Malware analysis http://recut.ru/12Vz Malicious activity

Add for printing

URL:	http://recut.ru/12Vz
Full analysis:	https://app.any.run/tasks/a3c46710-4d5f-4cce-95fd-9ae833736579
Verdict:	Malicious activity
Analysis date:	November 19, 2023, 18:51:02
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
SHA1:	441708D610700174A2EC20AE390FEBAB343AEF12
SHA256:	6706C0C370FD8C5D7B9F20C6ABA38E5E078397C40C6420763D8F12F1E6A74325
SSDEEP:	3:N1KMwLMj:CMwLm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - TelamonCleaner_id655a59480fd79og.exe (PID: 3848)
  - TelamonCleaner_id655a59480fd79og.exe (PID: 1176)
  - TelamonCleaner_id655a59480fd79og.tmp (PID: 3908)
  - 7za.exe (PID: 2712)
- Uses Task Scheduler to run other applications
  - tt-cleaner.exe (PID: 2940)
- Actions looks like stealing of personal data
  - tt-cleaner.exe (PID: 4032)
- Creates a writable file the system directory
  - tt-cleaner.exe (PID: 4032)
SUSPICIOUS
- Reads the Windows owner or organization settings
  - TelamonCleaner_id655a59480fd79og.tmp (PID: 3908)
- Starts CMD.EXE for commands execution
  - TelamonCleaner_id655a59480fd79og.tmp (PID: 3908)
- Reads the Internet Settings
  - TelamonCleaner_id655a59480fd79og.tmp (PID: 3908)
  - tt-cleaner.exe (PID: 2940)
- Checks Windows Trust Settings
  - TelamonCleaner_id655a59480fd79og.tmp (PID: 3908)
- Reads settings of System Certificates
  - TelamonCleaner_id655a59480fd79og.tmp (PID: 3908)
  - tt-cleaner.exe (PID: 2940)
  - tt-cleaner.exe (PID: 4032)
- The process drops C-runtime libraries
  - 7za.exe (PID: 2712)
- Adds/modifies Windows certificates
  - TelamonCleaner_id655a59480fd79og.exe (PID: 3848)
- Drops 7-zip archiver for unpacking
  - TelamonCleaner_id655a59480fd79og.tmp (PID: 3908)
- Process drops legitimate windows executable
  - 7za.exe (PID: 2712)
- Reads security settings of Internet Explorer
  - TelamonCleaner_id655a59480fd79og.tmp (PID: 3908)
- Reads the date of Windows installation
  - tt-cleaner.exe (PID: 2940)
- Application launched itself
  - tt-cleaner.exe (PID: 2940)
- Searches for installed software
  - tt-cleaner.exe (PID: 4032)
- Detected use of alternative data streams (AltDS)
  - tt-cleaner.exe (PID: 4032)
- The process verifies whether the antivirus software is installed
  - tt-cleaner.exe (PID: 4032)
INFO
- Drops the executable file immediately after the start
  - firefox.exe (PID: 2944)
- Application launched itself
  - firefox.exe (PID: 2944)
- Checks supported languages
  - TelamonCleaner_id655a59480fd79og.exe (PID: 1176)
  - TelamonCleaner_id655a59480fd79og.exe (PID: 3848)
  - TelamonCleaner_id655a59480fd79og.tmp (PID: 3208)
  - TelamonCleaner_id655a59480fd79og.tmp (PID: 3908)
  - tt-installer-helper.exe (PID: 3952)
  - tt-installer-helper.exe (PID: 4064)
  - 7za.exe (PID: 2712)
  - tt-cleaner.exe (PID: 2940)
  - QtWebEngineProcess.exe (PID: 2312)
  - tt-cleaner.exe (PID: 4032)
- Reads the computer name
  - TelamonCleaner_id655a59480fd79og.tmp (PID: 3208)
  - TelamonCleaner_id655a59480fd79og.tmp (PID: 3908)
  - tt-installer-helper.exe (PID: 3952)
  - 7za.exe (PID: 2712)
  - tt-cleaner.exe (PID: 4032)
  - tt-cleaner.exe (PID: 2940)
- Create files in a temporary directory
  - TelamonCleaner_id655a59480fd79og.tmp (PID: 3908)
  - TelamonCleaner_id655a59480fd79og.exe (PID: 1176)
  - TelamonCleaner_id655a59480fd79og.exe (PID: 3848)
- The process uses the downloaded file
  - firefox.exe (PID: 2944)
- The executable file from the user directory is run by the CMD process
  - tt-installer-helper.exe (PID: 3952)
  - tt-installer-helper.exe (PID: 4064)
- Reads the machine GUID from the registry
  - tt-installer-helper.exe (PID: 3952)
  - TelamonCleaner_id655a59480fd79og.tmp (PID: 3908)
  - tt-cleaner.exe (PID: 4032)
  - tt-cleaner.exe (PID: 2940)
- Checks proxy server information
  - TelamonCleaner_id655a59480fd79og.tmp (PID: 3908)
- Creates files in the program directory
  - 7za.exe (PID: 2712)
  - TelamonCleaner_id655a59480fd79og.tmp (PID: 3908)
  - tt-cleaner.exe (PID: 2940)
  - tt-cleaner.exe (PID: 4032)
- Creates files or folders in the user directory
  - tt-cleaner.exe (PID: 2940)
  - tt-cleaner.exe (PID: 4032)
- Process checks computer location settings
  - QtWebEngineProcess.exe (PID: 2312)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1176

"C:\Users\admin\Downloads\TelamonCleaner_id655a59480fd79og.exe"

C:\Users\admin\Downloads\TelamonCleaner_id655a59480fd79og.exe

—

firefox.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

Telamon Cleaner Setup

Exit code:

Version:

1.0.294.0

Modules

Images
c:\users\admin\downloads\telamoncleaner_id655a59480fd79og.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1416

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.3.1051384059\1083510495" -childID 2 -isForBrowser -prefsHandle 2932 -prefMapHandle 2924 -prefsLen 35454 -prefMapSize 244187 -jsInitHandle 852 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3625562-7abc-4d5b-80a4-f78b02fed328} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 2944 1e1b6258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

1620

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.5.1621764148\1984281911" -childID 4 -isForBrowser -prefsHandle 3744 -prefMapHandle 3740 -prefsLen 30253 -prefMapSize 244187 -jsInitHandle 852 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7ffdd62-1978-4392-bf63-226d17ac4450} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 3756 20722158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

1828

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.4.135765071\1648818577" -childID 3 -isForBrowser -prefsHandle 3372 -prefMapHandle 3368 -prefsLen 30146 -prefMapSize 244187 -jsInitHandle 852 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73b4cd7a-e9dd-42ed-863f-5207a374d2d7} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 3388 1f79f258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

2160

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.8.886019646\589461319" -childID 7 -isForBrowser -prefsHandle 3976 -prefMapHandle 3972 -prefsLen 35557 -prefMapSize 244187 -jsInitHandle 852 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1aa5ed6-c370-4785-9eed-b0b8599cd2ee} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 4056 20723c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

2216

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.7.226682754\180301192" -childID 6 -isForBrowser -prefsHandle 3780 -prefMapHandle 3784 -prefsLen 30253 -prefMapSize 244187 -jsInitHandle 852 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95475f0a-8412-41df-88ff-0384403439d2} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 3948 20722d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

2284

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.2.2110894171\1183738065" -childID 1 -isForBrowser -prefsHandle 2080 -prefMapHandle 2076 -prefsLen 25524 -prefMapSize 244187 -jsInitHandle 852 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {836c6eb4-17f7-4e6f-bd39-dcb84b2aceb8} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 2092 19650858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

2312

"C:\Program Files (x86)\Telamon Cleaner\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,BlinkGenPropertyTrees,MojoVideoCapture,NetworkServiceNotSupported,OriginTrials,SmsReceiver,UsePdfCompositorServiceForPrint,UseSurfaceLayerForVideo,VizDisplayCompositor,WebAuthentication,WebAuthenticationCable,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9665633049291574377 --renderer-client-id=2 --mojo-platform-channel-handle=2032 /prefetch:1

C:\Program Files (x86)\Telamon Cleaner\QtWebEngineProcess.exe

—

tt-cleaner.exe

User:

admin

Company:

The Qt Company Ltd.

Integrity Level:

HIGH

Description:

Qt Qtwebengineprocess

Exit code:

Version:

5.14.0.0

Modules

Images
c:\program files (x86)\telamon cleaner\qtwebengineprocess.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2576

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.1.1166884661\1959852662" -parentBuildID 20230710165010 -prefsHandle 1420 -prefMapHandle 1416 -prefsLen 29857 -prefMapSize 244187 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fad5e577-7212-4de1-a941-da67fce30ed0} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 1432 fcd4558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

2712

"C:\Users\admin\AppData\Local\Temp\is-PCAE9.tmp\7za.exe" x "C:\Users\admin\AppData\Local\Temp\is-PCAE9.tmp\tt-install.zip" -o"C:\Program Files (x86)\Telamon Cleaner\" * -r -aoa

C:\Users\admin\AppData\Local\Temp\is-PCAE9.tmp\7za.exe

—

TelamonCleaner_id655a59480fd79og.tmp

User:

admin

Company:

Igor Pavlov

Integrity Level:

HIGH

Description:

7-Zip Standalone Console

Exit code:

Version:

21.07

Modules

Images
c:\users\admin\appdata\local\temp\is-pcae9.tmp\7za.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Add for printing

Total events

153 500

Read events

153 088

Write events

399

Delete events

Modification events


(PID) Process:	(2944) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Browser
Value: 0000000000000000
(PID) Process:	(2944) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Telemetry
Value: 1
(PID) Process:	(2944) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(2944) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Theme
Value: 1
(PID) Process:	(2944) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Enabled
Value: 1
(PID) Process:	(2944) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|DisableTelemetry
Value: 0
(PID) Process:	(2944) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|DisableDefaultBrowserAgent
Value: 0
(PID) Process:	(2944) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|SetDefaultBrowserUserChoice
Value: 1
(PID) Process:	(2944) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|AppLastRunTime
Value: F8B731ACA1C5D901
(PID) Process:	(2944) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0

Add for printing

Executable files

Suspicious files

610

Text files

1 723

Unknown types

Dropped files

PID	Process	Filename		Type
2944	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\startupCache\urlCache-current.bin		binary
		MD5:4DF9B77C7650AF87B264E535779AE2A4	SHA256:C57071FCFEF26EE4F08A2029E547848EC015B10045ABAD705195A9F966FEAE58
2944	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2944	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\cert9.db		binary
		MD5:EC07C7920DFF48CB4A5F3BCDCF15469A	SHA256:DB7731C7FEF56E195DCDF717444ADFF50AE6ED14747407B3BBEE8A5429DAA67A
2944	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\places.sqlite-wal		binary
		MD5:8E2F8B101931C1EFE48AE5B1BE6A0060	SHA256:E4CBACF172A0E5A5E713CF44E923EC12F15FBD629B8E5800713364860E1DA582
2944	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\prefs-1.js		text
		MD5:01AF74EC3B3BDBF3689AD316486BFD4E	SHA256:2CD5AE9CAD8CD30B31CDB935AD6940B9EAF24C2E781237FF90EA0F36227F29A5
2944	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal		binary
		MD5:19AF88BD28BFF96A5D35A48E612EC6ED	SHA256:35C3979D040CD52A89B1478F4780D32535C0853D1AC2BE55C88116CAE7544ED0
2944	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\protections.sqlite-journal		binary
		MD5:77580941C163BEE88C522B1D537357A2	SHA256:A4F1E7475BAF6415BC0F16C4ACB125DB2A996F49C558B7411463A73BEEE53165
2944	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F		compressed
		MD5:FAEDB0DFA9D67A045D0F223D4F418BE9	SHA256:17EFD4A12EEFA78B5FFB0E422D06387953CEECF7D3D3B505A723EA7DF7336450
2944	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2944	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\cookies.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

182

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2944	firefox.exe	GET	301	104.21.36.83:80	http://recut.ru/12Vz	unknown	—	—	unknown
2944	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	US	text	8 b	unknown
2944	firefox.exe	POST	200	184.24.77.62:80	http://r3.o.lencr.org/	DE	binary	503 b	unknown
2944	firefox.exe	POST	200	18.245.65.219:80	http://ocsp.r2m02.amazontrust.com/	US	binary	471 b	unknown
2944	firefox.exe	POST	200	184.24.77.62:80	http://r3.o.lencr.org/	DE	binary	503 b	unknown
2944	firefox.exe	POST	200	184.24.77.62:80	http://r3.o.lencr.org/	DE	binary	503 b	unknown
2944	firefox.exe	POST	200	142.250.184.195:80	http://ocsp.pki.goog/gts1c3	US	binary	472 b	unknown
2944	firefox.exe	POST	200	192.229.221.95:80	http://ocsp.digicert.com/	US	binary	471 b	unknown
2944	firefox.exe	POST	200	142.250.184.195:80	http://ocsp.pki.goog/gts1c3	US	binary	472 b	unknown
2944	firefox.exe	POST	200	184.24.77.62:80	http://r3.o.lencr.org/	DE	binary	503 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2944	firefox.exe	104.21.36.83:80	recut.ru	CLOUDFLARENET	—	unknown
2944	firefox.exe	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	whitelisted
2944	firefox.exe	34.117.237.239:443	contile.services.mozilla.com	GOOGLE-CLOUD-PLATFORM	US	unknown
2944	firefox.exe	52.3.25.250:443	spocs.getpocket.com	AMAZON-AES	US	unknown
2944	firefox.exe	104.21.36.83:443	recut.ru	—	—	unknown
2944	firefox.exe	172.217.18.10:443	safebrowsing.googleapis.com	—	—	whitelisted
2944	firefox.exe	34.160.144.191:443	content-signature-2.cdn.mozilla.net	GOOGLE	US	unknown

DNS requests

Domain	IP	Reputation
recut.ru	104.21.36.83 172.67.190.172 2606:4700:3035::6815:2453 2606:4700:3032::ac43:beac	unknown
detectportal.firefox.com	34.107.221.82	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
example.org	93.184.216.34	whitelisted
ipv4only.arpa	192.0.0.170 192.0.0.171	whitelisted
contile.services.mozilla.com	34.117.237.239	whitelisted
spocs.getpocket.com	52.3.25.250 100.24.80.211 44.219.111.48 54.80.218.135	shared
proxyserverecs-1736642167.us-east-1.elb.amazonaws.com	44.219.111.48 54.80.218.135 52.3.25.250 100.24.80.211	shared
r3.o.lencr.org	184.24.77.62 184.24.77.45 184.24.77.56 184.24.77.53 184.24.77.48 184.24.77.54 184.24.77.46 184.24.77.67	shared
content-signature-2.cdn.mozilla.net	34.160.144.191	whitelisted

Threats

PID	Process	Class	Message
324	svchost.exe	Potentially Bad Traffic	ET INFO Observed DNS Query to .biz TLD
324	svchost.exe	Potentially Bad Traffic	ET INFO Observed DNS Query to .biz TLD
324	svchost.exe	Potentially Bad Traffic	ET INFO Observed DNS Query to .biz TLD

Add for printing

Process	Message
tt-installer-helper.exe	[2023-11-19 18:51:59] E regstorage.cpp:62 [RegStorage] get<std::wstring>() RegOpenKeyEx failed. 2
tt-cleaner.exe	[2023-11-19 18:52:46] M log.cpp:93 Logging to C:\Program Files (x86)\Telamon Cleaner\logs\tt-cln-app-2023-11-19-18-52-46.log
tt-cleaner.exe	[2023-11-19 18:52:47] M main.cpp:51 Start main: "C:\Program Files (x86)\Telamon Cleaner\tt-cleaner.exe" --install --l=t thread id: 2840 process id: 2940
tt-cleaner.exe	[2023-11-19 18:52:47] M main.cpp:52 Version: 1.0.294
tt-cleaner.exe	[2023-11-19 18:52:47] M app.cpp:522 Found installer_path: C:\Users\admin\Downloads\TelamonCleaner_id655a59480fd79og.exe
tt-cleaner.exe	[2023-11-19 18:52:47] M http.cpp:53 WinSock init ok, version 514
tt-cleaner.exe	[2023-11-19 18:52:47] E regstorage.cpp:62 [RegStorage] get<std::wstring>() Cannot get size of string value: RegGetValue failed. 2
tt-cleaner.exe	[2023-11-19 18:52:49] M log.cpp:93 Logging to C:\Program Files (x86)\Telamon Cleaner\logs\tt-cln-app-2023-11-19-18-52-49.log
tt-cleaner.exe	[2023-11-19 18:52:49] M main.cpp:51 Start main: "C:\Program Files (x86)\Telamon Cleaner\tt-cleaner.exe" thread id: 4064 process id: 4032
tt-cleaner.exe	[2023-11-19 18:52:49] M main.cpp:52 Version: 1.0.294

General Info

http://recut.ru/12Vz

441708D610700174A2EC20AE390FEBAB343AEF12

6706C0C370FD8C5D7B9F20C6ABA38E5E078397C40C6420763D8F12F1E6A74325

3:N1KMwLMj:CMwLm

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Uses Task Scheduler to run other applications

Actions looks like stealing of personal data

Creates a writable file the system directory

SUSPICIOUS

Reads the Windows owner or organization settings

Starts CMD.EXE for commands execution

Reads the Internet Settings

Checks Windows Trust Settings

Reads settings of System Certificates

The process drops C-runtime libraries

Adds/modifies Windows certificates

Drops 7-zip archiver for unpacking

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Reads the date of Windows installation

Application launched itself

Searches for installed software

Detected use of alternative data streams (AltDS)

The process verifies whether the antivirus software is installed

INFO

Drops the executable file immediately after the start

Application launched itself

Checks supported languages

Reads the computer name

Create files in a temporary directory

The process uses the downloaded file

The executable file from the user directory is run by the CMD process

Reads the machine GUID from the registry

Checks proxy server information

Creates files in the program directory

Creates files or folders in the user directory

Process checks computer location settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings