Malware analysis MRPQTGv98.1.exe Malicious activity | ANY.RUN

Add for printing

File name:	MRPQTGv98.1.exe
Full analysis:	https://app.any.run/tasks/8eab11ef-6e11-49af-902a-bdf6c2235118
Verdict:	Malicious activity
Analysis date:	August 24, 2019, 20:52:28
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (console) Intel 80386, for MS Windows
MD5:	43412619617A74B67EA734FA4C92CBC3
SHA1:	FA52B9D52F36BD032DA207B2C8B7EB28198A1532
SHA256:	9BF9CC8BB6106C9A8F1D104702BFF8089990EB344792941187D6281AE51CFF90
SSDEEP:	98304:TfxANV3yMPwRADRBXBBqjWwE7nmU0fzfJ4LXDbzfJ4LXD1szfJ4LXDj:TfxEBPWoxBwE7h0fzR4TXzR4T5szR4TX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - IsSSD.exe (PID: 3608)
  - BDTBT.exe (PID: 2656)
  - ChkValid.exe (PID: 2404)
  - ChkValid.exe (PID: 3020)
  - ChkValid.exe (PID: 2340)
  - ChkValid.exe (PID: 3888)
  - ChkValid.exe (PID: 3340)
  - ChkValid.exe (PID: 3428)
  - ChkValid.exe (PID: 3568)
  - Generic.exe (PID: 2640)
  - Generic.exe (PID: 3448)
  - Generic.exe (PID: 4008)
  - Generic.exe (PID: 3560)
  - Generic.exe (PID: 3740)
  - ChkValid.exe (PID: 2720)
  - ChkValid.exe (PID: 2956)
  - ChkValid.exe (PID: 2396)
  - ChkValid.exe (PID: 3296)
  - Generic.exe (PID: 3204)
  - Generic.exe (PID: 3680)
  - Generic.exe (PID: 3924)
  - ChkValid.exe (PID: 2244)
  - ChkValid.exe (PID: 2060)
- Executes PowerShell scripts
  - cmd.exe (PID: 2516)
SUSPICIOUS
- Reads Environment values
  - reg.exe (PID: 3584)
  - reg.exe (PID: 3464)
  - reg.exe (PID: 2524)
  - reg.exe (PID: 2052)
  - reg.exe (PID: 3972)
  - reg.exe (PID: 2992)
  - reg.exe (PID: 2316)
  - reg.exe (PID: 3724)
- Executable content was dropped or overwritten
  - MRPQTGv98.1.exe (PID: 2336)
  - cmd.exe (PID: 3392)
- Uses WMIC.EXE to obtain a system information
  - cmd.exe (PID: 3392)
  - cmd.exe (PID: 2704)
  - cmd.exe (PID: 3956)
  - cmd.exe (PID: 2396)
  - cmd.exe (PID: 2300)
  - cmd.exe (PID: 2788)
  - cmd.exe (PID: 2420)
  - cmd.exe (PID: 3960)
  - cmd.exe (PID: 2288)
  - cmd.exe (PID: 3472)
  - cmd.exe (PID: 1216)
  - cmd.exe (PID: 3652)
  - cmd.exe (PID: 3280)
  - cmd.exe (PID: 2908)
  - cmd.exe (PID: 2124)
  - cmd.exe (PID: 3408)
  - cmd.exe (PID: 2204)
  - cmd.exe (PID: 2252)
  - cmd.exe (PID: 3068)
  - cmd.exe (PID: 2388)
  - cmd.exe (PID: 2604)
  - cmd.exe (PID: 3676)
  - cmd.exe (PID: 2840)
  - cmd.exe (PID: 2552)
  - cmd.exe (PID: 3564)
  - cmd.exe (PID: 3236)
  - cmd.exe (PID: 3492)
  - cmd.exe (PID: 3364)
  - cmd.exe (PID: 3992)
  - cmd.exe (PID: 3500)
  - cmd.exe (PID: 2928)
  - cmd.exe (PID: 3780)
  - cmd.exe (PID: 3000)
  - cmd.exe (PID: 3884)
  - cmd.exe (PID: 3356)
  - cmd.exe (PID: 1640)
  - cmd.exe (PID: 3552)
  - cmd.exe (PID: 3496)
  - cmd.exe (PID: 3936)
  - cmd.exe (PID: 1440)
  - cmd.exe (PID: 2164)
  - cmd.exe (PID: 3624)
  - cmd.exe (PID: 3584)
  - cmd.exe (PID: 3656)
  - cmd.exe (PID: 3172)
  - cmd.exe (PID: 3568)
  - cmd.exe (PID: 3304)
  - cmd.exe (PID: 2580)
  - cmd.exe (PID: 704)
  - cmd.exe (PID: 2904)
  - cmd.exe (PID: 2720)
  - cmd.exe (PID: 4044)
  - cmd.exe (PID: 3648)
  - cmd.exe (PID: 2588)
  - cmd.exe (PID: 1876)
  - cmd.exe (PID: 3520)
  - cmd.exe (PID: 2892)
  - cmd.exe (PID: 2632)
  - cmd.exe (PID: 3720)
  - cmd.exe (PID: 2388)
  - cmd.exe (PID: 3292)
  - cmd.exe (PID: 3016)
  - cmd.exe (PID: 2224)
  - cmd.exe (PID: 2828)
  - cmd.exe (PID: 3040)
  - cmd.exe (PID: 3828)
  - cmd.exe (PID: 3688)
  - cmd.exe (PID: 2484)
  - cmd.exe (PID: 3072)
  - cmd.exe (PID: 4032)
  - cmd.exe (PID: 2944)
  - cmd.exe (PID: 2604)
  - cmd.exe (PID: 4076)
- Uses REG.EXE to modify Windows registry
  - cmd.exe (PID: 2776)
  - cmd.exe (PID: 2444)
  - cmd.exe (PID: 3140)
  - cmd.exe (PID: 3940)
  - cmd.exe (PID: 2776)
  - cmd.exe (PID: 3808)
  - cmd.exe (PID: 3336)
  - cmd.exe (PID: 3392)
  - cmd.exe (PID: 2128)
  - cmd.exe (PID: 4068)
  - cmd.exe (PID: 2668)
  - cmd.exe (PID: 2772)
  - cmd.exe (PID: 2764)
  - cmd.exe (PID: 3488)
  - cmd.exe (PID: 2384)
  - cmd.exe (PID: 3408)
  - cmd.exe (PID: 3844)
  - cmd.exe (PID: 3468)
  - cmd.exe (PID: 4060)
  - cmd.exe (PID: 3752)
  - cmd.exe (PID: 3056)
  - cmd.exe (PID: 3312)
  - cmd.exe (PID: 3988)
  - cmd.exe (PID: 3624)
  - cmd.exe (PID: 3776)
  - cmd.exe (PID: 2264)
  - cmd.exe (PID: 2704)
  - cmd.exe (PID: 3668)
  - cmd.exe (PID: 2836)
  - cmd.exe (PID: 3432)
  - cmd.exe (PID: 2852)
  - cmd.exe (PID: 3064)
  - cmd.exe (PID: 2440)
  - cmd.exe (PID: 2596)
  - cmd.exe (PID: 2840)
  - cmd.exe (PID: 3536)
  - cmd.exe (PID: 2428)
  - cmd.exe (PID: 2260)
  - cmd.exe (PID: 2980)
  - cmd.exe (PID: 3600)
  - cmd.exe (PID: 4080)
  - cmd.exe (PID: 504)
  - cmd.exe (PID: 2436)
  - cmd.exe (PID: 2820)
  - cmd.exe (PID: 4064)
  - cmd.exe (PID: 2300)
  - cmd.exe (PID: 3616)
  - cmd.exe (PID: 3480)
  - cmd.exe (PID: 2952)
  - cmd.exe (PID: 3028)
  - cmd.exe (PID: 3076)
  - cmd.exe (PID: 3636)
  - cmd.exe (PID: 3324)
  - cmd.exe (PID: 4024)
  - cmd.exe (PID: 3372)
  - cmd.exe (PID: 2216)
  - cmd.exe (PID: 3384)
  - cmd.exe (PID: 2796)
  - cmd.exe (PID: 2304)
  - cmd.exe (PID: 2780)
  - cmd.exe (PID: 3320)
  - cmd.exe (PID: 3216)
  - cmd.exe (PID: 3500)
  - cmd.exe (PID: 3896)
  - cmd.exe (PID: 1260)
  - cmd.exe (PID: 3076)
  - cmd.exe (PID: 3728)
  - cmd.exe (PID: 3548)
  - cmd.exe (PID: 4024)
  - cmd.exe (PID: 2444)
  - cmd.exe (PID: 2724)
  - cmd.exe (PID: 2992)
  - cmd.exe (PID: 3008)
  - cmd.exe (PID: 2808)
  - cmd.exe (PID: 3196)
  - cmd.exe (PID: 1428)
  - cmd.exe (PID: 2428)
  - cmd.exe (PID: 3440)
  - cmd.exe (PID: 2328)
  - cmd.exe (PID: 2856)
  - cmd.exe (PID: 3716)
  - cmd.exe (PID: 2708)
  - cmd.exe (PID: 2368)
  - cmd.exe (PID: 3864)
  - cmd.exe (PID: 3224)
  - cmd.exe (PID: 3692)
  - cmd.exe (PID: 2400)
  - cmd.exe (PID: 2520)
  - cmd.exe (PID: 3144)
  - cmd.exe (PID: 2496)
  - cmd.exe (PID: 2948)
  - cmd.exe (PID: 2616)
  - cmd.exe (PID: 2220)
  - cmd.exe (PID: 4008)
- Starts CMD.EXE for commands execution
  - MRPQTGv98.1.exe (PID: 2336)
  - cmd.exe (PID: 3392)
  - cmd.exe (PID: 3932)
  - cmd.exe (PID: 2340)
  - cmd.exe (PID: 2372)
  - cmd.exe (PID: 3332)
  - cmd.exe (PID: 1260)
  - cmd.exe (PID: 3088)
  - cmd.exe (PID: 3368)
- Uses ATTRIB.EXE to modify file attributes
  - cmd.exe (PID: 3392)
- Application launched itself
  - cmd.exe (PID: 3392)
- Starts SC.EXE for service management
  - cmd.exe (PID: 3392)
- Uses WMIC.EXE to obtain a list of AntiViruses
  - cmd.exe (PID: 3392)
- Executes scripts
  - cmd.exe (PID: 3392)
  - cmd.exe (PID: 3744)
  - cmd.exe (PID: 2976)
  - cmd.exe (PID: 2792)
  - cmd.exe (PID: 3456)
  - cmd.exe (PID: 2736)
  - cmd.exe (PID: 3020)
  - cmd.exe (PID: 3700)
- Uses WMIC.EXE to obtain a list of video controllers
  - cmd.exe (PID: 3392)
  - cmd.exe (PID: 3364)
- Reads the BIOS version
  - reg.exe (PID: 3920)
  - reg.exe (PID: 3096)
  - reg.exe (PID: 3928)
  - reg.exe (PID: 3412)
- Creates files in the user directory
  - powershell.exe (PID: 3432)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductVersion:	2. 0. 1. 9
ProductName:	OEM Query Tool For MRP
LegalCopyright:	MRP
FileVersion:	2. 0. 1. 9
FileDescription:	Query Tool
CompanyName:	MRP
Comments:	Computer Query Tool For MRP
CharacterSet:	Windows, Latin1
LanguageCode:	Neutral
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	2.0.1.9
FileVersionNumber:	2.0.1.9
Subsystem:	Windows command line
SubsystemVersion:	5
ImageVersion:	-
OSVersion:	5
EntryPoint:	0xcb10
UninitializedDataSize:	-
InitializedDataSize:	6590464
CodeSize:	64512
LinkerVersion:	9
PEType:	PE32
TimeStamp:	2011:12:22 14:26:47+01:00
MachineType:	Intel 386 or later, and compatibles

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

646

Monitored processes

610

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3792	"C:\Users\admin\AppData\Local\Temp\MRPQTGv98.1.exe"	C:\Users\admin\AppData\Local\Temp\MRPQTGv98.1.exe	—	explorer.exe
User: admin Company: MRP Integrity Level: MEDIUM Description: Query Tool Exit code: 3221226540 Version: 2. 0. 1. 9
2336	"C:\Users\admin\AppData\Local\Temp\MRPQTGv98.1.exe"	C:\Users\admin\AppData\Local\Temp\MRPQTGv98.1.exe		explorer.exe
User: admin Company: MRP Integrity Level: HIGH Description: Query Tool Version: 2. 0. 1. 9
3392	cmd /c ""C:\Users\admin\AppData\Local\Temp\MRP_QT\MRP-QT2-Fread.cmd""	C:\Windows\system32\cmd.exe		MRPQTGv98.1.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3756	mode con cols=90 lines=23	C:\Windows\System32\mode.com	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: DOS Device MODE Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2128	C:\Windows\system32\cmd.exe /c C:\Windows\System32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" 2>nul	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2420	C:\Windows\System32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled"	C:\Windows\System32\reg.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2832	wmic process get processid,parentprocessid,executablepath	C:\Windows\System32\Wbem\WMIC.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2960	findstr /I "Powershell"	C:\Windows\System32\findstr.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Find String (QGREP) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3980	wmic process get processid,parentprocessid,executablepath	C:\Windows\System32\Wbem\WMIC.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
4028	findstr /I "CMD"	C:\Windows\System32\findstr.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

3 750

Read events

3 695

Write events

Delete events

Modification events


(PID) Process:	(3432) powershell.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

Add for printing

Executable files

Suspicious files

Text files

365

Unknown types

Dropped files

PID	Process	Filename		Type
2336	MRPQTGv98.1.exe	C:\Users\admin\AppData\Local\Temp\MRP_QT\GetInstDate.vbs		text
		MD5:FEBA92D494D7E1C49A869386C470BB1D	SHA256:115DBCB99A2ECC9842E8BA5B772D28DB6FA157141B38A1F12036AD020B79BEDE
2336	MRPQTGv98.1.exe	C:\Users\admin\AppData\Local\Temp\MRP_QT\pkconfig.ini		text
		MD5:6FCCC532651F434A0AFFCC458AF5A080	SHA256:A930972AA7C75E05A87068DD8F85226B1F2999F5A206B2CF7B23C0F2301EEE6F
2336	MRPQTGv98.1.exe	C:\Users\admin\AppData\Local\Temp\MRP_QT\Generic_4.exe		executable
		MD5:9FEB2B5E667B34D220DB3E774A31946D	SHA256:617B441C97BD97AEB01FF0C6D8F8DC4B3626716F0B75F889F620E2B2E95CB750
2336	MRPQTGv98.1.exe	C:\Users\admin\AppData\Local\Temp\MRP_QT\NewSKU.ini		text
		MD5:C13AA712BB85F528FCBE465BED113936	SHA256:78FD535845C3C48CB10094DF58CCE7A916FE90A9BD418D49E2789BD0FAD4147A
2336	MRPQTGv98.1.exe	C:\Users\admin\AppData\Local\Temp\MRP_QT\RCodes.ini		text
		MD5:ACD915F5093289E8A8D0765800450DE3	SHA256:4662FDF052C540DA861371BACF0704B9190A6E7EFF4E60F320904D9DF3321B55
2336	MRPQTGv98.1.exe	C:\Users\admin\AppData\Local\Temp\MRP_QT\KeyInfo.exe		executable
		MD5:0B1B2C91E1E55B506FDFDAA57E705506	SHA256:4BCCF0A5F92AE7D558BC6AAF46893557CB3FBFE0C3E52BD1848F8539D707D7D9
2336	MRPQTGv98.1.exe	C:\Users\admin\AppData\Local\Temp\MRP_QT\BDTBT.exe		executable
		MD5:1DB1EAB663363D484EF7C6C2F8EDD7A6	SHA256:9FD28B97864EBBAABBD3C3F9C5A46F8EFC963ED5E90EBAAA2457AFA8112807C4
2336	MRPQTGv98.1.exe	C:\Users\admin\AppData\Local\Temp\MRP_QT\Generic_2.exe		executable
		MD5:99022B783EF7C73C93C1DFA1AC630CAC	SHA256:78C8CCB562EE0290C63A91C48107CB79AB5CD1D7F6D058688338D1E6190F0E58
2336	MRPQTGv98.1.exe	C:\Users\admin\AppData\Local\Temp\MRP_QT\QTOEMTest.ini		text
		MD5:46B14823C1A98A166A6E3841100D12DD	SHA256:F28073FF06C667D658E10A5AB84452E00C222799D8FF112EFFCA392AD2BE8732
2336	MRPQTGv98.1.exe	C:\Users\admin\AppData\Local\Temp\MRP_QT\QueryDisks.vbs		text
		MD5:FC9F70A8D5353786E792DC7AC76C9574	SHA256:63EC86F3397FCB381BE76BD9D4E5F85969D7731AF26A5F04A9FDCA008BDF0424

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

MRPQTGv98.1.exe

43412619617A74B67EA734FA4C92CBC3

FA52B9D52F36BD032DA207B2C8B7EB28198A1532

9BF9CC8BB6106C9A8F1D104702BFF8089990EB344792941187D6281AE51CFF90

98304:TfxANV3yMPwRADRBXBBqjWwE7nmU0fzfJ4LXDbzfJ4LXD1szfJ4LXDj:TfxEBPWoxBwE7h0fzR4TXzR4T5szR4TX

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Executes PowerShell scripts

SUSPICIOUS

Reads Environment values

Executable content was dropped or overwritten

Uses WMIC.EXE to obtain a system information

Uses REG.EXE to modify Windows registry

Starts CMD.EXE for commands execution

Uses ATTRIB.EXE to modify file attributes

Application launched itself

Starts SC.EXE for service management

Uses WMIC.EXE to obtain a list of AntiViruses

Executes scripts

Uses WMIC.EXE to obtain a list of video controllers

Reads the BIOS version

Creates files in the user directory

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings