildcosta.exe (PID: 7232)
  - system.exe (PID: 4880)
  - Utsysc.exe (PID: 2644)
  - buildcosta.exe (PID: 9028)
  - Utsysc.exe (PID: 9016)
  - system.exe (PID: 9000)
  - system.exe (PID: 6360)
  - buildcosta.exe (PID: 3688)
  - Utsysc.exe (PID: 10228)
- Using PowerShell to operate with local accounts
  - powershell.exe (PID: 6292)
  - powershell.exe (PID: 6116)
  - powershell.exe (PID: 7248)
  - powershell.exe (PID: 6212)
  - powershell.exe (PID: 7480)
  - powershell.exe (PID: 7628)
  - powershell.exe (PID: 4116)
- Drops 7-zip archiver for unpacking
  - conhost.exe (PID: 968)
  - dvchost.exe (PID: 5620)
- Script adds exclusion process to Windows Defender
  - miner.exe (PID: 6784)
  - build6_unencrypted.exe (PID: 4144)
- Uses ATTRIB.EXE to modify file attributes
  - cmd.exe (PID: 5480)
  - cmd.exe (PID: 4468)
- Starts a Microsoft application from unusual location
  - jsc.exe (PID: 6572)
  - npp86Installerx64.exe (PID: 7664)
  - lumma1234.exe (PID: 5364)
- Accesses Microsoft Outlook profiles
  - svchost.exe (PID: 6660)
  - dialer.exe (PID: 5624)
  - RegAsm.exe (PID: 6048)
  - cluton.exe (PID: 6736)
  - dialer.exe (PID: 5180)
  - ladas.exe (PID: 3992)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - InstallUtil.exe (PID: 2092)
  - data64_6.exe (PID: 5072)
  - build.exe (PID: 7200)
  - r.exe (PID: 7840)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 4628)
  - wscript.exe (PID: 5304)
- Executed via WMI
  - schtasks.exe (PID: 7140)
  - schtasks.exe (PID: 4328)
  - schtasks.exe (PID: 7924)
  - schtasks.exe (PID: 3948)
  - schtasks.exe (PID: 7052)
  - schtasks.exe (PID: 4560)
  - schtasks.exe (PID: 2740)
  - schtasks.exe (PID: 2560)
  - schtasks.exe (PID: 5500)
  - schtasks.exe (PID: 6116)
  - schtasks.exe (PID: 7360)
  - schtasks.exe (PID: 3964)
  - schtasks.exe (PID: 6444)
  - schtasks.exe (PID: 7088)
  - schtasks.exe (PID: 6616)
  - schtasks.exe (PID: 6608)
  - schtasks.exe (PID: 7300)
  - schtasks.exe (PID: 4880)
  - schtasks.exe (PID: 6856)
  - schtasks.exe (PID: 4936)
  - schtasks.exe (PID: 1496)
  - schtasks.exe (PID: 3812)
  - schtasks.exe (PID: 7556)
  - schtasks.exe (PID: 7552)
  - schtasks.exe (PID: 7384)
  - schtasks.exe (PID: 7444)
  - schtasks.exe (PID: 6988)
  - schtasks.exe (PID: 6960)
  - schtasks.exe (PID: 7212)
  - schtasks.exe (PID: 6272)
  - schtasks.exe (PID: 6776)
  - schtasks.exe (PID: 5664)
  - schtasks.exe (PID: 7420)
  - schtasks.exe (PID: 6672)
  - schtasks.exe (PID: 6172)
  - schtasks.exe (PID: 7916)
  - schtasks.exe (PID: 3276)
  - schtasks.exe (PID: 4984)
  - schtasks.exe (PID: 5636)
  - schtasks.exe (PID: 4260)
  - schtasks.exe (PID: 4696)
  - schtasks.exe (PID: 6048)
  - schtasks.exe (PID: 7660)
  - schtasks.exe (PID: 6924)
  - schtasks.exe (PID: 8044)
  - 4w5G.exe (PID: 4400)
  - 5-jd_mn.exe (PID: 5264)
- Loads DLL from Mozilla Firefox
  - dialer.exe (PID: 5624)
  - cluton.exe (PID: 6736)
  - dialer.exe (PID: 5180)
  - firefox.exe (PID: 9740)
  - firefox.exe (PID: 8224)
  - firefox.exe (PID: 6488)
- Reads browser cookies
  - dialer.exe (PID: 5624)
  - jsc.exe (PID: 5452)
  - RegAsm.exe (PID: 6048)
  - RegAsm.exe (PID: 8036)
  - dialer.exe (PID: 5180)
  - STAR.exe (PID: 9340)
  - kehu.exe (PID: 4896)
  - RegAsm.exe (PID: 5708)
- Probably delay the execution using 'w32tm.exe'
  - cmd.exe (PID: 7816)
- Searches for installed software
  - dialer.exe (PID: 5624)
  - jsc.exe (PID: 5452)
  - RegAsm.exe (PID: 6048)
  - RegAsm.exe (PID: 8036)
  - kehu.exe (PID: 4896)
  - crypted.exe (PID: 3588)
  - dialer.exe (PID: 5180)
  - ladas.exe (PID: 3992)
  - STAR.exe (PID: 9340)
  - RegAsm.exe (PID: 5708)
- Reads the date of Windows installation
  - server.exe (PID: 5544)
- Suspicious files were dropped or overwritten
  - look2.exe (PID: 6920)
- Creates files in the driver directory
  - Winlock.exe (PID: 4260)
- Detected use of alternative data streams (AltDS)
  - NINJA.exe (PID: 7100)
- Reads Mozilla Firefox installation path
  - cluton.exe (PID: 6736)
- Creates FileSystem object to access computer's file system (SCRIPT)
  - wscript.exe (PID: 6596)
- Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)
  - wscript.exe (PID: 6596)
- Reads the Windows owner or organization settings
  - june.tmp (PID: 5744)
  - Helper.exe (PID: 6768)
- Executes WMI query (SCRIPT)
  - wscript.exe (PID: 6596)
- Reads the BIOS version
  - amert.exe (PID: 6248)
  - ladas.exe (PID: 3992)
  - %E6%85%95%E8%AF%BE%E7%BD%91%E8%A7%86%E9%A2%91%E8%A7%A3%E6%9E%90%E5%B7%A5%E5%85%B7_2015.exe (PID: 2196)
  - zara.exe (PID: 6616)
  - Update_new.exe (PID: 6728)
  - RetailerRise.exe (PID: 8908)
  - _XKFlpw8lp76NqGHGAb4.exe (PID: 6652)
  - explorgu.exe (PID: 10072)
  - explorgu.exe (PID: 8868)
  - explorgu.exe (PID: 10932)
- Windows Defender mutex has been found
  - nsm2742.tmp (PID: 6484)
  - syncUpd.exe (PID: 6520)
  - timeSync.exe (PID: 9764)
- Base64-obfuscated command line is found
  - gookcom.exe (PID: 6156)
- Suspicious use of symmetric encryption in PowerShell
  - gookcom.exe (PID: 6156)
- Potential TCP-based PowerShell reverse shell connection
  - gookcom.exe (PID: 6156)
- Reads Microsoft Outlook installation path
  - pocketrar350sc.exe (PID: 6876)
- The Powershell connects to the Internet
  - powershell.exe (PID: 4848)
  - powershell.exe (PID: 8616)
  - powershell.exe (PID: 5628)
- Unusual connection from system programs
  - powershell.exe (PID: 4848)
  - powershell.exe (PID: 8616)
  - powershell.exe (PID: 5628)
- The process executes Powershell scripts
  - socks5-clean.exe (PID: 2368)
  - EchoNavigator.exe (PID: 5948)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 4552)
  - cmd.exe (PID: 1044)
- Uses ROUTE.EXE to obtain the routing table information
  - win.exe (PID: 6008)
- The process hides Powershell's copyright startup banner
  - EchoNavigator.exe (PID: 5948)
- The process bypasses the loading of PowerShell profile settings
  - EchoNavigator.exe (PID: 5948)
- The process hide an interactive prompt from the user
  - EchoNavigator.exe (PID: 5948)
- Drops a system driver (possible attempt to evade defenses)
  - svchosl.exe (PID: 8092)
- Changes the Home page of Internet Explorer
  - svchosl.exe (PID: 8092)
- Changes the title of the Internet Explorer window
  - svchosl.exe (PID: 8092)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 7804)
- The process drops C-runtime libraries
  - pxd.exe (PID: 5380)
- Loads Python modules
  - pxd.exe (PID: 9220)
- The process verifies whether the antivirus software is installed
  - pxd.exe (PID: 9220)
INFO
- Reads the machine GUID from the registry
  - 4363463463464363463463463.exe (PID: 3660)
  - 4363463463464363463463463.exe (PID: 2896)
  - 4363463463464363463463463.exe (PID: 1656)
  - 4363463463464363463463463.exe (PID: 1112)
  - 4363463463464363463463463.exe (PID: 2504)
  - 4363463463464363463463463.exe (PID: 3224)
  - 4363463463464363463463463.exe (PID: 2660)
  - heaoyam78.exe (PID: 3252)
  - Temp2.exe (PID: 1820)
  - 4363463463464363463463463.exe (PID: 572)
  - 4363463463464363463463463.exe (PID: 3440)
  - 4363463463464363463463463.exe (PID: 3560)
  - 4363463463464363463463463.exe (PID: 4056)
  - 4363463463464363463463463.exe (PID: 3516)
  - asg.exe (PID: 2804)
  - 4363463463464363463463463.exe (PID: 2636)
  - 4363463463464363463463463.exe (PID: 3528)
  - 4363463463464363463463463.exe (PID: 3132)
  - 4363463463464363463463463.exe (PID: 2088)
  - 4363463463464363463463463.exe (PID: 3764)
  - 4363463463464363463463463.exe (PID: 1736)
  - 4363463463464363463463463.exe (PID: 3768)
  - 4363463463464363463463463.exe (PID: 1404)
  - SuburbansKamacite.exe (PID: 2960)
  - peinf.exe (PID: 3200)
  - 4363463463464363463463463.exe (PID: 4152)
  - 4363463463464363463463463.exe (PID: 4352)
  - 4363463463464363463463463.exe (PID: 4536)
  - baseline.exe (PID: 4708)
  - Client.exe (PID: 4808)
  - InstallSetup2.exe (PID: 4896)
  - daissss.exe (PID: 4932)
  - %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 5064)
  - 6.exe (PID: 5084)
  - cvtres.exe (PID: 5316)
  - 60466831.exe (PID: 4920)
  - csc.exe (PID: 5288)
  - Client.exe (PID: 4828)
  - 1234daisaaaaa.exe (PID: 5996)
  - 7e207560.exe (PID: 5476)
  - html.exe (PID: 5764)
  - vbc.exe (PID: 5716)
  - ghjkl.exe (PID: 5816)
  - BBLb.exe (PID: 6128)
  - BBLb.exe (PID: 5884)
  - asdfg.exe (PID: 6140)
  - native.exe (PID: 7468)
  - plugins.exe (PID: 4876)
  - buildcosta.exe (PID: 8024)
  - Windows.exe (PID: 4464)
  - InstallUtil.exe (PID: 2092)
  - 2-3-1_2023-12-14_13-35.exe (PID: 5336)
  - 177219156.exe (PID: 5464)
  - 313513996.exe (PID: 4236)
  - miner.exe (PID: 6784)
  - AttributeString.exe (PID: 6300)
  - fw.exe (PID: 6084)
  - WatchDog.exe (PID: 7976)
  - AttributeString.exe (PID: 3264)
  - jsc.exe (PID: 6572)
  - data64_6.exe (PID: 5072)
  - InstallUtil.exe (PID: 6344)
  - InstallUtil.exe (PID: 7528)
  - inst77player.exe (PID: 7776)
  - Msblockreview.exe (PID: 7880)
  - ama.exe (PID: 6040)
  - kehu.exe (PID: 4896)
  - Utsysc.exe (PID: 7952)
  - buding.exe (PID: 7836)
  - build.exe (PID: 7200)
  - dw20.exe (PID: 1056)
  - hv.exe (PID: 7672)
  - Payload.exe (PID: 1824)
  - wmprph.exe (PID: 6820)
  - wmplayer.exe (PID: 4776)
  - build6_unencrypted.exe (PID: 4144)
  - jsc.exe (PID: 5452)
  - RegAsm.exe (PID: 6048)
  - RegAsm.exe (PID: 8036)
  - server.exe (PID: 5544)
  - 4w5G.exe (PID: 4400)
  - npp.8.6.2.Installer.x64.exe (PID: 7064)
  - 4w5G.exe (PID: 6140)
  - vbc.exe (PID: 392)
  - r.exe (PID: 7840)
  - beacon_test.exe (PID: 6060)
  - 1.exe (PID: 5880)
  - 288c47bbc1871b439df19ff4df68f076.exe (PID: 4584)
  - 288c47bbc1871b439df19ff4df68f0776.exe (PID: 3172)
  - agentServerComponent.exe (PID: 5192)
  - reo.exe (PID: 3680)
  - tpeinf.exe (PID: 4736)
  - InstallSetup4.exe (PID: 5128)
  - ed.exe (PID: 1428)
  - 31839b57a4f11171d6abc8bbc4451ee4.exe (PID: 6916)
  - ghjk.exe (PID: 5372)
  - SystemUpdate.exe (PID: 8160)
  - NINJA.exe (PID: 7100)
  - cluton.exe (PID: 6736)
  - Winlock.exe (PID: 4260)
  - hncc.exe (PID: 7688)
  - more.exe (PID: 5296)
  - nsm2742.tmp (PID: 6484)
  - AK1.exe (PID: 4592)
  - PCclear_Eng_mini.exe (PID: 3116)
  - T1_Net.exe (PID: 7424)
  - gookcom.exe (PID: 6156)
  - net.exe (PID: 5776)
  - Temp1.exe (PID: 7976)
  - 5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe (PID: 7428)
  - goldpricesup12.exe (PID: 8076)
  - ladas.exe (PID: 3992)
  - RegAsm.exe (PID: 6176)
  - easy.exe (PID: 7664)
  - syncUpd.exe (PID: 6520)
  - RegAsm.exe (PID: 5708)
  - costa.exe (PID: 4676)
  - NBYS%20AH.NET.exe (PID: 764)
  - pocketrar350sc.exe (PID: 6876)
  - l.exe (PID: 5000)
  - xzw.exe (PID: 6624)
  - e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 5556)
  - 5-jd_mn.exe (PID: 5264)
  - dsdasda.exe (PID: 7028)
  - _VTI_CNF.exe (PID: 6732)
  - 5-jd_mn.exe (PID: 7804)
  - file.exe (PID: 2808)
  - univ.exe (PID: 7160)
  - cayV0Deo9jSt417.exe (PID: 5812)
  - Suaeweq.exe (PID: 7116)
  - csaff.exe (PID: 7572)
  - VLTKBacdau.exe (PID: 6592)
  - zara.exe (PID: 6616)
  - Update_new.exe (PID: 6728)
  - EchoNavigator.exe (PID: 5948)
  - Suaeweq.exe (PID: 8624)
  - STAR.exe (PID: 9340)
  - bott.exe (PID: 9356)
  - vbc.exe (PID: 9492)
  - light.exe (PID: 4240)
  - more.exe (PID: 9084)
  - timeSync.exe (PID: 9764)
  - RegAsm.exe (PID: 4840)
  - porn.exe (PID: 8528)
  - images.exe (PID: 7536)
  - msedge.exe (PID: 8392)
  - msedge.exe (PID: 9876)
  - msedge.exe (PID: 8496)
  - d21cbe21e38b385a41a68c5e6dd32f4c.exe (PID: 9168)
  - dota.exe (PID: 4464)
  - RetailerRise.exe (PID: 8908)
  - inte.exe (PID: 9972)
  - svchosl.exe (PID: 8092)
  - Helper.exe (PID: 6768)
  - pxd.exe (PID: 9220)
  - chrome.exe (PID: 8828)
  - chrome.exe (PID: 6772)
  - firefox.exe (PID: 9740)
  - chrome.exe (PID: 2532)
  - Journal.exe (PID: 7276)
  - cluton.exe (PID: 7396)
  - RegAsm.exe (PID: 5700)
  - M5traider.exe (PID: 9912)
  - Amadey.exe (PID: 8756)
  - Horpxuoxm.exe (PID: 11364)
- Reads the computer name
  - 4363463463464363463463463.exe (PID: 3660)
  - 4363463463464363463463463.exe (PID: 2896)
  - 4363463463464363463463463.exe (PID: 1656)
  - 4363463463464363463463463.exe (PID: 1112)
  - 4363463463464363463463463.exe (PID: 2504)
  - 4363463463464363463463463.exe (PID: 3224)
  - 4363463463464363463463463.exe (PID: 2660)
  - tidex_-_short_stuff.exe (PID: 3036)
  - Temp2.exe (PID: 1820)
  - 4363463463464363463463463.exe (PID: 572)
  - heaoyam78.exe (PID: 3252)
  - 4363463463464363463463463.exe (PID: 3440)
  - 4363463463464363463463463.exe (PID: 3560)
  - 4363463463464363463463463.exe (PID: 4056)
  - chdyz.exe (PID: 3708)
  - 4363463463464363463463463.exe (PID: 2636)
  - 4363463463464363463463463.exe (PID: 3516)
  - asg.exe (PID: 2804)
  - 4363463463464363463463463.exe (PID: 3528)
  - 4363463463464363463463463.exe (PID: 3132)
  - 4363463463464363463463463.exe (PID: 2088)
  - 4363463463464363463463463.exe (PID: 3764)
  - inst77player_1.0.0.1.exe (PID: 1928)
  - 4363463463464363463463463.exe (PID: 1736)
  - 4363463463464363463463463.exe (PID: 3768)
  - SuburbansKamacite.exe (PID: 2960)
  - 4363463463464363463463463.exe (PID: 4152)
  - 4363463463464363463463463.exe (PID: 1404)
  - peinf.exe (PID: 3200)
  - 4363463463464363463463463.exe (PID: 4352)
  - dusers.exe (PID: 4388)
  - Users.exe (PID: 4460)
  - 4363463463464363463463463.exe (PID: 4536)
  - wmild.exe (PID: 4696)
  - baseline.exe (PID: 4708)
  - wmild.exe (PID: 4676)
  - Client.exe (PID: 4808)
  - Client.exe (PID: 4828)
  - plugins.exe (PID: 4876)
  - daissss.exe (PID: 4932)
  - lve.exe (PID: 5012)
  - InstallSetup2.exe (PID: 4896)
  - 6.exe (PID: 5084)
  - %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 5064)
  - Gsoymaq.exe (PID: 5028)
  - Gsoymaq.exe (PID: 5056)
  - PCSupport.exe (PID: 5280)
  - 60466831.exe (PID: 4920)
  - 7e207560.exe (PID: 5456)
  - 7e207560.exe (PID: 5476)
  - 7e207560.exe (PID: 5448)
  - MartDrum.exe (PID: 5504)
  - Fighting.pif (PID: 5744)
  - sunset1.exe (PID: 5268)
  - 1234daisaaaaa.exe (PID: 5996)
  - html.exe (PID: 5764)
  - vbc.exe (PID: 5716)
  - ghjkl.exe (PID: 5816)
  - BBLb.exe (PID: 6128)
  - BBLb.exe (PID: 5884)
  - asdfg.exe (PID: 6140)
  - fu.exe (PID: 4128)
  - well.exe (PID: 2192)
  - miner.exe (PID: 6784)
  - lve.exe (PID: 4336)
  - native.exe (PID: 7468)
  - buildcosta.exe (PID: 8024)
  - conhost.exe (PID: 968)
  - InstallUtil.exe (PID: 2092)
  - Windows.exe (PID: 4464)
  - 2-3-1_2023-12-14_13-35.exe (PID: 5336)
  - winvnc.exe (PID: 7644)
  - 177219156.exe (PID: 5464)
  - cp.exe (PID: 4608)
  - 313513996.exe (PID: 4236)
  - PrntScrnOfAMZOrderID.jpg.exe (PID: 4892)
  - hv.exe (PID: 7672)
  - jsc.exe (PID: 6572)
  - WatchDog.exe (PID: 7976)
  - AttributeString.exe (PID: 6300)
  - fw.exe (PID: 6084)
  - AttributeString.exe (PID: 3264)
  - data64_6.exe (PID: 5072)
  - loader.exe (PID: 6272)
  - InstallUtil.exe (PID: 6344)
  - InstallUtil.exe (PID: 7528)
  - rhsgn_protected.exe (PID: 7888)
  - ARA.exe (PID: 8132)
  - inst77player.exe (PID: 7776)
  - setup294.exe (PID: 7576)
  - Msblockreview.exe (PID: 7880)
  - ama.exe (PID: 6040)
  - kehu.exe (PID: 4896)
  - Utsysc.exe (PID: 7952)
  - 4c6358aa.exe (PID: 3872)
  - dw20.exe (PID: 1056)
  - buding.exe (PID: 7836)
  - build.exe (PID: 7200)
  - build6_unencrypted.exe (PID: 4144)
  - Payload.exe (PID: 1824)
  - jsc.exe (PID: 5452)
  - dvchost.exe (PID: 5620)
  - v4install.exe (PID: 4116)
  - ce0b953269c74bc.exe (PID: 3592)
  - RegAsm.exe (PID: 8036)
  - RegAsm.exe (PID: 6048)
  - server.exe (PID: 5544)
  - npp.8.6.2.Installer.x64.exe (PID: 7064)
  - 4w5G.exe (PID: 4400)
  - 4w5G.exe (PID: 6140)
  - vbc.exe (PID: 392)
  - r.exe (PID: 7840)
  - lumma123142124.exe (PID: 5360)
  - beacon_test.exe (PID: 6060)
  - 288c47bbc1871b439df19ff4df68f0776.exe (PID: 3172)
  - 1.exe (PID: 5880)
  - i.exe (PID: 4324)
  - 288c47bbc1871b439df19ff4df68f076.exe (PID: 4584)
  - look2.exe (PID: 6920)
  - agentServerComponent.exe (PID: 5192)
  - InstallSetup4.exe (PID: 5128)
  - reo.exe (PID: 3680)
  - HD_._cache_server.exe (PID: 6940)
  - IEUpdater70.exe (PID: 7232)
  - BroomSetup.exe (PID: 4240)
  - tpeinf.exe (PID: 4736)
  - patch.exe (PID: 6324)
  - lumma1234.exe (PID: 5364)
  - Synaptics.exe (PID: 7476)
  - Winlock.exe (PID: 4260)
  - InstallSetup8.exe (PID: 6264)
  - latestroc.exe (PID: 6520)
  - ._cache_server.exe (PID: 8076)
  - 31839b57a4f11171d6abc8bbc4451ee4.exe (PID: 6916)
  - ed.exe (PID: 1428)
  - crypted.exe (PID: 3588)
  - NINJA.exe (PID: 7100)
  - ghjk.exe (PID: 5372)
  - SystemUpdate.exe (PID: 8160)
  - cluton.exe (PID: 5336)
  - StealerClient_Sharp_1_4.exe (PID: 7596)
  - cluton.exe (PID: 6736)
  - amert.exe (PID: 6248)
  - DefenderControl.exe (PID: 6924)
  - hncc.exe (PID: 7688)
  - june.tmp (PID: 5744)
  - nsm2742.tmp (PID: 6484)
  - more.exe (PID: 5296)
  - empty.exe (PID: 1980)
  - PCclear_Eng_mini.exe (PID: 3116)
  - AK1.exe (PID: 4592)
  - empty.exe (PID: 2396)
  - empty.exe (PID: 4704)
  - toolmaxpartitionwizardbootable.exe (PID: 5536)
  - 32.exe (PID: 5328)
  - T1_Net.exe (PID: 7424)
  - net.exe (PID: 5776)
  - gookcom.exe (PID: 6156)
  - goldpricesup12.exe (PID: 8076)
  - 5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe (PID: 7428)
  - svchosl.exe (PID: 8092)
  - Temp1.exe (PID: 7976)
  - system.exe (PID: 4880)
  - jopacrypt.exe (PID: 6212)
  - ladas.exe (PID: 3992)
  - easy.exe (PID: 7664)
  - Helper.exe (PID: 6768)
  - Goldprime.exe (PID: 5000)
  - RegAsm.exe (PID: 6176)
  - _VTI_CNF.exe (PID: 6732)
  - syncUpd.exe (PID: 6520)
  - RegAsm.exe (PID: 5708)
  - ax.exe (PID: 2440)
  - socks5-clean.exe (PID: 2368)
  - pocketrar350sc.exe (PID: 6876)
  - costa.exe (PID: 4676)
  - fortnite3.exe (PID: 4968)
  - NBYS%20AH.NET.exe (PID: 764)
  - xzw.exe (PID: 6624)
  - l.exe (PID: 5000)
  - empty.exe (PID: 7888)
  - a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe (PID: 6044)
  - e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 5556)
  - 5-jd_mn.exe (PID: 5264)
  - dsdasda.exe (PID: 7028)
  - 5-jd_mn.exe (PID: 7804)
  - file.exe (PID: 2808)
  - %E4%BA%94%E5%91%B3%E4%BC%A0%E5%A5%87.exe (PID: 7656)
  - univ.exe (PID: 7160)
  - for.exe (PID: 4720)
  - win.exe (PID: 6008)
  - Suaeweq.exe (PID: 7116)
  - cayV0Deo9jSt417.exe (PID: 5812)
  - svchost.exe (PID: 6964)
  - EchoNavigator.exe (PID: 5948)
  - VLTKBacdau.exe (PID: 6592)
  - RegAsm.exe (PID: 4840)
  - Update_new.exe (PID: 6728)
  - csaff.exe (PID: 7572)
  - zara.exe (PID: 6616)
  - stub.exe (PID: 8264)
  - svchost.exe (PID: 8584)
  - Suaeweq.exe (PID: 8624)
  - more.exe (PID: 9084)
  - stub.exe (PID: 8704)
  - STAR.exe (PID: 9340)
  - bott.exe (PID: 9356)
  - system.exe (PID: 9000)
  - vbc.exe (PID: 9492)
  - EeVneYhUHXJTJhA2iMcq.exe (PID: 8216)
  - stub.exe (PID: 9472)
  - timeSync.exe (PID: 9764)
  - light.exe (PID: 4240)
  - dota.exe (PID: 4464)
  - stub.exe (PID: 8224)
  - stub.exe (PID: 4836)
  - Amadey.exe (PID: 8756)
  - qemu-ga.exe (PID: 5588)
  - _XKFlpw8lp76NqGHGAb4.exe (PID: 6652)
  - msedge.exe (PID: 9720)
  - msedge.exe (PID: 9876)
  - 321.exe (PID: 7332)
  - msedge.exe (PID: 8392)
  - dayroc.exe (PID: 9376)
  - images.exe (PID: 7536)
  - NancyMfg.exe (PID: 9220)
  - porn.exe (PID: 8528)
  - stub.exe (PID: 9556)
  - msedge.exe (PID: 8496)
  - msedge.exe (PID: 8888)
  - chrome.exe (PID: 8828)
  - msedge.exe (PID: 7800)
  - 15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe (PID: 7088)
  - chrome.exe (PID: 6772)
  - crypted_d786fd3e.exe (PID: 2420)
  - d21cbe21e38b385a41a68c5e6dd32f4c.exe (PID: 9168)
  - explorgu.exe (PID: 10072)
  - chrome.exe (PID: 2532)
  - stub.exe (PID: 2248)
  - 5d3e8177e87cc.exe (PID: 10028)
  - RetailerRise.exe (PID: 8908)
  - inte.exe (PID: 9972)
  - msedge.exe (PID: 9232)
  - bin.exe (PID: 7732)
  - stub.exe (PID: 8188)
  - msedge.exe (PID: 6984)
  - pxd.exe (PID: 9220)
  - firefox.exe (PID: 9740)
  - cluton.exe (PID: 3276)
  - Journal.exe (PID: 7276)
  - msedge.exe (PID: 8280)
  - firefox.exe (PID: 8224)
  - RegAsm.exe (PID: 5700)
  - explorgu.exe (PID: 8868)
  - msedge.exe (PID: 4900)
  - stub.exe (PID: 6424)
  - firefox.exe (PID: 6488)
  - M5traider.exe (PID: 9912)
  - DCRatBuild.exe (PID: 9148)
  - chrome.exe (PID: 10244)
  - chrome.exe (PID: 10412)
  - chrome.exe (PID: 6808)
  - chrome.exe (PID: 7552)
  - chrome.exe (PID: 10324)
  - stub.exe (PID: 10636)
  - chrome.exe (PID: 6812)
  - Horpxuoxm.exe (PID: 11364)
  - RegAsm.exe (PID: 11432)
  - explorgu.exe (PID: 10932)
  - stub.exe (PID: 11300)
- Checks supported languages
  - 4363463463464363463463463.exe (PID: 3660)
  - 4363463463464363463463463.exe (PID: 2896)
  - 4363463463464363463463463.exe (PID: 1656)
  - 4363463463464363463463463.exe (PID: 1112)
  - f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe (PID: 1340)
  - 4363463463464363463463463.exe (PID: 2504)
  - 4363463463464363463463463.exe (PID: 3224)
  - 4363463463464363463463463.exe (PID: 2660)
  - tidex_-_short_stuff.exe (PID: 3036)
  - f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe (PID: 3272)
  - Temp2.exe (PID: 1820)
  - 4363463463464363463463463.exe (PID: 572)
  - heaoyam78.exe (PID: 3252)
  - d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe (PID: 392)
  - 4363463463464363463463463.exe (PID: 3440)
  - 4363463463464363463463463.exe (PID: 3560)
  - 4363463463464363463463463.exe (PID: 4056)
  - chdyz.exe (PID: 3708)
  - 4363463463464363463463463.exe (PID: 2636)
  - d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe (PID: 2832)
  - 4363463463464363463463463.exe (PID: 3516)
  - asg.exe (PID: 2804)
  - 4363463463464363463463463.exe (PID: 3528)
  - 4363463463464363463463463.exe (PID: 3132)
  - 4363463463464363463463463.exe (PID: 2088)
  - 4363463463464363463463463.exe (PID: 3764)
  - SuburbansKamacite.exe (PID: 2960)
  - inst77player_1.0.0.1.exe (PID: 1928)
  - 4363463463464363463463463.exe (PID: 1736)
  - 4363463463464363463463463.exe (PID: 3768)
  - peinf.exe (PID: 3200)
  - 4363463463464363463463463.exe (PID: 4152)
  - 4363463463464363463463463.exe (PID: 1404)
  - 4363463463464363463463463.exe (PID: 4352)
  - Users.exe (PID: 4460)
  - dusers.exe (PID: 4388)
  - 4363463463464363463463463.exe (PID: 4536)
  - chcp.com (PID: 4608)
  - wmild.exe (PID: 4696)
  - baseline.exe (PID: 4708)
  - wmild.exe (PID: 4676)
  - Client.exe (PID: 4808)
  - Client.exe (PID: 4828)
  - plugins.exe (PID: 4876)
  - InstallSetup2.exe (PID: 4896)
  - lve.exe (PID: 5012)
  - Gsoymaq.exe (PID: 5028)
  - 60466831.exe (PID: 4920)
  - daissss.exe (PID: 4932)
  - Gsoymaq.exe (PID: 5056)
  - %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 5064)
  - 6.exe (PID: 5084)
  - sunset1.exe (PID: 5268)
  - PCSupport.exe (PID: 5280)
  - csc.exe (PID: 5288)
  - cvtres.exe (PID: 5316)
  - 7e207560.exe (PID: 5456)
  - 7e207560.exe (PID: 5476)
  - MartDrum.exe (PID: 5504)
  - 7e207560.exe (PID: 5448)
  - html.exe (PID: 5764)
  - Fighting.pif (PID: 5744)
  - 1234daisaaaaa.exe (PID: 5996)
  - pixxxxx.exe (PID: 5892)
  - new.exe (PID: 5676)
  - vbc.exe (PID: 5716)
  - ghjkl.exe (PID: 5816)
  - BBLb.exe (PID: 5884)
  - cp.exe (PID: 4608)
  - 26a53caa59be5c918cfee530cd39363f8a409033d6c8af51d8f8900aa67acf9a.exe (PID: 4840)
  - BBLb.exe (PID: 6128)
  - asdfg.exe (PID: 6140)
  - asdfg.exe (PID: 5696)
  - fu.exe (PID: 4128)
  - conhost.exe (PID: 968)
  - 177219156.exe (PID: 5464)
  - lve.exe (PID: 4336)
  - well.exe (PID: 2192)
  - miner.exe (PID: 6784)
  - native.exe (PID: 7468)
  - buildcosta.exe (PID: 8024)
  - native.exe (PID: 8072)
  - 2-3-1_2023-12-14_13-35.exe (PID: 5336)
  - 07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe (PID: 6168)
  - mode.com (PID: 5888)
  - lumma.exe (PID: 6284)
  - Windows.exe (PID: 4464)
  - winvnc.exe (PID: 7644)
  - InstallUtil.exe (PID: 2092)
  - 07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe (PID: 5560)
  - lumma.exe (PID: 8188)
  - 313513996.exe (PID: 4236)
  - buildcosta.exe (PID: 6568)
  - e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe (PID: 6280)
  - 1637428485.exe (PID: 7020)
  - e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe (PID: 6832)
  - 891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe (PID: 7668)
  - PrntScrnOfAMZOrderID.jpg.exe (PID: 6540)
  - PrntScrnOfAMZOrderID.jpg.exe (PID: 4892)
  - brg.exe (PID: 3996)
  - hv.exe (PID: 7672)
  - 897619190.exe (PID: 2508)
  - w-12.exe (PID: 7232)
  - WatchDog.exe (PID: 7976)
  - jsc.exe (PID: 6572)
  - AttributeString.exe (PID: 6300)
  - fw.exe (PID: 6084)
  - cs_maltest.exe (PID: 7612)
  - AttributeString.exe (PID: 3264)
  - data64_6.exe (PID: 5072)
  - InstallUtil.exe (PID: 6344)
  - InstallUtil.exe (PID: 7528)
  - 659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe (PID: 7132)
  - loader.exe (PID: 6272)
  - ARA.exe (PID: 8132)
  - rhsgn_protected.exe (PID: 7888)
  - setup294.exe (PID: 7576)
  - inst77player.exe (PID: 7776)
  - 2458719656.exe (PID: 2864)
  - ama.exe (PID: 6040)
  - buding.exe (PID: 7836)
  - Msblockreview.exe (PID: 7880)
  - kehu.exe (PID: 4896)
  - Utsysc.exe (PID: 7952)
  - Recorder.exe (PID: 6712)
  - Screensaver.exe (PID: 6152)
  - dvchost.exe (PID: 5620)
  - 4c6358aa.exe (PID: 3872)
  - Project_8.exe (PID: 7924)
  - build.exe (PID: 7200)
  - 3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe (PID: 6204)
  - %E5%A4%A9%E9%99%8D%E6%BF%80%E5%85%89%E7%82%AE-%E5%9B%BE%E5%83%8F%E7%95%8C%E9%9D%A2%E7%89%88.exe (PID: 6188)
  - dw20.exe (PID: 1056)
  - Payload.exe (PID: 1824)
  - 12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe (PID: 7888)
  - wmprph.exe (PID: 6820)
  - build6_unencrypted.exe (PID: 4144)
  - npp86Installerx64.exe (PID: 7664)
  - jsc.exe (PID: 5452)
  - 648b5vt13485v134322685vt.exe (PID: 6240)
  - v4install.exe (PID: 4116)
  - wmplayer.exe (PID: 4776)
  - 12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe (PID: 4736)
  - plug.exe (PID: 5584)
  - mode.com (PID: 5636)
  - RegAsm.exe (PID: 6048)
  - 3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe (PID: 5244)
  - ce0b953269c74bc.exe (PID: 3592)
  - PAETools.exe (PID: 5348)
  - server.exe (PID: 5544)
  - RegAsm.exe (PID: 8036)
  - 4w5G.exe (PID: 4400)
  - 4w5G.exe (PID: 6140)
  - i.exe (PID: 4324)
  - npp.8.6.2.Installer.x64.exe (PID: 7064)
  - r.exe (PID: 7840)
  - %40Natsu338_alice.exe (PID: 5168)
  - vbc.exe (PID: 392)
  - lumma123142124.exe (PID: 5360)
  - patch.exe (PID: 6324)
  - beacon_test.exe (PID: 6060)
  - Utsysc.exe (PID: 7796)
  - buildcosta.exe (PID: 8000)
  - smell-the-roses.exe (PID: 7588)
  - 1.exe (PID: 5880)
  - RegAsm.exe (PID: 4764)
  - ._cache_server.exe (PID: 8076)
  - osminogs.exe (PID: 3544)
  - 288c47bbc1871b439df19ff4df68f0776.exe (PID: 3172)
  - look2.exe (PID: 6920)
  - InstallSetup4.exe (PID: 5128)
  - 288c47bbc1871b439df19ff4df68f076.exe (PID: 4584)
  - agentServerComponent.exe (PID: 5192)
  - HD_._cache_server.exe (PID: 6940)
  - 1e3d458e7ef866069259cb3b13b761e46f6278c3fca69ca846baca650b4e0f72.exe (PID: 1056)
  - BroomSetup.exe (PID: 4240)
  - 1e3d458e7ef866069259cb3b13b761e46f6278c3fca69ca846baca650b4e0f72.exe (PID: 2812)
  - Winlock.exe (PID: 4260)
  - reo.exe (PID: 3680)
  - 75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd.exe (PID: 6960)
  - tpeinf.exe (PID: 4736)
  - IEUpdater70.exe (PID: 7232)
  - Synaptics.exe (PID: 7476)
  - RegAsm.exe (PID: 7048)
  - 129009574.exe (PID: 5868)
  - latestroc.exe (PID: 6520)
  - lumma1234.exe (PID: 5364)
  - toolspub1.exe (PID: 8016)
  - 31839b57a4f11171d6abc8bbc4451ee4.exe (PID: 6916)
  - InstallSetup8.exe (PID: 6264)
  - StealerClient_Cpp_1_4.exe (PID: 7616)
  - crypted.exe (PID: 3588)
  - %E6%9A%97%E5%B7%B7%E8%A7%86%E9%A2%91%E8%A7%A3%E6%9E%90%E5%8A%A9%E6%89%8B.exe (PID: 4020)
  - ed.exe (PID: 1428)
  - lux32.exe (PID: 3156)
  - NINJA.exe (PID: 7100)
  - ghjk.exe (PID: 5372)
  - ghjk.exe (PID: 1056)
  - SystemUpdate.exe (PID: 8160)
  - StealerClient_Sharp_1_4.exe (PID: 7596)
  - cluton.exe (PID: 5336)
  - cluton.exe (PID: 6736)
  - june.exe (PID: 3872)
  - june.tmp (PID: 5744)
  - AxCat.Top (PID: 7796)
  - pinguin.exe (PID: 7264)
  - DefenderControl.exe (PID: 6924)
  - amert.exe (PID: 6248)
  - nsm2742.tmp (PID: 6484)
  - hncc.exe (PID: 7688)
  - 590722974.exe (PID: 6416)
  - more.exe (PID: 5296)
  - PCclear_Eng_mini.exe (PID: 3116)
  - empty.exe (PID: 1980)
  - toolmaxpartitionwizardbootable.exe (PID: 5536)
  - AK1.exe (PID: 4592)
  - empty.exe (PID: 2396)
  - T1_Net.exe (PID: 7424)
  - 987123.exe (PID: 4052)
  - fileren.exe (PID: 5944)
  - toolmaxpartitionwizardbootable.exe (PID: 6112)
  - 2935318218.exe (PID: 7544)
  - toolspub1.exe (PID: 6632)
  - 32.exe (PID: 5328)
  - 2351816076.exe (PID: 1028)
  - empty.exe (PID: 4704)
  - net.exe (PID: 5776)
  - cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe (PID: 4768)
  - net.exe (PID: 4852)
  - gookcom.exe (PID: 6156)
  - 138208871.exe (PID: 6248)
  - chcp.com (PID: 8188)
  - Temp1.exe (PID: 7976)
  - ladas.exe (PID: 3992)
  - svchosl.exe (PID: 8092)
  - goldpricesup12.exe (PID: 8076)
  - 5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe (PID: 7428)
  - Utsysc.exe (PID: 2644)
  - buildcosta.exe (PID: 7232)
  - system.exe (PID: 4880)
  - jopacrypt.exe (PID: 6212)
  - qt51crk.exe (PID: 1420)
  - socks5-clean.exe (PID: 2368)
  - %E6%85%95%E8%AF%BE%E7%BD%91%E8%A7%86%E9%A2%91%E8%A7%A3%E6%9E%90%E5%B7%A5%E5%85%B7_2015.exe (PID: 2196)
  - a0538252234edd82661f55fea05df541c095a9f74368d8dca1582d797a1d084a.exe (PID: 6132)
  - _VTI_CNF.exe (PID: 6732)
  - RegAsm.exe (PID: 6176)
  - Helper.exe (PID: 6768)
  - ax.exe (PID: 2440)
  - a0538252234edd82661f55fea05df541c095a9f74368d8dca1582d797a1d084a.exe (PID: 6352)
  - adm_atu.exe (PID: 3196)
  - easy.exe (PID: 7664)
  - Goldprime.exe (PID: 5000)
  - syncUpd.exe (PID: 6520)
  - 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe (PID: 2420)
  - pocketrar350sc.exe (PID: 6876)
  - xzw.exe (PID: 6624)
  - RegAsm.exe (PID: 5708)
  - 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe (PID: 1988)
  - costa.exe (PID: 4676)
  - fortnite3.exe (PID: 4968)
  - NBYS%20AH.NET.exe (PID: 764)
  - %E4%BA%94%E5%91%B3%E4%BC%A0%E5%A5%87.exe (PID: 7656)
  - c42b27e42760a1e1812ef9db5f9abb3424c5f9fb5390b006b0a39f6b28cc259c.exe (PID: 3828)
  - a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe (PID: 6044)
  - l.exe (PID: 5000)
  - c42b27e42760a1e1812ef9db5f9abb3424c5f9fb5390b006b0a39f6b28cc259c.exe (PID: 6612)
  - dsdasda.exe (PID: 7028)
  - empty.exe (PID: 7888)
  - e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 5556)
  - 5-jd_mn.exe (PID: 5264)
  - hack1226.exe (PID: 4428)
  - 5-jd_mn.exe (PID: 7804)
  - file.exe (PID: 2808)
  - %EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe (PID: 6612)
  - for.exe (PID: 4720)
  - univ.exe (PID: 7160)
  - 15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe (PID: 7088)
  - csaff.exe (PID: 7572)
  - win.exe (PID: 6008)
  - zara.exe (PID: 6616)
  - Suaeweq.exe (PID: 7116)
  - svchost.exe (PID: 5232)
  - RegAsm.exe (PID: 4840)
  - stub.exe (PID: 6676)
  - cayV0Deo9jSt417.exe (PID: 5812)
  - Update_new.exe (PID: 6728)
  - VLTKBacdau.exe (PID: 6592)
  - EeVneYhUHXJTJhA2iMcq.exe (PID: 8216)
  - stub.exe (PID: 8264)
  - EchoNavigator.exe (PID: 5948)
  - svchost.exe (PID: 6964)
  - stub.exe (PID: 8552)
  - svchost.exe (PID: 8584)
  - svchost.exe (PID: 8576)
  - Suaeweq.exe (PID: 8624)
  - stub.exe (PID: 8704)
  - svchost.com (PID: 8764)
  - svchost.com (PID: 8848)
  - 901d3bacbe82db5382c4f653efb11d4784254b3ad727530c73ae327b734c1a4b.exe (PID: 8604)
  - svchost.com (PID: 8812)
  - svchost.com (PID: 8984)
  - buildcosta.exe (PID: 9028)
  - Utsysc.exe (PID: 9016)
  - svchost.com (PID: 8920)
  - RetailerRise.exe (PID: 8908)
  - system.exe (PID: 9000)
  - svchost.com (PID: 9140)
  - svchost.com (PID: 9172)
  - more.exe (PID: 9084)
  - c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe (PID: 2228)
  - stub.exe (PID: 9472)
  - svchost.com (PID: 9320)
  - STAR.exe (PID: 9340)
  - bott.exe (PID: 9356)
  - svchost.com (PID: 9548)
  - light.exe (PID: 4240)
  - svchost.com (PID: 9640)
  - vbc.exe (PID: 9492)
  - timeSync.exe (PID: 9764)
  - svchost.com (PID: 9844)
  - svchost.com (PID: 9752)
  - svchost.com (PID: 9780)
  - svchost.com (PID: 9908)
  - svchost.com (PID: 9984)
  - 83f32a3d2dc9e3d9903f395a20b8ddd74a1f35487c6dffd67d9d9a014961f9d0.exe (PID: 9916)
  - svchost.com (PID: 10020)
  - svchost.com (PID: 10028)
  - svchost.com (PID: 10084)
  - taskhost.exe (PID: 8664)
  - stub.exe (PID: 8224)
  - svchost.com (PID: 8244)
  - b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe (PID: 5388)
  - 23.exe (PID: 8580)
  - porn.exe (PID: 8528)
  - news_01.exe (PID: 8684)
  - svchost.com (PID: 7348)
  - dota.exe (PID: 4464)
  - svchost.com (PID: 3200)
  - Amadey.exe (PID: 8756)
  - svchost.com (PID: 2320)
  - svchost.com (PID: 6132)
  - DCRatBuild.exe (PID: 9148)
  - NancyMfg.exe (PID: 9220)
  - svchost.com (PID: 8456)
  - svchost.com (PID: 8352)
  - stub.exe (PID: 4836)
  - svchost.com (PID: 7196)
  - svchost.com (PID: 1412)
  - qemu-ga.exe (PID: 5588)
  - _XKFlpw8lp76NqGHGAb4.exe (PID: 6652)
  - msedge.exe (PID: 9876)
  - msedge.exe (PID: 9832)
  - svchost.com (PID: 6676)
  - stub.exe (PID: 9556)
  - msedge.exe (PID: 9720)
  - 321.exe (PID: 7332)
  - svchost.com (PID: 4512)
  - msedge.exe (PID: 8392)
  - svchost.com (PID: 8480)
  - images.exe (PID: 7536)
  - svchost.com (PID: 4404)
  - dayroc.exe (PID: 9376)
  - msedge.exe (PID: 8888)
  - svchost.com (PID: 10112)
  - svchost.com (PID: 8296)
  - msedge.exe (PID: 8496)
  - svchost.com (PID: 9320)
  - msedge.exe (PID: 8212)
  - svchost.com (PID: 4840)
  - svchost.com (PID: 6372)
  - msedge.exe (PID: 7800)
  - chrome.exe (PID: 8828)
  - svchost.com (PID: 10004)
  - svchost.com (PID: 9680)
  - svchost.com (PID: 4656)
  - radbxnzdxbd.exe (PID: 9748)
  - nine.exe (PID: 3392)
  - stub.exe (PID: 6244)
  - chrome.exe (PID: 7832)
  - svchost.com (PID: 5332)
  - svchost.exe (PID: 8164)
  - msedge.exe (PID: 4304)
  - svchost.com (PID: 6808)
  - explorgu.exe (PID: 10072)
  - crypted_d786fd3e.exe (PID: 2420)
  - svchost.com (PID: 9052)
  - chrome.exe (PID: 3828)
  - d21cbe21e38b385a41a68c5e6dd32f4c.exe (PID: 9168)
  - svchost.com (PID: 6512)
  - msedge.exe (PID: 9344)
  - stub.exe (PID: 2248)
  - chrome.exe (PID: 6772)
  - svchost.com (PID: 10148)
  - msedge.exe (PID: 2560)
  - chrome.exe (PID: 2532)
  - svchost.com (PID: 5140)
  - 5d3e8177e87cc.exe (PID: 10028)
  - svchost.com (PID: 9960)
  - inte.exe (PID: 9972)
  - chrome.exe (PID: 9228)
  - svchost.com (PID: 5696)
  - svchost.com (PID: 7196)
  - msedge.exe (PID: 6984)
  - pxd.exe (PID: 5380)
  - bin.exe (PID: 7732)
  - stub.exe (PID: 8188)
  - pxd.exe (PID: 9220)
  - msedge.exe (PID: 9232)
  - cluton.exe (PID: 3276)
  - firefox.exe (PID: 9740)
  - svchost.com (PID: 7076)
  - svchost.com (PID: 3448)
  - msedge.exe (PID: 4900)
  - msedge.exe (PID: 8280)
  - svchost.com (PID: 6716)
  - svchost.com (PID: 4112)
  - Journal.exe (PID: 7276)
  - firefox.exe (PID: 8224)
  - svchost.com (PID: 8404)
  - svchost.com (PID: 7828)
  - svchost.com (PID: 6480)
  - explorgu.exe (PID: 8868)
  - cluton.exe (PID: 7396)
  - StealerClient_Cpp_1_3_1.exe (PID: 6904)
  - firefox.exe (PID: 6488)
  - svchost.com (PID: 9104)
  - M5traider.exe (PID: 9912)
  - stub.exe (PID: 6424)
  - RegAsm.exe (PID: 5700)
  - svchost.com (PID: 2644)
  - chrome.exe (PID: 10244)
  - chrome.exe (PID: 6812)
  - chrome.exe (PID: 6808)
  - chrome.exe (PID: 7552)
  - chrome.exe (PID: 10412)
  - svchost.com (PID: 10608)
  - svchost.com (PID: 10628)
  - svchost.com (PID: 10340)
  - chrome.exe (PID: 10324)
  - chrome.exe (PID: 10420)
  - svchost.com (PID: 10996)
  - svchost.com (PID: 10964)
  - explorgu.exe (PID: 10932)
  - stub.exe (PID: 10636)
  - svchost.com (PID: 11252)
  - Horpxuoxm.exe (PID: 11364)
  - svchost.com (PID: 11392)
  - svchost.com (PID: 11404)
  - stub.exe (PID: 11300)
  - svchost.com (PID: 11376)
  - RegAsm.exe (PID: 11432)
  - svchost.com (PID: 11480)
  - svchost.com (PID: 11488)
  - HS_yNUj4kkl017kSMz41.exe (PID: 11520)
  - 2014-06-12_djylh.exe (PID: 11528)
- Reads Environment values
  - 4363463463464363463463463.exe (PID: 3660)
  - 4363463463464363463463463.exe (PID: 2896)
  - 4363463463464363463463463.exe (PID: 1656)
  - 4363463463464363463463463.exe (PID: 1112)
  - 4363463463464363463463463.exe (PID: 2504)
  - 4363463463464363463463463.exe (PID: 3224)
  - 4363463463464363463463463.exe (PID: 2660)
  - 4363463463464363463463463.exe (PID: 572)
  - 4363463463464363463463463.exe (PID: 3440)
  - 4363463463464363463463463.exe (PID: 3560)
  - 4363463463464363463463463.exe (PID: 4056)
  - Temp2.exe (PID: 1820)
  - 4363463463464363463463463.exe (PID: 2636)
  - 4363463463464363463463463.exe (PID: 3516)
  - chdyz.exe (PID: 3708)
  - 4363463463464363463463463.exe (PID: 3528)
  - 4363463463464363463463463.exe (PID: 3132)
  - 4363463463464363463463463.exe (PID: 2088)
  - 4363463463464363463463463.exe (PID: 3764)
  - 4363463463464363463463463.exe (PID: 1736)
  - asg.exe (PID: 2804)
  - 4363463463464363463463463.exe (PID: 3768)
  - 4363463463464363463463463.exe (PID: 1404)
  - 4363463463464363463463463.exe (PID: 4152)
  - 4363463463464363463463463.exe (PID: 4352)
  - 4363463463464363463463463.exe (PID: 4536)
  - 6.exe (PID: 5084)
  - %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 5064)
  - Client.exe (PID: 4828)
  - Windows.exe (PID: 4464)
  - miner.exe (PID: 6784)
  - data64_6.exe (PID: 5072)
  - Msblockreview.exe (PID: 7880)
  - InstallUtil.exe (PID: 2092)
  - jsc.exe (PID: 5452)
  - kehu.exe (PID: 4896)
  - RegAsm.exe (PID: 8036)
  - 4w5G.exe (PID: 6140)
  - npp.8.6.2.Installer.x64.exe (PID: 7064)
  - RegAsm.exe (PID: 6048)
  - agentServerComponent.exe (PID: 5192)
  - reo.exe (PID: 3680)
  - r.exe (PID: 7840)
  - RegAsm.exe (PID: 5708)
  - ladas.exe (PID: 3992)
  - Helper.exe (PID: 6768)
  - 5-jd_mn.exe (PID: 7804)
  - STAR.exe (PID: 9340)
  - bott.exe (PID: 9356)
  - Update_new.exe (PID: 6728)
  - RegAsm.exe (PID: 5700)
- Manual execution by a user
  - 4363463463464363463463463.exe (PID: 2896)
  - 4363463463464363463463463.exe (PID: 1836)
  - 4363463463464363463463463.exe (PID: 2960)
  - 4363463463464363463463463.exe (PID: 1656)
  - 4363463463464363463463463.exe (PID: 1112)
  - 4363463463464363463463463.exe (PID: 3912)
  - 4363463463464363463463463.exe (PID: 2592)
  - 4363463463464363463463463.exe (PID: 2504)
  - 4363463463464363463463463.exe (PID: 712)
  - 4363463463464363463463463.exe (PID: 3224)
  - 4363463463464363463463463.exe (PID: 3556)
  - 4363463463464363463463463.exe (PID: 2660)
  - 4363463463464363463463463.exe (PID: 2828)
  - 4363463463464363463463463.exe (PID: 572)
  - 4363463463464363463463463.exe (PID: 668)
  - 4363463463464363463463463.exe (PID: 3440)
  - 4363463463464363463463463.exe (PID: 3560)
  - 4363463463464363463463463.exe (PID: 4056)
  - 4363463463464363463463463.exe (PID: 2512)
  - 4363463463464363463463463.exe (PID: 292)
  - 4363463463464363463463463.exe (PID: 2636)
  - 4363463463464363463463463.exe (PID: 3972)
  - 4363463463464363463463463.exe (PID: 3516)
  - 4363463463464363463463463.exe (PID: 2580)
  - 4363463463464363463463463.exe (PID: 2324)
  - 4363463463464363463463463.exe (PID: 3528)
  - 4363463463464363463463463.exe (PID: 924)
  - 4363463463464363463463463.exe (PID: 3132)
  - 4363463463464363463463463.exe (PID: 1504)
  - 4363463463464363463463463.exe (PID: 2088)
  - 4363463463464363463463463.exe (PID: 292)
  - 4363463463464363463463463.exe (PID: 3764)
  - 4363463463464363463463463.exe (PID: 3952)
  - 4363463463464363463463463.exe (PID: 1736)
  - 4363463463464363463463463.exe (PID: 3444)
  - 4363463463464363463463463.exe (PID: 3768)
  - 4363463463464363463463463.exe (PID: 3744)
  - 4363463463464363463463463.exe (PID: 4116)
  - 4363463463464363463463463.exe (PID: 4152)
  - 4363463463464363463463463.exe (PID: 1404)
  - 4363463463464363463463463.exe (PID: 4316)
  - 4363463463464363463463463.exe (PID: 4352)
  - 4363463463464363463463463.exe (PID: 4496)
  - 4363463463464363463463463.exe (PID: 4536)
  - cmd.exe (PID: 5784)
  - msedge.exe (PID: 2192)
  - msedge.exe (PID: 6424)
  - firefox.exe (PID: 6488)
  - firefox.exe (PID: 6864)
  - firefox.exe (PID: 7316)
  - msedge.exe (PID: 6148)
  - jsc.exe (PID: 6572)
- Reads the software policy settings
  - 4363463463464363463463463.exe (PID: 2896)
  - 4363463463464363463463463.exe (PID: 3660)
  - 4363463463464363463463463.exe (PID: 1656)
  - 4363463463464363463463463.exe (PID: 2504)
  - 4363463463464363463463463.exe (PID: 1112)
  - 4363463463464363463463463.exe (PID: 3224)
  - 4363463463464363463463463.exe (PID: 2660)
  - 4363463463464363463463463.exe (PID: 572)
  - 4363463463464363463463463.exe (PID: 3440)
  - 4363463463464363463463463.exe (PID: 3560)
  - 4363463463464363463463463.exe (PID: 4056)
  - 4363463463464363463463463.exe (PID: 2636)
  - 4363463463464363463463463.exe (PID: 3516)
  - 4363463463464363463463463.exe (PID: 3528)
  - 4363463463464363463463463.exe (PID: 3132)
  - 4363463463464363463463463.exe (PID: 2088)
  - 4363463463464363463463463.exe (PID: 3764)
  - 4363463463464363463463463.exe (PID: 1736)
  - 4363463463464363463463463.exe (PID: 1404)
  - 4363463463464363463463463.exe (PID: 3768)
  - 4363463463464363463463463.exe (PID: 4152)
  - 4363463463464363463463463.exe (PID: 4352)
  - 4363463463464363463463463.exe (PID: 4536)
  - Client.exe (PID: 4828)
  - 7e207560.exe (PID: 5476)
  - InstallUtil.exe (PID: 2092)
  - data64_6.exe (PID: 5072)
  - build.exe (PID: 7200)
  - RegAsm.exe (PID: 6048)
  - r.exe (PID: 7840)
  - Winlock.exe (PID: 4260)
  - ladas.exe (PID: 3992)
  - zara.exe (PID: 6616)
  - dota.exe (PID: 4464)
  - Update_new.exe (PID: 6728)
  - RetailerRise.exe (PID: 8908)
  - Helper.exe (PID: 6768)
  - RegAsm.exe (PID: 5700)
- Create files in a temporary directory
  - 4363463463464363463463463.exe (PID: 1656)
  - inst77player_1.0.0.1.exe (PID: 1928)
  - peinf.exe (PID: 3200)
  - sunset1.exe (PID: 5268)
  - %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 5064)
  - cvtres.exe (PID: 5316)
  - csc.exe (PID: 5288)
  - MartDrum.exe (PID: 5504)
  - ghjkl.exe (PID: 5816)
  - 60466831.exe (PID: 4920)
  - conhost.exe (PID: 968)
  - plugins.exe (PID: 4876)
  - 177219156.exe (PID: 5464)
  - cp.exe (PID: 4608)
  - Fighting.pif (PID: 5744)
  - 313513996.exe (PID: 4236)
  - loader.exe (PID: 6272)
  - rhsgn_protected.exe (PID: 7888)
  - setup294.exe (PID: 7576)
  - buding.exe (PID: 7836)
  - ama.exe (PID: 6040)
  - Msblockreview.exe (PID: 7880)
  - dvchost.exe (PID: 5620)
  - miner.exe (PID: 6784)
  - npp86Installerx64.exe (PID: 7664)
  - Project_8.exe (PID: 7924)
  - jsc.exe (PID: 5452)
  - RegAsm.exe (PID: 6048)
  - 288c47bbc1871b439df19ff4df68f0776.exe (PID: 3172)
  - smell-the-roses.exe (PID: 7588)
  - ._cache_server.exe (PID: 8076)
  - InstallSetup4.exe (PID: 5128)
  - Winlock.exe (PID: 4260)
  - tpeinf.exe (PID: 4736)
  - latestroc.exe (PID: 6520)
  - NINJA.exe (PID: 7100)
  - cluton.exe (PID: 5336)
  - june.exe (PID: 3872)
  - june.tmp (PID: 5744)
  - Synaptics.exe (PID: 7476)
  - DefenderControl.exe (PID: 6924)
  - amert.exe (PID: 6248)
  - 5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe (PID: 7428)
  - adm_atu.exe (PID: 3196)
  - ladas.exe (PID: 3992)
  - pocketrar350sc.exe (PID: 6876)
  - socks5-clean.exe (PID: 2368)
  - costa.exe (PID: 4676)
  - more.exe (PID: 5296)
  - l.exe (PID: 5000)
  - stub.exe (PID: 8264)
  - zara.exe (PID: 6616)
  - EchoNavigator.exe (PID: 5948)
  - STAR.exe (PID: 9340)
  - porn.exe (PID: 8528)
  - more.exe (PID: 9084)
  - dayroc.exe (PID: 9376)
  - NancyMfg.exe (PID: 9220)
  - dota.exe (PID: 4464)
  - pxd.exe (PID: 5380)
  - bin.exe (PID: 7732)
  - pxd.exe (PID: 9220)
  - cluton.exe (PID: 3276)
  - firefox.exe (PID: 9740)
  - Amadey.exe (PID: 8756)
- Creates files or folders in the user directory
  - asg.exe (PID: 2804)
  - peinf.exe (PID: 3200)
  - Users.exe (PID: 4460)
  - PCSupport.exe (PID: 5280)
  - Fighting.pif (PID: 5744)
  - dllhost.exe (PID: 4660)
  - 60466831.exe (PID: 4920)
  - BBLb.exe (PID: 5884)
  - inst77player_1.0.0.1.exe (PID: 1928)
  - InstallUtil.exe (PID: 2092)
  - PrntScrnOfAMZOrderID.jpg.exe (PID: 4892)
  - 313513996.exe (PID: 4236)
  - ARA.exe (PID: 8132)
  - build.exe (PID: 7200)
  - v4install.exe (PID: 4116)
  - dialer.exe (PID: 5624)
  - RegAsm.exe (PID: 6048)
  - r.exe (PID: 7840)
  - reo.exe (PID: 3680)
  - tpeinf.exe (PID: 4736)
  - InstallSetup4.exe (PID: 5128)
  - Winlock.exe (PID: 4260)
  - NINJA.exe (PID: 7100)
  - cluton.exe (PID: 6736)
  - 177219156.exe (PID: 5464)
  - june.tmp (PID: 5744)
  - BroomSetup.exe (PID: 4240)
  - ladas.exe (PID: 3992)
  - ax.exe (PID: 2440)
  - more.exe (PID: 5296)
  - Helper.exe (PID: 6768)
  - dialer.exe (PID: 5180)
  - _VTI_CNF.exe (PID: 6732)
  - univ.exe (PID: 7160)
  - clip.exe (PID: 8272)
  - RegAsm.exe (PID: 4840)
  - more.exe (PID: 9084)
  - msedge.exe (PID: 8392)
  - msedge.exe (PID: 9876)
  - msedge.exe (PID: 8496)
  - inte.exe (PID: 9972)
  - chrome.exe (PID: 6772)
  - chrome.exe (PID: 8828)
  - chrome.exe (PID: 2532)
  - firefox.exe (PID: 9740)
- Checks proxy server information
  - peinf.exe (PID: 3200)
  - baseline.exe (PID: 4708)
  - 60466831.exe (PID: 4920)
  - 7e207560.exe (PID: 5448)
  - 7e207560.exe (PID: 5476)
  - buildcosta.exe (PID: 8024)
  - InstallUtil.exe (PID: 2092)
  - 2-3-1_2023-12-14_13-35.exe (PID: 5336)
  - 177219156.exe (PID: 5464)
  - 313513996.exe (PID: 4236)
  - fw.exe (PID: 6084)
  - inst77player.exe (PID: 7776)
  - Utsysc.exe (PID: 7952)
  - buding.exe (PID: 7836)
  - build.exe (PID: 7200)
  - Payload.exe (PID: 1824)
  - 4w5G.exe (PID: 6140)
  - r.exe (PID: 7840)
  - beacon_test.exe (PID: 6060)
  - tpeinf.exe (PID: 4736)
  - InstallSetup4.exe (PID: 5128)
  - Winlock.exe (PID: 4260)
  - nsm2742.tmp (PID: 6484)
  - PCclear_Eng_mini.exe (PID: 3116)
  - syncUpd.exe (PID: 6520)
  - pocketrar350sc.exe (PID: 6876)
  - fortnite3.exe (PID: 4968)
  - xzw.exe (PID: 6624)
  - ladas.exe (PID: 3992)
  - 5-jd_mn.exe (PID: 7804)
  - _VTI_CNF.exe (PID: 6732)
  - univ.exe (PID: 7160)
  - Suaeweq.exe (PID: 7116)
  - Suaeweq.exe (PID: 8624)
  - timeSync.exe (PID: 9764)
  - inte.exe (PID: 9972)
  - svchosl.exe (PID: 8092)
  - Journal.exe (PID: 7276)
  - pxd.exe (PID: 9220)
- Creates files in the program directory
  - lve.exe (PID: 5012)
  - %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 5064)
  - 7e207560.exe (PID: 5448)
  - sunset1.exe (PID: 5268)
  - 7e207560.exe (PID: 5476)
  - rundll32.exe (PID: 5584)
  - inst77player_1.0.0.1.exe (PID: 1928)
  - Msblockreview.exe (PID: 7880)
  - dw20.exe (PID: 1056)
  - RegAsm.exe (PID: 6048)
  - server.exe (PID: 5544)
  - toolmaxpartitionwizardbootable.exe (PID: 5536)
  - ladas.exe (PID: 3992)
  - xzw.exe (PID: 6624)
  - win.exe (PID: 6008)
  - toolmaxpartitionwizardbootable.exe (PID: 6112)
- Reads product name
  - 6.exe (PID: 5084)
  - Msblockreview.exe (PID: 7880)
  - InstallUtil.exe (PID: 2092)
  - kehu.exe (PID: 4896)
  - jsc.exe (PID: 5452)
  - RegAsm.exe (PID: 8036)
  - 4w5G.exe (PID: 6140)
  - RegAsm.exe (PID: 6048)
  - agentServerComponent.exe (PID: 5192)
  - r.exe (PID: 7840)
  - RegAsm.exe (PID: 5708)
  - ladas.exe (PID: 3992)
  - 5-jd_mn.exe (PID: 7804)
  - STAR.exe (PID: 9340)
  - bott.exe (PID: 9356)
- Reads CPU info
  - lve.exe (PID: 5012)
  - RegAsm.exe (PID: 6048)
  - HD_._cache_server.exe (PID: 6940)
  - 32.exe (PID: 5328)
  - ladas.exe (PID: 3992)
  - xzw.exe (PID: 6624)
  - firefox.exe (PID: 9740)
  - firefox.exe (PID: 8224)
  - firefox.exe (PID: 6488)
- Process checks computer location settings
  - 7e207560.exe (PID: 5476)
  - msedge.exe (PID: 8392)
  - msedge.exe (PID: 9876)
  - msedge.exe (PID: 8496)
- Reads mouse settings
  - Fighting.pif (PID: 5744)
  - fu.exe (PID: 4128)
  - well.exe (PID: 2192)
  - NINJA.exe (PID: 7100)
  - DefenderControl.exe (PID: 6924)
  - system.exe (PID: 4880)
  - EeVneYhUHXJTJhA2iMcq.exe (PID: 8216)
  - system.exe (PID: 9000)
- Application launched itself
  - msedge.exe (PID: 5824)
  - msedge.exe (PID: 2192)
  - msedge.exe (PID: 4144)
  - msedge.exe (PID: 6100)
  - msedge.exe (PID: 5812)
  - msedge.exe (PID: 5908)
  - msedge.exe (PID: 6084)
  - msedge.exe (PID: 6024)
  - chrome.exe (PID: 5288)
  - msedge.exe (PID: 5924)
  - chrome.exe (PID: 2408)
  - chrome.exe (PID: 4248)
  - firefox.exe (PID: 6488)
  - msedge.exe (PID: 6424)
  - firefox.exe (PID: 7316)
  - chrome.exe (PID: 6968)
  - msedge.exe (PID: 6148)
  - firefox.exe (PID: 6808)
  - firefox.exe (PID: 6864)
  - firefox.exe (PID: 7456)
  - msedge.exe (PID: 9584)
  - msedge.exe (PID: 9932)
  - msedge.exe (PID: 5932)
  - msedge.exe (PID: 8696)
- Drops the executable file immediately after the start
  - dllhost.exe (PID: 4660)
  - svchost.exe (PID: 6660)
  - dialer.exe (PID: 5624)
  - dialer.exe (PID: 5180)
  - clip.exe (PID: 8272)
- Process checks whether UAC notifications are on
  - InstallSetup2.exe (PID: 4896)
  - miner.exe (PID: 6784)
  - Update_new.exe (PID: 6728)
  - RetailerRise.exe (PID: 8908)
- Reads the Internet Settings
  - explorer.exe (PID: 2112)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 2112)
  - control.exe (PID: 5840)
  - clip.exe (PID: 8272)
- Creates a software uninstall entry
  - june.tmp (PID: 5744)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Remcos

(PID) Process(5084) 6.exe

C2 (9)hendersonk1.hopto.org:2404

henderson1.camdvr.org:2404

centplus1.serveftp.com:2404

harrywlike.ddns.net:2404

genekol.nsupdate.info:2404

harrywlike1.ddns.net:2404

hendersonk2022.hopto.org:2404

genekol1.nsupdate.info:2404

generem.camdvr.org:2404

BotnetRemoteHost

Options

Connect_interval1

Install_flagFalse

Install_HKLM\Explorer\Run1

Install_HKLM\Winlogon\ShellGY99V

Setup_path%APPDATA%

Copy_filesonic.exe

Startup_valuefuckuuuuu

Hide_fileFalse

Mutex_namegsgjdwg-1J0WWM

Keylog_flag1

Keylog_path%APPDATA%

Keylog_filelogs.dat

Keylog_cryptFalse

Hide_keylogTrue

Screenshot_flagFalse

Screenshot_time5

Take_ScreenshotFalse

Screenshot_namenotepad;solitaire;

Screenshot_path%APPDATA%

Screenshot_fileScreenshots

Screenshot_cryptFalse

Mouse_optionFalse

Delete_fileFalse

Audio_record_time5

Audio_path%APPDATA%

Audio_dirMicRecords

Connect_delay0

Copy_diryakkk

Keylog_dirchrome

Max_keylog_file20000

RedLine

(PID) Process(5716) vbc.exe

C2 (2)chardhesha.xyz:81

jalocliche.xyz:81

Botneteasy11211

Options

ErrorMessage

Keys

XorScleral

(PID) Process(4896) kehu.exe

C2 (1)156.251.19.27:20399

Botnet202424

Options

ErrorMessage

Keys

XorArchest

AsyncRat

(PID) Process(6572) jsc.exe

C2 (1)leetman.dynuddns.com

Ports (1)1337

BotnetLoad_Man

Version| Edit 3LOSH RAT

Options

AutoRunfalse

MutexAsyncMutex_6SI8asdasd2casOkPnk

InstallFolder%AppData%

BSoDfalse

AntiVMfalse

Certificates

Cert1MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGva...

Server_SignatureIbuNhUBHIZ1xEnw2W+T0ktoQBPdl2eN+bFbGaSHnaXQWdBpXBtFcIPy9Kvo76G+Bqot+Mhbmdi45iMXnMd/XtW6hGIYpm1b65Yu9aW89anhCDFxtvTtQRtStn+mEI4HyLyQ/jEWSFx3J4uWsqaYt6M+nvgmrQd92SvWtxYC4AJ39P922sacmFLSsAsiSPJzJL4w3h+xlDMy6z6hQ9AASDqgU6h3bTNcR5v4xdNZyL0zg8dZzseqPd7WHqbIUXp2jf0UV01UrQWDnisTbZw52CbUDPjUOBD1GaOSf220w3MsM...

Keys

AES0ddff9ba1c73ebea6f3d16e8d8ccf4ed931b5562a16813d6bd25abaa5389e284

Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

(PID) Process(3680) reo.exe

C2 (1)82.115.223.244

Ports (1)4449

BotnetDefault

VersionVenom RAT + HVNC + Stealer + Grabber v6.0.3

Options

AutoRunfalse

Mutexfnpxcekdvtg

InstallFolder%AppData%

BSoDfalse

AntiVMfalse

Certificates

Cert1MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcN...

Server_SignatureR5JBH2qOF7T5fwa7g4eE4qJ0CTWyADGjVvVqEpZLxqOz7ijIknIV9ddo6ba7ZkTKoBhHhGTgyJ6VkPBFfLs2Z002xZYx/yjole+Ba20yb0ZFTo0rvIGTC2W07sVYXYuBPDufInu02QMD/V3ZMybsQNohmDOnbjhQMcN3WkLsCWY=

Keys

AES3a20c7b13b8c19efdcfc7fdc4d6ed716151cf871d53115133cc297be7f298f08

SaltVenomRATByVenom

Arkei

(PID) Process(7200) build.exe

C2 (1)https://t.me/deadftx

Strings (31)46"-vli

2>SR'

IF6FU5*

CQHBTE'#K

TG;4NC

^!onp?

ikj

=ecd"

w=!{tzn

JLXAB

cF2RY\^NH

uibydg

0qz-myG@

c48e{vejsfCo

R0/^5#!9LWP*U?GA2

3WQ98F8WRA'10/I\?

HU%QQ2DK\Y1]!3FV9

>+=OF_V]EO!#5U+

pdb<-\

\% lj3E$

N*JWA1

> ZH@V

"E0@Q1\_OSM]$

DU\ACTQZ*

1D<_ZEMMVEV

-EXH-U@:

eD3U69$NCBTE<

UDJT*SMX)4

K YC-/B4A-:

FDRPQ

^VYGWU

XWorm

(PID) Process(4144) build6_unencrypted.exe

C2163.5.215.245:9049

Keys

AESNk227ETNaBDg!

Options

Splitter<Agent>

USB drop name

Mutexr3SLo8kx59hai6gX

MetaStealer

(PID) Process(8036) RegAsm.exe

C2 (1)94.103.94.25:13581

Options

ErrorMessage

(PID) Process(392) vbc.exe

C2 (1)5.42.65.101:48790

Botnet1006580135-26990097-alice

Options

ErrorMessage

Keys

XorPyrometry

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:12:22 08:29:10+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	80
CodeSize:	5632
InitializedDataSize:	4608
UninitializedDataSize:	-
EntryPoint:	0x3552
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	0.0.0.0
InternalName:	4363463463464363463463463.exe
LegalCopyright:
OriginalFileName:	4363463463464363463463463.exe
ProductVersion:	0.0.0.0
AssemblyVersion:	0.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

1 096

Monitored processes

817

Malicious processes

210

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

124

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1572 --field-trial-handle=1244,i,13418507892519645740,5026939748068687425,131072 /prefetch:3

C:\Program Files\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

109.0.1518.115

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

292

"C:\Users\admin\Desktop\4363463463464363463463463.exe"

C:\Users\admin\Desktop\4363463463464363463463463.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

3221226540

Version:

0.0.0.0

Modules

Images
c:\users\admin\desktop\4363463463464363463463463.exe
c:\windows\system32\ntdll.dll

292

"C:\Users\admin\Desktop\4363463463464363463463463.exe"

C:\Users\admin\Desktop\4363463463464363463463463.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

3221226540

Version:

0.0.0.0

Modules

Images
c:\users\admin\desktop\4363463463464363463463463.exe
c:\windows\system32\ntdll.dll

392

"C:\Users\admin\Desktop\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe"

C:\Users\admin\Desktop\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe

—

4363463463464363463463463.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

392

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

%40Natsu338_alice.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Visual Basic Command Line Compiler

Exit code:

Version:

14.8.3761.0

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

MetaStealer

(PID) Process(392) vbc.exe

C2 (1)5.42.65.101:48790

Botnet1006580135-26990097-alice

Options

ErrorMessage

Keys

XorPyrometry

572

"C:\Users\admin\Desktop\4363463463464363463463463.exe"

C:\Users\admin\Desktop\4363463463464363463463463.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

Exit code:

Version:

0.0.0.0

Modules

Images
c:\users\admin\desktop\4363463463464363463463463.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

668

"C:\Users\admin\Desktop\4363463463464363463463463.exe"

C:\Users\admin\Desktop\4363463463464363463463463.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

3221226540

Version:

0.0.0.0

Modules

Images
c:\users\admin\desktop\4363463463464363463463463.exe
c:\windows\system32\ntdll.dll

712

"C:\Users\admin\Desktop\4363463463464363463463463.exe"

C:\Users\admin\Desktop\4363463463464363463463463.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

3221226540

Version:

0.0.0.0

Modules

Images
c:\users\admin\desktop\4363463463464363463463463.exe
c:\windows\system32\ntdll.dll

764

"C:\Users\admin\Desktop\Files\NBYS%20AH.NET.exe"

C:\Users\admin\Desktop\Files\NBYS%20AH.NET.exe

4363463463464363463463463.exe

User:

admin

Company:

Uludağ Bilişim Yazılım Departmanı

Integrity Level:

HIGH

Description:

NBYS® Aile Hekimliği

Exit code:

Version:

1.0.5.36

Modules

Images
c:\users\admin\desktop\files\nbys%20ah.net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

924

"C:\Users\admin\Desktop\4363463463464363463463463.exe"

C:\Users\admin\Desktop\4363463463464363463463463.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

3221226540

Version:

0.0.0.0

Modules

Images
c:\users\admin\desktop\4363463463464363463463463.exe
c:\windows\system32\ntdll.dll

Add for printing

Total events

562 264

Read events

558 126

Write events

3 664

Delete events

474

Modification events


(PID) Process:	(3660) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(3660) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(3660) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(3660) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(3660) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(3660) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(3660) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(3660) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(3660) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASMANCS
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(3660) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASMANCS
Operation:	write	Name:	ConsoleTracingMask
Value:

Add for printing

Executable files

1 209

Suspicious files

301

Text files

357

Unknown types

293

Dropped files

PID	Process	Filename		Type
2504	4363463463464363463463463.exe	C:\Users\admin\Desktop\Files\tidex_-_short_stuff.exe		executable
		MD5:674D01A41B61E42F0B7761712261E5DC	SHA256:3142397BA09A68329F93013AEEE8EA89C84C01A4E6F337502D8F13F8DA74660F
2660	4363463463464363463463463.exe	C:\Users\admin\Desktop\Files\Temp2.exe		executable
		MD5:5EBE890F034F15D9500328551B76A01E	SHA256:3588657707CD5B04586693C6600BE0159B321B258F48953F824FAA876F6B8566
2896	4363463463464363463463463.exe	C:\Users\admin\Desktop\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe		executable
		MD5:8E34D5CF7E39F355CDAA0A9BA0533901	SHA256:F4438ED05971A15D70C9683DC9E1A55C583EA8C61039E9E85EB391CA6E3FA0AE
2504	4363463463464363463463463.exe	C:\Users\admin\Desktop\Files\installer.exe		executable
		MD5:35F8F2EAFED24B3A8EB9C20052C5363F	SHA256:CF4EA810CEB42145982FAD4073F906AE5EC6FC8F23DEDB223029452AFC68496A
3128	ntvdm.exe	C:\Users\admin\AppData\Local\Temp\scs1DF4.tmp		text
		MD5:4C361DEA398F7AEEF49953BDC0AB4A9B	SHA256:06D61C23E6CA59B9DDAD1796ECCC42C032CD8F6F424AF6CFEE5D085D36FF7DFD
3128	ntvdm.exe	C:\Users\admin\AppData\Local\Temp\scs1DE3.tmp		text
		MD5:8CF6DDB5AA59B49F34B967CD46F013B6	SHA256:EE06792197C3E025B84860A72460EAF628C66637685F8C52C5A08A9CC35D376C
1656	4363463463464363463463463.exe	C:\Users\admin\AppData\Local\Temp\Cab23DE.tmp		compressed
		MD5:AC05D27423A85ADC1622C714F2CB6184	SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
2896	4363463463464363463463463.exe	C:\Users\admin\Desktop\Files\heaoyam78.exe		executable
		MD5:48761F8B0576E7BED627120FF51B4863	SHA256:CC499FFFBAB36B8CF303FA4F9BC26799497C0DFA94EB71EF1480BA774D71637A
1656	4363463463464363463463463.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506		compressed
		MD5:AC05D27423A85ADC1622C714F2CB6184	SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
1656	4363463463464363463463463.exe	C:\Users\admin\AppData\Local\Temp\Tar23DF.tmp		cat
		MD5:9C0C641C06238516F27941AA1166D427	SHA256:4276AF3669A141A59388BC56A87F6614D9A9BDDDF560636C264219A7EB11256F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

271

TCP/UDP connections

1 370

DNS requests

346

Threats

1 193

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3660	4363463463464363463463463.exe	GET	—	156.38.232.50:5030	http://156.38.232.50:5030/downloads/installer.exe	unknown	—	—	unknown
2504	4363463463464363463463463.exe	GET	200	88.212.202.2:80	http://websound.ru/issues/151_155/tidex_-_short_stuff.exe	unknown	executable	14.0 Kb	unknown
1112	4363463463464363463463463.exe	GET	200	47.110.247.171:80	http://47.110.247.171/chdyz/chdyz.exe	unknown	executable	1.00 Mb	unknown
1656	4363463463464363463463463.exe	GET	200	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?663998b41945c375	unknown	compressed	65.2 Kb	unknown
1820	Temp2.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/	unknown	binary	293 b	unknown
2896	4363463463464363463463463.exe	GET	200	194.4.49.187:80	http://194.4.49.187/fire/discord.exe	unknown	executable	816 Kb	unknown
3708	chdyz.exe	POST	200	47.110.247.171:80	http://47.110.247.171/login/verup.php	unknown	binary	1 b	unknown
4056	4363463463464363463463463.exe	GET	200	185.172.128.154:80	http://185.172.128.154/hv.exe	unknown	executable	5.45 Mb	unknown
3708	chdyz.exe	POST	200	47.110.247.171:80	http://47.110.247.171/login/login.php	unknown	text	9.23 Kb	unknown
2896	4363463463464363463463463.exe	GET	200	104.192.108.21:80	http://softdl.360tpcdn.com/inst77player/inst77player_1.0.0.1.exe	unknown	executable	281 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3660	4363463463464363463463463.exe	151.101.2.49:443	urlhaus.abuse.ch	FASTLY	US	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
3660	4363463463464363463463463.exe	156.38.232.50:5030	—	xneelo	ZA	unknown
2896	4363463463464363463463463.exe	151.101.2.49:443	urlhaus.abuse.ch	FASTLY	US	unknown
2896	4363463463464363463463463.exe	140.82.121.3:443	github.com	GITHUB	US	unknown
1656	4363463463464363463463463.exe	151.101.2.49:443	urlhaus.abuse.ch	FASTLY	US	unknown
2896	4363463463464363463463463.exe	185.199.110.133:443	raw.githubusercontent.com	FASTLY	US	unknown
1656	4363463463464363463463463.exe	209.203.48.58:443	fetchdesignprint.co.za	Vox-Telecom	ZA	unknown

DNS requests

Domain	IP	Reputation
urlhaus.abuse.ch	185.88.60.242 151.101.2.49 151.101.66.49 151.101.130.49 151.101.194.49	whitelisted
github.com	140.82.121.3 140.82.121.4	shared
raw.githubusercontent.com	185.199.110.133 185.199.108.133 185.199.109.133 185.199.111.133	shared
fetchdesignprint.co.za	209.203.48.58	unknown
websound.ru	88.212.202.2	malicious
youronestophalalshop.com	192.124.249.175	malicious
ctldl.windowsupdate.com	93.184.221.240	whitelisted
softdl.360tpcdn.com	104.192.108.21 104.192.108.17 104.192.108.20	unknown
bitbucket.org	104.192.141.1	shared
bbuseruploads.s3.amazonaws.com	52.216.220.9 3.5.27.139 52.216.49.57 52.217.227.193 52.216.61.209 52.216.179.115 52.217.195.73 52.216.27.68 3.5.24.104 52.217.118.65 3.5.25.88 3.5.0.160 52.216.93.139 16.182.69.9 16.182.72.177 54.231.193.153 52.216.38.121 54.231.196.177 3.5.20.133 52.216.250.12 54.231.162.9 3.5.9.171 52.217.121.65 52.217.196.65 54.231.225.193 52.217.43.124 52.216.40.105 52.217.114.105 52.217.123.177 3.5.29.217 52.217.89.84 3.5.20.136 16.182.65.153 52.216.39.1 52.217.229.49 52.216.219.249 52.217.33.196 54.231.133.177 52.216.9.219 3.5.19.210 52.217.164.57 3.5.6.127 52.216.57.73 52.217.163.33 52.216.222.41 52.216.170.131 52.216.43.225 52.217.168.137 52.217.112.201 16.182.64.41 3.5.8.118 52.217.118.193 52.216.28.84 52.217.32.132 52.216.248.60 3.5.28.221	shared

Threats

PID	Process	Class	Message
3660	4363463463464363463463463.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
3660	4363463463464363463463463.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
1112	4363463463464363463463463.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
1112	4363463463464363463463463.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2504	4363463463464363463463463.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
2504	4363463463464363463463463.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
2504	4363463463464363463463463.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2504	4363463463464363463463463.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2504	4363463463464363463463463.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
2504	4363463463464363463463463.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

95 ETPRO signatures available at the full report

Add for printing

Process	Message
4363463463464363463463463.exe	The specified executable is not a valid application for this OS platform.
4363463463464363463463463.exe	The specified executable is not a valid application for this OS platform.
4363463463464363463463463.exe	The specified executable is not a valid application for this OS platform.
4363463463464363463463463.exe	The specified executable is not a valid application for this OS platform.
4363463463464363463463463.exe	The specified executable is not a valid application for this OS platform.
2-3-1_2023-12-14_13-35.exe	tw0xu14w8
4363463463464363463463463.exe	The specified executable is not a valid application for this OS platform.
2-3-1_2023-12-14_13-35.exe	t1f98jrxw
2-3-1_2023-12-14_13-35.exe	tabqa92dv
2-3-1_2023-12-14_13-35.exe	tgwabdohg

General Info

4363463463464363463463463.exe

2A94F3960C58C6E70826495F76D00B85

E2A1A5641295F5EBF01A37AC1C170AC0814BB71A

2FCAD226B17131DA4274E1B9F8F31359BDD325C9568665F08FD1F6C5D06A23CE

192:2we8sGKE6MqyG7c20L7BIW12n/ePSmzkTInu8stYcFwVc03KY:9e8sGKfMqyGg20PKn/cRaInuptYcFwVY

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Actions looks like stealing of personal data

HAUSBOMBER has been detected (YARA)

Creates a writable file in the system directory

Uses Task Scheduler to autorun other applications

Changes the autorun value in the registry

Remcos is detected

Changes Security Center notification settings

Starts Visual C# compiler

Deletes the SafeBoot registry key

Antivirus name has been found in the command line (generic signature)

Create files in the Startup directory

REDLINE has been detected (YARA)

PURPLEFOX has been detected (SURICATA)

Connects to the CnC server

REMCOS has been detected (SURICATA)

KELIHOS has been detected (SURICATA)

Adds path to the Windows Defender exclusion list

PHORPIEX has been detected (SURICATA)

UAC/LUA settings modification

Bypass execution policy to execute commands

Run PowerShell with an invisible window

Amadey has been detected

AMMYY has been detected (SURICATA)

Adds process to the Windows Defender exclusion list

Raccoon mutex has been detected

Steals credentials

QUASAR has been detected (YARA)

ASYNCRAT has been detected (MUTEX)

RHADAMANTHYS has been detected (SURICATA)

Uses sleep, probably for evasion detection (SCRIPT)

AMADEY has been detected (SURICATA)

RACCOON has been detected (SURICATA)

Changes powershell execution policy (Bypass)

REDLINE has been detected (SURICATA)

Steals credentials from Web Browsers

ARECHCLIENT2 has been detected (SURICATA)

RISEPRO has been detected (SURICATA)

DcRAT is detected

AZORULT has been detected (SURICATA)

RISEPRO has been detected (YARA)

REMCOS has been detected (YARA)

NITOL has been detected (YARA)

XWORM has been detected (SURICATA)

ASYNCRAT has been detected (YARA)

GH0ST has been detected (SURICATA)

ARKEI has been detected (YARA)

Changes the login/logoff helper path in the registry

Disables the Run the Start menu

Lokibot is detected

XWORM has been detected (YARA)

METASTEALER has been detected (YARA)

VIDAR has been detected (YARA)

Unusual connection from system programs

Creates or modifies Windows services

STEALC has been detected (SURICATA)

Modify registry editing tools (regedit)

Task Manager has been disabled (taskmgr)

BANLOAD has been detected (SURICATA)

Starts CMD.EXE for self-deleting

GH0STCRINGE has been detected (SURICATA)

The DLL Hijacking

GCLEANER has been detected (SURICATA)

SUSPICIOUS

Adds/modifies Windows certificates

Reads the Internet Settings

Connects to unusual port

Reads settings of System Certificates

Process requests binary or script from the Internet