| URL: | http://62.60.226.159/NuclearBomb.exe |
| Full analysis: | https://app.any.run/tasks/25049b94-f04f-44fd-bad1-229bb94a7219 |
| Verdict: | Malicious activity |
| Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
| Analysis date: | March 01, 2026, 05:43:03 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 4509BF4FBA935104DA911A312B4F315D |
| SHA1: | 56FFC0AA7EB57A0EF53419E04CF532850D7C37AE |
| SHA256: | 666393A4AFC93424BD286DC46CEC718EE0E1F9A7FD69401BFCAA4B4550E55C34 |
| SSDEEP: | 3:N1KmVjXUTf+KFdA:CmVATfA |
MALICIOUS
STEALC has been detected (SURICATA)
- msedge.exe (PID: 3952)
- snovmx.exe (PID: 1856)
- snovmx.exe (PID: 4700)
- snovmx.exe (PID: 2248)
- snovmx.exe (PID: 7932)
- snovmx.exe (PID: 9040)
- snovmx.exe (PID: 5600)
- snovmx.exe (PID: 2092)
- snovmx.exe (PID: 3400)
- snovmx.exe (PID: 6628)
- snovmx.exe (PID: 5184)
- snovmx.exe (PID: 9012)
Changes the autorun value in the registry
- syshuge.exe (PID: 1352)
- sykkrc.exe (PID: 1000)
- sysipvs.exe (PID: 1672)
- reg.exe (PID: 8596)
- syshuge.exe (PID: 8816)
- syshuge.exe (PID: 8100)
- syshuge.exe (PID: 3352)
- syshuge.exe (PID: 8628)
- syshuge.exe (PID: 7232)
- syshuge.exe (PID: 4796)
- syshuge.exe (PID: 5788)
- syshuge.exe (PID: 8444)
- syshuge.exe (PID: 5500)
- syshuge.exe (PID: 1956)
- syshuge.exe (PID: 8844)
- syshuge.exe (PID: 4608)
- syshuge.exe (PID: 7540)
- syshuge.exe (PID: 3240)
- syshuge.exe (PID: 4776)
- syshuge.exe (PID: 508)
- syshuge.exe (PID: 9416)
- syshuge.exe (PID: 7340)
- syshuge.exe (PID: 9528)
- syshuge.exe (PID: 9552)
- syshuge.exe (PID: 9616)
- syshuge.exe (PID: 9948)
- syshuge.exe (PID: 10124)
- syshuge.exe (PID: 10096)
- syshuge.exe (PID: 10180)
- syshuge.exe (PID: 9248)
- syshuge.exe (PID: 10164)
- syshuge.exe (PID: 10264)
- syshuge.exe (PID: 10320)
- syshuge.exe (PID: 10360)
- syshuge.exe (PID: 10408)
- syshuge.exe (PID: 10336)
- syshuge.exe (PID: 10400)
- syshuge.exe (PID: 10312)
- syshuge.exe (PID: 10256)
- syshuge.exe (PID: 12492)
- syshuge.exe (PID: 11424)
- syshuge.exe (PID: 10412)
GENERIC has been found (auto)
- NuclearBomb.exe (PID: 6628)
- sykkrc.exe (PID: 1000)
STEALC has been detected
- snovmx.exe (PID: 1856)
- snovmx.exe (PID: 2248)
- snovmx.exe (PID: 4700)
- snovmx.exe (PID: 7932)
- snovmx.exe (PID: 6628)
- snovmx.exe (PID: 5600)
- snovmx.exe (PID: 9040)
- snovmx.exe (PID: 9012)
- snovmx.exe (PID: 5184)
- snovmx.exe (PID: 2092)
- snovmx.exe (PID: 3400)
- snovmx.exe (PID: 3232)
- snovmx.exe (PID: 8224)
- snovmx.exe (PID: 552)
- snovmx.exe (PID: 9560)
- snovmx.exe (PID: 9752)
- snovmx.exe (PID: 9864)
- snovmx.exe (PID: 4364)
- snovmx.exe (PID: 7416)
- snovmx.exe (PID: 10088)
- snovmx.exe (PID: 10004)
- snovmx.exe (PID: 9992)
- snovmx.exe (PID: 10392)
- snovmx.exe (PID: 10424)
- snovmx.exe (PID: 10440)
- snovmx.exe (PID: 10516)
- snovmx.exe (PID: 10492)
- snovmx.exe (PID: 10596)
- snovmx.exe (PID: 10532)
- snovmx.exe (PID: 10500)
- snovmx.exe (PID: 10576)
- snovmx.exe (PID: 10612)
- snovmx.exe (PID: 10568)
- snovmx.exe (PID: 10524)
- snovmx.exe (PID: 9800)
- snovmx.exe (PID: 12708)
- snovmx.exe (PID: 12840)
Modifies files in the Chrome extension folder
- sysppl.exe (PID: 1844)
REDLINE has been detected (SURICATA)
- sysmnom.exe (PID: 4664)
- sysmnom.exe (PID: 8876)
- sysmnom.exe (PID: 8544)
- sysmnom.exe (PID: 4312)
- sysmnom.exe (PID: 5796)
- sysmnom.exe (PID: 8940)
- sysmnom.exe (PID: 9112)
- sysmnom.exe (PID: 8228)
- sysmnom.exe (PID: 4756)
- sysmnom.exe (PID: 1824)
- sysmnom.exe (PID: 9840)
- sysmnom.exe (PID: 9544)
- sysmnom.exe (PID: 10108)
- sysmnom.exe (PID: 8300)
- sysmnom.exe (PID: 10628)
- sysmnom.exe (PID: 10472)
- sysmnom.exe (PID: 10656)
- sysmnom.exe (PID: 10728)
- sysmnom.exe (PID: 10772)
- sysmnom.exe (PID: 10736)
- sysmnom.exe (PID: 10764)
- sysmnom.exe (PID: 10836)
- sysmnom.exe (PID: 10868)
- sysmnom.exe (PID: 10884)
- sysmnom.exe (PID: 10944)
- sysmnom.exe (PID: 11036)
- sysmnom.exe (PID: 10908)
- sysmnom.exe (PID: 11020)
- sysmnom.exe (PID: 11012)
- sysmnom.exe (PID: 10924)
- sysmnom.exe (PID: 11060)
- sysmnom.exe (PID: 10980)
- sysmnom.exe (PID: 6108)
- sysmnom.exe (PID: 9664)
- sysmnom.exe (PID: 10124)
- sysmnom.exe (PID: 12732)
- sysmnom.exe (PID: 8792)
- sysmnom.exe (PID: 14320)
Actions looks like stealing of personal data
- updater.exe (PID: 4608)
- sysmnom.exe (PID: 4664)
- updater.exe (PID: 6820)
- updater.exe (PID: 7756)
- sysmnom.exe (PID: 8876)
- sysmnom.exe (PID: 8544)
- sysmnom.exe (PID: 9544)
- sysmnom.exe (PID: 4756)
- sysmnom.exe (PID: 9112)
- sysmnom.exe (PID: 4312)
- sysmnom.exe (PID: 8300)
- sysmnom.exe (PID: 9840)
- sysmnom.exe (PID: 10628)
- sysmnom.exe (PID: 10868)
- sysmnom.exe (PID: 11036)
- sysmnom.exe (PID: 10764)
- sysmnom.exe (PID: 10656)
- sysmnom.exe (PID: 12732)
- sysmnom.exe (PID: 8940)
- sysmnom.exe (PID: 10884)
- sysmnom.exe (PID: 11060)
- sysmnom.exe (PID: 6108)
- sysmnom.exe (PID: 10924)
- sysmnom.exe (PID: 9664)
- sysmnom.exe (PID: 10124)
- sysmnom.exe (PID: 10736)
- sysmnom.exe (PID: 10908)
- updater.exe (PID: 7464)
- sysmnom.exe (PID: 8792)
METASTEALER has been detected (SURICATA)
- sysmnom.exe (PID: 4664)
- sysmnom.exe (PID: 8876)
- sysmnom.exe (PID: 8544)
- sysmnom.exe (PID: 5796)
- sysmnom.exe (PID: 4312)
- sysmnom.exe (PID: 8940)
- sysmnom.exe (PID: 9112)
- sysmnom.exe (PID: 4756)
- sysmnom.exe (PID: 8228)
- sysmnom.exe (PID: 1824)
- sysmnom.exe (PID: 9840)
- sysmnom.exe (PID: 9544)
- sysmnom.exe (PID: 10108)
- sysmnom.exe (PID: 8300)
- sysmnom.exe (PID: 10472)
- sysmnom.exe (PID: 10656)
- sysmnom.exe (PID: 10628)
- sysmnom.exe (PID: 10728)
- sysmnom.exe (PID: 10772)
- sysmnom.exe (PID: 10736)
- sysmnom.exe (PID: 10764)
- sysmnom.exe (PID: 10836)
- sysmnom.exe (PID: 10868)
- sysmnom.exe (PID: 10884)
- sysmnom.exe (PID: 10944)
- sysmnom.exe (PID: 10924)
- sysmnom.exe (PID: 11020)
- sysmnom.exe (PID: 10908)
- sysmnom.exe (PID: 10980)
- sysmnom.exe (PID: 11060)
- sysmnom.exe (PID: 11036)
- sysmnom.exe (PID: 11012)
- sysmnom.exe (PID: 10124)
- sysmnom.exe (PID: 9664)
- sysmnom.exe (PID: 6108)
- sysmnom.exe (PID: 12732)
- sysmnom.exe (PID: 8792)
- sysmnom.exe (PID: 14320)
Steals credentials from Web Browsers
- sysmnom.exe (PID: 4664)
- sysmnom.exe (PID: 8876)
- sysmnom.exe (PID: 8544)
- sysmnom.exe (PID: 9112)
- sysmnom.exe (PID: 4312)
- sysmnom.exe (PID: 9544)
- sysmnom.exe (PID: 1824)
- sysmnom.exe (PID: 10108)
- sysmnom.exe (PID: 8300)
- sysmnom.exe (PID: 4756)
- sysmnom.exe (PID: 10628)
- sysmnom.exe (PID: 10944)
- sysmnom.exe (PID: 10836)
- sysmnom.exe (PID: 6108)
- sysmnom.exe (PID: 11060)
- sysmnom.exe (PID: 10764)
- sysmnom.exe (PID: 9840)
- sysmnom.exe (PID: 10736)
- sysmnom.exe (PID: 9664)
- sysmnom.exe (PID: 10124)
- sysmnom.exe (PID: 10924)
- sysmnom.exe (PID: 11036)
- sysmnom.exe (PID: 10908)
- sysmnom.exe (PID: 8792)
AMADEY has been detected (SURICATA)
- jixwk.exe (PID: 7296)
- defconhost.exe (PID: 5204)
Runs injected code in another process
- syshuge.exe (PID: 8816)
- syshuge.exe (PID: 1352)
- syshuge.exe (PID: 8100)
- syshuge.exe (PID: 3352)
- syshuge.exe (PID: 8628)
- syshuge.exe (PID: 7232)
- syshuge.exe (PID: 4796)
- syshuge.exe (PID: 5788)
- syshuge.exe (PID: 8444)
- syshuge.exe (PID: 5500)
- syshuge.exe (PID: 1956)
- syshuge.exe (PID: 4608)
- syshuge.exe (PID: 8844)
- syshuge.exe (PID: 7540)
- syshuge.exe (PID: 4776)
- syshuge.exe (PID: 508)
- syshuge.exe (PID: 9416)
- syshuge.exe (PID: 7340)
- syshuge.exe (PID: 9528)
- syshuge.exe (PID: 9552)
- syshuge.exe (PID: 9616)
- syshuge.exe (PID: 9948)
- syshuge.exe (PID: 10124)
- syshuge.exe (PID: 10096)
- syshuge.exe (PID: 9248)
- syshuge.exe (PID: 10180)
- syshuge.exe (PID: 10164)
- syshuge.exe (PID: 10264)
- syshuge.exe (PID: 10320)
- syshuge.exe (PID: 10408)
- syshuge.exe (PID: 10336)
- syshuge.exe (PID: 10360)
- syshuge.exe (PID: 10400)
- syshuge.exe (PID: 10312)
- syshuge.exe (PID: 10256)
- syshuge.exe (PID: 12492)
- syshuge.exe (PID: 11424)
- syshuge.exe (PID: 10412)
Application was injected by another process
- explorer.exe (PID: 4972)
Stealers network behavior
- sysmnom.exe (PID: 8228)
- sysmnom.exe (PID: 8300)
- sysmnom.exe (PID: 9544)
- sysmnom.exe (PID: 14320)
REDLINE has been detected (YARA)
- sysmnom.exe (PID: 8876)
- sysmnom.exe (PID: 8228)
SUSPICIOUS
Creates file in the systems drive root
- explorer.exe (PID: 4972)
The process creates files with name similar to system file names
- NuclearBomb.exe (PID: 6628)
- sykkrc.exe (PID: 1000)
- defconhost.exe (PID: 5204)
Reads the date of Windows installation
- NuclearBomb.exe (PID: 6628)
- sysipvs.exe (PID: 1672)
- NuclearBomb.exe (PID: 8788)
- NuclearBomb.exe (PID: 1600)
- NuclearBomb.exe (PID: 5768)
- NuclearBomb.exe (PID: 2856)
- NuclearBomb.exe (PID: 4636)
- NuclearBomb.exe (PID: 7812)
- NuclearBomb.exe (PID: 8300)
- NuclearBomb.exe (PID: 8460)
- NuclearBomb.exe (PID: 1084)
- NuclearBomb.exe (PID: 4424)
- NuclearBomb.exe (PID: 6880)
- NuclearBomb.exe (PID: 4812)
- NuclearBomb.exe (PID: 1632)
- NuclearBomb.exe (PID: 3096)
- NuclearBomb.exe (PID: 6548)
- NuclearBomb.exe (PID: 4816)
- NuclearBomb.exe (PID: 7960)
- NuclearBomb.exe (PID: 8272)
- NuclearBomb.exe (PID: 4700)
- NuclearBomb.exe (PID: 8328)
- NuclearBomb.exe (PID: 8572)
- NuclearBomb.exe (PID: 3952)
- NuclearBomb.exe (PID: 1044)
- NuclearBomb.exe (PID: 6584)
- NuclearBomb.exe (PID: 3644)
- NuclearBomb.exe (PID: 7548)
- NuclearBomb.exe (PID: 6352)
- NuclearBomb.exe (PID: 8688)
- NuclearBomb.exe (PID: 8824)
- NuclearBomb.exe (PID: 1868)
- NuclearBomb.exe (PID: 5716)
- NuclearBomb.exe (PID: 5040)
- NuclearBomb.exe (PID: 4624)
- NuclearBomb.exe (PID: 7372)
- NuclearBomb.exe (PID: 8048)
- NuclearBomb.exe (PID: 8852)
- NuclearBomb.exe (PID: 2148)
- NuclearBomb.exe (PID: 8012)
- NuclearBomb.exe (PID: 6596)
- NuclearBomb.exe (PID: 5304)
Process drops python dynamic module
- updater.exe (PID: 1172)
- updater.exe (PID: 6432)
- updater.exe (PID: 9100)
- updater.exe (PID: 7280)
Application launched itself
- updater.exe (PID: 1172)
- updater.exe (PID: 6432)
- updater.exe (PID: 9100)
- updater.exe (PID: 7280)
Loads Python modules
- updater.exe (PID: 4608)
- updater.exe (PID: 6820)
- updater.exe (PID: 7756)
- updater.exe (PID: 7464)
Possible stealing of FTP data
- sysmnom.exe (PID: 4664)
- sysmnom.exe (PID: 8876)
- sysmnom.exe (PID: 8544)
- sysmnom.exe (PID: 9112)
- sysmnom.exe (PID: 4312)
- sysmnom.exe (PID: 1824)
- sysmnom.exe (PID: 10108)
- sysmnom.exe (PID: 10628)
- sysmnom.exe (PID: 10944)
- sysmnom.exe (PID: 10836)
- sysmnom.exe (PID: 6108)
- sysmnom.exe (PID: 11060)
- sysmnom.exe (PID: 9544)
- sysmnom.exe (PID: 10924)
- sysmnom.exe (PID: 10124)
- sysmnom.exe (PID: 10764)
- sysmnom.exe (PID: 11036)
- sysmnom.exe (PID: 10908)
Starts itself from another location
- sysipvs.exe (PID: 1672)
Possible stealing of messenger data
- sysmnom.exe (PID: 4664)
- sysmnom.exe (PID: 8544)
- sysmnom.exe (PID: 8876)
- sysmnom.exe (PID: 4312)
- sysmnom.exe (PID: 9112)
- sysmnom.exe (PID: 8300)
- sysmnom.exe (PID: 10108)
- sysmnom.exe (PID: 4756)
- sysmnom.exe (PID: 1824)
- sysmnom.exe (PID: 8940)
- sysmnom.exe (PID: 10908)
- sysmnom.exe (PID: 9544)
- sysmnom.exe (PID: 11060)
- sysmnom.exe (PID: 10736)
- sysmnom.exe (PID: 11020)
- sysmnom.exe (PID: 10628)
- sysmnom.exe (PID: 10836)
- sysmnom.exe (PID: 10124)
- sysmnom.exe (PID: 11036)
Possible stealing of VPN data
- sysmnom.exe (PID: 4664)
- sysmnom.exe (PID: 8544)
- sysmnom.exe (PID: 9544)
- sysmnom.exe (PID: 4756)
- sysmnom.exe (PID: 8876)
- sysmnom.exe (PID: 4312)
- sysmnom.exe (PID: 9840)
- sysmnom.exe (PID: 10628)
- sysmnom.exe (PID: 11036)
- sysmnom.exe (PID: 10868)
- sysmnom.exe (PID: 10764)
- sysmnom.exe (PID: 10656)
- sysmnom.exe (PID: 12732)
- sysmnom.exe (PID: 8940)
- sysmnom.exe (PID: 11060)
- sysmnom.exe (PID: 10924)
- sysmnom.exe (PID: 10124)
- sysmnom.exe (PID: 10736)
- sysmnom.exe (PID: 10908)
Starts CMD.EXE for commands execution
- defconhost.exe (PID: 5204)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 7532)
Possible stealing from crypto wallets
- sysmnom.exe (PID: 4664)
- sysmnom.exe (PID: 8876)
- sysmnom.exe (PID: 4312)
- sysmnom.exe (PID: 8544)
- sysmnom.exe (PID: 9544)
- sysmnom.exe (PID: 4756)
- sysmnom.exe (PID: 10628)
- sysmnom.exe (PID: 9840)
- sysmnom.exe (PID: 10836)
- sysmnom.exe (PID: 11036)
- sysmnom.exe (PID: 10764)
- sysmnom.exe (PID: 10736)
- sysmnom.exe (PID: 10124)
- sysmnom.exe (PID: 10924)
- sysmnom.exe (PID: 10908)
Contacting a server suspected of hosting an CnC
- defconhost.exe (PID: 5204)
There is functionality for enable RDP (YARA)
- defconhost.exe (PID: 5204)
Found regular expressions for crypto-addresses (YARA)
- sykkrc.exe (PID: 1000)
- sysppl.exe (PID: 1844)
- jixwk.exe (PID: 7296)
- sysppl.exe (PID: 4300)
Cleans NTFS data stream (Zone Identifier)
- explorer.exe (PID: 4972)
INFO
Reads Environment values
- identity_helper.exe (PID: 4688)
Application launched itself
- msedge.exe (PID: 6488)
Launching a file from the Downloads directory
- msedge.exe (PID: 6488)
Reads the computer name
- identity_helper.exe (PID: 4688)
- NuclearBomb.exe (PID: 6628)
- syshuge.exe (PID: 1352)
- snovmx.exe (PID: 1856)
- sysmnom.exe (PID: 4664)
- updater.exe (PID: 1172)
- sysppl.exe (PID: 1844)
- jixwk.exe (PID: 7296)
- sysipvs.exe (PID: 1672)
- defconhost.exe (PID: 5204)
- syshuge.exe (PID: 8816)
- NuclearBomb.exe (PID: 8788)
- syshuge.exe (PID: 8100)
- snovmx.exe (PID: 2248)
- sysmnom.exe (PID: 8876)
- sysppl.exe (PID: 4300)
- updater.exe (PID: 6432)
- NuclearBomb.exe (PID: 1600)
- snovmx.exe (PID: 4700)
- sysppl.exe (PID: 2424)
- sysmnom.exe (PID: 8228)
- syshuge.exe (PID: 3352)
- NuclearBomb.exe (PID: 5768)
- syshuge.exe (PID: 8628)
- snovmx.exe (PID: 7932)
- sysppl.exe (PID: 4924)
- NuclearBomb.exe (PID: 1084)
- syshuge.exe (PID: 7232)
- snovmx.exe (PID: 6628)
- NuclearBomb.exe (PID: 2856)
- sysmnom.exe (PID: 8544)
- sysppl.exe (PID: 1172)
- sysmnom.exe (PID: 4312)
- syshuge.exe (PID: 4796)
- updater.exe (PID: 9100)
- snovmx.exe (PID: 5600)
- sysmnom.exe (PID: 5796)
- sysppl.exe (PID: 2232)
- syshuge.exe (PID: 5788)
- NuclearBomb.exe (PID: 4636)
- snovmx.exe (PID: 9040)
- syshuge.exe (PID: 8444)
- sysppl.exe (PID: 1156)
- sysmnom.exe (PID: 8940)
- NuclearBomb.exe (PID: 7812)
- snovmx.exe (PID: 9012)
- sysppl.exe (PID: 1960)
- sysmnom.exe (PID: 9112)
- NuclearBomb.exe (PID: 8300)
- snovmx.exe (PID: 5184)
- syshuge.exe (PID: 5500)
- sysppl.exe (PID: 8584)
- sysmnom.exe (PID: 4756)
- NuclearBomb.exe (PID: 8460)
- snovmx.exe (PID: 2092)
- syshuge.exe (PID: 1956)
- updater.exe (PID: 7280)
- sysmnom.exe (PID: 1824)
- sysppl.exe (PID: 7304)
- NuclearBomb.exe (PID: 4424)
- NuclearBomb.exe (PID: 4812)
- NuclearBomb.exe (PID: 6880)
- NuclearBomb.exe (PID: 8272)
- NuclearBomb.exe (PID: 1632)
- NuclearBomb.exe (PID: 4816)
- syshuge.exe (PID: 8844)
- NuclearBomb.exe (PID: 7548)
- syshuge.exe (PID: 4608)
- NuclearBomb.exe (PID: 8572)
- NuclearBomb.exe (PID: 3096)
- NuclearBomb.exe (PID: 7960)
- snovmx.exe (PID: 3232)
- NuclearBomb.exe (PID: 6548)
- NuclearBomb.exe (PID: 1044)
- NuclearBomb.exe (PID: 3952)
- snovmx.exe (PID: 3400)
- NuclearBomb.exe (PID: 8824)
- NuclearBomb.exe (PID: 3644)
- syshuge.exe (PID: 7540)
- NuclearBomb.exe (PID: 8688)
- NuclearBomb.exe (PID: 8328)
- NuclearBomb.exe (PID: 4624)
- NuclearBomb.exe (PID: 4700)
- snovmx.exe (PID: 8224)
- NuclearBomb.exe (PID: 6584)
- NuclearBomb.exe (PID: 6352)
- NuclearBomb.exe (PID: 1868)
- NuclearBomb.exe (PID: 5716)
- NuclearBomb.exe (PID: 5040)
- NuclearBomb.exe (PID: 5304)
- NuclearBomb.exe (PID: 8852)
- syshuge.exe (PID: 3240)
- NuclearBomb.exe (PID: 8048)
- snovmx.exe (PID: 552)
- NuclearBomb.exe (PID: 8012)
- syshuge.exe (PID: 4776)
- sysmnom.exe (PID: 8300)
- syshuge.exe (PID: 508)
- sysppl.exe (PID: 3176)
- NuclearBomb.exe (PID: 6596)
- NuclearBomb.exe (PID: 2148)
- syshuge.exe (PID: 9416)
- syshuge.exe (PID: 7340)
- NuclearBomb.exe (PID: 7372)
- snovmx.exe (PID: 9560)
- syshuge.exe (PID: 9528)
- syshuge.exe (PID: 9552)
- sysmnom.exe (PID: 9544)
- syshuge.exe (PID: 9616)
- snovmx.exe (PID: 9752)
- snovmx.exe (PID: 9864)
- syshuge.exe (PID: 9948)
- sysmnom.exe (PID: 9840)
- snovmx.exe (PID: 9992)
- snovmx.exe (PID: 10004)
- snovmx.exe (PID: 10088)
- syshuge.exe (PID: 10096)
- syshuge.exe (PID: 10164)
- syshuge.exe (PID: 10180)
- syshuge.exe (PID: 10124)
- snovmx.exe (PID: 4364)
- snovmx.exe (PID: 7416)
- syshuge.exe (PID: 9248)
- sysmnom.exe (PID: 10108)
- syshuge.exe (PID: 10264)
- syshuge.exe (PID: 10320)
- syshuge.exe (PID: 10360)
- snovmx.exe (PID: 10392)
- syshuge.exe (PID: 10400)
- syshuge.exe (PID: 10312)
- syshuge.exe (PID: 10336)
- syshuge.exe (PID: 10408)
- snovmx.exe (PID: 10516)
- snovmx.exe (PID: 10440)
- snovmx.exe (PID: 10492)
- snovmx.exe (PID: 10500)
- snovmx.exe (PID: 10424)
- snovmx.exe (PID: 10524)
- snovmx.exe (PID: 10596)
- snovmx.exe (PID: 10532)
- snovmx.exe (PID: 10568)
- snovmx.exe (PID: 10576)
- snovmx.exe (PID: 10612)
- syshuge.exe (PID: 10256)
- sysmnom.exe (PID: 10656)
- sysmnom.exe (PID: 10628)
- sysmnom.exe (PID: 10728)
- sysmnom.exe (PID: 10472)
- snovmx.exe (PID: 9800)
- sysmnom.exe (PID: 10764)
- sysmnom.exe (PID: 10772)
- sysmnom.exe (PID: 10868)
- sysmnom.exe (PID: 10836)
- sysmnom.exe (PID: 10736)
- sysmnom.exe (PID: 10908)
- sysmnom.exe (PID: 10924)
- sysmnom.exe (PID: 10884)
- sysmnom.exe (PID: 10944)
- sysmnom.exe (PID: 11020)
- sysmnom.exe (PID: 11012)
- sysmnom.exe (PID: 11036)
- sysmnom.exe (PID: 10980)
- sysmnom.exe (PID: 11060)
- sysmnom.exe (PID: 6108)
- sysmnom.exe (PID: 10124)
- sysmnom.exe (PID: 9664)
- syshuge.exe (PID: 12492)
- sysppl.exe (PID: 10172)
- sysmnom.exe (PID: 12732)
- sysppl.exe (PID: 10464)
- sysppl.exe (PID: 10480)
- snovmx.exe (PID: 12708)
- sysppl.exe (PID: 11004)
- sysppl.exe (PID: 10804)
- sysppl.exe (PID: 10680)
- sysppl.exe (PID: 10820)
- sysppl.exe (PID: 10996)
- sysppl.exe (PID: 10796)
- sysppl.exe (PID: 11108)
- sysppl.exe (PID: 11100)
- sysppl.exe (PID: 11028)
- sysppl.exe (PID: 11120)
- sysppl.exe (PID: 11160)
- sysppl.exe (PID: 10188)
- sysppl.exe (PID: 10180)
- sysppl.exe (PID: 11076)
- sysppl.exe (PID: 6608)
- sysppl.exe (PID: 11128)
- sysppl.exe (PID: 11140)
- sysppl.exe (PID: 9852)
- sysppl.exe (PID: 11084)
- sysppl.exe (PID: 11136)
- sysppl.exe (PID: 11244)
- sysppl.exe (PID: 12740)
- sysmnom.exe (PID: 8792)
- snovmx.exe (PID: 12840)
- syshuge.exe (PID: 11424)
- syshuge.exe (PID: 10412)
- sysmnom.exe (PID: 14320)
- sysppl.exe (PID: 7948)
- snovmx.exe (PID: 13964)
Checks supported languages
- identity_helper.exe (PID: 4688)
- defconhost.exe (PID: 5204)
- syshuge.exe (PID: 1352)
- snovmx.exe (PID: 1856)
- sykkrc.exe (PID: 1000)
- NuclearBomb.exe (PID: 6628)
- sysipvs.exe (PID: 1672)
- sysmnom.exe (PID: 4664)
- sysnkk.exe (PID: 5736)
- updater.exe (PID: 1172)
- updater.exe (PID: 4608)
- sysppl.exe (PID: 1844)
- jixwk.exe (PID: 7296)
- syshuge.exe (PID: 8816)
- svchost.exe (PID: 8392)
- jixwk.exe (PID: 8300)
- $99defconhost.exe (PID: 8316)
- NuclearBomb.exe (PID: 8788)
- defconhost.exe (PID: 2360)
- syshuge.exe (PID: 8100)
- snovmx.exe (PID: 2248)
- sysipvs.exe (PID: 8636)
- sykkrc.exe (PID: 8572)
- sysmnom.exe (PID: 8876)
- sysppl.exe (PID: 4300)
- sysnkk.exe (PID: 8324)
- updater.exe (PID: 6432)
- defconhost.exe (PID: 2456)
- NuclearBomb.exe (PID: 1600)
- snovmx.exe (PID: 4700)
- sysppl.exe (PID: 2424)
- sykkrc.exe (PID: 6020)
- sysipvs.exe (PID: 7424)
- sysmnom.exe (PID: 8228)
- sysnkk.exe (PID: 6704)
- syshuge.exe (PID: 3352)
- syshuge.exe (PID: 8628)
- updater.exe (PID: 6820)
- defconhost.exe (PID: 1872)
- snovmx.exe (PID: 7932)
- sykkrc.exe (PID: 8144)
- sysppl.exe (PID: 4924)
- defconhost.exe (PID: 5512)
- NuclearBomb.exe (PID: 5768)
- sysmnom.exe (PID: 8544)
- sysipvs.exe (PID: 6200)
- NuclearBomb.exe (PID: 1084)
- sysipvs.exe (PID: 5716)
- sykkrc.exe (PID: 1584)
- snovmx.exe (PID: 6628)
- syshuge.exe (PID: 7232)
- sysppl.exe (PID: 1172)
- defconhost.exe (PID: 8320)
- sysmnom.exe (PID: 4312)
- NuclearBomb.exe (PID: 2856)
- syshuge.exe (PID: 4796)
- sykkrc.exe (PID: 8556)
- snovmx.exe (PID: 5600)
- sysnkk.exe (PID: 2868)
- sysipvs.exe (PID: 6084)
- sysmnom.exe (PID: 5796)
- sysppl.exe (PID: 2232)
- syshuge.exe (PID: 5788)
- defconhost.exe (PID: 4604)
- sysnkk.exe (PID: 4664)
- updater.exe (PID: 9100)
- snovmx.exe (PID: 9040)
- NuclearBomb.exe (PID: 4636)
- NuclearBomb.exe (PID: 7812)
- defconhost.exe (PID: 1692)
- syshuge.exe (PID: 8444)
- sysppl.exe (PID: 1156)
- sykkrc.exe (PID: 5504)
- sysmnom.exe (PID: 8940)
- sysipvs.exe (PID: 8600)
- snovmx.exe (PID: 9012)
- sysipvs.exe (PID: 7052)
- sysnkk.exe (PID: 5484)
- updater.exe (PID: 7756)
- NuclearBomb.exe (PID: 8300)
- sysmnom.exe (PID: 9112)
- sykkrc.exe (PID: 5508)
- sysppl.exe (PID: 1960)
- snovmx.exe (PID: 5184)
- sykkrc.exe (PID: 6496)
- sysipvs.exe (PID: 2764)
- sysnkk.exe (PID: 2820)
- defconhost.exe (PID: 4920)
- syshuge.exe (PID: 5500)
- sysmnom.exe (PID: 4756)
- sysppl.exe (PID: 8584)
- sysnkk.exe (PID: 8764)
- syshuge.exe (PID: 1956)
- sykkrc.exe (PID: 6692)
- snovmx.exe (PID: 2092)
- sysipvs.exe (PID: 5412)
- defconhost.exe (PID: 8968)
- NuclearBomb.exe (PID: 8460)
- sysnkk.exe (PID: 7000)
- updater.exe (PID: 7280)
- sysmnom.exe (PID: 1824)
- sysppl.exe (PID: 7304)
- NuclearBomb.exe (PID: 4424)
- NuclearBomb.exe (PID: 4812)
- NuclearBomb.exe (PID: 8272)
- NuclearBomb.exe (PID: 3096)
- NuclearBomb.exe (PID: 7960)
- NuclearBomb.exe (PID: 1632)
- NuclearBomb.exe (PID: 6548)
- NuclearBomb.exe (PID: 7548)
- NuclearBomb.exe (PID: 4816)
- NuclearBomb.exe (PID: 6880)
- NuclearBomb.exe (PID: 8572)
- NuclearBomb.exe (PID: 3952)
- sysnkk.exe (PID: 2372)
- NuclearBomb.exe (PID: 8328)
- NuclearBomb.exe (PID: 4700)
- NuclearBomb.exe (PID: 8824)
- NuclearBomb.exe (PID: 6584)
- NuclearBomb.exe (PID: 8048)
- NuclearBomb.exe (PID: 5040)
- NuclearBomb.exe (PID: 4624)
- updater.exe (PID: 7464)
- NuclearBomb.exe (PID: 1044)
- NuclearBomb.exe (PID: 2148)
- NuclearBomb.exe (PID: 1868)
- NuclearBomb.exe (PID: 7372)
- NuclearBomb.exe (PID: 8852)
- NuclearBomb.exe (PID: 6352)
- defconhost.exe (PID: 7720)
- NuclearBomb.exe (PID: 3644)
- NuclearBomb.exe (PID: 8012)
- NuclearBomb.exe (PID: 5716)
- NuclearBomb.exe (PID: 8688)
- defconhost.exe (PID: 5736)
- syshuge.exe (PID: 4608)
- syshuge.exe (PID: 8844)
- NuclearBomb.exe (PID: 5304)
- snovmx.exe (PID: 3232)
- NuclearBomb.exe (PID: 6596)
- snovmx.exe (PID: 3400)
- syshuge.exe (PID: 7540)
- sykkrc.exe (PID: 9040)
- sykkrc.exe (PID: 7580)
- snovmx.exe (PID: 8224)
- sysipvs.exe (PID: 8316)
- defconhost.exe (PID: 2684)
- defconhost.exe (PID: 4472)
- defconhost.exe (PID: 1176)
- syshuge.exe (PID: 3240)
- defconhost.exe (PID: 8548)
- defconhost.exe (PID: 7492)
- defconhost.exe (PID: 5612)
- snovmx.exe (PID: 552)
- sykkrc.exe (PID: 8088)
- defconhost.exe (PID: 5208)
- syshuge.exe (PID: 4776)
- sysmnom.exe (PID: 8300)
- syshuge.exe (PID: 508)
- defconhost.exe (PID: 8844)
- sysppl.exe (PID: 3176)
- syshuge.exe (PID: 7340)
- sykkrc.exe (PID: 7756)
- sysipvs.exe (PID: 4608)
- defconhost.exe (PID: 9276)
- syshuge.exe (PID: 9416)
- sysipvs.exe (PID: 9380)
- defconhost.exe (PID: 9480)
- defconhost.exe (PID: 9536)
- syshuge.exe (PID: 9528)
- syshuge.exe (PID: 9552)
- snovmx.exe (PID: 9560)
- sysmnom.exe (PID: 9544)
- defconhost.exe (PID: 9500)
- sysnkk.exe (PID: 9608)
- syshuge.exe (PID: 9616)
- defconhost.exe (PID: 9736)
- snovmx.exe (PID: 9752)
- defconhost.exe (PID: 9760)
- defconhost.exe (PID: 9880)
- snovmx.exe (PID: 9864)
- defconhost.exe (PID: 9856)
- defconhost.exe (PID: 9744)
- sysipvs.exe (PID: 9848)
- syshuge.exe (PID: 9948)
- sykkrc.exe (PID: 9984)
- snovmx.exe (PID: 9992)
- snovmx.exe (PID: 10004)
- snovmx.exe (PID: 10088)
- sysmnom.exe (PID: 10108)
- sysmnom.exe (PID: 9840)
- syshuge.exe (PID: 10124)
- sysppl.exe (PID: 10172)
- defconhost.exe (PID: 10140)
- defconhost.exe (PID: 10148)
- syshuge.exe (PID: 10164)
- defconhost.exe (PID: 10156)
- syshuge.exe (PID: 10180)
- sykkrc.exe (PID: 2572)
- syshuge.exe (PID: 10096)
- snovmx.exe (PID: 4364)
- syshuge.exe (PID: 9248)
- snovmx.exe (PID: 7416)
- sykkrc.exe (PID: 8148)
- syshuge.exe (PID: 10264)
- syshuge.exe (PID: 10360)
- sykkrc.exe (PID: 10328)
- syshuge.exe (PID: 10320)
- sykkrc.exe (PID: 10272)
- sykkrc.exe (PID: 10288)
- snovmx.exe (PID: 10392)
- sykkrc.exe (PID: 10380)
- sykkrc.exe (PID: 10344)
- syshuge.exe (PID: 10400)
- syshuge.exe (PID: 10312)
- sysipvs.exe (PID: 10456)
- sysipvs.exe (PID: 10432)
- syshuge.exe (PID: 10336)
- syshuge.exe (PID: 10408)
- sysipvs.exe (PID: 10448)
- snovmx.exe (PID: 10440)
- sysipvs.exe (PID: 10508)
- sysppl.exe (PID: 10480)
- snovmx.exe (PID: 10516)
- sysppl.exe (PID: 10464)
- snovmx.exe (PID: 10492)
- snovmx.exe (PID: 10500)
- sysipvs.exe (PID: 10560)
- snovmx.exe (PID: 10532)
- sykkrc.exe (PID: 10416)
- snovmx.exe (PID: 10424)
- snovmx.exe (PID: 10576)
- snovmx.exe (PID: 10524)
- sysipvs.exe (PID: 10620)
- snovmx.exe (PID: 10596)
- sysipvs.exe (PID: 10688)
- snovmx.exe (PID: 10568)
- sysipvs.exe (PID: 10604)
- sysipvs.exe (PID: 10812)
- sysipvs.exe (PID: 10696)
- sykkrc.exe (PID: 10672)
- sysppl.exe (PID: 10680)
- sykkrc.exe (PID: 10704)
- sykkrc.exe (PID: 10648)
- sykkrc.exe (PID: 10636)
- sysipvs.exe (PID: 10844)
- sykkrc.exe (PID: 10712)
- sysipvs.exe (PID: 10780)
- snovmx.exe (PID: 10612)
- sysipvs.exe (PID: 10788)
- sysppl.exe (PID: 10804)
- sysipvs.exe (PID: 10972)
- sykkrc.exe (PID: 10756)
- sykkrc.exe (PID: 10720)
- sysipvs.exe (PID: 10988)
- sykkrc.exe (PID: 10896)
- sysppl.exe (PID: 10796)
- sysipvs.exe (PID: 10860)
- sykkrc.exe (PID: 10664)
- sysipvs.exe (PID: 10828)
- sykkrc.exe (PID: 10748)
- sysipvs.exe (PID: 10936)
- sykkrc.exe (PID: 10964)
- sysppl.exe (PID: 11108)
- sysppl.exe (PID: 11004)
- sysipvs.exe (PID: 11232)
- sysppl.exe (PID: 11028)
- sysppl.exe (PID: 11100)
- syshuge.exe (PID: 10256)
- sysppl.exe (PID: 11084)
- defconhost.exe (PID: 9988)
- sysppl.exe (PID: 11120)
- sysipvs.exe (PID: 10304)
- sysppl.exe (PID: 10996)
- sysppl.exe (PID: 10820)
- sysipvs.exe (PID: 11152)
- sysppl.exe (PID: 6608)
- sysppl.exe (PID: 11160)
- sysppl.exe (PID: 11244)
- defconhost.exe (PID: 10248)
- sysppl.exe (PID: 11136)
- sysppl.exe (PID: 10188)
- sysppl.exe (PID: 11140)
- sysppl.exe (PID: 10180)
- sysppl.exe (PID: 11076)
- sysppl.exe (PID: 9852)
- sysppl.exe (PID: 11128)
- sysmnom.exe (PID: 10656)
- sysmnom.exe (PID: 10628)
- sysmnom.exe (PID: 10728)
- sykkrc.exe (PID: 10280)
- sysmnom.exe (PID: 10472)
- sysmnom.exe (PID: 10764)
- sysmnom.exe (PID: 10736)
- snovmx.exe (PID: 9800)
- sysmnom.exe (PID: 10772)
- sysmnom.exe (PID: 10868)
- sysmnom.exe (PID: 10836)
- sysmnom.exe (PID: 10908)
- sysmnom.exe (PID: 10924)
- sysmnom.exe (PID: 10944)
- sysmnom.exe (PID: 10884)
- sysmnom.exe (PID: 11036)
- sysmnom.exe (PID: 11012)
- sysmnom.exe (PID: 11020)
- sysmnom.exe (PID: 10980)
- sysmnom.exe (PID: 11060)
- sysmnom.exe (PID: 10124)
- sysmnom.exe (PID: 9664)
- sysmnom.exe (PID: 6108)
- sysnkk.exe (PID: 10544)
- syshuge.exe (PID: 12492)
- sysnkk.exe (PID: 10584)
- sysnkk.exe (PID: 10852)
- sysnkk.exe (PID: 10916)
- sysnkk.exe (PID: 10876)
- sysnkk.exe (PID: 10956)
- sysipvs.exe (PID: 12724)
- sysnkk.exe (PID: 11068)
- sysnkk.exe (PID: 11176)
- sysppl.exe (PID: 12740)
- sysnkk.exe (PID: 11184)
- sysnkk.exe (PID: 11192)
- sysnkk.exe (PID: 11168)
- sysnkk.exe (PID: 11208)
- sysnkk.exe (PID: 8108)
- sysnkk.exe (PID: 11252)
- sysnkk.exe (PID: 11216)
- sysnkk.exe (PID: 9984)
- sykkrc.exe (PID: 12716)
- sysnkk.exe (PID: 11260)
- sysnkk.exe (PID: 11092)
- sysnkk.exe (PID: 11048)
- sysnkk.exe (PID: 11200)
- defconhost.exe (PID: 12480)
- sysnkk.exe (PID: 9812)
- sysnkk.exe (PID: 12748)
- sysmnom.exe (PID: 12732)
- sysnkk.exe (PID: 10352)
- sysnkk.exe (PID: 3624)
- sysnkk.exe (PID: 6072)
- snovmx.exe (PID: 12708)
- sykkrc.exe (PID: 12204)
- syshuge.exe (PID: 11424)
- sysipvs.exe (PID: 3212)
- sysppl.exe (PID: 7948)
- snovmx.exe (PID: 12840)
- sysmnom.exe (PID: 8792)
- sysppl.exe (PID: 10260)
- sysnkk.exe (PID: 14168)
- defconhost.exe (PID: 10940)
- sysipvs.exe (PID: 10676)
- defconhost.exe (PID: 14136)
- sykkrc.exe (PID: 11956)
- syshuge.exe (PID: 10412)
- snovmx.exe (PID: 13964)
- sysmnom.exe (PID: 14320)
- sysnkk.exe (PID: 9952)
Reads security settings of Internet Explorer
- explorer.exe (PID: 4972)
- NuclearBomb.exe (PID: 6628)
- snovmx.exe (PID: 1856)
- sysipvs.exe (PID: 1672)
- defconhost.exe (PID: 5204)
- NuclearBomb.exe (PID: 8788)
- snovmx.exe (PID: 2248)
- snovmx.exe (PID: 4700)
- NuclearBomb.exe (PID: 1600)
- NuclearBomb.exe (PID: 1084)
- NuclearBomb.exe (PID: 5768)
- snovmx.exe (PID: 7932)
- NuclearBomb.exe (PID: 2856)
- snovmx.exe (PID: 6628)
- snovmx.exe (PID: 5600)
- snovmx.exe (PID: 9040)
- NuclearBomb.exe (PID: 4636)
- NuclearBomb.exe (PID: 7812)
- snovmx.exe (PID: 9012)
- NuclearBomb.exe (PID: 8300)
- snovmx.exe (PID: 5184)
- NuclearBomb.exe (PID: 8460)
- snovmx.exe (PID: 2092)
- NuclearBomb.exe (PID: 4424)
- NuclearBomb.exe (PID: 4812)
- NuclearBomb.exe (PID: 6880)
- NuclearBomb.exe (PID: 1632)
- NuclearBomb.exe (PID: 8572)
- NuclearBomb.exe (PID: 3096)
- NuclearBomb.exe (PID: 7960)
- NuclearBomb.exe (PID: 7548)
- NuclearBomb.exe (PID: 4816)
- NuclearBomb.exe (PID: 6548)
- snovmx.exe (PID: 3400)
- NuclearBomb.exe (PID: 8272)
- NuclearBomb.exe (PID: 1044)
- NuclearBomb.exe (PID: 4700)
- NuclearBomb.exe (PID: 3952)
- NuclearBomb.exe (PID: 6352)
- NuclearBomb.exe (PID: 8328)
- NuclearBomb.exe (PID: 8824)
- NuclearBomb.exe (PID: 1868)
- NuclearBomb.exe (PID: 3644)
- NuclearBomb.exe (PID: 5040)
- NuclearBomb.exe (PID: 4624)
- NuclearBomb.exe (PID: 6584)
- NuclearBomb.exe (PID: 8688)
- NuclearBomb.exe (PID: 5716)
- NuclearBomb.exe (PID: 8048)
- NuclearBomb.exe (PID: 8852)
- NuclearBomb.exe (PID: 8012)
- NuclearBomb.exe (PID: 2148)
- NuclearBomb.exe (PID: 7372)
- NuclearBomb.exe (PID: 6596)
- NuclearBomb.exe (PID: 5304)
- snovmx.exe (PID: 552)
Manual execution by a user
- NuclearBomb.exe (PID: 6628)
- syshuge.exe (PID: 8816)
- svchost.exe (PID: 8392)
- jixwk.exe (PID: 8300)
- $99defconhost.exe (PID: 8316)
- NuclearBomb.exe (PID: 8788)
- NuclearBomb.exe (PID: 1600)
- NuclearBomb.exe (PID: 5768)
- NuclearBomb.exe (PID: 1084)
- NuclearBomb.exe (PID: 2856)
- NuclearBomb.exe (PID: 4636)
- NuclearBomb.exe (PID: 8300)
- NuclearBomb.exe (PID: 7812)
- NuclearBomb.exe (PID: 8460)
- NuclearBomb.exe (PID: 6548)
- NuclearBomb.exe (PID: 4812)
- NuclearBomb.exe (PID: 6880)
- NuclearBomb.exe (PID: 7960)
- NuclearBomb.exe (PID: 3096)
- NuclearBomb.exe (PID: 1632)
- NuclearBomb.exe (PID: 4424)
- NuclearBomb.exe (PID: 8272)
- NuclearBomb.exe (PID: 8572)
- NuclearBomb.exe (PID: 3952)
- NuclearBomb.exe (PID: 8328)
- NuclearBomb.exe (PID: 4816)
- NuclearBomb.exe (PID: 7548)
- NuclearBomb.exe (PID: 8048)
- NuclearBomb.exe (PID: 8852)
- NuclearBomb.exe (PID: 1044)
- NuclearBomb.exe (PID: 6352)
- NuclearBomb.exe (PID: 6584)
- NuclearBomb.exe (PID: 4624)
- NuclearBomb.exe (PID: 7372)
- NuclearBomb.exe (PID: 8824)
- NuclearBomb.exe (PID: 2148)
- NuclearBomb.exe (PID: 1868)
- NuclearBomb.exe (PID: 4700)
- NuclearBomb.exe (PID: 8012)
- NuclearBomb.exe (PID: 5716)
- NuclearBomb.exe (PID: 8688)
- NuclearBomb.exe (PID: 5040)
- NuclearBomb.exe (PID: 5304)
- NuclearBomb.exe (PID: 3644)
- NuclearBomb.exe (PID: 6596)
Drops script file
- msedge.exe (PID: 5632)
Launching a file from a Registry key
- syshuge.exe (PID: 1352)
- sykkrc.exe (PID: 1000)
- sysipvs.exe (PID: 1672)
- reg.exe (PID: 8596)
- syshuge.exe (PID: 8816)
- syshuge.exe (PID: 8100)
- syshuge.exe (PID: 3352)
- syshuge.exe (PID: 8628)
- syshuge.exe (PID: 7232)
- syshuge.exe (PID: 4796)
- syshuge.exe (PID: 5788)
- syshuge.exe (PID: 8444)
- syshuge.exe (PID: 5500)
- syshuge.exe (PID: 1956)
- syshuge.exe (PID: 4608)
- syshuge.exe (PID: 8844)
- syshuge.exe (PID: 7540)
- syshuge.exe (PID: 3240)
- syshuge.exe (PID: 4776)
- syshuge.exe (PID: 508)
- syshuge.exe (PID: 9416)
- syshuge.exe (PID: 7340)
- syshuge.exe (PID: 9528)
- syshuge.exe (PID: 9552)
- syshuge.exe (PID: 9616)
- syshuge.exe (PID: 9948)
- syshuge.exe (PID: 10096)
- syshuge.exe (PID: 10124)
- syshuge.exe (PID: 9248)
- syshuge.exe (PID: 10180)
- syshuge.exe (PID: 10164)
- syshuge.exe (PID: 10264)
- syshuge.exe (PID: 10320)
- syshuge.exe (PID: 10360)
- syshuge.exe (PID: 10336)
- syshuge.exe (PID: 10408)
- syshuge.exe (PID: 10400)
- syshuge.exe (PID: 10312)
- syshuge.exe (PID: 10256)
- syshuge.exe (PID: 12492)
- syshuge.exe (PID: 11424)
- syshuge.exe (PID: 10412)
Process checks computer location settings
- NuclearBomb.exe (PID: 6628)
- sysipvs.exe (PID: 1672)
- NuclearBomb.exe (PID: 8788)
- NuclearBomb.exe (PID: 1600)
- NuclearBomb.exe (PID: 5768)
- NuclearBomb.exe (PID: 1084)
- NuclearBomb.exe (PID: 2856)
- NuclearBomb.exe (PID: 4636)
- NuclearBomb.exe (PID: 7812)
- NuclearBomb.exe (PID: 8300)
- NuclearBomb.exe (PID: 8460)
- NuclearBomb.exe (PID: 4424)
- NuclearBomb.exe (PID: 4812)
- NuclearBomb.exe (PID: 6880)
- NuclearBomb.exe (PID: 3096)
- NuclearBomb.exe (PID: 4816)
- NuclearBomb.exe (PID: 7960)
- NuclearBomb.exe (PID: 6548)
- NuclearBomb.exe (PID: 1632)
- NuclearBomb.exe (PID: 8328)
- NuclearBomb.exe (PID: 4700)
- NuclearBomb.exe (PID: 8572)
- NuclearBomb.exe (PID: 7548)
- NuclearBomb.exe (PID: 8272)
- NuclearBomb.exe (PID: 6352)
- NuclearBomb.exe (PID: 3644)
- NuclearBomb.exe (PID: 8824)
- NuclearBomb.exe (PID: 1868)
- NuclearBomb.exe (PID: 5716)
- NuclearBomb.exe (PID: 1044)
- NuclearBomb.exe (PID: 5040)
- NuclearBomb.exe (PID: 8688)
- NuclearBomb.exe (PID: 3952)
- NuclearBomb.exe (PID: 6584)
- NuclearBomb.exe (PID: 4624)
- NuclearBomb.exe (PID: 7372)
- NuclearBomb.exe (PID: 8048)
- NuclearBomb.exe (PID: 8852)
- NuclearBomb.exe (PID: 2148)
- NuclearBomb.exe (PID: 8012)
- NuclearBomb.exe (PID: 6596)
- NuclearBomb.exe (PID: 5304)
Checks proxy server information
- snovmx.exe (PID: 1856)
- defconhost.exe (PID: 5204)
- slui.exe (PID: 1884)
- snovmx.exe (PID: 2248)
- snovmx.exe (PID: 4700)
- snovmx.exe (PID: 7932)
- snovmx.exe (PID: 6628)
- snovmx.exe (PID: 5600)
- snovmx.exe (PID: 9040)
- snovmx.exe (PID: 9012)
- snovmx.exe (PID: 5184)
- snovmx.exe (PID: 2092)
- snovmx.exe (PID: 3400)
- snovmx.exe (PID: 552)
Creates files or folders in the user directory
- NuclearBomb.exe (PID: 6628)
Create files in a temporary directory
- sysnkk.exe (PID: 5736)
- updater.exe (PID: 1172)
- sysppl.exe (PID: 1844)
- updater.exe (PID: 6432)
- sysnkk.exe (PID: 8324)
- sysnkk.exe (PID: 4664)
- updater.exe (PID: 9100)
- updater.exe (PID: 7280)
- sysnkk.exe (PID: 14168)
Reads the machine GUID from the registry
- sysmnom.exe (PID: 4664)
- sysipvs.exe (PID: 1672)
- sysmnom.exe (PID: 8876)
- sysmnom.exe (PID: 8228)
- sysmnom.exe (PID: 8544)
- sysmnom.exe (PID: 4312)
- sysmnom.exe (PID: 5796)
- sysmnom.exe (PID: 8940)
- sysmnom.exe (PID: 9112)
- sysmnom.exe (PID: 4756)
- sysmnom.exe (PID: 1824)
- sysmnom.exe (PID: 8300)
- sysmnom.exe (PID: 9840)
- sysmnom.exe (PID: 10108)
- sysmnom.exe (PID: 9544)
- sysmnom.exe (PID: 10472)
- sysmnom.exe (PID: 10628)
- sysmnom.exe (PID: 10656)
- sysmnom.exe (PID: 10728)
- sysmnom.exe (PID: 10764)
- sysmnom.exe (PID: 10772)
- sysmnom.exe (PID: 10836)
- sysmnom.exe (PID: 10736)
- sysmnom.exe (PID: 10884)
- sysmnom.exe (PID: 10908)
- sysmnom.exe (PID: 10944)
- sysmnom.exe (PID: 11020)
- sysmnom.exe (PID: 10924)
- sysmnom.exe (PID: 10868)
- sysmnom.exe (PID: 11060)
- sysmnom.exe (PID: 11036)
- sysmnom.exe (PID: 11012)
- sysmnom.exe (PID: 10980)
- sysmnom.exe (PID: 6108)
- sysmnom.exe (PID: 9664)
- sysmnom.exe (PID: 10124)
- sysmnom.exe (PID: 12732)
- sysmnom.exe (PID: 8792)
- sysmnom.exe (PID: 14320)
Creates files in the program directory
- sysipvs.exe (PID: 1672)
Application based on Golang
- defconhost.exe (PID: 5204)
- defconhost.exe (PID: 2360)
- defconhost.exe (PID: 2456)
There is functionality for taking screenshot (YARA)
- defconhost.exe (PID: 5204)
- sysmnom.exe (PID: 8876)
- sysmnom.exe (PID: 8228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
RedLine
(PID) Process(8876) sysmnom.exe
C2 (1)196.251.107.104:1912
Botnetfff
Options
ErrorMessage
Keys
Xorqsdqsdqsdqsd
(PID) Process(8228) sysmnom.exe
C2 (1)196.251.107.104:1912
Botnetfff
Options
ErrorMessage
Keys
Xorqsdqsdqsdqsd
Total processes
539
Monitored processes
387
Malicious processes
164
Suspicious processes
5
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 468 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3560,i,10352030044650635447,9064998077159821210,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=2340 /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 508 | "C:\Users\admin\AppData\Roaming\syshuge.exe" | C:\Users\admin\AppData\Roaming\syshuge.exe | NuclearBomb.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 552 | "C:\Users\admin\AppData\Roaming\snovmx.exe" | C:\Users\admin\AppData\Roaming\snovmx.exe | NuclearBomb.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 1000 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6944,i,10352030044650635447,9064998077159821210,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=7116 /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 1000 | "C:\Users\admin\AppData\Roaming\sykkrc.exe" | C:\Users\admin\AppData\Roaming\sykkrc.exe | NuclearBomb.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
| 1044 | "C:\Users\admin\Desktop\NuclearBomb.exe" | C:\Users\admin\Desktop\NuclearBomb.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1084 | "C:\Users\admin\Desktop\NuclearBomb.exe" | C:\Users\admin\Desktop\NuclearBomb.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1156 | "C:\Users\admin\AppData\Roaming\sysppl.exe" | C:\Users\admin\AppData\Roaming\sysppl.exe | — | NuclearBomb.exe | |||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 1172 | "C:\Users\admin\AppData\Local\Temp\updater.exe" | C:\Users\admin\AppData\Local\Temp\updater.exe | — | sysnkk.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1172 | "C:\Users\admin\AppData\Roaming\sysppl.exe" | C:\Users\admin\AppData\Roaming\sysppl.exe | — | NuclearBomb.exe | |||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
Total events
134 951
Read events
134 793
Write events
142
Delete events
16
Modification events
| (PID) Process: | (4972) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000803BC |
| Operation: | write | Name: | VirtualDesktop |
Value: 1000000030304456E9BC50E45F05DB4C86F7D791C25A96C7 | |||
| (PID) Process: | (4972) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0208 |
| Operation: | write | Name: | VirtualDesktop |
Value: 1000000030304456E9BC50E45F05DB4C86F7D791C25A96C7 | |||
| (PID) Process: | (4972) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | NodeSlots |
Value: 02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 | |||
| (PID) Process: | (4972) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | MRUListEx |
Value: 04000000030000000000000012000000110000000E000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF | |||
| (PID) Process: | (4972) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4 |
| Operation: | write | Name: | MRUListEx |
Value: 000000000500000003000000040000000200000001000000FFFFFFFF | |||
| (PID) Process: | (4972) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0 |
| Operation: | write | Name: | MRUListEx |
Value: 0400000005000000010000000600000008000000020000000C0000000B0000000A00000009000000070000000000000003000000FFFFFFFF | |||
| (PID) Process: | (4972) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\4\0 |
| Operation: | write | Name: | MRUListEx |
Value: 0100000000000000FFFFFFFF | |||
| (PID) Process: | (4972) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar |
| Operation: | write | Name: | Locked |
Value: 1 | |||
| (PID) Process: | (4972) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\208\Shell |
| Operation: | write | Name: | SniffedFolderType |
Value: Pictures | |||
| (PID) Process: | (4972) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts |
| Operation: | write | Name: | LastUpdate |
Value: 02D2A36900000000 | |||
Executable files
0
Suspicious files
0
Text files
2
Unknown types
806
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6488 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1e55fd.TMP | — | |
MD5:— | SHA256:— | |||
| 6488 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1e55fd.TMP | — | |
MD5:— | SHA256:— | |||
| 6488 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 6488 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old | — | |
MD5:— | SHA256:— | |||
| 6488 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF1e560d.TMP | — | |
MD5:— | SHA256:— | |||
| 6488 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old | — | |
MD5:— | SHA256:— | |||
| 6488 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1e561d.TMP | — | |
MD5:— | SHA256:— | |||
| 6488 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF1e562c.TMP | — | |
MD5:— | SHA256:— | |||
| 6488 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 6488 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1e562c.TMP | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
67
TCP/UDP connections
126
DNS requests
47
Threats
741
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3952 | msedge.exe | GET | 304 | 150.171.27.11:443 | https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist | US | — | — | whitelisted |
— | — | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D | US | binary | 313 b | whitelisted |
3952 | msedge.exe | GET | 200 | 150.171.28.11:80 | http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:81WLv09ZipqHETgp27KKgq0qCIqm2GIsJNFiI7wGelI&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | US | binary | 101 b | whitelisted |
3952 | msedge.exe | GET | 200 | 150.171.28.11:443 | https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | US | binary | 446 b | whitelisted |
3952 | msedge.exe | GET | 200 | 62.60.226.159:80 | http://62.60.226.159/NuclearBomb.exe | GB | binary | 19.1 Mb | malicious |
3952 | msedge.exe | GET | 200 | 150.171.28.11:443 | https://edge.microsoft.com/extensionwebstorebase/v1/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=edgecrx&prodchannel=&prodversion=133.0.3065.92&lang=en-US&acceptformat=crx3,puff&x=id%3Djmjflgjpcpepeafmmgdpfkogkghcpiha%26v%3D1.2.1%26installedby%3Dother%26uc%26ping%3Dr%253D72%2526e%253D1 | US | binary | 413 b | whitelisted |
3952 | msedge.exe | POST | 200 | 172.217.20.131:443 | https://update.googleapis.com/service/update2/json?cup2key=14:r91EIyASTGuKRTdp5x2axsgzns0ZPZBTCGnRNm8pmRw&cup2hreq=49b2d5bbb53a53470a8c3859fe9c7d0275aa6493cda327626fc9a0134786e13b | US | binary | 891 b | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 304 | 51.124.78.146:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | US | — | — | whitelisted |
3952 | msedge.exe | GET | 200 | 104.18.23.222:443 | https://copilot.microsoft.com/c/api/user/eligibility | US | binary | 25 b | whitelisted |
3952 | msedge.exe | GET | 200 | 2.16.204.161:443 | https://www.bing.com/api/shopping/v1/user/shoppingsettings?EnabledServiceFeaturesv2=edgeServerUX.shopping.cashbackEUMarkets,edgeServerUX.shopping.msEdgeShoppingCashbackDismissTimeout2s | NL | binary | 1.11 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
8068 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
8704 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6768 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5568 | SearchApp.exe | 2.16.204.161:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted |
— | — | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |
— | — | 204.79.197.203:80 | oneocsp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
— | — | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3952 | msedge.exe | 150.171.22.17:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
oneocsp.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
edge.microsoft.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
api.edgeoffer.microsoft.com |
| whitelisted |
copilot.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3952 | msedge.exe | Potentially Bad Traffic | ET INFO PE EXE or DLL Windows file download HTTP |
3952 | msedge.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
3952 | msedge.exe | A Network Trojan was detected | ET MALWARE Executable Downloaded From Common Stealer C2 Host (GET) |
3952 | msedge.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 8 |
3952 | msedge.exe | Misc activity | ET INFO Packed Executable Download |
8068 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
4664 | sysmnom.exe | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity |
4664 | sysmnom.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) |
4664 | sysmnom.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |
4664 | sysmnom.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC - Id1Response |