File name:	StatusRotatorv3.exe
Full analysis:	https://app.any.run/tasks/9c9f2c5e-0069-4c2c-b698-383f5651f21a
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 28, 2026, 14:11:03
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	stealer crypto-regex uac
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	648D1FBFD92B3ABC4806F2066A9532CD
SHA1:	FA2EC3FC0C4277C46E34C93E4326EFFEB547C737
SHA256:	CBF79383588F6CAA31FF2F8ECD26A4ED49B3CC21DF67BFFC2D171E5B3B4A25DB
SSDEEP:	768:BBDnOnA0FPMQP3FDRGTEWivBEnioNOmFQshUS5Ci4XftX4Civk8ks9j:BBD4AyD4TR09mFSSIXqLFj

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2026:03:25 16:03:54+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.44
CodeSize:	31744
InitializedDataSize:	26624
UninitializedDataSize:	-
EntryPoint:	0x7bd4
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(2952) slui.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing
(PID) Process:	(2016) ktmutil.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2016) ktmutil.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2016) ktmutil.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5704) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\Shell\Open\command
Operation:	write	Name:	DelegateExecute
Value:
(PID) Process:	(7896) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7896) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(7896) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7896) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(4136) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\Shell\Open\command
Operation:	delete key	Name:	(default)
Value:

PID	Process	Filename		Type
2100	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_StatusRotatorv3._501acbfcc131b4d816c6fd775077fb6b1a9f6_d23804ef_4f428000-2a45-4ba4-a94f-8c0a162df93c\Report.wer		—
		MD5:—	SHA256:—
2100	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER8671.tmp.dmp		binary
		MD5:A893478C2EC67C6DA0D7C7CACDAD129B	SHA256:0D5730B06CE747AC7D51C68F35B2E58B3EEB5433CC9064252E4D85989317A82F
2016	ktmutil.exe	C:\ProgramData\vstos		text
		MD5:94D10CA666CD15D88D864F49F900F296	SHA256:47DAB8765F0ABCAC024A7980FF9CEE8A408B7BD970E0B0733EA60FE23A4D1A2B
2016	ktmutil.exe	C:\ProgramData\bungee.boo		executable
		MD5:626A3DC7A2BA5CC18B1CC1386EA76CB2	SHA256:E255095F9C715BEF905E060B605FC4995E60849201FE9FB19FC94065113F7419
2100	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER877D.tmp.xml		xml
		MD5:8D9AF4381B548CBC9F5F46F4D7DA3485	SHA256:2A604392CB6443DD47F148DC3022A06B5AFC93E41263910F5EF77708C8E87585
2100	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER874D.tmp.WERInternalMetadata.xml		xml
		MD5:1319FB3E870E0D21691E77F62B4D662C	SHA256:07A9B7760B111408ADEB9059D9F502363B115E9A27C0EA0244F571CC9C10DE65
2100	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\StatusRotatorv3.exe.684.dmp		binary
		MD5:A7EFCFA5AC6DBB4EE626CF393C1FCB77	SHA256:D5432E0453ED8F1791D627D9F591AF19DE4628BE3A8B2D69AD7FD04925C40F83
2016	ktmutil.exe	C:\Users\admin\AppData\Roaming\Microsoft\245659.vbs		text
		MD5:BFEEAEED8F2A0B9585692A8CACC352BD	SHA256:CA194C9013FA53B45947341BC755C7C9F84BDFFEFF0AF20B94943DF166DF6B6F
2016	ktmutil.exe	C:\Users\admin\AppData\Local\Temp\9504884593179\LOG.old		text
		MD5:9CE74081E45313828CD43602C77AFA50	SHA256:F7D8FBB80CAB6EA050876C0E5A75552DCD8B5E86C3B40C6DBD010EF06FA16362
2016	ktmutil.exe	C:\Users\admin\AppData\Local\Temp\9504884593179\CURRENT		text
		MD5:6DE46ED1E4E3A2CA9CF0C6D2C5BB98CA	SHA256:A197CC479C3BC03EF7B8D2B228F02A9BFC8C7CC6343719C5E26BEBC0CA4ECF06

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5276	MoUsoCoreWorker.exe	GET	304	51.104.136.2:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted
3044	svchost.exe	GET	200	23.55.110.211:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
684	StatusRotatorv3.exe	GET	200	8.8.8.8:443	https://dns.google/resolve?name=steamcommunity.com&type=A	US	—	241 b	unknown
684	StatusRotatorv3.exe	GET	200	8.8.8.8:443	https://dns.google/resolve?name=steamcommunity.com&type=A	US	text	241 b	unknown
3044	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
684	StatusRotatorv3.exe	GET	302	2.22.96.50:80	http://steamcommunity.com/profiles/76561198764661885/ajaxaliases/	US	—	—	unknown
684	StatusRotatorv3.exe	GET	200	8.8.8.8:443	https://dns.google/resolve?name=nuzzyservices.com&type=A	US	text	313 b	unknown
684	StatusRotatorv3.exe	GET	200	172.67.212.208:80	http://nuzzyservices.com/Stb/PokerFace/init.php?id=xzbaEDDt0UPd8Y	US	text	12.6 Mb	unknown
2016	ktmutil.exe	GET	200	8.8.8.8:443	https://dns.google/resolve?name=nuzzyservices.com&type=A	US	text	314 b	unknown
2016	ktmutil.exe	GET	200	8.8.8.8:443	https://dns.google/resolve?name=nuzzyservices.com&type=A	US	text	314 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
3044	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5276	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7352	slui.exe	48.192.1.65:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
3044	svchost.exe	23.55.110.211:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
3044	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5208	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2952	slui.exe	48.192.1.65:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3044	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
activation-v2.sls.microsoft.com	48.192.1.65	whitelisted
google.com	142.251.208.174	whitelisted
crl.microsoft.com	23.55.110.211 23.55.110.193 184.24.77.12 184.24.77.42 184.24.77.6 184.24.77.23	whitelisted
www.microsoft.com	88.221.169.152 23.59.18.102	whitelisted
dns.google	8.8.8.8 8.8.4.4	whitelisted
steamcommunity.com	104.102.49.106	whitelisted
www.google.com	142.251.153.119 142.251.152.119 142.251.151.119 142.251.155.119 142.251.156.119 142.251.157.119 142.251.154.119 142.251.150.119	whitelisted
nuzzyservices.com	188.114.96.3 188.114.97.3	unknown
watson.events.data.microsoft.com	172.178.240.162	whitelisted

PID	Process	Class	Message
5276	MoUsoCoreWorker.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2232	svchost.exe	Misc activity	INFO [ANY.RUN] Google DNS-over-HTTPS service requested (dns. google)
684	StatusRotatorv3.exe	Misc activity	ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
2016	ktmutil.exe	Misc activity	ET HUNTING EXE Base64 Encoded potential malware
2016	ktmutil.exe	A Network Trojan was detected	SUSPICIOUS [ANY.RUN] Base64-encoded PE file download via HTTP
2016	ktmutil.exe	Misc activity	ET HUNTING EXE Base64 Encoded potential malware
2016	ktmutil.exe	A Network Trojan was detected	SUSPICIOUS [ANY.RUN] Base64-encoded PE file download via HTTP
2016	ktmutil.exe	Misc activity	ET HUNTING EXE Base64 Encoded potential malware
2016	ktmutil.exe	A Network Trojan was detected	SUSPICIOUS [ANY.RUN] Base64-encoded PE file download via HTTP
2956	curl.exe	Potentially Bad Traffic	ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)

General Info

StatusRotatorv3.exe

648D1FBFD92B3ABC4806F2066A9532CD

FA2EC3FC0C4277C46E34C93E4326EFFEB547C737

CBF79383588F6CAA31FF2F8ECD26A4ED49B3CC21DF67BFFC2D171E5B3B4A25DB

768:BBDnOnA0FPMQP3FDRGTEWivBEnioNOmFQshUS5Ci4XftX4Civk8ks9j:BBD4AyD4TR09mFSSIXqLFj

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Bypass User Account Control (Modify registry)

Bypass User Account Control (ComputerDefaults)

Steals credentials from Web Browsers

SUSPICIOUS

Found regular expressions for crypto-addresses (YARA)

Executable content was dropped or overwritten

Starts CMD.EXE with AutoRun commands disabled

Delegate execute modification

The process executes VB scripts

Runs shell command (SCRIPT)

Starts CMD.EXE for commands execution

File deletion via cmd.exe

Starts CMD.EXE with special quote handling

Execution of CURL command

Possible stealing from crypto wallets

INFO

Reads security settings of Internet Explorer

Checks supported languages

Reads the computer name

Creates files or folders in the user directory

Reads the machine GUID from the registry

Create files in a temporary directory

Execution of CURL command

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings