Malware analysis bomb.exe Malicious activity | ANY.RUN

Add for printing

File name:	bomb.exe
Full analysis:	https://app.any.run/tasks/71c4b0fa-5ddb-4957-bc06-6fe2309216b0
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. Agent Tesla ist eine Spyware, die Informationen über die Aktionen ihrer Opfer sammelt, indem sie Tastatureingaben und Benutzerinteraktionen aufzeichnet. Sie wird auf der speziellen Website, auf der diese Malware verkauft wird, fälschlicherweise als legitime Software vermarktet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	February 07, 2024, 18:07:44
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	loader opendir stealer redline phorpiex trojan agenttesla
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	55DBA6E7AA4E8CC73415F4E3F9F6BDAE
SHA1:	87C9F29D58F57A5E025061D389BE2655EE879D5D
SHA256:	3CEA805F1396DF15BDBCD4317388A046A41A6079DBA04576A58BA7B2C812338A
SSDEEP:	192:HLmmmmlmtYz0wZick7pDMj4GbCrMz+MCZLa7HhdSbwxz1OLU87glpp/bI6J4yfm4:pmi7k7pMiLLaLhM6OLU870NJqoI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - bomb.exe (PID: 1504)
  - http185.215.113.66pei.exe.exe (PID: 3136)
  - http185.215.113.66newtpp.exe.exe (PID: 2528)
  - http91.215.85.223net.exe.exe (PID: 2860)
  - BBLb.exe (PID: 2096)
  - 2918823158.exe (PID: 3396)
  - httpsreceitasdepascoa.comEarco8.exe.exe (PID: 2916)
  - http194.87.93.199booking.exe.exe (PID: 2876)
  - cs2.exe (PID: 3140)
- Steals credentials from Web Browsers
  - httpsvauxhall.toppagespersistencezx.scr.exe (PID: 2612)
  - httpsvauxhall.toppagesplugmanzx.scr.exe (PID: 3320)
  - httpsreceitasdepascoa.comEarco8.exe.exe (PID: 2916)
- Actions looks like stealing of personal data
  - httpsvauxhall.toppagesplugmanzx.scr.exe (PID: 3320)
  - httpsvauxhall.toppagespersistencezx.scr.exe (PID: 2612)
  - httpsreceitasdepascoa.comEarco8.exe.exe (PID: 2916)
- PHORPIEX has been detected (SURICATA)
  - http185.215.113.66newtpp.exe.exe (PID: 2528)
  - bomb.exe (PID: 1504)
- REDLINE has been detected (SURICATA)
  - httpsreceitasdepascoa.comEarco8.exe.exe (PID: 2916)
- Connects to the CnC server
  - http185.215.113.66newtpp.exe.exe (PID: 2528)
- Run PowerShell with an invisible window
  - powershell.exe (PID: 3760)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 3760)
- Create files in the Startup directory
  - httpsreceitasdepascoa.comEarco8.exe.exe (PID: 2916)
- Uses sleep, probably for evasion detection (SCRIPT)
  - wscript.exe (PID: 3832)
- AGENTTESLA has been detected (YARA)
  - httpsvauxhall.toppagespersistencezx.scr.exe (PID: 2612)
SUSPICIOUS
- Reads settings of System Certificates
  - bomb.exe (PID: 1504)
  - httpsvauxhall.toppagesplugmanzx.scr.exe (PID: 3320)
  - httpsvauxhall.toppagespersistencezx.scr.exe (PID: 2612)
- Reads the Internet Settings
  - bomb.exe (PID: 1504)
  - http185.215.113.66pei.exe.exe (PID: 3136)
  - httpsvauxhall.toppagesplugmanzx.scr.exe (PID: 3320)
  - httpsvauxhall.toppagespersistencezx.scr.exe (PID: 2612)
  - http185.215.113.66newtpp.exe.exe (PID: 2528)
  - http91.215.85.223net.exe.exe (PID: 2860)
  - BBLb.exe (PID: 2908)
  - http192.3.176.1429989conhost.exe.exe (PID: 3300)
  - powershell.exe (PID: 3760)
  - 2918823158.exe (PID: 3396)
  - httpsreceitasdepascoa.comEarco8.exe.exe (PID: 2916)
  - http194.87.93.199booking.exe.exe (PID: 2876)
  - wscript.exe (PID: 3832)
- Executable content was dropped or overwritten
  - bomb.exe (PID: 1504)
  - http185.215.113.66pei.exe.exe (PID: 3136)
  - http185.215.113.66newtpp.exe.exe (PID: 2528)
  - http91.215.85.223net.exe.exe (PID: 2860)
  - BBLb.exe (PID: 2096)
  - 2918823158.exe (PID: 3396)
  - httpsreceitasdepascoa.comEarco8.exe.exe (PID: 2916)
  - http194.87.93.199booking.exe.exe (PID: 2876)
  - cs2.exe (PID: 3140)
- Process requests binary or script from the Internet
  - bomb.exe (PID: 1504)
  - http185.215.113.66pei.exe.exe (PID: 3136)
- Connects to the server without a host name
  - bomb.exe (PID: 1504)
  - http185.215.113.66newtpp.exe.exe (PID: 2528)
  - 2918823158.exe (PID: 3396)
- Application launched itself
  - httpsvauxhall.toppagesplugmanzx.scr.exe (PID: 3356)
  - httpsvauxhall.toppagespersistencezx.scr.exe (PID: 3580)
  - http91.215.85.223net.exe.exe (PID: 2860)
  - BBLb.exe (PID: 4004)
  - BBLb.exe (PID: 2728)
  - http91.215.85.223ghjk.exe.exe (PID: 3904)
  - http91.215.85.223zxcvb.exe.exe (PID: 3584)
  - http91.215.85.223native.exe.exe (PID: 2420)
  - http91.215.85.223asdf.EXE.exe (PID: 1496)
  - http91.215.85.223ghjkl.exe.exe (PID: 568)
  - http91.215.85.223asdfg.exe.exe (PID: 2868)
  - AttributeString.exe (PID: 3136)
  - MSBuild.exe (PID: 3560)
- The process creates files with name similar to system file names
  - bomb.exe (PID: 1504)
- Accesses Microsoft Outlook profiles
  - httpsvauxhall.toppagesplugmanzx.scr.exe (PID: 3320)
  - httpsvauxhall.toppagespersistencezx.scr.exe (PID: 2612)
- Searches for installed software
  - httpsreceitasdepascoa.comEarco8.exe.exe (PID: 2916)
- Reads browser cookies
  - httpsreceitasdepascoa.comEarco8.exe.exe (PID: 2916)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - httpsvauxhall.toppagespersistencezx.scr.exe (PID: 2612)
- Connects to SMTP port
  - httpsvauxhall.toppagesplugmanzx.scr.exe (PID: 3320)
- Connects to unusual port
  - httpsreceitasdepascoa.comEarco8.exe.exe (PID: 2916)
  - http185.215.113.66newtpp.exe.exe (PID: 2528)
  - http193.233.132.73uvsrvnerosvedbss_conn_service.exe.exe (PID: 3636)
- Starts CMD.EXE for commands execution
  - BBLb.exe (PID: 2908)
  - wscript.exe (PID: 3832)
- The executable file from the user directory is run by the CMD process
  - BBLb.exe (PID: 2728)
  - cs2.exe (PID: 3140)
- The process checks if it is being run in the virtual environment
  - dialer.exe (PID: 1560)
- The process executes via Task Scheduler
  - powershell.exe (PID: 3760)
  - AttributeString.exe (PID: 3136)
- Using PowerShell to operate with local accounts
  - powershell.exe (PID: 3760)
- Reads the BIOS version
  - http109.107.182.38mazdarega.exe.exe (PID: 552)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 3832)
- Executing commands from a ".bat" file
  - wscript.exe (PID: 3832)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 1432)
INFO
- Create files in a temporary directory
  - bomb.exe (PID: 1504)
  - http185.215.113.66pei.exe.exe (PID: 3136)
  - http91.215.85.223net.exe.exe (PID: 2860)
  - http185.215.113.66newtpp.exe.exe (PID: 2528)
- Reads Environment values
  - bomb.exe (PID: 1504)
  - httpsvauxhall.toppagesplugmanzx.scr.exe (PID: 3320)
  - httpsvauxhall.toppagespersistencezx.scr.exe (PID: 2612)
  - httpsreceitasdepascoa.comEarco8.exe.exe (PID: 2916)
  - cs2.exe (PID: 3140)
- Reads the computer name
  - bomb.exe (PID: 1504)
  - http185.215.113.66pei.exe.exe (PID: 3136)
  - httpsvauxhall.toppagespersistencezx.scr.exe (PID: 3580)
  - httpsvauxhall.toppagesplugmanzx.scr.exe (PID: 3356)
  - httpsvauxhall.toppagespersistencezx.scr.exe (PID: 2612)
  - httpsvauxhall.toppagesplugmanzx.scr.exe (PID: 3320)
  - httpsreceitasdepascoa.comEarco8.exe.exe (PID: 2916)
  - http192.3.176.1429989conhost.exe.exe (PID: 3300)
  - http91.215.85.223net.exe.exe (PID: 2860)
  - http185.215.113.66newtpp.exe.exe (PID: 2528)
  - BBLb.exe (PID: 4004)
  - BBLb.exe (PID: 2908)
  - BBLb.exe (PID: 2728)
  - BBLb.exe (PID: 2096)
  - http91.215.85.223zxcvb.exe.exe (PID: 3584)
  - http91.215.85.223ghjk.exe.exe (PID: 3904)
  - httpssecret-s1.rufiles20a6e2ae.exe.exe (PID: 3092)
  - http91.215.85.223asdf.EXE.exe (PID: 1496)
  - 2918823158.exe (PID: 3396)
  - httpsecret-s1.rufiles1a3aab71.exe.exe (PID: 3940)
  - http91.215.85.223native.exe.exe (PID: 2420)
  - qemu-ga.exe (PID: 3848)
  - httpssecret-s1.rufiles115485c9.exe.exe (PID: 1592)
  - http91.215.85.223ghjkl.exe.exe (PID: 568)
  - httpssecret-s1.rufiles36056768.exe.exe (PID: 2000)
  - http194.87.93.199booking.exe.exe (PID: 2876)
  - http91.215.85.223asdfg.exe.exe (PID: 2868)
  - cs2.exe (PID: 3140)
  - AttributeString.exe (PID: 3136)
  - http193.233.132.73uvsrvnerosvedbss_conn_service.exe.exe (PID: 3636)
  - MSBuild.exe (PID: 3560)
  - AttributeString.exe (PID: 3952)
  - MSBuild.exe (PID: 2564)
- Checks supported languages
  - bomb.exe (PID: 1504)
  - http185.215.113.66pei.exe.exe (PID: 3136)
  - http185.215.113.66newtpp.exe.exe (PID: 2528)
  - httpsvauxhall.toppagespersistencezx.scr.exe (PID: 3580)
  - httpsvauxhall.toppagesplugmanzx.scr.exe (PID: 3356)
  - httpsvauxhall.toppagespersistencezx.scr.exe (PID: 2612)
  - httpsvauxhall.toppagesplugmanzx.scr.exe (PID: 3320)
  - httpsreceitasdepascoa.comBrobite.exe.exe (PID: 3824)
  - httpsreceitasdepascoa.comEarco8.exe.exe (PID: 2916)
  - 251399556.exe (PID: 3740)
  - http192.3.176.1429989conhost.exe.exe (PID: 3300)
  - http91.215.85.223net.exe.exe (PID: 2860)
  - BBLb.exe (PID: 4004)
  - http91.215.85.223net.exe.exe (PID: 3996)
  - BBLb.exe (PID: 2908)
  - 319392246.exe (PID: 3516)
  - BBLb.exe (PID: 2728)
  - BBLb.exe (PID: 2096)
  - 1640625667.exe (PID: 1728)
  - http91.215.85.223zxcvb.exe.exe (PID: 3584)
  - http91.215.85.223zxcvb.exe.exe (PID: 3728)
  - http91.215.85.223ghjk.exe.exe (PID: 3904)
  - http91.215.85.223ghjk.exe.exe (PID: 3436)
  - 2918823158.exe (PID: 3396)
  - httpssecret-s1.rufiles20a6e2ae.exe.exe (PID: 3092)
  - RegAsm.exe (PID: 2044)
  - httpsecret-s1.rufiles1a3aab71.exe.exe (PID: 3940)
  - http193.233.132.73uvsrvnerosvedbss_conn_service.exe.exe (PID: 3636)
  - http91.215.85.223asdf.EXE.exe (PID: 1496)
  - http91.215.85.223native.exe.exe (PID: 2644)
  - http91.215.85.223native.exe.exe (PID: 2420)
  - RegAsm.exe (PID: 2648)
  - qemu-ga.exe (PID: 3848)
  - http91.215.85.223ghjkl.exe.exe (PID: 568)
  - RegAsm.exe (PID: 2660)
  - http91.215.85.223ghjkl.exe.exe (PID: 712)
  - RegAsm.exe (PID: 2384)
  - httpssecret-s1.rufiles115485c9.exe.exe (PID: 1592)
  - httpssecret-s1.rufiles36056768.exe.exe (PID: 2000)
  - http91.215.85.223asdfg.exe.exe (PID: 2868)
  - http91.215.85.223asdfg.exe.exe (PID: 3268)
  - http109.107.182.38mazdarega.exe.exe (PID: 552)
  - http194.87.93.199booking.exe.exe (PID: 2876)
  - AttributeString.exe (PID: 3136)
  - cs2.exe (PID: 3140)
  - MSBuild.exe (PID: 3560)
  - MSBuild.exe (PID: 2564)
  - AttributeString.exe (PID: 3952)
  - http91.215.85.223asdf.EXE.exe (PID: 1976)
- Reads the machine GUID from the registry
  - bomb.exe (PID: 1504)
  - http185.215.113.66pei.exe.exe (PID: 3136)
  - httpsvauxhall.toppagespersistencezx.scr.exe (PID: 3580)
  - httpsvauxhall.toppagesplugmanzx.scr.exe (PID: 3356)
  - httpsvauxhall.toppagespersistencezx.scr.exe (PID: 2612)
  - httpsvauxhall.toppagesplugmanzx.scr.exe (PID: 3320)
  - httpsreceitasdepascoa.comEarco8.exe.exe (PID: 2916)
  - http192.3.176.1429989conhost.exe.exe (PID: 3300)
  - http185.215.113.66newtpp.exe.exe (PID: 2528)
  - http91.215.85.223net.exe.exe (PID: 2860)
  - BBLb.exe (PID: 2908)
  - BBLb.exe (PID: 4004)
  - BBLb.exe (PID: 2728)
  - BBLb.exe (PID: 2096)
  - http91.215.85.223zxcvb.exe.exe (PID: 3584)
  - http91.215.85.223ghjk.exe.exe (PID: 3904)
  - 2918823158.exe (PID: 3396)
  - http91.215.85.223native.exe.exe (PID: 2420)
  - http91.215.85.223asdf.EXE.exe (PID: 1496)
  - http91.215.85.223ghjkl.exe.exe (PID: 568)
  - http91.215.85.223asdfg.exe.exe (PID: 2868)
  - cs2.exe (PID: 3140)
  - AttributeString.exe (PID: 3136)
  - http193.233.132.73uvsrvnerosvedbss_conn_service.exe.exe (PID: 3636)
  - MSBuild.exe (PID: 3560)
  - AttributeString.exe (PID: 3952)
- Checks proxy server information
  - http185.215.113.66pei.exe.exe (PID: 3136)
  - http185.215.113.66newtpp.exe.exe (PID: 2528)
  - 2918823158.exe (PID: 3396)
- Creates files or folders in the user directory
  - http185.215.113.66pei.exe.exe (PID: 3136)
  - http185.215.113.66newtpp.exe.exe (PID: 2528)
  - BBLb.exe (PID: 2096)
  - httpsreceitasdepascoa.comEarco8.exe.exe (PID: 2916)
  - http194.87.93.199booking.exe.exe (PID: 2876)
- Reads product name
  - httpsreceitasdepascoa.comEarco8.exe.exe (PID: 2916)
  - cs2.exe (PID: 3140)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2048:07:19 21:03:26+02:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	9728
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x457a
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	-
FileVersion:	1.0.0.0
InternalName:	bomb.exe
LegalCopyright:	-
LegalTrademarks:	-
OriginalFileName:	bomb.exe
ProductName:	-
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

129

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

552

"C:\Users\admin\Desktop\http109.107.182.38mazdarega.exe.exe"

C:\Users\admin\Desktop\http109.107.182.38mazdarega.exe.exe

bomb.exe

User:

admin

Integrity Level:

MEDIUM

Description:

HeidiSQL 12.6.0.6783 32 Bit

Exit code:

Version:

12.6.0.6783

Modules

Images
c:\users\admin\desktop\http109.107.182.38mazdarega.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

568

"C:\Users\admin\Desktop\http91.215.85.223ghjkl.exe.exe"

C:\Users\admin\Desktop\http91.215.85.223ghjkl.exe.exe

—

bomb.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\http91.215.85.223ghjkl.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

712

C:\Users\admin\Desktop\http91.215.85.223ghjkl.exe.exe

http91.215.85.223ghjkl.exe.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221225477

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\http91.215.85.223ghjkl.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll

1112

"C:\Windows\System32\cmd.exe" /k START "" "C:\Users\admin\AppData\Local\Temp\BBLb.exe" & EXIT

C:\Windows\System32\cmd.exe

BBLb.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1432

C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\cs2\mUIe5kBMcLtyyRfVNE6smXkJvw6d4pdtgx5QPUAHzK9h0eXdEXMeamhYXU.bat" "

C:\Windows\System32\cmd.exe

—

wscript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1496

"C:\Users\admin\Desktop\http91.215.85.223asdf.EXE.exe"

C:\Users\admin\Desktop\http91.215.85.223asdf.EXE.exe

—

bomb.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\http91.215.85.223asdf.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1504

"C:\Users\admin\Desktop\bomb.exe"

C:\Users\admin\Desktop\bomb.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\bomb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1560

"C:\Windows\system32\dialer.exe"

C:\Windows\System32\dialer.exe

http91.215.85.223net.exe.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Windows Phone Dialer

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\dialer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

1592

"C:\Users\admin\Desktop\httpssecret-s1.rufiles115485c9.exe.exe"

C:\Users\admin\Desktop\httpssecret-s1.rufiles115485c9.exe.exe

—

bomb.exe

User:

admin

Company:

AppGenius

Integrity Level:

MEDIUM

Description:

Huzzah Rigidly Software

Exit code:

Version:

1.0.0.3

Modules

Images
c:\users\admin\desktop\httpssecret-s1.rufiles115485c9.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1728

C:\Users\admin\AppData\Local\Temp\1640625667.exe

—

http185.215.113.66newtpp.exe.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\1640625667.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

25 480

Read events

25 234

Write events

246

Delete events

Modification events


(PID) Process:	(1504) bomb.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(1504) bomb.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1504) bomb.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1504) bomb.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1504) bomb.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(3136) http185.215.113.66pei.exe.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(3136) http185.215.113.66pei.exe.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3136) http185.215.113.66pei.exe.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(3136) http185.215.113.66pei.exe.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(3136) http185.215.113.66pei.exe.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1504	bomb.exe	C:\Users\admin\Desktop\http185.215.113.66pei.exe.exe		executable
		MD5:62B97CF4C0ABAFEDA36E3FC101A5A022	SHA256:E172537ADCEE1FCDC8F16C23E43A5AC82C56A0347FA0197C08BE979438A534AB
1504	bomb.exe	C:\Users\admin\AppData\Local\Temp\Cab5F5B.tmp		compressed
		MD5:AC05D27423A85ADC1622C714F2CB6184	SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
1504	bomb.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506		compressed
		MD5:AC05D27423A85ADC1622C714F2CB6184	SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
2792	ntvdm.exe	C:\Users\admin\AppData\Local\Temp\scs893A.tmp		text
		MD5:4C361DEA398F7AEEF49953BDC0AB4A9B	SHA256:06D61C23E6CA59B9DDAD1796ECCC42C032CD8F6F424AF6CFEE5D085D36FF7DFD
3136	http185.215.113.66pei.exe.exe	C:\Users\admin\AppData\Local\Temp\251399556.exe		executable
		MD5:BB3D7BD66C92454429A8C78BF64F977B	SHA256:94A66EEA65EDD08CA19BF6DB266058E81714312B6A51892298B461FFD8B90161
1504	bomb.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506		binary
		MD5:9621BFE5AF7F55BB1EC6651848DE3578	SHA256:4C40830173D3B513D77285F648EA98CD9CFE71C4CA2C11A6376C4A9780847C15
1504	bomb.exe	C:\Users\admin\Desktop\httpsvauxhall.toppagespersistencezx.scr.exe		executable
		MD5:D3F42BBFCE4403373A10572E542E1063	SHA256:FAE750F4A45D13BC3549BD6448957EB66AC39992BDE13DBEAD9B054A71001A65
1504	bomb.exe	C:\Users\admin\AppData\Local\Temp\Tar5F5C.tmp		binary
		MD5:9C0C641C06238516F27941AA1166D427	SHA256:4276AF3669A141A59388BC56A87F6614D9A9BDDDF560636C264219A7EB11256F
1504	bomb.exe	C:\Users\admin\Desktop\httpsvauxhall.toppagesplugmanzx.scr.exe		executable
		MD5:7A6FECBFE4387BC416938FB3D053DC2E	SHA256:4668272288037C99F4A25B5620E2DC1294A62FA8A490918AE851226F3F5EF579
3548	ntvdm.exe	C:\Users\admin\AppData\Local\Temp\scs6AF4.tmp		text
		MD5:4C361DEA398F7AEEF49953BDC0AB4A9B	SHA256:06D61C23E6CA59B9DDAD1796ECCC42C032CD8F6F424AF6CFEE5D085D36FF7DFD

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1504	bomb.exe	GET	200	185.215.113.66:80	http://185.215.113.66/pei.exe	unknown	executable	9.50 Kb	unknown
3136	http185.215.113.66pei.exe.exe	GET	200	185.215.113.84:80	http://twizt.net/newtpp.exe	unknown	executable	79.5 Kb	unknown
1504	bomb.exe	GET	200	185.215.113.66:80	http://185.215.113.66/newtpp.exe	unknown	executable	79.5 Kb	unknown
1504	bomb.exe	GET	200	173.222.108.200:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ab4180b5d892811c	unknown	compressed	65.2 Kb	unknown
1504	bomb.exe	GET	200	91.215.85.223:80	http://91.215.85.223/net.exe	unknown	executable	2.13 Mb	unknown
1504	bomb.exe	GET	200	192.3.176.142:80	http://192.3.176.142/9989/conhost.exe	unknown	executable	896 Kb	unknown
2528	http185.215.113.66newtpp.exe.exe	GET	—	185.215.113.66:80	http://185.215.113.66/1	unknown	—	—	unknown
1504	bomb.exe	GET	200	91.215.85.223:80	http://91.215.85.223/native.exe	unknown	executable	2.13 Mb	unknown
3136	http185.215.113.66pei.exe.exe	GET	200	185.215.113.84:80	http://twizt.net/peinstall.php	unknown	executable	79.5 Kb	unknown
1504	bomb.exe	GET	—	91.215.85.223:80	http://91.215.85.223/zxcvb.exe	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
1504	bomb.exe	151.101.2.49:443	urlhaus.abuse.ch	FASTLY	US	unknown
1504	bomb.exe	185.215.113.66:80	—	1337team Limited	SC	unknown
1504	bomb.exe	162.159.133.233:443	cdn.discordapp.com	CLOUDFLARENET	—	shared
1504	bomb.exe	144.76.136.153:443	transfer.sh	Hetzner Online GmbH	DE	unknown
1504	bomb.exe	154.7.253.53:443	receitasdepascoa.com	TIER-NET	US	unknown
1504	bomb.exe	173.222.108.200:80	ctldl.windowsupdate.com	Akamai International B.V.	CH	unknown
1504	bomb.exe	176.97.69.6:443	letransporter.com	M247 Ltd	AU	unknown

DNS requests

Domain	IP	Reputation
urlhaus.abuse.ch	151.101.2.49 151.101.66.49 151.101.130.49 151.101.194.49	whitelisted
cdn.discordapp.com	162.159.133.233 162.159.134.233 162.159.129.233 162.159.135.233 162.159.130.233	shared
orlandiarq.com	200.58.112.57	unknown
receitasdepascoa.com	154.7.253.53	unknown
transfer.sh	144.76.136.153	whitelisted
ctldl.windowsupdate.com	173.222.108.200 80.67.82.192 173.222.108.194 173.222.108.241 173.222.108.195 173.222.108.227 173.222.108.226 173.222.108.179 173.222.108.147	whitelisted
letransporter.com	176.97.69.6	unknown
vauxhall.top	188.114.96.3 188.114.97.3	unknown
twizt.net	185.215.113.84	unknown
mahta-netwotk.click	46.175.144.56	unknown

Threats

PID	Process	Class	Message
1080	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
1080	svchost.exe	Potentially Bad Traffic	ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
1080	svchost.exe	Misc activity	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)
1504	bomb.exe	Misc activity	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
1504	bomb.exe	Misc activity	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)
1504	bomb.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 22
1504	bomb.exe	Potential Corporate Privacy Violation	ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)
1504	bomb.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
1504	bomb.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
1504	bomb.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host

10 ETPRO signatures available at the full report

Add for printing

Process	Message
http109.107.182.38mazdarega.exe.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

bomb.exe

55DBA6E7AA4E8CC73415F4E3F9F6BDAE

87C9F29D58F57A5E025061D389BE2655EE879D5D

3CEA805F1396DF15BDBCD4317388A046A41A6079DBA04576A58BA7B2C812338A

192:HLmmmmlmtYz0wZick7pDMj4GbCrMz+MCZLa7HhdSbwxz1OLU87glpp/bI6J4yfm4:pmi7k7pMiLLaLhM6OLU870NJqoI

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Steals credentials from Web Browsers

Actions looks like stealing of personal data

PHORPIEX has been detected (SURICATA)

REDLINE has been detected (SURICATA)

Connects to the CnC server

Run PowerShell with an invisible window

Bypass execution policy to execute commands

Create files in the Startup directory

Uses sleep, probably for evasion detection (SCRIPT)

AGENTTESLA has been detected (YARA)

SUSPICIOUS

Reads settings of System Certificates

Reads the Internet Settings

Executable content was dropped or overwritten

Process requests binary or script from the Internet

Connects to the server without a host name

Application launched itself

The process creates files with name similar to system file names

Accesses Microsoft Outlook profiles

Searches for installed software

Reads browser cookies

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Connects to SMTP port

Connects to unusual port

Starts CMD.EXE for commands execution

The executable file from the user directory is run by the CMD process

The process checks if it is being run in the virtual environment

The process executes via Task Scheduler

Using PowerShell to operate with local accounts

Reads the BIOS version

Runs shell command (SCRIPT)

Executing commands from a ".bat" file

Uses REG/REGEDIT.EXE to modify registry

INFO

Create files in a temporary directory

Reads Environment values

Reads the computer name

Checks supported languages

Reads the machine GUID from the registry

Checks proxy server information

Creates files or folders in the user directory

Reads product name

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules