| File name: | 4363463463464363463463463.exe |
| Full analysis: | https://app.any.run/tasks/73e46413-8d89-4c3d-8b25-7c0806df6587 |
| Verdict: | Malicious activity |
| Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
| Analysis date: | April 17, 2024, 13:48:36 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 2A94F3960C58C6E70826495F76D00B85 |
| SHA1: | E2A1A5641295F5EBF01A37AC1C170AC0814BB71A |
| SHA256: | 2FCAD226B17131DA4274E1B9F8F31359BDD325C9568665F08FD1F6C5D06A23CE |
| SSDEEP: | 192:2we8sGKE6MqyG7c20L7BIW12n/ePSmzkTInu8stYcFwVc03KY:9e8sGKfMqyGg20PKn/cRaInuptYcFwVY |
MALICIOUS
HAUSBOMBER has been detected (YARA)
- 4363463463464363463463463.exe (PID: 3108)
- 4363463463464363463463463.exe (PID: 2888)
- 4363463463464363463463463.exe (PID: 2160)
- 4363463463464363463463463.exe (PID: 3668)
- 4363463463464363463463463.exe (PID: 3420)
- 4363463463464363463463463.exe (PID: 1776)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2332)
- 4363463463464363463463463.exe (PID: 2408)
- 4363463463464363463463463.exe (PID: 3460)
- 4363463463464363463463463.exe (PID: 560)
- 4363463463464363463463463.exe (PID: 2992)
- 4363463463464363463463463.exe (PID: 2060)
- 4363463463464363463463463.exe (PID: 3924)
- 4363463463464363463463463.exe (PID: 1860)
- 4363463463464363463463463.exe (PID: 3272)
- 4363463463464363463463463.exe (PID: 3696)
- 4363463463464363463463463.exe (PID: 2016)
- 4363463463464363463463463.exe (PID: 4180)
Drops the executable file immediately after the start
- 4363463463464363463463463.exe (PID: 3108)
- 4363463463464363463463463.exe (PID: 2888)
- xeno.exe (PID: 3776)
- 4363463463464363463463463.exe (PID: 1776)
- 4363463463464363463463463.exe (PID: 3420)
- 4363463463464363463463463.exe (PID: 2160)
- 4363463463464363463463463.exe (PID: 2332)
- _vti_cnf.exe (PID: 3764)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2408)
- 4363463463464363463463463.exe (PID: 560)
- Client.exe (PID: 3016)
- 4363463463464363463463463.exe (PID: 2992)
- ISetup8.exe (PID: 3384)
- 4363463463464363463463463.exe (PID: 4180)
- 4363463463464363463463463.exe (PID: 3924)
- 4363463463464363463463463.exe (PID: 3696)
- 4363463463464363463463463.exe (PID: 3668)
- tpeinf.exe (PID: 5192)
- 4363463463464363463463463.exe (PID: 3272)
- 2474327058.exe (PID: 5484)
- 4363463463464363463463463.exe (PID: 1860)
- ISetup5.exe (PID: 5740)
- 4363463463464363463463463.exe (PID: 3460)
- peinf.exe (PID: 4820)
- yhdl.exe (PID: 5764)
- conhost.exe (PID: 5340)
- cacd6bf810543a9d46c9b104dfd72778.exe (PID: 5108)
- svchost.exe (PID: 1556)
- 503713659.exe (PID: 5836)
- cmon.exe (PID: 5580)
- 4363463463464363463463463.exe (PID: 2016)
- pei.exe (PID: 6752)
- 4363463463464363463463463.exe (PID: 2060)
- RegAsm.exe (PID: 6892)
- Pac-Man.exe (PID: 6920)
- asdfg.exe (PID: 7000)
- BLHisbnd.exe (PID: 7200)
- MartDrum.exe (PID: 7680)
- IjerkOff.exe (PID: 7628)
- amad.exe (PID: 8124)
- RegAsm.exe (PID: 6176)
- cmd.exe (PID: 6768)
- Fighting.pif (PID: 2480)
- Project_8.exe (PID: 3780)
- agentDllDhcp.exe (PID: 5660)
- WeGameMiniLoader.std.5.12.21.1022.exe (PID: 7136)
- hv.exe (PID: 7544)
- 288c47bbc1871b439df19ff4df68f00076.exe (PID: 4708)
- twztl.exe (PID: 6980)
- small.exe (PID: 7432)
- Amdau.exe (PID: 7820)
- amadycry.exe (PID: 6248)
- NINJA.exe (PID: 7468)
- random.exe (PID: 5720)
- amert.exe (PID: 5280)
- RegAsm.exe (PID: 7348)
- sunset1.exe (PID: 4676)
- pinf.exe (PID: 2240)
- timeSync.exe (PID: 5860)
- green.exe (PID: 5052)
- 1003b.exe (PID: 8308)
XenoRAT has been detected (FILE)
- xeno.exe (PID: 3776)
- xeno.exe (PID: 1348)
Creates a writable file in the system directory
- _vti_cnf.exe (PID: 3764)
- agentDllDhcp.exe (PID: 5660)
Changes the login/logoff helper path in the registry
- _vti_cnf.exe (PID: 3764)
Changes the autorun value in the registry
- _vti_cnf.exe (PID: 3764)
- 23.exe (PID: 4280)
- 2474327058.exe (PID: 5484)
- 503713659.exe (PID: 5836)
- cmon.exe (PID: 5580)
- amad.exe (PID: 8124)
- RegAsm.exe (PID: 6176)
- twztl.exe (PID: 6980)
- NewB.exe (PID: 6628)
- amadycry.exe (PID: 6248)
- random.exe (PID: 5720)
- NINJA.exe (PID: 7468)
Starts CMD.EXE for self-deleting
- Ledger-Live.exe (PID: 3780)
Uses Task Scheduler to autorun other applications
- cmd.exe (PID: 3832)
- RegAsm.exe (PID: 6176)
- random.exe (PID: 5720)
XENORAT has been detected (YARA)
- xeno.exe (PID: 1348)
Changes the Windows auto-update feature
- 2474327058.exe (PID: 5484)
- RegAsm.exe (PID: 6176)
Run PowerShell with an invisible window
- powershell.exe (PID: 5024)
- powershell.exe (PID: 4328)
- powershell.exe (PID: 7808)
- powershell.exe (PID: 6828)
Creates or modifies Windows services
- 2474327058.exe (PID: 5484)
Changes appearance of the Explorer extensions
- 2474327058.exe (PID: 5484)
Changes Security Center notification settings
- 2474327058.exe (PID: 5484)
- 503713659.exe (PID: 5836)
- twztl.exe (PID: 6980)
Uses AES cipher (POWERSHELL)
- powershell.exe (PID: 6120)
- powershell.exe (PID: 5768)
Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)
- powershell.exe (PID: 6120)
- powershell.exe (PID: 5768)
Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)
- powershell.exe (PID: 6120)
- powershell.exe (PID: 5768)
GCLEANER has been detected (SURICATA)
- ISetup8.exe (PID: 3384)
- ISetup5.exe (PID: 5740)
- ISetup10.exe (PID: 3256)
- ISetup4.exe (PID: 7160)
Actions looks like stealing of personal data
- xeno.exe (PID: 1348)
- RegAsm.exe (PID: 1268)
- crypted.exe (PID: 3016)
- fate.exe (PID: 6960)
- dialer.exe (PID: 7296)
Steals credentials
- xeno.exe (PID: 1348)
- timeSync.exe (PID: 5860)
Steals credentials from Web Browsers
- RegAsm.exe (PID: 1268)
- fate.exe (PID: 6960)
STEALC has been detected (SURICATA)
- u2m0.0.exe (PID: 4172)
- u4fg.0.exe (PID: 2640)
- timeSync.exe (PID: 5860)
Connects to the CnC server
- u2m0.0.exe (PID: 4172)
- xeno.exe (PID: 1348)
- u4fg.0.exe (PID: 2640)
- fate.exe (PID: 6960)
- 2474327058.exe (PID: 5484)
- control.exe (PID: 7536)
- amad.exe (PID: 8124)
- twztl.exe (PID: 6980)
- propro.exe (PID: 2756)
- timeSync.exe (PID: 5860)
- FGwmr.exe (PID: 5852)
ASYNCRAT has been detected (YARA)
- system.exe (PID: 4252)
- strt.exe (PID: 4132)
- powershell.exe (PID: 5768)
LAPLASCLIPPER has been detected (YARA)
- svcservice.exe (PID: 6072)
LUMMA has been detected (YARA)
- crypted.exe (PID: 3016)
- AppLaunch.exe (PID: 5268)
XENORAT has been detected (SURICATA)
- xeno.exe (PID: 1348)
REDLINE has been detected (YARA)
- RegAsm.exe (PID: 1636)
- RegAsm.exe (PID: 5320)
- fate.exe (PID: 6960)
- RegAsm.exe (PID: 6892)
Create files in the Startup directory
- dllhost.exe (PID: 4720)
- cmd.exe (PID: 2968)
- Amdau.exe (PID: 7820)
XWORM has been detected (YARA)
- svchost.exe (PID: 1556)
LUMMA has been detected (SURICATA)
- AppLaunch.exe (PID: 5268)
RISEPRO has been detected (YARA)
- RegAsm.exe (PID: 6176)
Bypass execution policy to execute commands
- powershell.exe (PID: 7808)
- powershell.exe (PID: 6828)
- powershell.exe (PID: 7688)
- powershell.exe (PID: 4948)
- powershell.exe (PID: 8392)
QUASAR has been detected (YARA)
- control.exe (PID: 7536)
Antivirus name has been found in the command line (generic signature)
- findstr.exe (PID: 3220)
- findstr.exe (PID: 7124)
ASYNCRAT has been detected (SURICATA)
- powershell.exe (PID: 5768)
- control.exe (PID: 7536)
- asyns.exe (PID: 7488)
REDLINE has been detected (SURICATA)
- fate.exe (PID: 6960)
- trust12344.exe (PID: 4384)
- propro.exe (PID: 2756)
Uses sleep, probably for evasion detection (SCRIPT)
- wscript.exe (PID: 6284)
UAC/LUA settings modification
- wefhrf.exe (PID: 7308)
Adds process to the Windows Defender exclusion list
- wefhrf.exe (PID: 7308)
- build6_unencrypted.exe (PID: 3144)
Generic malware mutex has been detected
- hv.exe (PID: 7544)
RHADAMANTHYS has been detected (SURICATA)
- dialer.exe (PID: 7296)
Amadey has been detected
- NewB.exe (PID: 6628)
Changes powershell execution policy (Bypass)
- build6_unencrypted.exe (PID: 3144)
- BrawlB0t.exe (PID: 6312)
Adds path to the Windows Defender exclusion list
- build6_unencrypted.exe (PID: 3144)
- BrawlB0t.exe (PID: 6312)
QUASAR has been detected (SURICATA)
- control.exe (PID: 7536)
RISEPRO has been detected (SURICATA)
- RegAsm.exe (PID: 6176)
- random.exe (PID: 5720)
- sarra.exe (PID: 3076)
AMADEY has been detected (SURICATA)
- amad.exe (PID: 8124)
- NewB.exe (PID: 6628)
- amadycry.exe (PID: 6744)
DCRAT has been detected (SURICATA)
- taskeng.exe (PID: 5492)
Runs injected code in another process
- powershell.EXE (PID: 4280)
Application was injected by another process
- dllhost.exe (PID: 8252)
PHISHING has been detected (SURICATA)
- 4363463463464363463463463.exe (PID: 3460)
AZORULT has been detected (SURICATA)
- FGwmr.exe (PID: 5852)
SUSPICIOUS
Reads settings of System Certificates
- 4363463463464363463463463.exe (PID: 3108)
- 4363463463464363463463463.exe (PID: 2160)
- 4363463463464363463463463.exe (PID: 2888)
- 4363463463464363463463463.exe (PID: 3668)
- 4363463463464363463463463.exe (PID: 3420)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 1776)
- 4363463463464363463463463.exe (PID: 2332)
- 4363463463464363463463463.exe (PID: 2408)
- 4363463463464363463463463.exe (PID: 3460)
- 4363463463464363463463463.exe (PID: 560)
- 4363463463464363463463463.exe (PID: 2992)
- 4363463463464363463463463.exe (PID: 2060)
- 4363463463464363463463463.exe (PID: 3924)
- 4363463463464363463463463.exe (PID: 3272)
- 4363463463464363463463463.exe (PID: 1860)
- 4363463463464363463463463.exe (PID: 3696)
- 4363463463464363463463463.exe (PID: 2016)
- 4363463463464363463463463.exe (PID: 4180)
- system.exe (PID: 4252)
- 炎黄大陆.exe (PID: 296)
- USA123.exe (PID: 4520)
- control.exe (PID: 7536)
- RegAsm.exe (PID: 6176)
- RegAsm.exe (PID: 4604)
- RegAsm.exe (PID: 5284)
- jsc.exe (PID: 5184)
Adds/modifies Windows certificates
- 4363463463464363463463463.exe (PID: 3108)
- 4363463463464363463463463.exe (PID: 3668)
- 4363463463464363463463463.exe (PID: 3420)
- 4363463463464363463463463.exe (PID: 2408)
Reads the Internet Settings
- 4363463463464363463463463.exe (PID: 3108)
- 4363463463464363463463463.exe (PID: 2888)
- 4363463463464363463463463.exe (PID: 2160)
- 4363463463464363463463463.exe (PID: 3668)
- 4363463463464363463463463.exe (PID: 3420)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 1776)
- 4363463463464363463463463.exe (PID: 2332)
- 4363463463464363463463463.exe (PID: 2408)
- xeno.exe (PID: 3776)
- 4363463463464363463463463.exe (PID: 3460)
- Client.exe (PID: 3016)
- 4363463463464363463463463.exe (PID: 560)
- RegAsm.exe (PID: 1268)
- Ledger-Live.exe (PID: 3780)
- powershell.exe (PID: 3440)
- _vti_cnf.exe (PID: 3764)
- 4363463463464363463463463.exe (PID: 2992)
- 4363463463464363463463463.exe (PID: 2060)
- 4363463463464363463463463.exe (PID: 3924)
- 4363463463464363463463463.exe (PID: 1860)
- 4363463463464363463463463.exe (PID: 3272)
- 4363463463464363463463463.exe (PID: 3696)
- QQ.exe (PID: 3756)
- 4363463463464363463463463.exe (PID: 2016)
- ISetup8.exe (PID: 3384)
- 4363463463464363463463463.exe (PID: 4180)
- system.exe (PID: 4252)
- go.exe (PID: 4320)
- u2m0.0.exe (PID: 4172)
- powershell.exe (PID: 5772)
- 23.exe (PID: 4280)
- tpeinf.exe (PID: 5192)
- %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 5540)
- svcservice.exe (PID: 6072)
- JSIDBWSJK.exe (PID: 4616)
- peinf.exe (PID: 4820)
- powershell.exe (PID: 6120)
- powershell.exe (PID: 5724)
- powershell.exe (PID: 4888)
- AppLaunch.exe (PID: 5268)
- yhdl.exe (PID: 5764)
- 2474327058.exe (PID: 5484)
- powershell.exe (PID: 5768)
- ISetup5.exe (PID: 5740)
- powershell.exe (PID: 5800)
- powershell.exe (PID: 2136)
- u4fg.0.exe (PID: 2640)
- powershell.exe (PID: 6032)
- 炎黄大陆.exe (PID: 296)
- conhost.exe (PID: 5340)
- cmd.exe (PID: 2248)
- svchost.exe (PID: 1556)
- VLTKBacdau.exe (PID: 3052)
- 503713659.exe (PID: 5836)
- USA123.exe (PID: 4520)
- u2m0.1.exe (PID: 6296)
- pei.exe (PID: 6752)
- RegAsm.exe (PID: 6892)
- asdfg.exe (PID: 7000)
- MartDrum.exe (PID: 7680)
- control.exe (PID: 7536)
- IjerkOff.exe (PID: 7628)
- amad.exe (PID: 8124)
- powershell.exe (PID: 7808)
- RegAsm.exe (PID: 6176)
- wscript.exe (PID: 6284)
- wefhrf.exe (PID: 7308)
- powershell.exe (PID: 7588)
- agentDllDhcp.exe (PID: 5660)
- jsc.exe (PID: 5432)
- 288c47bbc1871b439df19ff4df68f00076.exe (PID: 4708)
- powershell.exe (PID: 6828)
- RegAsm.exe (PID: 4604)
- taskeng.exe (PID: 5492)
- NewB.exe (PID: 6628)
- amadycry.exe (PID: 6744)
- twztl.exe (PID: 6980)
- small.exe (PID: 7432)
- build6_unencrypted.exe (PID: 3144)
- RegAsm.exe (PID: 5284)
- PCclear_Eng_mini.exe (PID: 6772)
- powershell.exe (PID: 7688)
- jsc.exe (PID: 5184)
- powershell.exe (PID: 4948)
Executable content was dropped or overwritten
- 4363463463464363463463463.exe (PID: 1776)
- xeno.exe (PID: 3776)
- 4363463463464363463463463.exe (PID: 3420)
- 4363463463464363463463463.exe (PID: 2160)
- _vti_cnf.exe (PID: 3764)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2408)
- Client.exe (PID: 3016)
- 4363463463464363463463463.exe (PID: 2992)
- ISetup8.exe (PID: 3384)
- 4363463463464363463463463.exe (PID: 3108)
- 4363463463464363463463463.exe (PID: 4180)
- 4363463463464363463463463.exe (PID: 3924)
- 4363463463464363463463463.exe (PID: 3668)
- 4363463463464363463463463.exe (PID: 3696)
- 4363463463464363463463463.exe (PID: 3272)
- tpeinf.exe (PID: 5192)
- 2474327058.exe (PID: 5484)
- 4363463463464363463463463.exe (PID: 1860)
- ISetup5.exe (PID: 5740)
- 4363463463464363463463463.exe (PID: 3460)
- peinf.exe (PID: 4820)
- yhdl.exe (PID: 5764)
- conhost.exe (PID: 5340)
- cacd6bf810543a9d46c9b104dfd72778.exe (PID: 5108)
- svchost.exe (PID: 1556)
- 503713659.exe (PID: 5836)
- 4363463463464363463463463.exe (PID: 560)
- dllhost.exe (PID: 4720)
- 4363463463464363463463463.exe (PID: 2016)
- cmon.exe (PID: 5580)
- 4363463463464363463463463.exe (PID: 2060)
- pei.exe (PID: 6752)
- Pac-Man.exe (PID: 6920)
- RegAsm.exe (PID: 6892)
- asdfg.exe (PID: 7000)
- BLHisbnd.exe (PID: 7200)
- MartDrum.exe (PID: 7680)
- IjerkOff.exe (PID: 7628)
- RegAsm.exe (PID: 6176)
- amad.exe (PID: 8124)
- cmd.exe (PID: 6768)
- 4363463463464363463463463.exe (PID: 2888)
- Fighting.pif (PID: 2480)
- Project_8.exe (PID: 3780)
- agentDllDhcp.exe (PID: 5660)
- 4363463463464363463463463.exe (PID: 2332)
- WeGameMiniLoader.std.5.12.21.1022.exe (PID: 7136)
- hv.exe (PID: 7544)
- 288c47bbc1871b439df19ff4df68f00076.exe (PID: 4708)
- small.exe (PID: 7432)
- twztl.exe (PID: 6980)
- Amdau.exe (PID: 7820)
- amadycry.exe (PID: 6248)
- NINJA.exe (PID: 7468)
- random.exe (PID: 5720)
- amert.exe (PID: 5280)
- RegAsm.exe (PID: 7348)
- clip.exe (PID: 7820)
- dialer.exe (PID: 7296)
- sunset1.exe (PID: 4676)
- pinf.exe (PID: 2240)
- timeSync.exe (PID: 5860)
- green.exe (PID: 5052)
- 1003b.exe (PID: 8308)
Reads security settings of Internet Explorer
- 4363463463464363463463463.exe (PID: 1776)
- 4363463463464363463463463.exe (PID: 3420)
- xeno.exe (PID: 3776)
- 4363463463464363463463463.exe (PID: 2332)
- 4363463463464363463463463.exe (PID: 2160)
- 4363463463464363463463463.exe (PID: 3108)
- Client.exe (PID: 3016)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2408)
- _vti_cnf.exe (PID: 3764)
- Ledger-Live.exe (PID: 3780)
- 4363463463464363463463463.exe (PID: 2992)
- QQ.exe (PID: 3756)
- ISetup8.exe (PID: 3384)
- system.exe (PID: 4252)
- u2m0.0.exe (PID: 4172)
- 4363463463464363463463463.exe (PID: 4180)
- 4363463463464363463463463.exe (PID: 3924)
- 23.exe (PID: 4280)
- 4363463463464363463463463.exe (PID: 3696)
- 4363463463464363463463463.exe (PID: 3668)
- tpeinf.exe (PID: 5192)
- svcservice.exe (PID: 6072)
- 4363463463464363463463463.exe (PID: 3272)
- JSIDBWSJK.exe (PID: 4616)
- peinf.exe (PID: 4820)
- AppLaunch.exe (PID: 5268)
- 4363463463464363463463463.exe (PID: 1860)
- 2474327058.exe (PID: 5484)
- yhdl.exe (PID: 5764)
- 4363463463464363463463463.exe (PID: 2888)
- ISetup5.exe (PID: 5740)
- 4363463463464363463463463.exe (PID: 3460)
- u4fg.0.exe (PID: 2640)
- 炎黄大陆.exe (PID: 296)
- 4363463463464363463463463.exe (PID: 560)
- conhost.exe (PID: 5340)
- svchost.exe (PID: 1556)
- 503713659.exe (PID: 5836)
- USA123.exe (PID: 4520)
- 4363463463464363463463463.exe (PID: 2016)
- 4363463463464363463463463.exe (PID: 2060)
- RegAsm.exe (PID: 6892)
- asdfg.exe (PID: 7000)
- MartDrum.exe (PID: 7680)
- IjerkOff.exe (PID: 7628)
- amad.exe (PID: 8124)
- RegAsm.exe (PID: 6176)
- wefhrf.exe (PID: 7308)
- agentDllDhcp.exe (PID: 5660)
- jsc.exe (PID: 5432)
- 288c47bbc1871b439df19ff4df68f00076.exe (PID: 4708)
- RegAsm.exe (PID: 4604)
- NewB.exe (PID: 6628)
- amadycry.exe (PID: 6744)
- small.exe (PID: 7432)
- build6_unencrypted.exe (PID: 3144)
- PCclear_Eng_mini.exe (PID: 6772)
- twztl.exe (PID: 6980)
Starts itself from another location
- xeno.exe (PID: 3776)
- 23.exe (PID: 4280)
- 2474327058.exe (PID: 5484)
- RegAsm.exe (PID: 6176)
- clip.exe (PID: 7820)
- green.exe (PID: 5052)
The process creates files with name similar to system file names
- _vti_cnf.exe (PID: 3764)
- 4363463463464363463463463.exe (PID: 560)
- Client.exe (PID: 3016)
- 4363463463464363463463463.exe (PID: 3420)
- svchost.exe (PID: 1556)
- agentDllDhcp.exe (PID: 5660)
- NINJA.exe (PID: 7468)
Starts CMD.EXE for commands execution
- _vti_cnf.exe (PID: 3764)
- Client.exe (PID: 3016)
- Ledger-Live.exe (PID: 3780)
- system.exe (PID: 4252)
- JSIDBWSJK.exe (PID: 4616)
- cmd.exe (PID: 4540)
- cmd.exe (PID: 6048)
- powershell.exe (PID: 6120)
- cmd.exe (PID: 1808)
- cmd.exe (PID: 1020)
- conhost.exe (PID: 5340)
- USA123.exe (PID: 4520)
- MartDrum.exe (PID: 7680)
- cmd.exe (PID: 8092)
- cmd.exe (PID: 6260)
- wscript.exe (PID: 6284)
- agentDllDhcp.exe (PID: 5660)
- NINJA.exe (PID: 7468)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 2560)
- cmd.exe (PID: 4292)
- cmd.exe (PID: 6048)
- powershell.exe (PID: 6120)
- cmd.exe (PID: 1020)
- powershell.exe (PID: 5768)
- wefhrf.exe (PID: 7308)
- build6_unencrypted.exe (PID: 3144)
- BrawlB0t.exe (PID: 6312)
Probably download files using WebClient
- cmd.exe (PID: 2560)
- cmd.exe (PID: 4292)
Hides command output
- cmd.exe (PID: 2016)
Connects to the server without a host name
- 4363463463464363463463463.exe (PID: 3108)
- 4363463463464363463463463.exe (PID: 2408)
- 4363463463464363463463463.exe (PID: 2888)
- 4363463463464363463463463.exe (PID: 3460)
- 4363463463464363463463463.exe (PID: 560)
- 4363463463464363463463463.exe (PID: 3420)
- 4363463463464363463463463.exe (PID: 4180)
- 4363463463464363463463463.exe (PID: 2096)
- ISetup8.exe (PID: 3384)
- 4363463463464363463463463.exe (PID: 2016)
- 4363463463464363463463463.exe (PID: 3668)
- 4363463463464363463463463.exe (PID: 3272)
- ISetup5.exe (PID: 5740)
- 4363463463464363463463463.exe (PID: 2160)
- 4363463463464363463463463.exe (PID: 2332)
- 4363463463464363463463463.exe (PID: 1776)
- 4363463463464363463463463.exe (PID: 2060)
- 4363463463464363463463463.exe (PID: 3924)
Process requests binary or script from the Internet
- 4363463463464363463463463.exe (PID: 3108)
- 4363463463464363463463463.exe (PID: 2408)
- 4363463463464363463463463.exe (PID: 3460)
- 4363463463464363463463463.exe (PID: 2888)
- 4363463463464363463463463.exe (PID: 560)
- 4363463463464363463463463.exe (PID: 3420)
- 4363463463464363463463463.exe (PID: 4180)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2016)
- ISetup8.exe (PID: 3384)
- 4363463463464363463463463.exe (PID: 2992)
- 4363463463464363463463463.exe (PID: 2060)
- 4363463463464363463463463.exe (PID: 3696)
- 4363463463464363463463463.exe (PID: 3924)
- 4363463463464363463463463.exe (PID: 3668)
- 4363463463464363463463463.exe (PID: 3272)
- ISetup5.exe (PID: 5740)
- 4363463463464363463463463.exe (PID: 2160)
- 4363463463464363463463463.exe (PID: 2332)
- 4363463463464363463463463.exe (PID: 1776)
Creates or modifies Windows services
- _vti_cnf.exe (PID: 3764)
- 2474327058.exe (PID: 5484)
Executing commands from a ".bat" file
- Client.exe (PID: 3016)
- JSIDBWSJK.exe (PID: 4616)
- cmd.exe (PID: 6048)
- cmd.exe (PID: 4540)
- conhost.exe (PID: 5340)
- wscript.exe (PID: 6284)
- agentDllDhcp.exe (PID: 5660)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 3592)
The executable file from the user directory is run by the CMD process
- system.exe (PID: 4252)
- Fighting.pif (PID: 2480)
Windows Defender mutex has been found
- u2m0.0.exe (PID: 4172)
- u4fg.0.exe (PID: 2640)
- RegAsm.exe (PID: 4128)
The Powershell connects to the Internet
- powershell.exe (PID: 3440)
- powershell.exe (PID: 5772)
- powershell.exe (PID: 5768)
Unusual connection from system programs
- powershell.exe (PID: 3440)
- powershell.exe (PID: 5772)
- powershell.exe (PID: 5768)
Creates file in the systems drive root
- %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 5540)
Connects to unusual port
- 4363463463464363463463463.exe (PID: 2992)
- QQ.exe (PID: 3756)
- xeno.exe (PID: 1348)
- system.exe (PID: 4252)
- RegAsm.exe (PID: 4704)
- RegAsm.exe (PID: 5736)
- RegAsm.exe (PID: 1636)
- 2474327058.exe (PID: 5484)
- powershell.exe (PID: 5768)
- VLTKBacdau.exe (PID: 3052)
- svchost.exe (PID: 1556)
- fate.exe (PID: 6960)
- USA123.exe (PID: 4520)
- RegAsm.exe (PID: 5320)
- control.exe (PID: 7536)
- 4363463463464363463463463.exe (PID: 2016)
- RegAsm.exe (PID: 6176)
- jsc.exe (PID: 5184)
- InstallUtil.exe (PID: 6940)
- random.exe (PID: 5720)
- TypeId.exe (PID: 7372)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 3108)
- build6_unencrypted.exe (PID: 3144)
- sarra.exe (PID: 3076)
- asyns.exe (PID: 7488)
- RegAsm.exe (PID: 932)
- jok.exe (PID: 6760)
- twztl.exe (PID: 6980)
- propro.exe (PID: 2756)
- trust12344.exe (PID: 4384)
- FATTHER.exe (PID: 5928)
Reads Internet Explorer settings
- %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 5540)
- 炎黄大陆.exe (PID: 296)
Reads the BIOS version
- new.exe (PID: 5476)
- random.exe (PID: 5720)
- amert.exe (PID: 5280)
Cryptography encrypted command line is found
- cmd.exe (PID: 6128)
- cmd.exe (PID: 5120)
Application launched itself
- cmd.exe (PID: 6048)
- cmd.exe (PID: 4540)
- powershell.exe (PID: 6120)
- cmd.exe (PID: 1808)
- cmd.exe (PID: 1020)
- powershell.exe (PID: 5768)
- asdfg.exe (PID: 7000)
- BLHisbnd.exe (PID: 7116)
- ghjk.exe (PID: 7340)
- net.exe (PID: 7484)
- cmd.exe (PID: 8092)
- cmd.exe (PID: 6260)
- Tags.exe (PID: 4624)
- InstallUtil.exe (PID: 7816)
- amadycry.exe (PID: 6248)
- zxcvb.exe (PID: 5504)
- FGwmr.exe (PID: 4996)
- ghjkl.exe (PID: 6952)
- green.exe (PID: 5052)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 6120)
- powershell.exe (PID: 5768)
Probably obfuscated PowerShell command line is found
- powershell.exe (PID: 6120)
- powershell.exe (PID: 5768)
Process checks specific path in scheduled tasks
- powershell.exe (PID: 5724)
- powershell.exe (PID: 2136)
Using PowerShell to operate with local accounts
- powershell.exe (PID: 5724)
- powershell.exe (PID: 4888)
- powershell.exe (PID: 2136)
- powershell.exe (PID: 6032)
- powershell.exe (PID: 7808)
- powershell.exe (PID: 7588)
- powershell.exe (PID: 6828)
- powershell.exe (PID: 7688)
- powershell.exe (PID: 4948)
Executing commands from ".cmd" file
- powershell.exe (PID: 6120)
- cmd.exe (PID: 1808)
- cmd.exe (PID: 1020)
Powershell scripting: start process
- cmd.exe (PID: 2560)
- cmd.exe (PID: 4292)
Creates a software uninstall entry
- yhdl.exe (PID: 5764)
Reads Microsoft Outlook installation path
- 炎黄大陆.exe (PID: 296)
Uses ATTRIB.EXE to modify file attributes
- cmd.exe (PID: 2248)
Drops 7-zip archiver for unpacking
- conhost.exe (PID: 5340)
Process drops legitimate windows executable
- 4363463463464363463463463.exe (PID: 3420)
- svchost.exe (PID: 1556)
- 4363463463464363463463463.exe (PID: 3460)
- RegAsm.exe (PID: 6176)
- Fighting.pif (PID: 2480)
- 4363463463464363463463463.exe (PID: 2888)
- clip.exe (PID: 7820)
- 4363463463464363463463463.exe (PID: 2160)
- timeSync.exe (PID: 5860)
Checks Windows Trust Settings
- 炎黄大陆.exe (PID: 296)
- RegAsm.exe (PID: 4604)
Starts a Microsoft application from unusual location
- svchost.exe (PID: 1556)
- alex12.exe (PID: 6848)
- svchost.exe (PID: 4756)
- jsc.exe (PID: 7756)
- asyns.exe (PID: 7488)
- svchost.exe (PID: 6372)
- thost.exe (PID: 5488)
- BrawlB0t.exe (PID: 6312)
- alex12341.exe (PID: 9044)
Likely accesses (executes) a file from the Public directory
- schtasks.exe (PID: 2808)
- svchost.exe (PID: 4756)
- svchost.exe (PID: 6372)
Reads browser cookies
- crypted.exe (PID: 3016)
- fate.exe (PID: 6960)
Searches for installed software
- crypted.exe (PID: 3016)
- fate.exe (PID: 6960)
- dialer.exe (PID: 7296)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 6236)
Reads the date of Windows installation
- u2m0.1.exe (PID: 6296)
- u4fg.1.exe (PID: 7720)
The process checks if it is being run in the virtual environment
- dialer.exe (PID: 7296)
The process executes via Task Scheduler
- powershell.exe (PID: 7808)
- TypeId.exe (PID: 7372)
- svchost.exe (PID: 4756)
- Tags.exe (PID: 4624)
- powershell.exe (PID: 6828)
- system.exe (PID: 5012)
- NewB.exe (PID: 2396)
- svchost.exe (PID: 6372)
- powershell.EXE (PID: 4280)
Node.exe was dropped
- 4363463463464363463463463.exe (PID: 2096)
- amad.exe (PID: 8124)
Get information on the list of running processes
- cmd.exe (PID: 6260)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 6260)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- USA123.exe (PID: 4520)
- RegAsm.exe (PID: 4604)
Suspicious file concatenation
- cmd.exe (PID: 6768)
- cmd.exe (PID: 7216)
Drops a file with a rarely used extension (PIF)
- cmd.exe (PID: 6768)
- Fighting.pif (PID: 2480)
Checks for external IP
- USA123.exe (PID: 4520)
- RegAsm.exe (PID: 6176)
- WizClient.exe (PID: 2880)
Starts application with an unusual extension
- cmd.exe (PID: 6260)
- green.exe (PID: 5052)
Runs PING.EXE to delay simulation
- cmd.exe (PID: 6260)
Connects to FTP
- VLTKBacdau.exe (PID: 3052)
Non-standard symbols in registry
- fate.exe (PID: 6960)
Runs shell command (SCRIPT)
- wscript.exe (PID: 6284)
Script adds exclusion path to Windows Defender
- wefhrf.exe (PID: 7308)
- build6_unencrypted.exe (PID: 3144)
- BrawlB0t.exe (PID: 6312)
Script adds exclusion process to Windows Defender
- wefhrf.exe (PID: 7308)
- build6_unencrypted.exe (PID: 3144)
Executed via WMI
- schtasks.exe (PID: 1840)
- schtasks.exe (PID: 7976)
- schtasks.exe (PID: 7740)
- schtasks.exe (PID: 7932)
- schtasks.exe (PID: 7960)
- schtasks.exe (PID: 7996)
- schtasks.exe (PID: 6864)
- schtasks.exe (PID: 5220)
- schtasks.exe (PID: 4160)
- schtasks.exe (PID: 3144)
- schtasks.exe (PID: 7532)
- schtasks.exe (PID: 6628)
- schtasks.exe (PID: 2540)
- schtasks.exe (PID: 7392)
- schtasks.exe (PID: 6836)
- schtasks.exe (PID: 7708)
- schtasks.exe (PID: 6884)
- schtasks.exe (PID: 6888)
- schtasks.exe (PID: 7020)
- schtasks.exe (PID: 3424)
- schtasks.exe (PID: 6784)
- schtasks.exe (PID: 5844)
- schtasks.exe (PID: 5328)
- schtasks.exe (PID: 6004)
- schtasks.exe (PID: 4668)
- schtasks.exe (PID: 2424)
- schtasks.exe (PID: 120)
- schtasks.exe (PID: 6804)
- schtasks.exe (PID: 6788)
- schtasks.exe (PID: 3220)
- FGwmr.exe (PID: 4996)
Probably delay the execution using 'w32tm.exe'
- cmd.exe (PID: 5004)
Loads DLL from Mozilla Firefox
- dialer.exe (PID: 7296)
Accesses Microsoft Outlook profiles
- dialer.exe (PID: 7296)
Detected use of alternative data streams (AltDS)
- NINJA.exe (PID: 7468)
The process executes VB scripts
- NINJA.exe (PID: 7468)
Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)
- wscript.exe (PID: 5960)
Executes WMI query (SCRIPT)
- wscript.exe (PID: 5960)
Creates FileSystem object to access computer's file system (SCRIPT)
- wscript.exe (PID: 5960)
The process drops Mozilla's DLL files
- timeSync.exe (PID: 5860)
The process drops C-runtime libraries
- timeSync.exe (PID: 5860)
INFO
Reads the computer name
- 4363463463464363463463463.exe (PID: 3108)
- 4363463463464363463463463.exe (PID: 2888)
- 4363463463464363463463463.exe (PID: 2160)
- 4363463463464363463463463.exe (PID: 3668)
- 4363463463464363463463463.exe (PID: 3420)
- 4363463463464363463463463.exe (PID: 1776)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2332)
- xeno.exe (PID: 3776)
- 4363463463464363463463463.exe (PID: 2408)
- xeno.exe (PID: 1348)
- boomlumma.exe (PID: 3964)
- 4363463463464363463463463.exe (PID: 3460)
- Ledger-Live.exe (PID: 3780)
- cryptotaeg.exe (PID: 1504)
- _vti_cnf.exe (PID: 3764)
- Client.exe (PID: 3016)
- RegAsm.exe (PID: 1268)
- 4363463463464363463463463.exe (PID: 560)
- ISetup8.exe (PID: 3384)
- 4363463463464363463463463.exe (PID: 2992)
- 4363463463464363463463463.exe (PID: 2060)
- lumma2.exe (PID: 3960)
- 4363463463464363463463463.exe (PID: 1860)
- 4363463463464363463463463.exe (PID: 3924)
- 4363463463464363463463463.exe (PID: 3272)
- 4363463463464363463463463.exe (PID: 3696)
- SuburbansKamacite.exe (PID: 3164)
- 4363463463464363463463463.exe (PID: 2016)
- QQ.exe (PID: 3756)
- 4363463463464363463463463.exe (PID: 4180)
- go.exe (PID: 4320)
- u2m0.0.exe (PID: 4172)
- system.exe (PID: 4252)
- strt.exe (PID: 4132)
- appdata.exe (PID: 4440)
- RegAsm.exe (PID: 4704)
- 23.exe (PID: 4280)
- swizzyy.exe (PID: 5460)
- RegAsm.exe (PID: 5736)
- tpeinf.exe (PID: 5192)
- %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 5540)
- new.exe (PID: 5476)
- svcservice.exe (PID: 6072)
- chdyz.exe (PID: 4844)
- peinf.exe (PID: 4820)
- JSIDBWSJK.exe (PID: 4616)
- ISetup5.exe (PID: 5740)
- crypted.exe (PID: 3016)
- AppLaunch.exe (PID: 5268)
- goldprime123mm.exe (PID: 5136)
- RegAsm.exe (PID: 1636)
- 2474327058.exe (PID: 5484)
- yhdl.exe (PID: 5764)
- cmon.exe (PID: 5580)
- u4fg.0.exe (PID: 2640)
- 炎黄大陆.exe (PID: 296)
- conhost.exe (PID: 5340)
- cacd6bf810543a9d46c9b104dfd72778.exe (PID: 5108)
- svchost.exe (PID: 1556)
- VLTKBacdau.exe (PID: 3052)
- goldprime123.exe (PID: 4460)
- RegAsm.exe (PID: 5320)
- USA123.exe (PID: 4520)
- 503713659.exe (PID: 5836)
- html.exe (PID: 5136)
- u2m0.1.exe (PID: 6296)
- flt_shovemydiscoupyourarse.exe (PID: 6376)
- crypted_33cb9091.exe (PID: 5188)
- pei.exe (PID: 6752)
- RegAsm.exe (PID: 6892)
- alex12.exe (PID: 6848)
- olehpsp.exe (PID: 6968)
- fate.exe (PID: 6960)
- asdfg.exe (PID: 7000)
- Pac-Man.exe (PID: 6920)
- BLHisbnd.exe (PID: 7116)
- BLHisbnd.exe (PID: 7200)
- gold.exe (PID: 7032)
- ghjk.exe (PID: 7340)
- net.exe (PID: 7484)
- hv.exe (PID: 7544)
- dsdasda.exe (PID: 7568)
- control.exe (PID: 7536)
- Tweeter%20Traffic.exe (PID: 7604)
- kb^fr_ouverture.exe (PID: 7512)
- u4fg.1.exe (PID: 7720)
- MartDrum.exe (PID: 7680)
- amad.exe (PID: 8124)
- RegAsm.exe (PID: 6176)
- IjerkOff.exe (PID: 7628)
- Fighting.pif (PID: 2480)
- wefhrf.exe (PID: 7308)
- IEUpdater2286.exe (PID: 7236)
- TypeId.exe (PID: 7372)
- agentDllDhcp.exe (PID: 5660)
- Amdau.exe (PID: 7820)
- pinguin.exe (PID: 5820)
- jokerpos.exe (PID: 4988)
- RegAsm.exe (PID: 4128)
- Tags.exe (PID: 4624)
- svchost.exe (PID: 4756)
- WeGameMiniLoader.std.5.12.21.1022.exe (PID: 7136)
- Tags.exe (PID: 4896)
- jsc.exe (PID: 5432)
- 288c47bbc1871b439df19ff4df68f00076.exe (PID: 4708)
- taskeng.exe (PID: 5492)
- jsc.exe (PID: 5184)
- ISetup4.exe (PID: 7160)
- WeGameMiniLoader.exe (PID: 5624)
- InstallUtil.exe (PID: 7816)
- InstallUtil.exe (PID: 6940)
- ISetup10.exe (PID: 3256)
- 288c47bbc1871b439df19ff4df68f076.exe (PID: 7040)
- NINJA.exe (PID: 7468)
- WatchDog.exe (PID: 7292)
- small.exe (PID: 7432)
- cry.exe (PID: 7228)
- RegAsm.exe (PID: 4604)
- amadycry.exe (PID: 6248)
- NewB.exe (PID: 6628)
- crypted_d786fd3e.exe (PID: 6088)
- build6_unencrypted.exe (PID: 3144)
- amadycry.exe (PID: 6744)
- twztl.exe (PID: 6980)
- random.exe (PID: 5720)
- PCclear_Eng_mini.exe (PID: 6772)
- RegAsm.exe (PID: 5284)
- virus.exe (PID: 4420)
- amert.exe (PID: 5280)
Checks supported languages
- 4363463463464363463463463.exe (PID: 3108)
- 4363463463464363463463463.exe (PID: 2888)
- 4363463463464363463463463.exe (PID: 2160)
- 4363463463464363463463463.exe (PID: 3668)
- 4363463463464363463463463.exe (PID: 3420)
- 4363463463464363463463463.exe (PID: 1776)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2332)
- xeno.exe (PID: 3776)
- xeno.exe (PID: 1348)
- 4363463463464363463463463.exe (PID: 2408)
- boomlumma.exe (PID: 3964)
- RegAsm.exe (PID: 4004)
- 4363463463464363463463463.exe (PID: 3460)
- Ledger-Live.exe (PID: 3780)
- Client.exe (PID: 3016)
- cryptotaeg.exe (PID: 1504)
- _vti_cnf.exe (PID: 3764)
- RegAsm.exe (PID: 1268)
- ISetup8.exe (PID: 3384)
- 4363463463464363463463463.exe (PID: 560)
- 4363463463464363463463463.exe (PID: 2992)
- 4363463463464363463463463.exe (PID: 3924)
- lumma2.exe (PID: 3960)
- RegAsm.exe (PID: 2792)
- 4363463463464363463463463.exe (PID: 2060)
- 4363463463464363463463463.exe (PID: 1860)
- SuburbansKamacite.exe (PID: 3164)
- 4363463463464363463463463.exe (PID: 3272)
- QQ.exe (PID: 3756)
- 4363463463464363463463463.exe (PID: 2016)
- 4363463463464363463463463.exe (PID: 3696)
- u2m0.0.exe (PID: 4172)
- system.exe (PID: 4252)
- 4363463463464363463463463.exe (PID: 4180)
- go.exe (PID: 4320)
- strt.exe (PID: 4132)
- 23.exe (PID: 4280)
- appdata.exe (PID: 4440)
- RegAsm.exe (PID: 4704)
- swizzyy.exe (PID: 5460)
- tpeinf.exe (PID: 5192)
- %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 5540)
- new.exe (PID: 5476)
- RegAsm.exe (PID: 5736)
- ttt.exe (PID: 5196)
- svcservice.exe (PID: 6072)
- 2474327058.exe (PID: 5484)
- crypted.exe (PID: 3016)
- peinf.exe (PID: 4820)
- chdyz.exe (PID: 4844)
- JSIDBWSJK.exe (PID: 4616)
- ISetup5.exe (PID: 5740)
- AppLaunch.exe (PID: 5268)
- RegAsm.exe (PID: 1636)
- yhdl.exe (PID: 5764)
- goldprime123mm.exe (PID: 5136)
- current.exe (PID: 5108)
- cmon.exe (PID: 5580)
- u4fg.0.exe (PID: 2640)
- 炎黄大陆.exe (PID: 296)
- conhost.exe (PID: 5340)
- 255810262.exe (PID: 5188)
- djdjdje1939_crypted_EASY.exe (PID: 5236)
- mode.com (PID: 2072)
- 1199620097.exe (PID: 5988)
- cacd6bf810543a9d46c9b104dfd72778.exe (PID: 5108)
- svchost.exe (PID: 1556)
- VLTKBacdau.exe (PID: 3052)
- 503713659.exe (PID: 5836)
- news_01.exe (PID: 5116)
- RegAsm.exe (PID: 5320)
- goldprime123.exe (PID: 4460)
- USA123.exe (PID: 4520)
- html.exe (PID: 5136)
- crypted_33cb9091.exe (PID: 5188)
- u2m0.1.exe (PID: 6296)
- flt_shovemydiscoupyourarse.exe (PID: 6376)
- RegAsm.exe (PID: 6176)
- 2185618648.exe (PID: 6572)
- pei.exe (PID: 6752)
- RegAsm.exe (PID: 6892)
- alex12.exe (PID: 6848)
- Pac-Man.exe (PID: 6920)
- fate.exe (PID: 6960)
- olehpsp.exe (PID: 6968)
- asdfg.exe (PID: 7000)
- 2700519352.exe (PID: 7024)
- gold.exe (PID: 7032)
- BLHisbnd.exe (PID: 7200)
- asdfg.exe (PID: 7140)
- RegAsm.exe (PID: 7056)
- BLHisbnd.exe (PID: 7116)
- ghjk.exe (PID: 7408)
- control.exe (PID: 7536)
- net.exe (PID: 7484)
- ghjk.exe (PID: 7340)
- dsdasda.exe (PID: 7568)
- net.exe (PID: 7588)
- Tweeter%20Traffic.exe (PID: 7604)
- hv.exe (PID: 7544)
- kb^fr_ouverture.exe (PID: 7512)
- MartDrum.exe (PID: 7680)
- IjerkOff.exe (PID: 7628)
- u4fg.1.exe (PID: 7720)
- amad.exe (PID: 8124)
- Project_8.exe (PID: 3780)
- Fighting.pif (PID: 2480)
- wefhrf.exe (PID: 7308)
- 648b5vt13485v134322685vt.exe (PID: 5784)
- IEUpdater2286.exe (PID: 7236)
- TypeId.exe (PID: 7372)
- agentDllDhcp.exe (PID: 5660)
- Amdau.exe (PID: 7820)
- Max.exe (PID: 7748)
- random.exe (PID: 5720)
- jokerpos.exe (PID: 4988)
- RegAsm.exe (PID: 4128)
- pinguin.exe (PID: 5820)
- Tags.exe (PID: 4896)
- WeGameMiniLoader.std.5.12.21.1022.exe (PID: 7136)
- Tags.exe (PID: 4624)
- svchost.exe (PID: 4756)
- idrB5Event.exe (PID: 5556)
- jsc.exe (PID: 5432)
- 288c47bbc1871b439df19ff4df68f00076.exe (PID: 4708)
- jsc.exe (PID: 5184)
- WeGameMiniLoader.exe (PID: 5624)
- taskeng.exe (PID: 5492)
- 288c47bbc1871b439df19ff4df68f076.exe (PID: 7040)
- ISetup4.exe (PID: 7160)
- InstallUtil.exe (PID: 7816)
- InstallUtil.exe (PID: 6940)
- ISetup10.exe (PID: 3256)
- WatchDog.exe (PID: 7292)
- small.exe (PID: 7432)
- NINJA.exe (PID: 7468)
- twztl.exe (PID: 6980)
- cry.exe (PID: 7228)
- RegAsm.exe (PID: 4604)
- eeee.exe (PID: 8052)
- amadycry.exe (PID: 6248)
- crypted_d786fd3e.exe (PID: 6088)
- amadycry.exe (PID: 6744)
- NewB.exe (PID: 6628)
- build6_unencrypted.exe (PID: 3144)
- PCclear_Eng_mini.exe (PID: 6772)
- RegAsm.exe (PID: 5284)
- 107021332.exe (PID: 8104)
- %EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe (PID: 4908)
- wmpshare.exe (PID: 4896)
- amert.exe (PID: 5280)
- virus.exe (PID: 4420)
- 2544825618.exe (PID: 3920)
Reads the machine GUID from the registry
- 4363463463464363463463463.exe (PID: 3108)
- 4363463463464363463463463.exe (PID: 2160)
- 4363463463464363463463463.exe (PID: 2888)
- 4363463463464363463463463.exe (PID: 3668)
- 4363463463464363463463463.exe (PID: 3420)
- 4363463463464363463463463.exe (PID: 1776)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2332)
- 4363463463464363463463463.exe (PID: 2408)
- 4363463463464363463463463.exe (PID: 3460)
- Ledger-Live.exe (PID: 3780)
- Client.exe (PID: 3016)
- RegAsm.exe (PID: 1268)
- 4363463463464363463463463.exe (PID: 560)
- _vti_cnf.exe (PID: 3764)
- 4363463463464363463463463.exe (PID: 2992)
- 4363463463464363463463463.exe (PID: 2060)
- 4363463463464363463463463.exe (PID: 3924)
- 4363463463464363463463463.exe (PID: 1860)
- 4363463463464363463463463.exe (PID: 3272)
- 4363463463464363463463463.exe (PID: 3696)
- SuburbansKamacite.exe (PID: 3164)
- QQ.exe (PID: 3756)
- 4363463463464363463463463.exe (PID: 2016)
- 4363463463464363463463463.exe (PID: 4180)
- system.exe (PID: 4252)
- u2m0.0.exe (PID: 4172)
- xeno.exe (PID: 1348)
- strt.exe (PID: 4132)
- RegAsm.exe (PID: 4704)
- RegAsm.exe (PID: 5736)
- tpeinf.exe (PID: 5192)
- %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 5540)
- svcservice.exe (PID: 6072)
- peinf.exe (PID: 4820)
- new.exe (PID: 5476)
- AppLaunch.exe (PID: 5268)
- RegAsm.exe (PID: 1636)
- yhdl.exe (PID: 5764)
- 2474327058.exe (PID: 5484)
- cmon.exe (PID: 5580)
- u4fg.0.exe (PID: 2640)
- 炎黄大陆.exe (PID: 296)
- cacd6bf810543a9d46c9b104dfd72778.exe (PID: 5108)
- svchost.exe (PID: 1556)
- VLTKBacdau.exe (PID: 3052)
- RegAsm.exe (PID: 5320)
- 503713659.exe (PID: 5836)
- html.exe (PID: 5136)
- USA123.exe (PID: 4520)
- u2m0.1.exe (PID: 6296)
- pei.exe (PID: 6752)
- fate.exe (PID: 6960)
- olehpsp.exe (PID: 6968)
- BLHisbnd.exe (PID: 7116)
- BLHisbnd.exe (PID: 7200)
- asdfg.exe (PID: 7000)
- ghjk.exe (PID: 7340)
- control.exe (PID: 7536)
- dsdasda.exe (PID: 7568)
- net.exe (PID: 7484)
- Tweeter%20Traffic.exe (PID: 7604)
- amad.exe (PID: 8124)
- RegAsm.exe (PID: 6176)
- TypeId.exe (PID: 7372)
- agentDllDhcp.exe (PID: 5660)
- svchost.exe (PID: 4756)
- wefhrf.exe (PID: 7308)
- Tags.exe (PID: 4624)
- Amdau.exe (PID: 7820)
- Tags.exe (PID: 4896)
- jsc.exe (PID: 5432)
- taskeng.exe (PID: 5492)
- jsc.exe (PID: 5184)
- hv.exe (PID: 7544)
- 288c47bbc1871b439df19ff4df68f076.exe (PID: 7040)
- InstallUtil.exe (PID: 7816)
- InstallUtil.exe (PID: 6940)
- WatchDog.exe (PID: 7292)
- WeGameMiniLoader.exe (PID: 5624)
- RegAsm.exe (PID: 4604)
- NINJA.exe (PID: 7468)
- amadycry.exe (PID: 6248)
- twztl.exe (PID: 6980)
- small.exe (PID: 7432)
- NewB.exe (PID: 6628)
- amadycry.exe (PID: 6744)
- build6_unencrypted.exe (PID: 3144)
- random.exe (PID: 5720)
- PCclear_Eng_mini.exe (PID: 6772)
- RegAsm.exe (PID: 5284)
- wmpshare.exe (PID: 4896)
- virus.exe (PID: 4420)
- amert.exe (PID: 5280)
Reads Environment values
- 4363463463464363463463463.exe (PID: 3108)
- 4363463463464363463463463.exe (PID: 2888)
- 4363463463464363463463463.exe (PID: 2160)
- 4363463463464363463463463.exe (PID: 3668)
- 4363463463464363463463463.exe (PID: 3420)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 1776)
- 4363463463464363463463463.exe (PID: 2332)
- 4363463463464363463463463.exe (PID: 2408)
- 4363463463464363463463463.exe (PID: 3460)
- Client.exe (PID: 3016)
- RegAsm.exe (PID: 1268)
- 4363463463464363463463463.exe (PID: 560)
- 4363463463464363463463463.exe (PID: 2992)
- 4363463463464363463463463.exe (PID: 2060)
- 4363463463464363463463463.exe (PID: 3924)
- 4363463463464363463463463.exe (PID: 1860)
- 4363463463464363463463463.exe (PID: 3272)
- 4363463463464363463463463.exe (PID: 3696)
- 4363463463464363463463463.exe (PID: 2016)
- 4363463463464363463463463.exe (PID: 4180)
- system.exe (PID: 4252)
- strt.exe (PID: 4132)
- %E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe (PID: 5540)
- chdyz.exe (PID: 4844)
- 炎黄大陆.exe (PID: 296)
- VLTKBacdau.exe (PID: 3052)
- USA123.exe (PID: 4520)
- fate.exe (PID: 6960)
- control.exe (PID: 7536)
- agentDllDhcp.exe (PID: 5660)
- jsc.exe (PID: 5184)
- taskeng.exe (PID: 5492)
- small.exe (PID: 7432)
- wefhrf.exe (PID: 7308)
- RegAsm.exe (PID: 5284)
- virus.exe (PID: 4420)
Reads the software policy settings
- 4363463463464363463463463.exe (PID: 3108)
- 4363463463464363463463463.exe (PID: 2160)
- 4363463463464363463463463.exe (PID: 2888)
- 4363463463464363463463463.exe (PID: 3668)
- 4363463463464363463463463.exe (PID: 3420)
- 4363463463464363463463463.exe (PID: 1776)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 2332)
- 4363463463464363463463463.exe (PID: 2408)
- 4363463463464363463463463.exe (PID: 3460)
- 4363463463464363463463463.exe (PID: 560)
- 4363463463464363463463463.exe (PID: 2992)
- 4363463463464363463463463.exe (PID: 2060)
- 4363463463464363463463463.exe (PID: 3924)
- 4363463463464363463463463.exe (PID: 3272)
- 4363463463464363463463463.exe (PID: 1860)
- 4363463463464363463463463.exe (PID: 3696)
- 4363463463464363463463463.exe (PID: 2016)
- 4363463463464363463463463.exe (PID: 4180)
- system.exe (PID: 4252)
- 炎黄大陆.exe (PID: 296)
- USA123.exe (PID: 4520)
- control.exe (PID: 7536)
- RegAsm.exe (PID: 6176)
- RegAsm.exe (PID: 4604)
- RegAsm.exe (PID: 5284)
- jsc.exe (PID: 5184)
Manual execution by a user
- 4363463463464363463463463.exe (PID: 2888)
- 4363463463464363463463463.exe (PID: 2592)
- 4363463463464363463463463.exe (PID: 3668)
- 4363463463464363463463463.exe (PID: 584)
- 4363463463464363463463463.exe (PID: 1408)
- 4363463463464363463463463.exe (PID: 2160)
- 4363463463464363463463463.exe (PID: 3536)
- 4363463463464363463463463.exe (PID: 1168)
- 4363463463464363463463463.exe (PID: 1776)
- 4363463463464363463463463.exe (PID: 3420)
- 4363463463464363463463463.exe (PID: 1484)
- 4363463463464363463463463.exe (PID: 2096)
- 4363463463464363463463463.exe (PID: 3284)
- 4363463463464363463463463.exe (PID: 2332)
- 4363463463464363463463463.exe (PID: 1836)
- 4363463463464363463463463.exe (PID: 2408)
- 4363463463464363463463463.exe (PID: 3720)
- 4363463463464363463463463.exe (PID: 3460)
- 4363463463464363463463463.exe (PID: 1124)
- 4363463463464363463463463.exe (PID: 560)
- 4363463463464363463463463.exe (PID: 2524)
- 4363463463464363463463463.exe (PID: 2992)
- 4363463463464363463463463.exe (PID: 2208)
- 4363463463464363463463463.exe (PID: 2060)
- 4363463463464363463463463.exe (PID: 3924)
- 4363463463464363463463463.exe (PID: 3368)
- 4363463463464363463463463.exe (PID: 2380)
- 4363463463464363463463463.exe (PID: 1860)
- 4363463463464363463463463.exe (PID: 3272)
- 4363463463464363463463463.exe (PID: 3696)
- 4363463463464363463463463.exe (PID: 876)
- 4363463463464363463463463.exe (PID: 3684)
- 4363463463464363463463463.exe (PID: 3832)
- 4363463463464363463463463.exe (PID: 2016)
- 4363463463464363463463463.exe (PID: 4120)
- 4363463463464363463463463.exe (PID: 4180)
- msedge.exe (PID: 4932)
- msedge.exe (PID: 5188)
- cmd.exe (PID: 2968)
- jsc.exe (PID: 7756)
Creates files or folders in the user directory
- xeno.exe (PID: 3776)
- Client.exe (PID: 3016)
- Ledger-Live.exe (PID: 3780)
- 23.exe (PID: 4280)
- tpeinf.exe (PID: 5192)
- yhdl.exe (PID: 5764)
- peinf.exe (PID: 4820)
- 炎黄大陆.exe (PID: 296)
- 2474327058.exe (PID: 5484)
- _vti_cnf.exe (PID: 3764)
- dllhost.exe (PID: 4720)
- USA123.exe (PID: 4520)
- cmon.exe (PID: 5580)
- RegAsm.exe (PID: 6892)
- BLHisbnd.exe (PID: 7200)
- amad.exe (PID: 8124)
- RegAsm.exe (PID: 6176)
- Fighting.pif (PID: 2480)
- agentDllDhcp.exe (PID: 5660)
- WeGameMiniLoader.std.5.12.21.1022.exe (PID: 7136)
- WeGameMiniLoader.exe (PID: 5624)
- Amdau.exe (PID: 7820)
- RegAsm.exe (PID: 4604)
- NINJA.exe (PID: 7468)
- amadycry.exe (PID: 6248)
- small.exe (PID: 7432)
- random.exe (PID: 5720)
Create files in a temporary directory
- 4363463463464363463463463.exe (PID: 3420)
- Client.exe (PID: 3016)
- xeno.exe (PID: 1348)
- ISetup8.exe (PID: 3384)
- tpeinf.exe (PID: 5192)
- JSIDBWSJK.exe (PID: 4616)
- ISetup5.exe (PID: 5740)
- peinf.exe (PID: 4820)
- conhost.exe (PID: 5340)
- 2474327058.exe (PID: 5484)
- u2m0.1.exe (PID: 6296)
- pei.exe (PID: 6752)
- Pac-Man.exe (PID: 6920)
- asdfg.exe (PID: 7000)
- MartDrum.exe (PID: 7680)
- RegAsm.exe (PID: 6176)
- Project_8.exe (PID: 3780)
- agentDllDhcp.exe (PID: 5660)
- WeGameMiniLoader.std.5.12.21.1022.exe (PID: 7136)
- 288c47bbc1871b439df19ff4df68f00076.exe (PID: 4708)
- hv.exe (PID: 7544)
- small.exe (PID: 7432)
- twztl.exe (PID: 6980)
- NINJA.exe (PID: 7468)
- Fighting.pif (PID: 2480)
- random.exe (PID: 5720)
- amert.exe (PID: 5280)
Checks proxy server information
- _vti_cnf.exe (PID: 3764)
- QQ.exe (PID: 3756)
- u2m0.0.exe (PID: 4172)
- tpeinf.exe (PID: 5192)
- svcservice.exe (PID: 6072)
- peinf.exe (PID: 4820)
- AppLaunch.exe (PID: 5268)
- 2474327058.exe (PID: 5484)
- yhdl.exe (PID: 5764)
- u4fg.0.exe (PID: 2640)
- 炎黄大陆.exe (PID: 296)
- 503713659.exe (PID: 5836)
- u2m0.1.exe (PID: 6296)
- pei.exe (PID: 6752)
- amad.exe (PID: 8124)
- jsc.exe (PID: 5432)
- RegAsm.exe (PID: 4604)
- amadycry.exe (PID: 6744)
- twztl.exe (PID: 6980)
- NewB.exe (PID: 6628)
- small.exe (PID: 7432)
- PCclear_Eng_mini.exe (PID: 6772)
Reads mouse settings
- go.exe (PID: 4320)
- Fighting.pif (PID: 2480)
- NINJA.exe (PID: 7468)
Application launched itself
- msedge.exe (PID: 4356)
- msedge.exe (PID: 4436)
- msedge.exe (PID: 4368)
- msedge.exe (PID: 4932)
- msedge.exe (PID: 5188)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 4328)
- powershell.exe (PID: 4888)
- powershell.exe (PID: 5724)
- powershell.exe (PID: 3440)
- powershell.exe (PID: 5124)
- powershell.exe (PID: 4472)
- powershell.exe (PID: 5800)
- powershell.exe (PID: 2136)
- powershell.exe (PID: 6032)
- powershell.exe (PID: 5132)
- powershell.exe (PID: 1556)
- powershell.exe (PID: 5772)
- powershell.exe (PID: 7808)
- powershell.exe (PID: 7588)
- powershell.exe (PID: 6828)
- powershell.exe (PID: 7688)
- powershell.exe (PID: 4948)
Process checks whether UAC notifications are on
- new.exe (PID: 5476)
- wefhrf.exe (PID: 7308)
Checks current location (POWERSHELL)
- powershell.exe (PID: 6120)
- powershell.exe (PID: 5024)
- powershell.exe (PID: 5768)
- powershell.exe (PID: 4328)
Uses string replace method (POWERSHELL)
- powershell.exe (PID: 6120)
- powershell.exe (PID: 5768)
Gets data length (POWERSHELL)
- powershell.exe (PID: 6120)
- powershell.exe (PID: 5768)
Creates files in the program directory
- yhdl.exe (PID: 5764)
- u2m0.1.exe (PID: 6296)
- RegAsm.exe (PID: 6176)
- agentDllDhcp.exe (PID: 5660)
- random.exe (PID: 5720)
- WeGameMiniLoader.exe (PID: 5624)
Drops the executable file immediately after the start
- dllhost.exe (PID: 4720)
- clip.exe (PID: 7820)
- dialer.exe (PID: 7296)
Reads product name
- fate.exe (PID: 6960)
- agentDllDhcp.exe (PID: 5660)
- taskeng.exe (PID: 5492)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
LaplasClipper
(PID) Process(6072) svcservice.exe
C2 (1)http://45.159.189.105
Options
API Keyec991afa49df4efe459cfb97dc0f831257f3b06880dca401726b96cab6cb269a
Strings (6)^XZ]Z_]^]e459cfb97dc0f831257f3b06880dca401726b96cab6cb269Z
ec991afa49df4ef^X]Y_X]257f3b06880dca401726b96cab6cb269a
^XZ]Z_]^]e459cfb97dc0f831]Y_XZ1726b96cab6cb269Z
x86_64-SSE4-AVX2
/bot/online?guid
/bot/get?address
Lumma
(PID) Process(3016) crypted.exe
C2185.99.133.246
Options
LummaIDNMlPqS
BuildLummaC2, Build 20233101
(PID) Process(5268) AppLaunch.exe
C2gstatic-node.io
Options
LummaIDV566Iu--resame
AsyncRat
(PID) Process(5768) powershell.exe
BotnetCRYPTED_1
VersionVenom RAT + HVNC + Stealer + Grabber v6.0.3
Options
AutoRunfalse
Mutexfjivppwgtmaazkf
InstallFolder%AppData%
BSoDfalse
AntiVMfalse
Certificates
Cert1MIICOTCCAaKgAwIBAgIVAJ/xsLWdKampS62rnE6Qa19xxqHZMA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIzMDYxNTE5MDYwN1oXDTM0MDMyNDE5MDYwN1owEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcN...
Server_SignatureGdIEcwHRwl9l0kxVS/7E1loYoe0pZT+5YBQT2pnYUwk1e9aqDuuybn7fSR9ffFCT1rF0efH41n6uobX7HoPJUKiwC+Z1HZNUEnsBdxlGImV+Ccy5igJ7LBg9NLQSvY3v7Hi4dI5aW+kfJn2u9ArKi1cr2BdyOhbfPj5elvgUkNk=
Keys
AESfe6c1b5c02631645fa5e94173086f8a88de64f0d60bbc98fa9bad0ddac398880
SaltVenomRATByVenom
RedLine
(PID) Process(1636) RegAsm.exe
C2 (1)20.218.68.91:7690
BotnetLiveTraffic
Options
ErrorMessageError
Keys
XorCongrue
(PID) Process(5320) RegAsm.exe
C2 (1)20.218.68.91:7690
BotnetLiveTraffic
Options
ErrorMessageError
Keys
XorDrest
(PID) Process(6892) RegAsm.exe
C2 (1)185.172.128.33:8970
Botnet@logscloudyt_bot
Options
ErrorMessage
Keys
XorPayoff
(PID) Process(6960) fate.exe
C2 (1)185.172.128.33:8970
Botnet@logscloudyt_bot
Options
ErrorMessage
Keys
XorPayoff
XWorm
(PID) Process(1556) svchost.exe
C294.156.8.213:58002
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.2
Mutex4I8Re5sXp42hc8KT
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (7.4) |
| .exe | | | Win32 Executable (generic) (5.1) |
| .exe | | | Generic Win/DOS Executable (2.2) |
| .exe | | | DOS Executable Generic (2.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:12:22 08:29:10+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32 |
| LinkerVersion: | 80 |
| CodeSize: | 5632 |
| InitializedDataSize: | 4608 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x3552 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileDescription: | |
| FileVersion: | 0.0.0.0 |
| InternalName: | 4363463463464363463463463.exe |
| LegalCopyright: | |
| OriginalFileName: | 4363463463464363463463463.exe |
| ProductVersion: | 0.0.0.0 |
| AssemblyVersion: | 0.0.0.0 |
Total processes
579
Monitored processes
383
Malicious processes
115
Suspicious processes
28
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 120 | schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Adobe\conhost.exe'" /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 296 | "C:\Program Files\炎黄大陆\炎黄大陆.exe" | C:\Program Files\炎黄大陆\炎黄大陆.exe | yhdl.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
| 560 | "C:\Users\admin\Desktop\4363463463464363463463463.exe" | C:\Users\admin\Desktop\4363463463464363463463463.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Version: 0.0.0.0 Modules
| |||||||||||||||
| 584 | "C:\Users\admin\Desktop\4363463463464363463463463.exe" | C:\Users\admin\Desktop\4363463463464363463463463.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 3221226540 Version: 0.0.0.0 Modules
| |||||||||||||||
| 876 | "C:\Users\admin\Desktop\4363463463464363463463463.exe" | C:\Users\admin\Desktop\4363463463464363463463463.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 3221226540 Version: 0.0.0.0 Modules
| |||||||||||||||
| 880 | schtasks /create /f /RU "admin" /tr "C:\ProgramData\MPGPH2286\MPGPH2286.exe" /tn "MPGPH2286 HR" /sc HOURLY /rl HIGHEST | C:\Windows\System32\schtasks.exe | — | RegAsm.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 932 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | ce0b953269c74bc.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Assembly Registration Utility Version: 4.8.3761.0 built by: NET48REL1 Modules
| |||||||||||||||
| 1020 | C:\Windows\system32\cmd.exe /K "C:\Users\admin\AppData\Roaming\Network36344Man.cmd" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1124 | "C:\Users\admin\Desktop\4363463463464363463463463.exe" | C:\Users\admin\Desktop\4363463463464363463463463.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 3221226540 Version: 0.0.0.0 Modules
| |||||||||||||||
| 1168 | "C:\Users\admin\Desktop\4363463463464363463463463.exe" | C:\Users\admin\Desktop\4363463463464363463463463.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 3221226540 Version: 0.0.0.0 Modules
| |||||||||||||||
Total events
441 213
Read events
438 633
Write events
2 301
Delete events
279
Modification events
| (PID) Process: | (3108) 4363463463464363463463463.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (3108) 4363463463464363463463463.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (3108) 4363463463464363463463463.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (3108) 4363463463464363463463463.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (3108) 4363463463464363463463463.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (3108) 4363463463464363463463463.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
| (PID) Process: | (3108) 4363463463464363463463463.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASMANCS |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (3108) 4363463463464363463463463.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASMANCS |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (3108) 4363463463464363463463463.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASMANCS |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (3108) 4363463463464363463463463.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4363463463464363463463463_RASMANCS |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
Executable files
251
Suspicious files
115
Text files
186
Unknown types
69
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1776 | 4363463463464363463463463.exe | C:\Users\admin\Desktop\Files\cryptotaeg.exe | executable | |
MD5:03B7FD96167CEB3719C16A808178BCB3 | SHA256:C4358EA2998D60B3A94D6582331A845A32B9C619B6E6C0935B944D96376BF23F | |||
| 3420 | 4363463463464363463463463.exe | C:\Users\admin\AppData\Local\Temp\Cab6142.tmp | compressed | |
MD5:29F65BA8E88C063813CC50A4EA544E93 | SHA256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184 | |||
| 2408 | 4363463463464363463463463.exe | C:\Users\admin\Desktop\Files\sc.exe | executable | |
MD5:E86471DA9E0244D1D5E29B15FC9FEB80 | SHA256:50DD267B25062A6C94DE3976D9A198A882A2B5801270492D32F0C0DADC6CAA81 | |||
| 1776 | 4363463463464363463463463.exe | C:\Users\admin\Desktop\Files\xeno.exe | executable | |
MD5:A2EEA60F1991928460ECA53FB86F127B | SHA256:373C2274F9ADD075BA56475A4AC45A313B118FBF88C2025923870C25E794A1A7 | |||
| 3776 | xeno.exe | C:\Users\admin\AppData\Roaming\XenoManager\xeno.exe | executable | |
MD5:A2EEA60F1991928460ECA53FB86F127B | SHA256:373C2274F9ADD075BA56475A4AC45A313B118FBF88C2025923870C25E794A1A7 | |||
| 3420 | 4363463463464363463463463.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | |
MD5:29F65BA8E88C063813CC50A4EA544E93 | SHA256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184 | |||
| 3420 | 4363463463464363463463463.exe | C:\Users\admin\AppData\Local\Temp\Tar6143.tmp | cat | |
MD5:435A9AC180383F9FA094131B173A2F7B | SHA256:67DC37ED50B8E63272B49A254A6039EE225974F1D767BB83EB1FD80E759A7C34 | |||
| 3420 | 4363463463464363463463463.exe | C:\Users\admin\Desktop\Files\boomlumma.exe | executable | |
MD5:059E591F9DDA7D3EE0DE23F64D791CB1 | SHA256:9550ADDD57AC80AFC9A177A5E7C9E961892D96593296BAC79EC7A6EA65CC12D9 | |||
| 3440 | powershell.exe | C:\Users\admin\AppData\Local\Temp\gxlbmbwc.pc4.ps1 | — | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 3440 | powershell.exe | C:\Users\admin\AppData\Local\Temp\chsihvyx.z5h.psm1 | — | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
277
TCP/UDP connections
719
DNS requests
214
Threats
952
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2888 | 4363463463464363463463463.exe | GET | 200 | 193.233.132.167:80 | http://193.233.132.167/lend/bullpen12.exe | unknown | — | — | unknown |
2160 | 4363463463464363463463463.exe | GET | 200 | 103.14.122.111:80 | http://unicorpbrunei.com/Products/Siplast/_vti_cnf/_vti_cnf.exe | unknown | — | — | unknown |
3108 | 4363463463464363463463463.exe | GET | 200 | 86.68.222.14:80 | http://86.68.222.14/Client.exe | unknown | — | — | unknown |
3420 | 4363463463464363463463463.exe | GET | 200 | 193.233.132.167:80 | http://193.233.132.167/lend/boomlumma.exe | unknown | — | — | unknown |
1776 | 4363463463464363463463463.exe | GET | 200 | 86.68.222.14:80 | http://86.68.222.14/xeno.exe | unknown | — | — | unknown |
1776 | 4363463463464363463463463.exe | GET | 200 | 193.233.132.167:80 | http://193.233.132.167/lend/cryptotaeg.exe | unknown | — | — | unknown |
2096 | 4363463463464363463463463.exe | GET | 200 | 185.172.128.59:80 | http://185.172.128.59/ISetup8.exe | unknown | — | — | unknown |
3420 | 4363463463464363463463463.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?cfbd754b213fd9d7 | unknown | — | — | unknown |
2332 | 4363463463464363463463463.exe | GET | 200 | 185.172.128.228:80 | http://185.172.128.228/Ledger-Live.exe | unknown | — | — | unknown |
2408 | 4363463463464363463463463.exe | GET | 200 | 185.172.128.8:80 | http://185.172.128.8/sc.exe | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3108 | 4363463463464363463463463.exe | 151.101.2.49:443 | urlhaus.abuse.ch | FASTLY | US | unknown |
3108 | 4363463463464363463463463.exe | 86.68.222.14:80 | dentiste.ddns.net | Societe Francaise Du Radiotelephone - SFR SA | FR | unknown |
2888 | 4363463463464363463463463.exe | 151.101.194.49:443 | urlhaus.abuse.ch | FASTLY | US | unknown |
2888 | 4363463463464363463463463.exe | 193.233.132.167:80 | — | ATT-INTERNET4 | US | unknown |
2160 | 4363463463464363463463463.exe | 151.101.194.49:443 | urlhaus.abuse.ch | FASTLY | US | unknown |
3668 | 4363463463464363463463463.exe | 151.101.194.49:443 | urlhaus.abuse.ch | FASTLY | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
urlhaus.abuse.ch |
| whitelisted |
unicorpbrunei.com |
| unknown |
resourceedge.org |
| malicious |
pan.tenire.com |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
bitbucket.org |
| shared |
trecube.com |
| unknown |
bbuseruploads.s3.amazonaws.com |
| shared |
github.com |
| shared |
objects.githubusercontent.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3108 | 4363463463464363463463463.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent |
3108 | 4363463463464363463463463.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
3108 | 4363463463464363463463463.exe | A Network Trojan was detected | ET HUNTING Rejetto HTTP File Sever Response |
2888 | 4363463463464363463463463.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 37 |
2888 | 4363463463464363463463463.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent |
2888 | 4363463463464363463463463.exe | Misc activity | ET INFO Packed Executable Download |
2888 | 4363463463464363463463463.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
2888 | 4363463463464363463463463.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2888 | 4363463463464363463463463.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
2888 | 4363463463464363463463463.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
42 ETPRO signatures available at the full report
Process | Message |
|---|---|
4363463463464363463463463.exe | The specified executable is not a valid application for this OS platform.
|
4363463463464363463463463.exe | The specified executable is not a valid application for this OS platform.
|
strt.exe | CLR: Managed code called FailFast without specifying a reason.
|
4363463463464363463463463.exe | The request was aborted: Could not create SSL/TLS secure channel.
|
4363463463464363463463463.exe | The specified executable is not a valid application for this OS platform.
|
crypted.exe | 3CRkrhp00B3sLcoNO8n |
crypted.exe | aQ563El425pvqSO28gk |
crypted.exe | 6Dknm0lKTE482j0Hch6 |
crypted.exe | B55X8g0KRR5A45Lq8Lf |
crypted.exe | 8Coa1YuVp701wx8TDK4 |