Malware analysis https://tlniurl.com/2yI2Nm Malicious activity

Add for printing

URL:	https://tlniurl.com/2yI2Nm
Full analysis:	https://app.any.run/tasks/a50626b3-fe19-4b84-a5a9-504d195c230f
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims. Socks5systemz is a botnet that utilizes its infection capabilities to establish a network of compromised devices. These devices are then used to forward malicious traffic. The criminals behind this malware sell access to the infected endpoints to other threat actors. Socks5systemz maintains control over thousands of devices and communicates with them using specific commands. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	August 27, 2024, 16:35:23
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	privateloader evasion stealer loader risepro stealc metastealer lumma telegram themida vidar miner netreactor socks5systemz proxy
Indicators:
MD5:	96116E57FF2EC2C85536336F40379023
SHA1:	6EB76F4F49C4BA9C83EA62B0CF6A58AC81A7E021
SHA256:	D7C972C6CE6D5BF64379989F54D89C059EB80B6821D4CDCBBDFD8EC68D8625EB
SSDEEP:	3:N8BLMCJ2u7In:29xJI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- PRIVATELOADER has been detected (SURICATA)
  - RegAsm.exe (PID: 8148)
- Connects to the CnC server
  - RegAsm.exe (PID: 8148)
  - RegAsm.exe (PID: 7880)
  - RegAsm.exe (PID: 7584)
  - 0F5VKPLjrrBWzMrqKGvCrMjU.exe (PID: 7716)
  - screenshotsvideoeditor32_64.exe (PID: 7372)
  - RegAsm.exe (PID: 7872)
- Actions looks like stealing of personal data
  - RegAsm.exe (PID: 8148)
  - RegAsm.exe (PID: 7880)
  - RegAsm.exe (PID: 1780)
  - nXZiPmY6HDzQDc9KL8meHuLZ.exe (PID: 6984)
  - RegAsm.exe (PID: 7188)
  - RegAsm.exe (PID: 7584)
  - RegAsm.exe (PID: 7872)
- Changes the autorun value in the registry
  - r6q6JmYR_6_fcVa1QPSFfaP_.exe (PID: 6180)
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 3692)
- Create files in the Startup directory
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 3692)
- Uses Task Scheduler to run other applications
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 3692)
- Uses Task Scheduler to autorun other applications
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 3692)
- STEALC has been detected (SURICATA)
  - RegAsm.exe (PID: 7880)
  - RegAsm.exe (PID: 7584)
  - 0F5VKPLjrrBWzMrqKGvCrMjU.exe (PID: 7716)
  - RegAsm.exe (PID: 7872)
- Stealers network behavior
  - RegAsm.exe (PID: 7880)
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 3692)
  - 0F5VKPLjrrBWzMrqKGvCrMjU.exe (PID: 7716)
- RISEPRO has been detected (SURICATA)
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 3692)
- METASTEALER has been detected (SURICATA)
  - nXZiPmY6HDzQDc9KL8meHuLZ.exe (PID: 6984)
- Steals credentials from Web Browsers
  - RegAsm.exe (PID: 7880)
  - nXZiPmY6HDzQDc9KL8meHuLZ.exe (PID: 6984)
- STEALC has been detected (YARA)
  - 0F5VKPLjrrBWzMrqKGvCrMjU.exe (PID: 7716)
- VIDAR has been detected (YARA)
  - RegAsm.exe (PID: 7872)
- LUMMA has been detected (SURICATA)
  - svchost.exe (PID: 2256)
  - RegAsm.exe (PID: 7188)
- MINER has been detected (SURICATA)
  - svchost.exe (PID: 2256)
- SOCKS5SYSTEMZ has been detected (SURICATA)
  - screenshotsvideoeditor32_64.exe (PID: 7372)
SUSPICIOUS
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 6012)
  - RegAsm.exe (PID: 8148)
  - qkchg0C_fbivUrDTBKGVcjOy.tmp (PID: 368)
  - RegAsm.exe (PID: 7880)
- Connects to the server without a host name
  - RegAsm.exe (PID: 8148)
  - RegAsm.exe (PID: 7880)
  - RegAsm.exe (PID: 7872)
- Checks for external IP
  - RegAsm.exe (PID: 8148)
  - svchost.exe (PID: 2256)
- Drops the executable file immediately after the start
  - RegAsm.exe (PID: 8148)
  - qkchg0C_fbivUrDTBKGVcjOy.exe (PID: 644)
  - r6q6JmYR_6_fcVa1QPSFfaP_.exe (PID: 6180)
  - qkchg0C_fbivUrDTBKGVcjOy.tmp (PID: 368)
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 3692)
  - RegAsm.exe (PID: 7880)
  - screenshotsvideoeditor32_64.exe (PID: 7372)
  - lfgB18sExFkw57rHGoT4q1wy.exe (PID: 6444)
  - RegAsm.exe (PID: 7584)
  - etzpikspwykg.exe (PID: 6120)
  - RegAsm.exe (PID: 7872)
  - etzpikspwykg.exe (PID: 6856)
- Reads security settings of Internet Explorer
  - RegAsm.exe (PID: 8148)
  - RegAsm.exe (PID: 7880)
  - RegAsm.exe (PID: 1780)
  - RegAsm.exe (PID: 7584)
  - 0F5VKPLjrrBWzMrqKGvCrMjU.exe (PID: 7716)
  - screenshotsvideoeditor32_64.exe (PID: 7372)
  - RegAsm.exe (PID: 7872)
- Checks Windows Trust Settings
  - RegAsm.exe (PID: 8148)
  - RegAsm.exe (PID: 1780)
  - RegAsm.exe (PID: 7584)
  - RegAsm.exe (PID: 7872)
- Potential Corporate Privacy Violation
  - RegAsm.exe (PID: 8148)
  - RegAsm.exe (PID: 7880)
  - svchost.exe (PID: 2256)
  - RegAsm.exe (PID: 7584)
- Executable content was dropped or overwritten
  - RegAsm.exe (PID: 8148)
  - qkchg0C_fbivUrDTBKGVcjOy.exe (PID: 644)
  - qkchg0C_fbivUrDTBKGVcjOy.tmp (PID: 368)
  - r6q6JmYR_6_fcVa1QPSFfaP_.exe (PID: 6180)
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 3692)
  - screenshotsvideoeditor32_64.exe (PID: 7372)
  - RegAsm.exe (PID: 7880)
  - lfgB18sExFkw57rHGoT4q1wy.exe (PID: 6444)
  - etzpikspwykg.exe (PID: 6120)
  - RegAsm.exe (PID: 7584)
  - etzpikspwykg.exe (PID: 6856)
  - conhost.exe (PID: 7276)
- Process requests binary or script from the Internet
  - RegAsm.exe (PID: 8148)
  - RegAsm.exe (PID: 7880)
- Reads the Windows owner or organization settings
  - qkchg0C_fbivUrDTBKGVcjOy.tmp (PID: 368)
- Reads the BIOS version
  - 0F5VKPLjrrBWzMrqKGvCrMjU.exe (PID: 7716)
- Windows Defender mutex has been found
  - RegAsm.exe (PID: 7880)
  - 0F5VKPLjrrBWzMrqKGvCrMjU.exe (PID: 7716)
- Application launched itself
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 7028)
  - nXZiPmY6HDzQDc9KL8meHuLZ.exe (PID: 7636)
- Searches for installed software
  - RegAsm.exe (PID: 7880)
  - nXZiPmY6HDzQDc9KL8meHuLZ.exe (PID: 6984)
  - RegAsm.exe (PID: 1780)
  - RegAsm.exe (PID: 7188)
  - RegAsm.exe (PID: 7584)
  - RegAsm.exe (PID: 7872)
- Contacting a server suspected of hosting an CnC
  - RegAsm.exe (PID: 7880)
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 3692)
  - nXZiPmY6HDzQDc9KL8meHuLZ.exe (PID: 6984)
  - RegAsm.exe (PID: 7584)
  - 0F5VKPLjrrBWzMrqKGvCrMjU.exe (PID: 7716)
  - screenshotsvideoeditor32_64.exe (PID: 7372)
  - RegAsm.exe (PID: 7872)
- Connects to unusual port
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 3692)
  - nXZiPmY6HDzQDc9KL8meHuLZ.exe (PID: 6984)
  - BitLockerToGo.exe (PID: 6156)
- The process drops Mozilla's DLL files
  - RegAsm.exe (PID: 7880)
- The process drops C-runtime libraries
  - RegAsm.exe (PID: 7880)
- Reads the date of Windows installation
  - RegAsm.exe (PID: 7880)
- Starts CMD.EXE for commands execution
  - RegAsm.exe (PID: 7880)
- Starts SC.EXE for service management
  - lfgB18sExFkw57rHGoT4q1wy.exe (PID: 6444)
- Uses powercfg.exe to modify the power settings
  - lfgB18sExFkw57rHGoT4q1wy.exe (PID: 6444)
  - etzpikspwykg.exe (PID: 6120)
  - etzpikspwykg.exe (PID: 6856)
- Drops a system driver (possible attempt to evade defenses)
  - etzpikspwykg.exe (PID: 6120)
  - etzpikspwykg.exe (PID: 6856)
- Executes as Windows Service
  - etzpikspwykg.exe (PID: 6120)
- Crypto Currency Mining Activity Detected
  - svchost.exe (PID: 2256)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - RegAsm.exe (PID: 7584)
  - RegAsm.exe (PID: 7872)
INFO
- Checks supported languages
  - identity_helper.exe (PID: 7432)
  - identity_helper.exe (PID: 6224)
  - File.exe (PID: 6976)
  - RegAsm.exe (PID: 8148)
  - qkchg0C_fbivUrDTBKGVcjOy.exe (PID: 644)
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 7028)
  - K19IWhrfNWdXtcCnwIi9Qf7Z.exe (PID: 2816)
  - nXZiPmY6HDzQDc9KL8meHuLZ.exe (PID: 7636)
  - 1dyNvxHMcZ07Eq_AoDxKfm7S.exe (PID: 568)
  - lfgB18sExFkw57rHGoT4q1wy.exe (PID: 6444)
  - qkchg0C_fbivUrDTBKGVcjOy.tmp (PID: 368)
  - 0F5VKPLjrrBWzMrqKGvCrMjU.exe (PID: 7716)
  - aShIe9YIu4jLD1sHwgbHHKIP.exe (PID: 7156)
  - r6q6JmYR_6_fcVa1QPSFfaP_.exe (PID: 6180)
  - YvQe0ulKhIUU6gEiJH7POcRG.exe (PID: 7648)
  - RegAsm.exe (PID: 7872)
  - RegAsm.exe (PID: 7880)
  - RegAsm.exe (PID: 1780)
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 3692)
  - nXZiPmY6HDzQDc9KL8meHuLZ.exe (PID: 6984)
  - screenshotsvideoeditor32_64.exe (PID: 7372)
  - BitLockerToGo.exe (PID: 6156)
  - RegAsm.exe (PID: 7584)
  - adminCAKKJKKECF.exe (PID: 1636)
  - RegAsm.exe (PID: 7188)
  - adminAKFCFBAAEH.exe (PID: 1492)
  - etzpikspwykg.exe (PID: 6120)
  - identity_helper.exe (PID: 3784)
  - identity_helper.exe (PID: 4100)
  - etzpikspwykg.exe (PID: 6856)
- Reads Microsoft Office registry keys
  - msedge.exe (PID: 2876)
  - OpenWith.exe (PID: 3036)
  - msedge.exe (PID: 7764)
  - Taskmgr.exe (PID: 6904)
  - msedge.exe (PID: 7716)
- Application launched itself
  - msedge.exe (PID: 2876)
  - msedge.exe (PID: 7764)
  - msedge.exe (PID: 7716)
- Reads the computer name
  - identity_helper.exe (PID: 6224)
  - identity_helper.exe (PID: 7432)
  - File.exe (PID: 6976)
  - RegAsm.exe (PID: 8148)
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 7028)
  - nXZiPmY6HDzQDc9KL8meHuLZ.exe (PID: 7636)
  - qkchg0C_fbivUrDTBKGVcjOy.tmp (PID: 368)
  - aShIe9YIu4jLD1sHwgbHHKIP.exe (PID: 7156)
  - 0F5VKPLjrrBWzMrqKGvCrMjU.exe (PID: 7716)
  - 1dyNvxHMcZ07Eq_AoDxKfm7S.exe (PID: 568)
  - YvQe0ulKhIUU6gEiJH7POcRG.exe (PID: 7648)
  - RegAsm.exe (PID: 7880)
  - RegAsm.exe (PID: 1780)
  - nXZiPmY6HDzQDc9KL8meHuLZ.exe (PID: 6984)
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 3692)
  - screenshotsvideoeditor32_64.exe (PID: 7372)
  - adminAKFCFBAAEH.exe (PID: 1492)
  - RegAsm.exe (PID: 7584)
  - adminCAKKJKKECF.exe (PID: 1636)
  - RegAsm.exe (PID: 7188)
  - identity_helper.exe (PID: 3784)
  - RegAsm.exe (PID: 7872)
  - identity_helper.exe (PID: 4100)
- Reads Environment values
  - identity_helper.exe (PID: 6224)
  - identity_helper.exe (PID: 7432)
  - RegAsm.exe (PID: 7880)
  - nXZiPmY6HDzQDc9KL8meHuLZ.exe (PID: 6984)
  - RegAsm.exe (PID: 1780)
  - RegAsm.exe (PID: 7584)
  - identity_helper.exe (PID: 3784)
  - RegAsm.exe (PID: 7872)
  - identity_helper.exe (PID: 4100)
- Manual execution by a user
  - File.exe (PID: 6976)
  - Taskmgr.exe (PID: 6904)
  - Taskmgr.exe (PID: 5276)
  - msedge.exe (PID: 7224)
  - msedge.exe (PID: 6872)
  - msedge.exe (PID: 7764)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6012)
- Reads the machine GUID from the registry
  - File.exe (PID: 6976)
  - RegAsm.exe (PID: 8148)
  - nXZiPmY6HDzQDc9KL8meHuLZ.exe (PID: 7636)
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 7028)
  - aShIe9YIu4jLD1sHwgbHHKIP.exe (PID: 7156)
  - nXZiPmY6HDzQDc9KL8meHuLZ.exe (PID: 6984)
  - RegAsm.exe (PID: 1780)
  - RegAsm.exe (PID: 7584)
  - RegAsm.exe (PID: 7872)
- Creates files in the program directory
  - File.exe (PID: 6976)
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 3692)
  - screenshotsvideoeditor32_64.exe (PID: 7372)
  - RegAsm.exe (PID: 7880)
  - RegAsm.exe (PID: 1780)
  - RegAsm.exe (PID: 7584)
  - lfgB18sExFkw57rHGoT4q1wy.exe (PID: 6444)
  - RegAsm.exe (PID: 7872)
- Reads the software policy settings
  - RegAsm.exe (PID: 8148)
  - RegAsm.exe (PID: 1780)
  - nXZiPmY6HDzQDc9KL8meHuLZ.exe (PID: 6984)
  - RegAsm.exe (PID: 7584)
  - RegAsm.exe (PID: 7188)
  - RegAsm.exe (PID: 7872)
- Process checks computer location settings
  - RegAsm.exe (PID: 8148)
  - RegAsm.exe (PID: 7880)
- Checks proxy server information
  - RegAsm.exe (PID: 8148)
  - RegAsm.exe (PID: 7880)
  - RegAsm.exe (PID: 1780)
  - RegAsm.exe (PID: 7584)
  - 0F5VKPLjrrBWzMrqKGvCrMjU.exe (PID: 7716)
  - screenshotsvideoeditor32_64.exe (PID: 7372)
  - RegAsm.exe (PID: 7872)
- Creates files or folders in the user directory
  - RegAsm.exe (PID: 8148)
  - qkchg0C_fbivUrDTBKGVcjOy.tmp (PID: 368)
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 3692)
  - RegAsm.exe (PID: 7880)
  - RegAsm.exe (PID: 1780)
  - RegAsm.exe (PID: 7584)
  - 0F5VKPLjrrBWzMrqKGvCrMjU.exe (PID: 7716)
  - RegAsm.exe (PID: 7872)
- Reads security settings of Internet Explorer
  - OpenWith.exe (PID: 3036)
  - notepad.exe (PID: 812)
  - Taskmgr.exe (PID: 6904)
- Create files in a temporary directory
  - qkchg0C_fbivUrDTBKGVcjOy.tmp (PID: 368)
  - qkchg0C_fbivUrDTBKGVcjOy.exe (PID: 644)
  - K19IWhrfNWdXtcCnwIi9Qf7Z.exe (PID: 2816)
  - RegAsm.exe (PID: 7872)
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 3692)
- Creates a software uninstall entry
  - qkchg0C_fbivUrDTBKGVcjOy.tmp (PID: 368)
- Reads product name
  - RegAsm.exe (PID: 7880)
  - RegAsm.exe (PID: 1780)
  - RegAsm.exe (PID: 7584)
  - RegAsm.exe (PID: 7872)
- Reads CPU info
  - RegAsm.exe (PID: 7880)
  - RegAsm.exe (PID: 1780)
  - RegAsm.exe (PID: 7584)
  - RegAsm.exe (PID: 7872)
- Themida protector has been detected
  - 0F5VKPLjrrBWzMrqKGvCrMjU.exe (PID: 7716)
- .NET Reactor protector has been detected
  - nyjXX53CD_EmphlkPOHix9__.exe (PID: 3692)
- Attempting to use instant messaging service
  - RegAsm.exe (PID: 7584)
  - RegAsm.exe (PID: 7872)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Vidar

(PID) Process(7872) RegAsm.exe

C2https://t.me/jamelwt

URLhttps://steamcommunity.com/profiles/76561199761128941

Strings (239)INSERT_KEY_HERE

lstrcpyA

GetEnvironmentVariableA

GdipSaveImageToStream

History

runas

ssfn*

GetProcAddress

lstrcatA

OpenEventA

CloseHandle

Sleep

GetUserDefaultLangID

VirtualAllocExNuma

VirtualFree

GetSystemInfo

HeapAlloc

GetComputerNameA

GetProcessHeap

GetCurrentProcess

lstrlenA

ExitProcess

GlobalMemoryStatusEx

GetSystemTime

SystemTimeToFileTime

gdi32.dll

user32.dll

crypt32.dll

ntdll.dll

CreateDCA

GetDeviceCaps

ReleaseDC

CryptStringToBinaryA

sscanf

NtQueryInformationProcess

HAL9TH

JohnDoe

DISPLAY

%hu/%hu/%hu

GetFileAttributesA

GlobalLock

GlobalSize

CreateToolhelp32Snapshot

IsWow64Process

Process32Next

GetLocalTime

GetTimeZoneInformation

GetSystemPowerStatus

GetVolumeInformationA

Process32First

GetLocaleInfoA

GetUserDefaultLocaleName

GetModuleFileNameA

FindNextFileA

SetEnvironmentVariableA

LocalAlloc

GetFileSizeEx

SetFilePointer

FindFirstFileA

VirtualProtect

GetLogicalProcessorInformationEx

GetLastError

MultiByteToWideChar

GlobalFree

WideCharToMultiByte

TerminateProcess

GetCurrentProcessId

rstrtmgr.dll

CreateCompatibleBitmap

SelectObject

BitBlt

DeleteObject

CreateCompatibleDC

GdipGetImageEncodersSize

GdipGetImageEncoders

GdipCreateBitmapFromHBITMA

GdiplusStartup

GdiplusShutdown

GdipDisposeImage

GetHGlobalFromStream

CreateStreamOnHGlobal

CoUninitialize

CoInitialize

CoCreateInstance

BCryptGenerateSymmetricKey

BCryptCloseAlgorithmProvider

BCryptDecrypt

BCryptSetProperty

BCryptDestroyKey

BCryptOpenAlgorithmProvider

GetWindowRect

GetDesktopWindow

GetDC

EnumDisplayDevicesA

GetKeyboardLayoutList

CharToOemW

RegQueryValueExA

RegEnumKeyExA

RegOpenKeyExA

RegEnumValueA

CryptBinaryToStringA

CryptUnprotectData

SHGetFolderPathA

InternetOpenUrlA

InternetConnectA

InternetCloseHandle

InternetOpenA

HttpSendRequestA

HttpOpenRequestA

InternetReadFile

InternetCrackUrlA

StrStrA

PathMatchSpecA

GetModuleFileNameExA

RmStartSession

RmRegisterResources

RmEndSession

sqlite3_open

sqlite3_prepare_v2

sqlite3_step

sqlite3_column_text

sqlite3_finalize

sqlite3_close

sqlite3_column_bytes

sqlite3_column_blob

encrypted_key

PATH

C:\ProgramData\nss3.dll

NSS_Shutdown

PK11_GetInternalKeySlot

PK11_FreeSlot

PK11_Authenticate

PK11SDR_Decrypt

C:\ProgramData\

SELECT origin_url, username_value, password_value FROM logins

Soft:

Host:

Password:

Opera

OperaGX

Network

.txt

TRUE

FALSE

SELECT name, value FROM autofill

History

SELECT url FROM urls LIMIT 1000

SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards

Name:

Month:

Year:

Card:

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

guid

SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies

SELECT fieldname, value FROM moz_formhistory

SELECT url FROM moz_places LIMIT 1000

cookies.sqlite

formhistory.sqlite

places.sqlite

Plugins

Local Extension Settings

Sync Extension Settings

Opera Stable

Opera GX Stable

CURRENT

chrome-extension_

_0.indexeddb.leveldb

profiles.ini

chrome

opera

firefox

Wallets

%08lX%04lX%lu

SOFTWARE\Microsoft\Windows NT\CurrentVersion

x64

%d/%d/%d %d:%d:%d

HARDWARE\DESCRIPTION\System\CentralProcessor\0

ProcessorNameString

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

DisplayVersion

msvcp140.dll

softokn3.dll

vcruntime140.dll

\Temp\

.exe

open

%LOCALAPPDATA%

%USERPROFILE%

%PROGRAMFILES%

%PROGRAMFILES_86%

*.lnk

Files

\Local Storage\leveldb\CURRENT

\Local Storage\leveldb

\Telegram Desktop\

D877F783D5D3EF8C*

map*

A7FDF864FBC10B77*

A92DAA6EA6F891F2*

F8806DD0C461824F*

Tox

*.tox

*.ini

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375

Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\

\Outlook\accounts.txt

Pidgin

accounts.xml

token:

Software\Valve\Steam

config.vdf

DialogConfig.vdf

DialogConfigOverlay*.vdf

libraryfolders.vdf

loginusers.vdf

\Steam\

\Discord\tokens.txt

/c timeout /t 5 & del /f /q "

" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\system32\cmd.exe

Content-Type: multipart/form-data; boundary=----

Content-Disposition: form-data; name="

build

token

message

ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890

screenshot.jpg

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

330

Monitored processes

191

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

320

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5924 --field-trial-handle=2328,i,2424936344080586181,9433577600098485305,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

368

"C:\Users\admin\AppData\Local\Temp\is-QFHG8.tmp\qkchg0C_fbivUrDTBKGVcjOy.tmp" /SL5="$B032C,3502296,54272,C:\Users\admin\Documents\piratemamm\qkchg0C_fbivUrDTBKGVcjOy.exe"

C:\Users\admin\AppData\Local\Temp\is-QFHG8.tmp\qkchg0C_fbivUrDTBKGVcjOy.tmp

qkchg0C_fbivUrDTBKGVcjOy.exe

User:

admin

Integrity Level:

HIGH

Description:

Setup/Uninstall

Version:

51.50.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-qfhg8.tmp\qkchg0c_fbivurdtbkgvcjoy.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

508

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6992 --field-trial-handle=2204,i,2891986865210262061,16738758779565796642,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

568

C:\Users\admin\Documents\piratemamm\1dyNvxHMcZ07Eq_AoDxKfm7S.exe

—

RegAsm.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Auto File System Format Utility

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\documents\piratemamm\1dynvxhmcz07eq_aodxkfm7s.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

568

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

adminAKFCFBAAEH.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

644

C:\Users\admin\Documents\piratemamm\qkchg0C_fbivUrDTBKGVcjOy.exe

RegAsm.exe

User:

admin

Company:

Integrity Level:

HIGH

Description:

Screenshots Video Editor Setup

Version:

Modules

Images
c:\users\admin\documents\piratemamm\qkchg0c_fbivurdtbkgvcjoy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

812

"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Downloads\arch373\o1

C:\Windows\System32\notepad.exe

—

OpenWith.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Notepad

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

888

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

964

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4248 --field-trial-handle=2204,i,2891986865210262061,16738758779565796642,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1064

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6624 --field-trial-handle=2328,i,2424936344080586181,9433577600098485305,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

PWA Identity Proxy Host

Exit code:

3221226029

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll

Add for printing

Total events

72 476

Read events

71 818

Write events

630

Delete events

Modification events


(PID) Process:	(1076) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:	write	Name:	L1WatermarkLowPart
Value: 0
(PID) Process:	(1076) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:	write	Name:	L1WatermarkHighPart
Value: 0
(PID) Process:	(1076) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:	write	Name:	NextCheckForUpdateLowDateTime
Value: 0
(PID) Process:	(1076) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:	write	Name:	NextCheckForUpdateHighDateTime
Value: 0
(PID) Process:	(1076) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:	write	Name:	NextCheckForUpdateLowDateTime
Value: 830087204
(PID) Process:	(1076) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:	write	Name:	NextCheckForUpdateHighDateTime
Value: 31127711
(PID) Process:	(1076) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1076) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1076) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1076) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:	write	Name:	CompatibilityFlags
Value: 0

Add for printing

Executable files

Suspicious files

711

Text files

390

Unknown types

Dropped files

PID	Process	Filename		Type
2876	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF129bfa.TMP		—
		MD5:—	SHA256:—
2876	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
2876	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF129bfa.TMP		—
		MD5:—	SHA256:—
2876	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
2876	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF129c09.TMP		—
		MD5:—	SHA256:—
2876	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
2876	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF129c29.TMP		—
		MD5:—	SHA256:—
2876	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
2876	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF129c29.TMP		—
		MD5:—	SHA256:—
2876	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

112

TCP/UDP connections

208

DNS requests

168

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7444	svchost.exe	HEAD	200	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9e987a3f-7b8b-495b-a173-197137c9bbfc?P1=1725325149&P2=404&P3=2&P4=V6dj7L50N2dS0aecM8H0%2bCLst%2fXy4WImd2BHEatSg64rTlASOqJ4GDYGClZ5pu3h27tVE%2fX3ncL1YfT40ZDHrQ%3d%3d	unknown	—	—	whitelisted
1556	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1280	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1556	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7444	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9e987a3f-7b8b-495b-a173-197137c9bbfc?P1=1725325149&P2=404&P3=2&P4=V6dj7L50N2dS0aecM8H0%2bCLst%2fXy4WImd2BHEatSg64rTlASOqJ4GDYGClZ5pu3h27tVE%2fX3ncL1YfT40ZDHrQ%3d%3d	unknown	—	—	whitelisted
7444	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9e987a3f-7b8b-495b-a173-197137c9bbfc?P1=1725325149&P2=404&P3=2&P4=V6dj7L50N2dS0aecM8H0%2bCLst%2fXy4WImd2BHEatSg64rTlASOqJ4GDYGClZ5pu3h27tVE%2fX3ncL1YfT40ZDHrQ%3d%3d	unknown	—	—	whitelisted
7444	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9e987a3f-7b8b-495b-a173-197137c9bbfc?P1=1725325149&P2=404&P3=2&P4=V6dj7L50N2dS0aecM8H0%2bCLst%2fXy4WImd2BHEatSg64rTlASOqJ4GDYGClZ5pu3h27tVE%2fX3ncL1YfT40ZDHrQ%3d%3d	unknown	—	—	whitelisted
7444	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9e987a3f-7b8b-495b-a173-197137c9bbfc?P1=1725325149&P2=404&P3=2&P4=V6dj7L50N2dS0aecM8H0%2bCLst%2fXy4WImd2BHEatSg64rTlASOqJ4GDYGClZ5pu3h27tVE%2fX3ncL1YfT40ZDHrQ%3d%3d	unknown	—	—	whitelisted
7444	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9e987a3f-7b8b-495b-a173-197137c9bbfc?P1=1725325149&P2=404&P3=2&P4=V6dj7L50N2dS0aecM8H0%2bCLst%2fXy4WImd2BHEatSg64rTlASOqJ4GDYGClZ5pu3h27tVE%2fX3ncL1YfT40ZDHrQ%3d%3d	unknown	—	—	whitelisted
7444	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9e987a3f-7b8b-495b-a173-197137c9bbfc?P1=1725325149&P2=404&P3=2&P4=V6dj7L50N2dS0aecM8H0%2bCLst%2fXy4WImd2BHEatSg64rTlASOqJ4GDYGClZ5pu3h27tVE%2fX3ncL1YfT40ZDHrQ%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3352	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4316	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4600	msedge.exe	172.67.178.102:443	aphodivarusesuvid.com	—	—	unknown
2876	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted
4600	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4600	msedge.exe	188.114.96.3:443	tlniurl.com	CLOUDFLARENET	NL	malicious
4600	msedge.exe	13.107.21.239:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4600	msedge.exe	94.245.104.56:443	api.edgeoffer.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.185.206	whitelisted
tlniurl.com	188.114.96.3 188.114.97.3	malicious
config.edge.skype.com	13.107.42.16	whitelisted
edge.microsoft.com	13.107.21.239 204.79.197.239	whitelisted
api.edgeoffer.microsoft.com	94.245.104.56	whitelisted
business.bing.com	13.107.6.158	whitelisted
edge-mobile-static.azureedge.net	13.107.246.45	whitelisted
bzib.nelreports.net	23.48.23.26 23.48.23.51	whitelisted
aphodivarusesuvid.com	172.67.178.102 104.21.88.116	unknown
mikedownload.net	188.72.236.196	unknown

Threats

PID	Process	Class	Message
8148	RegAsm.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
8148	RegAsm.exe	A Network Trojan was detected	ET MALWARE PrivateLoader CnC Activity (GET)
8148	RegAsm.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
8148	RegAsm.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
2256	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
8148	RegAsm.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
8148	RegAsm.exe	A Network Trojan was detected	ET MALWARE PrivateLoader CnC Activity (POST)
8148	RegAsm.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
8148	RegAsm.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
8148	RegAsm.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in

3 ETPRO signatures available at the full report

Add for printing

Process	Message
0F5VKPLjrrBWzMrqKGvCrMjU.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

https://tlniurl.com/2yI2Nm

96116E57FF2EC2C85536336F40379023

6EB76F4F49C4BA9C83EA62B0CF6A58AC81A7E021

D7C972C6CE6D5BF64379989F54D89C059EB80B6821D4CDCBBDFD8EC68D8625EB

3:N8BLMCJ2u7In:29xJI

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

PRIVATELOADER has been detected (SURICATA)

Connects to the CnC server

Actions looks like stealing of personal data

Changes the autorun value in the registry

Create files in the Startup directory

Uses Task Scheduler to run other applications

Uses Task Scheduler to autorun other applications

STEALC has been detected (SURICATA)

Stealers network behavior

RISEPRO has been detected (SURICATA)

METASTEALER has been detected (SURICATA)

Steals credentials from Web Browsers

STEALC has been detected (YARA)

VIDAR has been detected (YARA)

LUMMA has been detected (SURICATA)

MINER has been detected (SURICATA)

SOCKS5SYSTEMZ has been detected (SURICATA)

SUSPICIOUS

Process drops legitimate windows executable

Connects to the server without a host name

Checks for external IP

Drops the executable file immediately after the start

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Potential Corporate Privacy Violation

Executable content was dropped or overwritten

Process requests binary or script from the Internet

Reads the Windows owner or organization settings

Reads the BIOS version

Windows Defender mutex has been found

Application launched itself

Searches for installed software

Contacting a server suspected of hosting an CnC

Connects to unusual port

The process drops Mozilla's DLL files

The process drops C-runtime libraries

Reads the date of Windows installation

Starts CMD.EXE for commands execution

Starts SC.EXE for service management

Uses powercfg.exe to modify the power settings

Drops a system driver (possible attempt to evade defenses)

Executes as Windows Service

Crypto Currency Mining Activity Detected

Process communicates with Telegram (possibly using it as an attacker's C2 server)

INFO

Checks supported languages

Reads Microsoft Office registry keys

Application launched itself

Reads the computer name

Reads Environment values

Manual execution by a user

Executable content was dropped or overwritten

Reads the machine GUID from the registry

Creates files in the program directory

Reads the software policy settings

Process checks computer location settings

Checks proxy server information

Creates files or folders in the user directory

Reads security settings of Internet Explorer

Create files in a temporary directory

Creates a software uninstall entry

Reads product name

Reads CPU info

Themida protector has been detected

.NET Reactor protector has been detected

Attempting to use instant messaging service

Malware configuration

Vidar