Malware analysis 5.rar Malicious activity | ANY.RUN

Add for printing

File name:	5.rar
Full analysis:	https://app.any.run/tasks/e956e8a9-ba35-4a1d-8ffe-565fc09469a6
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 02, 2023, 21:11:54
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	evasion stealer revengerat
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	EFBCFDDA51C06ED0656CC7EB0BBB4956
SHA1:	77229FB2CDE58298831B7D2012E98EE01E5BF11A
SHA256:	4CF5F4C8E88EB4889970297882CFD56407484AC980845BE015D567047A7943C8
SSDEEP:	98304:J9kE9g/opU0utVmzenpKRoT4iaAHOp1yKpIiIzirGodHMEc/2V6/DRdMCnVKlfC5:atUHdGRH6FfFY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.100 (8.100)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - 2411f758cdfc2a6ba79cf02892f7aa6c.exe (PID: 2528)
  - 742675c7a16a8f4e8283adf73cccee60.exe (PID: 2184)
  - ZaccMoMY.exe (PID: 600)
  - ZaccMoMY.exe (PID: 2220)
  - ZaccMoMY.exe (PID: 3856)
  - unionreturns.rtf.exe (PID: 3616)
- Drops the executable file immediately after the start
  - 2411f758cdfc2a6ba79cf02892f7aa6c.exe (PID: 2528)
  - 91d8af6f1a78c3219946fbf647d51167.exe (PID: 2632)
  - 742675c7a16a8f4e8283adf73cccee60.exe (PID: 2184)
  - 897956d6a1fe98391a8d3ba3cd368e97.exe (PID: 3224)
  - a110327b5e01cb61f49a21a2a948dca1.exe (PID: 2392)
  - devenv.exe (PID: 1008)
  - 7cd25b7b269534280117df86611a98dc.exe (PID: 1968)
  - ZaccMoMY.exe (PID: 2220)
  - 43ad618c1063692c30544a17f1759d47.exe (PID: 1840)
  - 03ec8fb881c08537e6fa560e49702dc4.exe (PID: 3792)
- Changes the login/logoff helper path in the registry
  - 2411f758cdfc2a6ba79cf02892f7aa6c.exe (PID: 2528)
  - 91d8af6f1a78c3219946fbf647d51167.exe (PID: 2632)
  - 742675c7a16a8f4e8283adf73cccee60.exe (PID: 2184)
- Changes appearance of the Explorer extensions
  - a110327b5e01cb61f49a21a2a948dca1.exe (PID: 2392)
  - unionreturns.rtf.exe (PID: 3616)
- Actions looks like stealing of personal data
  - a110327b5e01cb61f49a21a2a948dca1.exe (PID: 2392)
  - b8e611bd3eeab906a59eca8edfcd4b17.exe (PID: 3248)
  - ZaccMoMY.exe (PID: 2220)
- REVENGERAT has been detected (YARA)
  - admtools.exe (PID: 2240)
- Modifies files in the Chrome extension folder
  - ZaccMoMY.exe (PID: 2220)
- Steals credentials from Web Browsers
  - a110327b5e01cb61f49a21a2a948dca1.exe (PID: 2392)
  - b8e611bd3eeab906a59eca8edfcd4b17.exe (PID: 3248)
- Probably malicious OneNote attachment is found
  - ZaccMoMY.exe (PID: 2220)
SUSPICIOUS
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 2740)
  - 43ad618c1063692c30544a17f1759d47.exe (PID: 1840)
- Uses REG/REGEDIT.EXE to modify registry
  - 91d8af6f1a78c3219946fbf647d51167.exe (PID: 2632)
  - 742675c7a16a8f4e8283adf73cccee60.exe (PID: 2184)
  - 2411f758cdfc2a6ba79cf02892f7aa6c.exe (PID: 2528)
  - 9b3f121ce986f775d6f9b6b3803e60b9.exe (PID: 3848)
- Starts CMD.EXE for commands execution
  - 2411f758cdfc2a6ba79cf02892f7aa6c.exe (PID: 2528)
  - 742675c7a16a8f4e8283adf73cccee60.exe (PID: 2184)
  - 91d8af6f1a78c3219946fbf647d51167.exe (PID: 2632)
  - 9b3f121ce986f775d6f9b6b3803e60b9.exe (PID: 3848)
- Reads the Internet Settings
  - 897956d6a1fe98391a8d3ba3cd368e97.exe (PID: 3224)
  - a110327b5e01cb61f49a21a2a948dca1.exe (PID: 2392)
  - devenv.exe (PID: 1008)
  - b8e611bd3eeab906a59eca8edfcd4b17.exe (PID: 3248)
  - unionreturns.rtf.exe (PID: 3616)
- Reads Microsoft Outlook installation path
  - 897956d6a1fe98391a8d3ba3cd368e97.exe (PID: 3224)
- Reads Internet Explorer settings
  - 897956d6a1fe98391a8d3ba3cd368e97.exe (PID: 3224)
- Connects to unusual port
  - admtools.exe (PID: 2240)
- Detected use of alternative data streams (AltDS)
  - a110327b5e01cb61f49a21a2a948dca1.exe (PID: 2392)
- Starts application with an unusual extension
  - 7cd25b7b269534280117df86611a98dc.exe (PID: 1968)
  - 03ec8fb881c08537e6fa560e49702dc4.exe (PID: 3792)
- Starts itself from another location
  - 7cd25b7b269534280117df86611a98dc.exe (PID: 1968)
  - 03ec8fb881c08537e6fa560e49702dc4.exe (PID: 3792)
- Application launched itself
  - b8e611bd3eeab906a59eca8edfcd4b17.exe (PID: 296)
  - 48b29f7890ad902bddd43e3db4b94401.exe (PID: 2716)
- Checks for external IP
  - b8e611bd3eeab906a59eca8edfcd4b17.exe (PID: 3248)
- Accesses Microsoft Outlook profiles
  - b8e611bd3eeab906a59eca8edfcd4b17.exe (PID: 3248)
- Reads settings of System Certificates
  - b8e611bd3eeab906a59eca8edfcd4b17.exe (PID: 3248)
- Connects to SMTP port
  - b8e611bd3eeab906a59eca8edfcd4b17.exe (PID: 3248)
INFO
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 2740)
- Checks supported languages
  - 91d8af6f1a78c3219946fbf647d51167.exe (PID: 2632)
  - 372e6b9506740d8ac2b165867d7e8629.exe (PID: 3028)
  - 939ca386280a3011927bce23015b8fea.exe (PID: 2136)
  - 2411f758cdfc2a6ba79cf02892f7aa6c.exe (PID: 2528)
  - 742675c7a16a8f4e8283adf73cccee60.exe (PID: 2184)
  - SkQQcsYU.exe (PID: 2668)
  - ZaccMoMY.exe (PID: 600)
  - ZaccMoMY.exe (PID: 2220)
  - ZaccMoMY.exe (PID: 3856)
  - SkQQcsYU.exe (PID: 1936)
  - SkQQcsYU.exe (PID: 4060)
  - 897956d6a1fe98391a8d3ba3cd368e97.exe (PID: 3224)
  - clist.exe (PID: 2064)
  - chocolatey.exe (PID: 3052)
  - Bginfo.exe (PID: 3360)
  - wmpnscfg.exe (PID: 680)
  - devenv.exe (PID: 1008)
  - a110327b5e01cb61f49a21a2a948dca1.exe (PID: 2392)
  - b8e611bd3eeab906a59eca8edfcd4b17.exe (PID: 296)
  - admtools.exe (PID: 2240)
  - 9b3f121ce986f775d6f9b6b3803e60b9.exe (PID: 3848)
  - 7cd25b7b269534280117df86611a98dc.exe (PID: 1968)
  - 43ad618c1063692c30544a17f1759d47.exe (PID: 1840)
  - 14f62cf5811d351e21c1793b388ab187.exe (PID: 2316)
  - 34c445cd62b06b1cc14ee072582c1002.exe (PID: 3880)
  - 48b29f7890ad902bddd43e3db4b94401.exe (PID: 2716)
  - BCEB.tmp (PID: 3592)
  - 55f44b3b96fc07c2b497845dd01b785a.exe (PID: 3784)
  - blwxm.exe (PID: 3504)
  - b8e611bd3eeab906a59eca8edfcd4b17.exe (PID: 3248)
  - 03ec8fb881c08537e6fa560e49702dc4.exe (PID: 3792)
  - Bginfo.exe (PID: 1420)
  - unionreturns.rtf.exe (PID: 3616)
  - EA64.tmp (PID: 3020)
- Manual execution by a user
  - 742675c7a16a8f4e8283adf73cccee60.exe (PID: 2184)
  - 2411f758cdfc2a6ba79cf02892f7aa6c.exe (PID: 2528)
  - 91d8af6f1a78c3219946fbf647d51167.exe (PID: 2632)
  - 939ca386280a3011927bce23015b8fea.exe (PID: 2136)
  - 372e6b9506740d8ac2b165867d7e8629.exe (PID: 3028)
  - 897956d6a1fe98391a8d3ba3cd368e97.exe (PID: 3676)
  - 897956d6a1fe98391a8d3ba3cd368e97.exe (PID: 3224)
  - a110327b5e01cb61f49a21a2a948dca1.exe (PID: 2392)
  - wmpnscfg.exe (PID: 680)
  - b8e611bd3eeab906a59eca8edfcd4b17.exe (PID: 296)
  - 7cd25b7b269534280117df86611a98dc.exe (PID: 1968)
  - 9b3f121ce986f775d6f9b6b3803e60b9.exe (PID: 3848)
  - 14f62cf5811d351e21c1793b388ab187.exe (PID: 1640)
  - 14f62cf5811d351e21c1793b388ab187.exe (PID: 2316)
  - 34c445cd62b06b1cc14ee072582c1002.exe (PID: 3880)
  - 43ad618c1063692c30544a17f1759d47.exe (PID: 1840)
  - 48b29f7890ad902bddd43e3db4b94401.exe (PID: 2716)
  - 55f44b3b96fc07c2b497845dd01b785a.exe (PID: 3784)
  - 03ec8fb881c08537e6fa560e49702dc4.exe (PID: 3792)
  - unionreturns.rtf.exe (PID: 3616)
- Creates files in the program directory
  - 91d8af6f1a78c3219946fbf647d51167.exe (PID: 2632)
  - 2411f758cdfc2a6ba79cf02892f7aa6c.exe (PID: 2528)
  - ZaccMoMY.exe (PID: 2220)
  - 43ad618c1063692c30544a17f1759d47.exe (PID: 1840)
- Reads the computer name
  - 939ca386280a3011927bce23015b8fea.exe (PID: 2136)
  - 91d8af6f1a78c3219946fbf647d51167.exe (PID: 2632)
  - 2411f758cdfc2a6ba79cf02892f7aa6c.exe (PID: 2528)
  - ZaccMoMY.exe (PID: 600)
  - ZaccMoMY.exe (PID: 2220)
  - SkQQcsYU.exe (PID: 2668)
  - ZaccMoMY.exe (PID: 3856)
  - 742675c7a16a8f4e8283adf73cccee60.exe (PID: 2184)
  - SkQQcsYU.exe (PID: 1936)
  - SkQQcsYU.exe (PID: 4060)
  - Bginfo.exe (PID: 3360)
  - clist.exe (PID: 2064)
  - chocolatey.exe (PID: 3052)
  - 897956d6a1fe98391a8d3ba3cd368e97.exe (PID: 3224)
  - a110327b5e01cb61f49a21a2a948dca1.exe (PID: 2392)
  - b8e611bd3eeab906a59eca8edfcd4b17.exe (PID: 296)
  - wmpnscfg.exe (PID: 680)
  - devenv.exe (PID: 1008)
  - admtools.exe (PID: 2240)
  - 9b3f121ce986f775d6f9b6b3803e60b9.exe (PID: 3848)
  - 7cd25b7b269534280117df86611a98dc.exe (PID: 1968)
  - 14f62cf5811d351e21c1793b388ab187.exe (PID: 2316)
  - BCEB.tmp (PID: 3592)
  - 43ad618c1063692c30544a17f1759d47.exe (PID: 1840)
  - 34c445cd62b06b1cc14ee072582c1002.exe (PID: 3880)
  - 48b29f7890ad902bddd43e3db4b94401.exe (PID: 2716)
  - b8e611bd3eeab906a59eca8edfcd4b17.exe (PID: 3248)
  - Bginfo.exe (PID: 1420)
  - unionreturns.rtf.exe (PID: 3616)
- Create files in a temporary directory
  - 372e6b9506740d8ac2b165867d7e8629.exe (PID: 3028)
  - 2411f758cdfc2a6ba79cf02892f7aa6c.exe (PID: 2528)
  - 742675c7a16a8f4e8283adf73cccee60.exe (PID: 2184)
  - 91d8af6f1a78c3219946fbf647d51167.exe (PID: 2632)
  - 897956d6a1fe98391a8d3ba3cd368e97.exe (PID: 3224)
  - a110327b5e01cb61f49a21a2a948dca1.exe (PID: 2392)
  - 9b3f121ce986f775d6f9b6b3803e60b9.exe (PID: 3848)
- Reads the machine GUID from the registry
  - 372e6b9506740d8ac2b165867d7e8629.exe (PID: 3028)
  - 897956d6a1fe98391a8d3ba3cd368e97.exe (PID: 3224)
  - a110327b5e01cb61f49a21a2a948dca1.exe (PID: 2392)
  - b8e611bd3eeab906a59eca8edfcd4b17.exe (PID: 296)
  - devenv.exe (PID: 1008)
  - admtools.exe (PID: 2240)
  - 7cd25b7b269534280117df86611a98dc.exe (PID: 1968)
  - 34c445cd62b06b1cc14ee072582c1002.exe (PID: 3880)
  - 48b29f7890ad902bddd43e3db4b94401.exe (PID: 2716)
  - b8e611bd3eeab906a59eca8edfcd4b17.exe (PID: 3248)
  - unionreturns.rtf.exe (PID: 3616)
- The executable file from the user directory is run by the CMD process
  - chocolatey.exe (PID: 3052)
  - Bginfo.exe (PID: 3360)
  - clist.exe (PID: 2064)
  - Bginfo.exe (PID: 1420)
- Changes appearance of the Explorer extensions
  - reg.exe (PID: 4044)
  - reg.exe (PID: 3728)
  - reg.exe (PID: 3384)
  - reg.exe (PID: 4040)
  - reg.exe (PID: 3916)
  - reg.exe (PID: 3644)
  - reg.exe (PID: 2632)
  - reg.exe (PID: 3864)
- Reads Environment values
  - 897956d6a1fe98391a8d3ba3cd368e97.exe (PID: 3224)
  - b8e611bd3eeab906a59eca8edfcd4b17.exe (PID: 3248)
- Checks proxy server information
  - 897956d6a1fe98391a8d3ba3cd368e97.exe (PID: 3224)
  - devenv.exe (PID: 1008)
- Creates files or folders in the user directory
  - 897956d6a1fe98391a8d3ba3cd368e97.exe (PID: 3224)
  - a110327b5e01cb61f49a21a2a948dca1.exe (PID: 2392)
  - blwxm.exe (PID: 3504)
  - ZaccMoMY.exe (PID: 2220)
- Reads Microsoft Office registry keys
  - unionreturns.rtf.exe (PID: 3616)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

122

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

296

"C:\Users\admin\Desktop\b8e611bd3eeab906a59eca8edfcd4b17.exe"

C:\Users\admin\Desktop\b8e611bd3eeab906a59eca8edfcd4b17.exe

—

explorer.exe

User:

admin

Company:

Schweggmanns

Integrity Level:

MEDIUM

Description:

DeCaireRobert

Exit code:

4294967295

Version:

1.0.2.0

Modules

Images
c:\users\admin\desktop\b8e611bd3eeab906a59eca8edfcd4b17.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

600

"C:\Users\admin\suMAsEkw\ZaccMoMY.exe"

C:\Users\admin\suMAsEkw\ZaccMoMY.exe

91d8af6f1a78c3219946fbf647d51167.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\sumasekw\zaccmomy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

680

"C:\Program Files\Windows Media Player\wmpnscfg.exe"

C:\Program Files\Windows Media Player\wmpnscfg.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Media Player Network Sharing Service Configuration Application

Exit code:

Version:

12.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1008

"C:\Users\Public\Documents\devenv.exe"

C:\Users\Public\Documents\devenv.exe

—

a110327b5e01cb61f49a21a2a948dca1.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

Version:

0.0.0.0

Modules

Images
c:\users\public\documents\devenv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1420

C:\Users\admin\AppData\Local\Temp\Bginfo.exe

—

cmd.exe

User:

admin

Company:

Sysinternals - www.sysinternals.com

Integrity Level:

MEDIUM

Description:

BGInfo - Wallpaper text configurator - shim

Exit code:

4294967295

Version:

4.28.0.0

Modules

Images
c:\users\admin\appdata\local\temp\bginfo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1640

"C:\Users\admin\Desktop\14f62cf5811d351e21c1793b388ab187.exe"

C:\Users\admin\Desktop\14f62cf5811d351e21c1793b388ab187.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

FeihuoClient

Exit code:

3221226540

Version:

1, 0, 0, 1

Modules

Images
c:\users\admin\desktop\14f62cf5811d351e21c1793b388ab187.exe
c:\windows\system32\ntdll.dll

1840

"C:\Users\admin\Desktop\43ad618c1063692c30544a17f1759d47.exe"

C:\Users\admin\Desktop\43ad618c1063692c30544a17f1759d47.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Mira Malware

Exit code:

Version:

1.0.0.155

Modules

Images
c:\users\admin\desktop\43ad618c1063692c30544a17f1759d47.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

1936

"C:\ProgramData\SmAUcsog\SkQQcsYU.exe"

C:\ProgramData\SmAUcsog\SkQQcsYU.exe

2411f758cdfc2a6ba79cf02892f7aa6c.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\programdata\smaucsog\skqqcsyu.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

1968

"C:\Users\admin\Desktop\7cd25b7b269534280117df86611a98dc.exe"

C:\Users\admin\Desktop\7cd25b7b269534280117df86611a98dc.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

JPEG Image

Exit code:

Version:

6.1.7601.17514

Modules

Images
c:\users\admin\desktop\7cd25b7b269534280117df86611a98dc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll

2064

C:\Users\admin\AppData\Local\Temp\clist.exe

—

cmd.exe

User:

admin

Company:

Chocolatey Software, Inc.

Integrity Level:

MEDIUM

Description:

chocolatey - shim

Exit code:

4294967295

Version:

0.10.5.0

Modules

Images
c:\users\admin\appdata\local\temp\clist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

Add for printing

Total events

12 270

Read events

11 694

Write events

433

Delete events

143

Modification events


(PID) Process:	(2740) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2740) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:	(2740) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:	(2740) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process:	(2740) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2740) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2740) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2740) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2136) 939ca386280a3011927bce23015b8fea.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
Operation:	write	Name:	Name
Value: flashplayer32ax_xa_install.exe
(PID) Process:	(2136) 939ca386280a3011927bce23015b8fea.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
Operation:	write	Name:	Name
Value: 939ca386280a3011927bce23015b8fea.exe

Add for printing

Executable files

1 641

Suspicious files

Text files

165

Unknown types

Dropped files

PID	Process	Filename		Type
2740	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.1122\897956d6a1fe98391a8d3ba3cd368e97.exe		executable
		MD5:897956D6A1FE98391A8D3BA3CD368E97	SHA256:7C254495B75C4CBDF290C5E1ECC393E6455444549B67FDA23EA0877AAB494EC1
2740	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.1122\372e6b9506740d8ac2b165867d7e8629.exe		executable
		MD5:372E6B9506740D8AC2B165867D7E8629	SHA256:20BD3811509F529D47B0FD5766FB3835AE9F6F55F7073C4E46D5473A66C7D239
2740	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.1122\2411f758cdfc2a6ba79cf02892f7aa6c.exe		executable
		MD5:2411F758CDFC2A6BA79CF02892F7AA6C	SHA256:31F5909A7E0D5305094160BC85EEBE386AF77F981C108F263D790476A0B1926A
2740	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.1122\34c445cd62b06b1cc14ee072582c1002.exe		executable
		MD5:34C445CD62B06B1CC14EE072582C1002	SHA256:44F32BFE95865828F7CCCC57C82FC7446662AAB0395C73EA38FEA406DD97A310
2740	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.1122\b8e611bd3eeab906a59eca8edfcd4b17.exe		executable
		MD5:B8E611BD3EEAB906A59ECA8EDFCD4B17	SHA256:231317B913C919405748768B287DC4554EB17C0040E5360C6886BBF846935979
2740	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.1122\939ca386280a3011927bce23015b8fea.exe		executable
		MD5:939CA386280A3011927BCE23015B8FEA	SHA256:F39DB07D4050664B833967DA8FBEB6F386E576F092FB0AEE1CF281F36855CAF0
2740	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.1122\a110327b5e01cb61f49a21a2a948dca1.exe		executable
		MD5:A110327B5E01CB61F49A21A2A948DCA1	SHA256:DB3B2F5977BDB811E8B3773976BC39A2210210487F3EAD2B9EA438C177DA378D
2740	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.1122\7cd25b7b269534280117df86611a98dc.exe		executable
		MD5:7CD25B7B269534280117DF86611A98DC	SHA256:0DE9861B0900806EDA19FDB760B9CAFFF92F1868159447B8C2667889C1699D5E
2740	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.1122\14f62cf5811d351e21c1793b388ab187.exe		executable
		MD5:14F62CF5811D351E21C1793B388AB187	SHA256:4228281BAC9B6FFBF4897984D29501C631CDE04C62DCA360D22F7D8A2AE24558
2740	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.1122\742675c7a16a8f4e8283adf73cccee60.exe		executable
		MD5:742675C7A16A8F4E8283ADF73CCCEE60	SHA256:52C2A369FEEFA1770EE88F28606657DC2CF2F8AACC1790B3E1CBE1CC0454346F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
600	ZaccMoMY.exe	GET	302	142.250.186.46:80	http://google.com/	unknown	html	392 b	unknown
3856	ZaccMoMY.exe	GET	302	142.250.186.46:80	http://google.com/	unknown	html	392 b	unknown
2220	ZaccMoMY.exe	GET	302	142.250.186.46:80	http://google.com/	unknown	html	392 b	unknown
1936	SkQQcsYU.exe	GET	302	142.250.186.46:80	http://google.com/	unknown	html	392 b	unknown
4060	SkQQcsYU.exe	GET	302	142.250.186.46:80	http://google.com/	unknown	html	392 b	unknown
2668	SkQQcsYU.exe	GET	302	142.250.186.46:80	http://google.com/	unknown	html	392 b	unknown
484	lsass.exe	GET	200	184.24.77.174:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?440741f4bd306e5a	unknown	compressed	4.66 Kb	unknown
484	lsass.exe	GET	200	104.18.21.226:80	http://ocsp.globalsign.com/rootr1/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDkcHsQGaDFetObPhfan5	unknown	binary	1.41 Kb	unknown
484	lsass.exe	GET	200	104.18.21.226:80	http://ocsp2.globalsign.com/gsorganizationvalsha2g3/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSVLM6m9XSaK2pXyc357yFJVjgNwQQUaIa4fXrZbUlrhy8YixU0bNe0eg4CDBmR9B7vwIydpZ3THA%3D%3D	unknown	binary	1.43 Kb	unknown
1080	svchost.exe	GET	200	23.216.77.132:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4a02763af10da56d	unknown	compressed	65.2 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2588	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2220	ZaccMoMY.exe	142.250.186.46:80	—	GOOGLE	US	whitelisted
600	ZaccMoMY.exe	142.250.186.46:80	—	GOOGLE	US	whitelisted
2668	SkQQcsYU.exe	142.250.186.46:80	—	GOOGLE	US	whitelisted
1936	SkQQcsYU.exe	142.250.186.46:80	—	GOOGLE	US	whitelisted
3856	ZaccMoMY.exe	142.250.186.46:80	—	GOOGLE	US	whitelisted
4060	SkQQcsYU.exe	142.250.186.46:80	—	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
api.v2.secdls.com	—	unknown
staticrr.cloudsvr332.com	—	unknown
staticrr.sslsecure1.com	193.166.255.171	unknown
api.peer2profit.com	—	unknown
pex.0x01.cf	45.84.227.157	unknown
staticrr.sslsecure2.com	—	unknown
staticrr.sslsecure3.com	—	unknown
staticrr.sslsecure4.com	—	unknown
staticrr.sslsecure5.com	—	unknown
staticrr.sslsecure6.com	—	unknown

Threats

PID	Process	Class	Message
2220	ZaccMoMY.exe	A Network Trojan was detected	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
600	ZaccMoMY.exe	A Network Trojan was detected	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
600	ZaccMoMY.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com)
2668	SkQQcsYU.exe	A Network Trojan was detected	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
1936	SkQQcsYU.exe	A Network Trojan was detected	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
3856	ZaccMoMY.exe	A Network Trojan was detected	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
4060	SkQQcsYU.exe	A Network Trojan was detected	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
1080	svchost.exe	Misc activity	ET INFO DNS Query for Suspicious .cf Domain
1080	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
3248	b8e611bd3eeab906a59eca8edfcd4b17.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI

Add for printing

No debug info

General Info

5.rar

EFBCFDDA51C06ED0656CC7EB0BBB4956

77229FB2CDE58298831B7D2012E98EE01E5BF11A

4CF5F4C8E88EB4889970297882CFD56407484AC980845BE015D567047A7943C8

98304:J9kE9g/opU0utVmzenpKRoT4iaAHOp1yKpIiIzirGodHMEc/2V6/DRdMCnVKlfC5:atUHdGRH6FfFY

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Drops the executable file immediately after the start

Changes the login/logoff helper path in the registry

Changes appearance of the Explorer extensions

Actions looks like stealing of personal data

REVENGERAT has been detected (YARA)

Modifies files in the Chrome extension folder

Steals credentials from Web Browsers

Probably malicious OneNote attachment is found

SUSPICIOUS

Process drops legitimate windows executable

Uses REG/REGEDIT.EXE to modify registry

Starts CMD.EXE for commands execution

Reads the Internet Settings

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

Connects to unusual port

Detected use of alternative data streams (AltDS)

Starts application with an unusual extension

Starts itself from another location

Application launched itself

Checks for external IP

Accesses Microsoft Outlook profiles

Reads settings of System Certificates

Connects to SMTP port

INFO

Drops the executable file immediately after the start

Checks supported languages

Manual execution by a user

Creates files in the program directory

Reads the computer name

Create files in a temporary directory

Reads the machine GUID from the registry

The executable file from the user directory is run by the CMD process

Changes appearance of the Explorer extensions

Reads Environment values

Checks proxy server information

Creates files or folders in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events