Malware analysis 4363463463464363463463463.exe Malicious activity

Add for printing

File name:	4363463463464363463463463.exe
Full analysis:	https://app.any.run/tasks/0af726b1-ebc7-43e3-91b9-6234d8d0aa86
Verdict:	Malicious activity
Threats:	AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	December 29, 2023, 19:34:40
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	loader hausbomber opendir dupzom trojan servstart rhadamanthys stealer risepro redline evasion phorpiex azorult lumma
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	2A94F3960C58C6E70826495F76D00B85
SHA1:	E2A1A5641295F5EBF01A37AC1C170AC0814BB71A
SHA256:	2FCAD226B17131DA4274E1B9F8F31359BDD325C9568665F08FD1F6C5D06A23CE
SSDEEP:	192:2we8sGKE6MqyG7c20L7BIW12n/ePSmzkTInu8stYcFwVc03KY:9e8sGKfMqyGg20PKn/cRaInuptYcFwVY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- HAUSBOMBER has been detected (YARA)
  - 4363463463464363463463463.exe (PID: 2064)
  - 4363463463464363463463463.exe (PID: 984)
  - 4363463463464363463463463.exe (PID: 1192)
  - 4363463463464363463463463.exe (PID: 2532)
  - 4363463463464363463463463.exe (PID: 2544)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 3260)
  - powershell.exe (PID: 4084)
  - powershell.exe (PID: 1972)
  - powershell.exe (PID: 4228)
  - powershell.exe (PID: 4348)
- Changes powershell execution policy (Bypass)
  - socks5-clean.exe (PID: 1628)
  - Archevod_XWorm.exe (PID: 3632)
- Run PowerShell with an invisible window
  - powershell.exe (PID: 3260)
- Risepro uses scheduled tasks to run itself
  - cmd.exe (PID: 2368)
  - cmd.exe (PID: 3056)
- Create files in the Startup directory
  - rest.exe (PID: 2932)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 2368)
  - Archevod_XWorm.exe (PID: 3632)
- Uses Task Scheduler to autorun other applications
  - cmd.exe (PID: 3056)
  - Temp3.exe (PID: 4068)
  - Windows Security Client.exe (PID: 3116)
- Steals credentials from Web Browsers
  - RegAsm.exe (PID: 1408)
  - rest.exe (PID: 2932)
- Actions looks like stealing of personal data
  - dialer.exe (PID: 3652)
  - RegAsm.exe (PID: 1408)
  - rest.exe (PID: 2932)
- Creates or modifies Windows services
  - DefenderControl.exe (PID: 2988)
- Creates a writable file in the system directory
  - Temp3.exe (PID: 4068)
- Adds path to the Windows Defender exclusion list
  - Archevod_XWorm.exe (PID: 3632)
- Adds process to the Windows Defender exclusion list
  - Archevod_XWorm.exe (PID: 3632)
SUSPICIOUS
- Reads the Internet Settings
  - 4363463463464363463463463.exe (PID: 2064)
  - 4363463463464363463463463.exe (PID: 984)
  - 4363463463464363463463463.exe (PID: 1192)
  - 4363463463464363463463463.exe (PID: 2532)
  - 4363463463464363463463463.exe (PID: 2544)
  - ghjkl.exe (PID: 2804)
  - socks5-clean.exe (PID: 1628)
  - DNS2.exe (PID: 2772)
  - plink.exe (PID: 3656)
  - 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 864)
  - VLTKNhatRac.exe (PID: 3312)
  - powershell.exe (PID: 2436)
  - 2k.exe (PID: 1816)
  - rest.exe (PID: 2932)
  - sysplorsv.exe (PID: 4044)
  - Temp3.exe (PID: 4068)
  - Archevod_XWorm.exe (PID: 3632)
  - DefenderControl.exe (PID: 2988)
  - powershell.exe (PID: 4084)
  - Windows Security Client.exe (PID: 3116)
  - MSASCui.exe (PID: 240)
  - powershell.exe (PID: 4228)
  - powershell.exe (PID: 1972)
  - powershell.exe (PID: 4348)
- The process creates files with name similar to system file names
  - PluginFlash.exe (PID: 584)
- The process executes VB scripts
  - PluginFlash.exe (PID: 584)
  - iexplore.exe (PID: 1236)
- Adds/modifies Windows certificates
  - 4363463463464363463463463.exe (PID: 2064)
  - 4363463463464363463463463.exe (PID: 1192)
  - 4363463463464363463463463.exe (PID: 984)
  - 4363463463464363463463463.exe (PID: 2532)
- Reads settings of System Certificates
  - 4363463463464363463463463.exe (PID: 2064)
  - 4363463463464363463463463.exe (PID: 984)
  - 4363463463464363463463463.exe (PID: 2544)
  - 4363463463464363463463463.exe (PID: 1192)
  - 4363463463464363463463463.exe (PID: 2532)
  - 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 864)
  - rest.exe (PID: 2932)
- Reads the Windows owner or organization settings
  - tuc2.tmp (PID: 796)
- The process executes Powershell scripts
  - socks5-clean.exe (PID: 1628)
- Starts POWERSHELL.EXE for commands execution
  - socks5-clean.exe (PID: 1628)
  - Archevod_XWorm.exe (PID: 3632)
- The process checks if it is being run in the virtual environment
  - dialer.exe (PID: 3652)
- Reads security settings of Internet Explorer
  - 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 864)
- Checks Windows Trust Settings
  - 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 864)
- Starts CMD.EXE for commands execution
  - rest.exe (PID: 2932)
- Using PowerShell to operate with local accounts
  - powershell.exe (PID: 2436)
- Searches for installed software
  - RegAsm.exe (PID: 1408)
  - dialer.exe (PID: 3652)
  - rest.exe (PID: 2932)
- Reads browser cookies
  - dialer.exe (PID: 3652)
  - RegAsm.exe (PID: 1408)
- Accesses Microsoft Outlook profiles
  - dialer.exe (PID: 3652)
  - rest.exe (PID: 2932)
- Loads DLL from Mozilla Firefox
  - dialer.exe (PID: 3652)
- Reads the BIOS version
  - Update_new.exe (PID: 1812)
- Script adds exclusion path to Windows Defender
  - Archevod_XWorm.exe (PID: 3632)
- Script adds exclusion process to Windows Defender
  - Archevod_XWorm.exe (PID: 3632)
INFO
- Reads Environment values
  - 4363463463464363463463463.exe (PID: 2064)
  - 4363463463464363463463463.exe (PID: 984)
  - 4363463463464363463463463.exe (PID: 1192)
  - 4363463463464363463463463.exe (PID: 2532)
  - 4363463463464363463463463.exe (PID: 2544)
  - VLTKNhatRac.exe (PID: 3312)
  - rest.exe (PID: 2932)
  - RegAsm.exe (PID: 1408)
  - Temp3.exe (PID: 4068)
  - Windows Security Client.exe (PID: 3116)
- Checks supported languages
  - 4363463463464363463463463.exe (PID: 2064)
  - PluginFlash.exe (PID: 584)
  - vbc.exe (PID: 1836)
  - vbc.exe (PID: 1560)
  - tuc2.exe (PID: 632)
  - tuc2.tmp (PID: 796)
  - XViewAXControl.exe (PID: 2576)
  - XViewAXControl.exe (PID: 2644)
  - 4363463463464363463463463.exe (PID: 984)
  - 4363463463464363463463463.exe (PID: 1192)
  - ghjkl.exe (PID: 2804)
  - 4363463463464363463463463.exe (PID: 2532)
  - 4363463463464363463463463.exe (PID: 2544)
  - BLduscfibj.exe (PID: 3016)
  - ghjkl.exe (PID: 1028)
  - BLduscfibj.exe (PID: 3208)
  - DefenderControl.exe (PID: 2988)
  - socks5-clean.exe (PID: 1628)
  - VLTKNhatRac.exe (PID: 3312)
  - 07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe (PID: 3328)
  - DNS2.exe (PID: 2772)
  - plink.exe (PID: 3656)
  - 07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe (PID: 1168)
  - a0538252234edd82661f55fea05df541c095a9f74368d8dca1582d797a1d084a.exe (PID: 3856)
  - 987123.exe (PID: 3980)
  - tidex_-_short_stuff.exe (PID: 1976)
  - a0538252234edd82661f55fea05df541c095a9f74368d8dca1582d797a1d084a.exe (PID: 1748)
  - Ulpktkx.exe (PID: 2628)
  - 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 864)
  - hv.exe (PID: 1044)
  - newtpp.exe (PID: 2432)
  - rest.exe (PID: 2932)
  - flt_shovemydiscoupyourarse.exe (PID: 3020)
  - autorun.exe (PID: 2664)
  - VoidRAT.exe (PID: 3760)
  - RegAsm.exe (PID: 1408)
  - 2k.exe (PID: 4068)
  - sysplorsv.exe (PID: 4044)
  - rise.exe (PID: 1592)
  - e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe (PID: 844)
  - 2k.exe (PID: 1816)
  - e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe (PID: 1624)
  - PAETools.exe (PID: 3452)
  - cs_maltest.exe (PID: 2952)
  - 75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd.exe (PID: 2728)
  - Archevod_XWorm.exe (PID: 3632)
  - Update_new.exe (PID: 1812)
  - Temp3.exe (PID: 4068)
  - NBYS%20AH.NET.exe (PID: 4080)
  - MSASCui.exe (PID: 240)
  - Windows Security Client.exe (PID: 3116)
- Drops the executable file immediately after the start
  - 4363463463464363463463463.exe (PID: 2064)
  - PluginFlash.exe (PID: 584)
  - tuc2.exe (PID: 632)
  - tuc2.tmp (PID: 796)
  - XViewAXControl.exe (PID: 2644)
  - ghjkl.exe (PID: 2804)
  - 4363463463464363463463463.exe (PID: 2532)
  - 4363463463464363463463463.exe (PID: 984)
  - 4363463463464363463463463.exe (PID: 1192)
  - BLduscfibj.exe (PID: 3208)
  - DNS2.exe (PID: 2772)
  - 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 864)
  - 4363463463464363463463463.exe (PID: 2544)
  - rest.exe (PID: 2932)
  - newtpp.exe (PID: 2432)
  - Temp3.exe (PID: 4068)
  - dialer.exe (PID: 3652)
  - tuc6.exe (PID: 4944)
  - Archevod_XWorm.exe (PID: 3632)
  - tuc6.tmp (PID: 4968)
- Reads the computer name
  - 4363463463464363463463463.exe (PID: 2064)
  - PluginFlash.exe (PID: 584)
  - vbc.exe (PID: 1836)
  - tuc2.tmp (PID: 796)
  - XViewAXControl.exe (PID: 2644)
  - 4363463463464363463463463.exe (PID: 984)
  - ghjkl.exe (PID: 2804)
  - 4363463463464363463463463.exe (PID: 1192)
  - 4363463463464363463463463.exe (PID: 2532)
  - 4363463463464363463463463.exe (PID: 2544)
  - BLduscfibj.exe (PID: 3016)
  - BLduscfibj.exe (PID: 3208)
  - DefenderControl.exe (PID: 2988)
  - socks5-clean.exe (PID: 1628)
  - VLTKNhatRac.exe (PID: 3312)
  - DNS2.exe (PID: 2772)
  - plink.exe (PID: 3656)
  - Ulpktkx.exe (PID: 2628)
  - 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 864)
  - tidex_-_short_stuff.exe (PID: 1976)
  - hv.exe (PID: 1044)
  - rest.exe (PID: 2932)
  - flt_shovemydiscoupyourarse.exe (PID: 3020)
  - RegAsm.exe (PID: 1408)
  - autorun.exe (PID: 2664)
  - 2k.exe (PID: 1816)
  - sysplorsv.exe (PID: 4044)
  - NBYS%20AH.NET.exe (PID: 4080)
  - Update_new.exe (PID: 1812)
  - Archevod_XWorm.exe (PID: 3632)
  - Temp3.exe (PID: 4068)
  - MSASCui.exe (PID: 240)
  - Windows Security Client.exe (PID: 3116)
- Reads the machine GUID from the registry
  - 4363463463464363463463463.exe (PID: 2064)
  - PluginFlash.exe (PID: 584)
  - 4363463463464363463463463.exe (PID: 984)
  - ghjkl.exe (PID: 2804)
  - 4363463463464363463463463.exe (PID: 1192)
  - 4363463463464363463463463.exe (PID: 2532)
  - 4363463463464363463463463.exe (PID: 2544)
  - BLduscfibj.exe (PID: 3016)
  - BLduscfibj.exe (PID: 3208)
  - VLTKNhatRac.exe (PID: 3312)
  - DNS2.exe (PID: 2772)
  - plink.exe (PID: 3656)
  - 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 864)
  - rest.exe (PID: 2932)
  - RegAsm.exe (PID: 1408)
  - 2k.exe (PID: 1816)
  - NBYS%20AH.NET.exe (PID: 4080)
  - Update_new.exe (PID: 1812)
  - Archevod_XWorm.exe (PID: 3632)
  - sysplorsv.exe (PID: 4044)
  - Temp3.exe (PID: 4068)
  - Windows Security Client.exe (PID: 3116)
  - MSASCui.exe (PID: 240)
- Create files in a temporary directory
  - vbc.exe (PID: 1836)
  - tuc2.exe (PID: 632)
  - tuc2.tmp (PID: 796)
  - ghjkl.exe (PID: 2804)
  - socks5-clean.exe (PID: 1628)
  - DefenderControl.exe (PID: 2988)
  - 4363463463464363463463463.exe (PID: 1192)
  - 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 864)
  - rest.exe (PID: 2932)
  - MSASCui.exe (PID: 240)
- Creates files or folders in the user directory
  - PluginFlash.exe (PID: 584)
  - DNS2.exe (PID: 2772)
  - BLduscfibj.exe (PID: 3208)
  - 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 864)
  - rest.exe (PID: 2932)
  - Windows Security Client.exe (PID: 3116)
  - Archevod_XWorm.exe (PID: 3632)
- Process drops legitimate windows executable
  - tuc2.tmp (PID: 796)
  - 4363463463464363463463463.exe (PID: 2532)
  - Archevod_XWorm.exe (PID: 3632)
  - tuc6.tmp (PID: 4968)
- Creates files in the program directory
  - tuc2.tmp (PID: 796)
  - XViewAXControl.exe (PID: 2644)
  - DNS2.exe (PID: 2772)
  - rest.exe (PID: 2932)
- Drops 7-zip archiver for unpacking
  - tuc2.tmp (PID: 796)
  - tuc6.tmp (PID: 4968)
- Process requests binary or script from the Internet
  - 4363463463464363463463463.exe (PID: 2064)
  - 4363463463464363463463463.exe (PID: 984)
  - DNS2.exe (PID: 2772)
  - 4363463463464363463463463.exe (PID: 2544)
  - 4363463463464363463463463.exe (PID: 1192)
- Manual execution by a user
  - 4363463463464363463463463.exe (PID: 1388)
  - 4363463463464363463463463.exe (PID: 984)
  - 4363463463464363463463463.exe (PID: 2672)
  - 4363463463464363463463463.exe (PID: 2908)
  - 4363463463464363463463463.exe (PID: 2896)
  - 4363463463464363463463463.exe (PID: 1192)
  - 4363463463464363463463463.exe (PID: 2532)
  - 4363463463464363463463463.exe (PID: 2544)
- Application launched itself
  - ghjkl.exe (PID: 2804)
  - BLduscfibj.exe (PID: 3016)
  - 07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe (PID: 3328)
  - a0538252234edd82661f55fea05df541c095a9f74368d8dca1582d797a1d084a.exe (PID: 3856)
  - 2k.exe (PID: 4068)
  - e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe (PID: 844)
  - StringIds.exe (PID: 4996)
  - DV7HCk[$A%.exe (PID: 4536)
- Reads mouse settings
  - DefenderControl.exe (PID: 2988)
- Checks proxy server information
  - DNS2.exe (PID: 2772)
  - plink.exe (PID: 3656)
  - 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 864)
  - 2k.exe (PID: 1816)
  - sysplorsv.exe (PID: 4044)
- Connects to unusual port
  - DNS2.exe (PID: 2772)
  - powershell.exe (PID: 3260)
  - 4363463463464363463463463.exe (PID: 984)
  - 4363463463464363463463463.exe (PID: 2532)
  - VLTKNhatRac.exe (PID: 3312)
  - plink.exe (PID: 3656)
  - Ulpktkx.exe (PID: 2628)
  - rest.exe (PID: 2932)
  - rise.exe (PID: 1592)
  - RegAsm.exe (PID: 1408)
  - Update_new.exe (PID: 1812)
  - Windows Security Client.exe (PID: 3116)
- The Powershell connects to the Internet
  - powershell.exe (PID: 3260)
- Unusual connection from system programs
  - powershell.exe (PID: 3260)
- SERVSTART has been detected (SURICATA)
  - DNS2.exe (PID: 2772)
- DUPZOM has been detected (SURICATA)
  - DNS2.exe (PID: 2772)
- Starts itself from another location
  - DNS2.exe (PID: 2772)
  - newtpp.exe (PID: 2432)
  - Temp3.exe (PID: 4068)
- Reads CPU info
  - Ulpktkx.exe (PID: 2628)
- Run PowerShell with an invisible window
  - powershell.exe (PID: 2436)
- Connects to the server without a host name
  - 4363463463464363463463463.exe (PID: 2544)
  - 4363463463464363463463463.exe (PID: 1192)
  - sysplorsv.exe (PID: 4044)
- The process executes via Task Scheduler
  - powershell.exe (PID: 2436)
  - StringIds.exe (PID: 4996)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 2436)
- RHADAMANTHYS has been detected (SURICATA)
  - dialer.exe (PID: 3652)
- Connects to FTP
  - VLTKNhatRac.exe (PID: 3312)
- RISEPRO has been detected (SURICATA)
  - rest.exe (PID: 2932)
- Connects to the CnC server
  - RegAsm.exe (PID: 1408)
  - rest.exe (PID: 2932)
  - sysplorsv.exe (PID: 4044)
- REDLINE has been detected (SURICATA)
  - RegAsm.exe (PID: 1408)
- Reads product name
  - RegAsm.exe (PID: 1408)
- Steals credentials
  - rest.exe (PID: 2932)
- Process checks are UAC notifies on
  - Update_new.exe (PID: 1812)
- Checks for external IP
  - rest.exe (PID: 2932)
  - Temp3.exe (PID: 4068)
  - Windows Security Client.exe (PID: 3116)
- PHORPIEX has been detected (SURICATA)
  - sysplorsv.exe (PID: 4044)
- Executed via WMI
  - DV7HCk[$A%.exe (PID: 4536)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:12:22 09:29:10+01:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	80
CodeSize:	5632
InitializedDataSize:	4608
UninitializedDataSize:	-
EntryPoint:	0x3552
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	0.0.0.0
InternalName:	4363463463464363463463463.exe
LegalCopyright:
OriginalFileName:	4363463463464363463463463.exe
ProductVersion:	0.0.0.0
AssemblyVersion:	0.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

168

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

240

"C:\Program Files\Windows Defender\MSASCui.exe"

C:\Program Files\Windows Defender\MSASCui.exe

DefenderControl.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Defender User Interface

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\program files\windows defender\msascui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\program files\windows defender\mpclient.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

584

"C:\Users\admin\Desktop\Files\PluginFlash.exe"

C:\Users\admin\Desktop\Files\PluginFlash.exe

—

4363463463464363463463463.exe

User:

admin

Integrity Level:

HIGH

Description:

Title

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\files\pluginflash.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

632

"C:\Users\admin\Desktop\Files\tuc2.exe"

C:\Users\admin\Desktop\Files\tuc2.exe

—

4363463463464363463463463.exe

User:

admin

Company:

Integrity Level:

HIGH

Description:

XView ActiveX Control Setup

Exit code:

Version:

Modules

Images
c:\users\admin\desktop\files\tuc2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

796

"C:\Users\admin\AppData\Local\Temp\is-2SCT5.tmp\tuc2.tmp" /SL5="$301BC,4176061,54272,C:\Users\admin\Desktop\Files\tuc2.exe"

C:\Users\admin\AppData\Local\Temp\is-2SCT5.tmp\tuc2.tmp

—

tuc2.exe

User:

admin

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

Version:

51.52.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-2sct5.tmp\tuc2.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

844

"C:\Users\admin\Desktop\Files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe"

C:\Users\admin\Desktop\Files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe

—

4363463463464363463463463.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

864

"C:\Users\admin\Desktop\Files\360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe"

C:\Users\admin\Desktop\Files\360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe

4363463463464363463463463.exe

User:

admin

Company:

Qihoo 360 Technology Co. Ltd.

Integrity Level:

HIGH

Description:

360 Total Security Online Installer

Exit code:

Version:

6, 6, 0, 1054

Modules

Images
c:\users\admin\desktop\files\360ts_setup_mini_ww.marketator.cpi20230401_6.6.0.1054.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

984

"C:\Users\admin\Desktop\4363463463464363463463463.exe"

C:\Users\admin\Desktop\4363463463464363463463463.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

Exit code:

Version:

0.0.0.0

Modules

Images
c:\users\admin\desktop\4363463463464363463463463.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1028

C:\Users\admin\Desktop\Files\ghjkl.exe

ghjkl.exe

User:

admin

Integrity Level:

HIGH

Exit code:

3221225477

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\files\ghjkl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll

1044

"C:\Users\admin\Desktop\Files\hv.exe"

C:\Users\admin\Desktop\Files\hv.exe

—

4363463463464363463463463.exe

User:

admin

Integrity Level:

HIGH

Description:

for_the_best_streamers_with_optimization

Exit code:

Version:

1.1.0.0

Modules

Images
c:\users\admin\desktop\files\hv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1168

"C:\Users\admin\Desktop\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe"

C:\Users\admin\Desktop\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe

—

07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

Add for printing

Total events

51 636

Read events

51 054

Write events

561

Delete events

Modification events


(PID) Process:	(2064) 4363463463464363463463463.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2064) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD
Operation:	write	Name:	Blob
Value: 530000000100000040000000303E301F06092B06010401A032010130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C0190000000100000010000000D0FD3C9C380D7B65E26B9A3FEDD39B8F0B000000010000003000000047006C006F00620061006C005300690067006E00200052006F006F00740020004300410020002D002000520033000000620000000100000020000000CBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B1400000001000000140000008FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC1D000000010000001000000001728E1ECF7A9D86FB3CEC8948ABA953030000000100000014000000D69B561148F01C77C54578C10926DF5B856976AD0F00000001000000200000005229BA15B31B0C6F4CCA89C2985177974327D1B689A3B935A0BD975532AF22AB090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B060105050703082000000001000000630300003082035F30820247A003020102020B04000000000121585308A2300D06092A864886F70D01010B0500304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E301E170D3039303331383130303030305A170D3239303331383130303030305A304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E30820122300D06092A864886F70D01010105000382010F003082010A0282010100CC2576907906782216F5C083B684CA289EFD057611C5AD8872FC460243C7B28A9D045F24CB2E4BE1608246E152AB0C8147706CDD64D1EBF52CA30F823D0C2BAE97D7B614861079BB3B1380778C08E149D26A622F1F5EFA9668DF892795389F06D73EC9CB26590D73DEB0C8E9260E8315C6EF5B8BD20460CA49A628F6693BF6CBC82891E59D8A615737AC7414DC74E03AEE722F2E9CFBD0BBBFF53D00E10633E8822BAE53A63A16738CDD410E203AC0B4A7A1E9B24F902E3260E957CBB904926868E538266075B29F77FF9114EFAE2049FCAD401548D1023161195EB897EFAD77B7649A7ABF5FC113EF9B62FB0D6CE0546916A903DA6EE983937176C6698582170203010001A3423040300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E041604148FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC300D06092A864886F70D01010B050003820101004B40DBC050AAFEC80CEFF796544549BB96000941ACB3138686280733CA6BE674B9BA002DAEA40AD3F5F1F10F8ABF73674A83C7447B78E0AF6E6C6F03298E333945C38EE4B9576CAAFC1296EC53C62DE4246CB99463FBDC536867563E83B8CF3521C3C968FECEDAC253AACC908AE9F05D468C95DD7A58281A2F1DDECD0037418FED446DD75328977EF367041E15D78A96B4D3DE4C27A44C1B737376F41799C21F7A0EE32D08AD0A1C2CFF3CAB550E0F917E36EBC35749BEE12E2D7C608BC3415113239DCEF7326B9401A899E72C331F3A3B25D28640CE3B2C8678C9612F14BAEEDB556FDF84EE05094DBD28D872CED36250651EEB92978331D9B3B5CA47583F5F
(PID) Process:	(2064) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD
Operation:	write	Name:	Blob
Value: 040000000100000010000000C5DFB849CA051355EE2DBA1AC33EB028090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B060105050703080F00000001000000200000005229BA15B31B0C6F4CCA89C2985177974327D1B689A3B935A0BD975532AF22AB030000000100000014000000D69B561148F01C77C54578C10926DF5B856976AD1D000000010000001000000001728E1ECF7A9D86FB3CEC8948ABA9531400000001000000140000008FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC620000000100000020000000CBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B0B000000010000003000000047006C006F00620061006C005300690067006E00200052006F006F00740020004300410020002D002000520033000000190000000100000010000000D0FD3C9C380D7B65E26B9A3FEDD39B8F530000000100000040000000303E301F06092B06010401A032010130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C02000000001000000630300003082035F30820247A003020102020B04000000000121585308A2300D06092A864886F70D01010B0500304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E301E170D3039303331383130303030305A170D3239303331383130303030305A304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E30820122300D06092A864886F70D01010105000382010F003082010A0282010100CC2576907906782216F5C083B684CA289EFD057611C5AD8872FC460243C7B28A9D045F24CB2E4BE1608246E152AB0C8147706CDD64D1EBF52CA30F823D0C2BAE97D7B614861079BB3B1380778C08E149D26A622F1F5EFA9668DF892795389F06D73EC9CB26590D73DEB0C8E9260E8315C6EF5B8BD20460CA49A628F6693BF6CBC82891E59D8A615737AC7414DC74E03AEE722F2E9CFBD0BBBFF53D00E10633E8822BAE53A63A16738CDD410E203AC0B4A7A1E9B24F902E3260E957CBB904926868E538266075B29F77FF9114EFAE2049FCAD401548D1023161195EB897EFAD77B7649A7ABF5FC113EF9B62FB0D6CE0546916A903DA6EE983937176C6698582170203010001A3423040300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E041604148FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC300D06092A864886F70D01010B050003820101004B40DBC050AAFEC80CEFF796544549BB96000941ACB3138686280733CA6BE674B9BA002DAEA40AD3F5F1F10F8ABF73674A83C7447B78E0AF6E6C6F03298E333945C38EE4B9576CAAFC1296EC53C62DE4246CB99463FBDC536867563E83B8CF3521C3C968FECEDAC253AACC908AE9F05D468C95DD7A58281A2F1DDECD0037418FED446DD75328977EF367041E15D78A96B4D3DE4C27A44C1B737376F41799C21F7A0EE32D08AD0A1C2CFF3CAB550E0F917E36EBC35749BEE12E2D7C608BC3415113239DCEF7326B9401A899E72C331F3A3B25D28640CE3B2C8678C9612F14BAEEDB556FDF84EE05094DBD28D872CED36250651EEB92978331D9B3B5CA47583F5F
(PID) Process:	(2064) 4363463463464363463463463.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2064) 4363463463464363463463463.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2064) 4363463463464363463463463.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2064) 4363463463464363463463463.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1236) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1236) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1236) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1

Add for printing

Executable files

211

Suspicious files

Text files

137

Unknown types

Dropped files

PID	Process	Filename		Type
632	tuc2.exe	C:\Users\admin\AppData\Local\Temp\is-2SCT5.tmp\tuc2.tmp		executable
		MD5:A7662827ECAEB4FC68334F6B8791B917	SHA256:05F159722D6905719D2D6F340981A293F40AB8A0D2D4A282C948066809D4AF6D
796	tuc2.tmp	C:\Program Files\XView ActiveX Control\is-U8IA6.tmp		executable
		MD5:45EAD995D376A520E0A1E2D76BD1741D	SHA256:D6CD6E60B90F5EFC23738D938BD8548F9037FD0B64DE56B9F33389122AEA5438
1236	iexplore.exe	C:\Users\admin\AppData\Local\Temp\admin8		text
		MD5:F5183BED252C9701477E9F70A52D8C46	SHA256:6A481A0B51BA759BF2664936C540C1108CB9397F4949B0C073A7EF4ADFF7CAE0
1236	iexplore.exe	C:\Users\admin\AppData\Local\Temp\admin7		text
		MD5:F5183BED252C9701477E9F70A52D8C46	SHA256:6A481A0B51BA759BF2664936C540C1108CB9397F4949B0C073A7EF4ADFF7CAE0
1236	iexplore.exe	C:\Users\admin\AppData\Roaming\adminlog.dat		text
		MD5:BF3DBA41023802CF6D3F8C5FD683A0C7	SHA256:4A8E75390856BF822F492F7F605CA0C21F1905172F6D3EF610162533C140507D
796	tuc2.tmp	C:\Program Files\XView ActiveX Control\bin\x86\is-TJESK.tmp		executable
		MD5:C7A50ACE28DDE05B897E000FA398BBCE	SHA256:F02979610F9BE2F267AA3260BB3DF0F79EEEB6F491A77EBBE719A44814602BCC
796	tuc2.tmp	C:\Users\admin\AppData\Local\Temp\is-0D14I.tmp\_isetup\_shfoldr.dll		executable
		MD5:92DC6EF532FBB4A5C3201469A5B5EB63	SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
796	tuc2.tmp	C:\Program Files\XView ActiveX Control\bin\x86\bassape.dll		executable
		MD5:C7A50ACE28DDE05B897E000FA398BBCE	SHA256:F02979610F9BE2F267AA3260BB3DF0F79EEEB6F491A77EBBE719A44814602BCC
796	tuc2.tmp	C:\Program Files\XView ActiveX Control\bin\x86\basscd.dll		executable
		MD5:F0F973781B6A66ADF354B04A36C5E944	SHA256:04AB613C895B35044AF8A9A98A372A5769C80245CC9D6BF710A94C5BC42FA1B3
796	tuc2.tmp	C:\Program Files\XView ActiveX Control\bin\x86\is-DE783.tmp		executable
		MD5:19E08B7F7B379A9D1F370E2B5CC622BD	SHA256:AC97E5492A3CE1689A2B3C25D588FAC68DFF5C2B79FCF4067F2D781F092BA2A1

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

112

DNS requests

Threats

205

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2064	4363463463464363463463463.exe	GET	200	172.67.168.30:80	http://never.hitsturbo.com/order/tuc2.exe	unknown	executable	4.22 Mb	unknown
2064	4363463463464363463463463.exe	GET	200	212.27.63.115:80	http://habbotips.free.fr/PluginFlash.exe	unknown	executable	1.04 Mb	unknown
2064	4363463463464363463463463.exe	GET	200	91.215.85.223:80	http://partadino.ac.ug/ghjkl.exe	unknown	executable	1.36 Mb	unknown
984	4363463463464363463463463.exe	GET	200	103.255.237.239:80	http://kimyen.net/upload/VLTKNhatRac.exe	unknown	executable	1.19 Mb	unknown
2532	4363463463464363463463463.exe	GET	301	104.192.141.1:80	http://bitbucket.org/pavelalekseev11/346346/downloads/socks5-clean.exe	unknown	—	—	unknown
2544	4363463463464363463463463.exe	GET	200	185.172.128.8:80	http://185.172.128.8/hv.exe	unknown	executable	5.88 Mb	unknown
2532	4363463463464363463463463.exe	GET	200	164.155.231.101:16	http://164.155.231.101:16/DNS2.exe	unknown	executable	9.10 Kb	unknown
984	4363463463464363463463463.exe	GET	200	5.148.32.222:6789	http://5.148.32.222:6789/plink.exe	unknown	executable	312 Kb	unknown
984	4363463463464363463463463.exe	GET	200	5.133.65.53:80	http://5.133.65.53/Oracle/$77_loader.exe	unknown	executable	397 Kb	unknown
1192	4363463463464363463463463.exe	GET	200	184.24.77.195:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3c0a4383ae98b572	unknown	compressed	65.2 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2064	4363463463464363463463463.exe	151.101.2.49:443	urlhaus.abuse.ch	FASTLY	US	unknown
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2064	4363463463464363463463463.exe	212.27.63.115:80	habbotips.free.fr	Free SAS	FR	unknown
2064	4363463463464363463463463.exe	172.67.168.30:80	never.hitsturbo.com	CLOUDFLARENET	US	unknown
2064	4363463463464363463463463.exe	91.215.85.223:80	partadino.ac.ug	—	RU	unknown
984	4363463463464363463463463.exe	151.101.2.49:443	urlhaus.abuse.ch	FASTLY	US	unknown
984	4363463463464363463463463.exe	103.255.237.239:80	kimyen.net	VNPT Corp	VN	unknown
2064	4363463463464363463463463.exe	140.82.121.3:443	github.com	GITHUB	US	unknown

DNS requests

Domain	IP	Reputation
urlhaus.abuse.ch	151.101.2.49 151.101.66.49 151.101.130.49 151.101.194.49	whitelisted
habbotips.free.fr	212.27.63.115	unknown
never.hitsturbo.com	172.67.168.30 104.21.46.59	malicious
partadino.ac.ug	91.215.85.223	unknown
teemy.no-ip.org	—	unknown
kimyen.net	103.255.237.239	unknown
github.com	140.82.121.3	shared
raw.githubusercontent.com	185.199.108.133 185.199.110.133 185.199.109.133 185.199.111.133	shared
bitbucket.org	104.192.141.1	shared
bbuseruploads.s3.amazonaws.com	3.5.2.146 54.231.135.57 52.217.32.172 3.5.27.151 3.5.28.161 3.5.2.183 52.216.213.209 52.217.132.41	shared

Threats

PID	Process	Class	Message
2064	4363463463464363463463463.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
2064	4363463463464363463463463.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2064	4363463463464363463463463.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2064	4363463463464363463463463.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
2064	4363463463464363463463463.exe	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
2064	4363463463464363463463463.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2064	4363463463464363463463463.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2064	4363463463464363463463463.exe	Misc activity	ET INFO EXE - Served Attached HTTP
2064	4363463463464363463463463.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 8
2064	4363463463464363463463463.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent

21 ETPRO signatures available at the full report

Add for printing

Process	Message
4363463463464363463463463.exe	The specified executable is not a valid application for this OS platform.
4363463463464363463463463.exe	The specified executable is not a valid application for this OS platform.
4363463463464363463463463.exe	The specified executable is not a valid application for this OS platform.
4363463463464363463463463.exe	The specified executable is not a valid application for this OS platform.
4363463463464363463463463.exe	The request was aborted: Could not create SSL/TLS secure channel.
4363463463464363463463463.exe	The specified executable is not a valid application for this OS platform.
4363463463464363463463463.exe	The specified executable is not a valid application for this OS platform.
4363463463464363463463463.exe	The specified executable is not a valid application for this OS platform.

General Info

4363463463464363463463463.exe

2A94F3960C58C6E70826495F76D00B85

E2A1A5641295F5EBF01A37AC1C170AC0814BB71A

2FCAD226B17131DA4274E1B9F8F31359BDD325C9568665F08FD1F6C5D06A23CE

192:2we8sGKE6MqyG7c20L7BIW12n/ePSmzkTInu8stYcFwVc03KY:9e8sGKfMqyGg20PKn/cRaInuptYcFwVY

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

HAUSBOMBER has been detected (YARA)

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

Run PowerShell with an invisible window

Risepro uses scheduled tasks to run itself

Create files in the Startup directory

Uses Task Scheduler to run other applications

Uses Task Scheduler to autorun other applications

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Creates or modifies Windows services

Creates a writable file in the system directory

Adds path to the Windows Defender exclusion list

Adds process to the Windows Defender exclusion list

SUSPICIOUS

Reads the Internet Settings

The process creates files with name similar to system file names

The process executes VB scripts

Adds/modifies Windows certificates

Reads settings of System Certificates

Reads the Windows owner or organization settings

The process executes Powershell scripts

Starts POWERSHELL.EXE for commands execution

The process checks if it is being run in the virtual environment

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Starts CMD.EXE for commands execution

Using PowerShell to operate with local accounts

Searches for installed software

Reads browser cookies

Accesses Microsoft Outlook profiles

Loads DLL from Mozilla Firefox

Reads the BIOS version

Script adds exclusion path to Windows Defender

Script adds exclusion process to Windows Defender

INFO

Reads Environment values

Checks supported languages

Drops the executable file immediately after the start

Reads the computer name

Reads the machine GUID from the registry

Create files in a temporary directory

Creates files or folders in the user directory

Process drops legitimate windows executable

Creates files in the program directory

Drops 7-zip archiver for unpacking

Process requests binary or script from the Internet

Manual execution by a user

Application launched itself

Reads mouse settings

Checks proxy server information

Connects to unusual port

The Powershell connects to the Internet

Unusual connection from system programs

SERVSTART has been detected (SURICATA)

DUPZOM has been detected (SURICATA)

Starts itself from another location

Reads CPU info

Run PowerShell with an invisible window

Connects to the server without a host name

The process executes via Task Scheduler

Bypass execution policy to execute commands

RHADAMANTHYS has been detected (SURICATA)

Connects to FTP

RISEPRO has been detected (SURICATA)

Connects to the CnC server

REDLINE has been detected (SURICATA)

Reads product name

Steals credentials