Malware analysis file Malicious activity | ANY.RUN

Add for printing

File name:	file
Full analysis:	https://app.any.run/tasks/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
Verdict:	Malicious activity
Analysis date:	January 27, 2023, 09:03:56
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	531981FA2658977F0ECDAD58E88F3037
SHA1:	A32FBF450455E965B54506DEA14438E0598A8E08
SHA256:	3ECD4763FFC944FDC67A9027E459CD4F448B1A8D1B36147977AFAF86BBF2A261
SSDEEP:	196608:91OyP3N/E1u7Yz/qped/kgyLPFZRsCu3hOCVci8L4Xt7uhwp1K:3OI3a1u0KeSgIHRsCuwCVciZXRNK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
Mozilla Maintenance Service (67.0.4)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - Install.exe (PID: 2028)
  - file.exe (PID: 2032)
  - Install.exe (PID: 1988)
  - CiuBamk.exe (PID: 2788)
  - FHYQWsM.exe (PID: 1440)
- Uses Task Scheduler to run other applications
  - Install.exe (PID: 1988)
  - CiuBamk.exe (PID: 2788)
  - FHYQWsM.exe (PID: 1440)
  - rundll32.exe (PID: 2972)
- Application was dropped or rewritten from another process
  - CiuBamk.exe (PID: 2788)
  - Install.exe (PID: 1988)
  - FHYQWsM.exe (PID: 1440)
- Creates a writable file the system directory
  - CiuBamk.exe (PID: 2788)
  - FHYQWsM.exe (PID: 1440)
- Modifies exclusions in Windows Defender
  - reg.exe (PID: 2652)
  - reg.exe (PID: 2216)
  - reg.exe (PID: 2992)
  - reg.exe (PID: 2444)
  - reg.exe (PID: 2096)
  - reg.exe (PID: 2400)
  - reg.exe (PID: 1440)
  - reg.exe (PID: 620)
  - reg.exe (PID: 2168)
- Uses Task Scheduler to autorun other applications
  - FHYQWsM.exe (PID: 1440)
- Steals credentials from Web Browsers
  - FHYQWsM.exe (PID: 1440)
- Loads dropped or rewritten executable
  - rundll32.exe (PID: 2972)
  - rundll32.exe (PID: 1892)
- Actions looks like stealing of personal data
  - FHYQWsM.exe (PID: 1440)
- Modifies files in the Chrome extension folder
  - FHYQWsM.exe (PID: 1440)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Install.exe (PID: 2028)
  - file.exe (PID: 2032)
  - Install.exe (PID: 1988)
  - CiuBamk.exe (PID: 2788)
  - FHYQWsM.exe (PID: 1440)
- Executes via Task Scheduler
  - powershell.EXE (PID: 2192)
  - CiuBamk.exe (PID: 2788)
  - powershell.EXE (PID: 2276)
  - powershell.EXE (PID: 2548)
  - powershell.EXE (PID: 2648)
  - FHYQWsM.exe (PID: 1440)
  - rundll32.EXE (PID: 2480)
  - rundll32.EXE (PID: 1636)
- Uses REG/REGEDIT.EXE to modify register
  - cmd.exe (PID: 1960)
  - cmd.exe (PID: 124)
  - cmd.exe (PID: 3068)
  - cmd.exe (PID: 2544)
  - cmd.exe (PID: 1804)
  - cmd.exe (PID: 1708)
  - cmd.exe (PID: 2660)
  - cmd.exe (PID: 2088)
  - wscript.exe (PID: 2480)
  - cmd.exe (PID: 1820)
  - cmd.exe (PID: 2232)
  - cmd.exe (PID: 2748)
  - cmd.exe (PID: 2692)
  - cmd.exe (PID: 2748)
  - cmd.exe (PID: 1672)
- Starts itself from another location
  - file.exe (PID: 2032)
- Reads the BIOS version
  - Install.exe (PID: 1988)
- Reads security settings of Internet Explorer
  - powershell.EXE (PID: 2192)
  - powershell.EXE (PID: 2276)
  - powershell.EXE (PID: 2548)
  - powershell.EXE (PID: 2648)
- Executes as Windows Service
  - RAServer.exe (PID: 2072)
  - RAServer.exe (PID: 2676)
  - RAServer.exe (PID: 2364)
  - RAServer.exe (PID: 2240)
- Starts CMD.EXE for commands execution
  - CiuBamk.exe (PID: 2788)
  - forfiles.exe (PID: 1768)
  - forfiles.exe (PID: 1672)
  - FHYQWsM.exe (PID: 1440)
- Executes scripts
  - CiuBamk.exe (PID: 2788)
- Checks Windows Trust Settings
  - FHYQWsM.exe (PID: 1440)
- Reads settings of System Certificates
  - FHYQWsM.exe (PID: 1440)
- Creates a software uninstall entry
  - FHYQWsM.exe (PID: 1440)
INFO
- Create files in a temporary directory
  - Install.exe (PID: 2028)
  - file.exe (PID: 2032)
  - powershell.EXE (PID: 2192)
  - powershell.EXE (PID: 2276)
  - Install.exe (PID: 1988)
  - powershell.EXE (PID: 2548)
  - powershell.EXE (PID: 2648)
- Checks supported languages
  - Install.exe (PID: 2028)
  - file.exe (PID: 2032)
  - Install.exe (PID: 1988)
  - CiuBamk.exe (PID: 2788)
  - FHYQWsM.exe (PID: 1440)
- Reads the machine GUID from the registry
  - Install.exe (PID: 1988)
  - FHYQWsM.exe (PID: 1440)
- Reads the computer name
  - Install.exe (PID: 1988)
  - FHYQWsM.exe (PID: 1440)
- The process checks LSA protection
  - Install.exe (PID: 1988)
  - powershell.EXE (PID: 2276)
  - powershell.EXE (PID: 2192)
  - powershell.EXE (PID: 2548)
  - wscript.exe (PID: 2480)
  - powershell.EXE (PID: 2648)
  - FHYQWsM.exe (PID: 1440)
  - rundll32.exe (PID: 2972)
- Creates files in the program directory
  - FHYQWsM.exe (PID: 1440)
- Dropped object may contain Bitcoin addresses
  - FHYQWsM.exe (PID: 1440)
- Process checks computer location settings
  - FHYQWsM.exe (PID: 1440)
- Creates files or folders in the user directory
  - FHYQWsM.exe (PID: 1440)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	2010-Nov-18 16:27:35
Detected languages:	English - United States
CompanyName:	Igor Pavlov
FileDescription:	7z Setup SFX
FileVersion:	9.20
InternalName:	7zS.sfx
LegalCopyright:	Copyright (c) 1999-2010 Igor Pavlov
OriginalFilename:	7zS.sfx.exe
ProductName:	7-Zip
ProductVersion:	9.20

DOS Header

e_magic:	MZ
e_cblp:	144
e_cp:	3
e_crlc:	-
e_cparhdr:	4
e_minalloc:	-
e_maxalloc:	65535
e_ss:	-
e_sp:	184
e_csum:	-
e_ip:	-
e_cs:	-
e_ovno:	-
e_oemid:	-
e_oeminfo:	-
e_lfanew:	232

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
NumberofSections:	5
TimeDateStamp:	2010-Nov-18 16:27:35
PointerToSymbolTable:	-
NumberOfSymbols:	-
SizeOfOptionalHeader:	224
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LINE_NUMS_STRIPPED IMAGE_FILE_LOCAL_SYMS_STRIPPED IMAGE_FILE_RELOCS_STRIPPED

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	4096	104938	104960	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.60849
.rdata	110592	17556	17920	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.36802
.data	131072	23112	12800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	1.37054
.sxdata	155648	4	512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.0203931
.rsrc	159744	2656	3072	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	3.30196

Resources

Title	Entropy	Size	Codepage	Language	Type
1	3.75404	744	UNKNOWN	English - United States	RT_ICON
2	3.18403	296	UNKNOWN	English - United States	RT_ICON
5	1.43775	52	UNKNOWN	English - United States	RT_STRING
500	3.09294	184	UNKNOWN	English - United States	RT_DIALOG
1 (#2)	2.78284	148	UNKNOWN	English - United States	RT_STRING
1 (#3)	2.37086	34	UNKNOWN	English - United States	RT_GROUP_ICON
1 (#4)	3.44049	700	UNKNOWN	English - United States	RT_VERSION

Imports


KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

237

Monitored processes

116

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

124

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

—

forfiles.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

620

schtasks /DELETE /F /TN "gnjfbERbh"

C:\Windows\SysWOW64\schtasks.exe

—

CiuBamk.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\ntdll.dll
c:\windows\syswow64\schtasks.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

620

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ojxAlSFCBQUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

—

wscript.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\wow64.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

620

schtasks /DELETE /F /TN "RJkkAvxBAKuiCqt"

C:\Windows\SysWOW64\schtasks.exe

—

FHYQWsM.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

772

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

820

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\admin\AppData\Local\Temp\exjZpBqMapvjTxaJx" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

—

wscript.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\syswow64\reg.exe
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

836

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\admin\AppData\Local\Temp\exjZpBqMapvjTxaJx" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

—

wscript.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1344

"C:\Users\admin\AppData\Local\Temp\file.exe"

C:\Users\admin\AppData\Local\Temp\file.exe

—

Explorer.EXE

User:

admin

Company:

Igor Pavlov

Integrity Level:

MEDIUM

Description:

7z Setup SFX

Exit code:

3221226540

Version:

9.20

Modules

Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

1440

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mgkqFoivVEbAC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

—

wscript.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1440

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\yJobuBfBRxVmVvVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

—

wscript.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Add for printing

Total events

18 482

Read events

17 730

Write events

746

Delete events

Modification events


(PID) Process:	(1988) Install.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1988) Install.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1988) Install.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1988) Install.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2368) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions
Operation:	write	Name:	exe
Value: 0
(PID) Process:	(2380) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
Operation:	write	Name:	SpyNetReporting
Value: 0
(PID) Process:	(2864) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions
Operation:	write	Name:	exe
Value: 0
(PID) Process:	(2872) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
Operation:	write	Name:	SpyNetReporting
Value: 0
(PID) Process:	(2192) powershell.EXE	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2192) powershell.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

Add for printing

Executable files

Suspicious files

Text files

150

Unknown types

Dropped files

PID	Process	Filename		Type
2032	file.exe	C:\Users\admin\AppData\Local\Temp\7zS4C1D.tmp\__data__\config.txt		binary
		MD5:—	SHA256:—
2028	Install.exe	C:\Users\admin\AppData\Local\Temp\7zS4E7E.tmp\Install.exe		executable
		MD5:—	SHA256:—
2192	powershell.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFd5fc4.TMP		binary
		MD5:—	SHA256:—
2192	powershell.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:—	SHA256:—
2032	file.exe	C:\Users\admin\AppData\Local\Temp\7zS4C1D.tmp\Install.exe		executable
		MD5:—	SHA256:—
2192	powershell.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\696U1H2VGZ7QUBUI4KZE.temp		binary
		MD5:—	SHA256:—
2276	powershell.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ALYJ24RTA1KWOY25IJMR.temp		binary
		MD5:—	SHA256:—
2384	schtasks.exe	C:\Windows\Tasks\baqkzymadDkdbhQsxA.job		binary
		MD5:—	SHA256:—
2276	powershell.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:—	SHA256:—
2548	powershell.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe3871.TMP		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2972	rundll32.exe	POST	200	54.185.139.178:80	http://api2.check-data.xyz/api2/google_api_ifi	US	—	—	malicious
1440	FHYQWsM.exe	GET	200	172.217.18.99:80	http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEFy5J6A6YKVTEoiTk%2FRTejk%3D	US	der	471 b	whitelisted
1440	FHYQWsM.exe	GET	200	23.45.105.185:80	http://x1.c.lencr.org/	NL	der	717 b	whitelisted
1440	FHYQWsM.exe	GET	200	172.217.18.99:80	http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDrLFyBxR1WMQr6Mn9JjdU0	US	der	472 b	whitelisted
1440	FHYQWsM.exe	GET	200	184.24.77.52:80	http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgRB7A5ys5XSOpfz0dPt7QOXbw%3D%3D	US	der	503 b	shared
1440	FHYQWsM.exe	GET	200	172.217.18.99:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	US	der	1.41 Kb	whitelisted
1440	FHYQWsM.exe	GET	200	172.217.18.99:80	http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D	US	der	724 b	whitelisted
1440	FHYQWsM.exe	GET	200	178.79.242.128:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9a13c8621d408546	DE	compressed	4.70 Kb	whitelisted
1440	FHYQWsM.exe	GET	200	184.24.77.69:80	http://apps.identrust.com/roots/dstrootcax3.p7c	US	cat	893 b	shared
1440	FHYQWsM.exe	GET	200	178.79.242.128:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9a88ea110ce21994	DE	compressed	61.4 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1440	FHYQWsM.exe	3.80.150.121:443	service-domain.xyz	AMAZON-AES	US	suspicious
1440	FHYQWsM.exe	178.79.242.128:80	ctldl.windowsupdate.com	LLNW	DE	malicious
1440	FHYQWsM.exe	184.24.77.69:80	apps.identrust.com	Akamai International B.V.	DE	suspicious
1440	FHYQWsM.exe	184.24.77.52:80	r3.o.lencr.org	Akamai International B.V.	DE	malicious
1440	FHYQWsM.exe	23.45.105.185:80	x1.c.lencr.org	AKAMAI-AS	DE	unknown
1440	FHYQWsM.exe	142.250.185.138:443	www.googleapis.com	GOOGLE	US	whitelisted
1440	FHYQWsM.exe	172.217.18.14:443	clients2.google.com	GOOGLE	US	whitelisted
1440	FHYQWsM.exe	172.217.18.99:80	ocsp.pki.goog	GOOGLE	US	whitelisted
2972	rundll32.exe	54.185.139.178:80	api2.check-data.xyz	AMAZON-02	US	malicious

DNS requests

Domain	IP	Reputation
teredo.ipv6.microsoft.com	—	whitelisted
service-domain.xyz	3.80.150.121	suspicious
ctldl.windowsupdate.com	178.79.242.128	whitelisted
apps.identrust.com	184.24.77.69 184.24.77.47	shared
x1.c.lencr.org	23.45.105.185	whitelisted
r3.o.lencr.org	184.24.77.52 184.24.77.79 184.24.77.46 184.24.77.67 184.24.77.54 184.24.77.69 184.24.77.57 184.24.77.56 184.24.77.53	shared
www.googleapis.com	142.250.185.138 142.250.74.202 142.250.185.106 142.250.181.234 142.250.185.170 142.250.185.74 172.217.16.138 172.217.18.10 142.250.185.202 142.250.185.234 172.217.16.202 142.250.186.138 216.58.212.170 172.217.18.106 142.250.186.42 142.250.186.74	whitelisted
ocsp.pki.goog	172.217.18.99	whitelisted
clients2.google.com	172.217.18.14	whitelisted
api2.check-data.xyz	54.185.139.178 54.191.228.37	malicious

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
—	—	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain

Add for printing

No debug info

General Info

file

531981FA2658977F0ECDAD58E88F3037

A32FBF450455E965B54506DEA14438E0598A8E08

3ECD4763FFC944FDC67A9027E459CD4F448B1A8D1B36147977AFAF86BBF2A261

196608:91OyP3N/E1u7Yz/qped/kgyLPFZRsCu3hOCVci8L4Xt7uhwp1K:3OI3a1u0KeSgIHRsCuwCVciZXRNK

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Uses Task Scheduler to run other applications

Application was dropped or rewritten from another process

Creates a writable file the system directory

Modifies exclusions in Windows Defender

Uses Task Scheduler to autorun other applications

Steals credentials from Web Browsers

Loads dropped or rewritten executable

Actions looks like stealing of personal data

Modifies files in the Chrome extension folder

SUSPICIOUS

Executable content was dropped or overwritten

Executes via Task Scheduler

Uses REG/REGEDIT.EXE to modify register

Starts itself from another location

Reads the BIOS version

Reads security settings of Internet Explorer

Executes as Windows Service

Starts CMD.EXE for commands execution

Executes scripts

Checks Windows Trust Settings

Reads settings of System Certificates

Creates a software uninstall entry

INFO

Create files in a temporary directory

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

The process checks LSA protection

Creates files in the program directory

Dropped object may contain Bitcoin addresses

Process checks computer location settings

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events