Malware analysis main.exe.exe Malicious activity | ANY.RUN

Add for printing

File name:	main.exe.exe
Full analysis:	https://app.any.run/tasks/be6e8b58-5f60-4a13-b9fb-a9fde8b448eb
Verdict:	Malicious activity
Analysis date:	April 29, 2023, 01:16:16
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	evasion
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	F3ECB621680AF3E86485E7EE7E1318CD
SHA1:	2D6660D031C4E6148D5F12E95BB97A004A653183
SHA256:	713804A0F338774B2D2AC9C2CB92AA2DEB5761B54B415510C7A91AD05060377B
SSDEEP:	196608:qB/lOqPnih8FXj+hYeB0sKYu/PaQgKDnO8NpHzgsAGKaRZtG7EMKtqlnG5Q0rGkI:PqPnLFCjQpDOETgsv/GIF6nt0kBk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.789.19041.0
Adobe Acrobat Reader DC (20.013.20074)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (5.74)
FileZilla Client 3.51.0 (3.51.0)
Google Chrome (112.0.5615.50)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (111.0.1661.62)
Microsoft Edge Update (1.3.173.51)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 (14.30.30704.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.30.30704 (14.30.30704)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.30.30704 (14.30.30704)
Mozilla Firefox (x64 en-US) (111.0.1)
Mozilla Maintenance Service (111.0.1)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
Opera 12.15 (12.15.1748)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.67.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows 10 Upgrade Assistant (1.4.9200.22175)

Add for printing

MALICIOUS
- Actions looks like stealing of personal data
  - main.exe.exe (PID: 5876)
SUSPICIOUS
- Loads Python modules
  - main.exe.exe (PID: 5876)
- Starts CMD.EXE for commands execution
  - main.exe.exe (PID: 5876)
- Uses WMIC.EXE to obtain Windows Installer data
  - cmd.exe (PID: 3776)
  - cmd.exe (PID: 6780)
  - cmd.exe (PID: 7068)
  - cmd.exe (PID: 2736)
- Executable content was dropped or overwritten
  - main.exe.exe (PID: 5876)
  - main.exe.exe (PID: 7148)
- Application launched itself
  - main.exe.exe (PID: 7148)
- Uses REG/REGEDIT.EXE to modify register
  - cmd.exe (PID: 2532)
  - cmd.exe (PID: 3428)
- Executing commands from a ".bat" file
  - main.exe.exe (PID: 5876)
- Uses NETSH.EXE to obtain data on the network
  - cmd.exe (PID: 2980)
  - cmd.exe (PID: 4436)
  - cmd.exe (PID: 6532)
- Checks for external IP
  - main.exe.exe (PID: 5876)
INFO
- Checks supported languages
  - main.exe.exe (PID: 7148)
  - main.exe.exe (PID: 5876)
- Reads the computer name
  - main.exe.exe (PID: 5876)
  - main.exe.exe (PID: 7148)
- Reads the machine GUID from the registry
  - main.exe.exe (PID: 5876)
- Checks proxy server information
  - main.exe.exe (PID: 5876)
- Creates files or folders in the user directory
  - main.exe.exe (PID: 5876)
- The process checks LSA protection
  - WMIC.exe (PID: 3560)
  - main.exe.exe (PID: 5876)
  - WMIC.exe (PID: 6600)
  - WMIC.exe (PID: 6580)
  - netsh.exe (PID: 7000)
  - netsh.exe (PID: 4068)
  - netsh.exe (PID: 6456)
  - slui.exe (PID: 5036)
  - WMIC.exe (PID: 3756)
- Create files in a temporary directory
  - main.exe.exe (PID: 5876)
  - main.exe.exe (PID: 7148)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

Subsystem:	Windows GUI
SubsystemVersion:	5.2
ImageVersion:	-
OSVersion:	5.2
EntryPoint:	0xb310
UninitializedDataSize:	-
InitializedDataSize:	154624
CodeSize:	165888
LinkerVersion:	14.34
PEType:	PE32+
ImageFileCharacteristics:	Executable, Large address aware
TimeStamp:	2023:04:11 19:36:21+00:00
MachineType:	AMD AMD64

Summary

Architecture:	IMAGE_FILE_MACHINE_AMD64
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	11-Apr-2023 19:36:21

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000100

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_AMD64
Number of sections:	7
Time date stamp:	11-Apr-2023 19:36:21
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00F0
Characteristics:	IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x00028800	0x00028800	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.48802
.rdata	0x0002A000	0x00012B16	0x00012C00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.82468
.data	0x0003D000	0x000103F8	0x00000E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	1.80969
.pdata	0x0004E000	0x000020C4	0x00002200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.2741
_RDATA	0x00051000	0x0000015C	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	2.80857
.rsrc	0x00052000	0x0000F498	0x0000F600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	7.55557
.reloc	0x00062000	0x00000758	0x00000800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	5.25766

Resources

Title	Entropy	Size	Codepage	Language	Type
0	2.71858	104	Latin 1 / Western European	UNKNOWN	RT_GROUP_ICON
1	5.28434	1417	Latin 1 / Western European	UNKNOWN	RT_MANIFEST
2	6.44895	2216	Latin 1 / Western European	UNKNOWN	RT_ICON
3	5.77742	1384	Latin 1 / Western European	UNKNOWN	RT_ICON
4	7.95095	38188	Latin 1 / Western European	UNKNOWN	RT_ICON
5	6.0521	9640	Latin 1 / Western European	UNKNOWN	RT_ICON
6	6.15081	4264	Latin 1 / Western European	UNKNOWN	RT_ICON
7	6.39466	1128	Latin 1 / Western European	UNKNOWN	RT_ICON

Imports


ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
USER32.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

160

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2008

C:\WINDOWS\system32\cmd.exe /c "ver"

C:\Windows\System32\cmd.exe

—

main.exe.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\ntdll.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

2156

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2532

C:\WINDOWS\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"

C:\Windows\System32\cmd.exe

—

main.exe.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

2736

C:\WINDOWS\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\cmd.exe

—

main.exe.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

2980

C:\WINDOWS\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\System32\cmd.exe

—

main.exe.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

3428

C:\WINDOWS\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\admin\AppData\Roaming\empyrean\run.bat /f"

C:\Windows\System32\cmd.exe

—

main.exe.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

3456

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3560

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\System32\wbem\WMIC.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

WMI Commandline Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\ntdll.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll

3756

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\System32\wbem\WMIC.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

WMI Commandline Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll

3776

C:\WINDOWS\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\cmd.exe

—

main.exe.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

3 820

Read events

3 820

Write events

Delete events

Modification events

No data

Add for printing

Executable files

178

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7148	main.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI71482\Crypto\Cipher\_chacha20.pyd		executable
		MD5:ED1BBDC7CC945DA2D1F5A914987EB885	SHA256:1EECE2F714DC1F520D0608F9F71E692F5B269930603F8AFC330118EA38F16005
7148	main.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI71482\Crypto\Cipher\_pkcs1_decode.pyd		executable
		MD5:3EFFD59CD95B6706C1F2DD661AA943FC	SHA256:4C29950A9EDEDBBC24A813F8178723F049A529605EF6D35F16C7955768AACE9E
7148	main.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI71482\Crypto\Cipher\_raw_aes.pyd		executable
		MD5:671100B821EB357CEB5A4C5FF86BC31A	SHA256:803E46354CDAB4AF6FF289E98DE9C56B5B08E3E9AD5F235D5A282005FA9F2D50
7148	main.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI71482\Crypto\Cipher\_ARC4.pyd		executable
		MD5:D9F2264898AAAA9EF6152A1414883D0F	SHA256:836CBA3B83B00427430FE6E1C4E45790616BC85C57DBD6E6D5B6930A9745B715
7148	main.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI71482\Crypto\Cipher\_raw_aesni.pyd		executable
		MD5:DCD2F68680E2FB83E9FEFA18C7B4B3E0	SHA256:D63F63985356B7D2E0E61E7968720FB72DC6B57D73BED4F337E372918078F946
7148	main.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI71482\Crypto\Cipher\_Salsa20.pyd		executable
		MD5:E3AE69E44C4C82D83082BBB8C25AA8DD	SHA256:4229235814BBEE62311E3623C07898B03D3B22281CD4E5F1A87B86450B1B740F
7148	main.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI71482\Crypto\Cipher\_raw_cbc.pyd		executable
		MD5:FE44F698198190DE574DC193A0E1B967	SHA256:32FA416A29802EB0017A2C7360BF942EDB132D4671168DE26BD4C3E94D8DE919
7148	main.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI71482\Crypto\Cipher\_raw_arc2.pyd		executable
		MD5:3F5FD606893B3DE6116D4A185E713CA3	SHA256:0898CDE5FCCFA86E2423CDF627A3745B1F59BB30DFEF0DD9423926D4167F9F82
7148	main.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI71482\Crypto\Cipher\_raw_cfb.pyd		executable
		MD5:FF64FD41B794E0EF76A9EEAE1835863C	SHA256:5D2D1A5F79B44F36AC87D9C6D886404D9BE35D1667C4B2EB8AAB59FB77BF8BAC
7148	main.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI71482\Crypto\Cipher\_raw_cast.pyd		executable
		MD5:243E336DEC71A28E7F61548A2425A2E1	SHA256:BF53063304119CF151F22809356B5B4E44799131BBAB5319736D0321F3012238

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5756	svchost.exe	GET	200	192.229.221.95:80	http://crl3.digicert.com/DigiCertGlobalRootCA.crl	US	der	779 b	whitelisted
5876	main.exe.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/45.134.22.85	unknown	binary	267 b	malicious
6692	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	der	418 b	whitelisted
5876	main.exe.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/45.134.22.85	unknown	binary	267 b	malicious
5876	main.exe.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/45.134.22.38	unknown	binary	267 b	malicious
6692	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	der	409 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4736	SearchApp.exe	2.16.186.203:443	—	Akamai International B.V.	DE	whitelisted
4568	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	suspicious
5756	svchost.exe	192.229.221.95:80	crl3.digicert.com	EDGECAST	US	whitelisted
5876	main.exe.exe	173.231.16.77:443	api.ipify.org	WEBNX	US	suspicious
5876	main.exe.exe	162.159.135.232:443	discord.com	CLOUDFLARENET	—	malicious
5876	main.exe.exe	185.199.111.133:443	raw.githubusercontent.com	FASTLY	US	suspicious
—	—	173.231.16.77:443	api.ipify.org	WEBNX	US	suspicious
5876	main.exe.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	malicious
—	—	192.229.221.95:80	crl3.digicert.com	EDGECAST	US	whitelisted
6692	SIHClient.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
officeclient.microsoft.com	52.109.20.82 52.109.32.24	whitelisted
api.ipify.org	173.231.16.77 64.185.227.155 104.237.62.211	shared
discord.com	162.159.135.232 162.159.128.233 162.159.136.232 162.159.137.232 162.159.138.232	whitelisted
raw.githubusercontent.com	185.199.111.133 185.199.108.133 185.199.110.133 185.199.109.133	shared
ip-api.com	208.95.112.1	malicious
crl3.digicert.com	192.229.221.95	whitelisted
slscr.update.microsoft.com	20.114.59.183	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
nexusrules.officeapps.live.com	52.109.8.44	whitelisted

Threats

PID	Process	Class	Message
—	—	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
5876	main.exe.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
5876	main.exe.exe	Potential Corporate Privacy Violation	AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
5876	main.exe.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
5876	main.exe.exe	Potential Corporate Privacy Violation	AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
5876	main.exe.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
5876	main.exe.exe	Potential Corporate Privacy Violation	AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
5876	main.exe.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
5876	main.exe.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)

Add for printing

No debug info

General Info

main.exe.exe

F3ECB621680AF3E86485E7EE7E1318CD

2D6660D031C4E6148D5F12E95BB97A004A653183

713804A0F338774B2D2AC9C2CB92AA2DEB5761B54B415510C7A91AD05060377B

196608:qB/lOqPnih8FXj+hYeB0sKYu/PaQgKDnO8NpHzgsAGKaRZtG7EMKtqlnG5Q0rGkI:PqPnLFCjQpDOETgsv/GIF6nt0kBk

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

SUSPICIOUS

Loads Python modules

Starts CMD.EXE for commands execution

Uses WMIC.EXE to obtain Windows Installer data

Executable content was dropped or overwritten

Application launched itself

Uses REG/REGEDIT.EXE to modify register

Executing commands from a ".bat" file

Uses NETSH.EXE to obtain data on the network

Checks for external IP

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Checks proxy server information

Creates files or folders in the user directory

The process checks LSA protection

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings