Malware analysis https://www.instaluj.cz/malwarebytes-anti-malware-premium Malicious activity

Add for printing

URL:	https://www.instaluj.cz/malwarebytes-anti-malware-premium
Full analysis:	https://app.any.run/tasks/3e2062b1-5f56-4ab1-9ab2-f953c90b3ce4
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. Agent Tesla ist eine Spyware, die Informationen über die Aktionen ihrer Opfer sammelt, indem sie Tastatureingaben und Benutzerinteraktionen aufzeichnet. Sie wird auf der speziellen Website, auf der diese Malware verkauft wird, fälschlicherweise als legitime Software vermarktet. A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 15, 2025, 18:50:08
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	stealer connectwise rmm-tool keylogger agenttesla
Indicators:
MD5:	6567F0C0BD9786C94E8D0719851F3795
SHA1:	166D467B89EC46410B17F1E12933CC52B0EE4FEC
SHA256:	9F5EF26F613A47C0F1EB37555A9D02AB0BD02BD84703BF0AE8DB79801F1A5A88
SSDEEP:	3:N8DSLNRvzCTWIn:2OLDvuKIn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Actions looks like stealing of personal data
  - MBAMService.exe (PID: 7524)
- Antivirus name has been found in the command line (generic signature)
  - mbam.exe (PID: 6960)
- Steals credentials from Web Browsers
  - MBAMService.exe (PID: 7524)
- AGENTTESLA is detected
  - MBAMService.exe (PID: 7524)
SUSPICIOUS
- Reads the BIOS version
  - MBSetup.exe (PID: 2240)
  - MBAMService.exe (PID: 7524)
  - mbupdatrV5.exe (PID: 4380)
- Creates files in the driver directory
  - MBSetup.exe (PID: 2240)
  - MBAMInstallerService.exe (PID: 7916)
  - MBAMService.exe (PID: 1088)
  - MBAMService.exe (PID: 7524)
- Searches for installed software
  - MBSetup.exe (PID: 2240)
  - MBAMInstallerService.exe (PID: 7916)
  - MBAMService.exe (PID: 7524)
- The process verifies whether the antivirus software is installed
  - MBSetup.exe (PID: 2240)
  - MBAMService.exe (PID: 1088)
  - MBAMService.exe (PID: 7524)
  - MBAMWsc.exe (PID: 5744)
  - mbamtray.exe (PID: 684)
  - MBAMWsc.exe (PID: 7048)
  - mbupdatrV5.exe (PID: 4380)
  - mbam.exe (PID: 6960)
  - MBAMInstallerService.exe (PID: 7916)
- Executable content was dropped or overwritten
  - MBSetup.exe (PID: 2240)
  - MBAMInstallerService.exe (PID: 7916)
  - MBAMService.exe (PID: 1088)
  - MBAMService.exe (PID: 7524)
- Drops 7-zip archiver for unpacking
  - MBAMInstallerService.exe (PID: 7916)
- Drops a system driver (possible attempt to evade defenses)
  - MBAMInstallerService.exe (PID: 7916)
  - MBAMService.exe (PID: 1088)
  - MBAMService.exe (PID: 7524)
- Process drops legitimate windows executable
  - MBAMInstallerService.exe (PID: 7916)
  - MBAMService.exe (PID: 7524)
- The process drops C-runtime libraries
  - MBAMInstallerService.exe (PID: 7916)
- Adds/modifies Windows certificates
  - MBAMInstallerService.exe (PID: 7916)
  - MBAMService.exe (PID: 7524)
- Changes Internet Explorer settings (feature browser emulation)
  - MBAMInstallerService.exe (PID: 7916)
- Creates or modifies Windows services
  - MBAMService.exe (PID: 1088)
  - MBAMService.exe (PID: 7524)
- Executes as Windows Service
  - MBAMService.exe (PID: 7524)
  - MBAMInstallerService.exe (PID: 7916)
- Creates/Modifies COM task schedule object
  - MBAMService.exe (PID: 7524)
- Reads security settings of Internet Explorer
  - MBAMService.exe (PID: 7524)
  - ig.exe (PID: 4812)
  - mbamtray.exe (PID: 684)
  - mbam.exe (PID: 6960)
- Creates file in the systems drive root
  - mbam.exe (PID: 6960)
- There is functionality for taking screenshot (YARA)
  - mbamtray.exe (PID: 684)
- Detected use of alternative data streams (AltDS)
  - mbam.exe (PID: 6960)
- Reads the date of Windows installation
  - mbam.exe (PID: 6960)
- Starts application from unusual location
  - MBAMService.exe (PID: 7524)
- Read startup parameters
  - MBAMService.exe (PID: 7524)
INFO
- Application launched itself
  - chrome.exe (PID: 1760)
- Executable content was dropped or overwritten
  - chrome.exe (PID: 1760)
- The sample compiled with english language support
  - chrome.exe (PID: 1760)
  - MBSetup.exe (PID: 2240)
  - MBAMInstallerService.exe (PID: 7916)
  - MBAMService.exe (PID: 1088)
  - MBAMService.exe (PID: 7524)
- Create files in a temporary directory
  - MBSetup.exe (PID: 2240)
  - mbam.exe (PID: 6960)
- Checks supported languages
  - MBSetup.exe (PID: 2240)
  - MBAMInstallerService.exe (PID: 7916)
  - MBAMService.exe (PID: 1088)
  - MBAMService.exe (PID: 7524)
  - ig.exe (PID: 4812)
  - MBAMWsc.exe (PID: 5744)
  - mbamtray.exe (PID: 684)
  - mbam.exe (PID: 6960)
  - MBAMWsc.exe (PID: 7048)
  - mbupdatrV5.exe (PID: 4380)
- Reads the computer name
  - MBSetup.exe (PID: 2240)
  - MBAMInstallerService.exe (PID: 7916)
  - MBAMService.exe (PID: 1088)
  - MBAMService.exe (PID: 7524)
  - MBAMWsc.exe (PID: 5744)
  - mbamtray.exe (PID: 684)
  - mbupdatrV5.exe (PID: 4380)
- Reads the machine GUID from the registry
  - MBSetup.exe (PID: 2240)
  - MBAMInstallerService.exe (PID: 7916)
  - MBAMService.exe (PID: 7524)
  - mbupdatrV5.exe (PID: 4380)
- Creates files in the program directory
  - MBSetup.exe (PID: 2240)
  - MBAMInstallerService.exe (PID: 7916)
  - MBAMService.exe (PID: 7524)
  - mbupdatrV5.exe (PID: 4380)
- Checks proxy server information
  - MBSetup.exe (PID: 2240)
  - slui.exe (PID: 7884)
  - mbamtray.exe (PID: 684)
  - mbam.exe (PID: 6960)
- Reads the software policy settings
  - MBSetup.exe (PID: 2240)
  - MBAMInstallerService.exe (PID: 7916)
  - slui.exe (PID: 7792)
  - slui.exe (PID: 7884)
  - MBAMService.exe (PID: 7524)
- The sample compiled with spanish language support
  - MBAMInstallerService.exe (PID: 7916)
- Reads the time zone
  - MBAMService.exe (PID: 7524)
- Reads CPU info
  - MBAMService.exe (PID: 7524)
- Reads Environment values
  - MBAMService.exe (PID: 7524)
- CONNECTWISE has been detected
  - MBAMService.exe (PID: 7524)
- Creates files or folders in the user directory
  - mbamtray.exe (PID: 684)
  - mbam.exe (PID: 6960)
- Manual execution by a user
  - mbam.exe (PID: 6960)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

180

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

684

"C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"

C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe

MBAMService.exe

User:

admin

Company:

Malwarebytes

Integrity Level:

MEDIUM

Description:

Malwarebytes Tray Application

Version:

4.0.0.1750

Modules

Images
c:\program files\malwarebytes\anti-malware\mbamtray.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1088

"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

MBAMInstallerService.exe

User:

SYSTEM

Company:

Malwarebytes

Integrity Level:

SYSTEM

Description:

Malwarebytes Service

Exit code:

Version:

3.2.0.1314

Modules

Images
c:\program files\malwarebytes\anti-malware\mbamservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll

1760

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disk-cache-dir=null --disk-cache-size=1 --media-cache-size=1 --disable-gpu-shader-disk-cache --disable-background-networking --disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints "https://www.instaluj.cz/malwarebytes-anti-malware-premium"

C:\Program Files\Google\Chrome\Application\chrome.exe

explorer.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2240

"C:\Users\admin\Downloads\MBSetup.exe"

C:\Users\admin\Downloads\MBSetup.exe

chrome.exe

User:

admin

Company:

Malwarebytes

Integrity Level:

HIGH

Description:

Malwarebytes Setup

Exit code:

Version:

4.5.34.347

Modules

Images
c:\users\admin\downloads\mbsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll

2320

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=122.0.6261.70 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ffc8830dc40,0x7ffc8830dc4c,0x7ffc8830dc58

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2384

ig.exe reseed

C:\Program Files\Malwarebytes\Anti-Malware\ig.exe

—

MBAMService.exe

User:

admin

Company:

MalwareBytes

Integrity Level:

LOW

Description:

Malware Scanner

Exit code:

16711680

Version:

1.0.4.8

Modules

Images
c:\program files\malwarebytes\anti-malware\ig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

2392

"C:\Users\admin\Downloads\MBSetup.exe"

C:\Users\admin\Downloads\MBSetup.exe

—

chrome.exe

User:

admin

Company:

Malwarebytes

Integrity Level:

MEDIUM

Description:

Malwarebytes Setup

Exit code:

3221226540

Version:

4.5.34.347

Modules

Images
c:\users\admin\downloads\mbsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

3096

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5288 --field-trial-handle=1916,i,12222001880830628917,10693002999977549082,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

4380

"C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\updatrpkg\mbupdatrV5.exe" "C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\config\UpdateControllerConfig.json" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbclsupdate\staging" /db:dbupdate /su:no

C:\ProgramData\Malwarebytes\MBAMService\updatrpkg\mbupdatrV5.exe

—

MBAMService.exe

User:

SYSTEM

Company:

Malwarebytes

Integrity Level:

SYSTEM

Description:

Malwarebytes Component Updater

Exit code:

Version:

3.1.0.510

Modules

Images
c:\programdata\malwarebytes\mbamservice\updatrpkg\mbupdatrv5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll

4812

ig.exe secure

C:\Users\admin\AppData\LocalLow\IGDump\sec\ig.exe

—

MBAMService.exe

User:

admin

Company:

MalwareBytes

Integrity Level:

LOW

Description:

Malware Scanner

Exit code:

3235811341

Version:

1.0.4.8

Modules

Images
c:\program files\malwarebytes\anti-malware\ig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

305 106

Read events

304 155

Write events

913

Delete events

Modification events


(PID) Process:	(1760) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(1760) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(1760) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(1760) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(1760) chrome.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	write	Name:	usagestats
Value: 0
(PID) Process:	(7944) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:	write	Name:	{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value: 010000000000000026975D4237AEDB01
(PID) Process:	(2240) MBSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes
Operation:	write	Name:	id
Value: e736bf3e799440b4b983e93b2d181dbc
(PID) Process:	(2240) MBSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Malwarebytes
Operation:	write	Name:	id
Value: e736bf3e799440b4b983e93b2d181dbc
(PID) Process:	(2240) MBSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\mbamtestkey
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(1760) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 1

Add for printing

Executable files

336

Suspicious files

570

Text files

1 134

Unknown types

Dropped files

PID	Process	Filename		Type
1760	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF10c323.TMP		—
		MD5:—	SHA256:—
1760	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF10c323.TMP		—
		MD5:—	SHA256:—
1760	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF10c323.TMP		—
		MD5:—	SHA256:—
1760	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old		—
		MD5:—	SHA256:—
1760	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
1760	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
1760	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF10c323.TMP		—
		MD5:—	SHA256:—
1760	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF10c332.TMP		—
		MD5:—	SHA256:—
1760	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
1760	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF10c323.TMP		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

183

DNS requests

152

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.48.23.173:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.48.23.173:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
8076	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
8076	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7524	MBAMService.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAYsPEaBY%2BtRPgLpmSJnQ9Y%3D	unknown	—	—	whitelisted
7524	MBAMService.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
7524	MBAMService.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
7524	MBAMService.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAc2N7ckVHzYR6z9KGYqXls%3D	unknown	—	—	whitelisted
7524	MBAMService.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTjzY2p9Pa8oibmj%2BNSMWsz63kmWgQUuhbZbU2FL3MpdpovdYxqII%2BeyG8CEAuuZrxaun%2BVh8b56QTjMwQ%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.48.23.173:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	23.48.23.173:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1760	chrome.exe	239.255.255.250:1900	—	—	—	whitelisted
7248	chrome.exe	185.59.208.192:443	www.instaluj.cz	VSHosting s.r.o.	CZ	whitelisted
7248	chrome.exe	108.177.14.84:443	accounts.google.com	GOOGLE	US	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.185.78	whitelisted
crl.microsoft.com	23.48.23.173 23.48.23.147 23.48.23.143 23.48.23.176 23.48.23.166 23.48.23.145 23.48.23.177 184.24.77.7 184.24.77.12 184.24.77.37 184.24.77.35 184.24.77.38 184.24.77.11 184.24.77.42	whitelisted
www.instaluj.cz	185.59.208.192	whitelisted
accounts.google.com	108.177.14.84	whitelisted
client.wns.windows.com	172.211.123.248 172.211.123.250	whitelisted
www.googletagmanager.com	142.250.185.168	whitelisted
www.google.com	172.217.16.196	whitelisted
pagead2.googlesyndication.com	172.217.16.130	whitelisted
fundingchoicesmessages.google.com	142.250.184.238	whitelisted
www.facebook.com	157.240.252.35	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

https://www.instaluj.cz/malwarebytes-anti-malware-premium

6567F0C0BD9786C94E8D0719851F3795

166D467B89EC46410B17F1E12933CC52B0EE4FEC

9F5EF26F613A47C0F1EB37555A9D02AB0BD02BD84703BF0AE8DB79801F1A5A88

3:N8DSLNRvzCTWIn:2OLDvuKIn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Antivirus name has been found in the command line (generic signature)

Steals credentials from Web Browsers

AGENTTESLA is detected

SUSPICIOUS

Reads the BIOS version

Creates files in the driver directory

Searches for installed software

The process verifies whether the antivirus software is installed

Executable content was dropped or overwritten

Drops 7-zip archiver for unpacking

Drops a system driver (possible attempt to evade defenses)

Process drops legitimate windows executable

The process drops C-runtime libraries

Adds/modifies Windows certificates

Changes Internet Explorer settings (feature browser emulation)

Creates or modifies Windows services

Executes as Windows Service

Creates/Modifies COM task schedule object

Reads security settings of Internet Explorer

Creates file in the systems drive root

There is functionality for taking screenshot (YARA)

Detected use of alternative data streams (AltDS)

Reads the date of Windows installation

Starts application from unusual location

Read startup parameters

INFO

Application launched itself

Executable content was dropped or overwritten

The sample compiled with english language support

Create files in a temporary directory

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Creates files in the program directory

Checks proxy server information

Reads the software policy settings

The sample compiled with spanish language support

Reads the time zone

Reads CPU info

Reads Environment values

CONNECTWISE has been detected

Creates files or folders in the user directory

Manual execution by a user

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information