Malware analysis https://kelpmetorealiuk.com/am9jQkZVDBB/JwYtJRYoDjsCCgRePTV3KQkBWgcTWDUZJi07SQIgMldfRTAjDlJSZDUHUlJ0YAFSEzc1HgcCKScGDhojY1hfAjcyAgARZ3RaDQwtLU9dUy4nBAgWIyEPSlFyNQMBCyMqC0pRcigFGQYuY1hfBS00Bw4XZ3RaCww1KAYAAiZjWF8FKyoPSlFyNQMVBmd0Wh0GIyJPXVMtKAYGDSdjWF8LKzICGhQjLQEOEStjWF8JIz8LBAwmP09dUzEjBAoVKzQLGwssJ0wZXnNoWVtNcXBEW0UxMhlSU2Q2GAFecmAPAgF/dkwbCiZ7W19Td3NfW0UwPhNSUnB+WjBbcnZMBg0he1tbRTd7R11FIyEPDF5zcVtZUnp1X1hQZCAZUlJkNA8JXioyHh8QZ3UrSlEEY1gpEyYgGhoQNi4LBAIuJxMOTSEpB0pRBC4DGws3MQsECCM0A0IJIz8LBAwmP0ccBiwjHAYRIzICAQJndCxJDDE0Vx8HJDYfHBcqJwEODyM/C0EALStMBRA2e1pJBiw0V19FLiUfDl4vKRAGDy4nT10ld2haSlFybh0GDSYpHRxGcHYEG0ZwdltfTXJjWS1GcHYdBg10ck9cIWd0WhdVdm9PXVMjNhoDBjUjCAQKNmNYKVZxcURcVWd0WkcIKjIHA0ZwBU9dUy4vAQpGcHYNCgApKUNKUXIlAh0MLyNPXSVzdF1BU2x2RF9GcHYZDgUjNANKUQRzWVhNcXBMGxkme19BVmQzBgAAf2ADCV5yYAkbXnVgCRsAf3JMMFYhNlhSUnV0WV9Se3RdWFN3fkwaFzB3V19TeHZaVVNxYB8bEXB7WFtFNzIYXF5yYB8bEXZ7WkkWNjRfUlNkMx4dVX92TBoXMHFXW1BkMAsDCiZ7Ww== Malicious activity

Add for printing

URL:	https://kelpmetorealiuk.com/am9jQkZVDBB/JwYtJRYoDjsCCgRePTV3KQkBWgcTWDUZJi07SQIgMldfRTAjDlJSZDUHUlJ0YAFSEzc1HgcCKScGDhojY1hfAjcyAgARZ3RaDQwtLU9dUy4nBAgWIyEPSlFyNQMBCyMqC0pRcigFGQYuY1hfBS00Bw4XZ3RaCww1KAYAAiZjWF8FKyoPSlFyNQMVBmd0Wh0GIyJPXVMtKAYGDSdjWF8LKzICGhQjLQEOEStjWF8JIz8LBAwmP09dUzEjBAoVKzQLGwssJ0wZXnNoWVtNcXBEW0UxMhlSU2Q2GAFecmAPAgF/dkwbCiZ7W19Td3NfW0UwPhNSUnB+WjBbcnZMBg0he1tbRTd7R11FIyEPDF5zcVtZUnp1X1hQZCAZUlJkNA8JXioyHh8QZ3UrSlEEY1gpEyYgGhoQNi4LBAIuJxMOTSEpB0pRBC4DGws3MQsECCM0A0IJIz8LBAwmP0ccBiwjHAYRIzICAQJndCxJDDE0Vx8HJDYfHBcqJwEODyM/C0EALStMBRA2e1pJBiw0V19FLiUfDl4vKRAGDy4nT10ld2haSlFybh0GDSYpHRxGcHYEG0ZwdltfTXJjWS1GcHYdBg10ck9cIWd0WhdVdm9PXVMjNhoDBjUjCAQKNmNYKVZxcURcVWd0WkcIKjIHA0ZwBU9dUy4vAQpGcHYNCgApKUNKUXIlAh0MLyNPXSVzdF1BU2x2RF9GcHYZDgUjNANKUQRzWVhNcXBMGxkme19BVmQzBgAAf2ADCV5yYAkbXnVgCRsAf3JMMFYhNlhSUnV0WV9Se3RdWFN3fkwaFzB3V19TeHZaVVNxYB8bEXB7WFtFNzIYXF5yYB8bEXZ7WkkWNjRfUlNkMx4dVX92TBoXMHFXW1BkMAsDCiZ7Ww==
Full analysis:	https://app.any.run/tasks/c66a93f3-2016-4705-899c-d2562d188d99
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	August 22, 2024, 14:40:51
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion privateloader stealer loader stealc risepro redline metastealer themida lumma telegram goinjector alfac2 vidar miner netreactor
Indicators:
MD5:	97BC0459FC24D611868B371748AB774B
SHA1:	FB8644E5BC12CF2F5C25FFA710AD846226FC5BC6
SHA256:	B93F0B9CD8FF8336FA2B4A650D30E5B27788E2929A312A0F881B827CFA6E8FC8
SSDEEP:	24:2cVGLHsa9W2eWpUQDQEqMUtg+fUr8eSt7/+3q4rnpWfOIAM:hGzsT2eW/8u8rRU3qMnGOY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Antivirus name has been found in the command line (generic signature)
  - findstr.exe (PID: 2876)
  - findstr.exe (PID: 1164)
- Connects to the CnC server
  - Cakes.pif (PID: 2252)
  - RegAsm.exe (PID: 5044)
  - RegAsm.exe (PID: 8024)
  - Kshs9aBa54K7gtVI1PtDHOPc.exe (PID: 7348)
  - RegAsm.exe (PID: 7064)
  - svchost.exe (PID: 2256)
- PRIVATELOADER has been detected (SURICATA)
  - Cakes.pif (PID: 2252)
- PRIVATELOADER has been detected (YARA)
  - Cakes.pif (PID: 2252)
- Actions looks like stealing of personal data
  - Cakes.pif (PID: 2252)
  - RegAsm.exe (PID: 5044)
  - o043LIXme6sSA8i4clQKW2KX.exe (PID: 2080)
- Stealers network behavior
  - RegAsm.exe (PID: 5044)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 5532)
  - RegAsm.exe (PID: 8024)
  - o043LIXme6sSA8i4clQKW2KX.exe (PID: 2080)
  - BitLockerToGo.exe (PID: 6744)
  - Kshs9aBa54K7gtVI1PtDHOPc.exe (PID: 7348)
- STEALC has been detected (SURICATA)
  - RegAsm.exe (PID: 5044)
  - Kshs9aBa54K7gtVI1PtDHOPc.exe (PID: 7348)
  - RegAsm.exe (PID: 7064)
- Changes the autorun value in the registry
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 5532)
- Create files in the Startup directory
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 5532)
- Uses Task Scheduler to run other applications
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 5532)
- Uses Task Scheduler to autorun other applications
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 5532)
- RISEPRO has been detected (SURICATA)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 5532)
- Steals credentials from Web Browsers
  - o043LIXme6sSA8i4clQKW2KX.exe (PID: 2080)
- STEALC has been detected (YARA)
  - Kshs9aBa54K7gtVI1PtDHOPc.exe (PID: 7348)
- METASTEALER has been detected (SURICATA)
  - RegAsm.exe (PID: 8024)
  - o043LIXme6sSA8i4clQKW2KX.exe (PID: 2080)
- ALFAC2 has been detected (YARA)
  - 2QyRq_UtqxsQHIAbniMFX4TD.exe (PID: 6516)
- GOINJECTOR has been detected (YARA)
  - 2QyRq_UtqxsQHIAbniMFX4TD.exe (PID: 6516)
- VIDAR has been detected (YARA)
  - RegAsm.exe (PID: 7816)
- LUMMA has been detected (YARA)
  - RegAsm.exe (PID: 7816)
  - 2QyRq_UtqxsQHIAbniMFX4TD.exe (PID: 6516)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 5532)
  - GIIJEBAECG.exe (PID: 7000)
  - svchost.exe (PID: 5112)
- REDLINE has been detected (SURICATA)
  - RegAsm.exe (PID: 8024)
- MINER has been detected (SURICATA)
  - svchost.exe (PID: 2256)
- LUMMA has been detected (SURICATA)
  - svchost.exe (PID: 2256)
  - BitLockerToGo.exe (PID: 6744)
SUSPICIOUS
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 7264)
  - RegAsm.exe (PID: 5044)
  - Kshs9aBa54K7gtVI1PtDHOPc.exe (PID: 7348)
- The process creates files with name similar to system file names
  - WinRAR.exe (PID: 7264)
- Reads security settings of Internet Explorer
  - AppFile.exe (PID: 7612)
  - Cakes.pif (PID: 2252)
  - RegAsm.exe (PID: 5044)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 4040)
- Reads the date of Windows installation
  - AppFile.exe (PID: 7612)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 4040)
- Starts CMD.EXE for commands execution
  - AppFile.exe (PID: 7612)
  - cmd.exe (PID: 5732)
  - RegAsm.exe (PID: 5044)
- Get information on the list of running processes
  - cmd.exe (PID: 5732)
- Executing commands from ".cmd" file
  - AppFile.exe (PID: 7612)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 5732)
- Application launched itself
  - cmd.exe (PID: 5732)
  - 2D1PRcgYWMLuCPVeieSk_BRu.exe (PID: 5084)
  - o043LIXme6sSA8i4clQKW2KX.exe (PID: 3144)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 2904)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 2900)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 4040)
- Starts application with an unusual extension
  - cmd.exe (PID: 5732)
- Executable content was dropped or overwritten
  - cmd.exe (PID: 5732)
  - Cakes.pif (PID: 2252)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 5532)
  - RegAsm.exe (PID: 5044)
  - 67XUzHM41G00PylAmzWoIqFr.exe (PID: 7100)
  - etzpikspwykg.exe (PID: 7876)
  - RegAsm.exe (PID: 7064)
  - Kshs9aBa54K7gtVI1PtDHOPc.exe (PID: 7348)
- The executable file from the user directory is run by the CMD process
  - Cakes.pif (PID: 2384)
- Drops a file with a rarely used extension (PIF)
  - cmd.exe (PID: 5732)
- Drops the executable file immediately after the start
  - cmd.exe (PID: 5732)
  - Cakes.pif (PID: 2252)
  - RegAsm.exe (PID: 5044)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 5532)
  - RegAsm.exe (PID: 7064)
  - etzpikspwykg.exe (PID: 7876)
  - 67XUzHM41G00PylAmzWoIqFr.exe (PID: 7100)
  - Kshs9aBa54K7gtVI1PtDHOPc.exe (PID: 7348)
- Checks for external IP
  - Cakes.pif (PID: 2252)
  - svchost.exe (PID: 2256)
- Connects to the server without a host name
  - Cakes.pif (PID: 2252)
  - RegAsm.exe (PID: 5044)
- Checks Windows Trust Settings
  - Cakes.pif (PID: 2252)
- Process requests binary or script from the Internet
  - Cakes.pif (PID: 2252)
  - RegAsm.exe (PID: 5044)
- Potential Corporate Privacy Violation
  - Cakes.pif (PID: 2252)
  - RegAsm.exe (PID: 5044)
  - svchost.exe (PID: 2256)
  - Kshs9aBa54K7gtVI1PtDHOPc.exe (PID: 7348)
  - RegAsm.exe (PID: 7064)
- Reads the BIOS version
  - Kshs9aBa54K7gtVI1PtDHOPc.exe (PID: 7348)
- Windows Defender mutex has been found
  - RegAsm.exe (PID: 5044)
- Searches for installed software
  - RegAsm.exe (PID: 5044)
  - o043LIXme6sSA8i4clQKW2KX.exe (PID: 2080)
- Contacting a server suspected of hosting an CnC
  - RegAsm.exe (PID: 5044)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 5532)
  - Kshs9aBa54K7gtVI1PtDHOPc.exe (PID: 7348)
  - o043LIXme6sSA8i4clQKW2KX.exe (PID: 2080)
  - svchost.exe (PID: 2256)
  - BitLockerToGo.exe (PID: 6744)
  - RegAsm.exe (PID: 7064)
- Connects to unusual port
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 5532)
  - RegAsm.exe (PID: 8024)
  - o043LIXme6sSA8i4clQKW2KX.exe (PID: 2080)
- The process drops Mozilla's DLL files
  - RegAsm.exe (PID: 5044)
  - Kshs9aBa54K7gtVI1PtDHOPc.exe (PID: 7348)
- The process drops C-runtime libraries
  - RegAsm.exe (PID: 5044)
  - Kshs9aBa54K7gtVI1PtDHOPc.exe (PID: 7348)
- There is functionality for communication over UDP network (YARA)
  - 2QyRq_UtqxsQHIAbniMFX4TD.exe (PID: 6516)
- Uses powercfg.exe to modify the power settings
  - 67XUzHM41G00PylAmzWoIqFr.exe (PID: 7100)
  - etzpikspwykg.exe (PID: 7876)
- Uses REG/REGEDIT.EXE to modify registry
  - 67XUzHM41G00PylAmzWoIqFr.exe (PID: 7100)
  - etzpikspwykg.exe (PID: 7876)
- Starts itself from another location
  - 67XUzHM41G00PylAmzWoIqFr.exe (PID: 7100)
- Drops a system driver (possible attempt to evade defenses)
  - etzpikspwykg.exe (PID: 7876)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - RegAsm.exe (PID: 7064)
- Crypto Currency Mining Activity Detected
  - svchost.exe (PID: 2256)
INFO
- Manual execution by a user
  - WinRAR.exe (PID: 7944)
  - WinRAR.exe (PID: 7264)
  - AppFile.exe (PID: 7612)
  - Cakes.pif (PID: 2252)
- Reads Environment values
  - identity_helper.exe (PID: 6280)
  - RegAsm.exe (PID: 5044)
  - o043LIXme6sSA8i4clQKW2KX.exe (PID: 2080)
- Checks supported languages
  - identity_helper.exe (PID: 6280)
  - AppFile.exe (PID: 7612)
  - Cakes.pif (PID: 2384)
  - Cakes.pif (PID: 2252)
  - 2QyRq_UtqxsQHIAbniMFX4TD.exe (PID: 6516)
  - Kshs9aBa54K7gtVI1PtDHOPc.exe (PID: 7348)
  - 67XUzHM41G00PylAmzWoIqFr.exe (PID: 7100)
  - o043LIXme6sSA8i4clQKW2KX.exe (PID: 3144)
  - 4lCwVLg_0DljKtIDDCoTRErf.exe (PID: 8164)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 2904)
  - z_MpLT7RMuIocLiyaupw9LzI.exe (PID: 1568)
  - 2D1PRcgYWMLuCPVeieSk_BRu.exe (PID: 5084)
  - gwSSLSZ0xU50QibcGdrKQbRP.exe (PID: 8040)
  - RegAsm.exe (PID: 7816)
  - RegAsm.exe (PID: 8024)
  - RegAsm.exe (PID: 5044)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 4040)
  - o043LIXme6sSA8i4clQKW2KX.exe (PID: 2080)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 5532)
  - RngpcfTysUQpdU7wR2fIptN2.exe (PID: 1292)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 2900)
  - MSBuild.exe (PID: 1948)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7264)
- The process uses the downloaded file
  - WinRAR.exe (PID: 7944)
  - msedge.exe (PID: 6564)
  - msedge.exe (PID: 6188)
- Reads the computer name
  - identity_helper.exe (PID: 6280)
  - AppFile.exe (PID: 7612)
  - Cakes.pif (PID: 2252)
  - Cakes.pif (PID: 2384)
  - 2QyRq_UtqxsQHIAbniMFX4TD.exe (PID: 6516)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 2904)
  - 4lCwVLg_0DljKtIDDCoTRErf.exe (PID: 8164)
  - o043LIXme6sSA8i4clQKW2KX.exe (PID: 3144)
  - 2D1PRcgYWMLuCPVeieSk_BRu.exe (PID: 5084)
  - z_MpLT7RMuIocLiyaupw9LzI.exe (PID: 1568)
  - RegAsm.exe (PID: 8024)
  - gwSSLSZ0xU50QibcGdrKQbRP.exe (PID: 8040)
  - RegAsm.exe (PID: 5044)
  - Kshs9aBa54K7gtVI1PtDHOPc.exe (PID: 7348)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 4040)
  - o043LIXme6sSA8i4clQKW2KX.exe (PID: 2080)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 2900)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 5532)
  - RngpcfTysUQpdU7wR2fIptN2.exe (PID: 1292)
  - MSBuild.exe (PID: 1948)
- Create files in a temporary directory
  - AppFile.exe (PID: 7612)
  - RegAsm.exe (PID: 7816)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 5532)
- Process checks computer location settings
  - AppFile.exe (PID: 7612)
  - Cakes.pif (PID: 2252)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 4040)
- Reads Microsoft Office registry keys
  - msedge.exe (PID: 6564)
- Application launched itself
  - msedge.exe (PID: 6564)
- Reads mouse settings
  - Cakes.pif (PID: 2384)
- Reads the software policy settings
  - Cakes.pif (PID: 2252)
  - o043LIXme6sSA8i4clQKW2KX.exe (PID: 2080)
- Reads the machine GUID from the registry
  - Cakes.pif (PID: 2252)
  - o043LIXme6sSA8i4clQKW2KX.exe (PID: 3144)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 2904)
  - 2D1PRcgYWMLuCPVeieSk_BRu.exe (PID: 5084)
  - o043LIXme6sSA8i4clQKW2KX.exe (PID: 2080)
  - RegAsm.exe (PID: 8024)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 2900)
  - RngpcfTysUQpdU7wR2fIptN2.exe (PID: 1292)
- Checks proxy server information
  - Cakes.pif (PID: 2252)
  - RegAsm.exe (PID: 5044)
- Creates files or folders in the user directory
  - Cakes.pif (PID: 2252)
  - RegAsm.exe (PID: 5044)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 5532)
  - RegAsm.exe (PID: 8024)
- Reads product name
  - RegAsm.exe (PID: 5044)
- Reads CPU info
  - RegAsm.exe (PID: 5044)
- Creates files in the program directory
  - RegAsm.exe (PID: 5044)
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 5532)
- Themida protector has been detected
  - Kshs9aBa54K7gtVI1PtDHOPc.exe (PID: 7348)
- .NET Reactor protector has been detected
  - jpsiDihqLPCLuQfJHTzRQmu7.exe (PID: 5532)
- Attempting to use instant messaging service
  - RegAsm.exe (PID: 7064)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Lumma

(PID) Process(6516) 2QyRq_UtqxsQHIAbniMFX4TD.exe

C2 (9)deicedosmzj.shop

southedhiscuso.shop

cagedwifedsozm.shop

consciousourwi.shop

interactiedovspm.shop

torubleeodsmzo.shop

charecteristicdxp.shop

potentioallykeos.shop

weiggheticulop.shop

(PID) Process(7000) GIIJEBAECG.exe

C2 (8)deicedosmzj.shop

southedhiscuso.shop

cagedwifedsozm.shop

consciousourwi.shop

interactiedovspm.shop

charecteristicdxp.shop

potentioallykeos.shop

weiggheticulop.shop

Vidar

(PID) Process(7816) RegAsm.exe

C2https://t.me/jamelwt

URLhttps://steamcommunity.com/profiles/76561199761128941

Strings (239)INSERT_KEY_HERE

lstrcpyA

GetEnvironmentVariableA

GdipSaveImageToStream

History

runas

ssfn*

GetProcAddress

lstrcatA

OpenEventA

CloseHandle

Sleep

GetUserDefaultLangID

VirtualAllocExNuma

VirtualFree

GetSystemInfo

HeapAlloc

GetComputerNameA

GetProcessHeap

GetCurrentProcess

lstrlenA

ExitProcess

GlobalMemoryStatusEx

GetSystemTime

SystemTimeToFileTime

gdi32.dll

user32.dll

crypt32.dll

ntdll.dll

CreateDCA

GetDeviceCaps

ReleaseDC

CryptStringToBinaryA

sscanf

NtQueryInformationProcess

HAL9TH

JohnDoe

DISPLAY

%hu/%hu/%hu

GetFileAttributesA

GlobalLock

GlobalSize

CreateToolhelp32Snapshot

IsWow64Process

Process32Next

GetLocalTime

GetTimeZoneInformation

GetSystemPowerStatus

GetVolumeInformationA

Process32First

GetLocaleInfoA

GetUserDefaultLocaleName

GetModuleFileNameA

FindNextFileA

SetEnvironmentVariableA

LocalAlloc

GetFileSizeEx

SetFilePointer

FindFirstFileA

VirtualProtect

GetLogicalProcessorInformationEx

GetLastError

MultiByteToWideChar

GlobalFree

WideCharToMultiByte

TerminateProcess

GetCurrentProcessId

rstrtmgr.dll

CreateCompatibleBitmap

SelectObject

BitBlt

DeleteObject

CreateCompatibleDC

GdipGetImageEncodersSize

GdipGetImageEncoders

GdipCreateBitmapFromHBITMA

GdiplusStartup

GdiplusShutdown

GdipDisposeImage

GetHGlobalFromStream

CreateStreamOnHGlobal

CoUninitialize

CoInitialize

CoCreateInstance

BCryptGenerateSymmetricKey

BCryptCloseAlgorithmProvider

BCryptDecrypt

BCryptSetProperty

BCryptDestroyKey

BCryptOpenAlgorithmProvider

GetWindowRect

GetDesktopWindow

GetDC

EnumDisplayDevicesA

GetKeyboardLayoutList

CharToOemW

RegQueryValueExA

RegEnumKeyExA

RegOpenKeyExA

RegEnumValueA

CryptBinaryToStringA

CryptUnprotectData

SHGetFolderPathA

InternetOpenUrlA

InternetConnectA

InternetCloseHandle

InternetOpenA

HttpSendRequestA

HttpOpenRequestA

InternetReadFile

InternetCrackUrlA

StrStrA

PathMatchSpecA

GetModuleFileNameExA

RmStartSession

RmRegisterResources

RmEndSession

sqlite3_open

sqlite3_prepare_v2

sqlite3_step

sqlite3_column_text

sqlite3_finalize

sqlite3_close

sqlite3_column_bytes

sqlite3_column_blob

encrypted_key

PATH

C:\ProgramData\nss3.dll

NSS_Shutdown

PK11_GetInternalKeySlot

PK11_FreeSlot

PK11_Authenticate

PK11SDR_Decrypt

C:\ProgramData\

SELECT origin_url, username_value, password_value FROM logins

Soft:

Host:

Password:

Opera

OperaGX

Network

.txt

TRUE

FALSE

SELECT name, value FROM autofill

History

SELECT url FROM urls LIMIT 1000

SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards

Name:

Month:

Year:

Card:

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

guid

SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies

SELECT fieldname, value FROM moz_formhistory

SELECT url FROM moz_places LIMIT 1000

cookies.sqlite

formhistory.sqlite

places.sqlite

Plugins

Local Extension Settings

Sync Extension Settings

Opera Stable

Opera GX Stable

CURRENT

chrome-extension_

_0.indexeddb.leveldb

profiles.ini

chrome

opera

firefox

Wallets

%08lX%04lX%lu

SOFTWARE\Microsoft\Windows NT\CurrentVersion

x64

%d/%d/%d %d:%d:%d

HARDWARE\DESCRIPTION\System\CentralProcessor\0

ProcessorNameString

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

DisplayVersion

msvcp140.dll

softokn3.dll

vcruntime140.dll

\Temp\

.exe

open

%LOCALAPPDATA%

%USERPROFILE%

%PROGRAMFILES%

%PROGRAMFILES_86%

*.lnk

Files

\Local Storage\leveldb\CURRENT

\Local Storage\leveldb

\Telegram Desktop\

D877F783D5D3EF8C*

map*

A7FDF864FBC10B77*

A92DAA6EA6F891F2*

F8806DD0C461824F*

Tox

*.tox

*.ini

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375

Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\

\Outlook\accounts.txt

Pidgin

accounts.xml

token:

Software\Valve\Steam

config.vdf

DialogConfig.vdf

DialogConfigOverlay*.vdf

libraryfolders.vdf

loginusers.vdf

\Steam\

\Discord\tokens.txt

/c timeout /t 5 & del /f /q "

" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\system32\cmd.exe

Content-Type: multipart/form-data; boundary=----

Content-Disposition: form-data; name="

build

token

message

ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890

screenshot.jpg

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

295

Monitored processes

157

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

208

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4104 --field-trial-handle=2360,i,4764247487226501945,2188056700144361192,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

420

"C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\GIIJEBAECG.exe"

C:\Windows\SysWOW64\cmd.exe

—

RegAsm.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll

508

"C:\Users\admin\Documents\piratemamm\2D1PRcgYWMLuCPVeieSk_BRu.exe"

C:\Users\admin\Documents\piratemamm\2D1PRcgYWMLuCPVeieSk_BRu.exe

—

2D1PRcgYWMLuCPVeieSk_BRu.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

4294967295

Modules

Images
c:\users\admin\documents\piratemamm\2d1prcgywmlucpveiesk_bru.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

736

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7484 --field-trial-handle=2360,i,4764247487226501945,2188056700144361192,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

780

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=8140 --field-trial-handle=2360,i,4764247487226501945,2188056700144361192,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

812

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=8664 --field-trial-handle=2360,i,4764247487226501945,2188056700144361192,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

892

C:\WINDOWS\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

—

etzpikspwykg.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Power Settings Command-Line Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

940

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

schtasks.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1048

"C:\Users\admin\Documents\piratemamm\2D1PRcgYWMLuCPVeieSk_BRu.exe"

C:\Users\admin\Documents\piratemamm\2D1PRcgYWMLuCPVeieSk_BRu.exe

—

2D1PRcgYWMLuCPVeieSk_BRu.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

4294967295

Modules

Images
c:\users\admin\documents\piratemamm\2d1prcgywmlucpveiesk_bru.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

1060

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5896 --field-trial-handle=2360,i,4764247487226501945,2188056700144361192,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

42 114

Read events

41 612

Write events

363

Delete events

139

Modification events


(PID) Process:	(6564) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(6564) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(6564) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation:	write	Name:	StatusCodes
Value:
(PID) Process:	(6564) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation:	write	Name:	StatusCodes
Value: 01000000
(PID) Process:	(6564) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(6564) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	dr
Value: 1
(PID) Process:	(6564) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(6564) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge
Operation:	write	Name:	UsageStatsInSample
Value: 1
(PID) Process:	(6564) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	usagestats
Value: 0
(PID) Process:	(6564) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	urlstats
Value: 0

Add for printing

Executable files

Suspicious files

538

Text files

233

Unknown types

Dropped files

PID	Process	Filename		Type
6564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF11dabd.TMP		—
		MD5:—	SHA256:—
6564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF11dabd.TMP		—
		MD5:—	SHA256:—
6564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
6564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
6564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF11dabd.TMP		—
		MD5:—	SHA256:—
6564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
6564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF11daad.TMP		—
		MD5:—	SHA256:—
6564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
6564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF11db0b.TMP		—
		MD5:—	SHA256:—
6564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

115

TCP/UDP connections

168

DNS requests

162

Threats

123

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2340	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7520	svchost.exe	HEAD	200	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/47f9eec4-45e7-4567-b813-2cac77a54a3d?P1=1724898796&P2=404&P3=2&P4=XnajDrNgxI%2f3u4qqJVLpKuaI38w42eCW9Jx3g4qVhxNvl0qhV8y44%2fQXlqN2mi1LAQT6sy4B6jFOU3O8js4dOw%3d%3d	unknown	—	—	whitelisted
5284	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7520	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/47f9eec4-45e7-4567-b813-2cac77a54a3d?P1=1724898796&P2=404&P3=2&P4=XnajDrNgxI%2f3u4qqJVLpKuaI38w42eCW9Jx3g4qVhxNvl0qhV8y44%2fQXlqN2mi1LAQT6sy4B6jFOU3O8js4dOw%3d%3d	unknown	—	—	whitelisted
7520	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/47f9eec4-45e7-4567-b813-2cac77a54a3d?P1=1724898796&P2=404&P3=2&P4=XnajDrNgxI%2f3u4qqJVLpKuaI38w42eCW9Jx3g4qVhxNvl0qhV8y44%2fQXlqN2mi1LAQT6sy4B6jFOU3O8js4dOw%3d%3d	unknown	—	—	whitelisted
7448	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
7520	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/47f9eec4-45e7-4567-b813-2cac77a54a3d?P1=1724898796&P2=404&P3=2&P4=XnajDrNgxI%2f3u4qqJVLpKuaI38w42eCW9Jx3g4qVhxNvl0qhV8y44%2fQXlqN2mi1LAQT6sy4B6jFOU3O8js4dOw%3d%3d	unknown	—	—	whitelisted
7520	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/47f9eec4-45e7-4567-b813-2cac77a54a3d?P1=1724898796&P2=404&P3=2&P4=XnajDrNgxI%2f3u4qqJVLpKuaI38w42eCW9Jx3g4qVhxNvl0qhV8y44%2fQXlqN2mi1LAQT6sy4B6jFOU3O8js4dOw%3d%3d	unknown	—	—	whitelisted
7520	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/47f9eec4-45e7-4567-b813-2cac77a54a3d?P1=1724898796&P2=404&P3=2&P4=XnajDrNgxI%2f3u4qqJVLpKuaI38w42eCW9Jx3g4qVhxNvl0qhV8y44%2fQXlqN2mi1LAQT6sy4B6jFOU3O8js4dOw%3d%3d	unknown	—	—	whitelisted
7520	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/47f9eec4-45e7-4567-b813-2cac77a54a3d?P1=1724898796&P2=404&P3=2&P4=XnajDrNgxI%2f3u4qqJVLpKuaI38w42eCW9Jx3g4qVhxNvl0qhV8y44%2fQXlqN2mi1LAQT6sy4B6jFOU3O8js4dOw%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2876	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2212	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6564	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted
6884	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6884	msedge.exe	204.79.197.239:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
6884	msedge.exe	13.107.246.67:443	edge-mobile-static.azureedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
6884	msedge.exe	18.245.60.45:443	kelpmetorealiuk.com	—	US	unknown
6884	msedge.exe	13.107.6.158:443	business.bing.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59 20.73.194.208	whitelisted
google.com	142.250.186.78	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
edge-mobile-static.azureedge.net	13.107.246.67	whitelisted
kelpmetorealiuk.com	18.245.60.45 18.245.60.104 18.245.60.23 18.245.60.47	unknown
business.bing.com	13.107.6.158	whitelisted
max.maxtrackmax.org	188.114.96.3 188.114.97.3	unknown
tepadas.azurewebsites.net	20.119.16.44	unknown
www.bing.com	184.86.251.10 184.86.251.27 184.86.251.9 184.86.251.4 184.86.251.7 184.86.251.25 184.86.251.11 184.86.251.28 184.86.251.30 2.23.209.175 2.23.209.182 2.23.209.177 2.23.209.176 2.23.209.183 2.23.209.181 2.23.209.160 2.23.209.162 2.23.209.185 2.23.209.173 2.23.209.189 2.23.209.186 2.23.209.166 184.86.251.15 184.86.251.14 2.23.209.178 2.23.209.171 2.23.209.168 2.23.209.167	whitelisted

Threats

PID	Process	Class	Message
2252	Cakes.pif	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
2252	Cakes.pif	A Network Trojan was detected	ET MALWARE PrivateLoader CnC Activity (GET)
2256	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
2252	Cakes.pif	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
2252	Cakes.pif	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
2252	Cakes.pif	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2252	Cakes.pif	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2252	Cakes.pif	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2252	Cakes.pif	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2252	Cakes.pif	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host

5 ETPRO signatures available at the full report

Add for printing

Process	Message
msedge.exe	[0822/144144.182:WARNING:device_ticket.cc(151)] Timed out waiting for device ticket. Canceling async operation.
msedge.exe	[0822/144145.511:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments\050a7ae8-8fa4-4a38-87c4-c0ef33333dc6: The system cannot find the file specified. (0x2)
msedge.exe	[0822/144145.519:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments\050a7ae8-8fa4-4a38-87c4-c0ef33333dc6: The system cannot find the file specified. (0x2)
msedge.exe	[0822/144145.539:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments\050a7ae8-8fa4-4a38-87c4-c0ef33333dc6: The system cannot find the file specified. (0x2)
msedge.exe	[0822/144145.540:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments\050a7ae8-8fa4-4a38-87c4-c0ef33333dc6: The system cannot find the file specified. (0x2)
Kshs9aBa54K7gtVI1PtDHOPc.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

97BC0459FC24D611868B371748AB774B

FB8644E5BC12CF2F5C25FFA710AD846226FC5BC6

B93F0B9CD8FF8336FA2B4A650D30E5B27788E2929A312A0F881B827CFA6E8FC8

24:2cVGLHsa9W2eWpUQDQEqMUtg+fUr8eSt7/+3q4rnpWfOIAM:hGzsT2eW/8u8rRU3qMnGOY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Antivirus name has been found in the command line (generic signature)

Connects to the CnC server

PRIVATELOADER has been detected (SURICATA)

PRIVATELOADER has been detected (YARA)

Actions looks like stealing of personal data

Stealers network behavior

STEALC has been detected (SURICATA)

Changes the autorun value in the registry

Create files in the Startup directory

Uses Task Scheduler to run other applications

Uses Task Scheduler to autorun other applications

RISEPRO has been detected (SURICATA)

Steals credentials from Web Browsers

STEALC has been detected (YARA)

METASTEALER has been detected (SURICATA)

ALFAC2 has been detected (YARA)

GOINJECTOR has been detected (YARA)

VIDAR has been detected (YARA)

LUMMA has been detected (YARA)

REDLINE has been detected (SURICATA)

MINER has been detected (SURICATA)

LUMMA has been detected (SURICATA)

SUSPICIOUS

Process drops legitimate windows executable

The process creates files with name similar to system file names

Reads security settings of Internet Explorer

Reads the date of Windows installation

Starts CMD.EXE for commands execution

Get information on the list of running processes

Executing commands from ".cmd" file

Using 'findstr.exe' to search for text patterns in files and output

Application launched itself

Starts application with an unusual extension

Executable content was dropped or overwritten

The executable file from the user directory is run by the CMD process

Drops a file with a rarely used extension (PIF)

Drops the executable file immediately after the start

Checks for external IP

Connects to the server without a host name

Checks Windows Trust Settings

Process requests binary or script from the Internet

Potential Corporate Privacy Violation

Reads the BIOS version

Windows Defender mutex has been found

Searches for installed software

Contacting a server suspected of hosting an CnC

Connects to unusual port

The process drops Mozilla's DLL files

The process drops C-runtime libraries

There is functionality for communication over UDP network (YARA)

Uses powercfg.exe to modify the power settings

Uses REG/REGEDIT.EXE to modify registry

Starts itself from another location

Drops a system driver (possible attempt to evade defenses)

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Crypto Currency Mining Activity Detected

INFO

Manual execution by a user

Reads Environment values

Checks supported languages

Executable content was dropped or overwritten

The process uses the downloaded file

Reads the computer name

Create files in a temporary directory

Process checks computer location settings

Reads Microsoft Office registry keys

Application launched itself

Reads mouse settings

Reads the software policy settings