Malware analysis bomb.exe Malicious activity | ANY.RUN

Add for printing

File name:	bomb.exe
Full analysis:	https://app.any.run/tasks/99f8cef9-7e0e-4542-b65f-73be2df4e84b
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. Agent Tesla ist eine Spyware, die Informationen über die Aktionen ihrer Opfer sammelt, indem sie Tastatureingaben und Benutzerinteraktionen aufzeichnet. Sie wird auf der speziellen Website, auf der diese Malware verkauft wird, fälschlicherweise als legitime Software vermarktet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	February 20, 2024, 19:21:15
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	opendir loader phorpiex trojan kelihos stealer stealc nanocore rat remote risepro evasion agenttesla
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	55DBA6E7AA4E8CC73415F4E3F9F6BDAE
SHA1:	87C9F29D58F57A5E025061D389BE2655EE879D5D
SHA256:	3CEA805F1396DF15BDBCD4317388A046A41A6079DBA04576A58BA7B2C812338A
SSDEEP:	192:HLmmmmlmtYz0wZick7pDMj4GbCrMz+MCZLa7HhdSbwxz1OLU87glpp/bI6J4yfm4:pmi7k7pMiLLaLhM6OLU870NJqoI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - bomb.exe (PID: 4052)
  - http185.215.113.66newtpp.exe.exe (PID: 2892)
  - http185.215.113.66pei.exe.exe (PID: 3964)
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2480)
  - http185.172.128.109InstallSetupNew.exe.exe (PID: 3900)
  - http185.172.128.109InstallSetup_six.exe.exe (PID: 4072)
  - http45.144.232.181conhost.exe.exe (PID: 3632)
  - 468210291.exe (PID: 2960)
  - 230629444.exe (PID: 1852)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - FhrxRWmBqPUtAWZ2i1os.exe (PID: 5992)
  - http185.172.128.109InstallSetup3.exe.exe (PID: 292)
- Changes the autorun value in the registry
  - http185.215.113.66newtpp.exe.exe (PID: 2892)
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2480)
  - 468210291.exe (PID: 2960)
  - 230629444.exe (PID: 1852)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
- Changes Security Center notification settings
  - http185.215.113.66newtpp.exe.exe (PID: 2892)
  - 468210291.exe (PID: 2960)
- PHORPIEX has been detected (SURICATA)
  - bomb.exe (PID: 4052)
  - http185.215.113.66newtpp.exe.exe (PID: 2892)
  - 468210291.exe (PID: 2960)
- Connects to the CnC server
  - http185.215.113.66newtpp.exe.exe (PID: 2892)
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2480)
  - u30c.0.exe (PID: 2028)
  - u354.0.exe (PID: 1408)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - 468210291.exe (PID: 2960)
  - nsh2F58.tmp (PID: 6832)
- Actions looks like stealing of personal data
  - httpsmerckllc.toppageslegacyzx.exe.exe (PID: 920)
  - RegSvcs.exe (PID: 4560)
  - RegSvcs.exe (PID: 6960)
  - RegSvcs.exe (PID: 8008)
  - RegSvcs.exe (PID: 7620)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
- Steals credentials from Web Browsers
  - httpsmerckllc.toppageslegacyzx.exe.exe (PID: 920)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - RegSvcs.exe (PID: 4560)
  - RegSvcs.exe (PID: 6960)
  - RegSvcs.exe (PID: 8008)
  - RegSvcs.exe (PID: 7620)
- KELIHOS has been detected (SURICATA)
  - bomb.exe (PID: 4052)
- STEALC has been detected (SURICATA)
  - u354.0.exe (PID: 1408)
  - u30c.0.exe (PID: 2028)
  - nsh2F58.tmp (PID: 6832)
- NANOCORE has been detected (SURICATA)
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2480)
- NANOCORE has been detected (YARA)
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2480)
- Uses Task Scheduler to autorun other applications
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
- Steals credentials
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
- RISEPRO has been detected (SURICATA)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - Sm9IoqrusX_sqXySlHUL.exe (PID: 7148)
  - qJ5_pcw3gR_qjNC4lAml.exe (PID: 7336)
- AGENTTESLA has been detected (YARA)
  - httpsmerckllc.toppageslegacyzx.exe.exe (PID: 920)
  - RegSvcs.exe (PID: 4560)
  - RegSvcs.exe (PID: 8008)
- Create files in the Startup directory
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
- RISEPRO has been detected (YARA)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
SUSPICIOUS
- Reads settings of System Certificates
  - bomb.exe (PID: 4052)
  - httpsmerckllc.toppageslegacyzx.exe.exe (PID: 920)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - RegSvcs.exe (PID: 4560)
  - Sm9IoqrusX_sqXySlHUL.exe (PID: 7148)
  - qJ5_pcw3gR_qjNC4lAml.exe (PID: 7336)
  - http185.172.128.109InstallSetup3.exe.exe (PID: 292)
  - RegSvcs.exe (PID: 6960)
  - RegSvcs.exe (PID: 8008)
  - RegSvcs.exe (PID: 7620)
- Reads security settings of Internet Explorer
  - bomb.exe (PID: 4052)
  - http185.215.113.66pei.exe.exe (PID: 3964)
  - http185.215.113.66newtpp.exe.exe (PID: 2892)
  - u30c.0.exe (PID: 2028)
  - http185.172.128.109InstallSetup_six.exe.exe (PID: 4072)
  - http185.172.128.109InstallSetupNew.exe.exe (PID: 3900)
  - u354.0.exe (PID: 1408)
  - http45.144.232.181conhost.exe.exe (PID: 3632)
  - 230629444.exe (PID: 1852)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - CuNfylgNalAX7EHVWHu8.exe (PID: 1796)
  - hCbz_rkhHD8grJmG1Wxk.exe (PID: 6420)
  - http185.215.113.46costfu.exe.exe (PID: 5532)
  - http185.172.128.109InstallSetup3.exe.exe (PID: 292)
  - nsh2F58.tmp (PID: 6832)
- Reads the Internet Settings
  - bomb.exe (PID: 4052)
  - http185.215.113.66pei.exe.exe (PID: 3964)
  - http185.215.113.66newtpp.exe.exe (PID: 2892)
  - u30c.0.exe (PID: 2028)
  - http185.172.128.109InstallSetup_six.exe.exe (PID: 4072)
  - http185.172.128.109InstallSetupNew.exe.exe (PID: 3900)
  - u354.0.exe (PID: 1408)
  - http45.134.254.172HelloWorld.exe.exe (PID: 3420)
  - http45.144.232.181conhost.exe.exe (PID: 3632)
  - cmd.exe (PID: 3700)
  - 468210291.exe (PID: 2960)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - 230629444.exe (PID: 1852)
  - CuNfylgNalAX7EHVWHu8.exe (PID: 1796)
  - RegSvcs.exe (PID: 4560)
  - hCbz_rkhHD8grJmG1Wxk.exe (PID: 6420)
  - http185.215.113.46costfu.exe.exe (PID: 5532)
  - http185.172.128.109InstallSetup3.exe.exe (PID: 292)
  - nsh2F58.tmp (PID: 6832)
- Executable content was dropped or overwritten
  - bomb.exe (PID: 4052)
  - http185.215.113.66newtpp.exe.exe (PID: 2892)
  - http185.215.113.66pei.exe.exe (PID: 3964)
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2480)
  - http185.172.128.109InstallSetupNew.exe.exe (PID: 3900)
  - http185.172.128.109InstallSetup_six.exe.exe (PID: 4072)
  - http45.144.232.181conhost.exe.exe (PID: 3632)
  - 468210291.exe (PID: 2960)
  - 230629444.exe (PID: 1852)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - FhrxRWmBqPUtAWZ2i1os.exe (PID: 5992)
  - http185.172.128.109InstallSetup3.exe.exe (PID: 292)
- Process requests binary or script from the Internet
  - bomb.exe (PID: 4052)
  - http185.215.113.66pei.exe.exe (PID: 3964)
  - http185.172.128.109InstallSetupNew.exe.exe (PID: 3900)
  - http185.172.128.109InstallSetup_six.exe.exe (PID: 4072)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - http185.172.128.109InstallSetup3.exe.exe (PID: 292)
- Connects to the server without a host name
  - bomb.exe (PID: 4052)
  - http185.215.113.66newtpp.exe.exe (PID: 2892)
  - http185.172.128.109InstallSetupNew.exe.exe (PID: 3900)
  - http185.172.128.109InstallSetup_six.exe.exe (PID: 4072)
  - 230629444.exe (PID: 1852)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - http185.172.128.109InstallSetup3.exe.exe (PID: 292)
  - nsh2F58.tmp (PID: 6832)
- Connects to unusual port
  - http185.215.113.66newtpp.exe.exe (PID: 2892)
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2480)
  - http45.134.254.172HelloWorld.exe.exe (PID: 3420)
  - bomb.exe (PID: 4052)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - Sm9IoqrusX_sqXySlHUL.exe (PID: 7148)
  - qJ5_pcw3gR_qjNC4lAml.exe (PID: 7336)
  - 468210291.exe (PID: 2960)
- Application launched itself
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2404)
  - httpsmerckllc.toppageslegacyzx.exe.exe (PID: 2376)
- The process creates files with name similar to system file names
  - bomb.exe (PID: 4052)
- Accesses Microsoft Outlook profiles
  - httpsmerckllc.toppageslegacyzx.exe.exe (PID: 920)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - RegSvcs.exe (PID: 4560)
  - RegSvcs.exe (PID: 6960)
  - RegSvcs.exe (PID: 8008)
  - RegSvcs.exe (PID: 7620)
- Windows Defender mutex has been found
  - u30c.0.exe (PID: 2028)
  - u354.0.exe (PID: 1408)
  - nsh2F58.tmp (PID: 6832)
- Connects to SMTP port
  - httpsmerckllc.toppageslegacyzx.exe.exe (PID: 920)
  - RegSvcs.exe (PID: 4560)
  - RegSvcs.exe (PID: 6960)
  - RegSvcs.exe (PID: 8008)
  - RegSvcs.exe (PID: 7620)
- Drops 7-zip archiver for unpacking
  - http45.144.232.181conhost.exe.exe (PID: 3632)
- Executing commands from a ".bat" file
  - http45.144.232.181conhost.exe.exe (PID: 3632)
  - u30c.1.exe (PID: 1344)
  - u354.1.exe (PID: 996)
  - BroomSetup.exe (PID: 7364)
- Starts CMD.EXE for commands execution
  - http45.144.232.181conhost.exe.exe (PID: 3632)
  - u30c.1.exe (PID: 1344)
  - u354.1.exe (PID: 996)
  - BroomSetup.exe (PID: 7364)
- Uses ATTRIB.EXE to modify file attributes
  - cmd.exe (PID: 3700)
- Starts a Microsoft application from unusual location
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
- Process drops legitimate windows executable
  - bomb.exe (PID: 4052)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
- Reads the BIOS version
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - FhrxRWmBqPUtAWZ2i1os.exe (PID: 5992)
  - NwdWg5ByPM0EfEapgjWT.exe (PID: 2928)
  - qJ5_pcw3gR_qjNC4lAml.exe (PID: 7336)
  - http185.215.113.46costniks.exe.exe (PID: 8044)
- Adds/modifies Windows certificates
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - qJ5_pcw3gR_qjNC4lAml.exe (PID: 7336)
- Checks for external IP
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - Sm9IoqrusX_sqXySlHUL.exe (PID: 7148)
  - qJ5_pcw3gR_qjNC4lAml.exe (PID: 7336)
- Reads browser cookies
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
- Starts itself from another location
  - 468210291.exe (PID: 2960)
- Searches for installed software
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
- Starts application with an unusual extension
  - cmd.exe (PID: 7448)
  - cmd.exe (PID: 7540)
  - http185.172.128.109InstallSetup3.exe.exe (PID: 292)
  - cmd.exe (PID: 1932)
- Checks Windows Trust Settings
  - http185.172.128.109InstallSetup3.exe.exe (PID: 292)
INFO
- Checks supported languages
  - bomb.exe (PID: 4052)
  - http185.215.113.66newtpp.exe.exe (PID: 2892)
  - http185.215.113.66pei.exe.exe (PID: 3964)
  - 1111224825.exe (PID: 3984)
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2404)
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2480)
  - httpsmerckllc.toppageslegacyzx.exe.exe (PID: 2376)
  - http185.172.128.109InstallSetupNew.exe.exe (PID: 3900)
  - http185.172.128.109InstallSetup_six.exe.exe (PID: 4072)
  - httpsmerckllc.toppageslegacyzx.exe.exe (PID: 920)
  - u354.0.exe (PID: 1408)
  - u30c.0.exe (PID: 2028)
  - http45.134.254.172HelloWorld.exe.exe (PID: 3420)
  - http45.144.232.181conhost.exe.exe (PID: 3632)
  - http185.172.128.19e0cbefcb1af40c7d4aff4aca26621a98.exe.exe (PID: 3924)
  - mode.com (PID: 2356)
  - u30c.1.exe (PID: 1344)
  - u354.1.exe (PID: 996)
  - http45.144.232.181svchost.exe.exe (PID: 2628)
  - httpssecret-s1.rucrypted_0b1a5854.exe.exe (PID: 4048)
  - httpssecret-s1.rucrypted_17be3001.exe.exe (PID: 3844)
  - 468210291.exe (PID: 2960)
  - 230629444.exe (PID: 1852)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - 1217027251.exe (PID: 4000)
  - httpuhfbncvzxasqwpolgkhbn.ydns.euEED.exe.exe (PID: 1836)
  - CuNfylgNalAX7EHVWHu8.exe (PID: 1796)
  - RegSvcs.exe (PID: 4560)
  - 2120817444.exe (PID: 5632)
  - FhrxRWmBqPUtAWZ2i1os.exe (PID: 5992)
  - NwdWg5ByPM0EfEapgjWT.exe (PID: 2928)
  - hCbz_rkhHD8grJmG1Wxk.exe (PID: 6420)
  - Sm9IoqrusX_sqXySlHUL.exe (PID: 7148)
  - qJ5_pcw3gR_qjNC4lAml.exe (PID: 7336)
  - chcp.com (PID: 7488)
  - chcp.com (PID: 7564)
  - http185.172.128.109InstallSetup3.exe.exe (PID: 292)
  - http185.215.113.46costfu.exe.exe (PID: 5532)
  - BroomSetup.exe (PID: 7364)
  - http185.215.113.46costniks.exe.exe (PID: 8044)
  - 1838912494.exe (PID: 5804)
  - nsh2F58.tmp (PID: 6832)
  - chcp.com (PID: 1336)
  - httpsmail.isellemails.comMediaLightuploadsb3edefeeca7bf5e33.exe.exe (PID: 6988)
  - RegSvcs.exe (PID: 6960)
  - httpsmail.isellemails.comMediaLightuploads83c276d11d7b72505.exe.exe (PID: 2104)
  - RegSvcs.exe (PID: 8008)
  - RegSvcs.exe (PID: 7620)
  - httpsmail.isellemails.comMediaLightuploads1c4633665c468d043.exe.exe (PID: 6636)
- Reads the computer name
  - bomb.exe (PID: 4052)
  - http185.215.113.66pei.exe.exe (PID: 3964)
  - http185.215.113.66newtpp.exe.exe (PID: 2892)
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2404)
  - httpsmerckllc.toppageslegacyzx.exe.exe (PID: 2376)
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2480)
  - httpsmerckllc.toppageslegacyzx.exe.exe (PID: 920)
  - http185.172.128.109InstallSetupNew.exe.exe (PID: 3900)
  - http185.172.128.109InstallSetup_six.exe.exe (PID: 4072)
  - u354.0.exe (PID: 1408)
  - u30c.0.exe (PID: 2028)
  - http45.134.254.172HelloWorld.exe.exe (PID: 3420)
  - http45.144.232.181conhost.exe.exe (PID: 3632)
  - http185.172.128.19e0cbefcb1af40c7d4aff4aca26621a98.exe.exe (PID: 3924)
  - u30c.1.exe (PID: 1344)
  - u354.1.exe (PID: 996)
  - httpssecret-s1.rucrypted_0b1a5854.exe.exe (PID: 4048)
  - httpssecret-s1.rucrypted_17be3001.exe.exe (PID: 3844)
  - http45.144.232.181svchost.exe.exe (PID: 2628)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - 468210291.exe (PID: 2960)
  - 230629444.exe (PID: 1852)
  - CuNfylgNalAX7EHVWHu8.exe (PID: 1796)
  - RegSvcs.exe (PID: 4560)
  - NwdWg5ByPM0EfEapgjWT.exe (PID: 2928)
  - FhrxRWmBqPUtAWZ2i1os.exe (PID: 5992)
  - hCbz_rkhHD8grJmG1Wxk.exe (PID: 6420)
  - Sm9IoqrusX_sqXySlHUL.exe (PID: 7148)
  - qJ5_pcw3gR_qjNC4lAml.exe (PID: 7336)
  - http185.172.128.109InstallSetup3.exe.exe (PID: 292)
  - http185.215.113.46costfu.exe.exe (PID: 5532)
  - BroomSetup.exe (PID: 7364)
  - http185.215.113.46costniks.exe.exe (PID: 8044)
  - nsh2F58.tmp (PID: 6832)
  - RegSvcs.exe (PID: 6960)
  - RegSvcs.exe (PID: 8008)
  - RegSvcs.exe (PID: 7620)
- Reads the machine GUID from the registry
  - bomb.exe (PID: 4052)
  - http185.215.113.66pei.exe.exe (PID: 3964)
  - http185.215.113.66newtpp.exe.exe (PID: 2892)
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2404)
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2480)
  - httpsmerckllc.toppageslegacyzx.exe.exe (PID: 2376)
  - httpsmerckllc.toppageslegacyzx.exe.exe (PID: 920)
  - u354.0.exe (PID: 1408)
  - http45.134.254.172HelloWorld.exe.exe (PID: 3420)
  - http185.172.128.19e0cbefcb1af40c7d4aff4aca26621a98.exe.exe (PID: 3924)
  - http45.144.232.181svchost.exe.exe (PID: 2628)
  - httpssecret-s1.rucrypted_0b1a5854.exe.exe (PID: 4048)
  - httpssecret-s1.rucrypted_17be3001.exe.exe (PID: 3844)
  - 230629444.exe (PID: 1852)
  - 468210291.exe (PID: 2960)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - u30c.0.exe (PID: 2028)
  - RegSvcs.exe (PID: 4560)
  - Sm9IoqrusX_sqXySlHUL.exe (PID: 7148)
  - qJ5_pcw3gR_qjNC4lAml.exe (PID: 7336)
  - http185.172.128.109InstallSetup3.exe.exe (PID: 292)
  - nsh2F58.tmp (PID: 6832)
  - RegSvcs.exe (PID: 6960)
  - RegSvcs.exe (PID: 8008)
  - RegSvcs.exe (PID: 7620)
- Reads Environment values
  - bomb.exe (PID: 4052)
  - httpsmerckllc.toppageslegacyzx.exe.exe (PID: 920)
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2480)
  - http45.134.254.172HelloWorld.exe.exe (PID: 3420)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - RegSvcs.exe (PID: 4560)
  - RegSvcs.exe (PID: 6960)
  - RegSvcs.exe (PID: 7620)
  - RegSvcs.exe (PID: 8008)
- Manual execution by a user
  - taskmgr.exe (PID: 2752)
- Checks proxy server information
  - http185.215.113.66pei.exe.exe (PID: 3964)
  - http185.215.113.66newtpp.exe.exe (PID: 2892)
  - u30c.0.exe (PID: 2028)
  - u354.0.exe (PID: 1408)
  - 468210291.exe (PID: 2960)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - 230629444.exe (PID: 1852)
  - http185.172.128.109InstallSetup3.exe.exe (PID: 292)
  - nsh2F58.tmp (PID: 6832)
- Reads the software policy settings
  - bomb.exe (PID: 4052)
  - httpsmerckllc.toppageslegacyzx.exe.exe (PID: 920)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - RegSvcs.exe (PID: 4560)
  - Sm9IoqrusX_sqXySlHUL.exe (PID: 7148)
  - qJ5_pcw3gR_qjNC4lAml.exe (PID: 7336)
  - http185.172.128.109InstallSetup3.exe.exe (PID: 292)
  - RegSvcs.exe (PID: 6960)
  - RegSvcs.exe (PID: 8008)
  - RegSvcs.exe (PID: 7620)
- Creates files or folders in the user directory
  - http185.215.113.66pei.exe.exe (PID: 3964)
  - http185.215.113.66newtpp.exe.exe (PID: 2892)
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2480)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - u30c.1.exe (PID: 1344)
  - http185.172.128.109InstallSetup3.exe.exe (PID: 292)
- Create files in a temporary directory
  - http185.215.113.66pei.exe.exe (PID: 3964)
  - http185.215.113.66newtpp.exe.exe (PID: 2892)
  - http185.172.128.109InstallSetupNew.exe.exe (PID: 3900)
  - http185.172.128.109InstallSetup_six.exe.exe (PID: 4072)
  - bomb.exe (PID: 4052)
  - http45.144.232.181conhost.exe.exe (PID: 3632)
  - 468210291.exe (PID: 2960)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
  - httpuhfbncvzxasqwpolgkhbn.ydns.euEED.exe.exe (PID: 1836)
  - FhrxRWmBqPUtAWZ2i1os.exe (PID: 5992)
  - Sm9IoqrusX_sqXySlHUL.exe (PID: 7148)
  - qJ5_pcw3gR_qjNC4lAml.exe (PID: 7336)
  - http185.172.128.109InstallSetup3.exe.exe (PID: 292)
  - httpsmail.isellemails.comMediaLightuploads83c276d11d7b72505.exe.exe (PID: 2104)
  - httpsmail.isellemails.comMediaLightuploadsb3edefeeca7bf5e33.exe.exe (PID: 6988)
  - httpsmail.isellemails.comMediaLightuploads1c4633665c468d043.exe.exe (PID: 6636)
- Process checks whether UAC notifications are on
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2480)
- Reads product name
  - httpsmerckllc.toppagesbigzx.exe.exe (PID: 2480)
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
- Creates files in the program directory
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
- Reads CPU info
  - http193.233.132.21654672bomereals.exe.exe (PID: 2096)
- Reads mouse settings
  - httpuhfbncvzxasqwpolgkhbn.ydns.euEED.exe.exe (PID: 1836)
  - CuNfylgNalAX7EHVWHu8.exe (PID: 1796)
  - hCbz_rkhHD8grJmG1Wxk.exe (PID: 6420)
  - http185.215.113.46costfu.exe.exe (PID: 5532)
  - httpsmail.isellemails.comMediaLightuploadsb3edefeeca7bf5e33.exe.exe (PID: 6988)
  - httpsmail.isellemails.comMediaLightuploads83c276d11d7b72505.exe.exe (PID: 2104)
  - httpsmail.isellemails.comMediaLightuploads1c4633665c468d043.exe.exe (PID: 6636)
- Application launched itself
  - msedge.exe (PID: 2568)
  - msedge.exe (PID: 2584)
  - msedge.exe (PID: 124)
  - msedge.exe (PID: 3636)
  - chrome.exe (PID: 3868)
  - msedge.exe (PID: 3440)
  - msedge.exe (PID: 752)
  - msedge.exe (PID: 3036)
  - firefox.exe (PID: 3272)
  - firefox.exe (PID: 3604)
  - firefox.exe (PID: 1832)
  - chrome.exe (PID: 3896)
  - chrome.exe (PID: 2656)
  - firefox.exe (PID: 4208)
  - chrome.exe (PID: 6768)
  - msedge.exe (PID: 2916)
  - msedge.exe (PID: 2380)
  - msedge.exe (PID: 4520)
  - msedge.exe (PID: 3436)
  - msedge.exe (PID: 3200)
  - chrome.exe (PID: 7348)
  - msedge.exe (PID: 4884)
  - chrome.exe (PID: 7472)
  - chrome.exe (PID: 1168)
  - firefox.exe (PID: 7448)
  - firefox.exe (PID: 6424)
  - firefox.exe (PID: 7824)
- The process uses the downloaded file
  - chrome.exe (PID: 1044)
  - chrome.exe (PID: 5576)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Nanocore

(PID) Process(2480) httpsmerckllc.toppagesbigzx.exe.exe

KeyboardLoggingTrue

BuildTime2024-02-12 21:33:34.835016

Version1.2.2.0

Mutexfbf9faaf-f2bf-43ae-91ec-07031d9e9f20

DefaultGroupNEW JOY

PrimaryConnectionHosttzitziklishop3.ddns.net

BackupConnectionHosttzitziklishop3.ddns.net

ConnectionPort1663

RunOnStartupTrue

RequestElevationFalse

BypassUserAccountControlTrue

ClearZoneIdentifierTrue

ClearAccessControlFalse

SetCriticalProcessFalse

PreventSystemSleepTrue

ActivateAwayModeFalse

EnableDebugModeFalse

RunDelay0

ConnectDelay4000

RestartDelay5000

TimeoutInterval5000

KeepAliveTimeout30000

MutexTimeout5000

LanTimeout2500

WanTimeout8000

BufferSize65535

MaxPacketSize10485760

GCThreshold10485760

UseCustomDnsServerTrue

PrimaryDnsServer8.8.8.8

BackupDnsServer8.8.4.4

AgentTesla

(PID) Process(920) httpsmerckllc.toppageslegacyzx.exe.exe

Protocolsmtp

Hostcp8nl.hyperhost.ua

Port587

Usernamelegacylog@fibraunollc.top

Password7213575aceACE@#$

(PID) Process(4560) RegSvcs.exe

Protocolsmtp

Hostmail.awelleh3.top

Port587

Usernameservereric33@awelleh3.top

Password54x%ex3wbV$1

(PID) Process(8008) RegSvcs.exe

Protocolsmtp

Hostmail.worlorderbillions.top

Port587

Usernamesimonsky@worlorderbillions.top

Passwordc_V]g4Z*O.;%

RisePro

(PID) Process(2096) http193.233.132.21654672bomereals.exe.exe

C2193.233.132.62

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2048:07:19 19:03:26+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	9728
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x457a
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	-
FileVersion:	1.0.0.0
InternalName:	bomb.exe
LegalCopyright:	-
LegalTrademarks:	-
OriginalFileName:	bomb.exe
ProductName:	-
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

284

Monitored processes

212

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

124

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

CuNfylgNalAX7EHVWHu8.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

109.0.1518.115

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

292

"C:\Users\admin\Desktop\http185.172.128.109InstallSetup3.exe.exe"

C:\Users\admin\Desktop\http185.172.128.109InstallSetup3.exe.exe

bomb.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\http185.172.128.109installsetup3.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

752

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

CuNfylgNalAX7EHVWHu8.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

109.0.1518.115

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

920

"C:\Users\admin\Desktop\httpsmerckllc.toppageslegacyzx.exe.exe"

C:\Users\admin\Desktop\httpsmerckllc.toppageslegacyzx.exe.exe

httpsmerckllc.toppageslegacyzx.exe.exe

User:

admin

Company:

Protocol Labs, Inc.

Integrity Level:

MEDIUM

Description:

IPFS Desktop

Exit code:

Version:

0.30.1.0

Modules

Images
c:\users\admin\desktop\httpsmerckllc.toppageslegacyzx.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

AgentTesla

(PID) Process(920) httpsmerckllc.toppageslegacyzx.exe.exe

Protocolsmtp

Hostcp8nl.hyperhost.ua

Port587

Usernamelegacylog@fibraunollc.top

Password7213575aceACE@#$

996

"C:\Users\admin\AppData\Local\Temp\u354.1.exe"

C:\Users\admin\AppData\Local\Temp\u354.1.exe

—

http185.172.128.109InstallSetup_six.exe.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Broom

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\u354.1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

1044

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=3736 --field-trial-handle=1268,i,1501165745835462627,1469687842698894239,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1168

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com

C:\Program Files\Google\Chrome\Application\chrome.exe

—

http185.215.113.46costfu.exe.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1168

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=7960 --field-trial-handle=1400,i,1008537502837809087,10194851078824679173,131072 /prefetch:1

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

109.0.1518.115

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1336

chcp 1251

C:\Windows\System32\chcp.com

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Change CodePage Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1344

"C:\Users\admin\AppData\Local\Temp\u30c.1.exe"

C:\Users\admin\AppData\Local\Temp\u30c.1.exe

—

http185.172.128.109InstallSetupNew.exe.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Broom

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\u30c.1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

Add for printing

Total events

129 029

Read events

127 968

Write events

917

Delete events

144

Modification events


(PID) Process:	(4052) bomb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bomb_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4052) bomb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bomb_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(4052) bomb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bomb_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(4052) bomb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bomb_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(4052) bomb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bomb_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(4052) bomb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bomb_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(4052) bomb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bomb_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4052) bomb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bomb_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(4052) bomb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bomb_RASMANCS
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(4052) bomb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bomb_RASMANCS
Operation:	write	Name:	ConsoleTracingMask
Value:

Add for printing

Executable files

Suspicious files

609

Text files

273

Unknown types

440

Dropped files

PID	Process	Filename		Type
4052	bomb.exe	C:\Users\admin\Desktop\httpfile-file-file1.comstats.phpid=4454&key=cd86b34c8e929498d76c20a7b1fb04c1id=admin&mn=USER-PC&os=6.1 build 7601.exe		html
		MD5:2EB381D2362A497CEAF355283E21C93A	SHA256:7544FF86CC396118EAB3A8E28E177F61616D8FEC3CC4F75B5449112849834BF6
4052	bomb.exe	C:\Users\admin\Desktop\http185.215.113.66pei.exe.exe		executable
		MD5:62B97CF4C0ABAFEDA36E3FC101A5A022	SHA256:E172537ADCEE1FCDC8F16C23E43A5AC82C56A0347FA0197C08BE979438A534AB
2892	http185.215.113.66newtpp.exe.exe	C:\Users\admin\AppData\Local\Temp\1584415341.exe		binary
		MD5:BB1927E141203BCAD01B9A072297D1E5	SHA256:0CBC8D95D04EB29ACE06CF127237E4B0EC0BABBF69DAB7FCBC6EA5BC0D5064F7
1888	ntvdm.exe	C:\Users\admin\AppData\Local\Temp\scsC2C.tmp		text
		MD5:4C361DEA398F7AEEF49953BDC0AB4A9B	SHA256:06D61C23E6CA59B9DDAD1796ECCC42C032CD8F6F424AF6CFEE5D085D36FF7DFD
2892	http185.215.113.66newtpp.exe.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\1[1]		binary
		MD5:BB1927E141203BCAD01B9A072297D1E5	SHA256:0CBC8D95D04EB29ACE06CF127237E4B0EC0BABBF69DAB7FCBC6EA5BC0D5064F7
2892	http185.215.113.66newtpp.exe.exe	C:\Users\admin\winxsdrvcsa.exe		executable
		MD5:BB3D7BD66C92454429A8C78BF64F977B	SHA256:94A66EEA65EDD08CA19BF6DB266058E81714312B6A51892298B461FFD8B90161
1888	ntvdm.exe	C:\Users\admin\AppData\Local\Temp\scsC1C.tmp		text
		MD5:8CF6DDB5AA59B49F34B967CD46F013B6	SHA256:EE06792197C3E025B84860A72460EAF628C66637685F8C52C5A08A9CC35D376C
3964	http185.215.113.66pei.exe.exe	C:\Users\admin\AppData\Local\Temp\1857813056.exe		executable
		MD5:91C9157C58C8E8C87D721819A6D0C054	SHA256:A7D157612744986D6CFE057A5A544A23212111B96750F6E276CDB9B18BD5C5BE
4052	bomb.exe	C:\Users\admin\Desktop\httpsmerckllc.toppageslegacyzx.exe.exe		executable
		MD5:2E1785F34AFD62C1EB7FDC65B0515D95	SHA256:E46D09BF964FC8ABFC1BCC2ED4B4AACF0AE3DA0687D5A440973C79EEA24E88BD
3964	http185.215.113.66pei.exe.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\newtpp[1].exe		executable
		MD5:91C9157C58C8E8C87D721819A6D0C054	SHA256:A7D157612744986D6CFE057A5A544A23212111B96750F6E276CDB9B18BD5C5BE

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

104

TCP/UDP connections

574

DNS requests

360

Threats

368

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4052	bomb.exe	GET	200	185.215.113.66:80	http://185.215.113.66/newtpp.exe	unknown	executable	79.5 Kb	unknown
4052	bomb.exe	GET	200	185.215.113.66:80	http://185.215.113.66/pei.exe	unknown	executable	9.50 Kb	unknown
4052	bomb.exe	GET	—	37.1.214.209:80	http://37.1.214.209/2222/kkk.jpg	unknown	—	—	unknown
3964	http185.215.113.66pei.exe.exe	GET	—	185.215.113.66:80	http://twizt.net/newtpp.exe	unknown	—	—	unknown
4052	bomb.exe	GET	—	193.233.132.18:8081	http://193.233.132.18:8081/static/crypted_a6dd40e8.exe	unknown	—	—	unknown
4052	bomb.exe	GET	200	185.12.126.182:80	http://file-file-file1.com/stats.php?id=4454&key=cd86b34c8e929498d76c20a7b1fb04c1%0D?id=admin&mn=USER-PC&os=6.1%20build:%207601	unknown	html	2.86 Kb	unknown
2892	http185.215.113.66newtpp.exe.exe	GET	—	185.215.113.66:80	http://185.215.113.66/1	unknown	—	—	unknown
2892	http185.215.113.66newtpp.exe.exe	GET	—	185.215.113.66:80	http://185.215.113.66/1	unknown	—	—	unknown
4052	bomb.exe	GET	200	185.172.128.109:80	http://185.172.128.109/InstallSetupNew.exe	unknown	executable	295 Kb	unknown
4052	bomb.exe	GET	200	185.172.128.109:80	http://185.172.128.109/InstallSetup_six.exe	unknown	executable	295 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4052	bomb.exe	151.101.2.49:443	urlhaus.abuse.ch	FASTLY	US	unknown
4052	bomb.exe	185.215.113.66:80	twizt.net	1337team Limited	SC	unknown
4052	bomb.exe	207.246.70.132:80	—	AS-CHOOPA	US	malicious
4052	bomb.exe	104.21.37.191:443	rusticironstore.com	CLOUDFLARENET	—	unknown
4052	bomb.exe	137.103.255.230:443	mail.isellemails.com	ATLANTICBB-JOHNSTOWN	US	unknown
4052	bomb.exe	37.1.214.209:80	—	HVC-AS	US	unknown
4052	bomb.exe	162.159.134.233:443	cdn.discordapp.com	CLOUDFLARENET	—	shared

DNS requests

Domain	IP	Reputation
urlhaus.abuse.ch	151.101.2.49 151.101.66.49 151.101.130.49 151.101.194.49	whitelisted
file-file-file1.com	185.12.126.182	unknown
rusticironstore.com	104.21.37.191 172.67.212.109	malicious
mail.isellemails.com	137.103.255.230	unknown
computersupportexperts.com	162.240.8.41	unknown
gitea.com	18.166.250.135	unknown
cdn.discordapp.com	162.159.134.233 162.159.130.233 162.159.135.233 162.159.129.233 162.159.133.233	shared
twizt.net	185.215.113.66	unknown
riseappbucket.s3.ap-southeast-1.amazonaws.com	52.219.37.3 52.219.40.19 52.219.128.207 52.219.36.59 52.219.164.150 52.219.37.39 3.5.150.173 3.5.151.143	unknown
www.update.microsoft.com	20.109.209.108	whitelisted

Threats

PID	Process	Class	Message
4052	bomb.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 22
4052	bomb.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
4052	bomb.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
4052	bomb.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
4052	bomb.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
4052	bomb.exe	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
4052	bomb.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
4052	bomb.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
4052	bomb.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
1080	svchost.exe	Potentially Bad Traffic	ET INFO Self-Hosted Git Service Domain in DNS Lookup (gitea .com)

17 ETPRO signatures available at the full report

Add for printing

Process	Message
http193.233.132.21654672bomereals.exe.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
http193.233.132.21654672bomereals.exe.exe	gert4634
http193.233.132.21654672bomereals.exe.exe	eger 43 634
FhrxRWmBqPUtAWZ2i1os.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
NwdWg5ByPM0EfEapgjWT.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
Sm9IoqrusX_sqXySlHUL.exe	erert46456
Sm9IoqrusX_sqXySlHUL.exe	reyerreyerreyerreyerreyerreyerreyerreyerreyer
http193.233.132.21654672bomereals.exe.exe	ret34634734g dfyh y rtdyrtyrty
qJ5_pcw3gR_qjNC4lAml.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
qJ5_pcw3gR_qjNC4lAml.exe	DevBug OPS

General Info

bomb.exe

55DBA6E7AA4E8CC73415F4E3F9F6BDAE

87C9F29D58F57A5E025061D389BE2655EE879D5D

3CEA805F1396DF15BDBCD4317388A046A41A6079DBA04576A58BA7B2C812338A

192:HLmmmmlmtYz0wZick7pDMj4GbCrMz+MCZLa7HhdSbwxz1OLU87glpp/bI6J4yfm4:pmi7k7pMiLLaLhM6OLU870NJqoI

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

Changes Security Center notification settings

PHORPIEX has been detected (SURICATA)

Connects to the CnC server

Actions looks like stealing of personal data

Steals credentials from Web Browsers

KELIHOS has been detected (SURICATA)

STEALC has been detected (SURICATA)

NANOCORE has been detected (SURICATA)

NANOCORE has been detected (YARA)

Uses Task Scheduler to autorun other applications

Steals credentials

RISEPRO has been detected (SURICATA)

AGENTTESLA has been detected (YARA)

Create files in the Startup directory

RISEPRO has been detected (YARA)

SUSPICIOUS

Reads settings of System Certificates

Reads security settings of Internet Explorer

Reads the Internet Settings

Executable content was dropped or overwritten

Process requests binary or script from the Internet

Connects to the server without a host name

Connects to unusual port

Application launched itself

The process creates files with name similar to system file names

Accesses Microsoft Outlook profiles

Windows Defender mutex has been found

Connects to SMTP port

Drops 7-zip archiver for unpacking

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Uses ATTRIB.EXE to modify file attributes

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

Reads the BIOS version

Adds/modifies Windows certificates

Checks for external IP

Reads browser cookies

Starts itself from another location

Searches for installed software

Starts application with an unusual extension

Checks Windows Trust Settings

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Reads Environment values

Manual execution by a user

Checks proxy server information

Reads the software policy settings

Creates files or folders in the user directory

Create files in a temporary directory

Process checks whether UAC notifications are on

Reads product name

Creates files in the program directory

Reads CPU info

Reads mouse settings

Application launched itself

The process uses the downloaded file

Malware configuration

Nanocore

AgentTesla

RisePro

Static information

TRiD

EXIF

EXE