Malware analysis HitmanPro.exe Malicious activity | ANY.RUN

Add for printing

File name:	HitmanPro.exe
Full analysis:	https://app.any.run/tasks/98f54bb5-9191-484e-ae5b-fe6f8897b4b4
Verdict:	Malicious activity
Threats:	njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. njRAT ist ein Trojaner für den Fernzugriff. Es handelt sich um einen der am weitesten verbreiteten RATs auf dem Markt, der eine Fülle von Bildungsinformationen bietet. Interessierte Angreifer können sogar Tutorials auf YouTube finden. Dies macht ihn zu einem der beliebtesten RATs der Welt. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	December 13, 2023, 20:26:15
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	rat njrat bladabindi remote
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	B84E2AFEB7244F937FCAFAB3B370AD33
SHA1:	59161AA7ECAE65873602B7B4AF2C3775BA8ACF1E
SHA256:	A6812FD8220DBB68939414E3A8F9D7BE24DC7BC2EC190A841723C01C8EDD2C12
SSDEEP:	98304:LfLIQ/0hFPfUG8UOCn9wNB7plQR04lVIOmweMibgzSQcyyXe6w24HBJcMxUsT/Gj:LmgcuW6osKe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.100 (8.100)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - HitmanPro.exe (PID: 1864)
  - cispro_installer.exe (PID: 3028)
  - 360cse_official_13.5.2044.0.exe (PID: 1036)
  - cav_installer.exe (PID: 2220)
  - chromodosetup.exe (PID: 1860)
  - CocCocSetup.exe (PID: 2444)
  - SignalSetup.exe (PID: 4036)
  - adawaresafebrowser.exe (PID: 3108)
  - avg_secure_browser_setup.exe (PID: 3296)
  - Aol_Shield.exe (PID: 3312)
  - Bitwarden-Installer-2023.12.0.exe (PID: 2908)
  - icedragonsetup.exe (PID: 3384)
  - ciscomplete_installer.exe (PID: 900)
  - ccleaner_browser_setup.exe (PID: 1296)
  - Yandex.exe (PID: 3668)
  - dragonsetup.exe (PID: 2912)
  - Skype-8.110.0.218.exe (PID: 3516)
  - setup-volga.exe (PID: 3664)
  - ccav_installer.exe (PID: 3040)
  - getscreen.exe (PID: 1420)
  - Firefox Setup 115.5.0esr.exe (PID: 3348)
  - avast_secure_browser_setup.exe (PID: 3876)
  - cfw_installer.exe (PID: 2448)
  - ccsetup619.exe (PID: 2248)
- NjRAT is detected
  - avira_ru_asu80.exe (PID: 3472)
  - mpam-feX64.exe (PID: 1904)
  - GlassWireSetup.exe (PID: 3860)
  - AutoLogger.exe (PID: 2112)
  - Windows10Upgrade9252.exe (PID: 2116)
  - eset_nod32_antivirus_live_installer.exe (PID: 1376)
  - getsusp64.exe (PID: 1032)
  - zafwSetupWeb_158_213_19411.exe (PID: 3888)
  - Teams_windows_x64.exe (PID: 3164)
  - cispremium_installer.exe (PID: 3704)
  - ZoomInstaller.exe (PID: 3956)
  - norton_secure_browser_setup.exe (PID: 1928)
  - Pro32 Getscreen Dashboard (beta) Setup.exe (PID: 3620)
  - kaspersky4win202121.15.8.493ru_42131.exe (PID: 1600)
  - compass-win.exe (PID: 3720)
  - Sandboxie-Plus-x64-v1.12.3.exe (PID: 2676)
  - 360TS_Setup_Mini.exe (PID: 296)
  - Disk-O_setup.exe (PID: 328)
  - Ashampoo Backup 2023.exe (PID: 904)
  - adguardInstaller.exe (PID: 1952)
  - AnyDesk.exe (PID: 1028)
  - rcsetup153.exe (PID: 2392)
  - dpsetup_en.exe (PID: 2260)
- NJRAT has been detected (YARA)
  - avira_ru_asu80.exe (PID: 3472)
  - setup_1.0.5.1360.exe (PID: 3484)
  - adguardInstaller.exe (PID: 1952)
  - cispremium_installer.exe (PID: 3704)
  - 360TS_Setup_Mini.exe (PID: 296)
  - Pro32 Getscreen Dashboard (beta) Setup.exe (PID: 3620)
  - rcsetup153.exe (PID: 2392)
  - AutoLogger.exe (PID: 2112)
  - Ashampoo Backup 2023.exe (PID: 904)
  - GlassWireSetup.exe (PID: 3860)
  - Sandboxie-Plus-x64-v1.12.3.exe (PID: 2676)
  - dpsetup_en.exe (PID: 2260)
  - ZoomInstaller.exe (PID: 3956)
- NJRAT has been detected (SURICATA)
  - cispremium_installer.exe (PID: 3704)
  - AutoLogger.exe (PID: 2112)
  - kaspersky4win202121.15.8.493ru_42131.exe (PID: 1600)
  - mpam-feX64.exe (PID: 1904)
  - norton_secure_browser_setup.exe (PID: 1928)
  - getsusp64.exe (PID: 1032)
  - avira_ru_asu80.exe (PID: 3472)
  - GlassWireSetup.exe (PID: 3860)
  - Pro32 Getscreen Dashboard (beta) Setup.exe (PID: 3620)
  - Windows10Upgrade9252.exe (PID: 2116)
  - zafwSetupWeb_158_213_19411.exe (PID: 3888)
  - Sandboxie-Plus-x64-v1.12.3.exe (PID: 2676)
  - 360TS_Setup_Mini.exe (PID: 296)
  - eset_nod32_antivirus_live_installer.exe (PID: 1376)
  - setup_1.0.5.1360.exe (PID: 3484)
  - compass-win.exe (PID: 3720)
  - Disk-O_setup.exe (PID: 328)
  - ZoomInstaller.exe (PID: 3956)
  - adguardInstaller.exe (PID: 1952)
  - Teams_windows_x64.exe (PID: 3164)
  - AnyDesk.exe (PID: 1028)
  - rcsetup153.exe (PID: 2392)
  - dpsetup_en.exe (PID: 2260)
  - Ashampoo Backup 2023.exe (PID: 904)
- Connects to the CnC server
  - GlassWireSetup.exe (PID: 3860)
  - kaspersky4win202121.15.8.493ru_42131.exe (PID: 1600)
  - mpam-feX64.exe (PID: 1904)
  - norton_secure_browser_setup.exe (PID: 1928)
  - Pro32 Getscreen Dashboard (beta) Setup.exe (PID: 3620)
  - getsusp64.exe (PID: 1032)
  - cispremium_installer.exe (PID: 3704)
  - AutoLogger.exe (PID: 2112)
  - setup_1.0.5.1360.exe (PID: 3484)
  - Windows10Upgrade9252.exe (PID: 2116)
  - zafwSetupWeb_158_213_19411.exe (PID: 3888)
  - Sandboxie-Plus-x64-v1.12.3.exe (PID: 2676)
  - compass-win.exe (PID: 3720)
  - Disk-O_setup.exe (PID: 328)
  - 360TS_Setup_Mini.exe (PID: 296)
  - eset_nod32_antivirus_live_installer.exe (PID: 1376)
  - avira_ru_asu80.exe (PID: 3472)
  - AnyDesk.exe (PID: 1028)
  - rcsetup153.exe (PID: 2392)
  - dpsetup_en.exe (PID: 2260)
  - Ashampoo Backup 2023.exe (PID: 904)
  - ZoomInstaller.exe (PID: 3956)
  - adguardInstaller.exe (PID: 1952)
  - Teams_windows_x64.exe (PID: 3164)
SUSPICIOUS
- Reads the Internet Settings
  - HitmanPro.exe (PID: 1864)
  - cispro_installer.exe (PID: 3028)
  - 360cse_official_13.5.2044.0.exe (PID: 1036)
  - cav_installer.exe (PID: 2220)
  - chromodosetup.exe (PID: 1860)
  - CocCocSetup.exe (PID: 2444)
  - SignalSetup.exe (PID: 4036)
  - adawaresafebrowser.exe (PID: 3108)
  - avg_secure_browser_setup.exe (PID: 3296)
  - Aol_Shield.exe (PID: 3312)
  - Bitwarden-Installer-2023.12.0.exe (PID: 2908)
  - icedragonsetup.exe (PID: 3384)
  - ciscomplete_installer.exe (PID: 900)
  - ccleaner_browser_setup.exe (PID: 1296)
  - Yandex.exe (PID: 3668)
  - dragonsetup.exe (PID: 2912)
  - Skype-8.110.0.218.exe (PID: 3516)
  - setup-volga.exe (PID: 3664)
  - ccav_installer.exe (PID: 3040)
  - getscreen.exe (PID: 1420)
  - Firefox Setup 115.5.0esr.exe (PID: 3348)
  - avast_secure_browser_setup.exe (PID: 3876)
  - cfw_installer.exe (PID: 2448)
  - ccsetup619.exe (PID: 2248)
- Process drops legitimate windows executable
  - ccsetup619.exe (PID: 2248)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - setup_1.0.5.1360.exe (PID: 3484)
  - GlassWireSetup.exe (PID: 3860)
  - AutoLogger.exe (PID: 2112)
  - norton_secure_browser_setup.exe (PID: 1928)
  - avira_ru_asu80.exe (PID: 3472)
  - mpam-feX64.exe (PID: 1904)
  - cispremium_installer.exe (PID: 3704)
  - eset_nod32_antivirus_live_installer.exe (PID: 1376)
  - zafwSetupWeb_158_213_19411.exe (PID: 3888)
  - Sandboxie-Plus-x64-v1.12.3.exe (PID: 2676)
  - Windows10Upgrade9252.exe (PID: 2116)
  - Teams_windows_x64.exe (PID: 3164)
  - compass-win.exe (PID: 3720)
  - ZoomInstaller.exe (PID: 3956)
  - rcsetup153.exe (PID: 2392)
  - Disk-O_setup.exe (PID: 328)
  - 360TS_Setup_Mini.exe (PID: 296)
  - Pro32 Getscreen Dashboard (beta) Setup.exe (PID: 3620)
  - kaspersky4win202121.15.8.493ru_42131.exe (PID: 1600)
  - getsusp64.exe (PID: 1032)
  - adguardInstaller.exe (PID: 1952)
  - dpsetup_en.exe (PID: 2260)
  - AnyDesk.exe (PID: 1028)
  - Ashampoo Backup 2023.exe (PID: 904)
- Connects to unusual port
  - Disk-O_setup.exe (PID: 328)
  - compass-win.exe (PID: 3720)
  - Ashampoo Backup 2023.exe (PID: 904)
  - avira_ru_asu80.exe (PID: 3472)
  - 360TS_Setup_Mini.exe (PID: 296)
  - mpam-feX64.exe (PID: 1904)
  - norton_secure_browser_setup.exe (PID: 1928)
  - Pro32 Getscreen Dashboard (beta) Setup.exe (PID: 3620)
  - getsusp64.exe (PID: 1032)
  - eset_nod32_antivirus_live_installer.exe (PID: 1376)
  - zafwSetupWeb_158_213_19411.exe (PID: 3888)
  - Windows10Upgrade9252.exe (PID: 2116)
  - Sandboxie-Plus-x64-v1.12.3.exe (PID: 2676)
  - Teams_windows_x64.exe (PID: 3164)
  - ZoomInstaller.exe (PID: 3956)
  - rcsetup153.exe (PID: 2392)
  - cispremium_installer.exe (PID: 3704)
  - AutoLogger.exe (PID: 2112)
  - GlassWireSetup.exe (PID: 3860)
  - kaspersky4win202121.15.8.493ru_42131.exe (PID: 1600)
  - setup_1.0.5.1360.exe (PID: 3484)
  - dpsetup_en.exe (PID: 2260)
  - adguardInstaller.exe (PID: 1952)
  - AnyDesk.exe (PID: 1028)
- Starts CMD.EXE for commands execution
  - ZoomInstaller.exe (PID: 3956)
INFO
- Reads the computer name
  - HitmanPro.exe (PID: 1864)
  - cispro_installer.exe (PID: 3028)
  - 360cse_official_13.5.2044.0.exe (PID: 1036)
  - cav_installer.exe (PID: 2220)
  - chromodosetup.exe (PID: 1860)
  - CocCocSetup.exe (PID: 2444)
  - SignalSetup.exe (PID: 4036)
  - adawaresafebrowser.exe (PID: 3108)
  - avg_secure_browser_setup.exe (PID: 3296)
  - Aol_Shield.exe (PID: 3312)
  - icedragonsetup.exe (PID: 3384)
  - Bitwarden-Installer-2023.12.0.exe (PID: 2908)
  - ciscomplete_installer.exe (PID: 900)
  - ccleaner_browser_setup.exe (PID: 1296)
  - Yandex.exe (PID: 3668)
  - dragonsetup.exe (PID: 2912)
  - Skype-8.110.0.218.exe (PID: 3516)
  - setup-volga.exe (PID: 3664)
  - ccav_installer.exe (PID: 3040)
  - getscreen.exe (PID: 1420)
  - Firefox Setup 115.5.0esr.exe (PID: 3348)
  - avast_secure_browser_setup.exe (PID: 3876)
  - cfw_installer.exe (PID: 2448)
  - ccsetup619.exe (PID: 2248)
  - setup_1.0.5.1360.exe (PID: 3484)
  - mpam-feX64.exe (PID: 1904)
  - kaspersky4win202121.15.8.493ru_42131.exe (PID: 1600)
  - norton_secure_browser_setup.exe (PID: 1928)
  - avira_ru_asu80.exe (PID: 3472)
  - eset_nod32_antivirus_live_installer.exe (PID: 1376)
  - zafwSetupWeb_158_213_19411.exe (PID: 3888)
  - GlassWireSetup.exe (PID: 3860)
  - Sandboxie-Plus-x64-v1.12.3.exe (PID: 2676)
  - compass-win.exe (PID: 3720)
  - cispremium_installer.exe (PID: 3704)
  - AutoLogger.exe (PID: 2112)
  - Pro32 Getscreen Dashboard (beta) Setup.exe (PID: 3620)
  - getsusp64.exe (PID: 1032)
  - Windows10Upgrade9252.exe (PID: 2116)
  - ZoomInstaller.exe (PID: 3956)
  - adguardInstaller.exe (PID: 1952)
  - Disk-O_setup.exe (PID: 328)
  - wmpnscfg.exe (PID: 3588)
  - AnyDesk.exe (PID: 1028)
  - Ashampoo Backup 2023.exe (PID: 904)
  - dpsetup_en.exe (PID: 2260)
  - 360TS_Setup_Mini.exe (PID: 296)
  - rcsetup153.exe (PID: 2392)
  - Teams_windows_x64.exe (PID: 3164)
  - wmpnscfg.exe (PID: 5032)
  - wmpnscfg.exe (PID: 5052)
  - wmpnscfg.exe (PID: 5432)
  - wmpnscfg.exe (PID: 5408)
- Checks supported languages
  - HitmanPro.exe (PID: 1864)
  - cispro_installer.exe (PID: 3028)
  - 360cse_official_13.5.2044.0.exe (PID: 1036)
  - cav_installer.exe (PID: 2220)
  - chromodosetup.exe (PID: 1860)
  - CocCocSetup.exe (PID: 2444)
  - SignalSetup.exe (PID: 4036)
  - adawaresafebrowser.exe (PID: 3108)
  - avg_secure_browser_setup.exe (PID: 3296)
  - Aol_Shield.exe (PID: 3312)
  - Bitwarden-Installer-2023.12.0.exe (PID: 2908)
  - ciscomplete_installer.exe (PID: 900)
  - ccleaner_browser_setup.exe (PID: 1296)
  - Yandex.exe (PID: 3668)
  - dragonsetup.exe (PID: 2912)
  - Skype-8.110.0.218.exe (PID: 3516)
  - setup-volga.exe (PID: 3664)
  - ccav_installer.exe (PID: 3040)
  - getscreen.exe (PID: 1420)
  - Firefox Setup 115.5.0esr.exe (PID: 3348)
  - icedragonsetup.exe (PID: 3384)
  - avast_secure_browser_setup.exe (PID: 3876)
  - cfw_installer.exe (PID: 2448)
  - ccsetup619.exe (PID: 2248)
  - cispremium_installer.exe (PID: 3704)
  - avira_ru_asu80.exe (PID: 3472)
  - eset_nod32_antivirus_live_installer.exe (PID: 1376)
  - kaspersky4win202121.15.8.493ru_42131.exe (PID: 1600)
  - GlassWireSetup.exe (PID: 3860)
  - getsusp64.exe (PID: 1032)
  - mpam-feX64.exe (PID: 1904)
  - norton_secure_browser_setup.exe (PID: 1928)
  - Pro32 Getscreen Dashboard (beta) Setup.exe (PID: 3620)
  - Teams_windows_x64.exe (PID: 3164)
  - setup_1.0.5.1360.exe (PID: 3484)
  - zafwSetupWeb_158_213_19411.exe (PID: 3888)
  - Windows10Upgrade9252.exe (PID: 2116)
  - AutoLogger.exe (PID: 2112)
  - rcsetup153.exe (PID: 2392)
  - Sandboxie-Plus-x64-v1.12.3.exe (PID: 2676)
  - compass-win.exe (PID: 3720)
  - ZoomInstaller.exe (PID: 3956)
  - adguardInstaller.exe (PID: 1952)
  - dpsetup_en.exe (PID: 2260)
  - AnyDesk.exe (PID: 1028)
  - Ashampoo Backup 2023.exe (PID: 904)
  - Disk-O_setup.exe (PID: 328)
  - 360TS_Setup_Mini.exe (PID: 296)
  - wmpnscfg.exe (PID: 3588)
  - wmpnscfg.exe (PID: 5052)
  - wmpnscfg.exe (PID: 5432)
  - wmpnscfg.exe (PID: 5408)
  - wmpnscfg.exe (PID: 5032)
- Create files in a temporary directory
  - HitmanPro.exe (PID: 1864)
  - cispro_installer.exe (PID: 3028)
  - Bitwarden-Installer-2023.12.0.exe (PID: 2908)
  - 360cse_official_13.5.2044.0.exe (PID: 1036)
  - cav_installer.exe (PID: 2220)
  - chromodosetup.exe (PID: 1860)
  - CocCocSetup.exe (PID: 2444)
  - SignalSetup.exe (PID: 4036)
  - adawaresafebrowser.exe (PID: 3108)
  - avg_secure_browser_setup.exe (PID: 3296)
  - Aol_Shield.exe (PID: 3312)
  - ciscomplete_installer.exe (PID: 900)
  - ccleaner_browser_setup.exe (PID: 1296)
  - Yandex.exe (PID: 3668)
  - dragonsetup.exe (PID: 2912)
  - Skype-8.110.0.218.exe (PID: 3516)
  - setup-volga.exe (PID: 3664)
  - ccav_installer.exe (PID: 3040)
  - getscreen.exe (PID: 1420)
  - icedragonsetup.exe (PID: 3384)
  - Firefox Setup 115.5.0esr.exe (PID: 3348)
  - avast_secure_browser_setup.exe (PID: 3876)
  - cfw_installer.exe (PID: 2448)
  - ccsetup619.exe (PID: 2248)
- Reads the machine GUID from the registry
  - setup_1.0.5.1360.exe (PID: 3484)
  - avira_ru_asu80.exe (PID: 3472)
  - AutoLogger.exe (PID: 2112)
  - GlassWireSetup.exe (PID: 3860)
  - eset_nod32_antivirus_live_installer.exe (PID: 1376)
  - mpam-feX64.exe (PID: 1904)
  - Pro32 Getscreen Dashboard (beta) Setup.exe (PID: 3620)
  - zafwSetupWeb_158_213_19411.exe (PID: 3888)
  - norton_secure_browser_setup.exe (PID: 1928)
  - kaspersky4win202121.15.8.493ru_42131.exe (PID: 1600)
  - getsusp64.exe (PID: 1032)
  - compass-win.exe (PID: 3720)
  - Sandboxie-Plus-x64-v1.12.3.exe (PID: 2676)
  - Windows10Upgrade9252.exe (PID: 2116)
  - cispremium_installer.exe (PID: 3704)
  - rcsetup153.exe (PID: 2392)
  - ZoomInstaller.exe (PID: 3956)
  - dpsetup_en.exe (PID: 2260)
  - 360TS_Setup_Mini.exe (PID: 296)
  - Teams_windows_x64.exe (PID: 3164)
  - Disk-O_setup.exe (PID: 328)
  - adguardInstaller.exe (PID: 1952)
  - Ashampoo Backup 2023.exe (PID: 904)
  - AnyDesk.exe (PID: 1028)
- Reads Environment values
  - setup_1.0.5.1360.exe (PID: 3484)
  - kaspersky4win202121.15.8.493ru_42131.exe (PID: 1600)
  - avira_ru_asu80.exe (PID: 3472)
  - mpam-feX64.exe (PID: 1904)
  - GlassWireSetup.exe (PID: 3860)
  - AutoLogger.exe (PID: 2112)
  - eset_nod32_antivirus_live_installer.exe (PID: 1376)
  - zafwSetupWeb_158_213_19411.exe (PID: 3888)
  - Pro32 Getscreen Dashboard (beta) Setup.exe (PID: 3620)
  - norton_secure_browser_setup.exe (PID: 1928)
  - getsusp64.exe (PID: 1032)
  - cispremium_installer.exe (PID: 3704)
  - Windows10Upgrade9252.exe (PID: 2116)
  - compass-win.exe (PID: 3720)
  - Sandboxie-Plus-x64-v1.12.3.exe (PID: 2676)
  - dpsetup_en.exe (PID: 2260)
  - 360TS_Setup_Mini.exe (PID: 296)
  - ZoomInstaller.exe (PID: 3956)
  - Disk-O_setup.exe (PID: 328)
  - rcsetup153.exe (PID: 2392)
  - adguardInstaller.exe (PID: 1952)
  - Ashampoo Backup 2023.exe (PID: 904)
  - AnyDesk.exe (PID: 1028)
  - Teams_windows_x64.exe (PID: 3164)
- Manual execution by a user
  - wmpnscfg.exe (PID: 3588)
  - wmpnscfg.exe (PID: 5032)
  - wmpnscfg.exe (PID: 5052)
  - wmpnscfg.exe (PID: 5432)
  - wmpnscfg.exe (PID: 5408)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

NjRat

(PID) Process(3472) avira_ru_asu80.exe

C25.tcp.eu.ngrok.io

Ports13064

BotnetWar_6

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\b81df7dfaa813acb7fe22c7b622b980f

Splitter|'|'|

Versionim523

(PID) Process(3620) Pro32 Getscreen Dashboard (beta) Setup.exe

C25.tcp.eu.ngrok.io

Ports13064

BotnetWar_16

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\929707e988404aa0d681162abf513f95

Splitter|'|'|

Versionim523

(PID) Process(3484) setup_1.0.5.1360.exe

C25.tcp.eu.ngrok.io

Ports13064

BotnetWar_18

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\892f4e76dbb1b9ca103338dc9b19620b

Splitter|'|'|

Versionim523

(PID) Process(2392) rcsetup153.exe

C25.tcp.eu.ngrok.io

Ports13064

BotnetWar_17

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\0fe68385c5f377e396a67118c6a77776

Splitter|'|'|

Versionim523

(PID) Process(1952) adguardInstaller.exe

C25.tcp.eu.ngrok.io

Ports13064

BotnetWar_2

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\b730317ea8be59f965d8fb5002575011

Splitter|'|'|

Versionim523

(PID) Process(3704) cispremium_installer.exe

C25.tcp.eu.ngrok.io

Ports13064

BotnetWar_7

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\6f15623457da9b73454088bcb9ff2696

Splitter|'|'|

Versionim523

(PID) Process(296) 360TS_Setup_Mini.exe

C25.tcp.eu.ngrok.io

Ports13064

BotnetWar_1

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\805df23f12c79b2fa05b1aa3503f1441

Splitter|'|'|

Versionim523

(PID) Process(2112) AutoLogger.exe

C25.tcp.eu.ngrok.io

Ports13064

BotnetWar_5

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\efaecb90eae69dd252202aee5d69554c

Splitter|'|'|

Versionim523

(PID) Process(904) Ashampoo Backup 2023.exe

C25.tcp.eu.ngrok.io

Ports13064

BotnetWar_4

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\c78f6759a4a6528d196cbc6be048825d

Splitter|'|'|

Versionim523

(PID) Process(2260) dpsetup_en.exe

C25.tcp.eu.ngrok.io

Ports13064

BotnetWar_10

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\a88f484863334fc67d2cc0883db157d0

Splitter|'|'|

Versionim523

(PID) Process(3956) ZoomInstaller.exe

C25.tcp.eu.ngrok.io

Ports13064

BotnetWar_23

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\99963dc0751bd49309cc9c72993b2593

Splitter|'|'|

Versionim523

(PID) Process(3860) GlassWireSetup.exe

C25.tcp.eu.ngrok.io

Ports13064

BotnetWar_13

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\628f3922c8f5b02ddb3ea4e73a43ccb8

Splitter|'|'|

Versionim523

(PID) Process(2676) Sandboxie-Plus-x64-v1.12.3.exe

C25.tcp.eu.ngrok.io

Ports13064

BotnetWar_17

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\2f533f7adada87cd7c1475e1989bceb2

Splitter|'|'|

Versionim523

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:10:03 09:51:19+02:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.33
CodeSize:	214528
InitializedDataSize:	382464
UninitializedDataSize:	-
EntryPoint:	0x21d50
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	3.8.34.330
ProductVersionNumber:	3.8.34.330
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	Sophos B.V.
FileDescription:	HitmanPro 3.8
FileVersion:	3, 8, 34, 330
InternalName:	HitmanPro38
LegalCopyright:	© 2006-2023 Sophos B.V.
OriginalFileName:	HitmanPro.exe
ProductName:	HitmanPro
ProductVersion:	3.8.34.330

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

144

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

272

netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\rcsetup153.exe" "rcsetup153.exe" ENABLE

C:\Windows\System32\netsh.exe

—

rcsetup153.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

296

"C:\Users\admin\AppData\Local\Temp\360TS_Setup_Mini.exe"

C:\Users\admin\AppData\Local\Temp\360TS_Setup_Mini.exe

ccsetup619.exe

User:

admin

Company:

Qihoo 360 Technology Co. Ltd.

Integrity Level:

MEDIUM

Description:

360 Total Security Online Installer

Exit code:

4294967295

Version:

6, 6, 0, 1054

Modules

Images
c:\users\admin\appdata\local\temp\360ts_setup_mini.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

NjRat

(PID) Process(296) 360TS_Setup_Mini.exe

C25.tcp.eu.ngrok.io

Ports13064

BotnetWar_1

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\805df23f12c79b2fa05b1aa3503f1441

Splitter|'|'|

Versionim523

328

"C:\Users\admin\AppData\Local\Temp\Disk-O_setup.exe"

C:\Users\admin\AppData\Local\Temp\Disk-O_setup.exe

ccsetup619.exe

User:

admin

Company:

Mail.Ru

Integrity Level:

MEDIUM

Description:

Disk-O:

Exit code:

Version:

23.10.0031

Modules

Images
c:\users\admin\appdata\local\temp\disk-o_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

372

netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\setup_1.0.5.1360.exe" "setup_1.0.5.1360.exe" ENABLE

C:\Windows\System32\netsh.exe

—

setup_1.0.5.1360.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

684

netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\AnyDesk.exe" "AnyDesk.exe" ENABLE

C:\Windows\System32\netsh.exe

—

AnyDesk.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

824

netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\eset_nod32_antivirus_live_installer.exe" "eset_nod32_antivirus_live_installer.exe" ENABLE

C:\Windows\System32\netsh.exe

—

eset_nod32_antivirus_live_installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

900

"C:\Users\admin\AppData\Local\Temp\ciscomplete_installer.exe"

C:\Users\admin\AppData\Local\Temp\ciscomplete_installer.exe

—

icedragonsetup.exe

User:

admin

Company:

COMODO

Integrity Level:

MEDIUM

Description:

COMODO Internet Security

Exit code:

Version:

12, 2, 2, 8012

Modules

Images
c:\users\admin\appdata\local\temp\ciscomplete_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

904

"C:\Users\admin\AppData\Local\Temp\Ashampoo Backup 2023.exe"

C:\Users\admin\AppData\Local\Temp\Ashampoo Backup 2023.exe

ccsetup619.exe

User:

admin

Company:

Ashampoo GmbH & Co. KG

Integrity Level:

MEDIUM

Description:

Ashampoo Backup 2023 Setup

Exit code:

4294967295

Version:

17.03

Modules

Images
c:\users\admin\appdata\local\temp\ashampoo backup 2023.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

NjRat

(PID) Process(904) Ashampoo Backup 2023.exe

C25.tcp.eu.ngrok.io

Ports13064

BotnetWar_4

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\c78f6759a4a6528d196cbc6be048825d

Splitter|'|'|

Versionim523

1028

"C:\Users\admin\AppData\Local\Temp\AnyDesk.exe"

C:\Users\admin\AppData\Local\Temp\AnyDesk.exe

ccsetup619.exe

User:

admin

Company:

AnyDesk Software GmbH

Integrity Level:

MEDIUM

Description:

AnyDesk

Exit code:

Version:

8.0.6

Modules

Images
c:\users\admin\appdata\local\temp\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1032

"C:\Users\admin\AppData\Local\Temp\getsusp64.exe"

C:\Users\admin\AppData\Local\Temp\getsusp64.exe

ccsetup619.exe

User:

admin

Company:

Musarubra US LLC

Integrity Level:

MEDIUM

Description:

Trellix GetSusp

Exit code:

Version:

5.0.0.27

Modules

Images
c:\users\admin\appdata\local\temp\getsusp64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

Add for printing

Total events

37 975

Read events

36 704

Write events

1 271

Delete events

Modification events


(PID) Process:	(1864) HitmanPro.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1864) HitmanPro.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1864) HitmanPro.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1864) HitmanPro.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(3028) cispro_installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3028) cispro_installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3028) cispro_installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3028) cispro_installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2908) Bitwarden-Installer-2023.12.0.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2908) Bitwarden-Installer-2023.12.0.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1864	HitmanPro.exe	C:\Users\admin\AppData\Local\Temp\cispro_installer.exe		executable
		MD5:38C92EB268848204064F254A91EA5531	SHA256:8FBB87EFAF68BB33EFAE0E26D4AF10542E593F038843AABA68B0930FCDFEE148
1860	chromodosetup.exe	C:\Users\admin\AppData\Local\Temp\CocCocSetup.exe		executable
		MD5:F74C16C04D42828C5FF50E715FC184BD	SHA256:E05DC07D070985CB3815FCFD0F3E4CFE84CA4F30C7F153BA6103AF82E4188023
3108	adawaresafebrowser.exe	C:\Users\admin\AppData\Local\Temp\avg_secure_browser_setup.exe		executable
		MD5:06ED20A09C2F52272EE64B211E79CDAA	SHA256:F4881AF5EF96D012470CDDD5B13742DEB0476C9F86DE7E5CC4CB765ACF4B63A0
2220	cav_installer.exe	C:\Users\admin\AppData\Local\Temp\chromodosetup.exe		executable
		MD5:1A0AC4D95483290D69374596EEA77674	SHA256:C7B3CF561E5B06D6B7BB040FD7DC7047B57F96EE4E2A843FA30F145A72F1FE21
900	ciscomplete_installer.exe	C:\Users\admin\AppData\Local\Temp\ccleaner_browser_setup.exe		executable
		MD5:0A5D533924E54138234BBC602B17F379	SHA256:D97D18253482325156001578F19C98152CD120284E9BF3812D54449E83D285B8
4036	SignalSetup.exe	C:\Users\admin\AppData\Local\Temp\adawaresafebrowser.exe		executable
		MD5:7B8F210FDC8DB05345A70C6C249C0154	SHA256:2F1281FF75BA53A46E5C6334D134FC9120AA5BC5BD7D4E347E77FEC74EBA78D8
3668	Yandex.exe	C:\Users\admin\AppData\Local\Temp\dragonsetup.exe		executable
		MD5:5C4605D146EC5183380A6FE0E121CD59	SHA256:E0EA038058E29FF48574FA2EBFE0FB0E1777130DA35FD6F30216F5DB5217F3DD
3312	Aol_Shield.exe	C:\Users\admin\AppData\Local\Temp\icedragonsetup.exe		executable
		MD5:0449735CCDF6E4438E4AEA020E2EC21C	SHA256:FB32692E6E7D0C9E4B5D3E9BD8DCC6406418ABAA3DCD90AA3D7FB58C9C54432C
2912	dragonsetup.exe	C:\Users\admin\AppData\Local\Temp\Skype-8.110.0.218.exe		executable
		MD5:521A4750A90025E40CA7EF85995F98CE	SHA256:C3CEE47C3E52925B40C88208F84E8DAAFB4E15C82899FB1FA1EF0DF6CE30F59F
3384	icedragonsetup.exe	C:\Users\admin\AppData\Local\Temp\ciscomplete_installer.exe		executable
		MD5:360A0EAEC8EE7562D0752DB3B2FD0698	SHA256:8C67EC53064A484658C4F257400FE1EAC441EDC544560158F09BBB157E262262

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2588	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1600	kaspersky4win202121.15.8.493ru_42131.exe	3.67.62.142:13064	5.tcp.eu.ngrok.io	AMAZON-02	DE	malicious
3472	avira_ru_asu80.exe	3.67.62.142:13064	5.tcp.eu.ngrok.io	AMAZON-02	DE	malicious
1032	getsusp64.exe	3.67.62.142:13064	5.tcp.eu.ngrok.io	AMAZON-02	DE	malicious
1928	norton_secure_browser_setup.exe	3.67.62.142:13064	5.tcp.eu.ngrok.io	AMAZON-02	DE	malicious
3484	setup_1.0.5.1360.exe	3.67.62.142:13064	5.tcp.eu.ngrok.io	AMAZON-02	DE	malicious
2112	AutoLogger.exe	3.67.62.142:13064	5.tcp.eu.ngrok.io	AMAZON-02	DE	malicious

DNS requests

Domain	IP	Reputation
5.tcp.eu.ngrok.io	3.67.62.142 18.158.58.205	malicious

Threats

PID	Process	Class	Message
1080	svchost.exe	Misc activity	ET INFO DNS Query to a *.ngrok domain (ngrok.io)
1080	svchost.exe	Misc activity	ET INFO DNS Query to a *.ngrok domain (ngrok.io)
1080	svchost.exe	Misc activity	ET INFO DNS Query to a *.ngrok domain (ngrok.io)
3472	avira_ru_asu80.exe	Malware Command and Control Activity Detected	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
1928	norton_secure_browser_setup.exe	Malware Command and Control Activity Detected	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
3484	setup_1.0.5.1360.exe	Malware Command and Control Activity Detected	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
296	360TS_Setup_Mini.exe	Malware Command and Control Activity Detected	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
1904	mpam-feX64.exe	Malware Command and Control Activity Detected	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
328	Disk-O_setup.exe	Malware Command and Control Activity Detected	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
1032	getsusp64.exe	Malware Command and Control Activity Detected	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

59 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

HitmanPro.exe

B84E2AFEB7244F937FCAFAB3B370AD33

59161AA7ECAE65873602B7B4AF2C3775BA8ACF1E

A6812FD8220DBB68939414E3A8F9D7BE24DC7BC2EC190A841723C01C8EDD2C12

98304:LfLIQ/0hFPfUG8UOCn9wNB7plQR04lVIOmweMibgzSQcyyXe6w24HBJcMxUsT/Gj:LmgcuW6osKe

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

NjRAT is detected

NJRAT has been detected (YARA)

NJRAT has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Reads the Internet Settings

Process drops legitimate windows executable

Uses NETSH.EXE to add a firewall rule or allowed programs

Connects to unusual port

Starts CMD.EXE for commands execution

INFO

Reads the computer name

Checks supported languages

Create files in a temporary directory

Reads the machine GUID from the registry

Reads Environment values

Manual execution by a user

Malware configuration

NjRat

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Malware configuration

NjRat

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

NjRat

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings