File name: 4363463463464363463463463.bin

Full analysis: https://app.any.run/tasks/2d7f0912-4d74-4d42-ae45-88b794854435
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: December 26, 2023, 16:13:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
hausbomber
phorpiex
trojan
evasion
amadey
botnet
stealer
opendir
redline
asyncrat
stealc
socks5systemz
proxy
marsstealer
arkei
raccoon
remcos
arechclient2
backdoor
purplefox
keylogger
metasploit
nitol
dcrat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 2A94F3960C58C6E70826495F76D00B85
SHA1: E2A1A5641295F5EBF01A37AC1C170AC0814BB71A
SHA256: 2FCAD226B17131DA4274E1B9F8F31359BDD325C9568665F08FD1F6C5D06A23CE
SSDEEP: 192:2we8sGKE6MqyG7c20L7BIW12n/ePSmzkTInu8stYcFwVc03KY:9e8sGKfMqyGg20PKn/cRaInuptYcFwVY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • HAUSBOMBER has been detected (YARA)

      • 4363463463464363463463463.bin.exe (PID: 2080)
      • 4363463463464363463463463.bin.exe (PID: 796)
      • 4363463463464363463463463.bin.exe (PID: 1740)
    • Connects to the CnC server

      • sysplorsv.exe (PID: 2792)
      • timeSync.exe (PID: 7856)
      • cloudpanelcrt.exe (PID: 2760)
      • csen.exe (PID: 14988)
      • AppLaunch.exe (PID: 14988)
      • RegAsm.exe (PID: 21824)
      • lve.exe (PID: 23040)
      • nsaC0EF.tmp (PID: 25404)
    • PHORPIEX has been detected (SURICATA)

      • sysplorsv.exe (PID: 2792)
      • 4363463463464363463463463.bin.exe (PID: 1740)
    • Changes the autorun value in the registry

      • Fineone.exe (PID: 3252)
      • Utsysc.exe (PID: 4024)
      • CoinSurf.WPF.exe (PID: 16204)
      • svchost.exe (PID: 28316)
      • jusched.exe (PID: 29272)
      • WinlockerBuilderv5.exe (PID: 28744)
    • Uses Task Scheduler to run other applications

      • Fineone.exe (PID: 3252)
      • Utsysc.exe (PID: 4024)
      • XRJNZC.exe (PID: 19404)
      • svchost.exe (PID: 28316)
    • AMADEY has been detected (SURICATA)

      • Fineone.exe (PID: 3252)
      • Utsysc.exe (PID: 4024)
    • Actions look like stealing of personal data

      • fcc.exe (PID: 392)
      • etopt.exe (PID: 1380)
      • rundll32.exe (PID: 5416)
      • AppLaunch.exe (PID: 14988)
      • RegAsm.exe (PID: 21824)
      • vbc.exe (PID: 22380)
    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 4024)
    • Steals credentials from Web Browsers

      • fcc.exe (PID: 392)
      • rundll32.exe (PID: 5416)
      • AppLaunch.exe (PID: 14988)
      • vbc.exe (PID: 22380)
    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 4024)
    • Unusual connection from system programs

      • wscript.exe (PID: 4024)
      • vbc.exe (PID: 1316)
      • vbc.exe (PID: 2316)
      • rundll32.exe (PID: 5416)
      • rundll32.exe (PID: 5780)
      • vbc.exe (PID: 22380)
    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 4024)
    • REDLINE has been detected (YARA)

      • vbc.exe (PID: 1316)
      • vbc.exe (PID: 2316)
      • AppLaunch.exe (PID: 14988)
      • vbc.exe (PID: 24276)
    • ASYNCRAT has been detected (YARA)

      • windows.exe (PID: 1772)
    • STEALC has been detected (SURICATA)

      • timeSync.exe (PID: 7856)
      • nsaC0EF.tmp (PID: 25404)
    • SOCKS5SYSTEMZ has been detected (SURICATA)

      • cloudpanelcrt.exe (PID: 2760)
    • ARKEI has been detected (YARA)

      • data64_1.exe (PID: 2676)
    • MARSSTEALER has been detected (YARA)

      • data64_1.exe (PID: 2676)
    • REDLINE has been detected (SURICATA)

      • AppLaunch.exe (PID: 14988)
      • vbc.exe (PID: 22380)
    • RACCOON has been detected (YARA)

      • 1230.exe (PID: 15676)
    • REMCOS has been detected (YARA)

      • 6.exe (PID: 15112)
    • ARECHCLIENT2 has been detected (SURICATA)

      • RegAsm.exe (PID: 21824)
    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 21352)
      • wscript.exe (PID: 22896)
      • wscript.exe (PID: 24292)
    • Adds path to the Windows Defender exclusion list

      • savesinto.exe (PID: 21512)
      • Rby1.exe (PID: 22660)
    • PURPLEFOX has been detected (SURICATA)

      • lve.exe (PID: 23040)
    • Changes PowerShell execution policy (Bypass)

      • socks5-clean.exe (PID: 24372)
    • Bypasses execution policy to execute commands

      • powershell.exe (PID: 23268)
    • Runs PowerShell with an invisible window

      • powershell.exe (PID: 23268)
    • UAC/LUA settings modification

      • Rby1.exe (PID: 22660)
    • METASPLOIT has been detected (SURICATA)

      • 4363463463464363463463463.bin.exe (PID: 2080)
    • NITOL has been detected (YARA)

      • lve.exe (PID: 23040)
    • DCRAT has been detected (YARA)

      • WmiPrvSE.exe (PID: 23144)
    • Changes the login/logoff helper path in the registry

      • Otte-Locker.exe (PID: 28160)
      • upx_compresser.exe (PID: 29460)
    • Changes appearance of the Explorer extensions

      • svchost.exe (PID: 28316)
    • Creates a writable file in the system directory

      • Temp3.exe (PID: 28944)
    • Uses Task Scheduler to autorun other applications

      • Temp3.exe (PID: 28944)
      • Windows Security Client.exe (PID: 29316)
  • SUSPICIOUS

    • Reads the Internet Settings

      • 4363463463464363463463463.bin.exe (PID: 2080)
      • 7120.exe (PID: 1216)
      • 4363463463464363463463463.bin.exe (PID: 1740)
      • 4363463463464363463463463.bin.exe (PID: 796)
      • npp.exe (PID: 1560)
      • sysplorsv.exe (PID: 2792)
      • 937228412.exe (PID: 3044)
      • Opolis.exe (PID: 968)
      • Fineone.exe (PID: 3252)
      • 15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe (PID: 4068)
      • 2667019473.exe (PID: 3776)
      • ama.exe (PID: 3828)
      • Utsysc.exe (PID: 4024)
      • %E5%8F%91%E7%A5%A8%E7%94%B5%E8%84%91%E7%89%88-%E7%BB%88%E7%AB%AF_sos.exe (PID: 4396)
      • rundll32.exe (PID: 5416)
      • rundll32.exe (PID: 5780)
      • etopt.exe (PID: 1380)
      • timeSync.exe (PID: 7856)
      • up.exe (PID: 7820)
      • 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 10104)
      • VLTKBacdau.exe (PID: 8664)
      • data64_1.exe (PID: 2676)
      • cloudpanelcrt.exe (PID: 2760)
      • Update.exe (PID: 12412)
      • CoinSurf.WPF.exe (PID: 12948)
      • 1230.exe (PID: 15676)
      • CoinSurf.WPF.exe (PID: 16204)
      • Update.exe (PID: 15584)
      • Update_new.exe (PID: 12340)
      • AppLaunch.exe (PID: 14988)
      • VLTKNhatRac.exe (PID: 17712)
      • 7112.exe (PID: 2960)
      • cp.exe (PID: 18948)
      • XRJNZC.exe (PID: 19404)
      • plink.exe (PID: 19800)
      • wscript.exe (PID: 21352)
      • route.exe (PID: 20364)
      • savesinto.exe (PID: 21512)
      • powershell.exe (PID: 23716)
      • powershell.exe (PID: 23748)
      • powershell.exe (PID: 23692)
      • powershell.exe (PID: 23700)
      • powershell.exe (PID: 23708)
      • powershell.exe (PID: 23772)
      • powershell.exe (PID: 23740)
      • powershell.exe (PID: 23732)
      • powershell.exe (PID: 23824)
      • powershell.exe (PID: 23756)
      • powershell.exe (PID: 23724)
      • powershell.exe (PID: 23764)
      • dusers.exe (PID: 23548)
      • powershell.exe (PID: 23816)
      • WmiPrvSE.exe (PID: 23144)
      • socks5-clean.exe (PID: 24372)
      • Users.exe (PID: 23628)
      • Rby1.exe (PID: 22660)
      • powershell.exe (PID: 16332)
      • InstallUtil.exe (PID: 11260)
      • lIvfiq221cf5b7jvEzPY9Chg.exe (PID: 24856)
      • cmd.exe (PID: 24348)
      • nsaC0EF.tmp (PID: 25404)
      • tungbot.exe  (PID: 28128)
      • Temp3.exe (PID: 28944)
      • WinlockerBuilderv5.exe (PID: 28744)
      • svshost.exe (PID: 29280)
      • upx_compresser.exe (PID: 29460)
      • jusched.exe (PID: 29272)
    • Reads settings of System Certificates

      • 4363463463464363463463463.bin.exe (PID: 1740)
      • 4363463463464363463463463.bin.exe (PID: 2080)
      • 4363463463464363463463463.bin.exe (PID: 796)
      • 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 10104)
      • CoinSurf.WPF.exe (PID: 12948)
      • Update_new.exe (PID: 12340)
      • CoinSurf.WPF.exe (PID: 16204)
      • AppLaunch.exe (PID: 14988)
      • InstallUtil.exe (PID: 11260)
      • lIvfiq221cf5b7jvEzPY9Chg.exe (PID: 24856)
    • Adds/modifies Windows certificates

      • 4363463463464363463463463.bin.exe (PID: 2080)
      • 4363463463464363463463463.bin.exe (PID: 796)
    • Connects to the server without a host name

      • 4363463463464363463463463.bin.exe (PID: 1740)
      • sysplorsv.exe (PID: 2792)
      • 937228412.exe (PID: 3044)
      • Fineone.exe (PID: 3252)
      • 2667019473.exe (PID: 3776)
      • Utsysc.exe (PID: 4024)
      • rundll32.exe (PID: 5416)
      • rundll32.exe (PID: 5780)
      • timeSync.exe (PID: 7856)
      • 4363463463464363463463463.bin.exe (PID: 2080)
      • 4363463463464363463463463.bin.exe (PID: 796)
    • Process requests a binary or script from the Internet

      • 4363463463464363463463463.bin.exe (PID: 1740)
      • npp.exe (PID: 1560)
      • 4363463463464363463463463.bin.exe (PID: 2080)
      • 4363463463464363463463463.bin.exe (PID: 796)
      • Opolis.exe (PID: 968)
      • Utsysc.exe (PID: 4024)
      • 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 10104)
    • Reads the Windows owner or organization settings

      • tuc6.tmp (PID: 2736)
      • tuc2.tmp (PID: 1904)
      • adobe.tmp (PID: 3204)
      • tuc7.tmp (PID: 2504)
      • tuc5.tmp (PID: 2852)
      • tuc3.tmp (PID: 4892)
      • tuc4.tmp (PID: 7828)
      • %E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.tmp (PID: 29228)
    • Searches for installed software

      • tuc2.tmp (PID: 1904)
      • adobe.tmp (PID: 3204)
      • tuc7.tmp (PID: 2504)
      • tuc5.tmp (PID: 2852)
      • tuc3.tmp (PID: 4892)
      • tuc4.tmp (PID: 7828)
      • CoinSurf.WPF.exe (PID: 12948)
      • CoinSurf.WPF.exe (PID: 16204)
      • AppLaunch.exe (PID: 14988)
      • RegAsm.exe (PID: 21824)
      • vbc.exe (PID: 22380)
    • Connects to unusual port

      • windows.exe (PID: 1772)
      • build_2023-12-19_21-29.exe (PID: 980)
      • 4363463463464363463463463.bin.exe (PID: 796)
      • fcc.exe (PID: 392)
      • vbc.exe (PID: 1316)
      • vbc.exe (PID: 2316)
      • sysplorsv.exe (PID: 2792)
      • etopt.exe (PID: 1380)
      • 4363463463464363463463463.bin.exe (PID: 1740)
      • up.exe (PID: 7820)
      • VLTKBacdau.exe (PID: 8664)
      • cloudpanelcrt.exe (PID: 2760)
      • Update_new.exe (PID: 12340)
      • 6.exe (PID: 15112)
      • VLTKNhatRac.exe (PID: 17712)
      • plink.exe (PID: 19800)
      • RegAsm.exe (PID: 21824)
      • vbc.exe (PID: 22380)
      • lve.exe (PID: 23040)
      • Screensaver.exe (PID: 23928)
      • powershell.exe (PID: 23268)
      • 4363463463464363463463463.bin.exe (PID: 2080)
      • tungbot.exe  (PID: 28128)
    • Checks for external IP

      • 937228412.exe (PID: 3044)
      • 2667019473.exe (PID: 3776)
      • lIvfiq221cf5b7jvEzPY9Chg.exe (PID: 24856)
      • Temp3.exe (PID: 28944)
    • The process executes VB scripts

      • tel.exe (PID: 4016)
      • 15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe (PID: 4068)
      • jjj.exe (PID: 2120)
      • pdf.exe (PID: 22300)
      • WmiPrvSE.exe (PID: 23144)
      • new.exe (PID: 23392)
    • Reads browser cookies

      • fcc.exe (PID: 392)
      • AppLaunch.exe (PID: 14988)
      • RegAsm.exe (PID: 21824)
      • vbc.exe (PID: 22380)
    • Starts CMD.EXE for command execution

      • fcc.exe (PID: 392)
      • cp.exe (PID: 18948)
      • wscript.exe (PID: 21352)
      • savesinto.exe (PID: 21512)
      • dusers.exe (PID: 23548)
      • Users.exe (PID: 23628)
    • Connects to SMTP port

      • 937228412.exe (PID: 3044)
      • 2667019473.exe (PID: 3776)
    • Uses RUNDLL32.EXE to load a library

      • Utsysc.exe (PID: 4024)
    • Loads DLL from Mozilla Firefox

      • rundll32.exe (PID: 5416)
    • Uses NETSH.EXE to obtain data on the network

      • rundll32.exe (PID: 5416)
    • Accesses Microsoft Outlook profiles

      • rundll32.exe (PID: 5416)
    • Starts POWERSHELL.EXE for command execution

      • rundll32.exe (PID: 5416)
      • savesinto.exe (PID: 21512)
      • socks5-clean.exe (PID: 24372)
      • Rby1.exe (PID: 22660)
    • The process verifies whether antivirus software is installed

      • etopt.exe (PID: 1380)
    • Reads Microsoft Outlook installation path

      • up.exe (PID: 7820)
    • Reads Internet Explorer settings

      • up.exe (PID: 7820)
    • Connects to FTP

      • VLTKBacdau.exe (PID: 8664)
      • VLTKNhatRac.exe (PID: 17712)
    • Checks Windows Trust Settings

      • 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 10104)
      • CoinSurf.WPF.exe (PID: 12948)
      • lIvfiq221cf5b7jvEzPY9Chg.exe (PID: 24856)
    • Reads security settings of Internet Explorer

      • 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 10104)
      • CoinSurf.WPF.exe (PID: 12948)
      • lIvfiq221cf5b7jvEzPY9Chg.exe (PID: 24856)
    • Reads the BIOS version

      • Update_new.exe (PID: 12340)
    • The process creates files with names similar to system file names

      • Update.exe (PID: 12412)
      • CoinSurf.WPF.exe (PID: 12948)
      • 4363463463464363463463463.bin.exe (PID: 2080)
      • savesinto.exe (PID: 21512)
      • icsys.icn.exe (PID: 28140)
      • spoolsv.exe (PID: 28300)
      • svchost.exe (PID: 28316)
      • WinlockerBuilderv5.exe (PID: 28744)
      • upx_compresser.exe (PID: 29460)
    • Creates a software uninstall entry

      • CoinSurf.WPF.exe (PID: 12948)
      • CoinSurf.WPF.exe (PID: 16204)
      • u9KKdnYh9PdX8YuCuE3Ueul5.exe (PID: 27856)
    • Executes commands from a ".bat" file

      • cp.exe (PID: 18948)
      • wscript.exe (PID: 21352)
      • savesinto.exe (PID: 21512)
      • dusers.exe (PID: 23548)
      • Users.exe (PID: 23628)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 19104)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 21352)
    • Uses TASKKILL.EXE to kill a process

      • lve.exe (PID: 23040)
      • cmd.exe (PID: 24348)
    • Uses PowerShell to operate on local accounts

      • powershell.exe (PID: 23748)
      • powershell.exe (PID: 23692)
      • powershell.exe (PID: 23716)
      • powershell.exe (PID: 23724)
      • powershell.exe (PID: 23700)
      • powershell.exe (PID: 23708)
      • powershell.exe (PID: 23772)
      • powershell.exe (PID: 23732)
      • powershell.exe (PID: 23740)
      • powershell.exe (PID: 23824)
      • powershell.exe (PID: 23756)
      • powershell.exe (PID: 23816)
      • powershell.exe (PID: 23764)
      • powershell.exe (PID: 16332)
    • Script adds exclusion path to Windows Defender

      • savesinto.exe (PID: 21512)
      • Rby1.exe (PID: 22660)
    • Creates or modifies Windows services

      • lve.exe (PID: 23040)
    • Probably delays execution using 'w32tm.exe'

      • cmd.exe (PID: 23936)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 22956)
      • cmd.exe (PID: 24348)
    • Creates a FileSystem object to access the computer's file system (SCRIPT)

      • wscript.exe (PID: 24292)
      • wscript.exe (PID: 22896)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • wscript.exe (PID: 24292)
    • Checks whether a specific file exists (SCRIPT)

      • wscript.exe (PID: 22896)
    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 24292)
    • Starts application with an unusual extension

      • cmd.exe (PID: 24348)
      • lIvfiq221cf5b7jvEzPY9Chg.exe (PID: 24856)
      • tungbot.exe (PID: 28068)
    • The process executes PowerShell scripts

      • socks5-clean.exe (PID: 24372)
    • Uses REG/REGEDIT.EXE to modify the registry

      • cmd.exe (PID: 24348)
    • Unusual connection from system programs

      • powershell.exe (PID: 23268)
    • PowerShell connects to the Internet

      • powershell.exe (PID: 23268)
    • Changes the desktop background image

      • Otte-Locker.exe (PID: 28160)
    • Process creates executable files without a name

      • WinlockerBuilderv5.exe (PID: 28744)
      • jusched.exe (PID: 29272)
    • The process checks if it is being run in a virtual environment

      • WinlockerBuilderv5.exe (PID: 28744)
      • jusched.exe (PID: 29272)
  • INFO

    • Drops the executable file immediately after the start

      • 4363463463464363463463463.bin.exe (PID: 2080)
      • 4363463463464363463463463.bin.exe (PID: 1740)
      • tuc6.exe (PID: 1880)
      • npp.exe (PID: 1560)
      • cloudpanelcrt.exe (PID: 2568)
      • tuc2.exe (PID: 1424)
      • tuc2.tmp (PID: 1904)
      • 4363463463464363463463463.bin.exe (PID: 796)
      • tuc6.tmp (PID: 2736)
      • 57872092.exe (PID: 2404)
      • Opolis.exe (PID: 968)
      • adobe.exe (PID: 3256)
      • adobe.tmp (PID: 3204)
      • 15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe (PID: 4068)
      • tuc7.exe (PID: 2484)
      • tuc7.tmp (PID: 2504)
      • tuc5.exe (PID: 2940)
      • tuc5.tmp (PID: 2852)
      • ama.exe (PID: 3828)
      • tuc3.exe (PID: 4880)
      • Utsysc.exe (PID: 4024)
      • tuc3.tmp (PID: 4892)
      • etopt.exe (PID: 1380)
      • tuc4.tmp (PID: 7828)
      • tuc4.exe (PID: 7800)
      • 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 10104)
      • Cheat.exe (PID: 8476)
      • csaff.exe (PID: 14288)
      • Update.exe (PID: 12412)
      • CoinSurf.WPF.exe (PID: 12948)
      • cp.exe (PID: 18948)
      • hv.exe (PID: 19640)
      • route.exe (PID: 20364)
      • savesinto.exe (PID: 21512)
      • lve.exe (PID: 23040)
      • dusers.exe (PID: 23548)
      • WmiPrvSE.exe (PID: 23144)
      • Users.exe (PID: 23628)
      • InstallUtil.exe (PID: 11260)
      • HEdpiTWQQlsQhrfS8XyM4Jo0.exe (PID: 25616)
      • lIvfiq221cf5b7jvEzPY9Chg.exe (PID: 24856)
      • tungbot.exe (PID: 28068)
      • u9KKdnYh9PdX8YuCuE3Ueul5.exe (PID: 27856)
      • explorer.exe (PID: 28272)
      • spoolsv.exe (PID: 28300)
      • icsys.icn.exe (PID: 28140)
      • %E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe (PID: 29160)
      • svchost.exe (PID: 28316)
      • jusched.exe (PID: 29272)
    • Reads the computer name

      • 4363463463464363463463463.bin.exe (PID: 2080)
      • 4363463463464363463463463.bin.exe (PID: 1740)
      • windows.exe (PID: 1772)
      • 7120.exe (PID: 1216)
      • 4363463463464363463463463.bin.exe (PID: 796)
      • tuc6.tmp (PID: 2736)
      • npp.exe (PID: 1560)
      • cloudpanelcrt.exe (PID: 2568)
      • tuc2.tmp (PID: 1904)
      • build_2023-12-19_21-29.exe (PID: 980)
      • sysplorsv.exe (PID: 2792)
      • Opolis.exe (PID: 968)
      • 937228412.exe (PID: 3044)
      • OSM-Client.exe (PID: 3104)
      • adobe.tmp (PID: 3204)
      • Fineone.exe (PID: 3252)
      • kb^fr_ouverture.exe (PID: 3356)
      • fcc.exe (PID: 392)
      • vbc.exe (PID: 1316)
      • 2667019473.exe (PID: 3776)
      • tuc7.tmp (PID: 2504)
      • vbc.exe (PID: 2316)
      • ama.exe (PID: 3828)
      • tuc5.tmp (PID: 2852)
      • Utsysc.exe (PID: 4024)
      • 15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe (PID: 4068)
      • %E5%8F%91%E7%A5%A8%E7%94%B5%E8%84%91%E7%89%88-%E7%BB%88%E7%AB%AF_sos.exe (PID: 4396)
      • tuc3.tmp (PID: 4892)
      • etopt.exe (PID: 1380)
      • up.exe (PID: 7820)
      • tuc4.tmp (PID: 7828)
      • VLTKBacdau.exe (PID: 8664)
      • timeSync.exe (PID: 7856)
      • 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 10104)
      • Cheat.tmp (PID: 8036)
      • data64_1.exe (PID: 2676)
      • Update_new.exe (PID: 12340)
      • cloudpanelcrt.exe (PID: 2760)
      • Update.exe (PID: 12412)
      • csaff.exe (PID: 14240)
      • CoinSurf.WPF.exe (PID: 12948)
      • Update.exe (PID: 15584)
      • 1230.exe (PID: 15676)
      • CoinSurf.WPF.exe (PID: 15444)
      • AppLaunch.exe (PID: 14988)
      • CoinSurf.WPF.exe (PID: 16204)
      • 6.exe (PID: 15112)
      • VLTKNhatRac.exe (PID: 17712)
      • 7112.exe (PID: 2960)
      • cp.exe (PID: 18948)
      • XRJNZC.exe (PID: 19404)
      • hv.exe (PID: 19640)
      • RegAsm.exe (PID: 21824)
      • plink.exe (PID: 19800)
      • vbc.exe (PID: 22380)
      • pdf.exe (PID: 22300)
      • route.exe (PID: 20364)
      • savesinto.exe (PID: 21512)
      • lve.exe (PID: 23040)
      • Vnloubk.exe (PID: 23312)
      • Vnloubk.exe (PID: 20768)
      • WmiPrvSE.exe (PID: 23144)
      • dusers.exe (PID: 23548)
      • Users.exe (PID: 23628)
      • socks5-clean.exe (PID: 24372)
      • wmild.exe (PID: 23792)
      • vbc.exe (PID: 24276)
      • wmild.exe (PID: 23292)
      • Rby1.exe (PID: 22660)
      • InstallUtil.exe (PID: 11260)
      • tidex_-_short_stuff.exe (PID: 24332)
      • wmild.exe (PID: 25316)
      • BroomSetup.exe (PID: 24888)
      • lIvfiq221cf5b7jvEzPY9Chg.exe (PID: 24856)
      • nsaC0EF.tmp (PID: 25404)
      • O4DZLnetrqSDxICNAaEOQbyF.exe (PID: 26040)
      • WiUK1tguKP0xk2jOeUkJ6fzv.exe (PID: 25992)
      • u9KKdnYh9PdX8YuCuE3Ueul5.exe (PID: 27856)
      • Otte-Locker.exe (PID: 28160)
      • tungbot.exe  (PID: 28128)
      • svchost.exe (PID: 28316)
      • WinlockerBuilderv5.exe (PID: 28744)
      • Temp3.exe (PID: 28944)
      • Windows Security Client.exe (PID: 29316)
      • jusched.exe (PID: 29272)
      • svshost.exe (PID: 29280)
      • %E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.tmp (PID: 29228)
      • WinlockerBuilderv5.exe (PID: 29408)
      • upx_compresser.exe (PID: 29460)
      • taskhost.exe (PID: 29632)
    • Creates files in a temporary directory

      • 4363463463464363463463463.bin.exe (PID: 2080)
      • tuc6.exe (PID: 1880)
      • npp.exe (PID: 1560)
      • tuc2.exe (PID: 1424)
      • tuc6.tmp (PID: 2736)
      • Opolis.exe (PID: 968)
      • tuc2.tmp (PID: 1904)
      • sysplorsv.exe (PID: 2792)
      • OSM-Client.exe (PID: 3104)
      • adobe.exe (PID: 3256)
      • adobe.tmp (PID: 3204)
      • 2667019473.exe (PID: 3776)
      • tuc7.exe (PID: 2484)
      • tuc7.tmp (PID: 2504)
      • tuc5.exe (PID: 2940)
      • ama.exe (PID: 3828)
      • tuc5.tmp (PID: 2852)
      • Utsysc.exe (PID: 4024)
      • tuc3.exe (PID: 4880)
      • tuc3.tmp (PID: 4892)
      • 937228412.exe (PID: 3044)
      • etopt.exe (PID: 1380)
      • tuc4.tmp (PID: 7828)
      • tuc4.exe (PID: 7800)
      • up.exe (PID: 7820)
      • 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 10104)
      • Cheat.exe (PID: 8476)
      • Update.exe (PID: 12412)
      • CoinSurf.WPF.exe (PID: 12948)
      • cp.exe (PID: 18948)
      • hv.exe (PID: 19640)
      • RegAsm.exe (PID: 21824)
      • savesinto.exe (PID: 21512)
      • WmiPrvSE.exe (PID: 23144)
      • socks5-clean.exe (PID: 24372)
      • explorer.exe (PID: 6208)
      • InstallUtil.exe (PID: 11260)
      • lIvfiq221cf5b7jvEzPY9Chg.exe (PID: 24856)
      • HEdpiTWQQlsQhrfS8XyM4Jo0.exe (PID: 25616)
      • tungbot.exe (PID: 28068)
      • icsys.icn.exe (PID: 28140)
      • u9KKdnYh9PdX8YuCuE3Ueul5.exe (PID: 27856)
      • explorer.exe (PID: 28272)
      • spoolsv.exe (PID: 28300)
      • svchost.exe (PID: 28316)
      • spoolsv.exe (PID: 28344)
      • %E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe (PID: 29160)
      • WinlockerBuilderv5.exe (PID: 28744)
      • svshost.exe (PID: 29280)
      • jusched.exe (PID: 29272)
    • Reads the machine GUID from the registry

      • windows.exe (PID: 1772)
      • 4363463463464363463463463.bin.exe (PID: 1740)
      • 4363463463464363463463463.bin.exe (PID: 2080)
      • 4363463463464363463463463.bin.exe (PID: 796)
      • npp.exe (PID: 1560)
      • build_2023-12-19_21-29.exe (PID: 980)
      • sysplorsv.exe (PID: 2792)
      • 937228412.exe (PID: 3044)
      • Opolis.exe (PID: 968)
      • Fineone.exe (PID: 3252)
      • vbc.exe (PID: 1316)
      • 2667019473.exe (PID: 3776)
      • vbc.exe (PID: 2316)
      • Utsysc.exe (PID: 4024)
      • ama.exe (PID: 3828)
      • %E5%8F%91%E7%A5%A8%E7%94%B5%E8%84%91%E7%89%88-%E7%BB%88%E7%AB%AF_sos.exe (PID: 4396)
      • etopt.exe (PID: 1380)
      • up.exe (PID: 7820)
      • timeSync.exe (PID: 7856)
      • 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 10104)
      • data64_1.exe (PID: 2676)
      • cloudpanelcrt.exe (PID: 2760)
      • Update_new.exe (PID: 12340)
      • csaff.exe (PID: 14240)
      • Update.exe (PID: 12412)
      • CoinSurf.WPF.exe (PID: 12948)
      • CoinSurf.WPF.exe (PID: 15444)
      • Update.exe (PID: 15584)
      • VLTKBacdau.exe (PID: 8664)
      • 1230.exe (PID: 15676)
      • CoinSurf.WPF.exe (PID: 16204)
      • AppLaunch.exe (PID: 14988)
      • VLTKNhatRac.exe (PID: 17712)
      • plink.exe (PID: 19800)
      • hv.exe (PID: 19640)
      • pdf.exe (PID: 22300)
      • RegAsm.exe (PID: 21824)
      • vbc.exe (PID: 22380)
      • savesinto.exe (PID: 21512)
      • WmiPrvSE.exe (PID: 23144)
      • vbc.exe (PID: 24276)
      • Rby1.exe (PID: 22660)
      • InstallUtil.exe (PID: 11260)
      • lIvfiq221cf5b7jvEzPY9Chg.exe (PID: 24856)
      • nsaC0EF.tmp (PID: 25404)
      • O4DZLnetrqSDxICNAaEOQbyF.exe (PID: 26040)
      • WiUK1tguKP0xk2jOeUkJ6fzv.exe (PID: 25992)
      • tungbot.exe (PID: 28068)
      • icsys.icn.exe (PID: 28140)
      • Otte-Locker.exe (PID: 28160)
      • tungbot.exe  (PID: 28128)
      • u9KKdnYh9PdX8YuCuE3Ueul5.exe (PID: 27856)
      • explorer.exe (PID: 28272)
      • spoolsv.exe (PID: 28300)
      • spoolsv.exe (PID: 28344)
      • WinlockerBuilderv5.exe (PID: 28744)
      • svchost.exe (PID: 28316)
      • Temp3.exe (PID: 28944)
      • Windows Security Client.exe (PID: 29316)
      • jusched.exe (PID: 29272)
      • upx_compresser.exe (PID: 29460)
    • Checks supported languages

      • 7120.exe (PID: 1216)
      • 4363463463464363463463463.bin.exe (PID: 2080)
      • npp.exe (PID: 1560)
      • windows.exe (PID: 1772)
      • 4363463463464363463463463.bin.exe (PID: 796)
      • tuc6.exe (PID: 1880)
      • tuc6.tmp (PID: 2736)
      • 4363463463464363463463463.bin.exe (PID: 1740)
      • cloudpanelcrt.exe (PID: 2568)
      • cloudpanelcrt.exe (PID: 2760)
      • tuc2.exe (PID: 1424)
      • 57872092.exe (PID: 2404)
      • tuc2.tmp (PID: 1904)
      • build_2023-12-19_21-29.exe (PID: 980)
      • 659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe (PID: 2292)
      • sysplorsv.exe (PID: 2792)
      • Opolis.exe (PID: 968)
      • 987123.exe (PID: 3036)
      • 937228412.exe (PID: 3044)
      • OSM-Client.exe (PID: 3104)
      • adobe.exe (PID: 3256)
      • adobe.tmp (PID: 3204)
      • Fineone.exe (PID: 3252)
      • kb^fr_ouverture.exe (PID: 3356)
      • 2667019473.exe (PID: 3776)
      • 15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe (PID: 4068)
      • tel.exe (PID: 4016)
      • fcc.exe (PID: 392)
      • vbc.exe (PID: 1316)
      • tuc7.exe (PID: 2484)
      • tuc7.tmp (PID: 2504)
      • vbc.exe (PID: 2316)
      • tuc5.exe (PID: 2940)
      • tuc5.tmp (PID: 2852)
      • ama.exe (PID: 3828)
      • Utsysc.exe (PID: 4024)
      • jjj.exe (PID: 2120)
      • %E5%8F%91%E7%A5%A8%E7%94%B5%E8%84%91%E7%89%88-%E7%BB%88%E7%AB%AF_sos.exe (PID: 4396)
      • tuc3.exe (PID: 4880)
      • tuc3.tmp (PID: 4892)
      • etopt.exe (PID: 1380)
      • Utsysc.exe (PID: 6248)
      • Fineone.exe (PID: 6240)
      • 3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe (PID: 6448)
      • 3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe (PID: 6776)
      • tuc4.exe (PID: 7800)
      • up.exe (PID: 7820)
      • tuc4.tmp (PID: 7828)
      • timeSync.exe (PID: 7856)
      • VLTKBacdau.exe (PID: 8664)
      • 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 10104)
      • Cheat.exe (PID: 8476)
      • data64_1.exe (PID: 2676)
      • Cheat.tmp (PID: 8036)
      • Fineone.exe (PID: 9540)
      • Update_new.exe (PID: 12340)
      • Utsysc.exe (PID: 2896)
      • csaff.exe (PID: 14288)
      • csaff.exe (PID: 14240)
      • CoinSurf.WPF.exe (PID: 12948)
      • Update.exe (PID: 12412)
      • csen.exe (PID: 14988)
      • csen.exe (PID: 15248)
      • CoinSurf.WPF.exe (PID: 15444)
      • csen.exe (PID: 12944)
      • Update.exe (PID: 15584)
      • 1230.exe (PID: 15676)
      • csen.exe (PID: 15468)
      • CoinSurf.WPF.exe (PID: 16204)
      • SynapseExploit.exe (PID: 12756)
      • AppLaunch.exe (PID: 14988)
      • csen.exe (PID: 14044)
      • 6.exe (PID: 15112)
      • VLTKNhatRac.exe (PID: 17712)
      • 7112.exe (PID: 2960)
      • cp.exe (PID: 18948)
      • Fineone.exe (PID: 19376)
      • Utsysc.exe (PID: 19364)
      • XRJNZC.exe (PID: 19404)
      • hv.exe (PID: 19640)
      • b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe (PID: 19884)
      • 12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe (PID: 16716)
      • 12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe (PID: 13232)
      • cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe (PID: 17980)
      • RegAsm.exe (PID: 21824)
      • plink.exe (PID: 19800)
      • pdf.exe (PID: 22300)
      • vbc.exe (PID: 22380)
      • c42b27e42760a1e1812ef9db5f9abb3424c5f9fb5390b006b0a39f6b28cc259c.exe (PID: 22404)
      • route.exe (PID: 20364)
      • dart.exe (PID: 20052)
      • savesinto.exe (PID: 21512)
      • c42b27e42760a1e1812ef9db5f9abb3424c5f9fb5390b006b0a39f6b28cc259c.exe (PID: 22716)
      • Vnloubk.exe (PID: 23312)
      • lve.exe (PID: 23040)
      • Vnloubk.exe (PID: 20768)
      • WmiPrvSE.exe (PID: 23144)
      • dusers.exe (PID: 23548)
      • Users.exe (PID: 23628)
      • socks5-clean.exe (PID: 24372)
      • new.exe (PID: 23392)
      • Screensaver.exe (PID: 23928)
      • wmild.exe (PID: 23792)
      • vbc.exe (PID: 24276)
      • chcp.com (PID: 22396)
      • InstallUtil.exe (PID: 11260)
      • Rby1.exe (PID: 22660)
      • wmild.exe (PID: 23292)
      • 9QJfkfHSWBwacUcyDAW8LtYW.exe (PID: 24796)
      • tidex_-_short_stuff.exe (PID: 24332)
      • w-12.exe (PID: 23332)
      • toolspub2.exe (PID: 24308)
      • toolspub2.exe (PID: 24628)
      • BroomSetup.exe (PID: 24888)
      • wmild.exe (PID: 25316)
      • lIvfiq221cf5b7jvEzPY9Chg.exe (PID: 24856)
      • nsaC0EF.tmp (PID: 25404)
      • HEdpiTWQQlsQhrfS8XyM4Jo0.exe (PID: 25616)
      • O4DZLnetrqSDxICNAaEOQbyF.exe (PID: 26040)
      • Utsysc.exe (PID: 25816)
      • Fineone.exe (PID: 25832)
      • WiUK1tguKP0xk2jOeUkJ6fzv.exe (PID: 25992)
      • u9KKdnYh9PdX8YuCuE3Ueul5.exe (PID: 27856)
      • XRJNZC.exe (PID: 25804)
      • tungbot.exe (PID: 28068)
      • icsys.icn.exe (PID: 28140)
      • Otte-Locker.exe (PID: 28160)
      • tungbot.exe  (PID: 28128)
      • explorer.exe (PID: 28272)
      • spoolsv.exe (PID: 28300)
      • svchost.exe (PID: 28316)
      • spoolsv.exe (PID: 28344)
      • WinlockerBuilderv5.exe (PID: 28744)
      • Temp3.exe (PID: 28944)
      • %E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe (PID: 29160)
      • %E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.tmp (PID: 29228)
      • Windows Security Client.exe (PID: 29316)
      • jusched.exe (PID: 29272)
      • WinlockerBuilderv5.exe (PID: 29408)
      • svshost.exe (PID: 29280)
      • upx_compresser.exe (PID: 29460)
      • taskhost.exe (PID: 29596)
      • upx_compresser.exe (PID: 29440)
      • taskhost.exe (PID: 29632)
    • Manual execution by a user

      • 4363463463464363463463463.bin.exe (PID: 2192)
      • 4363463463464363463463463.bin.exe (PID: 1740)
      • 4363463463464363463463463.bin.exe (PID: 796)
      • 4363463463464363463463463.bin.exe (PID: 1936)
      • WinRAR.exe (PID: 5760)
      • WinRAR.exe (PID: 5496)
      • msedge.exe (PID: 12136)
      • csaff.exe (PID: 14288)
      • msedge.exe (PID: 17820)
      • WinRAR.exe (PID: 20364)
      • WinRAR.exe (PID: 21088)
    • Reads Environment values

      • 4363463463464363463463463.bin.exe (PID: 1740)
      • 4363463463464363463463463.bin.exe (PID: 2080)
      • 4363463463464363463463463.bin.exe (PID: 796)
      • up.exe (PID: 7820)
      • VLTKBacdau.exe (PID: 8664)
      • CoinSurf.WPF.exe (PID: 12948)
      • Update_new.exe (PID: 12340)
      • CoinSurf.WPF.exe (PID: 16204)
      • AppLaunch.exe (PID: 14988)
      • 6.exe (PID: 15112)
      • VLTKNhatRac.exe (PID: 17712)
      • RegAsm.exe (PID: 21824)
      • vbc.exe (PID: 22380)
      • savesinto.exe (PID: 21512)
      • WmiPrvSE.exe (PID: 23144)
      • InstallUtil.exe (PID: 11260)
      • tungbot.exe (PID: 28128)
      • WinlockerBuilderv5.exe (PID: 28744)
      • Temp3.exe (PID: 28944)
      • jusched.exe (PID: 29272)
    • Process drops legitimate windows executable

      • tuc6.tmp (PID: 2736)
      • tuc2.tmp (PID: 1904)
      • adobe.tmp (PID: 3204)
      • tuc7.tmp (PID: 2504)
      • tuc5.tmp (PID: 2852)
      • tuc3.tmp (PID: 4892)
      • 4363463463464363463463463.bin.exe (PID: 1740)
      • tuc4.tmp (PID: 7828)
      • Update.exe (PID: 12412)
      • CoinSurf.WPF.exe (PID: 12948)
      • jusched.exe (PID: 29272)
    • Creates files in the program directory

      • tuc6.tmp (PID: 2736)
      • cloudpanelcrt.exe (PID: 2568)
      • tuc2.tmp (PID: 1904)
      • adobe.tmp (PID: 3204)
      • tuc7.tmp (PID: 2504)
      • tuc5.tmp (PID: 2852)
      • tuc3.tmp (PID: 4892)
      • etopt.exe (PID: 1380)
      • cloudpanelcrt.exe (PID: 2760)
      • tuc4.tmp (PID: 7828)
      • CoinSurf.WPF.exe (PID: 12948)
      • cp.exe (PID: 18948)
      • savesinto.exe (PID: 21512)
      • lve.exe (PID: 23040)
    • Checks proxy server information

      • npp.exe (PID: 1560)
      • sysplorsv.exe (PID: 2792)
      • 937228412.exe (PID: 3044)
      • Fineone.exe (PID: 3252)
      • 2667019473.exe (PID: 3776)
      • Utsysc.exe (PID: 4024)
      • %E5%8F%91%E7%A5%A8%E7%94%B5%E8%84%91%E7%89%88-%E7%BB%88%E7%AB%AF_sos.exe (PID: 4396)
      • rundll32.exe (PID: 5416)
      • rundll32.exe (PID: 5780)
      • etopt.exe (PID: 1380)
      • timeSync.exe (PID: 7856)
      • up.exe (PID: 7820)
      • 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 10104)
      • data64_1.exe (PID: 2676)
      • cloudpanelcrt.exe (PID: 2760)
      • 1230.exe (PID: 15676)
      • plink.exe (PID: 19800)
      • explorer.exe (PID: 6208)
      • lIvfiq221cf5b7jvEzPY9Chg.exe (PID: 24856)
      • nsaC0EF.tmp (PID: 25404)
    • Creates files or folders in the user directory

      • npp.exe (PID: 1560)
      • sysplorsv.exe (PID: 2792)
      • 937228412.exe (PID: 3044)
      • fcc.exe (PID: 392)
      • 2667019473.exe (PID: 3776)
      • Utsysc.exe (PID: 4024)
      • up.exe (PID: 7820)
      • etopt.exe (PID: 1380)
      • 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 10104)
      • Update.exe (PID: 12412)
      • csaff.exe (PID: 14288)
      • CoinSurf.WPF.exe (PID: 12948)
      • Update.exe (PID: 15584)
      • CoinSurf.WPF.exe (PID: 16204)
      • Users.exe (PID: 23628)
      • InstallUtil.exe (PID: 11260)
      • lIvfiq221cf5b7jvEzPY9Chg.exe (PID: 24856)
      • svchost.exe (PID: 28316)
    • Drops 7-zip archiver for unpacking

      • tuc6.tmp (PID: 2736)
      • tuc2.tmp (PID: 1904)
      • adobe.tmp (PID: 3204)
      • tuc7.tmp (PID: 2504)
      • tuc5.tmp (PID: 2852)
      • tuc3.tmp (PID: 4892)
      • tuc4.tmp (PID: 7828)
    • Process drops SQLite DLL files

      • tuc6.tmp (PID: 2736)
      • tuc2.tmp (PID: 1904)
      • adobe.tmp (PID: 3204)
      • tuc7.tmp (PID: 2504)
      • tuc5.tmp (PID: 2852)
      • tuc3.tmp (PID: 4892)
      • tuc4.tmp (PID: 7828)
    • Starts itself from another location

      • 57872092.exe (PID: 2404)
      • ama.exe (PID: 3828)
      • tungbot.exe (PID: 28068)
      • explorer.exe (PID: 28272)
      • spoolsv.exe (PID: 28300)
      • icsys.icn.exe (PID: 28140)
      • svchost.exe (PID: 28316)
      • Temp3.exe (PID: 28944)
      • WinlockerBuilderv5.exe (PID: 28744)
      • upx_compresser.exe (PID: 29460)
    • Steals credentials

      • rundll32.exe (PID: 5416)
    • The process executes via Task Scheduler

      • Utsysc.exe (PID: 6248)
      • Fineone.exe (PID: 6240)
      • Utsysc.exe (PID: 2896)
      • Fineone.exe (PID: 9540)
      • Fineone.exe (PID: 19376)
      • Utsysc.exe (PID: 19364)
      • XRJNZC.exe (PID: 25804)
      • Fineone.exe (PID: 25832)
      • Utsysc.exe (PID: 25816)
    • Application launched itself

      • 3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe (PID: 6448)
      • msedge.exe (PID: 12136)
      • msedge.exe (PID: 17820)
      • msedge.exe (PID: 17548)
      • 12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe (PID: 13232)
      • c42b27e42760a1e1812ef9db5f9abb3424c5f9fb5390b006b0a39f6b28cc259c.exe (PID: 22404)
      • Vnloubk.exe (PID: 23312)
      • toolspub2.exe (PID: 24308)
      • upx_compresser.exe (PID: 29440)
      • taskhost.exe (PID: 29596)
      • upx_compresser.exe (PID: 29768)
    • Reads product name

      • up.exe (PID: 7820)
      • AppLaunch.exe (PID: 14988)
      • 6.exe (PID: 15112)
      • RegAsm.exe (PID: 21824)
      • vbc.exe (PID: 22380)
      • savesinto.exe (PID: 21512)
      • WmiPrvSE.exe (PID: 23144)
    • Process checks are UAC notifies on

      • Update_new.exe (PID: 12340)
      • Rby1.exe (PID: 22660)
    • Writes files like Keylogger logs

      • 6.exe (PID: 15112)
      • 4363463463464363463463463.bin.exe (PID: 2080)
    • Executed via WMI

      • schtasks.exe (PID: 22544)
      • schtasks.exe (PID: 20796)
      • schtasks.exe (PID: 20776)
      • schtasks.exe (PID: 21352)
      • schtasks.exe (PID: 22604)
      • schtasks.exe (PID: 22560)
      • schtasks.exe (PID: 22640)
      • schtasks.exe (PID: 22576)
      • schtasks.exe (PID: 22624)
      • schtasks.exe (PID: 22876)
      • schtasks.exe (PID: 22936)
      • schtasks.exe (PID: 22948)
      • schtasks.exe (PID: 22916)
      • schtasks.exe (PID: 22972)
      • schtasks.exe (PID: 22668)
      • schtasks.exe (PID: 22824)
      • schtasks.exe (PID: 22992)
      • schtasks.exe (PID: 23004)
      • schtasks.exe (PID: 22804)
      • schtasks.exe (PID: 22744)
      • schtasks.exe (PID: 22860)
      • schtasks.exe (PID: 22788)
      • schtasks.exe (PID: 22700)
      • schtasks.exe (PID: 22760)
      • schtasks.exe (PID: 22896)
      • schtasks.exe (PID: 22840)
      • schtasks.exe (PID: 22684)
      • schtasks.exe (PID: 23112)
      • schtasks.exe (PID: 23152)
      • schtasks.exe (PID: 23204)
      • schtasks.exe (PID: 23236)
      • schtasks.exe (PID: 23276)
      • schtasks.exe (PID: 23320)
      • schtasks.exe (PID: 23356)
      • schtasks.exe (PID: 23028)
      • schtasks.exe (PID: 23072)
      • schtasks.exe (PID: 23096)
      • schtasks.exe (PID: 23056)
      • schtasks.exe (PID: 23128)
      • schtasks.exe (PID: 23336)
      • schtasks.exe (PID: 23440)
      • schtasks.exe (PID: 23416)
      • schtasks.exe (PID: 23480)
      • schtasks.exe (PID: 23528)
      • schtasks.exe (PID: 23500)
      • schtasks.exe (PID: 23512)
      • schtasks.exe (PID: 23672)
      • schtasks.exe (PID: 23552)
      • schtasks.exe (PID: 23568)
      • schtasks.exe (PID: 23588)
      • schtasks.exe (PID: 23600)
      • schtasks.exe (PID: 23624)
      • schtasks.exe (PID: 23640)
      • schtasks.exe (PID: 23656)
      • schtasks.exe (PID: 23376)
      • schtasks.exe (PID: 23388)
      • schtasks.exe (PID: 23464)
    • Executes as Windows Service

      • Vnloubk.exe (PID: 23312)
    • Reads CPU info

      • lve.exe (PID: 23040)
    • The executable file from the user directory is run by the CMD process

      • wmild.exe (PID: 23792)
      • wmild.exe (PID: 23292)
      • wmild.exe (PID: 25316)
    • Reads the Internet Settings

      • explorer.exe (PID: 6208)

RedLine

Process: vbc.exe (PID: 1316)
C2 (1): 51.210.137.6:47909
Botnet: LogsDiller Cloud (Telegram: @logsdillabot)
Options
ErrorMessage:
Keys
Xor: Conformity

Process: vbc.exe (PID: 2316)
C2 (1): 149.28.205.74:2470
Botnet: socicalbot
Options
ErrorMessage:
Keys
Xor: Overcloud

Process: AppLaunch.exe (PID: 14988)
C2 (1): 45.15.156.167:80
Botnet: @ssmvw2
Options
ErrorMessage: Click Close to exit the program. Error code: 1142
Keys
Xor: Eucalypti

AsyncRat

Process: windows.exe (PID: 1772)
C2 (2): 127.0.0.1, 185.169.180.209
Ports (1): 1604
Botnet: Default
Version: 1.0.7
Options
AutoRun: false
Mutex: DcRatMutex_qwqdanchun
InstallFolder: %AppData%
BSoD: false
AntiVM: false
Certificates
Cert1: MIICKTCCAZKgAwIBAgIVAJLa5o5uunlhTPkS6D+ElxUOlWixMA0GCSqGSIb3DQEBDQUAMF0xDjAMBgNVBAMMBWRldmlsMRMwEQYDVQQLDApxd3FkYW5jaHVuMRwwGgYDVQQKDBNEY1JhdCBCeSBxd3FkYW5jaHVuMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjIxMjA3MTIyMDQ2WhcNMzMwOTE1MTIyMDQ2WjAQMQ4wDAYDVQQDDAVEY1JhdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA...
Server_Signature: a/vMif/Q/wROCLRLshsH5tdoi+Vlji48gVFCa2VO+0Mi3MT8STZSGo95k4fDVFGiTiIGr7B2EhGwgMykEzcIVzPu+MHddHH9o1DoVp70IcluTvaqbnwP6R0/XXw895bcG1+IddLTw9afHFS1e3DA9Lea3idYXBHpMtuN0qmg/i0=
Keys
AES: 3090d3c207571fa6adc20ce48c901a29e80712e1d8b4ac5e633b2fa213ce8d20
Salt: DcRatByqwqdanchun

Arkei

Process: data64_1.exe (PID: 2676)
C2 (1): http://gg.gemkan.online/gate.php
Strings (618)

MarsStealer

Process: data64_1.exe (PID: 2676)
C2: gg.gemkan.online/gate.php
Keys
XOR
Base64_Encoded_Key: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Purpose: C2 domain
Base64_Encoded_Key: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Purpose: C2 route
Base64_Encoded_Key: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Purpose: Code encryption
Strings (618)LoadLibraryA
GetProcAddress
ExitProcess
advapi32.dll
crypt32.dll
GetTickCount
Sleep
GetUserDefaultLangID
CreateMutexA
GetLastError
HeapAlloc
GetProcessHeap
GetComputerNameA
VirtualProtect
GetCurrentProcess
VirtualAllocExNuma
GetUserNameA
CryptStringToBinaryA
HAL9TH
JohnDoe
21/04/2022 20:00:00
http://
Default
%hu/%hu/%hu %hu:%hu:%hu
open
sqlite3.dll
C:\ProgramData\sqlite3.dll
freebl3.dll
C:\ProgramData\freebl3.dll
mozglue.dll
C:\ProgramData\mozglue.dll
msvcp140.dll
C:\ProgramData\msvcp140.dll
nss3.dll
C:\ProgramData\nss3.dll
softokn3.dll
C:\ProgramData\softokn3.dll
vcruntime140.dll
C:\ProgramData\vcruntime140.dll
.zip
Tag:
IP: IP?
Country: Country?
Working Path:
Local Time:
TimeZone:
Display Language:
Keyboard Languages:
Is Laptop:
Processor:
Installed RAM:
OS:
(
Bit)
Videocard:
Display Resolution:
PC name:
User name:
Domain name:
MachineID:
GUID:
Installed Software:
system.txt
Grabber\%s.zip
%APPDATA%
%LOCALAPPDATA%
%USERPROFILE%
%DESKTOP%
Wallets\
Ethereum
\Ethereum\
keystore
Electrum
\Electrum\wallets\
*.*
ElectrumLTC
\Electrum-LTC\wallets\
Exodus
\Exodus\
exodus.conf.json
window-state.json
\Exodus\exodus.wallet\
passphrase.json
seed.seco
info.seco
ElectronCash
\ElectronCash\wallets\
default_wallet
MultiDoge
\MultiDoge\
multidoge.wallet
JAXX
\jaxx\Local Storage\
file__0.localstorage
Atomic
\atomic\Local Storage\leveldb\
000003.log
CURRENT
LOCK
LOG
MANIFEST-000001
0000*
Binance
\Binance\
app-store.json
Coinomi
\Coinomi\Coinomi\wallets\
*.wallet
*.config
*wallet*.dat
GetSystemTime
lstrcatA
SystemTimeToFileTime
ntdll.dll
sscanf
memset
memcpy
wininet.dll
user32.dll
gdi32.dll
netapi32.dll
psapi.dll
bcrypt.dll
vaultcli.dll
shlwapi.dll
shell32.dll
gdiplus.dll
ole32.dll
dbghelp.dll
CreateFileA
WriteFile
CloseHandle
GetFileSize
lstrlenA
LocalAlloc
GlobalFree
ReadFile
OpenProcess
SetFilePointer
SetEndOfFile
GetCurrentProcessId
GetLocalTime
GetTimeZoneInformation
GetUserDefaultLocaleName
LocalFree
GetSystemPowerStatus
GetSystemInfo
GlobalMemoryStatusEx
IsWow64Process
GetTempPathA
GetLocaleInfoA
GetFileSizeEx
GetFileAttributesA
FindFirstFileA
FindNextFileA
FindClose
GetCurrentDirectoryA
CopyFileA
DeleteFileA
lstrcmpW
GlobalAlloc
FreeLibrary
SetCurrentDirectoryA
CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
FileTimeToSystemTime
GetFileInformationByHandle
GlobalLock
GlobalSize
WideCharToMultiByte
GetWindowsDirectoryA
GetVolumeInformationA
GetVersionExA
GetModuleFileNameA
CreateFileW
CreateFileMappingW
MultiByteToWideChar
CreateThread
GetEnvironmentVariableA
SetEnvironmentVariableA
lstrcpyA
lstrcpynA
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
InternetCloseHandle
InternetReadFile
InternetSetOptionA
InternetOpenUrlA
InternetCrackUrlA
wsprintfA
CharToOemW
GetKeyboardLayoutList
EnumDisplayDevicesA
ReleaseDC
GetDC
GetSystemMetrics
GetDesktopWindow
GetWindowRect
GetWindowDC
CloseWindow
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
GetCurrentHwProfileA
RegEnumKeyExA
RegGetValueA
CreateDCA
GetDeviceCaps
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
StretchBlt
GetObjectW
GetDIBits
SaveDC
CreateDIBSection
DeleteDC
RestoreDC
DsRoleGetPrimaryDomainInformation
GetModuleFileNameExA
CryptUnprotectData
BCryptCloseAlgorithmProvider
BCryptDestroyKey
BCryptOpenAlgorithmProvider
BCryptSetProperty
BCryptGenerateSymmetricKey
BCryptDecrypt
VaultOpenVault
VaultCloseVault
VaultEnumerateItems
VaultGetItemWin8
VaultGetItemWin7
VaultFree
StrCmpCA
StrStrA
PathMatchSpecA
SHGetFolderPathA
ShellExecuteExA
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdiplusStartup
GdiplusShutdown
GdipSaveImageToStream
GdipDisposeImage
GdipFree
CreateStreamOnHGlobal
GetHGlobalFromStream
SymMatchString
HEAD
HTTP/1.1
GET
POST
file
Content-Type: multipart/form-data; boundary=----
Content-Disposition: form-data; name="
Content-Disposition: form-data; name="file"; filename="
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
SOFT:
PROF: ?
PROF:
HOST:
USER:
PASS:
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
"}
PATH
PATH=
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
SELECT origin_url, username_value, password_value FROM logins
Cookies\%s_%s.txt
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
TRUE
FALSE
Autofill\%s_%s.txt
SELECT name, value FROM autofill
CC\%s_%s.txt
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Card number:
Name on card:
Expiration date:
History\%s_%s.txt
SELECT url FROM urls
Downloads\%s_%s.txt
SELECT target_path, tab_url from downloads
Login Data
Cookies
Web Data
History
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
logins.json
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places
cookies.sqlite
formhistory.sqlite
places.sqlite
\Local State
..\profiles.ini
C:\ProgramData\
Chrome
\Google\Chrome\User Data
ChromeBeta
\Google\Chrome Beta\User Data
ChromeCanary
\Google\Chrome SxS\User Data
Chromium
\Chromium\User Data
Edge_Chromium
\Microsoft\Edge\User Data
Kometa
\Kometa\User Data
Amigo
\Amigo\User Data
Torch
\Torch\User Data
Orbitum
\Orbitum\User Data
Comodo
\Comodo\Dragon\User Data
Nichrome
\Nichrome\User Data
Maxthon5
\Maxthon5\Users
Sputnik
\Sputnik\User Data
EPB
\Epic Privacy Browser\User Data
Vivaldi
\Vivaldi\User Data
CocCoc
\CocCoc\Browser\User Data
Uran
\uCozMedia\Uran\User Data
QIP
\QIP Surf\User Data
Cent
\CentBrowser\User Data
Elements
\Elements Browser\User Data
TorBro
\TorBro\Profile
CryptoTab
\CryptoTab Browser\User Data
Brave
\BraveSoftware\Brave-Browser\User Data
Opera
\Opera Software\Opera Stable\
OperaGX
\Opera Software\Opera GX Stable\
OperaNeon
\Opera Software\Opera Neon\User Data
Firefox
\Mozilla\Firefox\Profiles\
SlimBrowser
\FlashPeak\SlimBrowser\Profiles\
PaleMoon
\Moonchild Productions\Pale Moon\Profiles\
Waterfox
\Waterfox\Profiles\
Cyberfox
\8pecxstudios\Cyberfox\Profiles\
BlackHawk
\NETGATE Technologies\BlackHawk\Profiles\
IceCat
\Mozilla\icecat\Profiles\
KMeleon
\K-Meleon\
Thunderbird
\Thunderbird\Profiles\
passwords.txt
ibnejdfjmmkpcnlpebklmnkoeoihofec
TronLink
nkbihfbeogaeaoehlefnkodbefgpgknn
MetaMask
fhbohimaelbohpjbbldcngcnapndodjp
Binance Chain Wallet
ffnbelfdoeiohenkjibnmadjiehjhajb
Yoroi
jbdaocneiiinmjbjlgalhcelgbejmnid
Nifty Wallet
afbcbjpbpfadlkmhmclhkeeodmamcflc
Math Wallet
hnfanknocfeofbddgcijnmhnfnkdnaad
Coinbase Wallet
hpglfhgfnhbgpjdenjgmdgoeiappafln
Guarda
blnieiiffboillknjnepogjhkgnoapac
EQUAL Wallet
cjelfplplebdjjenllpjcblmjkfcffne
Jaxx Liberty
fihkakfobkmkjojpchpfgcmhfjnmnfpi
BitApp Wallet
kncchdigobghenbbaddojjnnaogfppfj
iWallet
amkmjjmmflddogmhpjloimipbofnfjih
Wombat
nlbmnnijcnlegkjjpcfjclmcfggfefdm
MEW CX
nanjmdknhkinifnkgdcggcfnhdaammmj
GuildWallet
nkddgncdjgjfcddamfgcmfnlhccnimig
Saturn Wallet
fnjhmkhhmkbjkkabndcnnogagogbneec
Ronin Wallet
cphhlgmgameodnhkjdmkpanlelnlohao
NeoLine
nhnkbkgjikgcigadomkphalanndcapjk
Clover Wallet
kpfopkelmapcoipemfendmdcghnegimn
Liquality Wallet
aiifbnbfobpmeekipheeijimdpnlpgpp
Terra Station
dmkamcknogkgcdfhhbddcghachkejeap
Keplr
fhmfendgdocmcbmfikdcogofphimnkno
Sollet
cnmamaachppnkjgnildpdmkaakejnhae
Auro Wallet
jojhfeoedkpkglbfimdfabpdfjaoolaf
Polymesh Wallet
flpiciilemghbmfalicajoolhkkenfel
ICONex
nknhiehlklippafakaeklbeglecifhad
Nabox Wallet
hcflpincpppdclinealmandijcmnkbgn
KHC
ookjlbkiijinhpmnjffcofjonbfbgaoc
Temple
mnfifefkajgofkcjkemidiaecocnkjeh
TezBox
dkdedlpgdmmkkfjabffeganieamfklkm
Cyano Wallet
nlgbhdfgdhgbiamfdfmbikcdghidoadd
Byone
infeboajgfhgbjpjbeppbkgnabfdkdaf
OneKey
cihmoadaighcejopammfbmddcmdekcje
LeafWallet
lodccjjbdhfakaekdiahmedfbieldgik
DAppPlay
ijmpgkjfkbfhoebgogflfebnmejmfbml
BitClip
lkcjlnjfpbikmcmbachjpdbijejflpcm
Steem Keychain
onofpnbbkehpmmoabgpcpmigafmmnjhl
Nash Extension
bcopgchhojmggmffilplmbdicgaihlkp
Hycon Lite Client
klnaejjgbibmhlephnhpmaofohgkpgkd
ZilPay
aeachknmefphepccionboohckonoeemg
Coin98 Wallet
bfnaelmomeimhlpmgjnjophhpkkoljpa
Phantom
hifafgmccdpekplomjjkcfgodnhcellj
Crypto.com
dngmlblcodfobpdpecaadgfbcggfjfnm
Maiar DeFi Wallet
ppdadbejkmjnefldpcdjhnkpbjkikoip
Oasis
hpbgcgmiemanfelegbndmhieiigkackl
MonstaWallet
fcckkdbjnoikooededlapcalpionmalo
MOBOX
jccapkebeeiajkkdemacblkjhhhboiek
Crust Wallet
mgffkfbidihjpoaomajlbgchddlicgpn
Pali Wallet
nphplpgoakhhjchkkhmiggakijnkhfnd
TON Wallet
ldinpeekobnhjjdofggfgjlcehhmanlj
Hiro Wallet
pocmplpaccanhmnllbbkpgfliimjljgo
Slope Wallet
bhhhlbepdkbapadjdnnojkbgioiodbic
Solflare Wallet
pgiaagfkgcbnmiiolekcfmljdagdhlcm
Stargazer Wallet
cgeeodpfagjceefieflmdfphplkenlfk
EVER Wallet
gjkdbeaiifkpoencioahhcilildpjhgh
partisia-wallet
bgjogpoidejdemgoochpnkmdjpocgkha
Ecto Wallet
ifckdpamphokdglkkdomedpdegcjhjdp
ONTO Wallet
agechnindjilpccclelhlbjphbgnobpf
Fractal Wallet
algblmhagnobbnmakepomicmfljlbehg
ADS Wallet
imijjbmbnebfnbmonjeileijahaipglj
Moonlet Wallet
kpjdchaapjheajadlaakiiigcbhoppda
ZEBEDEE
dlcobpjiigpikoobohmabehhmhfoodbb
Argent X StarkNet Wallet
bofddndhbegljegmpmnlbhcejofmjgbn
X-Wallet
mapbhaebnddapnmifbbkgeedkeplgjmf
Biport Wallet
kfdniefadaanbjodldohaedphafoffoh
Typhon Wallet
jaooiolkmfcmloonphpiiogkfckgciom
Twetch Wallet
aijcbedoijmgnlmjeegjaglmepbmpkpi
Leap Wallet
fhfffofbcgbjjojdnpcfompojdjjhdim
Lamden Wallet
agkfnefiabmfpanochlcakggnkdfmmjd
Earth Wallet
lpfcbjknijpeeillifnkikgncikgfhdo
Nami
fecfflganphcinpahcklgahckeohalog
Coin Wallet
ilhaljfiglknggcoegeknjghdgampffk
Beam Web Wallet
dklmlehijiaepdijfnbbhncfpcoeeljf
FShares Wallet
fkhebcilafocjhnlcngogekljmllgdhd
WAGMIswap.io Wallet
laphpbhjhhgigmjoflgcchgodbbclahk
BLUE - Worlds Safest and Simplest Wallet
mkjjflkhdddfjhonakofipfojoepfndk
Unification Web Wallet
jnldfbidonfeldmalbflbmlebbipcnle
Infinity Wallet
ellkdbaphhldpeajbepobaecooaoafpg
Fetch.ai Network Wallet
iokeahhehimjnekafflcihljlcjccdbe
Alby Wallet
omajpeaffjgmlpmhbfdjepdejoemifpe
xBull Wallet
pgojdfajgcjjpjnbpfaelnpnjocakldb
Sugarchain Wallet
pnndplcbkakcplkjnolgbkdgjikjednm
Tronium
fnnegphlobjdpkhecapkijjdkgcjhkib
Harmony
fhilaheimglignddkjgofkcbgekhenbh
Oxygen
cmbagcoinhmacpcgmbiniijboejgiahi
JustLiquidity Wallet
kmmolakhbgdlpkjkcjkebenjheonagdm
AlgoSigner
fnabdmcgpkkjjegokfcnfbpneacddpfh
Goldmint Lite Wallet
bgpipimickeadkjlklgciifhnalhdjhe
GeroWallet
hoighigmnhgkkdaenafgnefkcmipfjon
EO.Finance
nlgnepoeokdfodgjkjiblkadkjbdfmgd
Multi Wallet
nhihjlnjgibefgjhobhcphmnckoogdea
Waves Enterprise Wallet
ehibhohmlpipbaogcknmpmiibbllplph
Bluehelix Wallet
magbanejlegnbcppjljfhnmfmghialkl
Nebulas Wallet
fgkaeeikaoeiiggggbgdcjchmdfmamla
Vtimes
pnlfjmlcjdjgkddecgincndfgegkecke
Crocobit Wallet
bhghoamapcdpbohphigoooaddinpkbai
Authenticator
gaedmjdfmmahhbjefcbgaolhhanlaolb
Authy
oeljdldpnmdbchonielidgobddffflal
EOS Authenticator
ilgcnhelpchnceeipipijaljkblbcobl
GAuth Authenticator
imloifkgjagghnncjkhggdhalmcnfklk
Trezor Password Manager
%s\%s\Local Extension Settings\%s
%s\CURRENT
%s\%s\Sync Extension Settings\%s
%s\%s\IndexedDB\chrome-extension_%s_0.indexeddb.leveldb
Plugins\
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
x64
x86
DISPLAY
SOFTWARE\Microsoft\Cryptography
MachineGuid
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
DisplayVersion
screenshot.jpg
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
/c timeout /t 5 & del /f /q "%s" & exit
C:\Windows\System32\cmd.exe
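The three `%s` templates above (`Local Extension Settings`, `Sync Extension Settings`, and the `chrome-extension_%s_0.indexeddb.leveldb` IndexedDB store) are how the stealer turns the extension list into LevelDB paths to copy. The Python below is an added example, not code from the report or from the malware: it reproduces those templates to audit which targeted extension stores exist under a Chromium `User Data` directory. The placeholder order (user-data dir, profile name, extension ID) is assumed from the templates; the ID subset is copied from the list above; the profile tree is constructed in a temp dir so the script runs offline.

```python
import os
import tempfile

# Extension IDs and names copied from the target list in this report (a subset).
TARGETED_EXTENSIONS = {
    "bgjogpoidejdemgoochpnkmdjpocgkha": "Ecto Wallet",
    "ifckdpamphokdglkkdomedpdegcjhjdp": "ONTO Wallet",
    "lpfcbjknijpeeillifnkikgncikgfhdo": "Nami",
    "bhghoamapcdpbohphigoooaddinpkbai": "Authenticator",
    "gaedmjdfmmahhbjefcbgaolhhanlaolb": "Authy",
    "imloifkgjagghnncjkhggdhalmcnfklk": "Trezor Password Manager",
}

# The three path templates from the strings section. The %s order
# (user_data, profile, ext_id) is an assumption made for this example.
PATH_TEMPLATES = (
    os.path.join("{user_data}", "{profile}", "Local Extension Settings", "{ext_id}"),
    os.path.join("{user_data}", "{profile}", "Sync Extension Settings", "{ext_id}"),
    os.path.join("{user_data}", "{profile}", "IndexedDB",
                 "chrome-extension_{ext_id}_0.indexeddb.leveldb"),
)

def chromium_profiles(user_data):
    """Return the profile directory names a Chromium-based browser may hold."""
    if not os.path.isdir(user_data):
        return []
    return sorted(name for name in os.listdir(user_data)
                  if name == "Default" or name.startswith("Profile "))

def exposed_extension_stores(user_data):
    """Map each targeted extension ID found under user_data to its store paths.

    A hit means the stealer's template resolves to an existing LevelDB
    directory, i.e. that extension's local state would be collected.
    """
    hits = {}
    for profile in chromium_profiles(user_data):
        for ext_id in TARGETED_EXTENSIONS:
            for template in PATH_TEMPLATES:
                path = template.format(user_data=user_data, profile=profile, ext_id=ext_id)
                if os.path.isdir(path):
                    hits.setdefault(ext_id, []).append(path)
    return hits

def build_sample_user_data():
    """Construct a fake 'User Data' tree with two targeted stores present."""
    root = tempfile.mkdtemp(prefix="userdata_")
    os.makedirs(os.path.join(root, "Default", "Local Extension Settings",
                             "bgjogpoidejdemgoochpnkmdjpocgkha"))
    os.makedirs(os.path.join(root, "Profile 1", "IndexedDB",
                             "chrome-extension_gaedmjdfmmahhbjefcbgaolhhanlaolb_0.indexeddb.leveldb"))
    # An extension that is not on the target list must not be reported.
    os.makedirs(os.path.join(root, "Default", "Local Extension Settings",
                             "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"))
    return root

def report(user_data):
    """One human-readable line per targeted extension found."""
    hits = exposed_extension_stores(user_data)
    return ["%s (%s): %d store(s)" % (TARGETED_EXTENSIONS[ext_id], ext_id, len(paths))
            for ext_id, paths in sorted(hits.items())]

if __name__ == "__main__":
    for line in report(build_sample_user_data()):
        print(line)
```

On a real host, point `exposed_extension_stores` at the browser's `User Data` directory (for Chrome on Windows, `%LOCALAPPDATA%\Google\Chrome\User Data`); the IDs a scan reports are the wallet and authenticator extensions whose state this sample would exfiltrate, so their seeds and tokens should be treated as exposed if the host was infected.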

Remcos

(PID) Process: (15112) 6.exe
C2 (9):
hendersonk1.hopto.org:2404
henderson1.camdvr.org:2404
centplus1.serveftp.com:2404
harrywlike.ddns.net:2404
genekol.nsupdate.info:2404
harrywlike1.ddns.net:2404
hendersonk2022.hopto.org:2404
genekol1.nsupdate.info:2404
generem.camdvr.org:2404
Botnet: RemoteHost
Options
Connect_interval: 1
Install_flag: False
Install_HKLM\Explorer\Run: 1
Install_HKLM\Winlogon\Shell: GY99V
Setup_path: %APPDATA%
Copy_file: sonic.exe
Startup_value: fuckuuuuu
Hide_file: False
Mutex_name: gsgjdwg-1J0WWM
Keylog_flag: 1
Keylog_path: %APPDATA%
Keylog_file: logs.dat
Keylog_crypt: False
Hide_keylog: True
Screenshot_flag: False
Screenshot_time: 5
Take_Screenshot: False
Screenshot_name: notepad;solitaire;
Screenshot_path: %APPDATA%
Screenshot_file: Screenshots
Screenshot_crypt: False
Mouse_option: False
Delete_file: False
Audio_record_time: 5
Audio_path: %APPDATA%
Audio_dir: MicRecords
Connect_delay: 0
Copy_dir: yakkk
Keylog_dir: chrome
Max_keylog_file: 20000

DcRat

(PID) Process: (23144) WmiPrvSE.exe
C2 (1): http://95.214.53.31/PrivateDownloadssql/_/packetUploadsDleBigload/voiddbCdn/Track/localvideobase/local9wordpress/3/better/Wp85mariadb/@zRWYvxmb39GZlRXY2lmcQB3dvV2R
Options
Tag: LUCIFER61
Mutex: DCR_MUTEX-b3ZBTGApWMjWckKzqWz8
savebrowsersdatatosinglefile: false
ignorepartiallyemptydata: false
cookies: true
passwords: true
forms: true
cc: true
history: false
telegram: true
steam: true
discord: true
filezilla: true
screenshot: true
clipboard: true
sysinfo: true
searchpath: %UsersFolder% - Fast
Target: ru
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:12:22 09:29:10+01:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 80
CodeSize: 5632
InitializedDataSize: 4608
UninitializedDataSize: -
EntryPoint: 0x3552
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 0.0.0.0
InternalName: 4363463463464363463463463.exe
LegalCopyright:
OriginalFileName: 4363463463464363463463463.exe
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
No data.
All screenshots are available in the full report
Total processes
450
Monitored processes
307
Malicious processes
67
Suspicious processes
21

Behavior graph

start #HAUSBOMBER 4363463463464363463463463.bin.exe #ASYNCRAT windows.exe 7120.exe no specs 4363463463464363463463463.bin.exe no specs #PHORPIEX 4363463463464363463463463.bin.exe npp.exe 4363463463464363463463463.bin.exe no specs #HAUSBOMBER 4363463463464363463463463.bin.exe tuc6.exe no specs tuc6.tmp no specs cloudpanelcrt.exe no specs #SOCKS5SYSTEMZ cloudpanelcrt.exe 57872092.exe no specs tuc2.exe no specs tuc2.tmp no specs build_2023-12-19_21-29.exe 659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe #PHORPIEX sysplorsv.exe opolis.exe 987123.exe 937228412.exe osm-client.exe adobe.exe no specs adobe.tmp no specs #AMADEY fineone.exe schtasks.exe no specs kb^fr_ouverture.exe 2667019473.exe 15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe no specs wscript.exe tel.exe fcc.exe jjj.exe #REDLINE vbc.exe cmd.exe no specs tuc7.exe no specs tuc7.tmp no specs #REDLINE vbc.exe tuc5.exe no specs tuc5.tmp no specs ama.exe no specs #AMADEY utsysc.exe schtasks.exe no specs %e5%8f%91%e7%a5%a8%e7%94%b5%e8%84%91%e7%89%88-%e7%bb%88%e7%ab%af_sos.exe tuc3.exe no specs tuc3.tmp no specs rundll32.exe netsh.exe no specs powershell.exe no specs winrar.exe no specs winrar.exe no specs rundll32.exe etopt.exe fineone.exe no specs utsysc.exe no specs 3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe no specs 3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe no specs tuc4.exe no specs up.exe tuc4.tmp no specs #STEALC timesync.exe vltkbacdau.exe 360ts_setup_mini_ww.marketator.cpi20230401_6.6.0.1054.exe cheat.exe no specs cheat.tmp no specs #ARKEI data64_1.exe no specs utsysc.exe no specs fineone.exe no specs msedge.exe msedge.exe no specs update_new.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs csaff.exe no specs csaff.exe no specs msedge.exe no specs msedge.exe no specs 
update.exe no specs msedge.exe no specs coinsurf.wpf.exe csen.exe no specs msedge.exe no specs msedge.exe no specs csen.exe csen.exe coinsurf.wpf.exe no specs csen.exe update.exe no specs #RACCOON 1230.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs coinsurf.wpf.exe synapseexploit.exe no specs csen.exe #REDLINE applaunch.exe #REMCOS 6.exe doublepulsar-1.3.1.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs vltknhatrac.exe 7112.exe no specs cp.exe no specs cmd.exe no specs timeout.exe no specs utsysc.exe no specs fineone.exe no specs xrjnzc.exe no specs schtasks.exe no specs hv.exe plink.exe b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe 12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe no specs cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe 12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe no specs winrar.exe no specs winrar.exe no specs #ARECHCLIENT2 regasm.exe pdf.exe no specs #REDLINE vbc.exe c42b27e42760a1e1812ef9db5f9abb3424c5f9fb5390b006b0a39f6b28cc259c.exe no specs dart.exe no specs route.exe no specs wscript.exe no specs cmd.exe no specs savesinto.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs c42b27e42760a1e1812ef9db5f9abb3424c5f9fb5390b006b0a39f6b28cc259c.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe 
no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs #PURPLEFOX lve.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs taskkill.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs vnloubk.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs vnloubk.exe no specs w32tm.exe no specs #DCRAT wmiprvse.exe dusers.exe no specs cmd.exe no specs users.exe no specs wscript.exe no specs ping.exe no specs wscript.exe no specs socks5-clean.exe no specs powershell.exe cmd.exe no specs chcp.com no specs new.exe ping.exe no specs wmild.exe screensaver.exe #REDLINE vbc.exe no specs wmild.exe reg.exe no specs ping.exe no specs rby1.exe no specs explorer.exe no specs explorer.exe powershell.exe no specs installutil.exe tidex_-_short_stuff.exe ntvdm.exe w-12.exe no specs ntvdm.exe no specs toolspub2.exe no specs toolspub2.exe no specs 9qjfkfhswbwacucydaw8ltyw.exe livfiq221cf5b7jvezpy9chg.exe broomsetup.exe no specs reg.exe no specs find.exe no specs reg.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs 
taskkill.exe no specs reg.exe no specs reg.exe no specs wmild.exe #STEALC nsac0ef.tmp hedpitwqqlsqhrfs8xym4jo0.exe no specs xrjnzc.exe no specs utsysc.exe no specs fineone.exe no specs wiuk1tgukp0xk2joeukj6fzv.exe no specs o4dzlnetrqsdxicnaaeoqbyf.exe no specs u9kkdnyh9pdx8yucue3ueul5.exe no specs tungbot.exe no specs tungbot.exe  icsys.icn.exe no specs otte-locker.exe explorer.exe no specs spoolsv.exe no specs svchost.exe spoolsv.exe no specs winlockerbuilderv5.exe temp3.exe schtasks.exe no specs %e5%88%9d%e5%a6%86%e5%8a%a9%e6%89%8b.exe no specs schtasks.exe no specs %e5%88%9d%e5%a6%86%e5%8a%a9%e6%89%8b.tmp no specs jusched.exe svshost.exe no specs windows security client.exe winlockerbuilderv5.exe no specs upx_compresser.exe no specs upx_compresser.exe taskhost.exe no specs taskhost.exe no specs svshost.exe no specs winlockerbuilderv5.exe no specs upx_compresser.exe no specs upx_compresser.exe no specs schtasks.exe no specs wmiprvse.exe no specs 4363463463464363463463463.bin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 296
CMD: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
Path: C:\Windows\System32\schtasks.exe
Parent process: Utsysc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 392
CMD: "C:\Windows\Temp\fcc.exe"
Path: C:\Windows\Temp\fcc.exe
Parent process: 15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\temp\fcc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
PID: 796
CMD: "C:\Users\admin\Desktop\4363463463464363463463463.bin.exe"
Path: C:\Users\admin\Desktop\4363463463464363463463463.bin.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\users\admin\desktop\4363463463464363463463463.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 956
CMD: C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Roaming\bebra.exe\bebra.exe
Path: C:\Windows\System32\cmd.exe
Parent process: fcc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 968
CMD: "C:\Users\admin\Desktop\Files\Opolis.exe"
Path: C:\Users\admin\Desktop\Files\Opolis.exe
Parent process: 4363463463464363463463463.bin.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\files\opolis.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 980
CMD: "C:\Users\admin\Desktop\Files\build_2023-12-19_21-29.exe"
Path: C:\Users\admin\Desktop\Files\build_2023-12-19_21-29.exe
Parent process: 4363463463464363463463463.bin.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\files\build_2023-12-19_21-29.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
PID: 1216
CMD: "C:\Users\admin\Desktop\Files\7120.exe"
Path: C:\Users\admin\Desktop\Files\7120.exe
Parent process: 4363463463464363463463463.bin.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\files\7120.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1316
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Parent process: tel.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
14.8.3761.0
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
RedLine
(PID) Process: (1316) vbc.exe
C2 (1): 51.210.137.6:47909
Botnet: LogsDiller Cloud (Telegram: @logsdillabot)
Options
ErrorMessage:
Keys
Xor: Conformity
PID: 1380
CMD: "C:\Users\admin\Desktop\Files\etopt.exe"
Path: C:\Users\admin\Desktop\Files\etopt.exe
Parent process: 4363463463464363463463463.bin.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\files\etopt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
PID: 1424
CMD: "C:\Users\admin\Desktop\Files\tuc2.exe"
Path: C:\Users\admin\Desktop\Files\tuc2.exe
Parent process: 4363463463464363463463463.bin.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
CloudPanelCRT Setup
Exit code:
5
Version:
Modules
Images
c:\users\admin\desktop\files\tuc2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
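Three of the process records above are worth turning into detection logic: PID 296 is the Amadey persistence pattern (a scheduled task created with `/SC MINUTE /MO 1` whose action lives under `AppData\Local\Temp`), PID 956 is `cmd.exe /c` launching a binary out of `AppData\Roaming`, and PID 1316 is the .NET compiler `vbc.exe` started by an unrelated parent (`tel.exe`) and carrying the RedLine configuration, the classic hollowed-host shape. The Python below is an added example, not code from the report: it runs those rules plus one for the `timeout /t 5 & del /f /q` self-delete string from the strings section over constructed process events. Events 296, 956 and 1316 are copied from the report; events 4242 and 5000 (the self-delete with a made-up target path, and a benign `msbuild.exe`-parented compiler run) are constructed controls.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str      # lower-case base name of the started executable
    cmdline: str
    parent: str     # lower-case base name of the parent image

# Events 296, 956 and 1316 are taken from the process information in this
# report; 4242 (self-delete command from the strings section, constructed
# target path) and 5000 (benign control) are constructed for the example.
SAMPLE_EVENTS = [
    ProcessEvent(296, "schtasks.exe",
                 '"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe '
                 '/TR "C:\\Users\\admin\\AppData\\Local\\Temp\\4fdb51ccdc\\Utsysc.exe" /F',
                 "utsysc.exe"),
    ProcessEvent(956, "cmd.exe",
                 "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\admin\\AppData\\Roaming\\bebra.exe\\bebra.exe",
                 "fcc.exe"),
    ProcessEvent(1316, "vbc.exe",
                 '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"',
                 "tel.exe"),
    ProcessEvent(4242, "cmd.exe",
                 'C:\\Windows\\System32\\cmd.exe /c timeout /t 5 & del /f /q '
                 '"C:\\Users\\admin\\Desktop\\Files\\build.exe" & exit',
                 "build.exe"),
    ProcessEvent(5000, "vbc.exe",
                 '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe" /noconfig @build.rsp',
                 "msbuild.exe"),
]

USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
SELF_DELETE = re.compile(r"\btimeout\s+/t\s+\d+\s*&\s*del\s+/f\s+/q\b", re.IGNORECASE)
ROAMING_LAUNCH = re.compile(r"/c\s+\S*\\AppData\\Roaming\\", re.IGNORECASE)
# .NET framework utilities commonly used as hollowed hosts for stealer payloads.
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "installutil.exe", "applaunch.exe"}
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}

def detect(event):
    """Return the list of rule names that fire for one process event."""
    cl = event.cmdline
    findings = []
    if event.image == "schtasks.exe" and re.search(r"/create\b", cl, re.IGNORECASE):
        minute = re.search(r"/sc\s+minute\b", cl, re.IGNORECASE)
        modifier = re.search(r"/mo\s+(\d+)", cl, re.IGNORECASE)
        target = re.search(r'/tr\s+"?([^"]+)"?', cl, re.IGNORECASE)
        if (minute and modifier and int(modifier.group(1)) <= 5
                and target and USER_WRITABLE.search(target.group(1))):
            findings.append("minute-interval task runs binary from user-writable dir")
    if event.image == "cmd.exe" and SELF_DELETE.search(cl):
        findings.append("self-delete via timeout and del")
    if event.image == "cmd.exe" and ROAMING_LAUNCH.search(cl):
        findings.append("cmd launches binary from AppData\\Roaming")
    if (event.image in DOTNET_HOSTS and event.parent not in BUILD_PARENTS
            and "\\microsoft.net\\framework\\" in cl.lower()):
        findings.append(".NET utility %s spawned by %s (hollowing candidate)"
                        % (event.image, event.parent))
    return findings

def scan(events):
    """Map PID -> findings for every event that triggered at least one rule."""
    return {e.pid: f for e in events if (f := detect(e))}

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, findings)
```

The rules are deliberately narrow (a one-to-five-minute task whose action is in a user-writable directory, not any `schtasks /Create`) so they can run over Sysmon event ID 1 or EDR process telemetry without drowning in installer noise; the parent allow-list for the .NET hosts is the place to tune for a given fleet.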
Total events
159 822
Read events
138 683
Write events
21 117
Delete events
22

Modification events

(PID) Process: (2080) 4363463463464363463463463.bin.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
(PID) Process: (2080) 4363463463464363463463463.bin.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD
Operation: write
Name: Blob
Value:
(PID) Process: (2080) 4363463463464363463463463.bin.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD
Operation: write
Name: Blob
Value:
(PID) Process: (2080) 4363463463464363463463463.bin.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
Operation: write
Name: Blob
Value:
(PID) Process: (2080) 4363463463464363463463463.bin.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
Operation: write
Name: Blob
Value:
(PID) Process: (2080) 4363463463464363463463463.bin.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value:
1
(PID) Process: (2080) 4363463463464363463463463.bin.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value:
1
(PID) Process: (2080) 4363463463464363463463463.bin.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value:
1
(PID) Process: (2080) 4363463463464363463463463.bin.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value:
0
(PID) Process: (1772) windows.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
Executable files
1 239
Suspicious files
1 309
Text files
530
Unknown types
4

Dropped files

PID
Process
Filename
Type
PID: 2080
Process: 4363463463464363463463463.bin.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Type: binary
MD5:B19B1FE01ADACF244CA4F568AF813533
SHA256:76CE81C6237322D035FFEBC49A7D68C6AF5F6FD659BAA5070FCA88F730D70AC9
PID: 2736
Process: tuc6.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-NG79T.tmp\_isetup\_isdecmp.dll
Type: executable
MD5:3ADAA386B671C2DF3BAE5B39DC093008
SHA256:71CD2F5BC6E13B8349A7C98697C6D2E3FCDEEA92699CEDD591875BEA869FAE38
PID: 2080
Process: 4363463463464363463463463.bin.exe
Filename: C:\Users\admin\Desktop\Files\7120.exe
Type: executable
MD5:A8E200F1E66467D25A0A961FA69F9CBD
SHA256:8D25031C713F945E26935953121AB7DB9F3D71B60CE75D2A89284697426FC20A
PID: 1216
Process: 7120.exe
Filename: C:\Users\admin\Desktop\Files\ini\npc.ini
Type: text
MD5:183C450EF1DD5967088E6A6013ECD19F
SHA256:7C883E6F42D924FA84F3671158BF01AB2B481D77E16DAF1C76EA9A5644293237
PID: 2736
Process: tuc6.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-NG79T.tmp\_isetup\_iscrypt.dll
Type: executable
MD5:A69559718AB506675E907FE49DEB71E9
SHA256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
PID: 1216
Process: 7120.exe
Filename: C:\Users\admin\Desktop\Files\version.dat
Type: text
MD5:AC3870FCAD1CFC367825CDA0101EEE62
SHA256:3B38239024A8C579F48E9CC3B3C5BF5AEAA06B841877488B90FFA07E2E73180C
PID: 2736
Process: tuc6.tmp
Filename: C:\Program Files\CloudPanelCRT\bin\x86\is-JPIG7.tmp
Type: executable
MD5:526E02E9EB8953655EB293D8BAC59C8F
SHA256:E2175E48A93B2A7FA25ACC6879F3676E04A0C11BB8CDFD8D305E35FD9B5BBBB4
PID: 2080
Process: 4363463463464363463463463.bin.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Type: compressed
MD5:AC05D27423A85ADC1622C714F2CB6184
SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
PID: 2080
Process: 4363463463464363463463463.bin.exe
Filename: C:\Users\admin\Desktop\Files\windows.exe
Type: executable
MD5:0652F7B122116EEC5CFE7CD5BAE5A7BD
SHA256:456CA399370AE37BC6C08D48765DC8774033196DEF17A913779491AF5CE7067D
PID: 1880
Process: tuc6.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-95R6A.tmp\tuc6.tmp
Type: executable
MD5:A7662827ECAEB4FC68334F6B8791B917
SHA256:05F159722D6905719D2D6F340981A293F40AB8A0D2D4A282C948066809D4AF6D
HTTP(S) requests
123
TCP/UDP connections
6 666
DNS requests
572
Threats
417

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2080
4363463463464363463463463.bin.exe
GET
200
184.175.115.10:80
http://184.175.115.10/enzf/7120.exe
unknown
executable
254 Kb
unknown
1740
4363463463464363463463463.bin.exe
GET
200
185.215.113.66:80
http://185.215.113.66/npp.exe
unknown
executable
9.50 Kb
unknown
1560
npp.exe
GET
200
185.215.113.84:80
http://twizt.net/newtpp.exe
unknown
executable
80.0 Kb
unknown
2080
4363463463464363463463463.bin.exe
GET
200
104.21.46.59:80
http://hitsturbo.com/order/tuc6.exe
unknown
executable
6.29 Mb
unknown
796
4363463463464363463463463.bin.exe
GET
200
209.145.51.44:80
http://vmi1159541.contaboserver.net/RobluxCoins.exe
unknown
executable
976 Kb
unknown
3044
937228412.exe
GET
200
104.18.114.97:80
http://icanhazip.com/
unknown
text
15 b
unknown
2792
sysplorsv.exe
GET
200
185.215.113.66:80
http://185.215.113.66/2
unknown
binary
22.2 Kb
unknown
1560
npp.exe
GET
200
185.215.113.84:80
http://twizt.net/peinstall.php
unknown
executable
80.0 Kb
unknown
968
Opolis.exe
GET
200
195.26.206.107:80
http://www.opolis.eu/OSM-Client.exe.zip
unknown
binary
6.43 Mb
unknown
2080
4363463463464363463463463.bin.exe
GET
200
195.26.206.107:80
http://www.opolis.io/Opolis.exe
unknown
executable
4.91 Mb
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
2080
4363463463464363463463463.bin.exe
151.101.2.49:443
urlhaus.abuse.ch
FASTLY
US
unknown
1080
svchost.exe
224.0.0.252:5355
unknown
2080
4363463463464363463463463.bin.exe
123.30.128.169:443
upload.vina-host.com
Vietnam Posts and Telecommunications VNPT
VN
unknown
2080
4363463463464363463463463.bin.exe
184.24.77.199:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
2080
4363463463464363463463463.bin.exe
184.175.115.10:80
CYBERCON
US
unknown
2080
4363463463464363463463463.bin.exe
104.21.46.59:80
hitsturbo.com
CLOUDFLARENET
unknown
1740
4363463463464363463463463.bin.exe
151.101.2.49:443
urlhaus.abuse.ch
FASTLY
US
unknown
1740
4363463463464363463463463.bin.exe
185.215.113.66:80
1337team Limited
SC
unknown

DNS requests

Domain
IP
Reputation
urlhaus.abuse.ch
  • 151.101.2.49
  • 151.101.66.49
  • 151.101.130.49
  • 151.101.194.49
whitelisted
upload.vina-host.com
  • 123.30.128.169
malicious
ctldl.windowsupdate.com
  • 184.24.77.199
  • 184.24.77.194
  • 184.24.77.205
  • 184.24.77.202
  • 184.24.77.209
  • 184.24.77.207
  • 184.24.77.191
  • 184.24.77.174
  • 184.24.77.176
  • 184.24.77.208
whitelisted
hitsturbo.com
  • 104.21.46.59
  • 172.67.168.30
malicious
never.hitsturbo.com
  • 104.21.46.59
  • 172.67.168.30
malicious
vmi1159541.contaboserver.net
  • 209.145.51.44
malicious
twizt.net
  • 185.215.113.84
unknown
zateghar.com
  • 212.224.86.103
unknown
github.com
  • 140.82.121.3
  • 140.82.121.4
shared
www.opolis.io
  • 195.26.206.107
malicious

Threats

PID
Process
Class
Message
2080
4363463463464363463463463.bin.exe
Potential Corporate Privacy Violation
AV POLICY HTTP request for .exe file with no User-Agent
2080
4363463463464363463463463.bin.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
2080
4363463463464363463463463.bin.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2080
4363463463464363463463463.bin.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2080
4363463463464363463463463.bin.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
2080
4363463463464363463463463.bin.exe
Potential Corporate Privacy Violation
AV POLICY HTTP request for .exe file with no User-Agent
2080
4363463463464363463463463.bin.exe
Potentially Bad Traffic
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
2080
4363463463464363463463463.bin.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2080
4363463463464363463463463.bin.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2080
4363463463464363463463463.bin.exe
Misc activity
ET INFO EXE - Served Attached HTTP
36 ETPRO signatures available at the full report
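The Suricata alerts above are simple HTTP heuristics: an executable fetched from a dotted-quad host, an `.exe` request sent without a `User-Agent`, a PE served over plain HTTP, and a terse alphanumeric URI returning a binary (the `/2` payload sysplorsv.exe pulled from 185.215.113.66 fits that last shape). The Python below is an added example, not the ET rules themselves or code from the report: it re-implements those four checks over request records constructed from the HTTP table above. The report gives PID, URL, content type and size only, so the `User-Agent` presence and the leading response bytes in the sample records are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Records constructed from the HTTP requests table in this report. The
# user_agent and body_head fields are assumptions added for the example.
SAMPLE_REQUESTS = [
    {"pid": 2080, "url": "http://184.175.115.10/enzf/7120.exe", "user_agent": None, "body_head": b"MZ\x90\x00"},
    {"pid": 1740, "url": "http://185.215.113.66/npp.exe", "user_agent": None, "body_head": b"MZ\x90\x00"},
    {"pid": 1560, "url": "http://twizt.net/newtpp.exe", "user_agent": "Mozilla/5.0", "body_head": b"MZ\x90\x00"},
    {"pid": 2792, "url": "http://185.215.113.66/2", "user_agent": None, "body_head": b"\x1f\x8b\x08\x00"},
    {"pid": 3044, "url": "http://icanhazip.com/", "user_agent": "curl/8.0", "body_head": b"203.0.113.7\n"},
    {"pid": 968, "url": "http://www.opolis.eu/OSM-Client.exe.zip", "user_agent": "Mozilla/5.0", "body_head": b"PK\x03\x04"},
]

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
TERSE_PATH = re.compile(r"^/[A-Za-z0-9]{1,8}$")   # short alphanumeric URI, no extension

def is_pe(body_head):
    """A Windows PE image starts with the 'MZ' DOS header magic."""
    return body_head[:2] == b"MZ"

def looks_like_text(body_head):
    """True if the leading bytes are printable ASCII (plus CR/LF/TAB)."""
    try:
        text = body_head.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(c.isprintable() or c in "\r\n\t" for c in text)

def classify(req):
    """Return the heuristic tags that apply to one request/response pair."""
    parts = urlparse(req["url"])
    host = parts.hostname or ""
    path = parts.path or "/"
    pe = is_pe(req["body_head"])
    tags = []
    if parts.scheme == "http" and pe:
        tags.append("pe-download-over-http")
    if pe and DOTTED_QUAD.match(host):
        tags.append("exe-download-from-dotted-quad")
    if path.lower().endswith(".exe") and req["user_agent"] is None:
        tags.append("exe-request-without-user-agent")
    if TERSE_PATH.match(path) and not looks_like_text(req["body_head"]):
        tags.append("terse-alphanumeric-uri-binary-response")
    return tags

def summarize(requests):
    """Map URL -> tags for every request that matched at least one heuristic."""
    return {r["url"]: t for r in requests if (t := classify(r))}

if __name__ == "__main__":
    for url, tags in summarize(SAMPLE_REQUESTS).items():
        print(url, tags)
```

Run over a Zeek `http.log` joined with file magic from `files.log` this gives the same four signals without the full ruleset; the `icanhazip.com` and `.zip` records show the checks stay quiet on a plain IP lookup and on an archive download from a named host.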
Process
Message
4363463463464363463463463.bin.exe
The specified executable is not a valid application for this OS platform.
4363463463464363463463463.bin.exe
Unable to connect to the remote server
4363463463464363463463463.bin.exe
The specified executable is not a valid application for this OS platform.
4363463463464363463463463.bin.exe
Unable to connect to the remote server
4363463463464363463463463.bin.exe
Unable to connect to the remote server
4363463463464363463463463.bin.exe
Unable to connect to the remote server
4363463463464363463463463.bin.exe
The specified executable is not a valid application for this OS platform.
4363463463464363463463463.bin.exe
The specified executable is not a valid application for this OS platform.
4363463463464363463463463.bin.exe
The specified executable is not a valid application for this OS platform.
4363463463464363463463463.bin.exe
The specified executable is not a valid application for this OS platform.