Malware analysis File_pass1234.7z Malicious activity | ANY.RUN

Add for printing

download:	File_pass1234.7z
Full analysis:	https://app.any.run/tasks/4f85a2fe-e601-4088-ab81-a7c33998a2de
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files. Fabookie is an infostealer malware that was first observed as early as October 2021. The threat is known for targeting account credentials of Facebook users. The collected information is then sold by the attackers to other criminals. Fabookie is often distributed via loaders such as SmokeLoader. GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	July 08, 2023, 21:44:12
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	privateloader opendir loader evasion rat redline fabookie smoke trojan gcleaner amadey ransomware stop stealer vidar lumma arkei g0njxa
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	018FE259D51B5C71257275CAB7C1685B
SHA1:	FE7A03B8523C4DB40718A2E971B2C54485EBC671
SHA256:	4218E1020C93A986FC5A3954C39F5BC4199B0AA49A5CAD564FA509B17EF6B52D
SSDEEP:	98304:psjupcskHHPKyeKNusN4ZwiPJakTohGhbo+KpGiM+G7ITV/DcQxpUV+Zib0:plp8vKBb20hCGhvKpGiMjMQiUckb0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
Mozilla Maintenance Service (67.0.4)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Creates a writable file the system directory
  - File.exe (PID: 2412)
  - 7bLPqgAE29n9oU6GE1YnkOFx.exe (PID: 2212)
- Actions looks like stealing of personal data
  - File.exe (PID: 2412)
  - qfOIPfK6dpmmrpvIxMZTZwT6.exe (PID: 2088)
  - AppLaunch.exe (PID: 1976)
  - sxUi8Tz06yKustozuqr9FIE_.exe (PID: 2832)
  - iK3FNYYWmN0ZQnTtjXew17BN.exe (PID: 2872)
  - AppLaunch.exe (PID: 1796)
  - AppLaunch.exe (PID: 2572)
  - certreq.exe (PID: 1660)
  - c3418797.exe (PID: 1776)
  - 64D8.exe (PID: 2264)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
  - BB28.exe (PID: 2816)
  - uYa76gMuKTb.exe (PID: 1280)
  - build2.exe (PID: 1604)
  - build2.exe (PID: 2052)
  - AppLaunch.exe (PID: 3256)
  - jklP9z9u5977lOM9Jra3Lt6H.exe (PID: 1172)
  - JWtU8KbMMiNFD5ZcHJgEt4g7.exe (PID: 3976)
  - AppLaunch.exe (PID: 3588)
  - AppLaunch.exe (PID: 2336)
  - AppLaunch.exe (PID: 3208)
  - AppLaunch.exe (PID: 616)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - l9jUx7d0.exe (PID: 2776)
- Connects to the CnC server
  - File.exe (PID: 2412)
  - 7bLPqgAE29n9oU6GE1YnkOFx.exe (PID: 2212)
  - o8BacxcDKYM4CFjxgAGbyc7U.exe (PID: 2360)
  - qfOIPfK6dpmmrpvIxMZTZwT6.exe (PID: 2088)
  - iK3FNYYWmN0ZQnTtjXew17BN.exe (PID: 2872)
  - AppLaunch.exe (PID: 2572)
  - AppLaunch.exe (PID: 1976)
  - AppLaunch.exe (PID: 1796)
  - sxUi8Tz06yKustozuqr9FIE_.exe (PID: 2832)
  - explorer.exe (PID: 1960)
  - 64D8.exe (PID: 2264)
  - c3418797.exe (PID: 1776)
  - RepSpacer78.exe (PID: 2596)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
  - danke.exe (PID: 2712)
  - BB28.exe (PID: 2816)
  - AppLaunch.exe (PID: 2024)
  - build2.exe (PID: 1604)
  - oneetx.exe (PID: 3052)
  - JWtU8KbMMiNFD5ZcHJgEt4g7.exe (PID: 3976)
  - AppLaunch.exe (PID: 3256)
  - AppLaunch.exe (PID: 3588)
  - build2.exe (PID: 2052)
  - AppLaunch.exe (PID: 3208)
  - OMphQbCyFcCBtl7DvvxMXYSx.exe (PID: 2476)
  - jklP9z9u5977lOM9Jra3Lt6H.exe (PID: 1172)
  - RepSpacer78.exe (PID: 1356)
  - AppLaunch.exe (PID: 1840)
- PRIVATELOADER was detected
  - File.exe (PID: 2412)
  - 7bLPqgAE29n9oU6GE1YnkOFx.exe (PID: 2212)
  - o8BacxcDKYM4CFjxgAGbyc7U.exe (PID: 2360)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
  - OMphQbCyFcCBtl7DvvxMXYSx.exe (PID: 2476)
- Application was dropped or rewritten from another process
  - sxUi8Tz06yKustozuqr9FIE_.exe (PID: 2832)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - UfdXqjmddmTSw4pp9XDFO156.exe (PID: 2840)
  - Dn6iN06bsqb_g5yKsZOT2Pq0.exe (PID: 2852)
  - JyihcsQD1yeLr20qD0UiiIa9.exe (PID: 464)
  - iK3FNYYWmN0ZQnTtjXew17BN.exe (PID: 2872)
  - W_LA7WppHNUKTAnX9pzbFzJA.exe (PID: 1844)
  - qfOIPfK6dpmmrpvIxMZTZwT6.exe (PID: 2088)
  - v3399208.exe (PID: 2868)
  - v3011165.exe (PID: 2792)
  - v7644261.exe (PID: 1392)
  - a6832903.exe (PID: 1768)
  - b1048830.exe (PID: 700)
  - SchGOLr.exe (PID: 3040)
  - c3418797.exe (PID: 1776)
  - 64D8.exe (PID: 2264)
  - 674A.exe (PID: 124)
  - 674A.exe (PID: 2136)
  - d7969463.exe (PID: 2668)
  - e4008881.exe (PID: 2988)
  - danke.exe (PID: 2712)
  - bRqGy8ZO0L9.exe (PID: 2412)
  - s1EuMu.exe (PID: 2668)
  - BB28.exe (PID: 2816)
  - uYa76gMuKTb.exe (PID: 1280)
  - 674A.exe (PID: 2812)
  - BCDF.exe (PID: 912)
  - 674A.exe (PID: 2536)
  - CDD7.exe (PID: 2016)
  - CDD7.exe (PID: 1928)
  - p6iLKtOtkvK.exe (PID: 3016)
  - build2.exe (PID: 2328)
  - build2.exe (PID: 1604)
  - CDD7.exe (PID: 2388)
  - build3.exe (PID: 2648)
  - CDD7.exe (PID: 412)
  - oneetx.exe (PID: 3052)
  - oldplayer.exe (PID: 2180)
  - XandETC.exe (PID: 504)
  - XandETC.exe (PID: 1840)
  - DD78.exe (PID: 2868)
  - aafg31.exe (PID: 2352)
  - build2.exe (PID: 1792)
  - jqwt4qIT1ugnZkmyfERtiBSV.exe (PID: 2188)
  - TJ6_cQ1YaU5cfvsQEZR56UyP.exe (PID: 2400)
  - _1jsb9UznTJhOyAZS_Y2ed70.exe (PID: 3224)
  - jklP9z9u5977lOM9Jra3Lt6H.exe (PID: 1172)
  - build2.exe (PID: 2052)
  - build3.exe (PID: 3220)
  - N5MuUgzv.exe (PID: 3340)
  - oMY7Im.exe (PID: 3656)
  - l9jUx7d0.exe (PID: 2776)
  - mstsca.exe (PID: 3940)
  - oneetx.exe (PID: 4056)
  - danke.exe (PID: 1864)
  - updater.exe (PID: 1792)
  - K3nsneTyPq.exe (PID: 3668)
- Loads dropped or rewritten executable
  - is-4KIRT.tmp (PID: 1788)
  - regsvr32.exe (PID: 1740)
  - uYa76gMuKTb.exe (PID: 1280)
  - build2.exe (PID: 1604)
  - is-U2A04.tmp (PID: 3088)
  - msiexec.exe (PID: 3756)
  - build2.exe (PID: 2052)
  - rundll32.exe (PID: 3316)
  - l9jUx7d0.exe (PID: 2776)
- Registers / Runs the DLL via REGSVR32.EXE
  - UfdXqjmddmTSw4pp9XDFO156.exe (PID: 2840)
- Steals credentials from Web Browsers
  - AppLaunch.exe (PID: 1976)
  - iK3FNYYWmN0ZQnTtjXew17BN.exe (PID: 2872)
  - AppLaunch.exe (PID: 1796)
  - AppLaunch.exe (PID: 2572)
  - c3418797.exe (PID: 1776)
  - 64D8.exe (PID: 2264)
  - uYa76gMuKTb.exe (PID: 1280)
  - build2.exe (PID: 1604)
  - AppLaunch.exe (PID: 3256)
  - build2.exe (PID: 2052)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - AppLaunch.exe (PID: 3208)
  - AppLaunch.exe (PID: 3588)
  - JWtU8KbMMiNFD5ZcHJgEt4g7.exe (PID: 3976)
  - l9jUx7d0.exe (PID: 2776)
- REDLINE was detected
  - qfOIPfK6dpmmrpvIxMZTZwT6.exe (PID: 2088)
  - AppLaunch.exe (PID: 2572)
  - iK3FNYYWmN0ZQnTtjXew17BN.exe (PID: 2872)
  - AppLaunch.exe (PID: 1976)
  - AppLaunch.exe (PID: 1796)
  - c3418797.exe (PID: 1776)
  - 64D8.exe (PID: 2264)
  - BB28.exe (PID: 2816)
  - AppLaunch.exe (PID: 3256)
  - AppLaunch.exe (PID: 3588)
  - AppLaunch.exe (PID: 3208)
  - JWtU8KbMMiNFD5ZcHJgEt4g7.exe (PID: 3976)
- Application was injected by another process
  - explorer.exe (PID: 1960)
- Runs injected code in another process
  - Dn6iN06bsqb_g5yKsZOT2Pq0.exe (PID: 2852)
- Disables Windows Defender
  - a6832903.exe (PID: 1768)
  - b1048830.exe (PID: 700)
- FABOOKIE was detected
  - sxUi8Tz06yKustozuqr9FIE_.exe (PID: 2832)
  - jklP9z9u5977lOM9Jra3Lt6H.exe (PID: 1172)
- PRIVATELOADER detected by memory dumps
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - o8BacxcDKYM4CFjxgAGbyc7U.exe (PID: 2360)
  - 7bLPqgAE29n9oU6GE1YnkOFx.exe (PID: 2212)
  - OMphQbCyFcCBtl7DvvxMXYSx.exe (PID: 2476)
- SMOKE was detected
  - explorer.exe (PID: 1960)
- Changes the Windows auto-update feature
  - b1048830.exe (PID: 700)
- GCLEANER was detected
  - RepSpacer78.exe (PID: 2596)
  - RepSpacer78.exe (PID: 1356)
- Changes the autorun value in the registry
  - danke.exe (PID: 2712)
  - oneetx.exe (PID: 3052)
- Uses Task Scheduler to run other applications
  - danke.exe (PID: 2712)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - build3.exe (PID: 2648)
  - oneetx.exe (PID: 3052)
  - build3.exe (PID: 3220)
  - mstsca.exe (PID: 3940)
  - powershell.exe (PID: 4024)
- Uses Task Scheduler to autorun other applications
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - powershell.exe (PID: 3444)
- AMADEY was detected
  - danke.exe (PID: 2712)
  - oneetx.exe (PID: 3052)
- Stop is detected
  - 674A.exe (PID: 2812)
  - CDD7.exe (PID: 412)
- AMADEY detected by memory dumps
  - danke.exe (PID: 2712)
  - oneetx.exe (PID: 3052)
- Steals credentials
  - uYa76gMuKTb.exe (PID: 1280)
  - build2.exe (PID: 1604)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - build2.exe (PID: 2052)
  - l9jUx7d0.exe (PID: 2776)
- Starts CMD.EXE for self-deleting
  - uYa76gMuKTb.exe (PID: 1280)
  - RepSpacer78.exe (PID: 2596)
  - l9jUx7d0.exe (PID: 2776)
  - RepSpacer78.exe (PID: 1356)
- VIDAR was detected
  - build2.exe (PID: 1604)
  - build2.exe (PID: 2052)
- LUMMA detected by memory dumps
  - AppLaunch.exe (PID: 616)
- LUMMA was detected
  - AppLaunch.exe (PID: 2336)
  - AppLaunch.exe (PID: 616)
  - AppLaunch.exe (PID: 3180)
- ARKEI was detected
  - build2.exe (PID: 2052)
  - l9jUx7d0.exe (PID: 2776)
- Adds path to the Windows Defender exclusion list
  - explorer.exe (PID: 1960)
SUSPICIOUS
- Adds/modifies Windows certificates
  - WinRAR.exe (PID: 2432)
  - RepSpacer78.exe (PID: 2596)
  - CDD7.exe (PID: 2016)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
- Connects to the server without a host name
  - File.exe (PID: 2412)
  - 7bLPqgAE29n9oU6GE1YnkOFx.exe (PID: 2212)
  - o8BacxcDKYM4CFjxgAGbyc7U.exe (PID: 2360)
  - RepSpacer78.exe (PID: 2596)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
  - danke.exe (PID: 2712)
  - explorer.exe (PID: 1960)
  - oneetx.exe (PID: 3052)
  - OMphQbCyFcCBtl7DvvxMXYSx.exe (PID: 2476)
  - RepSpacer78.exe (PID: 1356)
  - AppLaunch.exe (PID: 1840)
- Reads settings of System Certificates
  - File.exe (PID: 2412)
  - o8BacxcDKYM4CFjxgAGbyc7U.exe (PID: 2360)
  - 7bLPqgAE29n9oU6GE1YnkOFx.exe (PID: 2212)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
  - 674A.exe (PID: 2812)
  - uYa76gMuKTb.exe (PID: 1280)
  - CDD7.exe (PID: 1928)
  - build2.exe (PID: 1604)
  - build2.exe (PID: 2052)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - OMphQbCyFcCBtl7DvvxMXYSx.exe (PID: 2476)
  - l9jUx7d0.exe (PID: 2776)
- Executes as Windows Service
  - raserver.exe (PID: 2880)
  - raserver.exe (PID: 2912)
  - raserver.exe (PID: 2692)
  - raserver.exe (PID: 2488)
  - raserver.exe (PID: 3524)
- Reads the Internet Settings
  - File.exe (PID: 2412)
  - sxUi8Tz06yKustozuqr9FIE_.exe (PID: 2832)
  - UfdXqjmddmTSw4pp9XDFO156.exe (PID: 2840)
  - RepSpacer78.exe (PID: 2596)
  - explorer.exe (PID: 1960)
  - 674A.exe (PID: 2136)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - e4008881.exe (PID: 2988)
  - danke.exe (PID: 2712)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
  - 674A.exe (PID: 2812)
  - uYa76gMuKTb.exe (PID: 1280)
  - AppLaunch.exe (PID: 2336)
  - AppLaunch.exe (PID: 2024)
  - CDD7.exe (PID: 1928)
  - CDD7.exe (PID: 412)
  - DD78.exe (PID: 2868)
  - AppLaunch.exe (PID: 616)
  - oldplayer.exe (PID: 2180)
  - oneetx.exe (PID: 3052)
  - build2.exe (PID: 1604)
  - jklP9z9u5977lOM9Jra3Lt6H.exe (PID: 1172)
  - build2.exe (PID: 2052)
  - _1jsb9UznTJhOyAZS_Y2ed70.exe (PID: 3224)
  - RepSpacer78.exe (PID: 1356)
  - powershell.exe (PID: 3920)
  - l9jUx7d0.exe (PID: 2776)
  - AppLaunch.exe (PID: 1840)
  - AppLaunch.exe (PID: 3180)
- Executable content was dropped or overwritten
  - File.exe (PID: 2412)
  - JyihcsQD1yeLr20qD0UiiIa9.exe (PID: 464)
  - W_LA7WppHNUKTAnX9pzbFzJA.exe (PID: 1844)
  - is-4KIRT.tmp (PID: 1788)
  - v3399208.exe (PID: 2868)
  - UfdXqjmddmTSw4pp9XDFO156.exe (PID: 2840)
  - v3011165.exe (PID: 2792)
  - v7644261.exe (PID: 1392)
  - RepSpacer78.exe (PID: 2596)
  - explorer.exe (PID: 1960)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - e4008881.exe (PID: 2988)
  - 674A.exe (PID: 2136)
  - 674A.exe (PID: 2812)
  - uYa76gMuKTb.exe (PID: 1280)
  - build3.exe (PID: 2648)
  - DD78.exe (PID: 2868)
  - oldplayer.exe (PID: 2180)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
  - CDD7.exe (PID: 412)
  - TJ6_cQ1YaU5cfvsQEZR56UyP.exe (PID: 2400)
  - _1jsb9UznTJhOyAZS_Y2ed70.exe (PID: 3224)
  - is-U2A04.tmp (PID: 3088)
  - RepSpacer78.exe (PID: 1356)
  - danke.exe (PID: 2712)
  - XandETC.exe (PID: 1840)
- Checks Windows Trust Settings
  - File.exe (PID: 2412)
  - 674A.exe (PID: 2812)
  - uYa76gMuKTb.exe (PID: 1280)
  - CDD7.exe (PID: 1928)
  - build2.exe (PID: 1604)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
  - build2.exe (PID: 2052)
  - l9jUx7d0.exe (PID: 2776)
- Reads security settings of Internet Explorer
  - File.exe (PID: 2412)
  - 674A.exe (PID: 2812)
  - uYa76gMuKTb.exe (PID: 1280)
  - CDD7.exe (PID: 1928)
  - build2.exe (PID: 1604)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
  - build2.exe (PID: 2052)
  - l9jUx7d0.exe (PID: 2776)
- Process requests binary or script from the Internet
  - File.exe (PID: 2412)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - explorer.exe (PID: 1960)
  - 674A.exe (PID: 2812)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
  - CDD7.exe (PID: 412)
  - danke.exe (PID: 2712)
- Connects to unusual port
  - File.exe (PID: 2412)
  - AppLaunch.exe (PID: 1976)
  - iK3FNYYWmN0ZQnTtjXew17BN.exe (PID: 2872)
  - qfOIPfK6dpmmrpvIxMZTZwT6.exe (PID: 2088)
  - AppLaunch.exe (PID: 2572)
  - AppLaunch.exe (PID: 1796)
  - 2XmlBiQgNCJEAQyeCKnWLtBZ.exe (PID: 2120)
  - c3418797.exe (PID: 1776)
  - 64D8.exe (PID: 2264)
  - certreq.exe (PID: 1660)
  - BB28.exe (PID: 2816)
  - uYa76gMuKTb.exe (PID: 1280)
  - build2.exe (PID: 1604)
  - AppLaunch.exe (PID: 3256)
  - JWtU8KbMMiNFD5ZcHJgEt4g7.exe (PID: 3976)
  - AppLaunch.exe (PID: 3588)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - build2.exe (PID: 2052)
  - AppLaunch.exe (PID: 3208)
  - l9jUx7d0.exe (PID: 2776)
- Reads the Windows owner or organization settings
  - is-4KIRT.tmp (PID: 1788)
  - is-U2A04.tmp (PID: 3088)
- The process checks if it is being run in the virtual environment
  - regsvr32.exe (PID: 1740)
  - 2XmlBiQgNCJEAQyeCKnWLtBZ.exe (PID: 2120)
  - msiexec.exe (PID: 3756)
- Reads Microsoft Outlook installation path
  - RepSpacer78.exe (PID: 2596)
  - RepSpacer78.exe (PID: 1356)
- Checks for external IP
  - 7bLPqgAE29n9oU6GE1YnkOFx.exe (PID: 2212)
  - o8BacxcDKYM4CFjxgAGbyc7U.exe (PID: 2360)
  - File.exe (PID: 2412)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - OMphQbCyFcCBtl7DvvxMXYSx.exe (PID: 2476)
- Searches for installed software
  - qfOIPfK6dpmmrpvIxMZTZwT6.exe (PID: 2088)
  - AppLaunch.exe (PID: 1976)
  - iK3FNYYWmN0ZQnTtjXew17BN.exe (PID: 2872)
  - AppLaunch.exe (PID: 2572)
  - AppLaunch.exe (PID: 1796)
  - certreq.exe (PID: 1660)
  - c3418797.exe (PID: 1776)
  - 64D8.exe (PID: 2264)
  - BB28.exe (PID: 2816)
  - uYa76gMuKTb.exe (PID: 1280)
  - build2.exe (PID: 1604)
  - is-U2A04.tmp (PID: 3088)
  - AppLaunch.exe (PID: 3256)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - build2.exe (PID: 2052)
  - JWtU8KbMMiNFD5ZcHJgEt4g7.exe (PID: 3976)
  - AppLaunch.exe (PID: 3208)
  - AppLaunch.exe (PID: 2336)
  - AppLaunch.exe (PID: 3588)
  - l9jUx7d0.exe (PID: 2776)
  - AppLaunch.exe (PID: 616)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - uYa76gMuKTb.exe (PID: 1280)
  - build2.exe (PID: 1604)
  - build2.exe (PID: 2052)
  - l9jUx7d0.exe (PID: 2776)
- Reads browser cookies
  - qfOIPfK6dpmmrpvIxMZTZwT6.exe (PID: 2088)
  - AppLaunch.exe (PID: 1976)
  - iK3FNYYWmN0ZQnTtjXew17BN.exe (PID: 2872)
  - AppLaunch.exe (PID: 1796)
  - AppLaunch.exe (PID: 2572)
  - 64D8.exe (PID: 2264)
  - c3418797.exe (PID: 1776)
  - BB28.exe (PID: 2816)
  - AppLaunch.exe (PID: 3256)
  - JWtU8KbMMiNFD5ZcHJgEt4g7.exe (PID: 3976)
  - AppLaunch.exe (PID: 3208)
  - AppLaunch.exe (PID: 3588)
- Application launched itself
  - 674A.exe (PID: 124)
  - cmd.exe (PID: 2840)
  - 674A.exe (PID: 2536)
  - 674A.exe (PID: 2136)
  - CDD7.exe (PID: 2016)
  - build2.exe (PID: 2328)
  - CDD7.exe (PID: 1928)
  - CDD7.exe (PID: 2388)
  - cmd.exe (PID: 2300)
  - explorer.exe (PID: 1960)
  - build2.exe (PID: 1792)
- Loads DLL from Mozilla Firefox
  - certreq.exe (PID: 1660)
- Accesses Microsoft Outlook profiles
  - certreq.exe (PID: 1660)
- Starts itself from another location
  - e4008881.exe (PID: 2988)
  - oldplayer.exe (PID: 2180)
- Starts CMD.EXE for commands execution
  - cmd.exe (PID: 2840)
  - danke.exe (PID: 2712)
  - oneetx.exe (PID: 3052)
  - cmd.exe (PID: 2300)
  - uYa76gMuKTb.exe (PID: 1280)
  - RepSpacer78.exe (PID: 2596)
  - explorer.exe (PID: 1960)
  - l9jUx7d0.exe (PID: 2776)
  - RepSpacer78.exe (PID: 1356)
- Uses ICACLS.EXE to modify access control lists
  - cmd.exe (PID: 2840)
  - 674A.exe (PID: 2136)
  - cmd.exe (PID: 2300)
- Reads the BIOS version
  - bRqGy8ZO0L9.exe (PID: 2412)
  - s1EuMu.exe (PID: 2668)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - oMY7Im.exe (PID: 3656)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 1732)
  - cmd.exe (PID: 1524)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 2776)
  - cmd.exe (PID: 3152)
- Script adds exclusion path to Windows Defender
  - explorer.exe (PID: 1960)
- Starts POWERSHELL.EXE for commands execution
  - explorer.exe (PID: 1960)
- Starts SC.EXE for service management
  - cmd.exe (PID: 3272)
- The process checks if current user has admin rights
  - explorer.exe (PID: 1960)
- Uses powercfg.exe to modify the power settings
  - cmd.exe (PID: 3296)
- The process executes via Task Scheduler
  - mstsca.exe (PID: 3940)
  - oneetx.exe (PID: 4056)
  - danke.exe (PID: 1864)
  - updater.exe (PID: 1792)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 3272)
INFO
- Checks supported languages
  - File.exe (PID: 2412)
  - sxUi8Tz06yKustozuqr9FIE_.exe (PID: 2832)
  - UfdXqjmddmTSw4pp9XDFO156.exe (PID: 2840)
  - iK3FNYYWmN0ZQnTtjXew17BN.exe (PID: 2872)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - JyihcsQD1yeLr20qD0UiiIa9.exe (PID: 464)
  - qfOIPfK6dpmmrpvIxMZTZwT6.exe (PID: 2088)
  - sYptvclcwAuqZcxcHTibMmy0.exe (PID: 2280)
  - vuUG5hnwthvkiqXOCwY0aQ3A.exe (PID: 2892)
  - o8BacxcDKYM4CFjxgAGbyc7U.exe (PID: 2360)
  - xSnNTymRtCfk5vjYwOPCv8RO.exe (PID: 2216)
  - 7bLPqgAE29n9oU6GE1YnkOFx.exe (PID: 2212)
  - W_LA7WppHNUKTAnX9pzbFzJA.exe (PID: 1844)
  - AppLaunch.exe (PID: 2572)
  - AppLaunch.exe (PID: 1976)
  - 2XmlBiQgNCJEAQyeCKnWLtBZ.exe (PID: 2120)
  - AppLaunch.exe (PID: 1796)
  - is-4KIRT.tmp (PID: 1788)
  - v3399208.exe (PID: 2868)
  - Dn6iN06bsqb_g5yKsZOT2Pq0.exe (PID: 2852)
  - v3011165.exe (PID: 2792)
  - v7644261.exe (PID: 1392)
  - RepSpacer78.exe (PID: 2596)
  - b1048830.exe (PID: 700)
  - a6832903.exe (PID: 1768)
  - SchGOLr.exe (PID: 3040)
  - c3418797.exe (PID: 1776)
  - 64D8.exe (PID: 2264)
  - 674A.exe (PID: 124)
  - 674A.exe (PID: 2136)
  - d7969463.exe (PID: 2668)
  - e4008881.exe (PID: 2988)
  - danke.exe (PID: 2712)
  - bRqGy8ZO0L9.exe (PID: 2412)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
  - s1EuMu.exe (PID: 2668)
  - BCDF.exe (PID: 912)
  - BB28.exe (PID: 2816)
  - uYa76gMuKTb.exe (PID: 1280)
  - 674A.exe (PID: 2812)
  - 674A.exe (PID: 2536)
  - CDD7.exe (PID: 2016)
  - p6iLKtOtkvK.exe (PID: 3016)
  - AppLaunch.exe (PID: 2336)
  - CDD7.exe (PID: 1928)
  - build2.exe (PID: 2328)
  - AppLaunch.exe (PID: 2024)
  - build2.exe (PID: 1604)
  - CDD7.exe (PID: 2388)
  - build3.exe (PID: 2648)
  - CDD7.exe (PID: 412)
  - DD78.exe (PID: 2868)
  - oldplayer.exe (PID: 2180)
  - AppLaunch.exe (PID: 616)
  - XandETC.exe (PID: 1840)
  - oneetx.exe (PID: 3052)
  - build2.exe (PID: 1792)
  - jqwt4qIT1ugnZkmyfERtiBSV.exe (PID: 2188)
  - jklP9z9u5977lOM9Jra3Lt6H.exe (PID: 1172)
  - jMo313G7V5N0k1jaPV9Koe8Y.exe (PID: 3216)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - _1jsb9UznTJhOyAZS_Y2ed70.exe (PID: 3224)
  - DsvMHMhVvXuG97fFlc1m_w6F.exe (PID: 3352)
  - sS4189ueVD0iDAx3ShIpPBs0.exe (PID: 3984)
  - AppLaunch.exe (PID: 3588)
  - JWtU8KbMMiNFD5ZcHJgEt4g7.exe (PID: 3976)
  - TJ6_cQ1YaU5cfvsQEZR56UyP.exe (PID: 2400)
  - build2.exe (PID: 2052)
  - AppLaunch.exe (PID: 3256)
  - is-U2A04.tmp (PID: 3088)
  - AppLaunch.exe (PID: 3208)
  - OMphQbCyFcCBtl7DvvxMXYSx.exe (PID: 2476)
  - build3.exe (PID: 3220)
  - RepSpacer78.exe (PID: 1356)
  - N5MuUgzv.exe (PID: 3340)
  - oMY7Im.exe (PID: 3656)
  - l9jUx7d0.exe (PID: 2776)
  - danke.exe (PID: 1864)
  - oneetx.exe (PID: 4056)
  - mstsca.exe (PID: 3940)
  - AppLaunch.exe (PID: 1840)
  - K3nsneTyPq.exe (PID: 3668)
  - updater.exe (PID: 1792)
  - AppLaunch.exe (PID: 3180)
- The process checks LSA protection
  - File.exe (PID: 2412)
  - UfdXqjmddmTSw4pp9XDFO156.exe (PID: 2840)
  - sxUi8Tz06yKustozuqr9FIE_.exe (PID: 2832)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - is-4KIRT.tmp (PID: 1788)
  - 7bLPqgAE29n9oU6GE1YnkOFx.exe (PID: 2212)
  - o8BacxcDKYM4CFjxgAGbyc7U.exe (PID: 2360)
  - iK3FNYYWmN0ZQnTtjXew17BN.exe (PID: 2872)
  - qfOIPfK6dpmmrpvIxMZTZwT6.exe (PID: 2088)
  - AppLaunch.exe (PID: 1796)
  - AppLaunch.exe (PID: 2572)
  - AppLaunch.exe (PID: 1976)
  - 2XmlBiQgNCJEAQyeCKnWLtBZ.exe (PID: 2120)
  - RepSpacer78.exe (PID: 2596)
  - 64D8.exe (PID: 2264)
  - explorer.exe (PID: 1960)
  - c3418797.exe (PID: 1776)
  - 674A.exe (PID: 2136)
  - e4008881.exe (PID: 2988)
  - danke.exe (PID: 2712)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
  - 674A.exe (PID: 2812)
  - icacls.exe (PID: 2968)
  - BB28.exe (PID: 2816)
  - uYa76gMuKTb.exe (PID: 1280)
  - AppLaunch.exe (PID: 2336)
  - bRqGy8ZO0L9.exe (PID: 2412)
  - AppLaunch.exe (PID: 2024)
  - CDD7.exe (PID: 1928)
  - CDD7.exe (PID: 412)
  - s1EuMu.exe (PID: 2668)
  - AppLaunch.exe (PID: 616)
  - DD78.exe (PID: 2868)
  - oneetx.exe (PID: 3052)
  - oldplayer.exe (PID: 2180)
  - build2.exe (PID: 1604)
  - taskkill.exe (PID: 2544)
  - _1jsb9UznTJhOyAZS_Y2ed70.exe (PID: 3224)
  - JWtU8KbMMiNFD5ZcHJgEt4g7.exe (PID: 3976)
  - jklP9z9u5977lOM9Jra3Lt6H.exe (PID: 1172)
  - AppLaunch.exe (PID: 3208)
  - AppLaunch.exe (PID: 3256)
  - is-U2A04.tmp (PID: 3088)
  - build2.exe (PID: 2052)
  - AppLaunch.exe (PID: 3588)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - jqwt4qIT1ugnZkmyfERtiBSV.exe (PID: 2188)
  - OMphQbCyFcCBtl7DvvxMXYSx.exe (PID: 2476)
  - RepSpacer78.exe (PID: 1356)
  - l9jUx7d0.exe (PID: 2776)
  - AppLaunch.exe (PID: 1840)
  - oMY7Im.exe (PID: 3656)
  - AppLaunch.exe (PID: 3180)
  - taskkill.exe (PID: 3252)
- Reads the computer name
  - File.exe (PID: 2412)
  - sxUi8Tz06yKustozuqr9FIE_.exe (PID: 2832)
  - AppLaunch.exe (PID: 2572)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - AppLaunch.exe (PID: 1976)
  - AppLaunch.exe (PID: 1796)
  - is-4KIRT.tmp (PID: 1788)
  - iK3FNYYWmN0ZQnTtjXew17BN.exe (PID: 2872)
  - qfOIPfK6dpmmrpvIxMZTZwT6.exe (PID: 2088)
  - UfdXqjmddmTSw4pp9XDFO156.exe (PID: 2840)
  - 7bLPqgAE29n9oU6GE1YnkOFx.exe (PID: 2212)
  - o8BacxcDKYM4CFjxgAGbyc7U.exe (PID: 2360)
  - a6832903.exe (PID: 1768)
  - 2XmlBiQgNCJEAQyeCKnWLtBZ.exe (PID: 2120)
  - RepSpacer78.exe (PID: 2596)
  - b1048830.exe (PID: 700)
  - 64D8.exe (PID: 2264)
  - c3418797.exe (PID: 1776)
  - 674A.exe (PID: 2136)
  - e4008881.exe (PID: 2988)
  - danke.exe (PID: 2712)
  - bRqGy8ZO0L9.exe (PID: 2412)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
  - s1EuMu.exe (PID: 2668)
  - 674A.exe (PID: 2812)
  - BB28.exe (PID: 2816)
  - uYa76gMuKTb.exe (PID: 1280)
  - AppLaunch.exe (PID: 2336)
  - AppLaunch.exe (PID: 2024)
  - CDD7.exe (PID: 1928)
  - build2.exe (PID: 1604)
  - CDD7.exe (PID: 412)
  - AppLaunch.exe (PID: 616)
  - DD78.exe (PID: 2868)
  - oldplayer.exe (PID: 2180)
  - oneetx.exe (PID: 3052)
  - jklP9z9u5977lOM9Jra3Lt6H.exe (PID: 1172)
  - AppLaunch.exe (PID: 3588)
  - JWtU8KbMMiNFD5ZcHJgEt4g7.exe (PID: 3976)
  - AppLaunch.exe (PID: 3208)
  - build2.exe (PID: 2052)
  - _1jsb9UznTJhOyAZS_Y2ed70.exe (PID: 3224)
  - is-U2A04.tmp (PID: 3088)
  - AppLaunch.exe (PID: 3256)
  - jqwt4qIT1ugnZkmyfERtiBSV.exe (PID: 2188)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - OMphQbCyFcCBtl7DvvxMXYSx.exe (PID: 2476)
  - RepSpacer78.exe (PID: 1356)
  - oMY7Im.exe (PID: 3656)
  - l9jUx7d0.exe (PID: 2776)
  - AppLaunch.exe (PID: 1840)
  - AppLaunch.exe (PID: 3180)
- Reads the machine GUID from the registry
  - File.exe (PID: 2412)
  - sxUi8Tz06yKustozuqr9FIE_.exe (PID: 2832)
  - iK3FNYYWmN0ZQnTtjXew17BN.exe (PID: 2872)
  - qfOIPfK6dpmmrpvIxMZTZwT6.exe (PID: 2088)
  - AppLaunch.exe (PID: 1796)
  - AppLaunch.exe (PID: 2572)
  - AppLaunch.exe (PID: 1976)
  - 2XmlBiQgNCJEAQyeCKnWLtBZ.exe (PID: 2120)
  - o8BacxcDKYM4CFjxgAGbyc7U.exe (PID: 2360)
  - RepSpacer78.exe (PID: 2596)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - 7bLPqgAE29n9oU6GE1YnkOFx.exe (PID: 2212)
  - 64D8.exe (PID: 2264)
  - c3418797.exe (PID: 1776)
  - 674A.exe (PID: 2136)
  - e4008881.exe (PID: 2988)
  - danke.exe (PID: 2712)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
  - BB28.exe (PID: 2816)
  - 674A.exe (PID: 2812)
  - uYa76gMuKTb.exe (PID: 1280)
  - bRqGy8ZO0L9.exe (PID: 2412)
  - AppLaunch.exe (PID: 2336)
  - AppLaunch.exe (PID: 2024)
  - CDD7.exe (PID: 1928)
  - build2.exe (PID: 1604)
  - CDD7.exe (PID: 412)
  - s1EuMu.exe (PID: 2668)
  - AppLaunch.exe (PID: 616)
  - oldplayer.exe (PID: 2180)
  - oneetx.exe (PID: 3052)
  - JWtU8KbMMiNFD5ZcHJgEt4g7.exe (PID: 3976)
  - jklP9z9u5977lOM9Jra3Lt6H.exe (PID: 1172)
  - build2.exe (PID: 2052)
  - AppLaunch.exe (PID: 3588)
  - AppLaunch.exe (PID: 3208)
  - AppLaunch.exe (PID: 3256)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - OMphQbCyFcCBtl7DvvxMXYSx.exe (PID: 2476)
  - jqwt4qIT1ugnZkmyfERtiBSV.exe (PID: 2188)
  - RepSpacer78.exe (PID: 1356)
  - l9jUx7d0.exe (PID: 2776)
  - AppLaunch.exe (PID: 1840)
  - oMY7Im.exe (PID: 3656)
  - AppLaunch.exe (PID: 3180)
- Process checks computer location settings
  - File.exe (PID: 2412)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
- Checks proxy server information
  - File.exe (PID: 2412)
  - sxUi8Tz06yKustozuqr9FIE_.exe (PID: 2832)
  - RepSpacer78.exe (PID: 2596)
  - 674A.exe (PID: 2136)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - danke.exe (PID: 2712)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
  - 674A.exe (PID: 2812)
  - uYa76gMuKTb.exe (PID: 1280)
  - AppLaunch.exe (PID: 2336)
  - AppLaunch.exe (PID: 2024)
  - CDD7.exe (PID: 1928)
  - CDD7.exe (PID: 412)
  - AppLaunch.exe (PID: 616)
  - oneetx.exe (PID: 3052)
  - build2.exe (PID: 1604)
  - jklP9z9u5977lOM9Jra3Lt6H.exe (PID: 1172)
  - build2.exe (PID: 2052)
  - RepSpacer78.exe (PID: 1356)
  - l9jUx7d0.exe (PID: 2776)
  - AppLaunch.exe (PID: 1840)
  - AppLaunch.exe (PID: 3180)
- Creates files or folders in the user directory
  - File.exe (PID: 2412)
  - sxUi8Tz06yKustozuqr9FIE_.exe (PID: 2832)
  - RepSpacer78.exe (PID: 2596)
  - explorer.exe (PID: 1960)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - 674A.exe (PID: 2136)
  - 674A.exe (PID: 2812)
  - uYa76gMuKTb.exe (PID: 1280)
  - CDD7.exe (PID: 1928)
  - build3.exe (PID: 2648)
  - AppLaunch.exe (PID: 616)
  - VH1UcyhOpu6QAytAA4bFL3Kg.exe (PID: 556)
  - AppLaunch.exe (PID: 2336)
  - CDD7.exe (PID: 412)
  - jklP9z9u5977lOM9Jra3Lt6H.exe (PID: 1172)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - danke.exe (PID: 2712)
  - RepSpacer78.exe (PID: 1356)
- Create files in a temporary directory
  - File.exe (PID: 2412)
  - JyihcsQD1yeLr20qD0UiiIa9.exe (PID: 464)
  - W_LA7WppHNUKTAnX9pzbFzJA.exe (PID: 1844)
  - is-4KIRT.tmp (PID: 1788)
  - v3399208.exe (PID: 2868)
  - UfdXqjmddmTSw4pp9XDFO156.exe (PID: 2840)
  - v3011165.exe (PID: 2792)
  - v7644261.exe (PID: 1392)
  - explorer.exe (PID: 1960)
  - e4008881.exe (PID: 2988)
  - DD78.exe (PID: 2868)
  - oldplayer.exe (PID: 2180)
  - TJ6_cQ1YaU5cfvsQEZR56UyP.exe (PID: 2400)
  - is-U2A04.tmp (PID: 3088)
  - _1jsb9UznTJhOyAZS_Y2ed70.exe (PID: 3224)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - JWtU8KbMMiNFD5ZcHJgEt4g7.exe (PID: 3976)
- Application was dropped or rewritten from another process
  - is-4KIRT.tmp (PID: 1788)
  - is-U2A04.tmp (PID: 3088)
- Creates files in the program directory
  - is-4KIRT.tmp (PID: 1788)
  - XK64lh1fBajdQQmvX9SlTBA2.exe (PID: 1704)
  - uYa76gMuKTb.exe (PID: 1280)
  - build2.exe (PID: 1604)
  - is-U2A04.tmp (PID: 3088)
  - build2.exe (PID: 2052)
  - XandETC.exe (PID: 1840)
  - l9jUx7d0.exe (PID: 2776)
- Reads Environment values
  - qfOIPfK6dpmmrpvIxMZTZwT6.exe (PID: 2088)
  - AppLaunch.exe (PID: 1976)
  - AppLaunch.exe (PID: 1796)
  - iK3FNYYWmN0ZQnTtjXew17BN.exe (PID: 2872)
  - AppLaunch.exe (PID: 2572)
  - 64D8.exe (PID: 2264)
  - c3418797.exe (PID: 1776)
  - BB28.exe (PID: 2816)
  - uYa76gMuKTb.exe (PID: 1280)
  - build2.exe (PID: 1604)
  - AppLaunch.exe (PID: 3256)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - JWtU8KbMMiNFD5ZcHJgEt4g7.exe (PID: 3976)
  - AppLaunch.exe (PID: 3208)
  - AppLaunch.exe (PID: 3588)
  - build2.exe (PID: 2052)
  - l9jUx7d0.exe (PID: 2776)
- Manual execution by a user
  - certreq.exe (PID: 1660)
- Process checks are UAC notifies on
  - bRqGy8ZO0L9.exe (PID: 2412)
  - s1EuMu.exe (PID: 2668)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - oMY7Im.exe (PID: 3656)
- Reads product name
  - uYa76gMuKTb.exe (PID: 1280)
  - build2.exe (PID: 1604)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - build2.exe (PID: 2052)
  - l9jUx7d0.exe (PID: 2776)
- Reads CPU info
  - uYa76gMuKTb.exe (PID: 1280)
  - build2.exe (PID: 1604)
  - g_hoMAUw4VwjOKlYHTY7P3Sg.exe (PID: 3304)
  - build2.exe (PID: 2052)
  - l9jUx7d0.exe (PID: 2776)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

PrivateLoader

(PID) Process(1704) XK64lh1fBajdQQmvX9SlTBA2.exe

C2 (4)85.208.136.10

94.142.138.131

94.142.138.113

208.67.104.60

Strings (62)Unknown

SOFTWARE\Microsoft\Cryptography

MachineGuid

telegram.org

twitter.com

yandex.ru

google.com

/api/tracemap.php

http://

15.5pnp.10.lock

data=

/api/firecom.php

ipinfo.io/widget

country

db-ip.com

data-api-key="

/self

countryCode

www.maxmind.com/geoip/v2.1/city/me

iso_code

GetIP

api.ipgeolocation.io/ipgeo?include=hostname&ip=

country_code2

PowerControl

\PowerControl

\PowerControl_Svc.exe

Power monitoring service for your device.

WININET.dll

WINHTTP.dll

85.208.136.10

94.142.138.131

94.142.138.113

208.67.104.60

GetVersion|

GetUpdateLink

https://

Later

" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

schtasks /create /f /RU "

" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST

WinHttpConnect

WinHttpQueryHeaders

WinHttpOpen

WinHttpOpenRequest

WinHttpQueryDataAvailable

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpReadData

WinHttpCloseHandle

WinHttpSetTimeouts

CharNextA

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

InternetOpenA

InternetSetOptionA

HttpOpenRequestA

InternetConnectA

InternetOpenUrlA

HttpQueryInfoA

InternetQueryOptionA

HttpSendRequestA

InternetReadFile

InternetCloseHandle

(PID) Process(2360) o8BacxcDKYM4CFjxgAGbyc7U.exe

C2 (8)http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

45.15.156.229

94.131.106.196

5.181.80.133

94.142.138.131

94.142.138.113

208.67.104.60

Attributes

Payload (36)https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1

https://vk.com/doc746114504_647280734?hash=Doz4iot4bg0WOvZC8ZMInERV5U1fmjrKZZhl7jf6wBE&dl=G42DMMJRGQ2TANA:1661413506:vGfIf9YivGqE9gd11wvm9KZLzv9DMwdM9Wp0LmcsAhz&api=1&no_preview=1

https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://193.56.146.76/Proxytest.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://privacy-tools-for-you-780.com/downloads/toolspab3.exe

http://luminati-china.xyz/aman/casper2.exe

https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe

http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe

https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp

http://185.215.113.208/ferrari.exe

https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp

https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp

https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp

http://mnbuiy.pw/adsli/note8876.exe

https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe

http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe

https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

https://iplogger.org/2BTmf7

https://iplogger.org/2BAmf7

https://iplogger.org/2BDmf7

https://iplogger.org/2BFmf7

https://iplogger.org/2s2pg6

https://iplogger.org/2s3pg6

https://iplogger.org/2s4pg6

https://iplogger.org/2s5pg6

https://iplogger.org/2s6pg6

https://iplogger.org/2s7pg6

Strings (823)Snowman+under_a_sn0wdrift_forgot_the_Snow_Maiden

iplogger.org/1nhuM4.js

SOFTWARE\LilFreske

Installed

SOFTWARE\LilFreskeUS

IsWow64Process

GetModuleHandleA

LoadLibraryA

SetPriorityClass

Sleep

GetTempPathA

CreateProcessA

GetFileAttributesA

CreateDirectoryA

CreateThread

CloseHandle

VirtualAlloc

VirtualFree

OpenProcess

TerminateProcess

GetUserGeoID

ntdll.dll

NtQuerySystemInformation

RtlGetVersion

Shell32.dll

ShellExecuteA

SHGetFolderPathA

Advapi32.dll

RegOpenKeyExA

RegSetValueExA

RegCloseKey

RegCreateKeyExA

RegDeleteKeyA

RegDeleteValueA

RegQueryValueExA

RegEnumKeyExA

ConvertSidToStringSidA

LookupAccountNameA

WINHTTP.dll

wininet.dll

GetComputerNameA

VerSetConditionMask

VerifyVersionInfoW

GetGeoInfoA

GetCurrentProcess

GetVersionExA

MultiByteToWideChar

WideCharToMultiByte

GetCurrentProcessId

CreateToolhelp32Snapshot

Process32First

Process32Next

Wow64DisableWow64FsRedirection

Wow64RevertWow64FsRedirection

User32.dll

CharToOemA

//Minor Policy

SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions

Exclusions_Extensions

SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions

SOFTWARE\Policies\Microsoft\Windows Defender

DisableAntiSpyware

DisableRoutinelyTakingAction

SOFTWARE\Policies\Microsoft\Windows\System

EnableSmartScreen

SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

DisableBehaviorMonitoring

DisableOnAccessProtection

DisableScanOnRealtimeEnable

DisableRealtimeMonitoring

DisableIOAVProtection

DisableRawWriteNotification

Windows Server 2016

Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 R2

Windows Server 2008

Windows Server

Windows 10

Windows 8.1

Windows 8

Windows 7

Windows Vista

Windows XP

(x64)

(x32)

explorer.exe

current

children

SOFTWARE\Classes\ms-settings\Shell\Open\command

DelegateExecute

\ComputerDefaults.exe

SOFTWARE\Classes

ms-settings\Shell\Open\command

ms-settings\Shell\Open

ms-settings\Shell

ms-settings

data=

/api/firegate.php

Error!

onlyType

ext_url

cfg_url

ipinfo.io/widget

country

company

Google LLC

db-ip.com

data-api-key="

/self

countryCode

organization

www.maxmind.com/geoip/v2.1/city/me

iso_code

traits

GetIP

api.ipgeolocation.io/ipgeo?include=hostname&ip=

country_code2

/api/tracemap.php

http://

15.5pnp.10.lock

Guest Profile

System Profile

\Google\Chrome\Application

(x86)\Google\Chrome\Application

SOFTWARE\Google\Chrome\BLBeacon

version

\resources.pak

SOFTWARE\Google\Chrome\PreferenceMACs

\Google\Chrome\User Data\

\Secure Preferences

filter_browsers

chrome

browser

use_open_browser

extensions

settings

install_time

\Extensions\

\u003C

protection

extensions.settings.

super_mac

chrome.exe

ChromeRegistryHashStoreValidationSeed

\extensions.settings

SOFTWARE\Google\Chrome\PreferenceMACs\

\chrome.exe

\Microsoft\Edge\Application

(x86)\Microsoft\Edge\Application

SOFTWARE\Microsoft\Edge\BLBeacon

SOFTWARE\Microsoft\Edge\PreferenceMACs

\Microsoft\Edge\User Data\

msedge.exe

SOFTWARE\Microsoft\Edge\PreferenceMACs\

\msedge.exe

\Roaming

\atomic

\Atomic Wallet

\com.liberty.jaxx

\Electrum

\Exodus

\MultiDoge

\Monero

\binance.chain

\Binance

\Metamask

\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec

\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp

\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec

\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa

\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh

\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn

\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca

\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn

\Local Extension Settings\fmblappgoiilbgafhjklehhfifbdocee

\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf

\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo

\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm

sorare.com

yobit.net

zb.com

binance.com

huobi.com

okex.com

hitbtc.com

bitfinex.com

kraken.com

bitstamp.net

payoneer.com

bittrex.com

bittrex.zendesk.com

gate.io

exmo.com

yobit.io

bitflyer.com

poloniex.com

kucoin.com

coinone.co.kr

localbitcoins.com

korbit.co.kr

cex.io

luno.com

bitkonan.com

jubi.com

koinex.in

koineks.com

kuna.io

koinim.com

kiwi-coin.com

leoxchange.com

lykke.com

localtrade.cc

magnr.com

lbank.info

itbit.com

gemini.com

gdax.com

gatehub.net

satoshitango.com

foxbit.com.br

flowbtc.com.br

exx.com

exrates.me

excambriorex.com

ezbtc.ca

infinitycoin.exchange

tdax.com

stex.com

vbtc.exchange

coinmarketcap.com

vwlpro.com

nocks.com

nlexch.com

novaexchange.com

mynxt.info

nzbcx.com

nevbit.com

mixcoins.com

mr.exchange

neraex.pro

dsx.uk

okcoin.com

liquid.com

quoine.com

quadrigacx.com

rightbtc.com

rippex.net

ripplefox.com

qryptos.com

ore.bz

openledger.info

omnidex.io

paribu.com

paymium.com

dcexchange.ru

dcexe.com

bitmex.com

funpay.ru

bitmaszyna.pl

bitonic.nl

bitpanda.com

bitsblockchain.net

bitmarket.net

bitlish.com

bitfex.trade

blockchain.com

blockchain.info

cryptofresh.com

btcmarkets.net

braziliex.com

btc-trade.com.ua

btc-alpha.com

bitspark.io

bitso.com

bittylicious.com

altcointrader.co.za

arenabitcoin.com

allcoin.com

796.com

abucoins.com

aidosmarket.com

bitcointrade.com

bitcointoyou.com

bitbanktrade.jp

big.one

bcex.ca

bitconnect.co

coinsbank.com

coinsecure.in

coinsquare.com

coinspot.io

coinsmarkets.com

crypto-bridge.org

dcex.com

dabtc.com

decentrex.com

deribit.com

dgtmarket.com

btcturk.com

btcxindia.com

bt.cx

bitstarcoin.com

coincheck.com

coinmate.io

coingi.com

coinnest.co.kr

coinrail.co.kr

coinpit.io

coingather.com

coinfloor.co.uk

coinegg.com

coincorner.com

coinexchange.io

pancakeswap.finance

coinbase.com

livecoin.net

mercatox.com

cryptobridge.freshdesk.com

volabit.com

tradeogre.com

bitkub.com

uphold.com

wallet.uphold.com

tidex.com

coinome.com

coinpayments.net

bitmax.io

bitbank.cc

independentreserve.com

bitmart.com

cryptopia.co.nz

cryptonator.com

advcash.com

my.dogechain.info

spectrocoin.com

exir.io

exir.tech

coinbene.com

bitforex.com

gopax.co.kr

catex.io

vindax.com

coineal.com

maicoin.com

finexbox.com

etherflyer.com

bx.in.th

bitopro.com

citex.co.kr

coinzo.com

atomars.com

coinfinit.com

bitker.com

dobitrade.com

btcexa.com

satowallet.com

cpdax.com

trade.io

btcnext.io

exmarkets.com

btc-exchange.com

chaoex.com

jex.com

therocktrading.com

gdac.com

southxchange.com

tokens.net

fexpro.net

btcbox.co.jp

coinmex.com

cryptology.com

cointiger.com

cashierest.com

coinbit.co.kr

mxc.com

bilaxy.com

coinall.com

coindeal.com

omgfin.com

oceanex.pro

bithumb.com

ftx.com

shortex.net

coin.z.com

fcoin.com

fatbtc.com

tokenize.exchange

simex.global

instantbitex.com

\Login Data

SOFTWARE\BraveSoftware\Brave-Browser\PreferenceMACs

\BraveSoftware\Brave-Browser\User Data\

SOFTWARE\CryptoTab Browser\PreferenceMACs

\CryptoTab Browser\User Data\

\Opera Software\Opera Stable

ascendex.com

crypto.com

coins.ph

coins.th

dogechain.info

miningpoolhub.com

/vpn/index.html

portal/webclient

remote/login

/vpn/tmindex.html

/LogonPoint/tmindex.html

XenApp1/auth/login.aspx

auth/silentDetection.aspx

/citrix/

/RDWeb/

/+CSCOE+/

/global-protect/

sslvpn.

/dana-na/

/my.policy

ncsecu.org

penfed.org

becu.org

schoolsfirstfcu.org

firsttechfed.com

golden1.com

alliantcreditunion.org

americafirst.com

suncoastcreditunion.com

secumd.org

safecu.org

missionfed.com

greendot.com

rbfcu.org

macu.com

dcu.org

ssfcu.org

bethpagefcu.com

starone.org

alaskausa.org

sdccu.com

aacreditunion.org

lmcu.org

teachersfcu.org

patelco.org

esl.org

onpointcu.com

logixbanking.com

psecu.com

deltacommunitycu.com

ent.com

cefcu.com

greenstate.org

unfcu.org

pffcu.org

wingsfinancial.com

iccu.comdesertfinancial.com

iccu.com

desertfinancial.com

hvfcu.org

wpcu.coop

redwoodcu.org

tcunet.com

wsecu.org

joviafinancial.com

coastal24.com

myeecu.org

gecreditunion.org

nymcu.org

affinityfcu.com

towerfcu.org

ccu.com

communityamerica.com

langleyfcu.org

credithuman.com

techcu.com

gecu.com

kfcu.org

applefcu.org

nasafcu.com

sfcu.org

genisyscu.org

unifyfcu.com

apcocu.org

firstcommunity.com

unitedfcu.com

fairwinds.org

ufcu.org

wescom.org

bcu.org

vacu.org

citadelbanking.com

servicecu.org

summitcreditunion.com

gesa.com

chevronfcu.org

traviscu.org

uwcu.org

communityfirstcu.org

ecu.org

sccu.com

bfsfcu.org

bellco.org

dfcufinancial.com

msufcu.org

members1st.org

landmarkcu.com

kinecta.org

midflorida.com

visionsfcu.org

veridiancu.org

statefarmfcu.com

tinkerfcu.org

sefcu.com

americanheritagecu.org

robinsfcu.org

canvas.org

growfinancial.org

truliantfcu.org

ascend.org

foundersfcu.com

calcoastcu.org

ucu.org

connexuscu.org

slfcu.org

numericacu.com

eecu.org

georgiasown.org

nusenda.org

tvacreditunion.com

pcu.org

msgcu.org

nuvisionfederal.com

trumarkonline.org

navigantcu.org

ornlfcu.com

jscfcu.org

lgfcu.org

elevationscu.com

gtefinancial.org

chartway.com

ecu.com

sdfcu.org

apcu.com

schools.org

metrocu.org

campuscu.com

adviacu.org

psfcu.com

andrewsfcu.org

eglinfcu.org

imcu.com

americaneagle.org

ttcu.com

vantagewest.org

empowerfcu.com

rfcu.com

capcomfcu.org

arizonafederal.org

csecreditunion.com

communityfirstfl.org

bayportcu.org

gwcu.org

wecu.com

stgeorge.com.au

imb.com.au

ing.com.au

bankofmelbourne.com.au

regionalaustraliabank.com

suncorp.com.au

regionalaustraliabank.com.au

bmo.com

cwbank.com

royalbank.com

vancity.com

servus.ca

coastcapitalsavings.com

alterna.ca

interiorsavings.com

synergycu.ca

mainstreetcu.ca

cu.com

fcu.com

robinhood.com

navyfederal.org

tboholidays.com

24x7rooms.com

adonis.com

abreuonline.com

almundo.com.ar

bonotel.com

bookohotel.com

didatravel.com

dotwconnect.com

eetglobal.com

escalabeds.com

fastpayhotels.com

getaroom.com

goglobal.travel

hoteldo.com.mx

hotelspro.com

jumbonline.com

kaluahtours.com

lci-euro.com

lotsofhotels.com

mikinet.co.uk

misterroom.com

nexustours.com

olympiaeurope.com

paximum.com

restel.es

rezserver.com

rezlive.com

sunhotels.com

totalstay.com

travco.co.uk

travellanda.com

smyrooms.com

welcomebeds.com

yalago.com

hotelbeds.com

mercadolibre.com.mx

hsbc.com.mx

bbvanetcash.mx

scotiabank.com.mx

santander.com.mx

bbva.mx

opensea.io

plantvsundead.com

axieinfinity.com

cryptocars.me

bombcrypto.io

cryptoplanes.me

cryptozoon.io

bankalhabib.com

correosprepago.es

orangebank.es

amazon.it

amazon.ca

amazon.de

amazon.com

netspend.com

online.citi.com

cloud.ibm.com

ca.ovh.com

account.alibabacloud.com

cloud.huawei.com

cloud.tencent.com

vultr.com

aws.amazon.com

portal.azure.com

digitalocean.com

console.scaleway.com

hetzner.com

linode.com

oracle.com

rackspace.com

phoenixnap.com

leaseweb.com

sso.ctl.io

ctl.io

lumen.com

paypal.com

WW_P_7

WW_P_8

https://

WW_P_

WW_P_1

links

ezstat.ru/1BfPg7

USA_1

iplis.ru/1BX4j7.png

iplis.ru/1BV4j7.mp4

USA_2

iplogger.org/1nkuM4.jpeg

iplis.ru/1BNhx7.mp3

iplis.ru/1pRXr7.txt

SetIncrement|ww_starts

false

iplis.ru/1S2Qs7.mp3

iplis.ru/1S3fd7.mp3

iplis.ru/17VHv7.mp3

iplis.ru/1GLDc7.mp3

iplis.ru/1xDsk7.mp3

iplis.ru/1xFsk7.mp3

WW_OPERA

iplis.ru/1GCuv7.pdf

iplis.ru/1lmex.mp3

iplis.ru/1Gemv7.mp3

WW_10

iplis.ru/1Gymv7.mp3

WW_11

iplis.ru/1tqHh7.mp3

WW_12

iplis.ru/1aFYp7.mp3

WW_13

iplis.ru/1cC8u7.mp3

WW_14

iplis.ru/1cN8u7.mp3

WW_15

iplis.ru/1kicy7.mp3

iplis.ru/1BMhx7.mp3

WW_16

iplis.ru/1edLy7.png

WW_17

iplis.ru/1nGPt7.png

WW_P_2

iplis.ru/1Bshv7.mp3

WW_P_3

iplis.ru/1Lgnh7.mp3

WW_P_4

iplis.ru/1vt8c7.mp3

WW_P_5

iplis.ru/1IcfD.mp3

WW_P_6

iplis.ru/1eXqs7.mp3

iplis.ru/1Unzy7.mp3

WW_18

iplis.ru/12hYs7.mp3

WW_19

iplis.ru/12d8d7.mp3

WW_20

iplis.ru/1Uvgu7.mp3

WW_21

iplis.ru/1jvTz7.mp3

browsers

Chrome:

Edge:

os_country_code

ip_country

AddExtensionStat|

net_country_code

https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1

https://vk.com/doc746114504_647280734?hash=Doz4iot4bg0WOvZC8ZMInERV5U1fmjrKZZhl7jf6wBE&dl=G42DMMJRGQ2TANA:1661413506:vGfIf9YivGqE9gd11wvm9KZLzv9DMwdM9Wp0LmcsAhz&api=1&no_preview=1

https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://193.56.146.76/Proxytest.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://91.241.19.125/pub.php?pub=one

http://privacy-tools-for-you-780.com/downloads/toolspab3.exe

http://luminati-china.xyz/aman/casper2.exe

https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe

http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe

https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp

http://185.215.113.208/ferrari.exe

https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp

https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp

https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp

http://mnbuiy.pw/adsli/note8876.exe

http://sarfoods.com/index.php

https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe

http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe

https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

https://iplogger.org/2BTmf7

https://iplogger.org/2BAmf7

https://iplogger.org/2BDmf7

https://iplogger.org/2BFmf7

https://iplogger.org/2s2pg6

https://iplogger.org/2s3pg6

https://iplogger.org/2s4pg6

https://iplogger.org/2s5pg6

https://iplogger.org/2s6pg6

https://iplogger.org/2s7pg6

crypto_wallets

domain

bank_wallets

cu_bank_wallets

shop_wallets

bank_au_wallets

amazon_eu

webhosts

paypal

bank_ca_wallets

browser_vbmt

GetCryptoSleeping

45.15.156.229

94.131.106.196

5.181.80.133

94.142.138.131

94.142.138.113

208.67.104.60

cryptoWallets

status

bankWallets

cuBankWallets

shops

bankAUWallets

bankCAWallets

cryptoWallets_part1

cryptoWallets_part2

bankWallets_part1

bankWallets_part2

bankMXWallets

cryptoGames

bankPKWallets

bankESWallets

SetLoaderAnalyze|

SetIncrement|not_elevated

WinHttpConnect

WinHttpQueryHeaders

WinHttpOpen

WinHttpOpenRequest

WinHttpQueryDataAvailable

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpReadData

WinHttpCloseHandle

WinHttpSetTimeouts

InternetOpenA

InternetSetOptionA

HttpOpenRequestA

InternetConnectA

InternetOpenUrlA

HttpQueryInfoA

InternetQueryOptionA

HttpSendRequestA

InternetReadFile

InternetCloseHandle

(PID) Process(2212) 7bLPqgAE29n9oU6GE1YnkOFx.exe

C2 (7)http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

45.15.156.229

85.208.136.10

94.142.138.131

94.142.138.113

208.67.104.60

Attributes

Payload (36)https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1

https://vk.com/doc746114504_647280734?hash=Doz4iot4bg0WOvZC8ZMInERV5U1fmjrKZZhl7jf6wBE&dl=G42DMMJRGQ2TANA:1661413506:vGfIf9YivGqE9gd11wvm9KZLzv9DMwdM9Wp0LmcsAhz&api=1&no_preview=1

https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://193.56.146.76/Proxytest.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://privacy-tools-for-you-780.com/downloads/toolspab3.exe

http://luminati-china.xyz/aman/casper2.exe

https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe

http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe

https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp

http://185.215.113.208/ferrari.exe

https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp

https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp

https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp

http://mnbuiy.pw/adsli/note8876.exe

https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe

http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe

https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

https://iplogger.org/2BTmf7

https://iplogger.org/2BAmf7

https://iplogger.org/2BDmf7

https://iplogger.org/2BFmf7

https://iplogger.org/2s2pg6

https://iplogger.org/2s3pg6

https://iplogger.org/2s4pg6

https://iplogger.org/2s5pg6

https://iplogger.org/2s6pg6

https://iplogger.org/2s7pg6

Strings (822)Snowman+under_a_sn0wdrift_forgot_the_Snow_Maiden

iplogger.org/1nhuM4.js

SOFTWARE\LilFreske

Installed

SOFTWARE\LilFreskeUS

IsWow64Process

GetModuleHandleA

LoadLibraryA

SetPriorityClass

Sleep

GetTempPathA

CreateProcessA

GetFileAttributesA

CreateDirectoryA

CreateThread

CloseHandle

VirtualAlloc

VirtualFree

OpenProcess

TerminateProcess

GetUserGeoID

ntdll.dll

NtQuerySystemInformation

RtlGetVersion

Shell32.dll

ShellExecuteA

SHGetFolderPathA

Advapi32.dll

RegOpenKeyExA

RegSetValueExA

RegCloseKey

RegCreateKeyExA

RegDeleteKeyA

RegDeleteValueA

RegQueryValueExA

RegEnumKeyExA

ConvertSidToStringSidA

LookupAccountNameA

WINHTTP.dll

wininet.dll

GetComputerNameA

VerSetConditionMask

VerifyVersionInfoW

GetGeoInfoA

GetCurrentProcess

GetVersionExA

MultiByteToWideChar

WideCharToMultiByte

GetCurrentProcessId

CreateToolhelp32Snapshot

Process32First

Process32Next

Wow64DisableWow64FsRedirection

Wow64RevertWow64FsRedirection

User32.dll

CharToOemA

//Minor Policy

SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions

Exclusions_Extensions

SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions

SOFTWARE\Policies\Microsoft\Windows Defender

DisableAntiSpyware

DisableRoutinelyTakingAction

SOFTWARE\Policies\Microsoft\Windows\System

EnableSmartScreen

SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

DisableBehaviorMonitoring

DisableOnAccessProtection

DisableScanOnRealtimeEnable

DisableRealtimeMonitoring

DisableIOAVProtection

DisableRawWriteNotification

Windows Server 2016

Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 R2

Windows Server 2008

Windows Server

Windows 10

Windows 8.1

Windows 8

Windows 7

Windows Vista

Windows XP

(x64)

(x32)

explorer.exe

current

children

SOFTWARE\Classes\ms-settings\Shell\Open\command

DelegateExecute

\ComputerDefaults.exe

SOFTWARE\Classes

ms-settings\Shell\Open\command

ms-settings\Shell\Open

ms-settings\Shell

ms-settings

data=

/api/firegate.php

Error!

onlyType

ext_url

cfg_url

ipinfo.io/widget

country

company

Google LLC

db-ip.com

data-api-key="

/self

countryCode

organization

www.maxmind.com/geoip/v2.1/city/me

iso_code

traits

GetIP

api.ipgeolocation.io/ipgeo?include=hostname&ip=

country_code2

/api/tracemap.php

http://

15.5pnp.10.lock

Guest Profile

System Profile

\Google\Chrome\Application

(x86)\Google\Chrome\Application

SOFTWARE\Google\Chrome\BLBeacon

version

\resources.pak

SOFTWARE\Google\Chrome\PreferenceMACs

\Google\Chrome\User Data\

\Secure Preferences

filter_browsers

chrome

browser

use_open_browser

extensions

settings

install_time

\Extensions\

\u003C

protection

extensions.settings.

super_mac

chrome.exe

ChromeRegistryHashStoreValidationSeed

\extensions.settings

SOFTWARE\Google\Chrome\PreferenceMACs\

\chrome.exe

\Microsoft\Edge\Application

(x86)\Microsoft\Edge\Application

SOFTWARE\Microsoft\Edge\BLBeacon

SOFTWARE\Microsoft\Edge\PreferenceMACs

\Microsoft\Edge\User Data\

msedge.exe

SOFTWARE\Microsoft\Edge\PreferenceMACs\

\msedge.exe

\Roaming

\atomic

\Atomic Wallet

\com.liberty.jaxx

\Electrum

\Exodus

\MultiDoge

\Monero

\binance.chain

\Binance

\Metamask

\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec

\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp

\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec

\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa

\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh

\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn

\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca

\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn

\Local Extension Settings\fmblappgoiilbgafhjklehhfifbdocee

\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf

\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo

\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm

sorare.com

yobit.net

zb.com

binance.com

huobi.com

okex.com

hitbtc.com

bitfinex.com

kraken.com

bitstamp.net

payoneer.com

bittrex.com

bittrex.zendesk.com

gate.io

exmo.com

yobit.io

bitflyer.com

poloniex.com

kucoin.com

coinone.co.kr

localbitcoins.com

korbit.co.kr

cex.io

luno.com

bitkonan.com

jubi.com

koinex.in

koineks.com

kuna.io

koinim.com

kiwi-coin.com

leoxchange.com

lykke.com

localtrade.cc

magnr.com

lbank.info

itbit.com

gemini.com

gdax.com

gatehub.net

satoshitango.com

foxbit.com.br

flowbtc.com.br

exx.com

exrates.me

excambriorex.com

ezbtc.ca

infinitycoin.exchange

tdax.com

stex.com

vbtc.exchange

coinmarketcap.com

vwlpro.com

nocks.com

nlexch.com

novaexchange.com

mynxt.info

nzbcx.com

nevbit.com

mixcoins.com

mr.exchange

neraex.pro

dsx.uk

okcoin.com

liquid.com

quoine.com

quadrigacx.com

rightbtc.com

rippex.net

ripplefox.com

qryptos.com

ore.bz

openledger.info

omnidex.io

paribu.com

paymium.com

dcexchange.ru

dcexe.com

bitmex.com

funpay.ru

bitmaszyna.pl

bitonic.nl

bitpanda.com

bitsblockchain.net

bitmarket.net

bitlish.com

bitfex.trade

blockchain.com

blockchain.info

cryptofresh.com

btcmarkets.net

braziliex.com

btc-trade.com.ua

btc-alpha.com

bitspark.io

bitso.com

bittylicious.com

altcointrader.co.za

arenabitcoin.com

allcoin.com

796.com

abucoins.com

aidosmarket.com

bitcointrade.com

bitcointoyou.com

bitbanktrade.jp

big.one

bcex.ca

bitconnect.co

coinsbank.com

coinsecure.in

coinsquare.com

coinspot.io

coinsmarkets.com

crypto-bridge.org

dcex.com

dabtc.com

decentrex.com

deribit.com

dgtmarket.com

btcturk.com

btcxindia.com

bt.cx

bitstarcoin.com

coincheck.com

coinmate.io

coingi.com

coinnest.co.kr

coinrail.co.kr

coinpit.io

coingather.com

coinfloor.co.uk

coinegg.com

coincorner.com

coinexchange.io

pancakeswap.finance

coinbase.com

livecoin.net

mercatox.com

cryptobridge.freshdesk.com

volabit.com

tradeogre.com

bitkub.com

uphold.com

wallet.uphold.com

tidex.com

coinome.com

coinpayments.net

bitmax.io

bitbank.cc

independentreserve.com

bitmart.com

cryptopia.co.nz

cryptonator.com

advcash.com

my.dogechain.info

spectrocoin.com

exir.io

exir.tech

coinbene.com

bitforex.com

gopax.co.kr

catex.io

vindax.com

coineal.com

maicoin.com

finexbox.com

etherflyer.com

bx.in.th

bitopro.com

citex.co.kr

coinzo.com

atomars.com

coinfinit.com

bitker.com

dobitrade.com

btcexa.com

satowallet.com

cpdax.com

trade.io

btcnext.io

exmarkets.com

btc-exchange.com

chaoex.com

jex.com

therocktrading.com

gdac.com

southxchange.com

tokens.net

fexpro.net

btcbox.co.jp

coinmex.com

cryptology.com

cointiger.com

cashierest.com

coinbit.co.kr

mxc.com

bilaxy.com

coinall.com

coindeal.com

omgfin.com

oceanex.pro

bithumb.com

ftx.com

shortex.net

coin.z.com

fcoin.com

fatbtc.com

tokenize.exchange

simex.global

instantbitex.com

\Login Data

SOFTWARE\BraveSoftware\Brave-Browser\PreferenceMACs

\BraveSoftware\Brave-Browser\User Data\

SOFTWARE\CryptoTab Browser\PreferenceMACs

\CryptoTab Browser\User Data\

\Opera Software\Opera Stable

ascendex.com

crypto.com

coins.ph

coins.th

dogechain.info

miningpoolhub.com

/vpn/index.html

portal/webclient

remote/login

/vpn/tmindex.html

/LogonPoint/tmindex.html

XenApp1/auth/login.aspx

auth/silentDetection.aspx

/citrix/

/RDWeb/

/+CSCOE+/

/global-protect/

sslvpn.

/dana-na/

/my.policy

ncsecu.org

penfed.org

becu.org

schoolsfirstfcu.org

firsttechfed.com

golden1.com

alliantcreditunion.org

americafirst.com

suncoastcreditunion.com

secumd.org

safecu.org

missionfed.com

greendot.com

rbfcu.org

macu.com

dcu.org

ssfcu.org

bethpagefcu.com

starone.org

alaskausa.org

sdccu.com

aacreditunion.org

lmcu.org

teachersfcu.org

patelco.org

esl.org

onpointcu.com

logixbanking.com

psecu.com

deltacommunitycu.com

ent.com

cefcu.com

greenstate.org

unfcu.org

pffcu.org

wingsfinancial.com

iccu.comdesertfinancial.com

iccu.com

desertfinancial.com

hvfcu.org

wpcu.coop

redwoodcu.org

tcunet.com

wsecu.org

joviafinancial.com

coastal24.com

myeecu.org

gecreditunion.org

nymcu.org

affinityfcu.com

towerfcu.org

ccu.com

communityamerica.com

langleyfcu.org

credithuman.com

techcu.com

gecu.com

kfcu.org

applefcu.org

nasafcu.com

sfcu.org

genisyscu.org

unifyfcu.com

apcocu.org

firstcommunity.com

unitedfcu.com

fairwinds.org

ufcu.org

wescom.org

bcu.org

vacu.org

citadelbanking.com

servicecu.org

summitcreditunion.com

gesa.com

chevronfcu.org

traviscu.org

uwcu.org

communityfirstcu.org

ecu.org

sccu.com

bfsfcu.org

bellco.org

dfcufinancial.com

msufcu.org

members1st.org

landmarkcu.com

kinecta.org

midflorida.com

visionsfcu.org

veridiancu.org

statefarmfcu.com

tinkerfcu.org

sefcu.com

americanheritagecu.org

robinsfcu.org

canvas.org

growfinancial.org

truliantfcu.org

ascend.org

foundersfcu.com

calcoastcu.org

ucu.org

connexuscu.org

slfcu.org

numericacu.com

eecu.org

georgiasown.org

nusenda.org

tvacreditunion.com

pcu.org

msgcu.org

nuvisionfederal.com

trumarkonline.org

navigantcu.org

ornlfcu.com

jscfcu.org

lgfcu.org

elevationscu.com

gtefinancial.org

chartway.com

ecu.com

sdfcu.org

apcu.com

schools.org

metrocu.org

campuscu.com

adviacu.org

psfcu.com

andrewsfcu.org

eglinfcu.org

imcu.com

americaneagle.org

ttcu.com

vantagewest.org

empowerfcu.com

rfcu.com

capcomfcu.org

arizonafederal.org

csecreditunion.com

communityfirstfl.org

bayportcu.org

gwcu.org

wecu.com

stgeorge.com.au

imb.com.au

ing.com.au

bankofmelbourne.com.au

regionalaustraliabank.com

suncorp.com.au

regionalaustraliabank.com.au

bmo.com

cwbank.com

royalbank.com

vancity.com

servus.ca

coastcapitalsavings.com

alterna.ca

interiorsavings.com

synergycu.ca

mainstreetcu.ca

cu.com

fcu.com

robinhood.com

navyfederal.org

tboholidays.com

24x7rooms.com

adonis.com

abreuonline.com

almundo.com.ar

bonotel.com

bookohotel.com

didatravel.com

dotwconnect.com

eetglobal.com

escalabeds.com

fastpayhotels.com

getaroom.com

goglobal.travel

hoteldo.com.mx

hotelspro.com

jumbonline.com

kaluahtours.com

lci-euro.com

lotsofhotels.com

mikinet.co.uk

misterroom.com

nexustours.com

olympiaeurope.com

paximum.com

restel.es

rezserver.com

rezlive.com

sunhotels.com

totalstay.com

travco.co.uk

travellanda.com

smyrooms.com

welcomebeds.com

yalago.com

hotelbeds.com

mercadolibre.com.mx

hsbc.com.mx

bbvanetcash.mx

scotiabank.com.mx

santander.com.mx

bbva.mx

opensea.io

plantvsundead.com

axieinfinity.com

cryptocars.me

bombcrypto.io

cryptoplanes.me

cryptozoon.io

bankalhabib.com

correosprepago.es

orangebank.es

amazon.it

amazon.ca

amazon.de

amazon.com

netspend.com

online.citi.com

cloud.ibm.com

ca.ovh.com

account.alibabacloud.com

cloud.huawei.com

cloud.tencent.com

vultr.com

aws.amazon.com

portal.azure.com

digitalocean.com

console.scaleway.com

hetzner.com

linode.com

oracle.com

rackspace.com

phoenixnap.com

leaseweb.com

sso.ctl.io

ctl.io

lumen.com

paypal.com

WW_P_7

WW_P_8

https://

WW_P_

WW_P_1

links

ezstat.ru/1BfPg7

USA_1

iplis.ru/1BX4j7.png

iplis.ru/1BV4j7.mp4

USA_2

iplogger.org/1nkuM4.jpeg

iplis.ru/1BNhx7.mp3

iplis.ru/1pRXr7.txt

SetIncrement|ww_starts

false

iplis.ru/1S2Qs7.mp3

iplis.ru/1S3fd7.mp3

iplis.ru/17VHv7.mp3

iplis.ru/1GLDc7.mp3

iplis.ru/1xDsk7.mp3

iplis.ru/1xFsk7.mp3

WW_OPERA

iplis.ru/1GCuv7.pdf

iplis.ru/1lmex.mp3

iplis.ru/1Gemv7.mp3

WW_10

iplis.ru/1Gymv7.mp3

WW_11

iplis.ru/1tqHh7.mp3

WW_12

iplis.ru/1aFYp7.mp3

WW_13

iplis.ru/1cC8u7.mp3

WW_14

iplis.ru/1cN8u7.mp3

WW_15

iplis.ru/1kicy7.mp3

iplis.ru/1BMhx7.mp3

WW_16

iplis.ru/1edLy7.png

WW_17

iplis.ru/1nGPt7.png

WW_P_2

iplis.ru/1Bshv7.mp3

WW_P_3

iplis.ru/1Lgnh7.mp3

WW_P_4

iplis.ru/1vt8c7.mp3

WW_P_5

iplis.ru/1IcfD.mp3

WW_P_6

iplis.ru/1eXqs7.mp3

iplis.ru/1Unzy7.mp3

WW_18

iplis.ru/12hYs7.mp3

WW_19

iplis.ru/12d8d7.mp3

WW_20

iplis.ru/1Uvgu7.mp3

WW_21

iplis.ru/1jvTz7.mp3

browsers

Chrome:

Edge:

os_country_code

ip_country

AddExtensionStat|

net_country_code

https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1

https://vk.com/doc746114504_647280734?hash=Doz4iot4bg0WOvZC8ZMInERV5U1fmjrKZZhl7jf6wBE&dl=G42DMMJRGQ2TANA:1661413506:vGfIf9YivGqE9gd11wvm9KZLzv9DMwdM9Wp0LmcsAhz&api=1&no_preview=1

https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://193.56.146.76/Proxytest.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://91.241.19.125/pub.php?pub=one

http://privacy-tools-for-you-780.com/downloads/toolspab3.exe

http://luminati-china.xyz/aman/casper2.exe

https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe

http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe

https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp

http://185.215.113.208/ferrari.exe

https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp

https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp

https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp

http://mnbuiy.pw/adsli/note8876.exe

http://sarfoods.com/index.php

https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe

http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe

https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

https://iplogger.org/2BTmf7

https://iplogger.org/2BAmf7

https://iplogger.org/2BDmf7

https://iplogger.org/2BFmf7

https://iplogger.org/2s2pg6

https://iplogger.org/2s3pg6

https://iplogger.org/2s4pg6

https://iplogger.org/2s5pg6

https://iplogger.org/2s6pg6

https://iplogger.org/2s7pg6

crypto_wallets

domain

bank_wallets

cu_bank_wallets

shop_wallets

bank_au_wallets

amazon_eu

webhosts

paypal

bank_ca_wallets

browser_vbmt

GetCryptoSleeping

45.15.156.229

85.208.136.10

94.142.138.131

94.142.138.113

208.67.104.60

cryptoWallets

status

bankWallets

cuBankWallets

shops

bankAUWallets

bankCAWallets

cryptoWallets_part1

cryptoWallets_part2

bankWallets_part1

bankWallets_part2

bankMXWallets

cryptoGames

bankPKWallets

bankESWallets

SetLoaderAnalyze|

SetIncrement|not_elevated

WinHttpConnect

WinHttpQueryHeaders

WinHttpOpen

WinHttpOpenRequest

WinHttpQueryDataAvailable

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpReadData

WinHttpCloseHandle

WinHttpSetTimeouts

InternetOpenA

InternetSetOptionA

HttpOpenRequestA

InternetConnectA

InternetOpenUrlA

HttpQueryInfoA

InternetQueryOptionA

HttpSendRequestA

InternetReadFile

InternetCloseHandle

Amadey

(PID) Process(2712) danke.exe

C2 (1)http://77.91.68.3

Version3.85

Options

Drop directoryS-%lu-

Drop name%-lu

Strings (119)-%lu

3ec1f323b5

danke.exe

SCHTASKS

/Create /SC MINUTE /MO 1 /TN

/TR "

" /F

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Startup

Rem

cmd /C RMDIR /s/q

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

rundll32

/Delete /TN "

Programs

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%USERPROFILE%

\App

POST

GET

id=

&vs=

&sd=

&os=

&bi=

&ar=

&pc=

&un=

&dm=

&av=

&lv=

&og=

cred.dll|clip.dll|

Main

http://

https://

exe

dll

cmd

ps1

<c>

<d>

Plugins/

+++

&unit=

shell32.dll

kernel32.dll

GetNativeSystemInfo

ProgramData\

AVAST Software

Avira

Kaspersky Lab

ESET

Panda Security

Doctor Web

AVG

360TotalSecurity

Bitdefender

Norton

Sophos

Comodo

WinDefender

0123456789

Content-Type: multipart/form-data; boundary=----

------

Content-Disposition: form-data; name="data"; filename="

" Content-Type: application/octet-stream

------

?scr=1

.jpg

Content-Type: application/x-www-form-urlencoded

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

ComputerName

abcdefghijklmnopqrstuvwxyz0123456789-_

-unicode-

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

SYSTEM\ControlSet001\Services\BasicDisplay\Video

VideoID

\0000

DefaultSettings.XResolution

DefaultSettings.YResolution

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductName

2019

2022

2016

CurrentBuild

echo Y|CACLS "

" /P "

:N"

CACLS "

" /P "

:R" /E

:F" /E

&&Exit

..\

:::

rundll32.exe

"taskkill /f /im "

" && timeout 1 && del

&& Exit"

" && ren

Powershell.exe

-executionpolicy remotesigned -File "

(PID) Process(3052) oneetx.exe

C2 (1)http://5.42.65.80

Version3.83

Options

Drop directory207aa4515d

Drop nameoneetx.exe

Strings (116)SCHTASKS

/Create /SC MINUTE /MO 1 /TN

/TR "

" /F

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Startup

Rem

cmd /C RMDIR /s/q

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

rundll32

/Delete /TN "

Programs

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%USERPROFILE%

\App

POST

GET

id=

&vs=

&sd=

&os=

&bi=

&ar=

&pc=

&un=

&dm=

&av=

&lv=

&og=

cred.dll|clip.dll|

Main

http://

https://

exe

dll

cmd

ps1

<c>

<d>

Plugins/

+++

&unit=

shell32.dll

kernel32.dll

GetNativeSystemInfo

ProgramData\

AVAST Software

Avira

Kaspersky Lab

ESET

Panda Security

Doctor Web

AVG

360TotalSecurity

Bitdefender

Norton

Sophos

Comodo

WinDefender

0123456789

Content-Type: multipart/form-data; boundary=----

------

Content-Disposition: form-data; name="data"; filename="

" Content-Type: application/octet-stream

------

?scr=1

.jpg

Content-Type: application/x-www-form-urlencoded

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

ComputerName

abcdefghijklmnopqrstuvwxyz0123456789-_

-unicode-

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

SYSTEM\ControlSet001\Services\BasicDisplay\Video

VideoID

\0000

DefaultSettings.XResolution

DefaultSettings.YResolution

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductName

2019

2022

2016

CurrentBuild

echo Y|CACLS "

" /P "

:N"

CACLS "

" /P "

:R" /E

:F" /E

&&Exit

..\

:::

rundll32.exe

"taskkill /f /im "

" && timeout 1 && del

&& Exit"

" && ren

Powershell.exe

-executionpolicy remotesigned -File "

Lumma

(PID) Process(616) AppLaunch.exe

C2gstatic-node.io/c2sock

Options

LummaIDV566Iu--inerino

No Malware configuration.

Add for printing

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

237

Monitored processes

163

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

124

C:\Users\admin\AppData\Local\Temp\674A.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\674a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

124

C:\Windows\SysWOW64\explorer.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\ntdll.dll
c:\windows\syswow64\explorer.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

412

"C:\Users\admin\AppData\Local\Temp\CDD7.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\admin\AppData\Local\Temp\CDD7.exe

CDD7.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\cdd7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

464

"C:\Users\admin\Pictures\Minor Policy\JyihcsQD1yeLr20qD0UiiIa9.exe"

C:\Users\admin\Pictures\Minor Policy\JyihcsQD1yeLr20qD0UiiIa9.exe

File.exe

User:

admin

Company:

Integrity Level:

HIGH

Description:

RepSpacer78

Exit code:

Version:

2.1.7.8

Modules

Images
c:\users\admin\pictures\minor policy\jyihcsqd1yelr20qd0uiiia9.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

504

"C:\Users\admin\AppData\Local\Temp\XandETC.exe"

C:\Users\admin\AppData\Local\Temp\XandETC.exe

—

DD78.exe

User:

admin

Company:

Google Inc.

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

3221226540

Version:

90,1,32,10

Modules

Images
c:\users\admin\appdata\local\temp\xandetc.exe
c:\windows\system32\ntdll.dll

504

CACLS "..\207aa4515d" /P "admin:R" /E

C:\Windows\SysWOW64\cacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Control ACLs Program

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\advapi32.dll

556

CACLS "danke.exe" /P "admin:R" /E

C:\Windows\SysWOW64\cacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Control ACLs Program

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

556

"C:\Users\admin\Documents\VH1UcyhOpu6QAytAA4bFL3Kg.exe"

C:\Users\admin\Documents\VH1UcyhOpu6QAytAA4bFL3Kg.exe

XK64lh1fBajdQQmvX9SlTBA2.exe

User:

admin

Company:

N-able Take Control

Integrity Level:

HIGH

Description:

TCDirectChat

Exit code:

Version:

7.0.45.1145

Modules

Images
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

616

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

s1EuMu.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft .NET ClickOnce Launch Utility

Exit code:

Version:

4.7.2558.0 built by: NET471REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Lumma

(PID) Process(616) AppLaunch.exe

C2gstatic-node.io/c2sock

Options

LummaIDV566Iu--inerino

636

CACLS "..\3ec1f323b5" /P "admin:R" /E

C:\Windows\SysWOW64\cacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Control ACLs Program

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\cacls.exe
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

44 565

Read events

43 244

Write events

1 218

Delete events

103

Modification events


(PID) Process:	(1960) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB0100000040131FD0E0B45449B5325CF35709B45A0000000002000000000010660000000100002000000097BA847E5D0827CAFBC4D33F7B8AFE8834428DFEF065FA018D8CAB90C5710B0A000000000E8000000002000020000000703BDF28CF4D9DFCAB7DDC229F11B838657F02A563D675B7BA5A582848A73F4F300000008091631BBFD318C1A67DDE62193EF5F65F823DF6F3FB12C344A857963FC714699639A04F9F66927C69CA8E9AC61E02154000000007CED62AF9113E09870DE72EB5744E2CBFDC316C2CF8607885EA5CBB68D61BE0CFB49EE1C4CAF8F2769692B62252F8AB0F88C1F92875F93F72FE70BCC896EFE4
(PID) Process:	(2432) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(1960) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:	write	Name:	{6Q809377-6NS0-444O-8957-N3773S02200R}\JvaENE\JvaENE.rkr
Value: 000000000B000000050000001E9A0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF30D9B8CEF2F1D80100000000
(PID) Process:	(1960) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:	write	Name:	HRZR_PGYFRFFVBA
Value: 0000000091000000940000006A524C00110000000300000071B504007B00310041004300310034004500370037002D0030003200450037002D0034004500350044002D0042003700340034002D003200450042003100410045003500310039003800420037007D005C0063006D0064002E006500780065000000D3FDFE0700000000000000000000F012D2020000000000000000000000000000000000000000F012D2020000000012C2D2FDFE070000010000000000000000000000000000000000000000000000F012D20200000000000000000000000000000000000000000000000000000000DCD9D3FDFE0700000000000000000000568ED3FDFE07000005000000000000000000000000000000F012D20200000000C9AAD2FDFE07000000000000000000000500000000000000000000000000000000000000000000000100000000000000C3AAD3FDFE070000F012D202000000000500000000000000010000000000000001000000FFFFFFFF00000000000000000000000000000000000000001C000000010000000000000001000000FFFFFFFF0C18D202000000002C18D202000000000000000000000000010000000600000071D8D3FDFE070000F0E676030000000000000000000000000500000000000000F012D20200000000F012D2020000000063B3D2FDFE07000001000000000000000000000000000000000000000000000005000000FE0700004413D20200000000D017D202000000008014D202100000001B000000C95F05007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E00650078006500000000000000FE221EFEFE07000060000100000000008202000000000000820200000000000001FFFFFF000000006A00A603000000008C00A60300000000B8ACA6030000000050DFE3020000000000010001010000000001E302000000004CE2E3020000000094DFE302000000000000000009090900090909090009111100000000000000008202000000000000820200000000000001000000000000008202000000000000DB9B5A77000000006000010000000000000000000000000000000000000000000000000000000000110000000300000071B504007B00310041004300310034004500370037002D0030003200450037002D0034004500350044002D0042003700340034002D003200450042003100410045003500310039003800420037007D005C0063006D0064002E006500780065000000D3FDFE0700000000000000000000F012D2020000000000000000000000000000000000000000F012D2020000000012C2D2FDFE070000010000000000000000000000000000000000000000000000F012D2020000000000000000000000000000000000000000000000000000000013000000A80916007B00310041004300310034004500370037002D0030003200450037002D0034004500350044002D0042003700340034002D003200450042003100410045003500310039003800420037007D005C007400610073006B006D00670072002E006500780065000000008000000000542D3EFFFE07000000000000000000006800690200000000580001000000000000000000000000000000290000000000EB1ABB7700000000680069020000000000000000FE070000282547FFFE070000B0EA330000000000180069020000000000000000000000000100000000000000BF1D3EFFFE07000090DEF3020000000070C936000000000000000000000000003B94B5FDFE070000E00736000000000008006902000000005800010000000000869AA977000000000814FEDA97F1000082020000000000000000000000000000580001000000000000000000000000008202000000000000020000000000000058000100000000000000000000000000820200000000000080A671FF00000000C81263FF00000000E00736000000000001000000000000000F0000C000000000941AC90200000000820200000000000001000000000000008202000000000000DB9BA977000000005800010000000000000000000000000000000000000000000100000000000000000000000000000081020000000000000000000000000000000000000000000000000000
(PID) Process:	(2432) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:	(2432) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\Win7AndW2K8R2-KB3191566-x64.zip
(PID) Process:	(2432) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process:	(2432) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2432) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2432) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120

Add for printing

Executable files

103

Suspicious files

110

Text files

335

Unknown types

Dropped files

PID	Process	Filename		Type
2432	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2432.15422\File.exe		—
		MD5:—	SHA256:—
2412	File.exe	C:\Windows\System32\GroupPolicy\gpt.ini		text
		MD5:39DFFC602ED934569F26BE44EC645814	SHA256:B57A88E5B1ACF3A784BE88B87FA3EE1F0991CB7C1C66DA423F3595FFC6E0C5C2
2412	File.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\66OI0VYZ.txt		text
		MD5:4215C968A0AC0EE1C641DD576DBAA511	SHA256:8F4154E68CABDF83803D6F53E76CFB7C1A43B856806C4C16F4E491189E2AFBE2
2412	File.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Y23XCKDS.txt		text
		MD5:0F1EE9D959D4B742EF45DEC2C60117BD	SHA256:409BD44E43806212DB077B2C824EB5D87F77C897630B4FD3F33BFB37933546CD
2412	File.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\0FMH5H9L.txt		text
		MD5:4EF329C7A64B98C4FCFC053064ADDC01	SHA256:70C848A264B914A1976CDB80D7E07C310B4A992749A33D85579C7F86ACB05721
2412	File.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\6523[1].exe		executable
		MD5:9B5705EA5946CAF5361473AC1FA6B5E3	SHA256:C8635BFE191B150E8425193FFBA489F93B909B02B5A644A148BF2B7A9060773D
2412	File.exe	C:\Users\admin\Pictures\Minor Policy\Dn6iN06bsqb_g5yKsZOT2Pq0.exe		executable
		MD5:9B5705EA5946CAF5361473AC1FA6B5E3	SHA256:C8635BFE191B150E8425193FFBA489F93B909B02B5A644A148BF2B7A9060773D
2412	File.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2U1WPAC\okka25[1].exe		executable
		MD5:F5BBEB7B56EE19C46535707F8CAD11C3	SHA256:ED045F99C506FE48778EB6F070EE3127B27FCFA441E39A4033E01FD4E77EEA6B
2412	File.exe	C:\Users\admin\Pictures\Minor Policy\aTcmpf025UG6L_XSc96NvR0p.exe		html
		MD5:C5869B4D05FE21637D3D35D5E192988A	SHA256:2A6D587876B8C3F8E37E0642175DB8EFA43FE5198F6A3F3DC62C623C6DFB4870
2412	File.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\g[1].exe		executable
		MD5:88D370A2D39D62E179FD102ADA79B409	SHA256:23D6093499662611ACF5EB931868D3BE26DDF1140EAC7FE1B6B6B513DD03431A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

217

TCP/UDP connections

394

DNS requests

Threats

582

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2412	File.exe	HEAD	200	91.215.85.147:80	http://hugersi.com/dl/6523.exe	RU	—	—	suspicious
2412	File.exe	HEAD	—	95.214.25.233:80	http://95.214.25.233:3002/	US	—	—	suspicious
2412	File.exe	HEAD	200	156.236.72.121:80	http://zzz.fhauiehgha.com/m/okka25.exe	US	—	—	malicious
2412	File.exe	HEAD	200	45.12.253.74:80	http://45.12.253.74/pineapple.php?pub=mixinte	BG	—	—	malicious
2412	File.exe	HEAD	200	163.123.143.4:80	http://163.123.143.4/download/Service32.exe	unknown	—	—	malicious
2412	File.exe	HEAD	200	45.66.230.164:80	http://45.66.230.164/g.exe	BG	—	—	malicious
2412	File.exe	HEAD	200	77.91.124.5:80	http://77.91.124.5/gallery/photo270.exe	RU	—	—	suspicious
2412	File.exe	GET	200	94.142.138.131:80	http://94.142.138.131/api/tracemap.php	RU	text	15 b	malicious
2412	File.exe	POST	200	94.142.138.131:80	http://94.142.138.131/api/firegate.php	RU	text	108 b	malicious
2412	File.exe	POST	200	94.142.138.131:80	http://94.142.138.131/api/firegate.php	RU	text	4.02 Kb	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
328	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
2412	File.exe	94.142.138.131:80	—	Network Management Ltd	RU	malicious
2412	File.exe	172.67.75.163:443	api.myip.com	CLOUDFLARENET	US	suspicious
2412	File.exe	87.240.129.133:80	vk.com	VKontakte Ltd	RU	malicious
2412	File.exe	34.117.59.81:443	ipinfo.io	GOOGLE-CLOUD-PLATFORM	US	whitelisted
2412	File.exe	87.240.132.78:80	vk.com	VKontakte Ltd	RU	suspicious
2412	File.exe	87.240.132.78:443	vk.com	VKontakte Ltd	RU	suspicious
2412	File.exe	163.123.143.4:80	—	Delis LLC	US	malicious
2412	File.exe	91.215.85.147:80	hugersi.com	—	RU	suspicious

DNS requests

Domain	IP	Reputation
api.myip.com	172.67.75.163 104.26.9.59 104.26.8.59	suspicious
ipinfo.io	34.117.59.81	shared
teredo.ipv6.microsoft.com	—	whitelisted
vk.com	87.240.129.133 87.240.132.78 87.240.132.72 87.240.132.67 87.240.137.164 93.186.225.194	whitelisted
zzz.fhauiehgha.com	156.236.72.121	malicious
camoverde.pw	188.114.96.3 188.114.97.3	malicious
hugersi.com	91.215.85.147	suspicious
apps.identrust.com	95.101.54.195 2.16.202.123	shared
ctldl.windowsupdate.com	93.184.221.240	whitelisted
sun6-23.userapi.com	95.142.206.3	unknown

Threats

PID	Process	Class	Message
2412	File.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
2412	File.exe	Malware Command and Control Activity Detected	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
2412	File.exe	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
328	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.pw domain - Likely Hostile
2412	File.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2412	File.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2412	File.exe	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
2412	File.exe	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
2412	File.exe	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
2412	File.exe	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body

38 ETPRO signatures available at the full report

Add for printing

Process	Message
2XmlBiQgNCJEAQyeCKnWLtBZ.exe	[ERROR] All other uses require a separate written license from Roland
2XmlBiQgNCJEAQyeCKnWLtBZ.exe	[ERROR] The Roland SoundCanvas Sound Set is licensed under Microsoft's End User License Agreement

General Info

File_pass1234.7z

018FE259D51B5C71257275CAB7C1685B

FE7A03B8523C4DB40718A2E971B2C54485EBC671

4218E1020C93A986FC5A3954C39F5BC4199B0AA49A5CAD564FA509B17EF6B52D

98304:psjupcskHHPKyeKNusN4ZwiPJakTohGhbo+KpGiM+G7ITV/DcQxpUV+Zib0:plp8vKBb20hCGhvKpGiMjMQiUckb0

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Creates a writable file the system directory

Actions looks like stealing of personal data

Connects to the CnC server

PRIVATELOADER was detected

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Registers / Runs the DLL via REGSVR32.EXE

Steals credentials from Web Browsers

REDLINE was detected

Application was injected by another process

Runs injected code in another process

Disables Windows Defender

FABOOKIE was detected

PRIVATELOADER detected by memory dumps

SMOKE was detected

Changes the Windows auto-update feature

GCLEANER was detected

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

Uses Task Scheduler to autorun other applications

AMADEY was detected

Stop is detected

AMADEY detected by memory dumps

Steals credentials

Starts CMD.EXE for self-deleting

VIDAR was detected

LUMMA detected by memory dumps

LUMMA was detected

ARKEI was detected

Adds path to the Windows Defender exclusion list

SUSPICIOUS

Adds/modifies Windows certificates

Connects to the server without a host name

Reads settings of System Certificates

Executes as Windows Service

Reads the Internet Settings

Executable content was dropped or overwritten

Checks Windows Trust Settings

Reads security settings of Internet Explorer

Process requests binary or script from the Internet

Connects to unusual port

Reads the Windows owner or organization settings

The process checks if it is being run in the virtual environment

Reads Microsoft Outlook installation path

Checks for external IP

Searches for installed software

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Reads browser cookies

Application launched itself

Loads DLL from Mozilla Firefox

Accesses Microsoft Outlook profiles

Starts itself from another location

Starts CMD.EXE for commands execution

Uses ICACLS.EXE to modify access control lists

Reads the BIOS version

Uses TIMEOUT.EXE to delay execution

Uses TASKKILL.EXE to kill process

Script adds exclusion path to Windows Defender

Starts POWERSHELL.EXE for commands execution

Starts SC.EXE for service management

The process checks if current user has admin rights

Uses powercfg.exe to modify the power settings

The process executes via Task Scheduler

Uses REG/REGEDIT.EXE to modify registry

INFO

Checks supported languages

The process checks LSA protection

Reads the computer name

Reads the machine GUID from the registry