Malware analysis https://bazaar.abuse.ch/sample/e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893/ Malicious activity

Add for printing

URL:	https://bazaar.abuse.ch/sample/e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893/
Full analysis:	https://app.any.run/tasks/eb377e1b-f5d6-4e4b-aee9-eec1f52e2474
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 20, 2024, 12:43:39
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer python netreactor miner cybergate rat
Indicators:
MD5:	7776CF0AFB535A87BF0E2E520C83DC2A
SHA1:	8EB84EC9B09ECFEAC6705D0FF0381A4D94770966
SHA256:	D6BFBD119CC75EDE793F4ADF37AB61DB2C3FDED5866925D57B85473B47D9B907
SSDEEP:	3:N8N0uDWWLXHG/VIcIGThCWUdfWxdUjV8BwB:23pWzIGcTd+bUpQi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Actions looks like stealing of personal data
  - UnifiedStub-installer.exe (PID: 876)
  - rsEngineSvc.exe (PID: 3140)
  - rsVPNSvc.exe (PID: 8128)
  - rsDNSSvc.exe (PID: 5372)
- Changes the autorun value in the registry
  - rundll32.exe (PID: 872)
  - rundll32.exe (PID: 6104)
- CYBERGATE has been detected (YARA)
  - rsEngineSvc.exe (PID: 3140)
- Steals credentials from Web Browsers
  - rsEngineSvc.exe (PID: 3140)
SUSPICIOUS
- Drops the executable file immediately after the start
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.tmp (PID: 6832)
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.exe (PID: 4544)
  - clipgrab-3.9.10-portable.exe (PID: 6840)
  - clipgrab-3.9.10-portable.tmp (PID: 6808)
  - vc_redist.x86.exe (PID: 8080)
  - vc_redist.x86.exe (PID: 3244)
  - prod0.exe (PID: 8112)
  - fztqbxpk.exe (PID: 7220)
  - UnifiedStub-installer.exe (PID: 876)
- Executable content was dropped or overwritten
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.exe (PID: 4544)
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.tmp (PID: 6832)
  - clipgrab-3.9.10-portable.exe (PID: 6840)
  - clipgrab-3.9.10-portable.tmp (PID: 6808)
  - vc_redist.x86.exe (PID: 8080)
  - vc_redist.x86.exe (PID: 3244)
  - prod0.exe (PID: 8112)
  - fztqbxpk.exe (PID: 7220)
  - UnifiedStub-installer.exe (PID: 876)
- Application launched itself
  - Taskmgr.exe (PID: 7160)
  - rsAppUI.exe (PID: 8168)
  - rsAppUI.exe (PID: 4068)
  - rsAppUI.exe (PID: 6332)
- Reads the Windows owner or organization settings
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.tmp (PID: 6832)
  - clipgrab-3.9.10-portable.tmp (PID: 6808)
- Process drops python dynamic module
  - clipgrab-3.9.10-portable.tmp (PID: 6808)
- Starts a Microsoft application from unusual location
  - vc_redist.x86.exe (PID: 8080)
  - vc_redist.x86.exe (PID: 3244)
- Process drops legitimate windows executable
  - clipgrab-3.9.10-portable.tmp (PID: 6808)
  - vc_redist.x86.exe (PID: 8080)
  - fztqbxpk.exe (PID: 7220)
  - UnifiedStub-installer.exe (PID: 876)
- The process drops C-runtime libraries
  - clipgrab-3.9.10-portable.tmp (PID: 6808)
  - UnifiedStub-installer.exe (PID: 876)
- Searches for installed software
  - vc_redist.x86.exe (PID: 3244)
  - UnifiedStub-installer.exe (PID: 876)
  - rsVPNSvc.exe (PID: 8128)
  - rsEngineSvc.exe (PID: 3140)
- Reads the date of Windows installation
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.tmp (PID: 6832)
  - prod0.exe (PID: 8112)
  - rsEngineSvc.exe (PID: 3140)
  - rsEDRSvc.exe (PID: 7368)
- Reads security settings of Internet Explorer
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.tmp (PID: 6832)
  - prod0.exe (PID: 8112)
  - UnifiedStub-installer.exe (PID: 876)
  - rsWSC.exe (PID: 5920)
  - rsEngineSvc.exe (PID: 5500)
  - rsEDRSvc.exe (PID: 7856)
  - rsEngineSvc.exe (PID: 3140)
  - clipgrab.exe (PID: 7624)
  - rsVPNSvc.exe (PID: 8144)
  - rsDNSSvc.exe (PID: 5288)
- Creates a software uninstall entry
  - UnifiedStub-installer.exe (PID: 876)
- Executes as Windows Service
  - rsSyncSvc.exe (PID: 7420)
  - rsWSC.exe (PID: 1680)
  - rsClientSvc.exe (PID: 7352)
  - rsEngineSvc.exe (PID: 3140)
  - rsEDRSvc.exe (PID: 7368)
  - WmiApSrv.exe (PID: 2328)
  - rsVPNClientSvc.exe (PID: 6372)
  - rsVPNSvc.exe (PID: 8128)
  - WmiApSrv.exe (PID: 6360)
  - rsDNSResolver.exe (PID: 6516)
  - rsDNSClientSvc.exe (PID: 7552)
  - WmiApSrv.exe (PID: 8212)
  - rsDNSSvc.exe (PID: 5372)
- Executes application which crashes
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.tmp (PID: 6832)
- Loads Python modules
  - python.exe (PID: 3908)
  - python.exe (PID: 6648)
  - python.exe (PID: 2144)
  - python.exe (PID: 4284)
  - python.exe (PID: 4308)
  - python.exe (PID: 3784)
  - python.exe (PID: 7268)
  - python.exe (PID: 6816)
  - python.exe (PID: 5516)
  - python.exe (PID: 7500)
  - python.exe (PID: 1116)
  - python.exe (PID: 7904)
  - python.exe (PID: 6324)
  - python.exe (PID: 6748)
  - python.exe (PID: 6272)
  - python.exe (PID: 8068)
  - python.exe (PID: 7752)
  - python.exe (PID: 7176)
  - python.exe (PID: 7856)
  - python.exe (PID: 5724)
  - python.exe (PID: 2876)
  - python.exe (PID: 7080)
  - python.exe (PID: 7316)
- Adds/modifies Windows certificates
  - clipgrab.exe (PID: 7624)
  - UnifiedStub-installer.exe (PID: 876)
  - rsWSC.exe (PID: 5920)
  - rsEngineSvc.exe (PID: 3140)
- Drops a system driver (possible attempt to evade defenses)
  - UnifiedStub-installer.exe (PID: 876)
- Drops 7-zip archiver for unpacking
  - UnifiedStub-installer.exe (PID: 876)
- The process creates files with name similar to system file names
  - UnifiedStub-installer.exe (PID: 876)
- Checks Windows Trust Settings
  - UnifiedStub-installer.exe (PID: 876)
  - rsWSC.exe (PID: 5920)
  - rsEngineSvc.exe (PID: 5500)
  - rsWSC.exe (PID: 1680)
  - rsEDRSvc.exe (PID: 7856)
  - rsEngineSvc.exe (PID: 3140)
  - rsEDRSvc.exe (PID: 7368)
  - rsVPNSvc.exe (PID: 8144)
  - rsDNSSvc.exe (PID: 5288)
- Creates files in the driver directory
  - UnifiedStub-installer.exe (PID: 876)
- Uses RUNDLL32.EXE to load library
  - UnifiedStub-installer.exe (PID: 876)
- Creates or modifies Windows services
  - rundll32.exe (PID: 872)
  - UnifiedStub-installer.exe (PID: 876)
- Uses WEVTUTIL.EXE to install publishers and event logs from the manifest
  - UnifiedStub-installer.exe (PID: 876)
- Dropped object may contain URLs of mainers pools
  - rsEngineSvc.exe (PID: 3140)
- Reads the BIOS version
  - rsEDRSvc.exe (PID: 7368)
  - rsEngineSvc.exe (PID: 3140)
- The process checks if it is being run in the virtual environment
  - rsEngineSvc.exe (PID: 3140)
  - rsVPNSvc.exe (PID: 8128)
  - rsDNSSvc.exe (PID: 5372)
- Process checks is Powershell's Script Block Logging on
  - rsEDRSvc.exe (PID: 7368)
- There is functionality for taking screenshot (YARA)
  - rsHelper.exe (PID: 6548)
- Read startup parameters
  - rsEngineSvc.exe (PID: 3140)
- Process uses IPCONFIG to clear DNS cache
  - cmd.exe (PID: 7984)
  - cmd.exe (PID: 8676)
- Starts CMD.EXE for commands execution
  - rsDNSSvc.exe (PID: 5372)
INFO
- Application launched itself
  - firefox.exe (PID: 6764)
  - firefox.exe (PID: 6744)
- Manual execution by a user
  - Taskmgr.exe (PID: 7852)
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.exe (PID: 4544)
  - WinRAR.exe (PID: 7192)
  - Taskmgr.exe (PID: 7160)
- Checks supported languages
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.exe (PID: 4544)
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.tmp (PID: 6832)
  - clipgrab-3.9.10-portable.exe (PID: 6840)
  - vc_redist.x86.exe (PID: 8080)
  - clipgrab-3.9.10-portable.tmp (PID: 6808)
  - prod0.exe (PID: 8112)
  - UnifiedStub-installer.exe (PID: 876)
  - clipgrab.exe (PID: 7624)
  - ffmpeg.exe (PID: 6604)
  - ffmpeg.exe (PID: 6968)
  - vc_redist.x86.exe (PID: 3244)
  - rsSyncSvc.exe (PID: 7888)
  - rsSyncSvc.exe (PID: 7420)
  - python.exe (PID: 2144)
  - fztqbxpk.exe (PID: 7220)
  - python.exe (PID: 4308)
  - python.exe (PID: 3908)
  - python.exe (PID: 6648)
  - python.exe (PID: 3784)
  - python.exe (PID: 4284)
  - python.exe (PID: 6816)
  - python.exe (PID: 5516)
  - python.exe (PID: 7500)
  - python.exe (PID: 1116)
  - python.exe (PID: 7268)
  - python.exe (PID: 6324)
  - python.exe (PID: 7904)
  - QtWebEngineProcess.exe (PID: 400)
  - python.exe (PID: 6748)
  - python.exe (PID: 6272)
  - QtWebEngineProcess.exe (PID: 7060)
  - QtWebEngineProcess.exe (PID: 6520)
  - QtWebEngineProcess.exe (PID: 6808)
  - python.exe (PID: 7176)
  - python.exe (PID: 7752)
  - python.exe (PID: 7856)
  - QtWebEngineProcess.exe (PID: 7348)
  - python.exe (PID: 5724)
  - QtWebEngineProcess.exe (PID: 8044)
  - QtWebEngineProcess.exe (PID: 7232)
  - rsWSC.exe (PID: 5920)
  - rsWSC.exe (PID: 1680)
  - rsClientSvc.exe (PID: 6804)
  - rsClientSvc.exe (PID: 7352)
  - rsEngineSvc.exe (PID: 5500)
  - rsEngineSvc.exe (PID: 3140)
  - QtWebEngineProcess.exe (PID: 8128)
  - python.exe (PID: 2876)
  - rsEDRSvc.exe (PID: 7856)
  - rsEDRSvc.exe (PID: 7368)
  - EPP.exe (PID: 7700)
  - python.exe (PID: 8068)
  - rsHelper.exe (PID: 6548)
  - QtWebEngineProcess.exe (PID: 6920)
  - rsAppUI.exe (PID: 2232)
  - rsAppUI.exe (PID: 7828)
  - rsAppUI.exe (PID: 8168)
  - rsAppUI.exe (PID: 8028)
  - rsLitmus.A.exe (PID: 7412)
  - rsAppUI.exe (PID: 7940)
  - python.exe (PID: 7080)
  - ffmpeg.exe (PID: 6804)
  - python.exe (PID: 7316)
  - ffmpeg.exe (PID: 1108)
  - rsVPNClientSvc.exe (PID: 7416)
  - rsVPNClientSvc.exe (PID: 6372)
  - rsVPNSvc.exe (PID: 8144)
  - rsVPNSvc.exe (PID: 8128)
  - rsAppUI.exe (PID: 4068)
  - VPN.exe (PID: 7012)
  - rsAppUI.exe (PID: 3648)
  - rsAppUI.exe (PID: 5092)
  - rsDNSClientSvc.exe (PID: 1492)
  - rsAppUI.exe (PID: 6660)
  - rsAppUI.exe (PID: 2820)
  - rsDNSClientSvc.exe (PID: 7552)
  - rsDNSResolver.exe (PID: 7008)
  - rsDNSResolver.exe (PID: 5724)
  - rsDNSResolver.exe (PID: 6516)
  - rsDNSSvc.exe (PID: 5288)
  - rsDNSSvc.exe (PID: 5372)
  - DNS.exe (PID: 5712)
  - rsAppUI.exe (PID: 6332)
  - rsAppUI.exe (PID: 8384)
  - rsAppUI.exe (PID: 8404)
  - rsAppUI.exe (PID: 8428)
  - rsAppUI.exe (PID: 8952)
  - rsAppUI.exe (PID: 9016)
- The process uses the downloaded file
  - firefox.exe (PID: 6764)
  - WinRAR.exe (PID: 7192)
  - rsEngineSvc.exe (PID: 3140)
- Reads security settings of Internet Explorer
  - Taskmgr.exe (PID: 7160)
  - Taskmgr.exe (PID: 7136)
  - runonce.exe (PID: 4760)
  - runonce.exe (PID: 5772)
- Create files in a temporary directory
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.exe (PID: 4544)
  - clipgrab-3.9.10-portable.exe (PID: 6840)
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.tmp (PID: 6832)
  - clipgrab-3.9.10-portable.tmp (PID: 6808)
  - vc_redist.x86.exe (PID: 3244)
  - prod0.exe (PID: 8112)
  - fztqbxpk.exe (PID: 7220)
  - UnifiedStub-installer.exe (PID: 876)
  - rsAppUI.exe (PID: 8168)
  - python.exe (PID: 7316)
  - rsAppUI.exe (PID: 4068)
  - rsEngineSvc.exe (PID: 3140)
  - rsAppUI.exe (PID: 6332)
- Reads the computer name
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.tmp (PID: 6832)
  - clipgrab-3.9.10-portable.tmp (PID: 6808)
  - vc_redist.x86.exe (PID: 3244)
  - prod0.exe (PID: 8112)
  - UnifiedStub-installer.exe (PID: 876)
  - clipgrab.exe (PID: 7624)
  - rsSyncSvc.exe (PID: 7888)
  - rsSyncSvc.exe (PID: 7420)
  - python.exe (PID: 5724)
  - python.exe (PID: 7176)
  - rsWSC.exe (PID: 5920)
  - rsWSC.exe (PID: 1680)
  - rsClientSvc.exe (PID: 6804)
  - rsClientSvc.exe (PID: 7352)
  - rsEngineSvc.exe (PID: 5500)
  - rsEngineSvc.exe (PID: 3140)
  - python.exe (PID: 2876)
  - rsEDRSvc.exe (PID: 7856)
  - rsEDRSvc.exe (PID: 7368)
  - rsHelper.exe (PID: 6548)
  - rsAppUI.exe (PID: 8168)
  - rsAppUI.exe (PID: 8028)
  - rsAppUI.exe (PID: 2232)
  - python.exe (PID: 7080)
  - python.exe (PID: 7316)
  - rsVPNClientSvc.exe (PID: 6372)
  - rsVPNClientSvc.exe (PID: 7416)
  - rsVPNSvc.exe (PID: 8144)
  - rsVPNSvc.exe (PID: 8128)
  - rsAppUI.exe (PID: 4068)
  - rsAppUI.exe (PID: 3648)
  - rsAppUI.exe (PID: 2820)
  - rsDNSClientSvc.exe (PID: 7552)
  - rsDNSResolver.exe (PID: 5724)
  - rsDNSResolver.exe (PID: 6516)
  - rsDNSSvc.exe (PID: 5288)
  - rsDNSClientSvc.exe (PID: 1492)
  - rsDNSSvc.exe (PID: 5372)
  - rsAppUI.exe (PID: 6332)
  - rsAppUI.exe (PID: 8384)
  - rsAppUI.exe (PID: 8404)
- Reads the software policy settings
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.tmp (PID: 6832)
  - prod0.exe (PID: 8112)
  - UnifiedStub-installer.exe (PID: 876)
  - WerFault.exe (PID: 2480)
  - WerFault.exe (PID: 6892)
  - clipgrab.exe (PID: 7624)
  - rsEngineSvc.exe (PID: 5500)
  - rsEDRSvc.exe (PID: 7856)
  - rsWSC.exe (PID: 1680)
  - rsEngineSvc.exe (PID: 3140)
  - rsEDRSvc.exe (PID: 7368)
  - rsWSC.exe (PID: 5920)
  - rsVPNSvc.exe (PID: 8128)
  - rsVPNSvc.exe (PID: 8144)
  - rsDNSSvc.exe (PID: 5288)
  - rsDNSSvc.exe (PID: 5372)
- Reads the machine GUID from the registry
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.tmp (PID: 6832)
  - prod0.exe (PID: 8112)
  - UnifiedStub-installer.exe (PID: 876)
  - ffmpeg.exe (PID: 6968)
  - ffmpeg.exe (PID: 6604)
  - clipgrab.exe (PID: 7624)
  - python.exe (PID: 4284)
  - python.exe (PID: 2144)
  - python.exe (PID: 6648)
  - python.exe (PID: 4308)
  - python.exe (PID: 3908)
  - python.exe (PID: 6816)
  - python.exe (PID: 6324)
  - python.exe (PID: 7500)
  - python.exe (PID: 1116)
  - python.exe (PID: 7904)
  - python.exe (PID: 6748)
  - python.exe (PID: 6272)
  - python.exe (PID: 8068)
  - python.exe (PID: 7176)
  - python.exe (PID: 7752)
  - python.exe (PID: 5724)
  - python.exe (PID: 7268)
  - python.exe (PID: 3784)
  - rsWSC.exe (PID: 5920)
  - rsWSC.exe (PID: 1680)
  - rsEngineSvc.exe (PID: 5500)
  - rsEngineSvc.exe (PID: 3140)
  - python.exe (PID: 2876)
  - rsEDRSvc.exe (PID: 7856)
  - rsEDRSvc.exe (PID: 7368)
  - rsAppUI.exe (PID: 8168)
  - ffmpeg.exe (PID: 6804)
  - python.exe (PID: 7080)
  - python.exe (PID: 7316)
  - rsVPNSvc.exe (PID: 8144)
  - ffmpeg.exe (PID: 1108)
  - rsVPNSvc.exe (PID: 8128)
  - rsAppUI.exe (PID: 4068)
  - rsHelper.exe (PID: 6548)
  - rsDNSSvc.exe (PID: 5288)
  - rsDNSSvc.exe (PID: 5372)
  - rsAppUI.exe (PID: 6332)
- Checks proxy server information
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.tmp (PID: 6832)
  - prod0.exe (PID: 8112)
  - UnifiedStub-installer.exe (PID: 876)
  - WerFault.exe (PID: 2480)
  - WerFault.exe (PID: 6892)
  - python.exe (PID: 7176)
  - python.exe (PID: 5724)
  - rsWSC.exe (PID: 5920)
  - python.exe (PID: 2876)
  - rsAppUI.exe (PID: 8168)
  - python.exe (PID: 7080)
  - python.exe (PID: 7316)
  - rsAppUI.exe (PID: 4068)
  - rsAppUI.exe (PID: 6332)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7192)
- Reads Microsoft Office registry keys
  - firefox.exe (PID: 6764)
- Creates files in the program directory
  - clipgrab-3.9.10-portable.tmp (PID: 6808)
  - UnifiedStub-installer.exe (PID: 876)
  - rsWSC.exe (PID: 5920)
  - rsEngineSvc.exe (PID: 3140)
  - rsEngineSvc.exe (PID: 5500)
  - rsEDRSvc.exe (PID: 7856)
  - rsEDRSvc.exe (PID: 7368)
  - rsVPNSvc.exe (PID: 8144)
  - rsVPNSvc.exe (PID: 8128)
  - rsDNSResolver.exe (PID: 5724)
  - rsDNSResolver.exe (PID: 6516)
  - rsDNSSvc.exe (PID: 5288)
  - rsDNSSvc.exe (PID: 5372)
- Creates a software uninstall entry
  - clipgrab-3.9.10-portable.tmp (PID: 6808)
- Process checks computer location settings
  - e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893.tmp (PID: 6832)
  - prod0.exe (PID: 8112)
  - QtWebEngineProcess.exe (PID: 400)
  - rsAppUI.exe (PID: 7828)
  - rsAppUI.exe (PID: 7940)
  - rsVPNSvc.exe (PID: 8128)
  - rsAppUI.exe (PID: 5092)
  - rsAppUI.exe (PID: 6660)
  - rsAppUI.exe (PID: 4068)
  - rsAppUI.exe (PID: 8168)
  - rsAppUI.exe (PID: 6332)
  - rsAppUI.exe (PID: 8428)
  - rsAppUI.exe (PID: 8952)
  - rsAppUI.exe (PID: 9016)
- Reads Environment values
  - prod0.exe (PID: 8112)
  - UnifiedStub-installer.exe (PID: 876)
  - rsEngineSvc.exe (PID: 3140)
  - rsEDRSvc.exe (PID: 7368)
  - rsAppUI.exe (PID: 8168)
  - rsVPNSvc.exe (PID: 8128)
  - rsAppUI.exe (PID: 4068)
  - rsDNSSvc.exe (PID: 5372)
  - rsAppUI.exe (PID: 6332)
- Disables trace logs
  - prod0.exe (PID: 8112)
  - UnifiedStub-installer.exe (PID: 876)
  - rsEngineSvc.exe (PID: 3140)
  - rsEDRSvc.exe (PID: 7368)
  - rsVPNSvc.exe (PID: 8128)
  - rsDNSSvc.exe (PID: 5372)
- Creates files or folders in the user directory
  - WerFault.exe (PID: 2480)
  - clipgrab.exe (PID: 7624)
  - WerFault.exe (PID: 6892)
  - UnifiedStub-installer.exe (PID: 876)
  - rsWSC.exe (PID: 5920)
  - rsEngineSvc.exe (PID: 3140)
  - rsAppUI.exe (PID: 8168)
  - rsAppUI.exe (PID: 2232)
  - rsVPNSvc.exe (PID: 8128)
  - rsAppUI.exe (PID: 4068)
  - rsAppUI.exe (PID: 2820)
  - rsDNSSvc.exe (PID: 5372)
  - rsAppUI.exe (PID: 6332)
  - rsAppUI.exe (PID: 8404)
- Reads the time zone
  - QtWebEngineProcess.exe (PID: 400)
  - runonce.exe (PID: 4760)
  - rsEDRSvc.exe (PID: 7368)
  - rsEngineSvc.exe (PID: 3140)
  - rsVPNSvc.exe (PID: 8128)
  - runonce.exe (PID: 5772)
  - rsDNSSvc.exe (PID: 5372)
- .NET Reactor protector has been detected
  - UnifiedStub-installer.exe (PID: 876)
  - rsWSC.exe (PID: 1680)
  - rsEngineSvc.exe (PID: 3140)
  - rsEDRSvc.exe (PID: 7368)
  - rsHelper.exe (PID: 6548)
- Reads product name
  - rsEDRSvc.exe (PID: 7368)
  - rsEngineSvc.exe (PID: 3140)
  - rsAppUI.exe (PID: 8168)
  - rsAppUI.exe (PID: 4068)
  - rsAppUI.exe (PID: 6332)
- Reads CPU info
  - rsEDRSvc.exe (PID: 7368)
  - rsEngineSvc.exe (PID: 3140)
  - rsVPNSvc.exe (PID: 8128)
  - rsDNSSvc.exe (PID: 5372)
- Reads mouse settings
  - rsEngineSvc.exe (PID: 3140)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

309

Monitored processes

160

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

368

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

python.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

400

"C:\Program Files (x86)\ClipGrab\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations --disable-features=MojoVideoCapture,SurfaceSynchronization,UseModernMediaControls,UseVideoCaptureApiForDevToolsSnapshots --disable-databases --disable-gpu-compositing --service-pipe-token=8383712626691625480 --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8383712626691625480 --renderer-client-id=4 --mojo-platform-channel-handle=2856 /prefetch:1

C:\Program Files (x86)\ClipGrab\QtWebEngineProcess.exe

—

clipgrab.exe

User:

admin

Company:

The Qt Company Ltd.

Integrity Level:

HIGH

Description:

Qt Qtwebengineprocess

Version:

5.12.6.0

Modules

Images
c:\program files (x86)\clipgrab\qtwebengineprocess.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll

460

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

python.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

508

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

python.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

872

"C:\WINDOWS\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf

C:\Windows\System32\rundll32.exe

UnifiedStub-installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll

876

.\UnifiedStub-installer.exe /silent

C:\Users\admin\AppData\Local\Temp\7zS43CDC113\UnifiedStub-installer.exe

fztqbxpk.exe

User:

admin

Company:

Reason Software Company Inc.

Integrity Level:

HIGH

Description:

UnifiedStub

Exit code:

Version:

6.0.6

Modules

Images
c:\users\admin\appdata\local\temp\7zs43cdc113\unifiedstub-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1064

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\System32\grpconv.exe

—

runonce.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Progman Group Converter

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1108

ffmpeg -bsfs

C:\Program Files (x86)\ClipGrab\ffmpeg.exe

—

python.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\program files (x86)\clipgrab\ffmpeg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1116

"C:\Program Files (x86)\ClipGrab\python\python.exe" "" --version

C:\Program Files (x86)\ClipGrab\python\python.exe

—

clipgrab.exe

User:

admin

Company:

Python Software Foundation

Integrity Level:

HIGH

Description:

Python

Exit code:

Version:

3.8.9

Modules

Images
c:\program files (x86)\clipgrab\python\python.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll

1116

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

rsDNSResolver.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

205 691

Read events

204 851

Write events

608

Delete events

232

Modification events


(PID) Process:	(6744) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Launcher
Value: 873FB5F900000000
(PID) Process:	(6764) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Browser
Value: 54C2B6F900000000
(PID) Process:	(6764) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Progress
Value: 0
(PID) Process:	(6764) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Progress
Value: 1
(PID) Process:	(6764) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Installer\308046B0AF4A39CB
Operation:	delete value	Name:	installer.taskbarpin.win10.enabled
Value:
(PID) Process:	(6764) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Telemetry
Value: 0
(PID) Process:	(6764) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(6764) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Theme
Value: 1
(PID) Process:	(6764) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Enabled
Value: 1
(PID) Process:	(6764) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|DisableTelemetry
Value: 1

Add for printing

Executable files

1 007

Suspicious files

625

Text files

144

Unknown types

Dropped files

PID	Process	Filename		Type
6764	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.bin		binary
		MD5:297E88D7CEB26E549254EC875649F4EB	SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
6764	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\AlternateServices.bin		binary
		MD5:71C3A1132EB0FB99889FC702D85D10C8	SHA256:333C02F73B4C619EBC22B1F8A097AA2D148A53FA659170800E0729CA14412A2B
6764	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
6764	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js		text
		MD5:046A14EFA4E7F08F4C3102E8A5BC1FC9	SHA256:99CBCEAB70F4A4775A40D6BCF385D943B5A4888965F9945499917D400E01D8BF
6764	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite		—
		MD5:—	SHA256:—
6764	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\protections.sqlite-journal		binary
		MD5:E6505DD8454820690CE8941B6AFCA64F	SHA256:EBB1746DD5FFFD91DC15197B17FB309D49E2208B4505D85BBDF8935E6BC9CD8D
6764	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6764	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6764	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\datareporting\glean\db\data.safe.tmp		dbf
		MD5:4006DDC2918B16C7EF5516C58373842B	SHA256:269EA23B77EDE0874628BD8611BCC5A3E87E0C44CA8A821C0D028B929D4F468F
6764	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.js		text
		MD5:046A14EFA4E7F08F4C3102E8A5BC1FC9	SHA256:99CBCEAB70F4A4775A40D6BCF385D943B5A4888965F9945499917D400E01D8BF

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

107

TCP/UDP connections

262

DNS requests

172

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6764	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
6764	firefox.exe	POST	200	216.58.206.35:80	http://o.pki.goog/wr2	unknown	—	—	unknown
6764	firefox.exe	POST	200	216.58.206.35:80	http://o.pki.goog/wr2	unknown	—	—	unknown
6764	firefox.exe	POST	200	216.58.206.35:80	http://o.pki.goog/wr2	unknown	—	—	unknown
6764	firefox.exe	POST	200	216.58.206.35:80	http://o.pki.goog/wr2	unknown	—	—	unknown
6764	firefox.exe	POST	200	23.53.40.123:80	http://r11.o.lencr.org/	unknown	—	—	unknown
6764	firefox.exe	POST	200	216.58.206.35:80	http://o.pki.goog/wr2	unknown	—	—	unknown
6764	firefox.exe	POST	200	23.53.40.161:80	http://r10.o.lencr.org/	unknown	—	—	unknown
6764	firefox.exe	POST	—	216.58.206.35:80	http://o.pki.goog/wr2	unknown	—	—	unknown
6764	firefox.exe	POST	200	216.58.206.35:80	http://o.pki.goog/wr2	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5956	RUXIMICS.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2120	MoUsoCoreWorker.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4760	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
6764	firefox.exe	34.117.188.166:443	contile.services.mozilla.com	—	—	unknown
6764	firefox.exe	216.58.212.170:443	safebrowsing.googleapis.com	—	—	whitelisted
6764	firefox.exe	151.101.66.49:443	bazaar.abuse.ch	FASTLY	US	unknown
6764	firefox.exe	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	whitelisted
6764	firefox.exe	34.107.243.93:443	push.services.mozilla.com	—	—	unknown
6764	firefox.exe	216.58.206.35:80	o.pki.goog	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.185.206	whitelisted
bazaar.abuse.ch	151.101.66.49 151.101.194.49 151.101.2.49 151.101.130.49	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
p2.shared.global.fastly.net	151.101.66.49 151.101.194.49 151.101.2.49 151.101.130.49	whitelisted
contile.services.mozilla.com	34.117.188.166	whitelisted
example.org	93.184.215.14	whitelisted
ipv4only.arpa	192.0.0.170 192.0.0.171	whitelisted
spocs.getpocket.com	34.117.188.166	whitelisted
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	unknown

Threats

PID	Process	Class	Message
2232	rsAppUI.exe	Not Suspicious Traffic	INFO [ANY.RUN] An application monitoring request to sentry .io
2232	rsAppUI.exe	Not Suspicious Traffic	INFO [ANY.RUN] An application monitoring request to sentry .io

Add for printing

Process	Message
clipgrab.exe	QObject::connect: signal not found in QTreeView
clipgrab.exe	"C:\\Program Files (x86)\\ClipGrab\\python\\python.exe: can't find '__main__' module in ''\r\n"
clipgrab.exe	"WARNING: [youtube:tab] Incomplete data received. Retrying (1/3)...\nWARNING: [youtube:tab] Incomplete data received. Retrying (2/3)...\nWARNING: [youtube:tab] Incomplete data received. Retrying (3/3)...\nWARNING: [youtube:tab] Incomplete data received. Giving up after 3 retries\n"
clipgrab.exe	""
rsEngineSvc.exe	Native library pre-loader is trying to load native SQLite library "C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll"...
clipgrab.exe	"WARNING: [youtube:tab] Incomplete data received. Retrying (1/3)...\nWARNING: [youtube:tab] Incomplete data received. Retrying (2/3)...\nWARNING: [youtube:tab] Incomplete data received. Retrying (3/3)...\nWARNING: [youtube:tab] Incomplete data received. Giving up after 3 retries\n"
rsEDRSvc.exe	Native library pre-loader is trying to load native SQLite library "C:\Program Files\ReasonLabs\EDR\x64\SQLite.Interop.dll"...
clipgrab.exe	"WARNING: [youtube] Failed to download m3u8 information: HTTP Error 429: Too Many Requests\n"
clipgrab.exe	Discovered video: "CHARGE - Blender Open Movie"
clipgrab.exe	"C:/Users/admin/Desktop" "CHARGE - Blender Open Movie"

General Info

https://bazaar.abuse.ch/sample/e92c5cf7509dd9792fac8202fb08295dfc9e5f18663db81bf07990de1bc85893/

7776CF0AFB535A87BF0E2E520C83DC2A

8EB84EC9B09ECFEAC6705D0FF0381A4D94770966

D6BFBD119CC75EDE793F4ADF37AB61DB2C3FDED5866925D57B85473B47D9B907

3:N8N0uDWWLXHG/VIcIGThCWUdfWxdUjV8BwB:23pWzIGcTd+bUpQi

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Changes the autorun value in the registry

CYBERGATE has been detected (YARA)

Steals credentials from Web Browsers

SUSPICIOUS

Drops the executable file immediately after the start

Executable content was dropped or overwritten

Application launched itself

Reads the Windows owner or organization settings

Process drops python dynamic module

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

The process drops C-runtime libraries

Searches for installed software

Reads the date of Windows installation

Reads security settings of Internet Explorer

Creates a software uninstall entry

Executes as Windows Service

Executes application which crashes

Loads Python modules

Adds/modifies Windows certificates

Drops a system driver (possible attempt to evade defenses)

Drops 7-zip archiver for unpacking

The process creates files with name similar to system file names

Checks Windows Trust Settings

Creates files in the driver directory

Uses RUNDLL32.EXE to load library

Creates or modifies Windows services

Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

Dropped object may contain URLs of mainers pools

Reads the BIOS version

The process checks if it is being run in the virtual environment

Process checks is Powershell's Script Block Logging on

There is functionality for taking screenshot (YARA)

Read startup parameters

Process uses IPCONFIG to clear DNS cache

Starts CMD.EXE for commands execution

INFO

Application launched itself

Manual execution by a user

Checks supported languages

The process uses the downloaded file

Reads security settings of Internet Explorer

Create files in a temporary directory

Reads the computer name

Reads the software policy settings

Reads the machine GUID from the registry

Checks proxy server information

Executable content was dropped or overwritten

Reads Microsoft Office registry keys

Creates files in the program directory

Creates a software uninstall entry

Process checks computer location settings

Reads Environment values

Disables trace logs

Creates files or folders in the user directory

Reads the time zone

.NET Reactor protector has been detected

Reads product name

Reads CPU info

Reads mouse settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information