Malware analysis https://trickflag.info/pc.php?code=vad&q=Aimware%20CS2&source=22&s1=145658&s2=&s3=&s4=&s5=download-button-vad&click_id=MjJ8MTQ1NjU4fDB8V2luZG93c18xMHxGaXJlZm94fGF0dGhlbGFrZS5pbmZvfGFpbXdhcmVHaXR8MmEwMjoyZjA3OjQ3MDg6NGMwMDo5NDY0OjM4OWM6NTYxOmRjMmQ=&dt=1771109170&p=&tp2=&tpr= Malicious activity

Add for printing

URL:	https://trickflag.info/pc.php?code=vad&q=Aimware%20CS2&source=22&s1=145658&s2=&s3=&s4=&s5=download-button-vad&click_id=MjJ8MTQ1NjU4fDB8V2luZG93c18xMHxGaXJlZm94fGF0dGhlbGFrZS5pbmZvfGFpbXdhcmVHaXR8MmEwMjoyZjA3OjQ3MDg6NGMwMDo5NDY0OjM4OWM6NTYxOmRjMmQ=&dt=1771109170&p=&tp2=&tpr=
Full analysis:	https://app.any.run/tasks/ce253580-ea49-4050-bb83-a1a87ad39363
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 14, 2026, 22:46:17
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec adware innosetup inno installer delphi loader stealer auto offloader websocket advancedinstaller generic takemyfile
Indicators:
MD5:	EC2F4F61C4242CF29AC9EF636431C4CD
SHA1:	73F4885129D67DDF2A685C1F3FD48487C7105F03
SHA256:	32932513076B6545FAF1E0B1AD75451E9A9203D85C264BE3EF2957CC871745F1
SSDEEP:	6:2PXV7F2rX8XssFmu8CidqvNxjMlFTbfZur4hNaYaI:2PXlF4M8g04bAl1bhk4h7p

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- INNOSETUP has been detected (SURICATA)
  - Aimware CS2.tmp (PID: 404)
- Executing a file with an untrusted certificate
  - eld1.exe (PID: 5752)
  - eld5.exe (PID: 6792)
- Actions looks like stealing of personal data
  - eld1.exe (PID: 5752)
- Steals credentials from Web Browsers
  - eld1.exe (PID: 5752)
- Changes powershell execution policy (Bypass)
  - eld1.exe (PID: 5752)
- OFFLOADER has been found (auto)
  - Aimware CS2.tmp (PID: 404)
- Changes the autorun value in the registry
  - VC_redist.x86.exe (PID: 3112)
- Adds path to the Windows Defender exclusion list
  - eld3.exe (PID: 8652)
  - Droops.exe (PID: 8392)
- Changes Windows Defender settings
  - eld3.exe (PID: 8652)
  - Droops.exe (PID: 8392)
- GENERIC has been found (auto)
  - eld4.exe (PID: 6904)
- Creates scheduled task from XML file
  - narcissist.exe (PID: 468)
  - narcissist.exe (PID: 6224)
  - narcissist.exe (PID: 3112)
- Uses Task Scheduler to run other applications
  - narcissist.exe (PID: 468)
  - narcissist.exe (PID: 6224)
  - narcissist.exe (PID: 3112)
- Create files in the Startup directory
  - Droops.exe (PID: 8392)
- Creates a new scheduled task via Registry
  - msiexec.exe (PID: 2360)
- ADVANCEDINSTALLER has been detected (SURICATA)
  - msiexec.exe (PID: 2480)
- ADWARE has been detected (SURICATA)
  - msiexec.exe (PID: 2480)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Aimware CS2.exe (PID: 3544)
  - Aimware CS2.exe (PID: 6580)
  - Aimware CS2.tmp (PID: 404)
  - eld2.exe (PID: 1520)
  - vc_redist.x86.exe (PID: 1484)
  - vc_redist.x86.exe (PID: 5992)
  - VC_redist.x86.exe (PID: 3112)
  - VC_redist.x86.exe (PID: 1676)
  - VC_redist.x86.exe (PID: 5520)
  - eld3.exe (PID: 8652)
  - Droops.exe (PID: 8392)
  - eld2.tmp (PID: 1884)
  - eld4.exe (PID: 6904)
  - narcissist.exe (PID: 468)
  - narcissist.exe (PID: 6224)
  - eld5.exe (PID: 6792)
  - narcissist.exe (PID: 3112)
- Reads the Windows owner or organization settings
  - Aimware CS2.tmp (PID: 404)
  - eld2.tmp (PID: 1884)
  - msiexec.exe (PID: 2860)
  - eld5.exe (PID: 6792)
- Access to an unwanted program domain was detected
  - Aimware CS2.tmp (PID: 404)
  - msiexec.exe (PID: 2480)
- Possible stealing from browsers
  - eld1.exe (PID: 5752)
- Possible stealing from crypto wallets
  - eld1.exe (PID: 5752)
- Searches for installed software
  - eld1.exe (PID: 5752)
  - vc_redist.x86.exe (PID: 5992)
  - dllhost.exe (PID: 8544)
  - VC_redist.x86.exe (PID: 1676)
  - VC_redist.x86.exe (PID: 5520)
- Possible stealing from password managers
  - eld1.exe (PID: 5752)
- Possible stealing of email data
  - eld1.exe (PID: 5752)
- Possible stealing of messenger data
  - eld1.exe (PID: 5752)
- Found IP address in command line
  - powershell.exe (PID: 8264)
- The process bypasses the loading of PowerShell profile settings
  - eld1.exe (PID: 5752)
- Probably download files using WebClient
  - eld1.exe (PID: 5752)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 8264)
- Starts POWERSHELL.EXE for commands execution
  - eld1.exe (PID: 5752)
  - eld3.exe (PID: 8652)
  - Droops.exe (PID: 8392)
- Process drops legitimate windows executable
  - eld2.tmp (PID: 1884)
  - vc_redist.x86.exe (PID: 1484)
  - vc_redist.x86.exe (PID: 5992)
  - VC_redist.x86.exe (PID: 3112)
  - msiexec.exe (PID: 2860)
  - VC_redist.x86.exe (PID: 5520)
  - Droops.exe (PID: 8392)
  - eld5.exe (PID: 6792)
  - msiexec.exe (PID: 4700)
  - msiexec.exe (PID: 2480)
- Starts a Microsoft application from unusual location
  - vc_redist.x86.exe (PID: 1484)
  - vc_redist.x86.exe (PID: 5992)
  - VC_redist.x86.exe (PID: 3112)
- Starts itself from another location
  - vc_redist.x86.exe (PID: 5992)
- Executes as Windows Service
  - VSSVC.exe (PID: 4472)
  - wscl.exe (PID: 4924)
- The process drops C-runtime libraries
  - msiexec.exe (PID: 2860)
- Application launched itself
  - VC_redist.x86.exe (PID: 5508)
  - VC_redist.x86.exe (PID: 1676)
- Script adds exclusion path to Windows Defender
  - eld3.exe (PID: 8652)
  - Droops.exe (PID: 8392)
- Possibly malicious use of IEX has been detected
  - powershell.exe (PID: 8264)
- Reads the date of Windows installation
  - SystemSettings.exe (PID: 7740)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - Droops.exe (PID: 8392)
- The process executes via Task Scheduler
  - Knit.exe (PID: 272)
  - yawk.exe (PID: 5216)
  - Knit.exe (PID: 5804)
  - yawk.exe (PID: 6928)
  - yawk.exe (PID: 8820)
- ADVANCEDINSTALLER mutex has been found
  - eld5.exe (PID: 6792)
- Checks for Java to be installed
  - msiexec.exe (PID: 4700)
  - msiexec.exe (PID: 2480)
- Runs shell command (SCRIPT)
  - msiexec.exe (PID: 2480)
- Uses TASKKILL.EXE to kill process
  - msiexec.exe (PID: 2480)
- Probably fake Windows Update file has been dropped
  - eld5.exe (PID: 6792)
  - msiexec.exe (PID: 2860)
- The process creates files with name similar to system file names
  - msiexec.exe (PID: 2860)
INFO
- Application launched itself
  - msedge.exe (PID: 7896)
- Reads Environment values
  - identity_helper.exe (PID: 6080)
  - eld5.exe (PID: 6792)
  - msiexec.exe (PID: 4700)
  - msiexec.exe (PID: 2480)
- Checks supported languages
  - identity_helper.exe (PID: 6080)
  - Aimware CS2.exe (PID: 3544)
  - Aimware CS2.tmp (PID: 3944)
  - Aimware CS2.exe (PID: 6580)
  - Aimware CS2.tmp (PID: 404)
  - eld1.exe (PID: 5752)
  - eld2.exe (PID: 1520)
  - vc_redist.x86.exe (PID: 1484)
  - vc_redist.x86.exe (PID: 5992)
  - eld2.tmp (PID: 1884)
  - VC_redist.x86.exe (PID: 3112)
  - msiexec.exe (PID: 2860)
  - VC_redist.x86.exe (PID: 5508)
  - VC_redist.x86.exe (PID: 1676)
  - VC_redist.x86.exe (PID: 5520)
  - eld3.exe (PID: 8652)
  - SystemSettings.exe (PID: 7740)
  - Droops.exe (PID: 8392)
  - eld4.exe (PID: 6904)
  - wscl.exe (PID: 4924)
  - Knit.exe (PID: 3192)
  - yawk.exe (PID: 2764)
  - narcissist.exe (PID: 468)
  - narcissist.exe (PID: 6224)
  - yawk.exe (PID: 5216)
  - eld5.exe (PID: 6792)
  - Knit.exe (PID: 272)
  - Knit.exe (PID: 8024)
  - narcissist.exe (PID: 3112)
  - Knit.exe (PID: 5804)
  - msiexec.exe (PID: 2480)
  - msiexec.exe (PID: 4700)
  - msiexec.exe (PID: 2360)
  - SecHealthUI.exe (PID: 1956)
  - yawk.exe (PID: 6928)
  - yawk.exe (PID: 8820)
- Drops script file
  - msedge.exe (PID: 8160)
  - powershell.exe (PID: 8264)
  - eld2.tmp (PID: 1884)
  - powershell.exe (PID: 3584)
  - powershell.exe (PID: 6036)
  - powershell.exe (PID: 8472)
  - powershell.exe (PID: 3112)
  - powershell.exe (PID: 4660)
  - powershell.exe (PID: 2944)
- Reads the computer name
  - identity_helper.exe (PID: 6080)
  - Aimware CS2.tmp (PID: 3944)
  - Aimware CS2.exe (PID: 6580)
  - Aimware CS2.tmp (PID: 404)
  - eld1.exe (PID: 5752)
  - eld2.exe (PID: 1520)
  - vc_redist.x86.exe (PID: 1484)
  - vc_redist.x86.exe (PID: 5992)
  - eld2.tmp (PID: 1884)
  - VC_redist.x86.exe (PID: 3112)
  - msiexec.exe (PID: 2860)
  - VC_redist.x86.exe (PID: 1676)
  - eld3.exe (PID: 8652)
  - VC_redist.x86.exe (PID: 5520)
  - SystemSettings.exe (PID: 7740)
  - eld4.exe (PID: 6904)
  - wscl.exe (PID: 4924)
  - Knit.exe (PID: 3192)
  - yawk.exe (PID: 2764)
  - Knit.exe (PID: 272)
  - Knit.exe (PID: 8024)
  - yawk.exe (PID: 5216)
  - eld5.exe (PID: 6792)
  - Knit.exe (PID: 5804)
  - msiexec.exe (PID: 4700)
  - msiexec.exe (PID: 2480)
  - msiexec.exe (PID: 2360)
  - yawk.exe (PID: 6928)
  - yawk.exe (PID: 8820)
  - SecHealthUI.exe (PID: 1956)
- Manual execution by a user
  - WinRAR.exe (PID: 7564)
  - Aimware CS2.exe (PID: 3544)
  - Taskmgr.exe (PID: 7940)
  - Taskmgr.exe (PID: 7656)
  - Taskmgr.exe (PID: 8648)
  - Taskmgr.exe (PID: 5780)
- The sample compiled with english language support
  - msedge.exe (PID: 7476)
  - WinRAR.exe (PID: 7564)
  - msedge.exe (PID: 7896)
  - eld2.tmp (PID: 1884)
  - vc_redist.x86.exe (PID: 1484)
  - vc_redist.x86.exe (PID: 5992)
  - VC_redist.x86.exe (PID: 3112)
  - VC_redist.x86.exe (PID: 1676)
  - msiexec.exe (PID: 2860)
  - VC_redist.x86.exe (PID: 5520)
  - eld3.exe (PID: 8652)
  - Aimware CS2.tmp (PID: 404)
  - Droops.exe (PID: 8392)
  - eld4.exe (PID: 6904)
  - eld5.exe (PID: 6792)
  - msiexec.exe (PID: 4700)
  - msiexec.exe (PID: 2480)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7564)
  - msiexec.exe (PID: 2860)
  - msiexec.exe (PID: 4700)
  - msiexec.exe (PID: 2480)
- Launching a file from the Downloads directory
  - msedge.exe (PID: 7896)
- Create files in a temporary directory
  - Aimware CS2.exe (PID: 3544)
  - Aimware CS2.tmp (PID: 404)
  - Aimware CS2.exe (PID: 6580)
  - eld2.exe (PID: 1520)
  - eld2.tmp (PID: 1884)
  - vc_redist.x86.exe (PID: 5992)
  - VC_redist.x86.exe (PID: 3112)
  - VC_redist.x86.exe (PID: 1676)
  - eld3.exe (PID: 8652)
  - Droops.exe (PID: 8392)
  - eld4.exe (PID: 6904)
  - narcissist.exe (PID: 6224)
  - narcissist.exe (PID: 468)
  - narcissist.exe (PID: 3112)
  - eld5.exe (PID: 6792)
  - msiexec.exe (PID: 4700)
  - msiexec.exe (PID: 2480)
- Reads security settings of Internet Explorer
  - Aimware CS2.tmp (PID: 3944)
  - Taskmgr.exe (PID: 7656)
  - Taskmgr.exe (PID: 5780)
  - vc_redist.x86.exe (PID: 5992)
  - VC_redist.x86.exe (PID: 1676)
  - eld3.exe (PID: 8652)
  - eld4.exe (PID: 6904)
  - eld5.exe (PID: 6792)
  - msiexec.exe (PID: 2480)
  - SecHealthUI.exe (PID: 1956)
- Process checks computer location settings
  - Aimware CS2.tmp (PID: 3944)
  - vc_redist.x86.exe (PID: 5992)
  - VC_redist.x86.exe (PID: 1676)
  - msiexec.exe (PID: 2480)
- Checks proxy server information
  - slui.exe (PID: 2688)
  - Aimware CS2.tmp (PID: 404)
  - powershell.exe (PID: 8264)
  - eld3.exe (PID: 8652)
  - eld5.exe (PID: 6792)
  - msiexec.exe (PID: 2480)
- Compiled with Borland Delphi (YARA)
  - Aimware CS2.exe (PID: 3544)
  - eld1.exe (PID: 5752)
  - Aimware CS2.tmp (PID: 404)
  - Aimware CS2.exe (PID: 6580)
  - Aimware CS2.tmp (PID: 3944)
- Detects InnoSetup installer (YARA)
  - Aimware CS2.exe (PID: 3544)
  - Aimware CS2.tmp (PID: 3944)
  - eld1.exe (PID: 5752)
  - Aimware CS2.exe (PID: 6580)
  - Aimware CS2.tmp (PID: 404)
- Reads the machine GUID from the registry
  - eld1.exe (PID: 5752)
  - VC_redist.x86.exe (PID: 3112)
  - msiexec.exe (PID: 2860)
  - SystemSettings.exe (PID: 7740)
  - Knit.exe (PID: 3192)
  - eld5.exe (PID: 6792)
  - msiexec.exe (PID: 2480)
- Disables trace logs
  - powershell.exe (PID: 8264)
- Creates files in the program directory
  - eld2.tmp (PID: 1884)
  - VC_redist.x86.exe (PID: 3112)
  - Droops.exe (PID: 8392)
  - Aimware CS2.tmp (PID: 404)
  - yawk.exe (PID: 2764)
  - SystemSettings.exe (PID: 7740)
- Manages system restore points
  - SrTasks.exe (PID: 5012)
- Creates a software uninstall entry
  - VC_redist.x86.exe (PID: 3112)
  - msiexec.exe (PID: 2860)
  - Aimware CS2.tmp (PID: 404)
- Launching a file from a Registry key
  - VC_redist.x86.exe (PID: 3112)
- Creates files or folders in the user directory
  - msiexec.exe (PID: 2860)
  - eld2.tmp (PID: 1884)
  - eld3.exe (PID: 8652)
  - SystemSettings.exe (PID: 7740)
  - Droops.exe (PID: 8392)
  - eld5.exe (PID: 6792)
  - msiexec.exe (PID: 2480)
- Creating file in SysWOW64
  - msiexec.exe (PID: 2860)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 8264)
  - powershell.exe (PID: 6036)
  - powershell.exe (PID: 3584)
  - powershell.exe (PID: 4660)
  - powershell.exe (PID: 8472)
  - powershell.exe (PID: 3112)
  - powershell.exe (PID: 2944)
- Failed to connect to remote server (POWERSHELL)
  - powershell.exe (PID: 8264)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 6036)
  - powershell.exe (PID: 3584)
  - powershell.exe (PID: 8472)
  - powershell.exe (PID: 3112)
  - powershell.exe (PID: 4660)
  - powershell.exe (PID: 2944)
- NirSoft software is detected
  - yawk.exe (PID: 2764)
  - yawk.exe (PID: 5216)
  - yawk.exe (PID: 6928)
  - yawk.exe (PID: 8820)
- Launching a file from the Startup directory
  - Droops.exe (PID: 8392)
- Reads Microsoft Office registry keys
  - msiexec.exe (PID: 4700)
  - msiexec.exe (PID: 2480)
- Reads CPU info
  - SystemSettings.exe (PID: 7740)
- Reads the time zone
  - SystemSettings.exe (PID: 7740)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

295

Monitored processes

113

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

272

"C:\Users\admin\AppData\Local\Knit.exe" "OsonahOsonatOsonatOsonapOsonasOsona:Osona/Osona/OsonawOsonawOsonawOsona.OsonagOsonaaOsonalOsonaaOsonaxOsonayOsonatOsonahOsonaeOsonarOsonaeOsona.OsonacOsonaoOsonamOsona/OsonacasahdapsjOsonamjepslatdrOsonacdejvaspiAOsonaIz5rYkr96cOsonaAeou564Ymmmwepequitugela"

C:\Users\admin\AppData\Local\Knit.exe

—

svchost.exe

User:

admin

Integrity Level:

HIGH

Description:

oyugo_5941

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\knit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

404

"C:\Users\admin\AppData\Local\Temp\is-271BKPLX55.tmp\Aimware CS2.tmp" /SL5="$70400,893440,893440,C:\Users\admin\Downloads\Aimware CS2\Aimware CS2.exe" /SPAWNWND=$C03D0 /FIRSTWND=$130274

C:\Users\admin\AppData\Local\Temp\is-271BKPLX55.tmp\Aimware CS2.tmp

Aimware CS2.exe

User:

admin

Company:

Integrity Level:

HIGH

Description:

Setup/Uninstall

Version:

51.1054.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-271bkplx55.tmp\aimware cs2.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

468

C:\Users\admin\AppData\Local\Temp\nstCEBA.tmp\narcissist.exe "C:\Users\admin\AppData\Local\Temp\nstCEBA.tmp\KnitL"

C:\Users\admin\AppData\Local\Temp\nstCEBA.tmp\narcissist.exe

Droops.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\nstceba.tmp\narcissist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

552

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

792

"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f

C:\Windows\SysWOW64\taskkill.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

128

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

1116

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=7232,i,906141049097859231,9022830928548166200,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=6084 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1432

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1484

"C:\Users\admin\AppData\Local\Temp\is-07L24KGT19.tmp\vc_redist.x86.exe" /install /quiet /norestart

C:\Users\admin\AppData\Local\Temp\is-07L24KGT19.tmp\vc_redist.x86.exe

eld2.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Visual C++ v14 Redistributable (x86) - 14.50.35710

Exit code:

Version:

14.50.35710.0

Modules

Images
c:\users\admin\appdata\local\temp\is-07l24kgt19.tmp\vc_redist.x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1520

"C:\Users\admin\AppData\Local\Temp\is-0WMKBLDB2V.tmp\eld2.exe" /VERYSILENT

C:\Users\admin\AppData\Local\Temp\is-0WMKBLDB2V.tmp\eld2.exe

Aimware CS2.tmp

User:

admin

Company:

Doc services Co.

Integrity Level:

HIGH

Description:

Docs Helper Setup

Exit code:

Version:

Modules

Images
c:\users\admin\appdata\local\temp\is-0wmkbldb2v.tmp\eld2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll

1676

"C:\ProgramData\Package Cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\VC_redist.x86.exe" -burn.filehandle.attached=536 -burn.filehandle.self=556 -uninstall -quiet -burn.related.upgrade -burn.ancestors={3fdfb881-a139-4811-9788-61520be14e1f} -burn.filehandle.self=980 -burn.embedded BurnPipe.{534544F1-1A32-4DD0-8CEA-B598BB7C95A8} {CEAE4D40-4EC8-4657-A4F4-E1E21C4A2D81} 3112

C:\ProgramData\Package Cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\VC_redist.x86.exe

VC_redist.x86.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532

Exit code:

Version:

14.36.32532.0

Modules

Images
c:\programdata\package cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\vc_redist.x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

81 061

Read events

79 940

Write events

806

Delete events

315

Modification events


(PID) Process:	(7564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	15
Value:
(PID) Process:	(7564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	14
Value:
(PID) Process:	(7564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	13
Value:
(PID) Process:	(7564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	12
Value:
(PID) Process:	(7564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	11
Value:
(PID) Process:	(7564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	10
Value:

Add for printing

Executable files

144

Suspicious files

161

Text files

507

Unknown types

Dropped files

PID	Process	Filename		Type
7896	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF1e55a0.TMP		—
		MD5:—	SHA256:—
7896	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old		—
		MD5:—	SHA256:—
7896	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1e55bf.TMP		—
		MD5:—	SHA256:—
7896	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1e55bf.TMP		—
		MD5:—	SHA256:—
7896	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1e55bf.TMP		—
		MD5:—	SHA256:—
7896	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
7896	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
7896	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
7896	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF1e55bf.TMP		—
		MD5:—	SHA256:—
7896	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

204

TCP/UDP connections

139

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7476	msedge.exe	GET	302	194.54.164.123:443	https://trickflag.info/pc.php?code=vad&q=Aimware%20CS2&source=22&s1=145658&s2=&s3=&s4=&s5=download-button-vad&click_id=MjJ8MTQ1NjU4fDB8V2luZG93c18xMHxGaXJlZm94fGF0dGhlbGFrZS5pbmZvfGFpbXdhcmVHaXR8MmEwMjoyZjA3OjQ3MDg6NGMwMDo5NDY0OjM4OWM6NTYxOmRjMmQ=&dt=1771109170&p=&tp2=&tpr=	SE	—	—	unknown
7476	msedge.exe	OPTIONS	200	35.190.80.1:443	https://a.nel.cloudflare.com/report/v4?s=sEMlCZ4gk9sASvGU5atSq%2Fo8put9JnQQ73q%2F%2FoVYADJa%2BmLUg8V3BZLAu8zVmCtqOvtIl1Gyd8fuV3XB2krCdMnSNShAafCpNhpfQvXqUxRKQheHNw4%3D	US	—	—	unknown
—	—	GET	200	23.63.118.230:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D	US	binary	313 b	whitelisted
—	—	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D	US	binary	959 b	whitelisted
7476	msedge.exe	GET	200	150.171.22.17:443	https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=66&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1766135237&lafgdate=0	US	text	4.47 Kb	whitelisted
7476	msedge.exe	GET	304	150.171.27.11:443	https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist	US	—	—	whitelisted
7476	msedge.exe	GET	200	150.171.27.11:80	http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:b_NNFQ5HKqWZWbG5ud7-_Z8EStzVXW-tGnXUT_oo8KM&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	US	text	101 b	whitelisted
7476	msedge.exe	GET	304	16.15.202.242:443	https://makfile.s3.us-east-1.amazonaws.com/6990fb42b70aa/Aimware%20CS2.html	US	—	—	unknown
7476	msedge.exe	GET	200	150.171.27.11:443	https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0	US	—	446 b	whitelisted
7476	msedge.exe	GET	200	104.18.22.222:443	https://copilot.microsoft.com/c/api/user/eligibility	US	text	25 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
8124	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5660	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	2.16.204.148:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
—	—	23.63.118.230:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
—	—	204.79.197.203:80	oneocsp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
7476	msedge.exe	150.171.22.17:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146 4.231.128.59	whitelisted
self.events.data.microsoft.com	104.208.16.88 13.89.179.9	whitelisted
www.bing.com	2.16.204.148 2.16.204.155 2.16.204.135 2.16.204.160 2.16.204.158 2.16.204.141 2.16.204.138 2.16.204.134 2.16.204.161 2.16.241.218 2.16.241.201	whitelisted
ocsp.digicert.com	23.63.118.230 184.30.131.245	whitelisted
google.com	142.251.208.174	whitelisted
oneocsp.microsoft.com	204.79.197.203	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
edge.microsoft.com	150.171.27.11 150.171.28.11	whitelisted
config.edge.skype.com	150.171.22.17	whitelisted
trickflag.info	194.54.164.123	unknown

Threats

PID	Process	Class	Message
7476	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] BootstrapCDN (stackpath .bootstrapcdn .com)
7476	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] BootstrapCDN (stackpath .bootstrapcdn .com)
7476	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
7476	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
7476	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
7476	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
6768	MoUsoCoreWorker.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
404	Aimware CS2.tmp	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] InnoSetup Installer
404	Aimware CS2.tmp	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] InnoSetup Installer
404	Aimware CS2.tmp	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] InnoSetup Installer

Add for printing

Process	Message
Knit.exe	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

https://trickflag.info/pc.php?code=vad&q=Aimware%20CS2&source=22&s1=145658&s2=&s3=&s4=&s5=download-button-vad&click_id=MjJ8MTQ1NjU4fDB8V2luZG93c18xMHxGaXJlZm94fGF0dGhlbGFrZS5pbmZvfGFpbXdhcmVHaXR8MmEwMjoyZjA3OjQ3MDg6NGMwMDo5NDY0OjM4OWM6NTYxOmRjMmQ=&dt=1771109170&p=&tp2=&tpr=

EC2F4F61C4242CF29AC9EF636431C4CD

73F4885129D67DDF2A685C1F3FD48487C7105F03

32932513076B6545FAF1E0B1AD75451E9A9203D85C264BE3EF2957CC871745F1

6:2PXV7F2rX8XssFmu8CidqvNxjMlFTbfZur4hNaYaI:2PXlF4M8g04bAl1bhk4h7p

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

INNOSETUP has been detected (SURICATA)

Executing a file with an untrusted certificate

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Changes powershell execution policy (Bypass)

OFFLOADER has been found (auto)

Changes the autorun value in the registry

Adds path to the Windows Defender exclusion list

Changes Windows Defender settings

GENERIC has been found (auto)

Creates scheduled task from XML file

Uses Task Scheduler to run other applications

Create files in the Startup directory

Creates a new scheduled task via Registry

ADVANCEDINSTALLER has been detected (SURICATA)

ADWARE has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

Access to an unwanted program domain was detected

Possible stealing from browsers

Possible stealing from crypto wallets

Searches for installed software

Possible stealing from password managers

Possible stealing of email data

Possible stealing of messenger data

Found IP address in command line

The process bypasses the loading of PowerShell profile settings

Probably download files using WebClient

Bypass execution policy to execute commands

Starts POWERSHELL.EXE for commands execution

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Starts itself from another location

Executes as Windows Service

The process drops C-runtime libraries

Application launched itself

Script adds exclusion path to Windows Defender

Possibly malicious use of IEX has been detected

Reads the date of Windows installation

Uses NETSH.EXE to add a firewall rule or allowed programs

The process executes via Task Scheduler

ADVANCEDINSTALLER mutex has been found

Checks for Java to be installed

Runs shell command (SCRIPT)

Uses TASKKILL.EXE to kill process

Probably fake Windows Update file has been dropped

The process creates files with name similar to system file names

INFO

Application launched itself

Reads Environment values

Checks supported languages

Drops script file

Reads the computer name

Manual execution by a user

The sample compiled with english language support

Executable content was dropped or overwritten

Launching a file from the Downloads directory

Create files in a temporary directory

Reads security settings of Internet Explorer

Process checks computer location settings

Checks proxy server information

Compiled with Borland Delphi (YARA)

Detects InnoSetup installer (YARA)

Reads the machine GUID from the registry

Disables trace logs

Creates files in the program directory

Manages system restore points