| File name: | 4363463463464363463463463.exe |
| Full analysis: | https://app.any.run/tasks/2f5cd703-28ee-4373-89f7-25336e6c22ff |
| Verdict: | Malicious activity |
| Threats: | The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes. |
| Analysis date: | January 07, 2024, 13:50:16 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 2A94F3960C58C6E70826495F76D00B85 |
| SHA1: | E2A1A5641295F5EBF01A37AC1C170AC0814BB71A |
| SHA256: | 2FCAD226B17131DA4274E1B9F8F31359BDD325C9568665F08FD1F6C5D06A23CE |
| SSDEEP: | 192:2we8sGKE6MqyG7c20L7BIW12n/ePSmzkTInu8stYcFwVc03KY:9e8sGKfMqyGg20PKn/cRaInuptYcFwVY |
MALICIOUS
HAUSBOMBER has been detected (YARA)
- 4363463463464363463463463.exe (PID: 2088)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2292)
- 4363463463464363463463463.exe (PID: 2736)
- 4363463463464363463463463.exe (PID: 2540)
- 4363463463464363463463463.exe (PID: 2760)
Bypass execution policy to execute commands
- powershell.exe (PID: 2820)
- powershell.exe (PID: 3216)
- powershell.exe (PID: 3244)
- powershell.exe (PID: 2772)
- powershell.exe (PID: 3624)
Adds path to the Windows Defender exclusion list
- Archevod_XWorm.exe (PID: 2364)
- WinScp.exe (PID: 3144)
- Installsetup2.exe (PID: 6504)
- comSvc.exe (PID: 7228)
- Had.exe (PID: 8608)
- WinDir.exe (PID: 9824)
- WinScp.exe (PID: 6452)
Changes powershell execution policy (Bypass)
- Archevod_XWorm.exe (PID: 2364)
- socks5-clean.exe (PID: 748)
Signature: RAMNIT has been detected
- jxszdjp.exe (PID: 2656)
- jxszdjpSrv.exe (PID: 3108)
- iexplore.exe (PID: 3128)
- DesktopLayer.exe (PID: 3152)
Adds process to the Windows Defender exclusion list
- Archevod_XWorm.exe (PID: 2364)
Changes the login/logoff helper path in the registry
- iexplore.exe (PID: 3128)
- _VTI_CNF.exe (PID: 5120)
- Winlock.exe (PID: 8876)
Uses Task Scheduler to run other applications
- Archevod_XWorm.exe (PID: 2364)
- cmd.exe (PID: 3192)
- tuc3.tmp (PID: 5192)
- XRJNZC.exe (PID: 2028)
- cmd.exe (PID: 4572)
- Install.exe (PID: 8352)
- Utsysc.exe (PID: 8212)
- Install.exe (PID: 6308)
Create files in the Startup directory
- Archevod_XWorm.exe (PID: 2364)
- rest.exe (PID: 3188)
- dllhost.exe (PID: 4456)
- NINJA.exe (PID: 3588)
- jsc.exe (PID: 6796)
- Winlock.exe (PID: 8876)
Uses sleep, probably for evasion detection (SCRIPT)
- wscript.exe (PID: 332)
- wscript.exe (PID: 3884)
- wscript.exe (PID: 6572)
- wscript.exe (PID: 9304)
- wscript.exe (PID: 9264)
DcRAT is detected
- agentServerComponent.exe (PID: 1264)
Steals credentials from Web Browsers
- Restoro.exe (PID: 2964)
- rest.exe (PID: 3188)
- AppLaunch.exe (PID: 3376)
- RegAsm.exe (PID: 4996)
- pixelguy.exe (PID: 4808)
- cmd.exe (PID: 4036)
- rundll32.exe (PID: 9052)
- alex.exe (PID: 7260)
- flesh.exe (PID: 5372)
Actions looks like stealing of personal data
- Restoro.exe (PID: 2964)
- sqlite3.exe (PID: 2752)
- sqlite3.exe (PID: 3252)
- sqlite3.exe (PID: 2056)
- AppLaunch.exe (PID: 3376)
- pinf.exe (PID: 4116)
- InstallUtil.exe (PID: 6024)
- RegAsm.exe (PID: 4996)
- dialer.exe (PID: 4540)
- rest.exe (PID: 3188)
- pixelguy.exe (PID: 4808)
- WOvUJWL0veCQkY9fAdGkG6hm.exe (PID: 2228)
- RegAsm.exe (PID: 8696)
- rundll32.exe (PID: 9052)
- cmd.exe (PID: 4036)
- flesh.exe (PID: 5372)
- alex.exe (PID: 7260)
Detected an obfuscated command line used with Guloader
- powershell.exe (PID: 3216)
XWORM has been detected (YARA)
- Archevod_XWorm.exe (PID: 2364)
Run PowerShell with an invisible window
- powershell.exe (PID: 3624)
Uses Task Scheduler to autorun other applications
- Temp1.exe (PID: 3388)
- asg.exe (PID: 3484)
- cmd.exe (PID: 984)
- 4iBpiQUavIMb.exe (PID: 5948)
Creates a writable file in the system directory
- Temp1.exe (PID: 3388)
- _VTI_CNF.exe (PID: 5120)
- Winlock.exe (PID: 8876)
Risepro uses scheduled tasks to run itself
- cmd.exe (PID: 3192)
- cmd.exe (PID: 984)
REMCOS has been detected (YARA)
- 6.exe (PID: 1484)
Starts CMD.EXE for self-deleting
- file.exe (PID: 4636)
- s5.exe (PID: 4284)
- 4iBpiQUavIMb.exe (PID: 5948)
- s5.exe (PID: 8948)
REDLINE has been detected (YARA)
- v2.exe (PID: 2628)
- RegSvcs.exe (PID: 4132)
METASTEALER has been detected (YARA)
- easy.exe (PID: 3528)
- RegSvcs.exe (PID: 2912)
UAC/LUA settings modification
- Installsetup2.exe (PID: 6504)
- Had.exe (PID: 8608)
QUASAR has been detected (YARA)
- asg.exe (PID: 3484)
RISEPRO has been detected (YARA)
- rest.exe (PID: 3188)
MARSSTEALER has been detected (YARA)
- data64_1.exe (PID: 2772)
Changes the autorun value in the registry
- Utsysc.exe (PID: 8212)
- WinDir.exe (PID: 9824)
ARKEI has been detected (YARA)
- data64_1.exe (PID: 2772)
Task Manager has been disabled (taskmgr)
- Winlock.exe (PID: 8876)
Modify registry editing tools (regedit)
- Winlock.exe (PID: 8876)
NANOCORE has been detected (YARA)
- CasPol.exe (PID: 4184)
SOCKS5SYSTEMZ has been detected (YARA)
- xrecode3.exe (PID: 5484)
DCRAT has been detected (YARA)
- minuscrypt_crypted.exe (PID: 5252)
LUMMA has been detected (YARA)
- AppLaunch.exe (PID: 5768)
SUSPICIOUS
Reads the Internet Settings
- 4363463463464363463463463.exe (PID: 2088)
- syncUpd.exe (PID: 1504)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2736)
- 4363463463464363463463463.exe (PID: 2760)
- 4363463463464363463463463.exe (PID: 2292)
- 4363463463464363463463463.exe (PID: 2540)
- Archevod_XWorm.exe (PID: 2364)
- powershell.exe (PID: 2820)
- powershell.exe (PID: 3216)
- powershell.exe (PID: 3244)
- powershell.exe (PID: 2772)
- ajajjajajaj.exe (PID: 4028)
- v4install.exe (PID: 3896)
- wscript.exe (PID: 332)
- 2014-06-12_djylh.exe (PID: 1592)
- Restoro.exe (PID: 2964)
- wlanext.exe (PID: 3336)
- socks5-clean.exe (PID: 748)
- WinScp.exe (PID: 3144)
- POWERSHELL.exe (PID: 2976)
- Temp1.exe (PID: 3388)
- asg.exe (PID: 3484)
- tpeinf.exe (PID: 752)
- AppLaunch.exe (PID: 3376)
- s5.exe (PID: 4284)
- CasPol.exe (PID: 4184)
- peinf.exe (PID: 4124)
- rest.exe (PID: 3188)
- data64_1.exe (PID: 2772)
- payload.exe (PID: 4900)
- wscript.exe (PID: 3884)
- newrock.exe (PID: 5032)
- 1230.exe (PID: 5700)
- 4iBpiQUavIMb.exe (PID: 5948)
- file.exe (PID: 4636)
- wab.exe (PID: 5740)
- _VTI_CNF.exe (PID: 5120)
- %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 3680)
- powershell.exe (PID: 5268)
- cmd.exe (PID: 4932)
- KB824105-x86-ENU.exe (PID: 5664)
- cp.exe (PID: 5604)
- WinLocker.exe (PID: 6076)
- %E5%8F%91%E7%A5%A8%E7%94%B5%E8%84%91%E7%89%88-%E6%9C%8D%E5%8A%A1%E7%AB%AF_sos.exe (PID: 3344)
- AppLaunch.exe (PID: 3616)
- XRJNZC.exe (PID: 2028)
- Tat tow roc koyor manax wodebib haninew dolixo.exe (PID: 4576)
- VLTKBacdau.exe (PID: 4208)
- AppLaunch.exe (PID: 5768)
- conhost.exe (PID: 4484)
- cmd.exe (PID: 6164)
- fund.exe (PID: 6512)
- Installsetup2.exe (PID: 6504)
- curlprotectionstdlib.exe (PID: 2852)
- wscript.exe (PID: 6572)
- jsc.exe (PID: 6796)
- powershell.exe (PID: 6764)
- I2Ex5pwRwZqXz75aHosVhcCf.tmp (PID: 7464)
- data64_6.exe (PID: 7176)
- control.exe (PID: 8064)
- 444567.exe (PID: 6276)
- powershell.exe (PID: 3828)
- powershell.exe (PID: 4064)
- powershell.exe (PID: 6380)
- powershell.exe (PID: 6468)
- powershell.exe (PID: 5732)
- powershell.exe (PID: 6428)
- powershell.exe (PID: 4352)
- powershell.exe (PID: 6308)
- powershell.exe (PID: 6316)
- powershell.exe (PID: 6452)
- powershell.exe (PID: 6564)
- powershell.exe (PID: 6340)
- powershell.exe (PID: 6292)
- powershell.exe (PID: 2516)
- Install.exe (PID: 8352)
- xrecode3.exe (PID: 5484)
- comSvc.exe (PID: 7228)
- s5.exe (PID: 8948)
- kgnAq0ecPS19tEGk9VPuHjN7.exe (PID: 1056)
- cmd.exe (PID: 8868)
- syspolrvcs.exe (PID: 8672)
- plink.exe (PID: 8616)
- TaAgente.exe (PID: 8244)
- Winlock.exe (PID: 8876)
- pocketrar350sc.exe (PID: 6404)
- ama.exe (PID: 6420)
- powershell.EXE (PID: 9868)
- Utsysc.exe (PID: 8212)
- rundll32.exe (PID: 8104)
- baseline.exe (PID: 8412)
- Lipuresenu.exe (PID: 2576)
- Had.exe (PID: 8608)
- jsc.exe (PID: 9508)
- build2.exe (PID: 9816)
- WinDir.exe (PID: 9824)
- WOvUJWL0veCQkY9fAdGkG6hm.exe (PID: 2228)
- POWERSHELL.exe (PID: 4176)
- powershell.exe (PID: 5976)
- rundll32.exe (PID: 9052)
- Vpeswawqko.exe (PID: 7048)
- rundll32.exe (PID: 7816)
- alex.exe (PID: 7260)
Reads settings of System Certificates
- 4363463463464363463463463.exe (PID: 2088)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2736)
- 4363463463464363463463463.exe (PID: 2760)
- 4363463463464363463463463.exe (PID: 2292)
- 4363463463464363463463463.exe (PID: 2540)
- AppLaunch.exe (PID: 3376)
- rest.exe (PID: 3188)
- file.exe (PID: 4636)
- s5.exe (PID: 4284)
- jsc.exe (PID: 6796)
- I2Ex5pwRwZqXz75aHosVhcCf.tmp (PID: 7464)
- 444567.exe (PID: 6276)
- Winlock.exe (PID: 8876)
- Lipuresenu.exe (PID: 2576)
- s5.exe (PID: 8948)
- jsc.exe (PID: 9508)
- WinDir.exe (PID: 9824)
- build2.exe (PID: 9816)
- Vpeswawqko.exe (PID: 7048)
Adds/modifies Windows certificates
- 4363463463464363463463463.exe (PID: 2088)
- 4363463463464363463463463.exe (PID: 2760)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2292)
Reads the Windows owner or organization settings
- adobe.tmp (PID: 2052)
- tuc6.tmp (PID: 4008)
- tuc2.tmp (PID: 3336)
- tuc3.tmp (PID: 5192)
- tuc5.tmp (PID: 5692)
- tuc4.tmp (PID: 4276)
- I2Ex5pwRwZqXz75aHosVhcCf.tmp (PID: 7464)
- 9IIBedBp4oKYeL6yADSHQI1L.tmp (PID: 8532)
- lightcleaner.tmp (PID: 9244)
The process creates files with name similar to system file names
- 4363463463464363463463463.exe (PID: 2540)
- Restoro.exe (PID: 2964)
- _VTI_CNF.exe (PID: 5120)
- NINJA.exe (PID: 3588)
- 4363463463464363463463463.exe (PID: 2736)
- 4363463463464363463463463.exe (PID: 2096)
- comSvc.exe (PID: 7228)
Starts POWERSHELL.EXE for commands execution
- Archevod_XWorm.exe (PID: 2364)
- wlanext.exe (PID: 3336)
- powershell.exe (PID: 3508)
- socks5-clean.exe (PID: 748)
- WinScp.exe (PID: 3144)
- cmd.exe (PID: 5276)
- Installsetup2.exe (PID: 6504)
- comSvc.exe (PID: 7228)
- Had.exe (PID: 8608)
- WinDir.exe (PID: 9824)
- rundll32.exe (PID: 9052)
- WinScp.exe (PID: 6452)
Script adds exclusion path to Windows Defender
- Archevod_XWorm.exe (PID: 2364)
- WinScp.exe (PID: 3144)
- Installsetup2.exe (PID: 6504)
- comSvc.exe (PID: 7228)
- Had.exe (PID: 8608)
- WinDir.exe (PID: 9824)
- WinScp.exe (PID: 6452)
Using PowerShell to operate with local accounts
- powershell.exe (PID: 2820)
- powershell.exe (PID: 3244)
- powershell.exe (PID: 3216)
- powershell.exe (PID: 2772)
- powershell.exe (PID: 6764)
- powershell.exe (PID: 4064)
- powershell.exe (PID: 6380)
- powershell.exe (PID: 6468)
- powershell.exe (PID: 6428)
- powershell.exe (PID: 5732)
- powershell.exe (PID: 3828)
- powershell.exe (PID: 4352)
- powershell.exe (PID: 6308)
- powershell.exe (PID: 6316)
- powershell.exe (PID: 6452)
- powershell.exe (PID: 6340)
- powershell.exe (PID: 6564)
- powershell.exe (PID: 6292)
- powershell.exe (PID: 2516)
- powershell.exe (PID: 5976)
Script adds exclusion process to Windows Defender
- Archevod_XWorm.exe (PID: 2364)
Searches for installed software
- tuc6.tmp (PID: 4008)
- tuc2.tmp (PID: 3336)
- AppLaunch.exe (PID: 3376)
- rest.exe (PID: 3188)
- tuc5.tmp (PID: 5692)
- InstallUtil.exe (PID: 6024)
- tuc4.tmp (PID: 4276)
- RegAsm.exe (PID: 4996)
- dialer.exe (PID: 4540)
- pixelguy.exe (PID: 4808)
- RegAsm.exe (PID: 8696)
- 9IIBedBp4oKYeL6yADSHQI1L.tmp (PID: 8532)
- alex.exe (PID: 7260)
- flesh.exe (PID: 5372)
Starts CMD.EXE for commands execution
- wscript.exe (PID: 332)
- ns8184.tmp (PID: 2796)
- ns8222.tmp (PID: 3144)
- ns82A1.tmp (PID: 1540)
- ns833E.tmp (PID: 3256)
- ns8860.tmp (PID: 3268)
- rest.exe (PID: 3188)
- wscript.exe (PID: 3884)
- s5.exe (PID: 4284)
- _VTI_CNF.exe (PID: 5120)
- file.exe (PID: 4636)
- KB824105-x86-ENU.exe (PID: 5664)
- cp.exe (PID: 5604)
- WinLocker.exe (PID: 6076)
- 4iBpiQUavIMb.exe (PID: 5948)
- NINJA.exe (PID: 3588)
- conhost.exe (PID: 4484)
- wscript.exe (PID: 6572)
- forfiles.exe (PID: 8756)
- forfiles.exe (PID: 9276)
- Winlock.exe (PID: 8876)
- s5.exe (PID: 8948)
- forfiles.exe (PID: 9524)
- forfiles.exe (PID: 8620)
- dusers.exe (PID: 8252)
Executing commands from a ".bat" file
- wscript.exe (PID: 332)
- ns8184.tmp (PID: 2796)
- ns8222.tmp (PID: 3144)
- ns82A1.tmp (PID: 1540)
- wscript.exe (PID: 3884)
- cp.exe (PID: 5604)
- WinLocker.exe (PID: 6076)
- conhost.exe (PID: 4484)
- wscript.exe (PID: 6572)
- dusers.exe (PID: 8252)
Runs shell command (SCRIPT)
- wscript.exe (PID: 332)
- wscript.exe (PID: 3884)
- wscript.exe (PID: 6572)
Reads Microsoft Outlook installation path
- 2014-06-12_djylh.exe (PID: 1592)
- pocketrar350sc.exe (PID: 6404)
Starts application with an unusual extension
- Restoro.exe (PID: 2964)
- cmd.exe (PID: 5380)
- kgnAq0ecPS19tEGk9VPuHjN7.exe (PID: 1056)
Reads browser cookies
- sqlite3.exe (PID: 2752)
- AppLaunch.exe (PID: 3376)
- InstallUtil.exe (PID: 6024)
- RegAsm.exe (PID: 4996)
- pixelguy.exe (PID: 4808)
- RegAsm.exe (PID: 8696)
Get information on the list of running processes
- Restoro.exe (PID: 2964)
- ns833E.tmp (PID: 3256)
- cmd.exe (PID: 3164)
- ns8860.tmp (PID: 3268)
- cmd.exe (PID: 3540)
Base64-obfuscated command line is found
- powershell.exe (PID: 3508)
Checks Windows Trust Settings
- WinScp.exe (PID: 3144)
- file.exe (PID: 4636)
- I2Ex5pwRwZqXz75aHosVhcCf.tmp (PID: 7464)
- Winlock.exe (PID: 8876)
- WinDir.exe (PID: 9824)
- build2.exe (PID: 9816)
Reads security settings of Internet Explorer
- WinScp.exe (PID: 3144)
- file.exe (PID: 4636)
- I2Ex5pwRwZqXz75aHosVhcCf.tmp (PID: 7464)
- Winlock.exe (PID: 8876)
- build2.exe (PID: 9816)
- WinDir.exe (PID: 9824)
Reads Internet Explorer settings
- 2014-06-12_djylh.exe (PID: 1592)
- %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 3680)
- pocketrar350sc.exe (PID: 6404)
The process executes Powershell scripts
- socks5-clean.exe (PID: 748)
- cmd.exe (PID: 5276)
Accesses Microsoft Outlook profiles
- rest.exe (PID: 3188)
- rundll32.exe (PID: 9052)
Reads the BIOS version
- brg.exe (PID: 4292)
- new.exe (PID: 3660)
- Install.exe (PID: 8352)
Possibly malicious use of IEX has been detected
- cmd.exe (PID: 5276)
Creates or modifies Windows services
- _VTI_CNF.exe (PID: 5120)
- lve5.exe (PID: 6572)
Probably download files using WebClient
- cmd.exe (PID: 5276)
The process checks if it is being run in the virtual environment
- dialer.exe (PID: 4540)
Starts NET.EXE to map network drives
- cmd.exe (PID: 5796)
Uses NETSH.EXE to change the status of the firewall
- cmd.exe (PID: 4036)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 5432)
Uses ATTRIB.EXE to modify file attributes
- cmd.exe (PID: 4036)
- cmd.exe (PID: 6164)
Loads DLL from Mozilla Firefox
- dialer.exe (PID: 4540)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 4036)
- cmd.exe (PID: 9568)
- cmd.exe (PID: 9812)
- cmd.exe (PID: 7788)
- cmd.exe (PID: 6580)
- cmd.exe (PID: 9964)
Uses TASKKILL.EXE to kill process
- cmd.exe (PID: 3732)
- cmd.exe (PID: 8776)
Detected use of alternative data streams (AltDS)
- NINJA.exe (PID: 3588)
Executes WMI query (SCRIPT)
- wscript.exe (PID: 5088)
- wscript.exe (PID: 9264)
Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)
- wscript.exe (PID: 5088)
The process executes VB scripts
- NINJA.exe (PID: 3588)
- pdf.exe (PID: 3896)
- cmd.exe (PID: 8868)
- PluginFlash.exe (PID: 5156)
- iexplore.exe (PID: 8016)
Creates FileSystem object to access computer's file system (SCRIPT)
- wscript.exe (PID: 5088)
- wscript.exe (PID: 9304)
- wscript.exe (PID: 9264)
Uses RUNDLL32.EXE to load library
- control.exe (PID: 8064)
- Utsysc.exe (PID: 8212)
The process verifies whether the antivirus software is installed
- WOvUJWL0veCQkY9fAdGkG6hm.exe (PID: 2228)
Checks whether a specific file exists (SCRIPT)
- wscript.exe (PID: 9304)
Uses WMI to retrieve WMI-managed resources (SCRIPT)
- wscript.exe (PID: 9264)
Found strings related to reading or modifying Windows Defender settings
- forfiles.exe (PID: 8756)
- forfiles.exe (PID: 9276)
- forfiles.exe (PID: 9524)
- forfiles.exe (PID: 8620)
Creates files in the driver directory
- Winlock.exe (PID: 8876)
Uses NETSH.EXE to obtain data on the network
- rundll32.exe (PID: 9052)
Runs PING.EXE to delay simulation
- cmd.exe (PID: 5664)
INFO
Reads the computer name
- 4363463463464363463463463.exe (PID: 2088)
- syncUpd.exe (PID: 1504)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2736)
- adobe.tmp (PID: 2052)
- 4363463463464363463463463.exe (PID: 2760)
- 4363463463464363463463463.exe (PID: 2292)
- 4363463463464363463463463.exe (PID: 2540)
- Archevod_XWorm.exe (PID: 2364)
- curlprotectionstdlib.exe (PID: 2368)
- 6.exe (PID: 1484)
- easy.exe (PID: 3528)
- ajajjajajaj.exe (PID: 4028)
- BestSoftware.exe (PID: 3628)
- v4install.exe (PID: 3896)
- tuc6.tmp (PID: 4008)
- WatchDog.exe (PID: 2072)
- agentServerComponent.exe (PID: 1264)
- 2014-06-12_djylh.exe (PID: 1592)
- Restoro.exe (PID: 2964)
- RegSvcs.exe (PID: 2912)
- wlanext.exe (PID: 3336)
- msedge.exe (PID: 2984)
- socks5-clean.exe (PID: 748)
- v2.exe (PID: 2628)
- WinScp.exe (PID: 3144)
- kb%5Efr_ouverture.exe (PID: 1000)
- hv.exe (PID: 3100)
- AppLaunch.exe (PID: 3376)
- Temp1.exe (PID: 3388)
- asg.exe (PID: 3484)
- rest.exe (PID: 3188)
- tuc2.tmp (PID: 3336)
- RegSvcs.exe (PID: 4132)
- tpeinf.exe (PID: 752)
- QubpyznbC7neo.exe (PID: 4140)
- s5.exe (PID: 4284)
- CasPol.exe (PID: 4184)
- defense.exe (PID: 3020)
- peinf.exe (PID: 4124)
- data64_1.exe (PID: 2772)
- payload.exe (PID: 4900)
- newrock.exe (PID: 5032)
- Broom.exe (PID: 5104)
- tuc3.tmp (PID: 5192)
- MRK.exe (PID: 5456)
- 31839b57a4f11171d6abc8bbc4451ee4.exe (PID: 5132)
- xrecode3.exe (PID: 5276)
- 1230.exe (PID: 5700)
- tuc5.tmp (PID: 5692)
- 4iBpiQUavIMb.exe (PID: 5948)
- InstallUtil.exe (PID: 6024)
- tuc4.tmp (PID: 4276)
- RegAsm.exe (PID: 4996)
- tidex_-_short_stuff.exe (PID: 4964)
- golden.exe (PID: 4924)
- file.exe (PID: 4636)
- _VTI_CNF.exe (PID: 5120)
- wab.exe (PID: 5740)
- KB824105-x86-ENU.exe (PID: 5664)
- %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 3680)
- InstallSetup9.exe (PID: 5068)
- AppLaunch.exe (PID: 3616)
- cp.exe (PID: 5604)
- WinLocker.exe (PID: 6076)
- %E5%8F%91%E7%A5%A8%E7%94%B5%E8%84%91%E7%89%88-%E6%9C%8D%E5%8A%A1%E7%AB%AF_sos.exe (PID: 3344)
- VLTKBacdau.exe (PID: 4208)
- XRJNZC.exe (PID: 2028)
- msedge.exe (PID: 5088)
- Tat tow roc koyor manax wodebib haninew dolixo.exe (PID: 4576)
- new.exe (PID: 3660)
- NINJA.exe (PID: 3588)
- windows.exe (PID: 4708)
- AppLaunch.exe (PID: 5768)
- pixelguy.exe (PID: 4808)
- conhost.exe (PID: 4484)
- updHost.exe (PID: 6336)
- Installsetup2.exe (PID: 6504)
- fund.exe (PID: 6512)
- jsc.exe (PID: 6796)
- curlprotectionstdlib.exe (PID: 2852)
- comSvc.exe (PID: 7228)
- data64_6.exe (PID: 7176)
- I2Ex5pwRwZqXz75aHosVhcCf.tmp (PID: 7464)
- kb^fr_ouverture.exe (PID: 8048)
- msedge.exe (PID: 3784)
- vbc.exe (PID: 6364)
- system.exe (PID: 6324)
- 444567.exe (PID: 6276)
- pdf.exe (PID: 3896)
- Gsoymaq.exe (PID: 7732)
- lve5.exe (PID: 6572)
- kgnAq0ecPS19tEGk9VPuHjN7.exe (PID: 1056)
- C6cQHHsmrN7VJRDq5gTCIZl0.exe (PID: 3852)
- lP3RbRUvMxhMyMEFAa95ZTC3.exe (PID: 8116)
- Gsoymaq.exe (PID: 7680)
- M5traider.exe (PID: 8140)
- Lipuresenu.exe (PID: 2576)
- WOvUJWL0veCQkY9fAdGkG6hm.exe (PID: 2228)
- TaAgente.exe (PID: 8244)
- 5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe (PID: 8476)
- Install.exe (PID: 8352)
- BroomSetup.exe (PID: 6884)
- autorun.exe (PID: 8648)
- RegAsm.exe (PID: 8696)
- AppLaunch.exe (PID: 8664)
- xrecode3.exe (PID: 5484)
- Update.exe (PID: 8812)
- cmd.exe (PID: 8868)
- s5.exe (PID: 8948)
- syspolrvcs.exe (PID: 8672)
- Winlock.exe (PID: 8876)
- plink.exe (PID: 8616)
- DefenderControl.exe (PID: 9652)
- 9IIBedBp4oKYeL6yADSHQI1L.tmp (PID: 8532)
- ama.exe (PID: 6420)
- Temp3.exe (PID: 10072)
- pocketrar350sc.exe (PID: 6404)
- RegSvcs.exe (PID: 4440)
- Utsysc.exe (PID: 8212)
- lve.exe (PID: 7020)
- lightcleaner.tmp (PID: 9244)
- SystemUpdate.exe (PID: 3572)
- baseline.exe (PID: 8412)
- InstallSetup9.exe (PID: 7436)
- PCSupport.exe (PID: 7432)
- Had.exe (PID: 8608)
- winvnc.exe (PID: 8636)
- msedge.exe (PID: 6216)
- Otte-Locker.exe (PID: 7492)
- system.exe (PID: 8284)
- WinlockerBuilderv5.exe (PID: 3856)
- jsc.exe (PID: 9508)
- WinDir.exe (PID: 9824)
- build2.exe (PID: 9816)
- photo_dnkafan3.exe (PID: 8884)
- alex.exe (PID: 7260)
- flesh.exe (PID: 5372)
- etopt.exe (PID: 1516)
- TtcgBNmQFvoTQHIP1F3rMIlk.exe (PID: 2816)
- bakhtiar.exe (PID: 7576)
- Vpeswawqko.exe (PID: 7048)
- lve5.exe (PID: 5836)
- qemu-ga.exe (PID: 8028)
- jsoAfhOkdDl64RfkIEX0x8aK.exe (PID: 8448)
- T1_Net.exe (PID: 8040)
- l3pZDDRc6tYeDu9QO54ZLLiL.exe (PID: 3696)
- WCFIBf2WdSZF2ZGsFtkg1RbT.exe (PID: 9284)
Drops the executable file immediately after the start
- 4363463463464363463463463.exe (PID: 2088)
- adobe.exe (PID: 2580)
- adobe.tmp (PID: 2052)
- 4363463463464363463463463.exe (PID: 2540)
- 4363463463464363463463463.exe (PID: 2292)
- curlprotectionstdlib.exe (PID: 2368)
- jxszdjp.exe (PID: 2656)
- jxszdjpSrv.exe (PID: 3108)
- smell-the-roses.exe (PID: 3800)
- 4363463463464363463463463.exe (PID: 2760)
- Archevod_XWorm.exe (PID: 2364)
- ajajjajajaj.exe (PID: 4028)
- v4install.exe (PID: 3896)
- tuc6.exe (PID: 2152)
- tuc6.tmp (PID: 4008)
- 4363463463464363463463463.exe (PID: 2736)
- 4363463463464363463463463.exe (PID: 2096)
- agentServerComponent.exe (PID: 1264)
- Restoro.exe (PID: 2964)
- tuc2.exe (PID: 876)
- Temp1.exe (PID: 3388)
- rest.exe (PID: 3188)
- v2.exe (PID: 2628)
- tuc2.tmp (PID: 3336)
- dllhost.exe (PID: 4456)
- payload.exe (PID: 4900)
- tuc3.exe (PID: 5176)
- newrock.exe (PID: 5032)
- InstallSetup9.exe (PID: 5068)
- xrecode3.exe (PID: 5276)
- pinf.exe (PID: 4116)
- s5.exe (PID: 4284)
- tuc3.tmp (PID: 5192)
- tuc5.exe (PID: 5532)
- tuc5.tmp (PID: 5692)
- 4iBpiQUavIMb.exe (PID: 5948)
- tuc4.exe (PID: 4320)
- tuc4.tmp (PID: 4276)
- jet.exe (PID: 3584)
- _VTI_CNF.exe (PID: 5120)
- cp.exe (PID: 5604)
- WinLocker.exe (PID: 6076)
- NINJA.exe (PID: 3588)
- conhost.exe (PID: 4484)
- fund.exe (PID: 6512)
- jsc.exe (PID: 6796)
- I2Ex5pwRwZqXz75aHosVhcCf.exe (PID: 7352)
- comSvc.exe (PID: 7228)
- data64_6.exe (PID: 7176)
- I2Ex5pwRwZqXz75aHosVhcCf.tmp (PID: 7464)
- VQpUThDmYaprmzsTDTAflg52.exe (PID: 6508)
- kgnAq0ecPS19tEGk9VPuHjN7.exe (PID: 1056)
- lve5.exe (PID: 6572)
- 444567.exe (PID: 6276)
- pocketrar350sc.exe (PID: 6404)
- 9IIBedBp4oKYeL6yADSHQI1L.exe (PID: 6492)
- HF9LrYFHBDTlRxD3D2FvmaME.exe (PID: 4088)
- WOvUJWL0veCQkY9fAdGkG6hm.exe (PID: 2228)
- Install.exe (PID: 668)
- twztl.exe (PID: 8284)
- lightcleaner.exe (PID: 8828)
- Project_8.exe (PID: 8800)
- 5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe (PID: 8476)
- Winlock.exe (PID: 8876)
- cmd.exe (PID: 8868)
- 9IIBedBp4oKYeL6yADSHQI1L.tmp (PID: 8532)
- lightcleaner.tmp (PID: 9244)
- ama.exe (PID: 6420)
- s5.exe (PID: 8948)
- PCSupport.exe (PID: 7432)
- Utsysc.exe (PID: 8212)
- Install.exe (PID: 8352)
- jsc.exe (PID: 9508)
- etopt.exe (PID: 1516)
- WhHkWzUI2xrKNVpWIaMLt6SE.exe (PID: 5492)
- alex.exe (PID: 7260)
- KklpEtLYLh06uw7mL3kXa22n.exe (PID: 6152)
- KklpEtLYLh06uw7mL3kXa22n.tmp (PID: 9012)
- 4ZdY3yAPizHKBiwumgGCHkah.exe (PID: 6304)
- Install.exe (PID: 8464)
- WCFIBf2WdSZF2ZGsFtkg1RbT.exe (PID: 9284)
- PrntScrnOfAMZOrderID.jpg.exe (PID: 6680)
- PluginFlash.exe (PID: 5156)
- Opolis.exe (PID: 8560)
- Install.exe (PID: 6308)
- dusers.exe (PID: 8252)
Checks supported languages
- 4363463463464363463463463.exe (PID: 2088)
- syncUpd.exe (PID: 1504)
- 4363463463464363463463463.exe (PID: 2096)
- adobe.exe (PID: 2580)
- adobe.tmp (PID: 2052)
- 4363463463464363463463463.exe (PID: 2736)
- 4363463463464363463463463.exe (PID: 2760)
- 4363463463464363463463463.exe (PID: 2292)
- 4363463463464363463463463.exe (PID: 2540)
- curlprotectionstdlib.exe (PID: 2368)
- Archevod_XWorm.exe (PID: 2364)
- curlprotectionstdlib.exe (PID: 2852)
- 6.exe (PID: 1484)
- jxszdjp.exe (PID: 2656)
- DesktopLayer.exe (PID: 3152)
- jxszdjpSrv.exe (PID: 3108)
- easy.exe (PID: 3528)
- BestSoftware.exe (PID: 3628)
- smell-the-roses.exe (PID: 3800)
- ajajjajajaj.exe (PID: 4028)
- richedit.exe (PID: 4024)
- tuc6.exe (PID: 2152)
- v4install.exe (PID: 3896)
- yhjjs.exe (PID: 840)
- tuc6.tmp (PID: 4008)
- WatchDog.exe (PID: 2072)
- 2014-06-12_djylh.exe (PID: 1592)
- tbbhts.exe (PID: 2128)
- news_01.exe (PID: 2000)
- agentServerComponent.exe (PID: 1264)
- Restoro.exe (PID: 2964)
- RegSvcs.exe (PID: 2912)
- ns8184.tmp (PID: 2796)
- sqlite3.exe (PID: 2752)
- ns8222.tmp (PID: 3144)
- ns82A1.tmp (PID: 1540)
- sqlite3.exe (PID: 3252)
- sqlite3.exe (PID: 2056)
- ns833E.tmp (PID: 3256)
- msedge.exe (PID: 2984)
- ioot.exe (PID: 3372)
- wlanext.exe (PID: 3336)
- ns8860.tmp (PID: 3268)
- data64_1.exe (PID: 2772)
- socks5-clean.exe (PID: 748)
- v2.exe (PID: 2628)
- WinScp.exe (PID: 3144)
- kb%5Efr_ouverture.exe (PID: 1000)
- AppLaunch.exe (PID: 3376)
- hv.exe (PID: 3100)
- SynapseExploit.exe (PID: 3332)
- Temp1.exe (PID: 3388)
- asg.exe (PID: 3484)
- rest.exe (PID: 3188)
- tuc2.exe (PID: 876)
- tuc2.tmp (PID: 3336)
- s5.exe (PID: 3984)
- tpeinf.exe (PID: 752)
- toolspub2.exe (PID: 4080)
- pinf.exe (PID: 4116)
- QubpyznbC7neo.exe (PID: 4140)
- RegSvcs.exe (PID: 4132)
- defense.exe (PID: 3020)
- CasPol.exe (PID: 4184)
- s5.exe (PID: 4284)
- toolspub2.exe (PID: 4276)
- peinf.exe (PID: 4124)
- payload.exe (PID: 4900)
- newrock.exe (PID: 5032)
- 31839b57a4f11171d6abc8bbc4451ee4.exe (PID: 5132)
- tuc3.tmp (PID: 5192)
- InstallSetup9.exe (PID: 5068)
- toolspub2.exe (PID: 5092)
- Broom.exe (PID: 5104)
- tuc3.exe (PID: 5176)
- xrecode3.exe (PID: 5276)
- xrecode3.exe (PID: 5484)
- MRK.exe (PID: 5456)
- tuc5.exe (PID: 5532)
- toolspub2.exe (PID: 5356)
- tuc5.tmp (PID: 5692)
- 12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe (PID: 5588)
- 1230.exe (PID: 5700)
- wab.exe (PID: 5740)
- 12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe (PID: 5540)
- 4iBpiQUavIMb.exe (PID: 5948)
- InstallUtil.exe (PID: 6024)
- tuc4.exe (PID: 4320)
- tuc4.tmp (PID: 4276)
- 7.exe (PID: 4520)
- RegSvcs.exe (PID: 4728)
- golden.exe (PID: 4924)
- brg.exe (PID: 4292)
- RegAsm.exe (PID: 4996)
- tidex_-_short_stuff.exe (PID: 4964)
- %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 3680)
- _VTI_CNF.exe (PID: 5120)
- file.exe (PID: 4636)
- jet.exe (PID: 3584)
- KB824105-x86-ENU.exe (PID: 5664)
- AppLaunch.exe (PID: 3616)
- minuscrypt_crypted.exe (PID: 5252)
- cp.exe (PID: 5604)
- WinLocker.exe (PID: 6076)
- VLTKBacdau.exe (PID: 4208)
- XRJNZC.exe (PID: 2028)
- %E5%8F%91%E7%A5%A8%E7%94%B5%E8%84%91%E7%89%88-%E6%9C%8D%E5%8A%A1%E7%AB%AF_sos.exe (PID: 3344)
- Tat tow roc koyor manax wodebib haninew dolixo.exe (PID: 4576)
- msedge.exe (PID: 5088)
- chcp.com (PID: 4720)
- 865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe (PID: 5836)
- 1e3d458e7ef866069259cb3b13b761e46f6278c3fca69ca846baca650b4e0f72.exe (PID: 4180)
- 1e3d458e7ef866069259cb3b13b761e46f6278c3fca69ca846baca650b4e0f72.exe (PID: 2752)
- f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe (PID: 3672)
- f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe (PID: 3692)
- new.exe (PID: 3660)
- 865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe (PID: 3696)
- miiyyjss.exe (PID: 4676)
- NINJA.exe (PID: 3588)
- windows.exe (PID: 4708)
- AppLaunch.exe (PID: 5768)
- pixelguy.exe (PID: 4808)
- mode.com (PID: 6196)
- 07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe (PID: 4556)
- 07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe (PID: 6224)
- conhost.exe (PID: 4484)
- updHost.exe (PID: 6336)
- toolspub1.exe (PID: 6648)
- Installsetup2.exe (PID: 6504)
- fund.exe (PID: 6512)
- jsc.exe (PID: 6796)
- data64_6.exe (PID: 7176)
- comSvc.exe (PID: 7228)
- XkaKKj5Zeb8D3PJ9aKgR0Xs5.exe (PID: 7252)
- I2Ex5pwRwZqXz75aHosVhcCf.exe (PID: 7352)
- I2Ex5pwRwZqXz75aHosVhcCf.tmp (PID: 7464)
- %EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe (PID: 7632)
- kb^fr_ouverture.exe (PID: 8048)
- 444567.exe (PID: 6276)
- system.exe (PID: 6324)
- msedge.exe (PID: 3784)
- XRJNZC.exe (PID: 1692)
- vbc.exe (PID: 6364)
- VQpUThDmYaprmzsTDTAflg52.exe (PID: 6508)
- pdf.exe (PID: 3896)
- kgnAq0ecPS19tEGk9VPuHjN7.exe (PID: 1056)
- BroomSetup.exe (PID: 6884)
- lve5.exe (PID: 6572)
- lP3RbRUvMxhMyMEFAa95ZTC3.exe (PID: 8116)
- Gsoymaq.exe (PID: 7732)
- Lipuresenu.exe (PID: 2576)
- ama.exe (PID: 6420)
- pocketrar350sc.exe (PID: 6404)
- WOvUJWL0veCQkY9fAdGkG6hm.exe (PID: 2228)
- Gsoymaq.exe (PID: 7680)
- C6cQHHsmrN7VJRDq5gTCIZl0.exe (PID: 3852)
- M5traider.exe (PID: 8140)
- HF9LrYFHBDTlRxD3D2FvmaME.exe (PID: 4088)
- 9IIBedBp4oKYeL6yADSHQI1L.exe (PID: 6492)
- Install.exe (PID: 668)
- twztl.exe (PID: 8284)
- Install.exe (PID: 8352)
- 5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe (PID: 8476)
- 9IIBedBp4oKYeL6yADSHQI1L.tmp (PID: 8532)
- TaAgente.exe (PID: 8244)
- RegAsm.exe (PID: 8696)
- s5.exe (PID: 8624)
- autorun.exe (PID: 8648)
- AppLaunch.exe (PID: 8664)
- syspolrvcs.exe (PID: 8672)
- bin.exe (PID: 8632)
- Update.exe (PID: 8812)
- cmd.exe (PID: 8868)
- lightcleaner.exe (PID: 8828)
- Winlock.exe (PID: 8876)
- Project_8.exe (PID: 8800)
- 659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe (PID: 8988)
- s5.exe (PID: 8948)
- 648b5vt13485v134322685vt.exe (PID: 8956)
- lightcleaner.tmp (PID: 9244)
- ww.exe (PID: 9456)
- plink.exe (PID: 8616)
- DefenderControl.exe (PID: 9652)
- Temp3.exe (PID: 10072)
- Controlbackup.exe (PID: 10212)
- Utsysc.exe (PID: 8212)
- RegSvcs.exe (PID: 4440)
- PCSupport.exe (PID: 7432)
- lve.exe (PID: 7020)
- InstallSetup9.exe (PID: 7436)
- baseline.exe (PID: 8412)
- 901d3bacbe82db5382c4f653efb11d4784254b3ad727530c73ae327b734c1a4b.exe (PID: 7532)
- soft.exe (PID: 8472)
- SystemUpdate.exe (PID: 3572)
- Had.exe (PID: 8608)
- winvnc.exe (PID: 8636)
- build2.exe (PID: 7308)
- Utsysc.exe (PID: 8724)
- msedge.exe (PID: 6216)
- system.exe (PID: 8284)
- XRJNZC.exe (PID: 6300)
- photo_dnkafan3.exe (PID: 8884)
- soft.exe (PID: 8628)
- 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe (PID: 4588)
- Otte-Locker.exe (PID: 7492)
- WinlockerBuilderv5.exe (PID: 3856)
- WinDir.exe (PID: 9824)
- build2.exe (PID: 9816)
- jsc.exe (PID: 9508)
- pagaqKjtCfvbRnDJrS38y41T.exe (PID: 6360)
- 26a53caa59be5c918cfee530cd39363f8a409033d6c8af51d8f8900aa67acf9a.exe (PID: 5396)
- etopt.exe (PID: 1516)
- alex.exe (PID: 7260)
- Project_8.exe (PID: 7264)
- flesh.exe (PID: 5372)
- bakhtiar.exe (PID: 7576)
- TtcgBNmQFvoTQHIP1F3rMIlk.exe (PID: 2816)
- WhHkWzUI2xrKNVpWIaMLt6SE.exe (PID: 5492)
- Vpeswawqko.exe (PID: 7048)
- l3pZDDRc6tYeDu9QO54ZLLiL.exe (PID: 3696)
- jsoAfhOkdDl64RfkIEX0x8aK.exe (PID: 8448)
- lve5.exe (PID: 5836)
- KklpEtLYLh06uw7mL3kXa22n.exe (PID: 6152)
- WCFIBf2WdSZF2ZGsFtkg1RbT.exe (PID: 9284)
- 865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe (PID: 9028)
- T1_Net.exe (PID: 8040)
- qemu-ga.exe (PID: 8028)
- KklpEtLYLh06uw7mL3kXa22n.tmp (PID: 9012)
Reads the machine GUID from the registry
- 4363463463464363463463463.exe (PID: 2088)
- syncUpd.exe (PID: 1504)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2736)
- 4363463463464363463463463.exe (PID: 2760)
- 4363463463464363463463463.exe (PID: 2292)
- 4363463463464363463463463.exe (PID: 2540)
- Archevod_XWorm.exe (PID: 2364)
- easy.exe (PID: 3528)
- WatchDog.exe (PID: 2072)
- agentServerComponent.exe (PID: 1264)
- 2014-06-12_djylh.exe (PID: 1592)
- BestSoftware.exe (PID: 3628)
- RegSvcs.exe (PID: 2912)
- Restoro.exe (PID: 2964)
- msedge.exe (PID: 2984)
- v2.exe (PID: 2628)
- WinScp.exe (PID: 3144)
- AppLaunch.exe (PID: 3376)
- Temp1.exe (PID: 3388)
- asg.exe (PID: 3484)
- rest.exe (PID: 3188)
- QubpyznbC7neo.exe (PID: 4140)
- RegSvcs.exe (PID: 4132)
- tpeinf.exe (PID: 752)
- CasPol.exe (PID: 4184)
- defense.exe (PID: 3020)
- peinf.exe (PID: 4124)
- s5.exe (PID: 4284)
- data64_1.exe (PID: 2772)
- payload.exe (PID: 4900)
- newrock.exe (PID: 5032)
- 31839b57a4f11171d6abc8bbc4451ee4.exe (PID: 5132)
- MRK.exe (PID: 5456)
- 1230.exe (PID: 5700)
- hv.exe (PID: 3100)
- InstallUtil.exe (PID: 6024)
- 4iBpiQUavIMb.exe (PID: 5948)
- RegAsm.exe (PID: 4996)
- file.exe (PID: 4636)
- %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 3680)
- KB824105-x86-ENU.exe (PID: 5664)
- wab.exe (PID: 5740)
- _VTI_CNF.exe (PID: 5120)
- AppLaunch.exe (PID: 3616)
- VLTKBacdau.exe (PID: 4208)
- %E5%8F%91%E7%A5%A8%E7%94%B5%E8%84%91%E7%89%88-%E6%9C%8D%E5%8A%A1%E7%AB%AF_sos.exe (PID: 3344)
- msedge.exe (PID: 5088)
- Tat tow roc koyor manax wodebib haninew dolixo.exe (PID: 4576)
- NINJA.exe (PID: 3588)
- windows.exe (PID: 4708)
- new.exe (PID: 3660)
- AppLaunch.exe (PID: 5768)
- pixelguy.exe (PID: 4808)
- curlprotectionstdlib.exe (PID: 2852)
- jsc.exe (PID: 6796)
- Installsetup2.exe (PID: 6504)
- comSvc.exe (PID: 7228)
- I2Ex5pwRwZqXz75aHosVhcCf.tmp (PID: 7464)
- vbc.exe (PID: 6364)
- msedge.exe (PID: 3784)
- 444567.exe (PID: 6276)
- pdf.exe (PID: 3896)
- C6cQHHsmrN7VJRDq5gTCIZl0.exe (PID: 3852)
- lP3RbRUvMxhMyMEFAa95ZTC3.exe (PID: 8116)
- M5traider.exe (PID: 8140)
- Lipuresenu.exe (PID: 2576)
- WOvUJWL0veCQkY9fAdGkG6hm.exe (PID: 2228)
- Install.exe (PID: 8352)
- 5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe (PID: 8476)
- xrecode3.exe (PID: 5484)
- RegAsm.exe (PID: 8696)
- s5.exe (PID: 8948)
- kgnAq0ecPS19tEGk9VPuHjN7.exe (PID: 1056)
- Update.exe (PID: 8812)
- syspolrvcs.exe (PID: 8672)
- cmd.exe (PID: 8868)
- plink.exe (PID: 8616)
- ama.exe (PID: 6420)
- Temp3.exe (PID: 10072)
- pocketrar350sc.exe (PID: 6404)
- Winlock.exe (PID: 8876)
- RegSvcs.exe (PID: 4440)
- Utsysc.exe (PID: 8212)
- SystemUpdate.exe (PID: 3572)
- baseline.exe (PID: 8412)
- Had.exe (PID: 8608)
- msedge.exe (PID: 6216)
- Otte-Locker.exe (PID: 7492)
- jsc.exe (PID: 9508)
- WinlockerBuilderv5.exe (PID: 3856)
- build2.exe (PID: 9816)
- WinDir.exe (PID: 9824)
- alex.exe (PID: 7260)
- TaAgente.exe (PID: 8244)
- flesh.exe (PID: 5372)
- etopt.exe (PID: 1516)
- Vpeswawqko.exe (PID: 7048)
- jsoAfhOkdDl64RfkIEX0x8aK.exe (PID: 8448)
- l3pZDDRc6tYeDu9QO54ZLLiL.exe (PID: 3696)
- T1_Net.exe (PID: 8040)
- WCFIBf2WdSZF2ZGsFtkg1RbT.exe (PID: 9284)
Reads Environment values
- 4363463463464363463463463.exe (PID: 2088)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2736)
- 4363463463464363463463463.exe (PID: 2760)
- 4363463463464363463463463.exe (PID: 2292)
- 4363463463464363463463463.exe (PID: 2540)
- 6.exe (PID: 1484)
- 2014-06-12_djylh.exe (PID: 1592)
- agentServerComponent.exe (PID: 1264)
- WinScp.exe (PID: 3144)
- rest.exe (PID: 3188)
- Temp1.exe (PID: 3388)
- asg.exe (PID: 3484)
- AppLaunch.exe (PID: 3376)
- InstallUtil.exe (PID: 6024)
- %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 3680)
- RegAsm.exe (PID: 4996)
- AppLaunch.exe (PID: 3616)
- KB824105-x86-ENU.exe (PID: 5664)
- defense.exe (PID: 3020)
- VLTKBacdau.exe (PID: 4208)
- pixelguy.exe (PID: 4808)
- jsc.exe (PID: 6796)
- comSvc.exe (PID: 7228)
- 444567.exe (PID: 6276)
- cmd.exe (PID: 8868)
- RegAsm.exe (PID: 8696)
- TaAgente.exe (PID: 8244)
- Lipuresenu.exe (PID: 2576)
- jsc.exe (PID: 9508)
- WinDir.exe (PID: 9824)
- build2.exe (PID: 9816)
- flesh.exe (PID: 5372)
- Vpeswawqko.exe (PID: 7048)
- alex.exe (PID: 7260)
STEALC has been detected (SURICATA)
- syncUpd.exe (PID: 1504)
Manual execution by a user
- 4363463463464363463463463.exe (PID: 1928)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2628)
- 4363463463464363463463463.exe (PID: 2736)
- 4363463463464363463463463.exe (PID: 2760)
- 4363463463464363463463463.exe (PID: 1852)
- 4363463463464363463463463.exe (PID: 2504)
- 4363463463464363463463463.exe (PID: 2292)
- 4363463463464363463463463.exe (PID: 1992)
- 4363463463464363463463463.exe (PID: 2540)
Process requests binary or script from the Internet
- 4363463463464363463463463.exe (PID: 2088)
- 4363463463464363463463463.exe (PID: 2540)
- 4363463463464363463463463.exe (PID: 2292)
- 4363463463464363463463463.exe (PID: 2760)
- 4363463463464363463463463.exe (PID: 2736)
- 4363463463464363463463463.exe (PID: 2096)
- tpeinf.exe (PID: 752)
Connects to the server without a host name
- 4363463463464363463463463.exe (PID: 2088)
- 4363463463464363463463463.exe (PID: 2540)
- 4363463463464363463463463.exe (PID: 2760)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2292)
- 4363463463464363463463463.exe (PID: 2736)
- WinScp.exe (PID: 3144)
- s5.exe (PID: 4284)
Checks proxy server information
- syncUpd.exe (PID: 1504)
- 2014-06-12_djylh.exe (PID: 1592)
- Restoro.exe (PID: 2964)
- tpeinf.exe (PID: 752)
- s5.exe (PID: 4284)
- peinf.exe (PID: 4124)
- data64_1.exe (PID: 2772)
- 1230.exe (PID: 5700)
- 4iBpiQUavIMb.exe (PID: 5948)
- wab.exe (PID: 5740)
- _VTI_CNF.exe (PID: 5120)
- file.exe (PID: 4636)
- %E5%8F%91%E7%A5%A8%E7%94%B5%E8%84%91%E7%89%88-%E6%9C%8D%E5%8A%A1%E7%AB%AF_sos.exe (PID: 3344)
- Tat tow roc koyor manax wodebib haninew dolixo.exe (PID: 4576)
- AppLaunch.exe (PID: 5768)
- curlprotectionstdlib.exe (PID: 2852)
- I2Ex5pwRwZqXz75aHosVhcCf.tmp (PID: 7464)
- xrecode3.exe (PID: 5484)
- kgnAq0ecPS19tEGk9VPuHjN7.exe (PID: 1056)
- s5.exe (PID: 8948)
- syspolrvcs.exe (PID: 8672)
- plink.exe (PID: 8616)
- Winlock.exe (PID: 8876)
- pocketrar350sc.exe (PID: 6404)
- Utsysc.exe (PID: 8212)
- baseline.exe (PID: 8412)
- rundll32.exe (PID: 8104)
- build2.exe (PID: 9816)
- WOvUJWL0veCQkY9fAdGkG6hm.exe (PID: 2228)
- rundll32.exe (PID: 9052)
- rundll32.exe (PID: 7816)
Connects to the CnC server
- syncUpd.exe (PID: 1504)
- iexplore.exe (PID: 3128)
- AppLaunch.exe (PID: 3376)
- rest.exe (PID: 3188)
- InstallUtil.exe (PID: 6024)
- RegAsm.exe (PID: 4996)
- powershell.exe (PID: 5268)
- pixelguy.exe (PID: 4808)
- curlprotectionstdlib.exe (PID: 2852)
- lve5.exe (PID: 6572)
- RegAsm.exe (PID: 8696)
- xrecode3.exe (PID: 5484)
- AppLaunch.exe (PID: 8664)
- syspolrvcs.exe (PID: 8672)
Create files in a temporary directory
- adobe.exe (PID: 2580)
- adobe.tmp (PID: 2052)
- smell-the-roses.exe (PID: 3800)
- tuc6.exe (PID: 2152)
- tuc6.tmp (PID: 4008)
- 2014-06-12_djylh.exe (PID: 1592)
- Restoro.exe (PID: 2964)
- wlanext.exe (PID: 3336)
- socks5-clean.exe (PID: 748)
- WinScp.exe (PID: 3144)
- 4363463463464363463463463.exe (PID: 2760)
- tuc2.exe (PID: 876)
- tuc2.tmp (PID: 3336)
- rest.exe (PID: 3188)
- v2.exe (PID: 2628)
- tpeinf.exe (PID: 752)
- Archevod_XWorm.exe (PID: 2364)
- payload.exe (PID: 4900)
- newrock.exe (PID: 5032)
- tuc3.exe (PID: 5176)
- tuc3.tmp (PID: 5192)
- InstallSetup9.exe (PID: 5068)
- peinf.exe (PID: 4124)
- xrecode3.exe (PID: 5276)
- tuc5.exe (PID: 5532)
- tuc5.tmp (PID: 5692)
- s5.exe (PID: 4284)
- InstallUtil.exe (PID: 6024)
- tuc4.exe (PID: 4320)
- tuc4.tmp (PID: 4276)
- jet.exe (PID: 3584)
- cp.exe (PID: 5604)
- NINJA.exe (PID: 3588)
- conhost.exe (PID: 4484)
- data64_6.exe (PID: 7176)
- I2Ex5pwRwZqXz75aHosVhcCf.exe (PID: 7352)
- I2Ex5pwRwZqXz75aHosVhcCf.tmp (PID: 7464)
- kgnAq0ecPS19tEGk9VPuHjN7.exe (PID: 1056)
- VQpUThDmYaprmzsTDTAflg52.exe (PID: 6508)
- 444567.exe (PID: 6276)
- pocketrar350sc.exe (PID: 6404)
- 9IIBedBp4oKYeL6yADSHQI1L.exe (PID: 6492)
- HF9LrYFHBDTlRxD3D2FvmaME.exe (PID: 4088)
- WOvUJWL0veCQkY9fAdGkG6hm.exe (PID: 2228)
- Install.exe (PID: 668)
- lightcleaner.exe (PID: 8828)
- Winlock.exe (PID: 8876)
- Project_8.exe (PID: 8800)
- 5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe (PID: 8476)
- cmd.exe (PID: 8868)
- 9IIBedBp4oKYeL6yADSHQI1L.tmp (PID: 8532)
- lightcleaner.tmp (PID: 9244)
- ama.exe (PID: 6420)
- DefenderControl.exe (PID: 9652)
- Utsysc.exe (PID: 8212)
- s5.exe (PID: 8948)
- Install.exe (PID: 8352)
- jsc.exe (PID: 9508)
- WinDir.exe (PID: 9824)
- etopt.exe (PID: 1516)
- WhHkWzUI2xrKNVpWIaMLt6SE.exe (PID: 5492)
- alex.exe (PID: 7260)
- KklpEtLYLh06uw7mL3kXa22n.exe (PID: 6152)
- WCFIBf2WdSZF2ZGsFtkg1RbT.exe (PID: 9284)
Process drops legitimate windows executable
- adobe.tmp (PID: 2052)
- 4363463463464363463463463.exe (PID: 2292)
- Archevod_XWorm.exe (PID: 2364)
- tuc6.tmp (PID: 4008)
- tuc2.tmp (PID: 3336)
- tuc3.tmp (PID: 5192)
- pinf.exe (PID: 4116)
- tuc5.tmp (PID: 5692)
- tuc4.tmp (PID: 4276)
- I2Ex5pwRwZqXz75aHosVhcCf.tmp (PID: 7464)
- 9IIBedBp4oKYeL6yADSHQI1L.tmp (PID: 8532)
- lightcleaner.tmp (PID: 9244)
- 4363463463464363463463463.exe (PID: 2096)
- KklpEtLYLh06uw7mL3kXa22n.tmp (PID: 9012)
Creates files or folders in the user directory
- adobe.tmp (PID: 2052)
- Archevod_XWorm.exe (PID: 2364)
- v4install.exe (PID: 3896)
- tuc6.tmp (PID: 4008)
- sqlite3.exe (PID: 2752)
- wlanext.exe (PID: 3336)
- Restoro.exe (PID: 2964)
- 2014-06-12_djylh.exe (PID: 1592)
- tuc2.tmp (PID: 3336)
- rest.exe (PID: 3188)
- CasPol.exe (PID: 4184)
- asg.exe (PID: 3484)
- dllhost.exe (PID: 4456)
- pinf.exe (PID: 4116)
- tpeinf.exe (PID: 752)
- s5.exe (PID: 4284)
- peinf.exe (PID: 4124)
- tuc5.tmp (PID: 5692)
- tuc4.tmp (PID: 4276)
- _VTI_CNF.exe (PID: 5120)
- file.exe (PID: 4636)
- NINJA.exe (PID: 3588)
- jsc.exe (PID: 6796)
- I2Ex5pwRwZqXz75aHosVhcCf.tmp (PID: 7464)
- s5.exe (PID: 8948)
- Winlock.exe (PID: 8876)
- SystemUpdate.exe (PID: 3572)
- PCSupport.exe (PID: 7432)
- Utsysc.exe (PID: 8212)
- 9IIBedBp4oKYeL6yADSHQI1L.tmp (PID: 8532)
- jsc.exe (PID: 9508)
- build2.exe (PID: 9816)
- etopt.exe (PID: 1516)
Drops 7-zip archiver for unpacking
- adobe.tmp (PID: 2052)
- tuc6.tmp (PID: 4008)
- tuc2.tmp (PID: 3336)
- tuc3.tmp (PID: 5192)
- tuc5.tmp (PID: 5692)
- 4363463463464363463463463.exe (PID: 2088)
- tuc4.tmp (PID: 4276)
- conhost.exe (PID: 4484)
- jsc.exe (PID: 6796)
- HF9LrYFHBDTlRxD3D2FvmaME.exe (PID: 4088)
- 9IIBedBp4oKYeL6yADSHQI1L.tmp (PID: 8532)
- jsc.exe (PID: 9508)
- 4ZdY3yAPizHKBiwumgGCHkah.exe (PID: 6304)
- KklpEtLYLh06uw7mL3kXa22n.tmp (PID: 9012)
Writes files like Keylogger logs
- 4363463463464363463463463.exe (PID: 2540)
- 6.exe (PID: 1484)
Reads product name
- 6.exe (PID: 1484)
- agentServerComponent.exe (PID: 1264)
- AppLaunch.exe (PID: 3376)
- InstallUtil.exe (PID: 6024)
- RegAsm.exe (PID: 4996)
- AppLaunch.exe (PID: 3616)
- defense.exe (PID: 3020)
- pixelguy.exe (PID: 4808)
- comSvc.exe (PID: 7228)
- cmd.exe (PID: 8868)
- RegAsm.exe (PID: 8696)
- Lipuresenu.exe (PID: 2576)
- build2.exe (PID: 9816)
- alex.exe (PID: 7260)
- flesh.exe (PID: 5372)
Creates files in the program directory
- curlprotectionstdlib.exe (PID: 2368)
- jxszdjpSrv.exe (PID: 3108)
- iexplore.exe (PID: 3128)
- rest.exe (PID: 3188)
- tuc3.tmp (PID: 5192)
- xrecode3.exe (PID: 5276)
- curlprotectionstdlib.exe (PID: 2852)
- cp.exe (PID: 5604)
- xrecode3.exe (PID: 5484)
- comSvc.exe (PID: 7228)
- lve5.exe (PID: 6572)
- 444567.exe (PID: 6276)
- WOvUJWL0veCQkY9fAdGkG6hm.exe (PID: 2228)
- bakhtiar.exe (PID: 7576)
- etopt.exe (PID: 1516)
Connects to unusual port
- 6.exe (PID: 1484)
- easy.exe (PID: 3528)
- Archevod_XWorm.exe (PID: 2364)
- powershell.exe (PID: 3624)
- RegSvcs.exe (PID: 2912)
- rest.exe (PID: 3188)
- asg.exe (PID: 3484)
- RegSvcs.exe (PID: 4132)
- CasPol.exe (PID: 4184)
- 4363463463464363463463463.exe (PID: 2088)
- InstallUtil.exe (PID: 6024)
- RegAsm.exe (PID: 4996)
- dialer.exe (PID: 4540)
- 4363463463464363463463463.exe (PID: 2540)
- VLTKBacdau.exe (PID: 4208)
- windows.exe (PID: 4708)
- pixelguy.exe (PID: 4808)
- curlprotectionstdlib.exe (PID: 2852)
- vbc.exe (PID: 6364)
- lve5.exe (PID: 6572)
- 4363463463464363463463463.exe (PID: 2736)
- 4363463463464363463463463.exe (PID: 2292)
- RegAsm.exe (PID: 8696)
- xrecode3.exe (PID: 5484)
- syspolrvcs.exe (PID: 8672)
- RegSvcs.exe (PID: 4440)
- alex.exe (PID: 7260)
- build2.exe (PID: 9816)
- flesh.exe (PID: 5372)
- 4363463463464363463463463.exe (PID: 2096)
- WOvUJWL0veCQkY9fAdGkG6hm.exe (PID: 2228)
- baseline.exe (PID: 8412)
Starts itself from another location
- jxszdjpSrv.exe (PID: 3108)
- Temp1.exe (PID: 3388)
- 4iBpiQUavIMb.exe (PID: 5948)
- HF9LrYFHBDTlRxD3D2FvmaME.exe (PID: 4088)
- twztl.exe (PID: 8284)
- ama.exe (PID: 6420)
- 4ZdY3yAPizHKBiwumgGCHkah.exe (PID: 6304)
RAMNIT has been detected (SURICATA)
- iexplore.exe (PID: 3128)
The executable file from the user directory is run by the CMD process
- agentServerComponent.exe (PID: 1264)
- sqlite3.exe (PID: 2752)
- sqlite3.exe (PID: 3252)
- sqlite3.exe (PID: 2056)
XWORM has been detected (SURICATA)
- Archevod_XWorm.exe (PID: 2364)
Malware-specific behavior (creating "System.dll" in Temp)
- Restoro.exe (PID: 2964)
The process executes via Task Scheduler
- msedge.exe (PID: 2984)
- msedge.exe (PID: 5088)
- XRJNZC.exe (PID: 1692)
- system.exe (PID: 6324)
- msedge.exe (PID: 3784)
- powershell.EXE (PID: 9868)
- system.exe (PID: 8284)
- msedge.exe (PID: 6216)
- Utsysc.exe (PID: 8724)
- XRJNZC.exe (PID: 6300)
- powershell.EXE (PID: 7892)
- system.exe (PID: 8792)
- Utsysc.exe (PID: 9320)
- XRJNZC.exe (PID: 9200)
- msedge.exe (PID: 8776)
Application launched itself
- powershell.exe (PID: 3508)
- s5.exe (PID: 3984)
- toolspub2.exe (PID: 4080)
- toolspub2.exe (PID: 5092)
- 12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe (PID: 5540)
- 1e3d458e7ef866069259cb3b13b761e46f6278c3fca69ca846baca650b4e0f72.exe (PID: 4180)
- 865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe (PID: 5836)
- f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe (PID: 3672)
- 07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe (PID: 4556)
- Gsoymaq.exe (PID: 7732)
- s5.exe (PID: 8624)
- soft.exe (PID: 8472)
- build2.exe (PID: 7308)
- 865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe (PID: 9028)
- 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe (PID: 9880)
- PrntScrnOfAMZOrderID.jpg.exe (PID: 9196)
Changes the registry key values via Powershell
- powershell.exe (PID: 3508)
Unusual connection from system programs
- powershell.exe (PID: 3624)
- powershell.exe (PID: 5268)
- vbc.exe (PID: 6364)
- rundll32.exe (PID: 8104)
- rundll32.exe (PID: 9052)
- rundll32.exe (PID: 7816)
The Powershell connects to the Internet
- powershell.exe (PID: 3624)
- powershell.exe (PID: 5268)
REDLINE has been detected (SURICATA)
- AppLaunch.exe (PID: 3376)
- RegAsm.exe (PID: 4996)
- pixelguy.exe (PID: 4808)
- RegAsm.exe (PID: 8696)
- flesh.exe (PID: 5372)
- alex.exe (PID: 7260)
Checks for external IP
- Temp1.exe (PID: 3388)
- asg.exe (PID: 3484)
- rest.exe (PID: 3188)
- kgnAq0ecPS19tEGk9VPuHjN7.exe (PID: 1056)
RISEPRO has been detected (SURICATA)
- rest.exe (PID: 3188)
Process checks are UAC notifies on
- CasPol.exe (PID: 4184)
- brg.exe (PID: 4292)
- new.exe (PID: 3660)
- Installsetup2.exe (PID: 6504)
- Had.exe (PID: 8608)
GCLEANER has been detected (SURICATA)
- s5.exe (PID: 4284)
- s5.exe (PID: 8948)
Steals credentials
- rest.exe (PID: 3188)
Process drops SQLite DLL files
- tuc3.tmp (PID: 5192)
PHORPIEX has been detected (SURICATA)
- 4363463463464363463463463.exe (PID: 2736)
- 4363463463464363463463463.exe (PID: 2760)
- syspolrvcs.exe (PID: 8672)
ARECHCLIENT2 has been detected (SURICATA)
- InstallUtil.exe (PID: 6024)
KELIHOS has been detected (SURICATA)
- 4363463463464363463463463.exe (PID: 2292)
DOINA has been detected (SURICATA)
- powershell.exe (PID: 5268)
RHADAMANTHYS has been detected (SURICATA)
- dialer.exe (PID: 4540)
DCRAT has been detected (SURICATA)
- AppLaunch.exe (PID: 3616)
PARALLAX has been detected (SURICATA)
- defense.exe (PID: 3020)
Reads mouse settings
- NINJA.exe (PID: 3588)
- system.exe (PID: 6324)
- DefenderControl.exe (PID: 9652)
- system.exe (PID: 8284)
Connects to FTP
- VLTKBacdau.exe (PID: 4208)
- TaAgente.exe (PID: 8244)
LUMMA has been detected (SURICATA)
- AppLaunch.exe (PID: 5768)
- AppLaunch.exe (PID: 8664)
Executed via WMI
- schtasks.exe (PID: 7360)
- schtasks.exe (PID: 7416)
- schtasks.exe (PID: 7376)
- schtasks.exe (PID: 7384)
- schtasks.exe (PID: 7396)
- schtasks.exe (PID: 7408)
- schtasks.exe (PID: 7428)
- schtasks.exe (PID: 7456)
- schtasks.exe (PID: 7476)
- schtasks.exe (PID: 7496)
- schtasks.exe (PID: 7516)
- schtasks.exe (PID: 7564)
- schtasks.exe (PID: 7528)
- schtasks.exe (PID: 7680)
- schtasks.exe (PID: 7648)
- schtasks.exe (PID: 7624)
- schtasks.exe (PID: 7668)
- schtasks.exe (PID: 7808)
- schtasks.exe (PID: 7732)
- schtasks.exe (PID: 7688)
- schtasks.exe (PID: 7724)
- schtasks.exe (PID: 7744)
- schtasks.exe (PID: 7784)
- schtasks.exe (PID: 7504)
- schtasks.exe (PID: 7544)
- schtasks.exe (PID: 7612)
- schtasks.exe (PID: 7880)
- schtasks.exe (PID: 7852)
- schtasks.exe (PID: 7868)
- schtasks.exe (PID: 7892)
- schtasks.exe (PID: 7816)
- schtasks.exe (PID: 7832)
- schtasks.exe (PID: 7840)
Executes as Windows Service
- Gsoymaq.exe (PID: 7732)
Reads CPU info
- lve5.exe (PID: 6572)
Run PowerShell with an invisible window
- powershell.EXE (PID: 9868)
- powershell.EXE (PID: 7892)
SOCKS5SYSTEMZ has been detected (SURICATA)
- curlprotectionstdlib.exe (PID: 2852)
- xrecode3.exe (PID: 5484)
PURPLEFOX has been detected (SURICATA)
- lve5.exe (PID: 6572)
VIDAR has been detected (SURICATA)
- build2.exe (PID: 9816)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- build2.exe (PID: 9816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
XWorm
(PID) Process(2364) Archevod_XWorm.exe
C2canadian-perspectives.gl.at.ply.gg:33203
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameScammers
MutexTLsk4Xp0P8GNpwQw
Remcos
(PID) Process(1484) 6.exe
C2 (9)hendersonk1.hopto.org:2404
henderson1.camdvr.org:2404
centplus1.serveftp.com:2404
harrywlike.ddns.net:2404
genekol.nsupdate.info:2404
harrywlike1.ddns.net:2404
hendersonk2022.hopto.org:2404
genekol1.nsupdate.info:2404
generem.camdvr.org:2404
BotnetRemoteHost
Options
Connect_interval1
Install_flagFalse
Install_HKLM\Explorer\Run1
Install_HKLM\Winlogon\ShellGY99V
Setup_path%APPDATA%
Copy_filesonic.exe
Startup_valuefuckuuuuu
Hide_fileFalse
Mutex_namegsgjdwg-1J0WWM
Keylog_flag1
Keylog_path%APPDATA%
Keylog_filelogs.dat
Keylog_cryptFalse
Hide_keylogTrue
Screenshot_flagFalse
Screenshot_time5
Take_ScreenshotFalse
Screenshot_namenotepad;solitaire;
Screenshot_path%APPDATA%
Screenshot_fileScreenshots
Screenshot_cryptFalse
Mouse_optionFalse
Delete_fileFalse
Audio_record_time5
Audio_path%APPDATA%
Audio_dirMicRecords
Connect_delay0
Copy_diryakkk
Keylog_dirchrome
Max_keylog_file20000
MetaStealer
(PID) Process(3528) easy.exe
C2 (1)5.42.65.101:48790
Botnet325904615-26990097-easy
Options
ErrorMessage
Keys
XorPyrometry
(PID) Process(2912) RegSvcs.exe
C2 (1)5.42.65.60:29012
BotnetOWN STUK
Options
ErrorMessage
Keys
XorPointsman
MarsStealer
(PID) Process(2772) data64_1.exe
C2gg.gemkan.online/gate.php
Keys
XOR
Base64_Encoded_KeyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
PurposeC2 domain
Base64_Encoded_KeyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
PurposeC2 route
Base64_Encoded_KeyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
PurposeCode encryption
Strings (618)LoadLibraryA
GetProcAddress
ExitProcess
advapi32.dll
crypt32.dll
GetTickCount
Sleep
GetUserDefaultLangID
CreateMutexA
GetLastError
HeapAlloc
GetProcessHeap
GetComputerNameA
VirtualProtect
GetCurrentProcess
VirtualAllocExNuma
GetUserNameA
CryptStringToBinaryA
HAL9TH
JohnDoe
21/04/2022 20:00:00
http://
Default
%hu/%hu/%hu %hu:%hu:%hu
open
sqlite3.dll
C:\ProgramData\sqlite3.dll
freebl3.dll
C:\ProgramData\freebl3.dll
mozglue.dll
C:\ProgramData\mozglue.dll
msvcp140.dll
C:\ProgramData\msvcp140.dll
nss3.dll
C:\ProgramData\nss3.dll
softokn3.dll
C:\ProgramData\softokn3.dll
vcruntime140.dll
C:\ProgramData\vcruntime140.dll
.zip
Tag:
IP: IP?
Country: Country?
Working Path:
Local Time:
TimeZone:
Display Language:
Keyboard Languages:
Is Laptop:
Processor:
Installed RAM:
OS:
(
Bit)
Videocard:
Display Resolution:
PC name:
User name:
Domain name:
MachineID:
GUID:
Installed Software:
system.txt
Grabber\%s.zip
%APPDATA%
%LOCALAPPDATA%
%USERPROFILE%
%DESKTOP%
Wallets\
Ethereum
\Ethereum\
keystore
Electrum
\Electrum\wallets\
*.*
ElectrumLTC
\Electrum-LTC\wallets\
Exodus
\Exodus\
exodus.conf.json
window-state.json
\Exodus\exodus.wallet\
passphrase.json
seed.seco
info.seco
ElectronCash
\ElectronCash\wallets\
default_wallet
MultiDoge
\MultiDoge\
multidoge.wallet
JAXX
\jaxx\Local Storage\
file__0.localstorage
Atomic
\atomic\Local Storage\leveldb\
000003.log
CURRENT
LOCK
LOG
MANIFEST-000001
0000*
Binance
\Binance\
app-store.json
Coinomi
\Coinomi\Coinomi\wallets\
*.wallet
*.config
*wallet*.dat
GetSystemTime
lstrcatA
SystemTimeToFileTime
ntdll.dll
sscanf
memset
memcpy
wininet.dll
user32.dll
gdi32.dll
netapi32.dll
psapi.dll
bcrypt.dll
vaultcli.dll
shlwapi.dll
shell32.dll
gdiplus.dll
ole32.dll
dbghelp.dll
CreateFileA
WriteFile
CloseHandle
GetFileSize
lstrlenA
LocalAlloc
GlobalFree
ReadFile
OpenProcess
SetFilePointer
SetEndOfFile
GetCurrentProcessId
GetLocalTime
GetTimeZoneInformation
GetUserDefaultLocaleName
LocalFree
GetSystemPowerStatus
GetSystemInfo
GlobalMemoryStatusEx
IsWow64Process
GetTempPathA
GetLocaleInfoA
GetFileSizeEx
GetFileAttributesA
FindFirstFileA
FindNextFileA
FindClose
GetCurrentDirectoryA
CopyFileA
DeleteFileA
lstrcmpW
GlobalAlloc
FreeLibrary
SetCurrentDirectoryA
CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
FileTimeToSystemTime
GetFileInformationByHandle
GlobalLock
GlobalSize
WideCharToMultiByte
GetWindowsDirectoryA
GetVolumeInformationA
GetVersionExA
GetModuleFileNameA
CreateFileW
CreateFileMappingW
MultiByteToWideChar
CreateThread
GetEnvironmentVariableA
SetEnvironmentVariableA
lstrcpyA
lstrcpynA
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
InternetCloseHandle
InternetReadFile
InternetSetOptionA
InternetOpenUrlA
InternetCrackUrlA
wsprintfA
CharToOemW
GetKeyboardLayoutList
EnumDisplayDevicesA
ReleaseDC
GetDC
GetSystemMetrics
GetDesktopWindow
GetWindowRect
GetWindowDC
CloseWindow
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
GetCurrentHwProfileA
RegEnumKeyExA
RegGetValueA
CreateDCA
GetDeviceCaps
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
StretchBlt
GetObjectW
GetDIBits
SaveDC
CreateDIBSection
DeleteDC
RestoreDC
DsRoleGetPrimaryDomainInformation
GetModuleFileNameExA
CryptUnprotectData
BCryptCloseAlgorithmProvider
BCryptDestroyKey
BCryptOpenAlgorithmProvider
BCryptSetProperty
BCryptGenerateSymmetricKey
BCryptDecrypt
VaultOpenVault
VaultCloseVault
VaultEnumerateItems
VaultGetItemWin8
VaultGetItemWin7
VaultFree
StrCmpCA
StrStrA
PathMatchSpecA
SHGetFolderPathA
ShellExecuteExA
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdiplusStartup
GdiplusShutdown
GdipSaveImageToStream
GdipDisposeImage
GdipFree
CreateStreamOnHGlobal
GetHGlobalFromStream
SymMatchString
HEAD
HTTP/1.1
GET
POST
file
Content-Type: multipart/form-data; boundary=----
Content-Disposition: form-data; name="
Content-Disposition: form-data; name="file"; filename="
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
SOFT:
PROF: ?
PROF:
HOST:
USER:
PASS:
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
"}
PATH
PATH=
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
SELECT origin_url, username_value, password_value FROM logins
Cookies\%s_%s.txt
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
TRUE
FALSE
Autofill\%s_%s.txt
SELECT name, value FROM autofill
CC\%s_%s.txt
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Card number:
Name on card:
Expiration date:
History\%s_%s.txt
SELECT url FROM urls
Downloads\%s_%s.txt
SELECT target_path, tab_url from downloads
Login Data
Cookies
Web Data
History
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
logins.json
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places
cookies.sqlite
formhistory.sqlite
places.sqlite
\Local State
..\profiles.ini
C:\ProgramData\
Chrome
\Google\Chrome\User Data
ChromeBeta
\Google\Chrome Beta\User Data
ChromeCanary
\Google\Chrome SxS\User Data
Chromium
\Chromium\User Data
Edge_Chromium
\Microsoft\Edge\User Data
Kometa
\Kometa\User Data
Amigo
\Amigo\User Data
Torch
\Torch\User Data
Orbitum
\Orbitum\User Data
Comodo
\Comodo\Dragon\User Data
Nichrome
\Nichrome\User Data
Maxthon5
\Maxthon5\Users
Sputnik
\Sputnik\User Data
EPB
\Epic Privacy Browser\User Data
Vivaldi
\Vivaldi\User Data
CocCoc
\CocCoc\Browser\User Data
Uran
\uCozMedia\Uran\User Data
QIP
\QIP Surf\User Data
Cent
\CentBrowser\User Data
Elements
\Elements Browser\User Data
TorBro
\TorBro\Profile
CryptoTab
\CryptoTab Browser\User Data
Brave
\BraveSoftware\Brave-Browser\User Data
Opera
\Opera Software\Opera Stable\
OperaGX
\Opera Software\Opera GX Stable\
OperaNeon
\Opera Software\Opera Neon\User Data
Firefox
\Mozilla\Firefox\Profiles\
SlimBrowser
\FlashPeak\SlimBrowser\Profiles\
PaleMoon
\Moonchild Productions\Pale Moon\Profiles\
Waterfox
\Waterfox\Profiles\
Cyberfox
\8pecxstudios\Cyberfox\Profiles\
BlackHawk
\NETGATE Technologies\BlackHawk\Profiles\
IceCat
\Mozilla\icecat\Profiles\
KMeleon
\K-Meleon\
Thunderbird
\Thunderbird\Profiles\
passwords.txt
ibnejdfjmmkpcnlpebklmnkoeoihofec
TronLink
nkbihfbeogaeaoehlefnkodbefgpgknn
MetaMask
fhbohimaelbohpjbbldcngcnapndodjp
Binance Chain Wallet
ffnbelfdoeiohenkjibnmadjiehjhajb
Yoroi
jbdaocneiiinmjbjlgalhcelgbejmnid
Nifty Wallet
afbcbjpbpfadlkmhmclhkeeodmamcflc
Math Wallet
hnfanknocfeofbddgcijnmhnfnkdnaad
Coinbase Wallet
hpglfhgfnhbgpjdenjgmdgoeiappafln
Guarda
blnieiiffboillknjnepogjhkgnoapac
EQUAL Wallet
cjelfplplebdjjenllpjcblmjkfcffne
Jaxx Liberty
fihkakfobkmkjojpchpfgcmhfjnmnfpi
BitApp Wallet
kncchdigobghenbbaddojjnnaogfppfj
iWallet
amkmjjmmflddogmhpjloimipbofnfjih
Wombat
nlbmnnijcnlegkjjpcfjclmcfggfefdm
MEW CX
nanjmdknhkinifnkgdcggcfnhdaammmj
GuildWallet
nkddgncdjgjfcddamfgcmfnlhccnimig
Saturn Wallet
fnjhmkhhmkbjkkabndcnnogagogbneec
Ronin Wallet
cphhlgmgameodnhkjdmkpanlelnlohao
NeoLine
nhnkbkgjikgcigadomkphalanndcapjk
Clover Wallet
kpfopkelmapcoipemfendmdcghnegimn
Liquality Wallet
aiifbnbfobpmeekipheeijimdpnlpgpp
Terra Station
dmkamcknogkgcdfhhbddcghachkejeap
Keplr
fhmfendgdocmcbmfikdcogofphimnkno
Sollet
cnmamaachppnkjgnildpdmkaakejnhae
Auro Wallet
jojhfeoedkpkglbfimdfabpdfjaoolaf
Polymesh Wallet
flpiciilemghbmfalicajoolhkkenfel
ICONex
nknhiehlklippafakaeklbeglecifhad
Nabox Wallet
hcflpincpppdclinealmandijcmnkbgn
KHC
ookjlbkiijinhpmnjffcofjonbfbgaoc
Temple
mnfifefkajgofkcjkemidiaecocnkjeh
TezBox
dkdedlpgdmmkkfjabffeganieamfklkm
Cyano Wallet
nlgbhdfgdhgbiamfdfmbikcdghidoadd
Byone
infeboajgfhgbjpjbeppbkgnabfdkdaf
OneKey
cihmoadaighcejopammfbmddcmdekcje
LeafWallet
lodccjjbdhfakaekdiahmedfbieldgik
DAppPlay
ijmpgkjfkbfhoebgogflfebnmejmfbml
BitClip
lkcjlnjfpbikmcmbachjpdbijejflpcm
Steem Keychain
onofpnbbkehpmmoabgpcpmigafmmnjhl
Nash Extension
bcopgchhojmggmffilplmbdicgaihlkp
Hycon Lite Client
klnaejjgbibmhlephnhpmaofohgkpgkd
ZilPay
aeachknmefphepccionboohckonoeemg
Coin98 Wallet
bfnaelmomeimhlpmgjnjophhpkkoljpa
Phantom
hifafgmccdpekplomjjkcfgodnhcellj
Crypto.com
dngmlblcodfobpdpecaadgfbcggfjfnm
Maiar DeFi Wallet
ppdadbejkmjnefldpcdjhnkpbjkikoip
Oasis
hpbgcgmiemanfelegbndmhieiigkackl
MonstaWallet
fcckkdbjnoikooededlapcalpionmalo
MOBOX
jccapkebeeiajkkdemacblkjhhhboiek
Crust Wallet
mgffkfbidihjpoaomajlbgchddlicgpn
Pali Wallet
nphplpgoakhhjchkkhmiggakijnkhfnd
TON Wallet
ldinpeekobnhjjdofggfgjlcehhmanlj
Hiro Wallet
pocmplpaccanhmnllbbkpgfliimjljgo
Slope Wallet
bhhhlbepdkbapadjdnnojkbgioiodbic
Solflare Wallet
pgiaagfkgcbnmiiolekcfmljdagdhlcm
Stargazer Wallet
cgeeodpfagjceefieflmdfphplkenlfk
EVER Wallet
gjkdbeaiifkpoencioahhcilildpjhgh
partisia-wallet
bgjogpoidejdemgoochpnkmdjpocgkha
Ecto Wallet
ifckdpamphokdglkkdomedpdegcjhjdp
ONTO Wallet
agechnindjilpccclelhlbjphbgnobpf
Fractal Wallet
algblmhagnobbnmakepomicmfljlbehg
ADS Wallet
imijjbmbnebfnbmonjeileijahaipglj
Moonlet Wallet
kpjdchaapjheajadlaakiiigcbhoppda
ZEBEDEE
dlcobpjiigpikoobohmabehhmhfoodbb
Argent X StarkNet Wallet
bofddndhbegljegmpmnlbhcejofmjgbn
X-Wallet
mapbhaebnddapnmifbbkgeedkeplgjmf
Biport Wallet
kfdniefadaanbjodldohaedphafoffoh
Typhon Wallet
jaooiolkmfcmloonphpiiogkfckgciom
Twetch Wallet
aijcbedoijmgnlmjeegjaglmepbmpkpi
Leap Wallet
fhfffofbcgbjjojdnpcfompojdjjhdim
Lamden Wallet
agkfnefiabmfpanochlcakggnkdfmmjd
Earth Wallet
lpfcbjknijpeeillifnkikgncikgfhdo
Nami
fecfflganphcinpahcklgahckeohalog
Coin Wallet
ilhaljfiglknggcoegeknjghdgampffk
Beam Web Wallet
dklmlehijiaepdijfnbbhncfpcoeeljf
FShares Wallet
fkhebcilafocjhnlcngogekljmllgdhd
WAGMIswap.io Wallet
laphpbhjhhgigmjoflgcchgodbbclahk
BLUE - Worlds Safest and Simplest Wallet
mkjjflkhdddfjhonakofipfojoepfndk
Unification Web Wallet
jnldfbidonfeldmalbflbmlebbipcnle
Infinity Wallet
ellkdbaphhldpeajbepobaecooaoafpg
Fetch.ai Network Wallet
iokeahhehimjnekafflcihljlcjccdbe
Alby Wallet
omajpeaffjgmlpmhbfdjepdejoemifpe
xBull Wallet
pgojdfajgcjjpjnbpfaelnpnjocakldb
Sugarchain Wallet
pnndplcbkakcplkjnolgbkdgjikjednm
Tronium
fnnegphlobjdpkhecapkijjdkgcjhkib
Harmony
fhilaheimglignddkjgofkcbgekhenbh
Oxygen
cmbagcoinhmacpcgmbiniijboejgiahi
JustLiquidity Wallet
kmmolakhbgdlpkjkcjkebenjheonagdm
AlgoSigner
fnabdmcgpkkjjegokfcnfbpneacddpfh
Goldmint Lite Wallet
bgpipimickeadkjlklgciifhnalhdjhe
GeroWallet
hoighigmnhgkkdaenafgnefkcmipfjon
EO.Finance
nlgnepoeokdfodgjkjiblkadkjbdfmgd
Multi Wallet
nhihjlnjgibefgjhobhcphmnckoogdea
Waves Enterprise Wallet
ehibhohmlpipbaogcknmpmiibbllplph
Bluehelix Wallet
magbanejlegnbcppjljfhnmfmghialkl
Nebulas Wallet
fgkaeeikaoeiiggggbgdcjchmdfmamla
Vtimes
pnlfjmlcjdjgkddecgincndfgegkecke
Crocobit Wallet
bhghoamapcdpbohphigoooaddinpkbai
Authenticator
gaedmjdfmmahhbjefcbgaolhhanlaolb
Authy
oeljdldpnmdbchonielidgobddffflal
EOS Authenticator
ilgcnhelpchnceeipipijaljkblbcobl
GAuth Authenticator
imloifkgjagghnncjkhggdhalmcnfklk
Trezor Password Manager
%s\%s\Local Extension Settings\%s
%s\CURRENT
%s\%s\Sync Extension Settings\%s
%s\%s\IndexedDB\chrome-extension_%s_0.indexeddb.leveldb
Plugins\
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
x64
x86
DISPLAY
SOFTWARE\Microsoft\Cryptography
MachineGuid
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
DisplayVersion
screenshot.jpg
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
/c timeout /t 5 & del /f /q "%s" & exit
C:\Windows\System32\cmd.exe
Arkei
(PID) Process(2772) data64_1.exe
C2 (1)http://gg.gemkan.online/gate.php
Strings (618)LoadLibraryA
GetProcAddress
ExitProcess
advapi32.dll
crypt32.dll
GetTickCount
Sleep
GetUserDefaultLangID
CreateMutexA
GetLastError
HeapAlloc
GetProcessHeap
GetComputerNameA
VirtualProtect
GetCurrentProcess
VirtualAllocExNuma
GetUserNameA
CryptStringToBinaryA
HAL9TH
JohnDoe
21/04/2022 20:00:00
http://
Default
%hu/%hu/%hu %hu:%hu:%hu
open
sqlite3.dll
C:\ProgramData\sqlite3.dll
freebl3.dll
C:\ProgramData\freebl3.dll
mozglue.dll
C:\ProgramData\mozglue.dll
msvcp140.dll
C:\ProgramData\msvcp140.dll
nss3.dll
C:\ProgramData\nss3.dll
softokn3.dll
C:\ProgramData\softokn3.dll
vcruntime140.dll
C:\ProgramData\vcruntime140.dll
.zip
Tag:
IP: IP?
Country: Country?
Working Path:
Local Time:
TimeZone:
Display Language:
Keyboard Languages:
Is Laptop:
Processor:
Installed RAM:
OS:
(
Bit)
Videocard:
Display Resolution:
PC name:
User name:
Domain name:
MachineID:
GUID:
Installed Software:
system.txt
Grabber\%s.zip
%APPDATA%
%LOCALAPPDATA%
%USERPROFILE%
%DESKTOP%
Wallets\
Ethereum
\Ethereum\
keystore
Electrum
\Electrum\wallets\
*.*
ElectrumLTC
\Electrum-LTC\wallets\
Exodus
\Exodus\
exodus.conf.json
window-state.json
\Exodus\exodus.wallet\
passphrase.json
seed.seco
info.seco
ElectronCash
\ElectronCash\wallets\
default_wallet
MultiDoge
\MultiDoge\
multidoge.wallet
JAXX
\jaxx\Local Storage\
file__0.localstorage
Atomic
\atomic\Local Storage\leveldb\
000003.log
CURRENT
LOCK
LOG
MANIFEST-000001
0000*
Binance
\Binance\
app-store.json
Coinomi
\Coinomi\Coinomi\wallets\
*.wallet
*.config
*wallet*.dat
GetSystemTime
lstrcatA
SystemTimeToFileTime
ntdll.dll
sscanf
memset
memcpy
wininet.dll
user32.dll
gdi32.dll
netapi32.dll
psapi.dll
bcrypt.dll
vaultcli.dll
shlwapi.dll
shell32.dll
gdiplus.dll
ole32.dll
dbghelp.dll
CreateFileA
WriteFile
CloseHandle
GetFileSize
lstrlenA
LocalAlloc
GlobalFree
ReadFile
OpenProcess
SetFilePointer
SetEndOfFile
GetCurrentProcessId
GetLocalTime
GetTimeZoneInformation
GetUserDefaultLocaleName
LocalFree
GetSystemPowerStatus
GetSystemInfo
GlobalMemoryStatusEx
IsWow64Process
GetTempPathA
GetLocaleInfoA
GetFileSizeEx
GetFileAttributesA
FindFirstFileA
FindNextFileA
FindClose
GetCurrentDirectoryA
CopyFileA
DeleteFileA
lstrcmpW
GlobalAlloc
FreeLibrary
SetCurrentDirectoryA
CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
FileTimeToSystemTime
GetFileInformationByHandle
GlobalLock
GlobalSize
WideCharToMultiByte
GetWindowsDirectoryA
GetVolumeInformationA
GetVersionExA
GetModuleFileNameA
CreateFileW
CreateFileMappingW
MultiByteToWideChar
CreateThread
GetEnvironmentVariableA
SetEnvironmentVariableA
lstrcpyA
lstrcpynA
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
InternetCloseHandle
InternetReadFile
InternetSetOptionA
InternetOpenUrlA
InternetCrackUrlA
wsprintfA
CharToOemW
GetKeyboardLayoutList
EnumDisplayDevicesA
ReleaseDC
GetDC
GetSystemMetrics
GetDesktopWindow
GetWindowRect
GetWindowDC
CloseWindow
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
GetCurrentHwProfileA
RegEnumKeyExA
RegGetValueA
CreateDCA
GetDeviceCaps
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
StretchBlt
GetObjectW
GetDIBits
SaveDC
CreateDIBSection
DeleteDC
RestoreDC
DsRoleGetPrimaryDomainInformation
GetModuleFileNameExA
CryptUnprotectData
BCryptCloseAlgorithmProvider
BCryptDestroyKey
BCryptOpenAlgorithmProvider
BCryptSetProperty
BCryptGenerateSymmetricKey
BCryptDecrypt
VaultOpenVault
VaultCloseVault
VaultEnumerateItems
VaultGetItemWin8
VaultGetItemWin7
VaultFree
StrCmpCA
StrStrA
PathMatchSpecA
SHGetFolderPathA
ShellExecuteExA
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdiplusStartup
GdiplusShutdown
GdipSaveImageToStream
GdipDisposeImage
GdipFree
CreateStreamOnHGlobal
GetHGlobalFromStream
SymMatchString
HEAD
HTTP/1.1
GET
POST
file
Content-Type: multipart/form-data; boundary=----
Content-Disposition: form-data; name="
Content-Disposition: form-data; name="file"; filename="
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
SOFT:
PROF: ?
PROF:
HOST:
USER:
PASS:
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
"}
PATH
PATH=
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
SELECT origin_url, username_value, password_value FROM logins
Cookies\%s_%s.txt
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
TRUE
FALSE
Autofill\%s_%s.txt
SELECT name, value FROM autofill
CC\%s_%s.txt
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Card number:
Name on card:
Expiration date:
History\%s_%s.txt
SELECT url FROM urls
Downloads\%s_%s.txt
SELECT target_path, tab_url from downloads
Login Data
Cookies
Web Data
History
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
logins.json
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places
cookies.sqlite
formhistory.sqlite
places.sqlite
\Local State
..\profiles.ini
C:\ProgramData\
Chrome
\Google\Chrome\User Data
ChromeBeta
\Google\Chrome Beta\User Data
ChromeCanary
\Google\Chrome SxS\User Data
Chromium
\Chromium\User Data
Edge_Chromium
\Microsoft\Edge\User Data
Kometa
\Kometa\User Data
Amigo
\Amigo\User Data
Torch
\Torch\User Data
Orbitum
\Orbitum\User Data
Comodo
\Comodo\Dragon\User Data
Nichrome
\Nichrome\User Data
Maxthon5
\Maxthon5\Users
Sputnik
\Sputnik\User Data
EPB
\Epic Privacy Browser\User Data
Vivaldi
\Vivaldi\User Data
CocCoc
\CocCoc\Browser\User Data
Uran
\uCozMedia\Uran\User Data
QIP
\QIP Surf\User Data
Cent
\CentBrowser\User Data
Elements
\Elements Browser\User Data
TorBro
\TorBro\Profile
CryptoTab
\CryptoTab Browser\User Data
Brave
\BraveSoftware\Brave-Browser\User Data
Opera
\Opera Software\Opera Stable\
OperaGX
\Opera Software\Opera GX Stable\
OperaNeon
\Opera Software\Opera Neon\User Data
Firefox
\Mozilla\Firefox\Profiles\
SlimBrowser
\FlashPeak\SlimBrowser\Profiles\
PaleMoon
\Moonchild Productions\Pale Moon\Profiles\
Waterfox
\Waterfox\Profiles\
Cyberfox
\8pecxstudios\Cyberfox\Profiles\
BlackHawk
\NETGATE Technologies\BlackHawk\Profiles\
IceCat
\Mozilla\icecat\Profiles\
KMeleon
\K-Meleon\
Thunderbird
\Thunderbird\Profiles\
passwords.txt
ibnejdfjmmkpcnlpebklmnkoeoihofec
TronLink
nkbihfbeogaeaoehlefnkodbefgpgknn
MetaMask
fhbohimaelbohpjbbldcngcnapndodjp
Binance Chain Wallet
ffnbelfdoeiohenkjibnmadjiehjhajb
Yoroi
jbdaocneiiinmjbjlgalhcelgbejmnid
Nifty Wallet
afbcbjpbpfadlkmhmclhkeeodmamcflc
Math Wallet
hnfanknocfeofbddgcijnmhnfnkdnaad
Coinbase Wallet
hpglfhgfnhbgpjdenjgmdgoeiappafln
Guarda
blnieiiffboillknjnepogjhkgnoapac
EQUAL Wallet
cjelfplplebdjjenllpjcblmjkfcffne
Jaxx Liberty
fihkakfobkmkjojpchpfgcmhfjnmnfpi
BitApp Wallet
kncchdigobghenbbaddojjnnaogfppfj
iWallet
amkmjjmmflddogmhpjloimipbofnfjih
Wombat
nlbmnnijcnlegkjjpcfjclmcfggfefdm
MEW CX
nanjmdknhkinifnkgdcggcfnhdaammmj
GuildWallet
nkddgncdjgjfcddamfgcmfnlhccnimig
Saturn Wallet
fnjhmkhhmkbjkkabndcnnogagogbneec
Ronin Wallet
cphhlgmgameodnhkjdmkpanlelnlohao
NeoLine
nhnkbkgjikgcigadomkphalanndcapjk
Clover Wallet
kpfopkelmapcoipemfendmdcghnegimn
Liquality Wallet
aiifbnbfobpmeekipheeijimdpnlpgpp
Terra Station
dmkamcknogkgcdfhhbddcghachkejeap
Keplr
fhmfendgdocmcbmfikdcogofphimnkno
Sollet
cnmamaachppnkjgnildpdmkaakejnhae
Auro Wallet
jojhfeoedkpkglbfimdfabpdfjaoolaf
Polymesh Wallet
flpiciilemghbmfalicajoolhkkenfel
ICONex
nknhiehlklippafakaeklbeglecifhad
Nabox Wallet
hcflpincpppdclinealmandijcmnkbgn
KHC
ookjlbkiijinhpmnjffcofjonbfbgaoc
Temple
mnfifefkajgofkcjkemidiaecocnkjeh
TezBox
dkdedlpgdmmkkfjabffeganieamfklkm
Cyano Wallet
nlgbhdfgdhgbiamfdfmbikcdghidoadd
Byone
infeboajgfhgbjpjbeppbkgnabfdkdaf
OneKey
cihmoadaighcejopammfbmddcmdekcje
LeafWallet
lodccjjbdhfakaekdiahmedfbieldgik
DAppPlay
ijmpgkjfkbfhoebgogflfebnmejmfbml
BitClip
lkcjlnjfpbikmcmbachjpdbijejflpcm
Steem Keychain
onofpnbbkehpmmoabgpcpmigafmmnjhl
Nash Extension
bcopgchhojmggmffilplmbdicgaihlkp
Hycon Lite Client
klnaejjgbibmhlephnhpmaofohgkpgkd
ZilPay
aeachknmefphepccionboohckonoeemg
Coin98 Wallet
bfnaelmomeimhlpmgjnjophhpkkoljpa
Phantom
hifafgmccdpekplomjjkcfgodnhcellj
Crypto.com
dngmlblcodfobpdpecaadgfbcggfjfnm
Maiar DeFi Wallet
ppdadbejkmjnefldpcdjhnkpbjkikoip
Oasis
hpbgcgmiemanfelegbndmhieiigkackl
MonstaWallet
fcckkdbjnoikooededlapcalpionmalo
MOBOX
jccapkebeeiajkkdemacblkjhhhboiek
Crust Wallet
mgffkfbidihjpoaomajlbgchddlicgpn
Pali Wallet
nphplpgoakhhjchkkhmiggakijnkhfnd
TON Wallet
ldinpeekobnhjjdofggfgjlcehhmanlj
Hiro Wallet
pocmplpaccanhmnllbbkpgfliimjljgo
Slope Wallet
bhhhlbepdkbapadjdnnojkbgioiodbic
Solflare Wallet
pgiaagfkgcbnmiiolekcfmljdagdhlcm
Stargazer Wallet
cgeeodpfagjceefieflmdfphplkenlfk
EVER Wallet
gjkdbeaiifkpoencioahhcilildpjhgh
partisia-wallet
bgjogpoidejdemgoochpnkmdjpocgkha
Ecto Wallet
ifckdpamphokdglkkdomedpdegcjhjdp
ONTO Wallet
agechnindjilpccclelhlbjphbgnobpf
Fractal Wallet
algblmhagnobbnmakepomicmfljlbehg
ADS Wallet
imijjbmbnebfnbmonjeileijahaipglj
Moonlet Wallet
kpjdchaapjheajadlaakiiigcbhoppda
ZEBEDEE
dlcobpjiigpikoobohmabehhmhfoodbb
Argent X StarkNet Wallet
bofddndhbegljegmpmnlbhcejofmjgbn
X-Wallet
mapbhaebnddapnmifbbkgeedkeplgjmf
Biport Wallet
kfdniefadaanbjodldohaedphafoffoh
Typhon Wallet
jaooiolkmfcmloonphpiiogkfckgciom
Twetch Wallet
aijcbedoijmgnlmjeegjaglmepbmpkpi
Leap Wallet
fhfffofbcgbjjojdnpcfompojdjjhdim
Lamden Wallet
agkfnefiabmfpanochlcakggnkdfmmjd
Earth Wallet
lpfcbjknijpeeillifnkikgncikgfhdo
Nami
fecfflganphcinpahcklgahckeohalog
Coin Wallet
ilhaljfiglknggcoegeknjghdgampffk
Beam Web Wallet
dklmlehijiaepdijfnbbhncfpcoeeljf
FShares Wallet
fkhebcilafocjhnlcngogekljmllgdhd
WAGMIswap.io Wallet
laphpbhjhhgigmjoflgcchgodbbclahk
BLUE - Worlds Safest and Simplest Wallet
mkjjflkhdddfjhonakofipfojoepfndk
Unification Web Wallet
jnldfbidonfeldmalbflbmlebbipcnle
Infinity Wallet
ellkdbaphhldpeajbepobaecooaoafpg
Fetch.ai Network Wallet
iokeahhehimjnekafflcihljlcjccdbe
Alby Wallet
omajpeaffjgmlpmhbfdjepdejoemifpe
xBull Wallet
pgojdfajgcjjpjnbpfaelnpnjocakldb
Sugarchain Wallet
pnndplcbkakcplkjnolgbkdgjikjednm
Tronium
fnnegphlobjdpkhecapkijjdkgcjhkib
Harmony
fhilaheimglignddkjgofkcbgekhenbh
Oxygen
cmbagcoinhmacpcgmbiniijboejgiahi
JustLiquidity Wallet
kmmolakhbgdlpkjkcjkebenjheonagdm
AlgoSigner
fnabdmcgpkkjjegokfcnfbpneacddpfh
Goldmint Lite Wallet
bgpipimickeadkjlklgciifhnalhdjhe
GeroWallet
hoighigmnhgkkdaenafgnefkcmipfjon
EO.Finance
nlgnepoeokdfodgjkjiblkadkjbdfmgd
Multi Wallet
nhihjlnjgibefgjhobhcphmnckoogdea
Waves Enterprise Wallet
ehibhohmlpipbaogcknmpmiibbllplph
Bluehelix Wallet
magbanejlegnbcppjljfhnmfmghialkl
Nebulas Wallet
fgkaeeikaoeiiggggbgdcjchmdfmamla
Vtimes
pnlfjmlcjdjgkddecgincndfgegkecke
Crocobit Wallet
bhghoamapcdpbohphigoooaddinpkbai
Authenticator
gaedmjdfmmahhbjefcbgaolhhanlaolb
Authy
oeljdldpnmdbchonielidgobddffflal
EOS Authenticator
ilgcnhelpchnceeipipijaljkblbcobl
GAuth Authenticator
imloifkgjagghnncjkhggdhalmcnfklk
Trezor Password Manager
%s\%s\Local Extension Settings\%s
%s\CURRENT
%s\%s\Sync Extension Settings\%s
%s\%s\IndexedDB\chrome-extension_%s_0.indexeddb.leveldb
Plugins\
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
x64
x86
DISPLAY
SOFTWARE\Microsoft\Cryptography
MachineGuid
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
DisplayVersion
screenshot.jpg
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
/c timeout /t 5 & del /f /q "%s" & exit
C:\Windows\System32\cmd.exe
RedLine
(PID) Process(4132) RegSvcs.exe
C2 (1)91.92.241.115:12393
Botnetvic
Options
ErrorMessage
Keys
XorFiver
Nanocore
(PID) Process(4184) CasPol.exe
BuildTime2023-12-21 08:15:54.000408
Version1.2.2.0
Mutex4c987240-839f-4536-835a-ac14ff0793a6
DefaultGroupDec
PrimaryConnectionHostglobron.duckdns.org
BackupConnectionHostglobron.duckdns.org
ConnectionPort9192
RunOnStartupFalse
RequestElevationFalse
BypassUserAccountControlFalse
ClearZoneIdentifierTrue
ClearAccessControlFalse
SetCriticalProcessFalse
PreventSystemSleepTrue
ActivateAwayModeFalse
EnableDebugModeFalse
RunDelay0
ConnectDelay4000
RestartDelay5000
TimeoutInterval5000
KeepAliveTimeout30000
MutexTimeout5000
LanTimeout2500
WanTimeout8000
BufferSize65535
MaxPacketSize10485760
GCThreshold10485760
UseCustomDnsServerTrue
PrimaryDnsServer8.8.8.8
BackupDnsServer8.8.4.4
Lumma
(PID) Process(5768) AppLaunch.exe
C2gstatic-node.io
Options
LummaIDV566Iu--resame
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (7.4) |
| .exe | | | Win32 Executable (generic) (5.1) |
| .exe | | | Generic Win/DOS Executable (2.2) |
| .exe | | | DOS Executable Generic (2.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:12:22 09:29:10+01:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32 |
| LinkerVersion: | 80 |
| CodeSize: | 5632 |
| InitializedDataSize: | 4608 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x3552 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileDescription: | |
| FileVersion: | 0.0.0.0 |
| InternalName: | 4363463463464363463463463.exe |
| LegalCopyright: | |
| OriginalFileName: | 4363463463464363463463463.exe |
| ProductVersion: | 0.0.0.0 |
| AssemblyVersion: | 0.0.0.0 |
Total processes
654
Monitored processes
443
Malicious processes
96
Suspicious processes
28
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 332 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\BridgeportWebDllNet\cMC3vG7uf0oG.vbe" | C:\Windows\System32\wscript.exe | — | v4install.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 668 | .\Install.exe | C:\Users\admin\AppData\Local\Temp\7zSA7AC.tmp\Install.exe | — | HF9LrYFHBDTlRxD3D2FvmaME.exe | |||||||||||
User: admin Company: Igor Pavlov Integrity Level: HIGH Description: 7z Setup SFX Exit code: 0 Version: 9.20 Modules
| |||||||||||||||
| 748 | "C:\Users\admin\Desktop\Files\socks5-clean.exe" | C:\Users\admin\Desktop\Files\socks5-clean.exe | — | 4363463463464363463463463.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 752 | "C:\Users\admin\Desktop\Files\tpeinf.exe" | C:\Users\admin\Desktop\Files\tpeinf.exe | 4363463463464363463463463.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 784 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\BridgeportWebDllNet\b7te9U2.bat" " | C:\Windows\System32\cmd.exe | — | wscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 840 | "C:\Users\admin\Desktop\Files\yhjjs.exe" | C:\Users\admin\Desktop\Files\yhjjs.exe | 4363463463464363463463463.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 876 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\FF.bat" > C:\Users\admin\AppData\Local\Temp\FF.txt" | C:\Windows\System32\cmd.exe | — | ns8222.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 876 | "C:\Users\admin\Desktop\Files\tuc2.exe" | C:\Users\admin\Desktop\Files\tuc2.exe | — | 4363463463464363463463463.exe | |||||||||||
User: admin Company: Integrity Level: HIGH Description: CURL Protection Std LIB Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 984 | "schtasks" /create /tn "WSUS Update Client" /sc ONLOGON /tr "C:\Users\admin\Desktop\Files\Temp1.exe" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | Temp1.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 984 | "cmd.exe" /c schtasks /create /f /RU "admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST | C:\Windows\System32\cmd.exe | rest.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
189 132
Read events
186 148
Write events
2 904
Delete events
80
Modification events
| (PID) Process: | (2088) 4363463463464363463463463.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2088) 4363463463464363463463463.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD |
| Operation: | write | Name: | Blob |
Value: 530000000100000040000000303E301F06092B06010401A032010130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C0190000000100000010000000D0FD3C9C380D7B65E26B9A3FEDD39B8F0B000000010000003000000047006C006F00620061006C005300690067006E00200052006F006F00740020004300410020002D002000520033000000620000000100000020000000CBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B1400000001000000140000008FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC1D000000010000001000000001728E1ECF7A9D86FB3CEC8948ABA953030000000100000014000000D69B561148F01C77C54578C10926DF5B856976AD0F00000001000000200000005229BA15B31B0C6F4CCA89C2985177974327D1B689A3B935A0BD975532AF22AB090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B060105050703082000000001000000630300003082035F30820247A003020102020B04000000000121585308A2300D06092A864886F70D01010B0500304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E301E170D3039303331383130303030305A170D3239303331383130303030305A304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E30820122300D06092A864886F70D01010105000382010F003082010A0282010100CC2576907906782216F5C083B684CA289EFD057611C5AD8872FC460243C7B28A9D045F24CB2E4BE1608246E152AB0C8147706CDD64D1EBF52CA30F823D0C2BAE97D7B614861079BB3B1380778C08E149D26A622F1F5EFA9668DF892795389F06D73EC9CB26590D73DEB0C8E9260E8315C6EF5B8BD20460CA49A628F6693BF6CBC82891E59D8A615737AC7414DC74E03AEE722F2E9CFBD0BBBFF53D00E10633E8822BAE53A63A16738CDD410E203AC0B4A7A1E9B24F902E3260E957CBB904926868E538266075B29F77FF9114EFAE2049FCAD401548D1023161195EB897EFAD77B7649A7ABF5FC113EF9B62FB0D6CE0546916A903DA6EE983937176C6698582170203010001A3423040300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E041604148FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC300D06092A864886F70D01010B050003820101004B40DBC050AAFEC80CEFF796544549BB96000941ACB3138686280733CA6BE674B9BA002DAEA40AD3F5F1F10F8ABF73674A83C7447B78E0AF6E6C6F03298E333945C38EE4B9576CAAFC1296EC53C62DE4246CB99463FBDC536867563E83B8CF3521C3C968FECEDAC253AACC908AE9F05D468C95DD7A58281A2F1DDECD0037418FED446DD75328977EF367041E15D78A96B4D3DE4C27A44C1B737376F41799C21F7A0EE32D08AD0A1C2CFF3CAB550E0F917E36EBC35749BEE12E2D7C608BC3415113239DCEF7326B9401A899E72C331F3A3B25D28640CE3B2C8678C9612F14BAEEDB556FDF84EE05094DBD28D872CED36250651EEB92978331D9B3B5CA47583F5F | |||
| (PID) Process: | (2088) 4363463463464363463463463.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD |
| Operation: | write | Name: | Blob |
Value: 040000000100000010000000C5DFB849CA051355EE2DBA1AC33EB028090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B060105050703080F00000001000000200000005229BA15B31B0C6F4CCA89C2985177974327D1B689A3B935A0BD975532AF22AB030000000100000014000000D69B561148F01C77C54578C10926DF5B856976AD1D000000010000001000000001728E1ECF7A9D86FB3CEC8948ABA9531400000001000000140000008FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC620000000100000020000000CBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B0B000000010000003000000047006C006F00620061006C005300690067006E00200052006F006F00740020004300410020002D002000520033000000190000000100000010000000D0FD3C9C380D7B65E26B9A3FEDD39B8F530000000100000040000000303E301F06092B06010401A032010130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C02000000001000000630300003082035F30820247A003020102020B04000000000121585308A2300D06092A864886F70D01010B0500304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E301E170D3039303331383130303030305A170D3239303331383130303030305A304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E30820122300D06092A864886F70D01010105000382010F003082010A0282010100CC2576907906782216F5C083B684CA289EFD057611C5AD8872FC460243C7B28A9D045F24CB2E4BE1608246E152AB0C8147706CDD64D1EBF52CA30F823D0C2BAE97D7B614861079BB3B1380778C08E149D26A622F1F5EFA9668DF892795389F06D73EC9CB26590D73DEB0C8E9260E8315C6EF5B8BD20460CA49A628F6693BF6CBC82891E59D8A615737AC7414DC74E03AEE722F2E9CFBD0BBBFF53D00E10633E8822BAE53A63A16738CDD410E203AC0B4A7A1E9B24F902E3260E957CBB904926868E538266075B29F77FF9114EFAE2049FCAD401548D1023161195EB897EFAD77B7649A7ABF5FC113EF9B62FB0D6CE0546916A903DA6EE983937176C6698582170203010001A3423040300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E041604148FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC300D06092A864886F70D01010B050003820101004B40DBC050AAFEC80CEFF796544549BB96000941ACB3138686280733CA6BE674B9BA002DAEA40AD3F5F1F10F8ABF73674A83C7447B78E0AF6E6C6F03298E333945C38EE4B9576CAAFC1296EC53C62DE4246CB99463FBDC536867563E83B8CF3521C3C968FECEDAC253AACC908AE9F05D468C95DD7A58281A2F1DDECD0037418FED446DD75328977EF367041E15D78A96B4D3DE4C27A44C1B737376F41799C21F7A0EE32D08AD0A1C2CFF3CAB550E0F917E36EBC35749BEE12E2D7C608BC3415113239DCEF7326B9401A899E72C331F3A3B25D28640CE3B2C8678C9612F14BAEEDB556FDF84EE05094DBD28D872CED36250651EEB92978331D9B3B5CA47583F5F | |||
| (PID) Process: | (2088) 4363463463464363463463463.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2088) 4363463463464363463463463.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2088) 4363463463464363463463463.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2088) 4363463463464363463463463.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (1504) syncUpd.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (1504) syncUpd.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (1504) syncUpd.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
Executable files
1 079
Suspicious files
323
Text files
601
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2088 | 4363463463464363463463463.exe | C:\Users\admin\Desktop\Files\test1.exe | executable | |
MD5:962824CCA80E5383661A072B452812EF | SHA256:756C48B8E22D22EAF24AD8C69928BCF1CBB08E63EF897EAC21366F4F6BD2C403 | |||
| 2052 | adobe.tmp | C:\Users\admin\AppData\Local\Temp\is-C3D9M.tmp\_isetup\_iscrypt.dll | executable | |
MD5:A69559718AB506675E907FE49DEB71E9 | SHA256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC | |||
| 2088 | 4363463463464363463463463.exe | C:\Users\admin\Desktop\Files\syncUpd.exe | executable | |
MD5:848578241A7E624F7EF0A8EF58EA5FCF | SHA256:CBD75F8A4DCEBEB2121D60D1A83724797ADF6864FBFE5693B9FB15CC6AB63A83 | |||
| 2052 | adobe.tmp | C:\Users\admin\AppData\Local\Temp\is-C3D9M.tmp\_isetup\_shfoldr.dll | executable | |
MD5:92DC6EF532FBB4A5C3201469A5B5EB63 | SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 | |||
| 2052 | adobe.tmp | C:\Users\admin\AppData\Local\CURL Protection Std LIB\bin\x86\is-QEK5K.tmp | executable | |
MD5:F0F973781B6A66ADF354B04A36C5E944 | SHA256:04AB613C895B35044AF8A9A98A372A5769C80245CC9D6BF710A94C5BC42FA1B3 | |||
| 2052 | adobe.tmp | C:\Users\admin\AppData\Local\CURL Protection Std LIB\bin\x86\bassmix.dll | executable | |
MD5:8EE91149989D50DFCF9DAD00DF87C9B0 | SHA256:3030E22F4A854E11A8AA2128991E4867CA1DF33BC7B9AFF76A5E6DEEF56927F6 | |||
| 2052 | adobe.tmp | C:\Users\admin\AppData\Local\Temp\is-C3D9M.tmp\_isetup\_isdecmp.dll | executable | |
MD5:3ADAA386B671C2DF3BAE5B39DC093008 | SHA256:71CD2F5BC6E13B8349A7C98697C6D2E3FCDEEA92699CEDD591875BEA869FAE38 | |||
| 2052 | adobe.tmp | C:\Users\admin\AppData\Local\Temp\is-C3D9M.tmp\_isetup\_RegDLL.tmp | executable | |
MD5:0EE914C6F0BB93996C75941E1AD629C6 | SHA256:4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2 | |||
| 2052 | adobe.tmp | C:\Users\admin\AppData\Local\CURL Protection Std LIB\bin\x86\is-GTIQB.tmp | executable | |
MD5:9FF783BB73F8868FA6599CDE65ED21D7 | SHA256:E0234AF5F71592C472439536E710BA8105D62DFA68722965DF87FED50BAB1816 | |||
| 2052 | adobe.tmp | C:\Users\admin\AppData\Local\CURL Protection Std LIB\bin\x86\is-LGULF.tmp | executable | |
MD5:4E35BA785CD3B37A3702E577510F39E3 | SHA256:0AFE688B6FCA94C69780F454BE65E12D616C6E6376E80C5B3835E3FA6DE3EB8A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
338
TCP/UDP connections
1 309
DNS requests
423
Threats
983
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2088 | 4363463463464363463463463.exe | GET | 200 | 77.91.68.21:80 | http://77.91.68.21/lend/test1.exe | unknown | executable | 8.06 Mb | unknown |
2088 | 4363463463464363463463463.exe | GET | 200 | 5.42.64.35:80 | http://5.42.64.35/syncUpd.exe | unknown | executable | 314 Kb | unknown |
1504 | syncUpd.exe | POST | 200 | 185.172.128.79:80 | http://185.172.128.79/3886d2276f6914c4.php | unknown | text | 8 b | unknown |
2088 | 4363463463464363463463463.exe | GET | 200 | 61.54.7.111:80 | http://d1.udashi.com/soft/wlyy/16396/jxszdjp.exe | unknown | executable | 1023 Kb | unknown |
2088 | 4363463463464363463463463.exe | GET | 200 | 188.114.96.3:80 | http://zen.topteamlife.com/order/adobe.exe | unknown | executable | 4.79 Mb | unknown |
2540 | 4363463463464363463463463.exe | GET | 200 | 195.20.16.153:80 | http://195.20.16.153/svchost.exe | unknown | executable | 322 Kb | unknown |
2292 | 4363463463464363463463463.exe | GET | 200 | 44.203.122.41:80 | http://44.203.122.41/Archevod_XWorm.exe | unknown | executable | 114 Kb | unknown |
2760 | 4363463463464363463463463.exe | GET | 200 | 77.91.68.21:80 | http://77.91.68.21/lend/ajajjajajaj.exe | unknown | executable | 2.31 Mb | unknown |
2540 | 4363463463464363463463463.exe | GET | 200 | 185.172.128.19:80 | http://185.172.128.19/newrock.exe | unknown | executable | 20.6 Mb | unknown |
2292 | 4363463463464363463463463.exe | GET | 200 | 41.185.8.154:80 | http://wispafoods.com/BestSoftware.exe | unknown | executable | 1.36 Mb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2088 | 4363463463464363463463463.exe | 151.101.2.49:443 | urlhaus.abuse.ch | FASTLY | US | unknown |
2088 | 4363463463464363463463463.exe | 5.42.64.35:80 | — | CJSC Kolomna-Sviaz TV | RU | unknown |
2088 | 4363463463464363463463463.exe | 188.114.97.3:443 | frezzyhook.com | CLOUDFLARENET | NL | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2088 | 4363463463464363463463463.exe | 123.100.226.69:443 | pn-raha.go.id | PT. EXABYTES NETWORK INDONESIA | MY | unknown |
2088 | 4363463463464363463463463.exe | 77.91.68.21:80 | — | Foton Telecom CJSC | RU | unknown |
1504 | syncUpd.exe | 185.172.128.79:80 | — | OOO Nadym Svyaz Service | RU | malicious |
2088 | 4363463463464363463463463.exe | 188.114.96.3:80 | frezzyhook.com | CLOUDFLARENET | NL | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
urlhaus.abuse.ch |
| whitelisted |
frezzyhook.com |
| malicious |
pn-raha.go.id |
| malicious |
zen.topteamlife.com |
| malicious |
stoon.hitsturbo.com |
| malicious |
d1.udashi.com |
| malicious |
github.com |
| shared |
raw.githubusercontent.com |
| shared |
wispafoods.com |
| malicious |
hendersonk1.hopto.org |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2088 | 4363463463464363463463463.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent |
2088 | 4363463463464363463463463.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
2088 | 4363463463464363463463463.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2088 | 4363463463464363463463463.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2088 | 4363463463464363463463463.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
2088 | 4363463463464363463463463.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent |
2088 | 4363463463464363463463463.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
2088 | 4363463463464363463463463.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2088 | 4363463463464363463463463.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2088 | 4363463463464363463463463.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
45 ETPRO signatures available at the full report
Process | Message |
|---|---|
4363463463464363463463463.exe | The specified executable is not a valid application for this OS platform.
|
4363463463464363463463463.exe | The request was aborted: Could not create SSL/TLS secure channel.
|
4363463463464363463463463.exe | The specified executable is not a valid application for this OS platform.
|
4363463463464363463463463.exe | An exception occurred during a WebClient request.
|
4363463463464363463463463.exe | The specified executable is not a valid application for this OS platform.
|
4363463463464363463463463.exe | The request was aborted: Could not create SSL/TLS secure channel.
|
4363463463464363463463463.exe | The specified executable is not a valid application for this OS platform.
|
4363463463464363463463463.exe | The specified executable is not a valid application for this OS platform.
|
4363463463464363463463463.exe | The specified executable is not a valid application for this OS platform.
|
4363463463464363463463463.exe | The specified executable is not a valid application for this OS platform.
|