File name: New Text Document.bin.exe

Full analysis: https://app.any.run/tasks/75ed53aa-a3fc-4c47-aafe-39877eb1e7c8
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: May 26, 2024, 02:35:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: hausbomber, dcrat, loader, ipfs, redline, opendir, evasion, stealer, agenttesla, ftp, exfiltration, smtp, formbook, xloader, remote, xworm, lokibot, trojan, spyware, asyncrat, phorpiex, gcleaner, adware, innosetup, bruteforce, cmsbrute, pifagor, ransomware, meta, metastealer, discord, ssh, phishing, lumma, socks5systemz, proxy
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 0B0D247AA1F24C2F5867B3BF29F69450
SHA1: 48DE9F34226FD7F637E2379365BE035AF5C0DF1A
SHA256: A6E7292E734C3A15CFA654BBA8DEA72A2F55F1C24CF6BBDC2FD7E63887E9315A
SSDEEP: 12288:dcgCzNHJj96xfKJStJkRm3bYXob0AnmFMcaGQxkZVVVVVVVVVAtVVVUvqGV:UQKgLIQmFuGQxklvqO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • New Text Document.bin.exe (PID: 3976)
      • STHealthClient.exe (PID: 1620)
      • New Text Document.exe (PID: 2032)
      • rtx.exe (PID: 3392)
      • Bypass3_Pure_Mode.exe (PID: 2484)
      • XClient.exe (PID: 2832)
      • csrss.exe (PID: 1280)
      • SrbijaSetupHokej.exe (PID: 2940)
      • sharonzx.exe (PID: 2616)
      • SrbijaSetupHokej.exe (PID: 1128)
      • ChromeSetup.exe (PID: 2072)
      • sharonzx.exe (PID: 4040)
      • GoogleUpdateSetup.exe (PID: 2304)
      • GoogleUpdate.exe (PID: 2992)
      • svchost.exe (PID: 1880)
      • crt.exe (PID: 4160)
      • crt.exe (PID: 4840)
      • crt.tmp (PID: 4880)
      • cdplayer.exe (PID: 5116)
      • sdf34ert3etgrthrthfghfghjfgh.exe (PID: 5620)
      • conhost.exe (PID: 5352)
      • vpn-1002.exe (PID: 4512)
      • o2i3jroi23joj23ikrjokij3oroi.exe (PID: 6000)
      • tdrpload.exe (PID: 4608)
      • katCA8C.tmp (PID: 5684)
      • 472111564.exe (PID: 6056)
      • Pirate_24S.exe (PID: 4388)
      • cmd.exe (PID: 5452)
      • 222.exe (PID: 4984)
      • 888.exe (PID: 5648)
      • 109.0.5414.120_chrome_installer.exe (PID: 5952)
      • Discord.exe (PID: 4640)
      • yar.exe (PID: 4924)
      • e_win.exe (PID: 4240)
      • install.exe (PID: 3756)
      • setup_1715277229.6072824.exe (PID: 4952)
      • pojgysef.exe (PID: 4388)
      • work.exe (PID: 5760)
      • setup.exe (PID: 4380)
    • HAUSBOMBER has been detected (YARA)

      • New Text Document.exe (PID: 2032)
    • DCRAT has been detected (YARA)

      • New Text Document.exe (PID: 2032)
    • REDLINE has been detected (YARA)

      • crypted.exe (PID: 1980)
    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 3008)
      • RegSvcs.exe (PID: 824)
      • RegSvcs.exe (PID: 2368)
      • sharonzx.exe (PID: 4040)
      • RegSvcs.exe (PID: 1604)
      • RegSvcs.exe (PID: 3640)
      • katCA8C.tmp (PID: 5684)
      • gHIvTf22qvmZjum.exe (PID: 5868)
      • MSBuild.exe (PID: 4248)
    • Actions look like stealing of personal data

      • RegSvcs.exe (PID: 3008)
      • RegSvcs.exe (PID: 824)
      • RegSvcs.exe (PID: 2368)
      • sharonzx.exe (PID: 4040)
      • RegSvcs.exe (PID: 1604)
      • RegSvcs.exe (PID: 3640)
      • netbtugc.exe (PID: 3412)
      • gHIvTf22qvmZjum.exe (PID: 5868)
      • katD46F.tmp (PID: 4552)
      • New Text Document.exe (PID: 2032)
      • Discord.exe (PID: 4640)
      • taskhostw.exe (PID: 5816)
      • katCA8C.tmp (PID: 5684)
      • MSBuild.exe (PID: 4248)
    • Changes the autorun value in the registry

      • rtx.exe (PID: 3392)
      • tdrpload.exe (PID: 4608)
      • 472111564.exe (PID: 6056)
      • Discord.exe (PID: 4640)
      • yar.exe (PID: 4924)
      • setup.exe (PID: 4380)
    • AGENTTESLA has been detected (YARA)

      • RegSvcs.exe (PID: 824)
      • RegSvcs.exe (PID: 2368)
      • RegSvcs.exe (PID: 3640)
      • gHIvTf22qvmZjum.exe (PID: 5868)
    • Connects to the CnC server

      • RegSvcs.exe (PID: 2368)
      • sharonzx.exe (PID: 4040)
      • sysblardsv.exe (PID: 5060)
      • New Text Document.exe (PID: 2032)
      • gHIvTf22qvmZjum.exe (PID: 5868)
      • syslmgrsvc.exe (PID: 3268)
      • MSBuild.exe (PID: 4248)
      • cdplayer.exe (PID: 5224)
    • AGENTTESLA has been detected (SURICATA)

      • RegSvcs.exe (PID: 2368)
      • gHIvTf22qvmZjum.exe (PID: 5868)
    • Creates files in the Startup directory

      • XClient.exe (PID: 2832)
      • svchost.exe (PID: 1880)
      • Discord.exe (PID: 4640)
    • FORMBOOK has been detected (YARA)

      • rooma.exe (PID: 1116)
      • netbtugc.exe (PID: 3412)
    • Uses Task Scheduler to run other applications

      • sharonzx.exe (PID: 2616)
      • Discord.exe (PID: 4640)
      • yar.exe (PID: 4924)
    • XWORM has been detected (YARA)

      • XClient.exe (PID: 2832)
      • csrss.exe (PID: 1280)
      • svchost.exe (PID: 1880)
      • Discord.exe (PID: 4640)
    • Lokibot is detected

      • sharonzx.exe (PID: 4040)
    • LOKIBOT has been detected (SURICATA)

      • sharonzx.exe (PID: 4040)
    • LOKIBOT has been detected (YARA)

      • sharonzx.exe (PID: 4040)
    • ASYNCRAT has been detected (YARA)

      • vax.exe (PID: 2320)
      • my.exe (PID: 4480)
    • Steals credentials

      • netbtugc.exe (PID: 3412)
      • katCA8C.tmp (PID: 5684)
    • Starts CMD.EXE for self-deleting

      • inte.exe (PID: 6028)
      • katCA8C.tmp (PID: 5684)
      • univ.exe (PID: 6084)
      • univ.exe (PID: 2828)
    • Changes the Windows auto-update feature

      • sysblardsv.exe (PID: 5060)
      • syslmgrsvc.exe (PID: 3268)
    • Changes appearance of the Explorer extensions

      • sysblardsv.exe (PID: 5060)
      • syslmgrsvc.exe (PID: 3268)
    • Changes Security Center notification settings

      • sysblardsv.exe (PID: 5060)
      • syslmgrsvc.exe (PID: 3268)
    • FORMBOOK has been detected (SURICATA)

      • New Text Document.exe (PID: 2032)
    • Creates a writable file in the system directory

      • cmd.exe (PID: 5452)
    • PHORPIEX has been detected (SURICATA)

      • syslmgrsvc.exe (PID: 3268)
    • GCLEANER has been detected (SURICATA)

      • univ.exe (PID: 6084)
      • univ.exe (PID: 2828)
    • Deletes shadow copies

      • cmd.exe (PID: 5160)
      • cmd.exe (PID: 5676)
      • cmd.exe (PID: 5384)
    • Renames files like ransomware

      • e_win.exe (PID: 4240)
    • UAC/LUA settings modification

      • reg.exe (PID: 4204)
    • Starts CertUtil for downloading files

      • cmd.exe (PID: 4228)
    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 4228)
    • METASTEALER has been detected (SURICATA)

      • MSBuild.exe (PID: 4248)
    • LUMMA has been detected (YARA)

      • up2date.exe (PID: 4256)
      • udated.exe (PID: 5144)
    • Known privilege escalation attack

      • dllhost.exe (PID: 8184)
    • SOCKS5SYSTEMZ has been detected (SURICATA)

      • cdplayer.exe (PID: 5224)
  • SUSPICIOUS

    • Reads the Internet Settings

      • New Text Document.bin.exe (PID: 3976)
      • New Text Document.exe (PID: 2032)
      • STHealthClient.exe (PID: 1620)
      • go.exe (PID: 2368)
      • RegSvcs.exe (PID: 3008)
      • RegSvcs.exe (PID: 3992)
      • RegSvcs.exe (PID: 2368)
      • Bypass3_Pure_Mode.exe (PID: 2484)
      • XClient.exe (PID: 2832)
      • csrss.exe (PID: 1280)
      • sharonzx.exe (PID: 2616)
      • sharonzx.exe (PID: 4040)
      • GoogleUpdate.exe (PID: 2424)
      • RegSvcs.exe (PID: 1604)
      • netbtugc.exe (PID: 3412)
      • svchost.exe (PID: 1880)
      • katCA8C.tmp (PID: 5684)
      • conhost.exe (PID: 5352)
      • cmd.exe (PID: 5856)
      • inte.exe (PID: 6028)
      • vpn-1002.exe (PID: 4512)
      • powershell.exe (PID: 4568)
      • cmd.exe (PID: 4584)
      • powershell.exe (PID: 5184)
      • sysblardsv.exe (PID: 5060)
      • gHIvTf22qvmZjum.exe (PID: 5868)
      • cmd.exe (PID: 992)
      • katD46F.tmp (PID: 4552)
      • Pirate_24S.exe (PID: 4388)
      • wscript.exe (PID: 5448)
      • regedt32.exe (PID: 4936)
      • syslmgrsvc.exe (PID: 3268)
      • 222.exe (PID: 4984)
      • cmd.exe (PID: 4816)
      • regedt32.exe (PID: 5968)
      • univ.exe (PID: 6084)
      • 888.exe (PID: 5648)
      • cmd.exe (PID: 5040)
      • univ.exe (PID: 2828)
      • yar.exe (PID: 4924)
      • Discord.exe (PID: 4640)
      • e_win.exe (PID: 4240)
      • f.exe (PID: 2328)
      • mshta.exe (PID: 5664)
      • install.exe (PID: 3756)
      • GameService.exe (PID: 5364)
      • certutil.exe (PID: 5092)
      • GameService.exe (PID: 5700)
      • GameService.exe (PID: 5760)
      • GameService.exe (PID: 4284)
      • GameService.exe (PID: 4712)
      • certutil.exe (PID: 6016)
      • GameService.exe (PID: 4204)
      • GameService.exe (PID: 5120)
      • GameService.exe (PID: 5812)
      • MSBuild.exe (PID: 4248)
      • pojgysef.exe (PID: 4388)
      • work.exe (PID: 5760)
      • GoogleUpdate.exe (PID: 4592)
      • eee01.exe (PID: 4712)
      • eee01.exe (PID: 8392)
      • cdplayer.exe (PID: 5224)
    • Reads Microsoft Outlook installation path

      • New Text Document.bin.exe (PID: 3976)
    • Reads security settings of Internet Explorer

      • New Text Document.bin.exe (PID: 3976)
      • New Text Document.exe (PID: 2032)
      • Bypass3_Pure_Mode.exe (PID: 2484)
      • sharonzx.exe (PID: 2616)
      • katCA8C.tmp (PID: 5684)
      • conhost.exe (PID: 5352)
      • inte.exe (PID: 6028)
      • vpn-1002.exe (PID: 4512)
      • sysblardsv.exe (PID: 5060)
      • katD46F.tmp (PID: 4552)
      • Pirate_24S.exe (PID: 4388)
      • syslmgrsvc.exe (PID: 3268)
      • 222.exe (PID: 4984)
      • univ.exe (PID: 6084)
      • 888.exe (PID: 5648)
      • univ.exe (PID: 2828)
      • Discord.exe (PID: 4640)
      • yar.exe (PID: 4924)
      • e_win.exe (PID: 4240)
      • f.exe (PID: 2328)
      • install.exe (PID: 3756)
      • GameService.exe (PID: 5364)
      • GameService.exe (PID: 5700)
      • GameService.exe (PID: 4284)
      • GameService.exe (PID: 5760)
      • GameService.exe (PID: 4712)
      • GameService.exe (PID: 4204)
      • GameService.exe (PID: 5120)
      • GameService.exe (PID: 5812)
      • pojgysef.exe (PID: 4388)
      • work.exe (PID: 5760)
      • cdplayer.exe (PID: 5224)
    • Executable content was dropped or overwritten

      • New Text Document.bin.exe (PID: 3976)
      • New Text Document.exe (PID: 2032)
      • STHealthClient.exe (PID: 1620)
      • rtx.exe (PID: 3392)
      • Bypass3_Pure_Mode.exe (PID: 2484)
      • XClient.exe (PID: 2832)
      • csrss.exe (PID: 1280)
      • SrbijaSetupHokej.exe (PID: 2940)
      • sharonzx.exe (PID: 2616)
      • SrbijaSetupHokej.exe (PID: 1128)
      • ChromeSetup.exe (PID: 2072)
      • sharonzx.exe (PID: 4040)
      • GoogleUpdateSetup.exe (PID: 2304)
      • GoogleUpdate.exe (PID: 2992)
      • svchost.exe (PID: 1880)
      • netbtugc.exe (PID: 3412)
      • crt.exe (PID: 4160)
      • crt.exe (PID: 4840)
      • crt.tmp (PID: 4880)
      • cdplayer.exe (PID: 5116)
      • sdf34ert3etgrthrthfghfghjfgh.exe (PID: 5620)
      • conhost.exe (PID: 5352)
      • vpn-1002.exe (PID: 4512)
      • o2i3jroi23joj23ikrjokij3oroi.exe (PID: 6000)
      • tdrpload.exe (PID: 4608)
      • katCA8C.tmp (PID: 5684)
      • 472111564.exe (PID: 6056)
      • Pirate_24S.exe (PID: 4388)
      • cmd.exe (PID: 5452)
      • 222.exe (PID: 4984)
      • 888.exe (PID: 5648)
      • 109.0.5414.120_chrome_installer.exe (PID: 5952)
      • yar.exe (PID: 4924)
      • Discord.exe (PID: 4640)
      • install.exe (PID: 3756)
      • setup_1715277229.6072824.exe (PID: 4952)
      • pojgysef.exe (PID: 4388)
      • setup.exe (PID: 4380)
      • work.exe (PID: 5760)
    • Reads Internet Explorer settings

      • New Text Document.bin.exe (PID: 3976)
    • Reads settings of System Certificates

      • New Text Document.exe (PID: 2032)
      • RegSvcs.exe (PID: 824)
      • GoogleUpdate.exe (PID: 2424)
      • RegSvcs.exe (PID: 1604)
      • RegSvcs.exe (PID: 3640)
      • katCA8C.tmp (PID: 5684)
      • vpn-1002.exe (PID: 4512)
      • katD46F.tmp (PID: 4552)
      • Discord.exe (PID: 4640)
      • MSBuild.exe (PID: 4248)
      • GoogleUpdate.exe (PID: 4592)
    • Potential Corporate Privacy Violation

      • New Text Document.exe (PID: 2032)
      • rtx.exe (PID: 3392)
      • certutil.exe (PID: 5092)
    • Process requests binary or script from the Internet

      • New Text Document.exe (PID: 2032)
      • STHealthClient.exe (PID: 1620)
    • Connects to unusual port

      • New Text Document.exe (PID: 2032)
      • RegSvcs.exe (PID: 3008)
      • example.exe (PID: 2392)
      • RegSvcs.exe (PID: 2368)
      • rtx.exe (PID: 3392)
      • csrss.exe (PID: 1280)
      • XClient.exe (PID: 2832)
      • vax.exe (PID: 2320)
      • svchost.exe (PID: 1880)
      • gHIvTf22qvmZjum.exe (PID: 5868)
      • sysblardsv.exe (PID: 5060)
      • syslmgrsvc.exe (PID: 3268)
      • yar.exe (PID: 4924)
      • Discord.exe (PID: 4640)
      • certutil.exe (PID: 5092)
      • MSBuild.exe (PID: 4248)
      • cdplayer.exe (PID: 5224)
    • Connects to the server without a host name

      • New Text Document.exe (PID: 2032)
      • inte.exe (PID: 6028)
      • sysblardsv.exe (PID: 5060)
      • univ.exe (PID: 6084)
      • syslmgrsvc.exe (PID: 3268)
      • univ.exe (PID: 2828)
    • Creates a file in the system drive root

      • ntvdm.exe (PID: 936)
    • Accesses Microsoft Outlook profiles

      • RegSvcs.exe (PID: 3008)
      • RegSvcs.exe (PID: 824)
      • RegSvcs.exe (PID: 2368)
      • sharonzx.exe (PID: 4040)
      • RegSvcs.exe (PID: 1604)
      • RegSvcs.exe (PID: 3640)
      • gHIvTf22qvmZjum.exe (PID: 5868)
    • Connects to FTP

      • RegSvcs.exe (PID: 3008)
      • RegSvcs.exe (PID: 2368)
      • gHIvTf22qvmZjum.exe (PID: 5868)
      • rtx.exe (PID: 3392)
    • Connects to SMTP port

      • RegSvcs.exe (PID: 824)
      • RegSvcs.exe (PID: 3640)
      • rtx.exe (PID: 3392)
    • The process checks if it is being run in the virtual environment

      • New Text Document.exe (PID: 2032)
    • Application launched itself

      • rtx.exe (PID: 1240)
      • sharonzx.exe (PID: 2616)
      • gHIvTf22qvmZjum.exe (PID: 368)
      • setup.exe (PID: 4380)
      • GameService.exe (PID: 5364)
      • GameService.exe (PID: 5700)
      • GameService.exe (PID: 4284)
      • GameService.exe (PID: 5760)
      • GameService.exe (PID: 4204)
      • GameService.exe (PID: 5120)
      • GameService.exe (PID: 4712)
      • GameService.exe (PID: 5812)
      • setup.exe (PID: 5604)
      • GoogleUpdate.exe (PID: 3848)
    • The process creates files with name similar to system file names

      • rtx.exe (PID: 3392)
      • New Text Document.exe (PID: 2032)
      • XClient.exe (PID: 2832)
      • csrss.exe (PID: 1280)
      • svchost.exe (PID: 1880)
    • Process drops legitimate windows executable

      • New Text Document.exe (PID: 2032)
      • sharonzx.exe (PID: 2616)
      • sharonzx.exe (PID: 4040)
      • crt.tmp (PID: 4880)
      • Pirate_24S.exe (PID: 4388)
      • cmd.exe (PID: 5452)
    • Starts a Microsoft application from unusual location

      • sharonzx.exe (PID: 2616)
      • sharonzx.exe (PID: 4040)
    • Checks for external IP

      • XClient.exe (PID: 2832)
      • csrss.exe (PID: 1280)
      • RegSvcs.exe (PID: 1604)
      • svchost.exe (PID: 1880)
    • Device Retrieving External IP Address Detected

      • csrss.exe (PID: 1280)
      • XClient.exe (PID: 2832)
    • Reads Mozilla Firefox installation path

      • sharonzx.exe (PID: 4040)
    • Reads the Windows owner or organization settings

      • SrbijaSetupHokej.tmp (PID: 1072)
      • crt.tmp (PID: 4880)
    • Loads DLL from Mozilla Firefox

      • sharonzx.exe (PID: 4040)
      • netbtugc.exe (PID: 3412)
    • Contacting a server suspected of hosting a CnC

      • sharonzx.exe (PID: 4040)
      • New Text Document.exe (PID: 2032)
      • cdplayer.exe (PID: 5224)
    • Disables SEHOP

      • GoogleUpdate.exe (PID: 2992)
    • Creates/Modifies COM task schedule object

      • GoogleUpdate.exe (PID: 580)
    • Executes as Windows Service

      • GoogleUpdate.exe (PID: 3848)
    • Process drops SQLite DLL files

      • netbtugc.exe (PID: 3412)
    • The process drops C-runtime libraries

      • crt.tmp (PID: 4880)
    • Starts application with an unusual extension

      • sdf34ert3etgrthrthfghfghjfgh.exe (PID: 5620)
      • o2i3jroi23joj23ikrjokij3oroi.exe (PID: 6000)
    • Drops 7-zip archiver for unpacking

      • conhost.exe (PID: 5352)
      • 222.exe (PID: 4984)
      • 888.exe (PID: 5648)
    • Checks Windows Trust Settings

      • katCA8C.tmp (PID: 5684)
      • vpn-1002.exe (PID: 4512)
      • katD46F.tmp (PID: 4552)
    • Starts CMD.EXE for commands execution

      • conhost.exe (PID: 5352)
      • vpn-1002.exe (PID: 4512)
      • inte.exe (PID: 6028)
      • katCA8C.tmp (PID: 5684)
      • wscript.exe (PID: 5448)
      • 222.exe (PID: 4984)
      • univ.exe (PID: 6084)
      • 888.exe (PID: 5648)
      • univ.exe (PID: 2828)
      • e_win.exe (PID: 4240)
      • f.exe (PID: 2328)
      • av_downloader.exe (PID: 5612)
      • av_downloader.exe (PID: 4576)
      • install.exe (PID: 3756)
      • pojgysef.exe (PID: 4388)
    • Executing commands from a ".bat" file

      • conhost.exe (PID: 5352)
      • vpn-1002.exe (PID: 4512)
      • 222.exe (PID: 4984)
      • 888.exe (PID: 5648)
      • av_downloader.exe (PID: 5612)
      • av_downloader.exe (PID: 4576)
      • install.exe (PID: 3756)
      • pojgysef.exe (PID: 4388)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 5856)
      • cmd.exe (PID: 4816)
      • cmd.exe (PID: 5040)
      • cmd.exe (PID: 4228)
    • Probably downloads files using WebClient

      • cmd.exe (PID: 4584)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 4580)
      • cmd.exe (PID: 6076)
      • cmd.exe (PID: 1044)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4584)
    • Searches for installed software

      • katCA8C.tmp (PID: 5684)
      • katD46F.tmp (PID: 4552)
      • MSBuild.exe (PID: 4248)
      • setup.exe (PID: 4380)
    • Starts itself from another location

      • tdrpload.exe (PID: 4608)
      • 472111564.exe (PID: 6056)
      • syslmgrsvc.exe (PID: 3268)
    • Unusual connection from system programs

      • powershell.exe (PID: 4568)
      • powershell.exe (PID: 5184)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 5184)
      • powershell.exe (PID: 4568)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 4112)
      • cmd.exe (PID: 4228)
    • The process executes VB scripts

      • Pirate_24S.exe (PID: 4388)
    • Executing commands from ".cmd" file

      • wscript.exe (PID: 5448)
      • install.exe (PID: 3756)
    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 5452)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 5448)
      • mshta.exe (PID: 5664)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 5452)
    • Uses REG/REGEDIT.EXE to modify registry

      • regedt32.exe (PID: 4936)
      • regedt32.exe (PID: 5968)
      • cmd.exe (PID: 4228)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 5452)
    • Creates files like ransomware instruction

      • e_win.exe (PID: 4240)
    • The process executes via Task Scheduler

      • taskhostw.exe (PID: 5816)
      • yar.exe (PID: 1944)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 4140)
      • cmd.exe (PID: 2912)
      • cmd.exe (PID: 4948)
    • The executable file from the user directory is run by the CMD process

      • work.exe (PID: 5760)
    • Reads the date of Windows installation

      • setup.exe (PID: 5604)
    • Creates a software uninstall entry

      • setup.exe (PID: 4380)
    • Reads browser cookies

      • MSBuild.exe (PID: 4248)
    • Connects to SSH

      • rtx.exe (PID: 3392)
  • INFO

    • Checks supported languages

      • New Text Document.bin.exe (PID: 3976)
      • New Text Document.exe (PID: 2032)
      • wmpnscfg.exe (PID: 2304)
      • STHealthUp.exe (PID: 308)
      • STHealthClient.exe (PID: 1620)
      • GGWS_UPLOAD.exe (PID: 1844)
      • MyCheckBack.exe (PID: 2240)
      • go.exe (PID: 2368)
      • aaaaaaaa.exe (PID: 2472)
      • crypted.exe (PID: 1980)
      • toolspub1.exe (PID: 3220)
      • wxijgyp.exe (PID: 2944)
      • RegSvcs.exe (PID: 3008)
      • zwuivg.exe (PID: 2480)
      • RegSvcs.exe (PID: 824)
      • example.exe (PID: 2392)
      • rtx.exe (PID: 1240)
      • backdoor.exe (PID: 2644)
      • rtx.exe (PID: 3392)
      • asdf.exe (PID: 2600)
      • wsiopohwqsd.exe (PID: 1120)
      • RegSvcs.exe (PID: 3992)
      • QEwecfyhj.exe (PID: 3024)
      • RegSvcs.exe (PID: 3432)
      • tsaplQyj.exe (PID: 1556)
      • RegSvcs.exe (PID: 2368)
      • sharonzx.exe (PID: 2616)
      • Bypass3_Pure_Mode.exe (PID: 2484)
      • XClient.exe (PID: 2832)
      • csrss.exe (PID: 1280)
      • rooma.exe (PID: 1116)
      • SrbijaSetupHokej.exe (PID: 2940)
      • SrbijaSetupHokej.tmp (PID: 3184)
      • sharonzx.exe (PID: 4040)
      • SrbijaSetupHokej.tmp (PID: 1072)
      • SrbijaSetupHokej.exe (PID: 1128)
      • ChromeSetup.exe (PID: 2072)
      • GoogleUpdateSetup.exe (PID: 2304)
      • GoogleUpdate.exe (PID: 1284)
      • GoogleUpdate.exe (PID: 2992)
      • GoogleUpdate.exe (PID: 2696)
      • GoogleUpdate.exe (PID: 580)
      • GoogleUpdate.exe (PID: 948)
      • GoogleUpdate.exe (PID: 2424)
      • GoogleUpdate.exe (PID: 3848)
      • vax.exe (PID: 2320)
      • gywervcyuj.exe (PID: 2972)
      • RegSvcs.exe (PID: 1604)
      • xxxz.exe (PID: 2912)
      • ngown.exe (PID: 1804)
      • RegSvcs.exe (PID: 3640)
      • svchost.exe (PID: 1880)
      • gHIvTf22qvmZjum.exe (PID: 368)
      • crt.exe (PID: 4160)
      • crt.tmp (PID: 4168)
      • crt.exe (PID: 4840)
      • crt.tmp (PID: 4880)
      • cdplayer.exe (PID: 5116)
      • conhost.exe (PID: 5352)
      • cdplayer.exe (PID: 5224)
      • sdf34ert3etgrthrthfghfghjfgh.exe (PID: 5620)
      • katCA8C.tmp (PID: 5684)
      • inte.exe (PID: 6028)
      • mode.com (PID: 5884)
      • o2i3jroi23joj23ikrjokij3oroi.exe (PID: 6000)
      • vpn-1002.exe (PID: 4512)
      • tdrpload.exe (PID: 4608)
      • katD46F.tmp (PID: 4552)
      • sysblardsv.exe (PID: 5060)
      • gHIvTf22qvmZjum.exe (PID: 5868)
      • 472111564.exe (PID: 6056)
      • 222.exe (PID: 4984)
      • syslmgrsvc.exe (PID: 3268)
      • Pirate_24S.exe (PID: 4388)
      • nc.exe (PID: 5556)
      • pub11.exe (PID: 5020)
      • 1733825023.exe (PID: 5788)
      • mode.com (PID: 1136)
      • univ.exe (PID: 6084)
      • nine.exe (PID: 3116)
      • 888.exe (PID: 5648)
      • mode.com (PID: 1488)
      • univ.exe (PID: 2828)
      • 109.0.5414.120_chrome_installer.exe (PID: 5952)
      • Discord.exe (PID: 4640)
      • setup.exe (PID: 4380)
      • my.exe (PID: 4480)
      • setup.exe (PID: 4860)
      • yar.exe (PID: 4924)
      • e_win.exe (PID: 4240)
      • f.exe (PID: 2328)
      • install.exe (PID: 3756)
      • yar.exe (PID: 1944)
      • taskhostw.exe (PID: 5816)
      • av_downloader.exe (PID: 5612)
      • update_3.exe (PID: 736)
      • update.exe (PID: 4936)
      • av_downloader.exe (PID: 4576)
      • GameService.exe (PID: 5364)
      • GameService.exe (PID: 5768)
      • GameService.exe (PID: 5700)
      • up2date.exe (PID: 4256)
      • GameService.exe (PID: 4284)
      • GameService.exe (PID: 3904)
      • GameService.exe (PID: 5944)
      • GameService.exe (PID: 5760)
      • GameService.exe (PID: 5960)
      • setup_1715277229.6072824.exe (PID: 4952)
      • GameService.exe (PID: 5712)
      • GameService.exe (PID: 4204)
      • GameService.exe (PID: 4712)
      • GameService.exe (PID: 2984)
      • GameService.exe (PID: 5120)
      • MSBuild.exe (PID: 4248)
      • GameService.exe (PID: 5812)
      • GameService.exe (PID: 4604)
      • GameService.exe (PID: 4488)
      • GameService.exe (PID: 5704)
      • GameService.exe (PID: 2976)
      • GameService.exe (PID: 4996)
      • pojgysef.exe (PID: 4388)
      • work.exe (PID: 5760)
      • udated.exe (PID: 5144)
      • pgsthse.exe (PID: 2328)
      • setup.exe (PID: 5604)
      • setup.exe (PID: 2820)
      • eee01.exe (PID: 4712)
      • GoogleCrashHandler.exe (PID: 4204)
      • GoogleUpdateOnDemand.exe (PID: 2912)
      • GoogleUpdate.exe (PID: 4592)
      • GoogleUpdate.exe (PID: 5420)
      • eee01.exe (PID: 8392)
    • Reads the computer name

      • New Text Document.bin.exe (PID: 3976)
      • New Text Document.exe (PID: 2032)
      • wmpnscfg.exe (PID: 2304)
      • STHealthUp.exe (PID: 308)
      • STHealthClient.exe (PID: 1620)
      • GGWS_UPLOAD.exe (PID: 1844)
      • go.exe (PID: 2368)
      • MyCheckBack.exe (PID: 2240)
      • RegSvcs.exe (PID: 3008)
      • RegSvcs.exe (PID: 824)
      • rtx.exe (PID: 3392)
      • RegSvcs.exe (PID: 3992)
      • RegSvcs.exe (PID: 3432)
      • sharonzx.exe (PID: 2616)
      • RegSvcs.exe (PID: 2368)
      • Bypass3_Pure_Mode.exe (PID: 2484)
      • XClient.exe (PID: 2832)
      • csrss.exe (PID: 1280)
      • SrbijaSetupHokej.tmp (PID: 3184)
      • sharonzx.exe (PID: 4040)
      • SrbijaSetupHokej.tmp (PID: 1072)
      • GoogleUpdate.exe (PID: 1284)
      • GoogleUpdate.exe (PID: 2992)
      • GoogleUpdate.exe (PID: 2696)
      • GoogleUpdate.exe (PID: 580)
      • GoogleUpdate.exe (PID: 2424)
      • GoogleUpdate.exe (PID: 948)
      • GoogleUpdate.exe (PID: 3848)
      • vax.exe (PID: 2320)
      • RegSvcs.exe (PID: 1604)
      • RegSvcs.exe (PID: 3640)
      • gHIvTf22qvmZjum.exe (PID: 368)
      • svchost.exe (PID: 1880)
      • crt.tmp (PID: 4168)
      • crt.tmp (PID: 4880)
      • cdplayer.exe (PID: 5116)
      • katCA8C.tmp (PID: 5684)
      • conhost.exe (PID: 5352)
      • inte.exe (PID: 6028)
      • vpn-1002.exe (PID: 4512)
      • katD46F.tmp (PID: 4552)
      • sysblardsv.exe (PID: 5060)
      • gHIvTf22qvmZjum.exe (PID: 5868)
      • Pirate_24S.exe (PID: 4388)
      • syslmgrsvc.exe (PID: 3268)
      • pub11.exe (PID: 5020)
      • 222.exe (PID: 4984)
      • univ.exe (PID: 6084)
      • 888.exe (PID: 5648)
      • 109.0.5414.120_chrome_installer.exe (PID: 5952)
      • Discord.exe (PID: 4640)
      • setup.exe (PID: 4380)
      • univ.exe (PID: 2828)
      • yar.exe (PID: 4924)
      • my.exe (PID: 4480)
      • e_win.exe (PID: 4240)
      • f.exe (PID: 2328)
      • taskhostw.exe (PID: 5816)
      • yar.exe (PID: 1944)
      • install.exe (PID: 3756)
      • GameService.exe (PID: 5364)
      • GameService.exe (PID: 5768)
      • GameService.exe (PID: 5700)
      • GameService.exe (PID: 3904)
      • GameService.exe (PID: 4284)
      • GameService.exe (PID: 5944)
      • GameService.exe (PID: 5960)
      • GameService.exe (PID: 5760)
      • setup_1715277229.6072824.exe (PID: 4952)
      • GameService.exe (PID: 5712)
      • GameService.exe (PID: 4712)
      • GameService.exe (PID: 2984)
      • GameService.exe (PID: 4204)
      • MSBuild.exe (PID: 4248)
      • GameService.exe (PID: 4604)
      • GameService.exe (PID: 5704)
      • GameService.exe (PID: 5120)
      • GameService.exe (PID: 4488)
      • GameService.exe (PID: 5812)
      • GameService.exe (PID: 2976)
      • GameService.exe (PID: 4996)
      • pojgysef.exe (PID: 4388)
      • work.exe (PID: 5760)
      • setup.exe (PID: 5604)
      • GoogleCrashHandler.exe (PID: 4204)
      • GoogleUpdate.exe (PID: 5420)
      • GoogleUpdate.exe (PID: 4592)
      • cdplayer.exe (PID: 5224)
      • eee01.exe (PID: 4712)
    • Checks proxy server information

      • New Text Document.bin.exe (PID: 3976)
      • netbtugc.exe (PID: 3412)
      • katCA8C.tmp (PID: 5684)
      • inte.exe (PID: 6028)
      • vpn-1002.exe (PID: 4512)
      • sysblardsv.exe (PID: 5060)
      • katD46F.tmp (PID: 4552)
      • syslmgrsvc.exe (PID: 3268)
      • univ.exe (PID: 6084)
      • univ.exe (PID: 2828)
      • certutil.exe (PID: 5092)
      • cdplayer.exe (PID: 5224)
    • Reads the machine GUID from the registry

      • New Text Document.bin.exe (PID: 3976)
      • New Text Document.exe (PID: 2032)
      • STHealthClient.exe (PID: 1620)
      • STHealthUp.exe (PID: 308)
      • GGWS_UPLOAD.exe (PID: 1844)
      • MyCheckBack.exe (PID: 2240)
      • RegSvcs.exe (PID: 3008)
      • RegSvcs.exe (PID: 824)
      • rtx.exe (PID: 3392)
      • RegSvcs.exe (PID: 3992)
      • sharonzx.exe (PID: 2616)
      • RegSvcs.exe (PID: 3432)
      • RegSvcs.exe (PID: 2368)
      • Bypass3_Pure_Mode.exe (PID: 2484)
      • csrss.exe (PID: 1280)
      • XClient.exe (PID: 2832)
      • sharonzx.exe (PID: 4040)
      • GoogleUpdate.exe (PID: 1284)
      • GoogleUpdate.exe (PID: 2992)
      • GoogleUpdate.exe (PID: 948)
      • GoogleUpdate.exe (PID: 2424)
      • GoogleUpdate.exe (PID: 3848)
      • vax.exe (PID: 2320)
      • RegSvcs.exe (PID: 1604)
      • RegSvcs.exe (PID: 3640)
      • gHIvTf22qvmZjum.exe (PID: 368)
      • svchost.exe (PID: 1880)
      • katCA8C.tmp (PID: 5684)
      • inte.exe (PID: 6028)
      • vpn-1002.exe (PID: 4512)
      • gHIvTf22qvmZjum.exe (PID: 5868)
      • sysblardsv.exe (PID: 5060)
      • katD46F.tmp (PID: 4552)
      • syslmgrsvc.exe (PID: 3268)
      • pub11.exe (PID: 5020)
      • univ.exe (PID: 6084)
      • Discord.exe (PID: 4640)
      • my.exe (PID: 4480)
      • yar.exe (PID: 4924)
      • univ.exe (PID: 2828)
      • e_win.exe (PID: 4240)
      • f.exe (PID: 2328)
      • taskhostw.exe (PID: 5816)
      • yar.exe (PID: 1944)
      • MSBuild.exe (PID: 4248)
      • setup.exe (PID: 4380)
      • setup.exe (PID: 5604)
      • GoogleUpdate.exe (PID: 5420)
      • GoogleUpdate.exe (PID: 4592)
      • eee01.exe (PID: 4712)
      • cdplayer.exe (PID: 5224)
    • Manual execution by a user

      • New Text Document.exe (PID: 2032)
      • wmpnscfg.exe (PID: 2304)
    • Reads Environment values

      • New Text Document.exe (PID: 2032)
      • STHealthClient.exe (PID: 1620)
      • RegSvcs.exe (PID: 3008)
      • RegSvcs.exe (PID: 824)
      • RegSvcs.exe (PID: 3992)
      • RegSvcs.exe (PID: 3432)
      • RegSvcs.exe (PID: 2368)
      • XClient.exe (PID: 2832)
      • csrss.exe (PID: 1280)
      • vax.exe (PID: 2320)
      • RegSvcs.exe (PID: 1604)
      • RegSvcs.exe (PID: 3640)
      • svchost.exe (PID: 1880)
      • katCA8C.tmp (PID: 5684)
      • gHIvTf22qvmZjum.exe (PID: 5868)
      • katD46F.tmp (PID: 4552)
      • Discord.exe (PID: 4640)
      • MSBuild.exe (PID: 4248)
    • Disables trace logs

      • New Text Document.exe (PID: 2032)
      • STHealthClient.exe (PID: 1620)
      • RegSvcs.exe (PID: 3008)
      • RegSvcs.exe (PID: 3992)
      • RegSvcs.exe (PID: 2368)
      • csrss.exe (PID: 1280)
      • XClient.exe (PID: 2832)
      • RegSvcs.exe (PID: 1604)
      • svchost.exe (PID: 1880)
      • powershell.exe (PID: 4568)
      • powershell.exe (PID: 5184)
      • gHIvTf22qvmZjum.exe (PID: 5868)
      • Discord.exe (PID: 4640)
      • MSBuild.exe (PID: 4248)
    • Reads the software policy settings

      • New Text Document.exe (PID: 2032)
      • RegSvcs.exe (PID: 824)
      • GoogleUpdate.exe (PID: 2424)
      • GoogleUpdate.exe (PID: 3848)
      • RegSvcs.exe (PID: 1604)
      • RegSvcs.exe (PID: 3640)
      • katCA8C.tmp (PID: 5684)
      • vpn-1002.exe (PID: 4512)
      • katD46F.tmp (PID: 4552)
      • Discord.exe (PID: 4640)
      • MSBuild.exe (PID: 4248)
      • GoogleUpdate.exe (PID: 4592)
    • Reads mouse settings

      • go.exe (PID: 2368)
      • wxijgyp.exe (PID: 2944)
      • zwuivg.exe (PID: 2480)
      • wsiopohwqsd.exe (PID: 1120)
      • tsaplQyj.exe (PID: 1556)
      • QEwecfyhj.exe (PID: 3024)
      • gywervcyuj.exe (PID: 2972)
      • ngown.exe (PID: 1804)
    • Application launched itself

      • msedge.exe (PID: 824)
      • msedge.exe (PID: 736)
      • msedge.exe (PID: 2256)
      • chrome.exe (PID: 5012)
    • Create files in a temporary directory

      • wxijgyp.exe (PID: 2944)
      • New Text Document.exe (PID: 2032)
      • zwuivg.exe (PID: 2480)
      • rtx.exe (PID: 3392)
      • wsiopohwqsd.exe (PID: 1120)
      • QEwecfyhj.exe (PID: 3024)
      • tsaplQyj.exe (PID: 1556)
      • SrbijaSetupHokej.exe (PID: 2940)
      • sharonzx.exe (PID: 2616)
      • SrbijaSetupHokej.exe (PID: 1128)
      • ChromeSetup.exe (PID: 2072)
      • gywervcyuj.exe (PID: 2972)
      • ngown.exe (PID: 1804)
      • netbtugc.exe (PID: 3412)
      • crt.exe (PID: 4160)
      • crt.exe (PID: 4840)
      • crt.tmp (PID: 4880)
      • conhost.exe (PID: 5352)
      • vpn-1002.exe (PID: 4512)
      • sysblardsv.exe (PID: 5060)
      • 222.exe (PID: 4984)
      • Pirate_24S.exe (PID: 4388)
      • syslmgrsvc.exe (PID: 3268)
      • 888.exe (PID: 5648)
      • av_downloader.exe (PID: 5612)
      • av_downloader.exe (PID: 4576)
      • install.exe (PID: 3756)
      • pojgysef.exe (PID: 4388)
      • work.exe (PID: 5760)
    • Creates files in the program directory

      • rtx.exe (PID: 3392)
      • GoogleUpdateSetup.exe (PID: 2304)
      • GoogleUpdate.exe (PID: 2992)
      • GoogleUpdate.exe (PID: 2696)
      • GoogleUpdate.exe (PID: 580)
      • GoogleUpdate.exe (PID: 2424)
      • GoogleUpdate.exe (PID: 948)
      • GoogleUpdate.exe (PID: 3848)
      • cdplayer.exe (PID: 5116)
      • katCA8C.tmp (PID: 5684)
      • katD46F.tmp (PID: 4552)
      • 109.0.5414.120_chrome_installer.exe (PID: 5952)
      • cdplayer.exe (PID: 5224)
      • setup.exe (PID: 4380)
      • setup.exe (PID: 5604)
      • GoogleUpdate.exe (PID: 4592)
    • Creates files or folders in the user directory

      • XClient.exe (PID: 2832)
      • csrss.exe (PID: 1280)
      • sharonzx.exe (PID: 2616)
      • sharonzx.exe (PID: 4040)
      • vax.exe (PID: 2320)
      • netbtugc.exe (PID: 3412)
      • svchost.exe (PID: 1880)
      • crt.tmp (PID: 4880)
      • katCA8C.tmp (PID: 5684)
      • vpn-1002.exe (PID: 4512)
      • inte.exe (PID: 6028)
      • sysblardsv.exe (PID: 5060)
      • katD46F.tmp (PID: 4552)
      • syslmgrsvc.exe (PID: 3268)
      • univ.exe (PID: 6084)
      • univ.exe (PID: 2828)
      • Discord.exe (PID: 4640)
      • yar.exe (PID: 4924)
      • e_win.exe (PID: 4240)
      • certutil.exe (PID: 5092)
      • setup_1715277229.6072824.exe (PID: 4952)
    • Reads security settings of Internet Explorer

      • netbtugc.exe (PID: 3412)
      • regedt32.exe (PID: 4936)
      • regedt32.exe (PID: 5968)
      • certutil.exe (PID: 5092)
      • dllhost.exe (PID: 8184)
    • Drops the executable file immediately after the start

      • netbtugc.exe (PID: 3412)
    • Creates a software uninstall entry

      • crt.tmp (PID: 4880)
    • Reads product name

      • katCA8C.tmp (PID: 5684)
      • katD46F.tmp (PID: 4552)
      • MSBuild.exe (PID: 4248)
    • Reads CPU info

      • katCA8C.tmp (PID: 5684)
      • katD46F.tmp (PID: 4552)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5184)
    • Dropped object may contain TOR URL's

      • New Text Document.exe (PID: 2032)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 5664)
    • Checks transactions between databases Windows and Oracle

      • eee01.exe (PID: 4712)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AgentTesla

(PID) Process: (824) RegSvcs.exe
Protocol: smtp
Host: mail.worlorderbillions.top
Port: 587
Password: vqpF.#;cCodu
(PID) Process: (3640) RegSvcs.exe
Protocol: smtp
Host: mail.worlorderbillions.top
Port: 587
Password: 3^?r?mtxk(kt

Formbook

(PID) Process: (1116) rooma.exe
C2: www.3xfootball.com/fo8o/
Strings (160)
netbtugc.exe
verclsid.exe
chkdsk.exe
mshta.exe
sdiagnhost.exe
taskkill.exe
msdt.exe
winver.exe
rundll32.exe
ReAgentc.exe
Utilman.exe
msiexec.exe
kernel32.dll
advapi32.dll
ws2_32.dll
USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
COMPUTERNAME
ProgramFiles
/c copy "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\Mail\
\Foxmail
\Storage\
\Accounts\Account.rec0
\Data\AccCfg\Accounts.tdat
\Google\Chrome\User Data\Default\Login Data
SeShutdownPrivilege
\BaseNamedObjects
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control:
Origin: http://
Content-Type: application/x-www-form-urlencoded
Accept:
Referer: http://
Accept-Language:
Accept-Encoding:
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
-noexit "& ""
PowerShell.exe
\Opera Software\Opera Stable
kernel32.dll
user32.dll
wininet.dll
rg.ini
Recovery
profiles.ini
guid
Connection: close
pass
token
email
login
signin
account
persistent
GET
GET
PUT
POST
OPTIONS
User-Agent:
API-
MS-W
_301 Moved
_302 Found
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
(PID) Process: (3412) netbtugc.exe
C2: www.3xfootball.com/fo8o/
Strings (160)

XWorm

(PID) Process: (2832) XClient.exe
C2: 45.141.27.41:7000
Keys
AES: <123456789>
Options
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: XWorm V5.4
Mutex: 9ZF9ZsOZGh1T1r1n
(PID) Process: (1280) csrss.exe
C2: 45.141.26.119:1996
Keys
AES: <123456789>
Options
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: XWorm V5.4
Mutex: wHK5NlknpAL3Lk1X
(PID) Process: (1880) svchost.exe
C2: 85.203.4.146:7000
Keys
AES: <123456789>
Options
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: XWorm V5.4
Mutex: eItTbYBfBYihwkyW
(PID) Process: (4640) Discord.exe
C2: https://pastebin.com/raw/Xuc6dzua:<123456789>
Keys
AES: <Xwormmm>
Options
Splitter: 3
Sleep time: XWorm V5.6
USB drop name: USB.exe
Mutex: bEeZ4MhyYSkjMJ8j

AsyncRat

(PID) Process: (2320) vax.exe
C2 (1): 185.196.10.81
Ports (1): 4449
Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Options
AutoRun: false
Mutex: wrteyuiooo
InstallFolder: %AppData%
Certificates
Cert1: MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcN...
Server_Signature: MEd1CD8iTeY7YWWzU44VHmQiwZS0TqUpDmIWlmo0xiZD7K2igThi817GSA28/UBclqmoHVBHFzuue93FAc4ZcQ+RC7CaTRV+xP4PHhapIzCKMPZJgQ8rIFeJ52qZki6XkIMdZaql0Abkf4xbxuBvtAfARl3Hzx63Jf0zc0OexIs=
Keys
AES: 3c5e0e0cefb94aaa704b50bdbf5dd46c7955034f9d83305435430b78f745d551
Salt: VenomRATByVenom
(PID) Process: (4480) my.exe
C2 (1): 127.0.0.1
Ports (1): 8848
Version: 1.0.7
Options
AutoRun: false
Mutex: DcRatMutex_qwqdanchun
InstallFolder: %AppData%
Certificates
Cert1: MIICLTCCAZagAwIBAgIVALkjCXUqNpWpON/3oq3YOq49NK8LMA0GCSqGSIb3DQEBDQUAMGExEjAQBgNVBAMMCU15IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIzMDgwMTEyMDQyN1oXDTM0MDUxMDEyMDQyN1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ...
Server_Signature: be5s8dxLLMy6Li3DursjAj/o3Xw068NUtbdZExXKlm/UTk8VHfvX3W0yBc7qcXqyfVrxQ0L0MBzBLuZgFz86cmleQJkUh2ldYAStNJcXGNa3Rm30LOg+WDqpfRN70uGrxpqpCVftgFy7iS+Z6vIC267l2q6lQ5wx/dWuaQQP7Kg=
Keys
AES: b86153efa26d23c860c6babd692d71879bf261887b5584950d9ec2ce05d7321b
Salt: DcRatByqwqdanchun

Lumma

(PID) Process: (4256) up2date.exe
C2 (8): plaintediousidowsko.shop
acceptabledcooeprs.shop
miniaturefinerninewjs.shop
sweetsquarediaslw.shop
zippyfinickysofwps.shop
boredimperissvieos.shop
holicisticscrarws.shop
obsceneclassyjuwks.shop
(PID) Process: (5144) udated.exe
C2 (8): plaintediousidowsko.shop
acceptabledcooeprs.shop
miniaturefinerninewjs.shop
sweetsquarediaslw.shop
zippyfinickysofwps.shop
boredimperissvieos.shop
holicisticscrarws.shop
obsceneclassyjuwks.shop

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x21d50
UninitializedDataSize: -
InitializedDataSize: 119296
CodeSize: 214528
LinkerVersion: 14.33
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2023:10:03 07:51:19+00:00
MachineType: Intel 386 or later, and compatibles
All screenshots are available in the full report
Total processes: 388
Monitored processes: 264
Malicious processes: 81
Suspicious processes: 14

Behavior graph

start new text document.bin.exe #HAUSBOMBER new text document.exe wmpnscfg.exe no specs sthealthup.exe no specs sthealthclient.exe ggws_upload.exe no specs mycheckback.exe no specs go.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs #REDLINE crypted.exe aaaaaaaa.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs toolspub1.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs wxijgyp.exe no specs regsvcs.exe ntvdm.exe zwuivg.exe no specs #AGENTTESLA regsvcs.exe rtx.exe no specs example.exe backdoor.exe asdf.exe rtx.exe msedge.exe no specs msedge.exe no specs wsiopohwqsd.exe no specs regsvcs.exe #FORMBOOK rooma.exe no specs qewecfyhj.exe no specs regsvcs.exe no specs tsaplqyj.exe no specs #AGENTTESLA regsvcs.exe sharonzx.exe bypass3_pure_mode.exe #XWORM xclient.exe #XWORM csrss.exe #FORMBOOK netbtugc.exe srbijasetuphokej.exe srbijasetuphokej.tmp no specs schtasks.exe no specs #LOKIBOT sharonzx.exe srbijasetuphokej.exe srbijasetuphokej.tmp no specs chromesetup.exe googleupdate.exe no specs googleupdatesetup.exe googleupdate.exe googleupdate.exe no specs googleupdate.exe no specs googleupdate.exe googleupdate.exe no specs googleupdate.exe #ASYNCRAT vax.exe msedge.exe no specs gywervcyuj.exe no specs regsvcs.exe xxxz.exe ngown.exe no specs #AGENTTESLA regsvcs.exe ghivtf22qvmzjum.exe no specs #XWORM svchost.exe crt.exe crt.tmp no specs crt.exe crt.tmp firefox.exe no specs cdplayer.exe #SOCKS5SYSTEMZ cdplayer.exe conhost.exe sdf34ert3etgrthrthfghfghjfgh.exe katca8c.tmp cmd.exe no specs mode.com no specs attrib.exe no specs 
o2i3jroi23joj23ikrjokij3oroi.exe inte.exe vpn-1002.exe no specs vpn-1002.exe katd46f.tmp tdrpload.exe cmd.exe no specs powershell.exe cmd.exe no specs taskkill.exe no specs powershell.exe sysblardsv.exe #AGENTTESLA ghivtf22qvmzjum.exe cmd.exe no specs 472111564.exe 222.exe cmd.exe no specs timeout.exe no specs #PHORPIEX syslmgrsvc.exe pirate_24s.exe no specs pirate_24s.exe wscript.exe no specs cmd.exe reg.exe no specs find.exe no specs takeown.exe no specs nc.exe no specs icacls.exe no specs takeown.exe no specs icacls.exe no specs takeown.exe no specs icacls.exe no specs takeown.exe no specs icacls.exe no specs takeown.exe no specs icacls.exe no specs takeown.exe no specs icacls.exe no specs takeown.exe no specs icacls.exe no specs takeown.exe no specs icacls.exe no specs takeown.exe no specs icacls.exe no specs takeown.exe no specs icacls.exe no specs takeown.exe no specs icacls.exe no specs takeown.exe no specs icacls.exe no specs takeown.exe no specs icacls.exe no specs takeown.exe no specs icacls.exe no specs takeown.exe no specs icacls.exe no specs takeown.exe no specs icacls.exe no specs regedt32.exe no specs regedit.exe no specs control.exe no specs ping.exe no specs pub11.exe no specs cmd.exe no specs mode.com no specs attrib.exe no specs 1733825023.exe no specs regedt32.exe no specs regedit.exe no specs 888.exe #GCLEANER univ.exe nine.exe cmd.exe no specs taskkill.exe no specs cmd.exe no specs mode.com no specs attrib.exe no specs 109.0.5414.120_chrome_installer.exe #GCLEANER univ.exe setup.exe #XWORM discord.exe setup.exe no specs #ASYNCRAT my.exe no specs yar.exe cmd.exe no specs taskkill.exe no specs schtasks.exe no specs schtasks.exe no specs e_win.exe no specs cmd.exe no specs vssadmin.exe no specs f.exe no specs cmd.exe no specs vssadmin.exe no specs install.exe yar.exe no specs taskhostw.exe update_3.exe no specs update_3.exe av_downloader.exe no specs update.exe no specs cmd.exe no specs mshta.exe no specs cmd.exe no specs vssadmin.exe no specs 
update.exe av_downloader.exe cmd.exe cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs attrib.exe no specs gameservice.exe no specs certutil.exe #LUMMA up2date.exe gameservice.exe sc.exe no specs gameservice.exe no specs gameservice.exe gameservice.exe no specs gameservice.exe gameservice.exe no specs cmd.exe no specs sc.exe no specs gameservice.exe no specs setup_1715277229.6072824.exe gameservice.exe sc.exe no specs gameservice.exe no specs certutil.exe no specs gameservice.exe gameservice.exe no specs schtasks.exe no specs #METASTEALER msbuild.exe gameservice.exe gameservice.exe no specs timeout.exe no specs cmd.exe no specs sc.exe no specs gameservice.exe no specs gameservice.exe gameservice.exe no specs gameservice.exe gameservice.exe no specs cmd.exe no specs pojgysef.exe cmd.exe no specs work.exe #LUMMA udated.exe pgsthse.exe no specs setup.exe no specs setup.exe no specs eee01.exe no specs googlecrashhandler.exe no specs googleupdate.exe googleupdateondemand.exe no specs googleupdate.exe no specs chrome.exe no specs chrome.exe no specs CMSTPLUA eee01.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 3976
CMD: "C:\Users\admin\Desktop\New Text Document.bin.exe"
Path: C:\Users\admin\Desktop\New Text Document.bin.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\new text document.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2032
CMD: "C:\Users\admin\Desktop\New Text Document.exe"
Path: C:\Users\admin\Desktop\New Text Document.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description:
Version: 0.0.0.0
Modules
Images
c:\users\admin\desktop\new text document.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2304
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 308
CMD: "C:\Users\admin\Desktop\a\STHealthUp.exe"
Path: C:\Users\admin\Desktop\a\STHealthUp.exe
Parent process: New Text Document.exe
User: admin
Integrity Level: MEDIUM
Description: STHealthUp
Version: 1.0.0.0
Modules
Images
c:\users\admin\desktop\a\sthealthup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1620
CMD: "C:\Users\admin\Desktop\a\STHealthClient.exe"
Path: C:\Users\admin\Desktop\a\STHealthClient.exe
Parent process: New Text Document.exe
User: admin
Integrity Level: MEDIUM
Description: STHealthClient
Version: 1.0.0.0
Modules
Images
c:\users\admin\desktop\a\sthealthclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1844
CMD: "C:\Users\admin\Desktop\a\GGWS_UPLOAD.exe"
Path: C:\Users\admin\Desktop\a\GGWS_UPLOAD.exe
Parent process: New Text Document.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: GGWS_UPLOAD
Version: 1.0.0.0
Modules
Images
c:\users\admin\desktop\a\ggws_upload.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2240
CMD: "C:\Users\admin\Desktop\a\MyCheckBack.exe"
Path: C:\Users\admin\Desktop\a\MyCheckBack.exe
Parent process: New Text Document.exe
User: admin
Integrity Level: MEDIUM
Description: MyCheckBack
Version: 1.0.0.0
Modules
Images
c:\users\admin\desktop\a\mycheckback.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2368
CMD: "C:\Users\admin\Desktop\a\go.exe"
Path: C:\Users\admin\Desktop\a\go.exe
Parent process: New Text Document.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\a\go.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
PID: 2256
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: go.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 4294967295
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 736
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: go.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 188 648
Read events: 184 101
Write events: 4 308
Delete events: 239

Modification events

(PID) Process: (3976) New Text Document.bin.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
(PID) Process: (3976) New Text Document.bin.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
(PID) Process: (3976) New Text Document.bin.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1
(PID) Process: (3976) New Text Document.bin.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
(PID) Process: (3976) New Text Document.bin.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:
(PID) Process: (3976) New Text Document.bin.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
(PID) Process: (3976) New Text Document.bin.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
(PID) Process: (3976) New Text Document.bin.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry
Operation: delete value
Name: AddToFavoritesInitialSelection
Value:
(PID) Process: (3976) New Text Document.bin.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry
Operation: delete value
Name: AddToFeedsInitialSelection
Value:
(PID) Process: (2032) New Text Document.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\New Text Document_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0
Executable files: 393
Suspicious files: 478
Text files: 251
Unknown types: 6

Dropped files

PID
Process
Filename
Type
PID: 824 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
PID: 860 | Process: msedge.exe
PID: 2256 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF115bc9.TMP
PID: 2256 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
PID: 2032 | Process: New Text Document.exe | Filename: C:\Users\admin\Desktop\a\STHealthUp.exe | Type: executable
MD5: E78473BCA17B8E1E7353570719B5AD0C
SHA256: F81DE3B76D2E7F5166C6029CBD9918DCC6C8649BB0D9F869A76E141B3ABCA791
PID: 2032 | Process: New Text Document.exe | Filename: C:\Users\admin\Desktop\a\beacon.exe | Type: executable
MD5: 927EE11071594552182A02D7B0B971FA
SHA256: A82983039FD8A63E3AC15D731AF598519AEDCDFEDAD67C793699F96CF4510ECF
PID: 3976 | Process: New Text Document.bin.exe | Filename: C:\Users\admin\Desktop\Пароли Chrome.csv | Type: csv
MD5: 64F50AFB35DD16EE46F187015CEE84CE
SHA256: C2D389870DE77426A31A8C478E0FDDCBBEA7A3733B453806317914E6F946EA91
PID: 2256 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF115bf8.TMP
PID: 2032 | Process: New Text Document.exe | Filename: C:\Users\admin\Desktop\a\GGWS_UPLOAD.exe | Type: executable
MD5: CBAA1A61C93704F1540E48A8DD9BAC14
SHA256: 44C5191F1061CC9340498B5841AC6B3E2488CA5B5E5E8A812687BBF864125A61
PID: 2032 | Process: New Text Document.exe | Filename: C:\Users\admin\Desktop\a\MyCheckBack.exe | Type: executable
MD5: 58D9DA67F31BE50170DADD4FF9A837AD
SHA256: AB644D098073465A00E4CF0A550E9D9EAB99AB84D0876FA490A7CF79B46384E0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 902
TCP/UDP connections: 7 793
DNS requests: 2 015
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1620
STHealthClient.exe
GET
200
47.104.173.216:8081
http://47.104.173.216:8081/server.txt
unknown
unknown
2032
New Text Document.exe
GET
200
47.104.173.216:8081
http://47.104.173.216:8081/STHealthClient.exe
unknown
unknown
2032
New Text Document.exe
GET
200
47.104.173.216:8081
http://47.104.173.216:8081/MyCheckBack.exe
unknown
unknown
2032
New Text Document.exe
GET
200
147.45.47.102:57893
http://147.45.47.102:57893/cost/go.exe
unknown
unknown
2032
New Text Document.exe
GET
200
114.132.120.166:8080
http://114.132.120.166:8080/beacon.exe
unknown
unknown
1620
STHealthClient.exe
GET
200
47.104.173.216:8081
http://47.104.173.216:8081/STHealthUpdate.exe
unknown
unknown
2032
New Text Document.exe
GET
200
5.42.66.47:80
http://5.42.66.47/files/time2time.exe
unknown
unknown
2032
New Text Document.exe
GET
200
47.104.173.216:8081
http://47.104.173.216:8081/GGWS_UPLOAD.exe
unknown
unknown
2032
New Text Document.exe
GET
200
158.160.165.129:80
http://okkolus.com/downloads/toolspub1.exe
unknown
unknown
2032
New Text Document.exe
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9f2c84c6e21cb662
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown
2032
New Text Document.exe
151.101.130.49:443
urlhaus.abuse.ch
FASTLY
US
unknown
2032
New Text Document.exe
141.8.192.6:80
a0984086.xsph.ru
Sprinthost.ru LLC
RU
unknown
2032
New Text Document.exe
47.104.173.216:8081
Hangzhou Alibaba Advertising Co.,Ltd.
CN
unknown
1620
STHealthClient.exe
47.104.173.216:8081
Hangzhou Alibaba Advertising Co.,Ltd.
CN
unknown
2032
New Text Document.exe
114.132.120.166:8080
Shenzhen Tencent Computer Systems Company Limited
CN
unknown
2032
New Text Document.exe
147.45.47.102:57893
OOO FREEnet Group
RU
unknown

DNS requests

Domain
IP
Reputation
urlhaus.abuse.ch
  • 151.101.130.49
  • 151.101.194.49
  • 151.101.2.49
  • 151.101.66.49
whitelisted
a0984086.xsph.ru
  • 141.8.192.6
unknown
transfer.adttemp.com.br
  • 104.196.109.209
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
www.youtube.com
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
accounts.google.com
  • 108.177.15.84
shared
www.facebook.com
  • 157.240.0.35
whitelisted
consent.youtube.com
  • 142.250.185.142
whitelisted
www.bing.com
  • 184.86.251.27
  • 184.86.251.22
whitelisted

Threats

PID
Process
Class
Message
1088
svchost.exe
Misc activity
ET INFO Observed DNS Query to xsph .ru Domain
2032
New Text Document.exe
A Network Trojan was detected
ET MALWARE Single char EXE direct download likely trojan (multiple families)
2032
New Text Document.exe
Potentially Bad Traffic
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
2032
New Text Document.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2032
New Text Document.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
138 ETPRO signatures available at the full report