File name:

sgfds.exe

Full analysis: https://app.any.run/tasks/5a663c86-d28e-4bb0-930b-fe2e1996b911
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: September 10, 2024, 18:07:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
stealc
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

5409B0FC8B14C5B24F5DB3EDE8CEF555

SHA1:

9F6BEB3B72E1956860CDC4683FCB788B2B912713

SHA256:

DAF4E8849A3B6011BFF41CC2C7DECEE8C769A4EBF2BE3D7316930F40448DDB25

SSDEEP:

6144:xDqqUVAQRStvSYEVUtpkuU7mK/ncXdkUHC0j0rRZ:AtVA+fitpXU7mWcNkwrQrRZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • STEALC has been detected (SURICATA)

      • RegAsm.exe (PID: 4440)

    • Connects to the CnC server

      • RegAsm.exe (PID: 4440)

    • Stealers network behavior

      • RegAsm.exe (PID: 4440)

    • Steals credentials from Web Browsers

      • RegAsm.exe (PID: 4440)

    • STEALC has been detected (YARA)

      • RegAsm.exe (PID: 4440)

    • Actions looks like stealing of personal data

      • RegAsm.exe (PID: 4440)

  • SUSPICIOUS

    • Windows Defender mutex has been found

      • RegAsm.exe (PID: 4440)

    • Reads security settings of Internet Explorer

      • RegAsm.exe (PID: 4440)

    • Searches for installed software

      • RegAsm.exe (PID: 4440)

    • Executable content was dropped or overwritten

      • RegAsm.exe (PID: 4440)

    • Process requests binary or script from the Internet

      • RegAsm.exe (PID: 4440)

    • The process drops Mozilla's DLL files

      • RegAsm.exe (PID: 4440)

    • Process drops legitimate windows executable

      • RegAsm.exe (PID: 4440)

    • The process drops C-runtime libraries

      • RegAsm.exe (PID: 4440)

    • Checks Windows Trust Settings

      • RegAsm.exe (PID: 4440)

    • Contacting a server suspected of hosting an CnC

      • RegAsm.exe (PID: 4440)

    • Potential Corporate Privacy Violation

      • RegAsm.exe (PID: 4440)

    • Connects to the server without a host name

      • RegAsm.exe (PID: 4440)

    • Starts CMD.EXE for commands execution

      • RegAsm.exe (PID: 4440)

  • INFO

    • Checks supported languages

      • sgfds.exe (PID: 6988)
      • RegAsm.exe (PID: 4440)

    • Checks proxy server information

      • RegAsm.exe (PID: 4440)

    • Reads the computer name

      • RegAsm.exe (PID: 4440)
      • sgfds.exe (PID: 6988)

    • Creates files or folders in the user directory

      • RegAsm.exe (PID: 4440)

    • Reads Environment values

      • RegAsm.exe (PID: 4440)

    • Reads product name

      • RegAsm.exe (PID: 4440)

    • Reads CPU info

      • RegAsm.exe (PID: 4440)

    • Reads the machine GUID from the registry

      • RegAsm.exe (PID: 4440)

    • Reads the software policy settings

      • RegAsm.exe (PID: 4440)

    • Creates files in the program directory

      • RegAsm.exe (PID: 4440)

    • The process uses the downloaded file

      • RegAsm.exe (PID: 4440)

    • Process checks computer location settings

      • RegAsm.exe (PID: 4440)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Stealc

(PID) Process(4440) RegAsm.exe
C246.8.231.109
Strings (353)INSERT_KEY_HERE
09
10
20
24
GetProcAddress
LoadLibraryA
lstrcatA
OpenEventA
CreateEventA
CloseHandle
Sleep
GetUserDefaultLangID
VirtualAllocExNuma
VirtualFree
GetSystemInfo
VirtualAlloc
HeapAlloc
GetComputerNameA
lstrcpyA
GetProcessHeap
GetCurrentProcess
lstrlenA
ExitProcess
GlobalMemoryStatusEx
GetSystemTime
SystemTimeToFileTime
advapi32.dll
gdi32.dll
user32.dll
crypt32.dll
ntdll.dll
GetUserNameA
CreateDCA
GetDeviceCaps
ReleaseDC
CryptStringToBinaryA
sscanf
VMwareVMware
HAL9TH
JohnDoe
DISPLAY
%hu/%hu/%hu
http://46.8.231.109
george
|
/c4754d4f680ead72.php
/1309cdeb8f4c8736/
default
GetEnvironmentVariableA
GetFileAttributesA
GlobalLock
HeapFree
GetFileSize
GlobalSize
CreateToolhelp32Snapshot
IsWow64Process
Process32Next
GetLocalTime
FreeLibrary
GetTimeZoneInformation
GetSystemPowerStatus
GetVolumeInformationA
GetWindowsDirectoryA
Process32First
GetLocaleInfoA
GetUserDefaultLocaleName
GetModuleFileNameA
DeleteFileA
FindNextFileA
LocalFree
FindClose
SetEnvironmentVariableA
LocalAlloc
GetFileSizeEx
ReadFile
SetFilePointer
WriteFile
CreateFileA
FindFirstFileA
CopyFileA
VirtualProtect
GetLogicalProcessorInformationEx
GetLastError
lstrcpynA
MultiByteToWideChar
GlobalFree
WideCharToMultiByte
GlobalAlloc
OpenProcess
TerminateProcess
GetCurrentProcessId
gdiplus.dll
ole32.dll
bcrypt.dll
wininet.dll
shlwapi.dll
shell32.dll
psapi.dll
rstrtmgr.dll
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
CreateCompatibleDC
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdiplusStartup
GdiplusShutdown
GdipSaveImageToStream
GdipDisposeImage
GdipFree
GetHGlobalFromStream
CreateStreamOnHGlobal
CoUninitialize
CoInitialize
CoCreateInstance
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptOpenAlgorithmProvider
GetWindowRect
GetDesktopWindow
GetDC
CloseWindow
wsprintfA
EnumDisplayDevicesA
GetKeyboardLayoutList
CharToOemW
wsprintfW
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegCloseKey
RegEnumValueA
CryptBinaryToStringA
CryptUnprotectData
SHGetFolderPathA
ShellExecuteExA
InternetOpenUrlA
InternetConnectA
InternetCloseHandle
InternetOpenA
HttpSendRequestA
HttpOpenRequestA
InternetReadFile
InternetCrackUrlA
StrCmpCA
StrStrA
StrCmpCW
PathMatchSpecA
GetModuleFileNameExA
RmStartSession
RmRegisterResources
RmGetList
RmEndSession
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
PATH
C:\ProgramData\nss3.dll
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
C:\ProgramData\
SELECT origin_url, username_value, password_value FROM logins
browser:
profile:
url:
login:
password:
Opera
OperaGX
Network
cookies
.txt
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
TRUE
FALSE
autofill
SELECT name, value FROM autofill
history
SELECT url FROM urls LIMIT 1000
cc
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
name:
month:
year:
card:
Cookies
Login Data
Web Data
History
logins.json
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places LIMIT 1000
cookies.sqlite
formhistory.sqlite
places.sqlite
plugins
Local Extension Settings
Sync Extension Settings
IndexedDB
Opera Stable
Opera GX Stable
CURRENT
chrome-extension_
_0.indexeddb.leveldb
Local State
profiles.ini
chrome
opera
firefox
wallets
%08lX%04lX%lu
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
x32
x64
%d/%d/%d %d:%d:%d
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
DisplayVersion
Network Info:
- IP: IP?
- Country: ISO?
System Summary:
- HWID:
- OS:
- Architecture:
- UserName:
- Computer Name:
- Local Time:
- UTC:
- Language:
- Keyboards:
- Laptop:
- Running Path:
- CPU:
- Threads:
- Cores:
- RAM:
- Display Resolution:
- GPU:
User Agents:
Installed Apps:
All Users:
Current User:
Process List:
system_info.txt
freebl3.dll
mozglue.dll
msvcp140.dll
nss3.dll
softokn3.dll
vcruntime140.dll
\Temp\
.exe
runas
open
/c start
%DESKTOP%
%APPDATA%
%LOCALAPPDATA%
%USERPROFILE%
%DOCUMENTS%
%PROGRAMFILES%
%PROGRAMFILES_86%
%RECENT%
*.lnk
files
\discord\
\Local Storage\leveldb\CURRENT
\Local Storage\leveldb
\Telegram Desktop\
key_datas
D877F783D5D3EF8C*
map*
A7FDF864FBC10B77*
A92DAA6EA6F891F2*
F8806DD0C461824F*
Telegram
Tox
*.tox
*.ini
Password
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
00000001
00000002
00000003
00000004
\Outlook\accounts.txt
Pidgin
\.purple\
accounts.xml
dQw4w9WgXcQ
token:
Software\Valve\Steam
SteamPath
\config\
ssfn*
config.vdf
DialogConfig.vdf
DialogConfigOverlay*.vdf
libraryfolders.vdf
loginusers.vdf
\Steam\
sqlite3.dll
browsers
done
soft
\Discord\tokens.txt
/c timeout /t 5 & del /f /q "
" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\system32\cmd.exe
https
Content-Type: multipart/form-data; boundary=----
POST
HTTP/1.1
Content-Disposition: form-data; name="
hwid
build
token
file_name
file
message
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
screenshot.jpg
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:09:10 17:07:18+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 198144
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x3255e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: diffident kerosines
CompanyName: walkouts dashboard
FileDescription: dig twiddlier keeks
FileVersion: 1.0.0.0
InternalName: VQP.exe
LegalCopyright: Copyright 2024
OriginalFileName: VQP.exe
ProductName: postfire frolicker
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start sgfds.exe no specs conhost.exe no specs #STEALC regasm.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
876"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\adminFCFBGIDAEH.exe"C:\Windows\SysWOW64\cmd.exeRegAsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1840\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4060\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4440"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
sgfds.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Stealc
(PID) Process(4440) RegAsm.exe
C246.8.231.109
Strings (353)INSERT_KEY_HERE
09
10
20
24
GetProcAddress
LoadLibraryA
lstrcatA
OpenEventA
CreateEventA
CloseHandle
Sleep
GetUserDefaultLangID
VirtualAllocExNuma
VirtualFree
GetSystemInfo
VirtualAlloc
HeapAlloc
GetComputerNameA
lstrcpyA
GetProcessHeap
GetCurrentProcess
lstrlenA
ExitProcess
GlobalMemoryStatusEx
GetSystemTime
SystemTimeToFileTime
advapi32.dll
gdi32.dll
user32.dll
crypt32.dll
ntdll.dll
GetUserNameA
CreateDCA
GetDeviceCaps
ReleaseDC
CryptStringToBinaryA
sscanf
VMwareVMware
HAL9TH
JohnDoe
DISPLAY
%hu/%hu/%hu
http://46.8.231.109
george
|
/c4754d4f680ead72.php
/1309cdeb8f4c8736/
default
GetEnvironmentVariableA
GetFileAttributesA
GlobalLock
HeapFree
GetFileSize
GlobalSize
CreateToolhelp32Snapshot
IsWow64Process
Process32Next
GetLocalTime
FreeLibrary
GetTimeZoneInformation
GetSystemPowerStatus
GetVolumeInformationA
GetWindowsDirectoryA
Process32First
GetLocaleInfoA
GetUserDefaultLocaleName
GetModuleFileNameA
DeleteFileA
FindNextFileA
LocalFree
FindClose
SetEnvironmentVariableA
LocalAlloc
GetFileSizeEx
ReadFile
SetFilePointer
WriteFile
CreateFileA
FindFirstFileA
CopyFileA
VirtualProtect
GetLogicalProcessorInformationEx
GetLastError
lstrcpynA
MultiByteToWideChar
GlobalFree
WideCharToMultiByte
GlobalAlloc
OpenProcess
TerminateProcess
GetCurrentProcessId
gdiplus.dll
ole32.dll
bcrypt.dll
wininet.dll
shlwapi.dll
shell32.dll
psapi.dll
rstrtmgr.dll
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
CreateCompatibleDC
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdiplusStartup
GdiplusShutdown
GdipSaveImageToStream
GdipDisposeImage
GdipFree
GetHGlobalFromStream
CreateStreamOnHGlobal
CoUninitialize
CoInitialize
CoCreateInstance
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptOpenAlgorithmProvider
GetWindowRect
GetDesktopWindow
GetDC
CloseWindow
wsprintfA
EnumDisplayDevicesA
GetKeyboardLayoutList
CharToOemW
wsprintfW
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegCloseKey
RegEnumValueA
CryptBinaryToStringA
CryptUnprotectData
SHGetFolderPathA
ShellExecuteExA
InternetOpenUrlA
InternetConnectA
InternetCloseHandle
InternetOpenA
HttpSendRequestA
HttpOpenRequestA
InternetReadFile
InternetCrackUrlA
StrCmpCA
StrStrA
StrCmpCW
PathMatchSpecA
GetModuleFileNameExA
RmStartSession
RmRegisterResources
RmGetList
RmEndSession
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
PATH
C:\ProgramData\nss3.dll
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
C:\ProgramData\
SELECT origin_url, username_value, password_value FROM logins
browser:
profile:
url:
login:
password:
Opera
OperaGX
Network
cookies
.txt
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
TRUE
FALSE
autofill
SELECT name, value FROM autofill
history
SELECT url FROM urls LIMIT 1000
cc
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
name:
month:
year:
card:
Cookies
Login Data
Web Data
History
logins.json
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places LIMIT 1000
cookies.sqlite
formhistory.sqlite
places.sqlite
plugins
Local Extension Settings
Sync Extension Settings
IndexedDB
Opera Stable
Opera GX Stable
CURRENT
chrome-extension_
_0.indexeddb.leveldb
Local State
profiles.ini
chrome
opera
firefox
wallets
%08lX%04lX%lu
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
x32
x64
%d/%d/%d %d:%d:%d
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
DisplayVersion
Network Info:
- IP: IP?
- Country: ISO?
System Summary:
- HWID:
- OS:
- Architecture:
- UserName:
- Computer Name:
- Local Time:
- UTC:
- Language:
- Keyboards:
- Laptop:
- Running Path:
- CPU:
- Threads:
- Cores:
- RAM:
- Display Resolution:
- GPU:
User Agents:
Installed Apps:
All Users:
Current User:
Process List:
system_info.txt
freebl3.dll
mozglue.dll
msvcp140.dll
nss3.dll
softokn3.dll
vcruntime140.dll
\Temp\
.exe
runas
open
/c start
%DESKTOP%
%APPDATA%
%LOCALAPPDATA%
%USERPROFILE%
%DOCUMENTS%
%PROGRAMFILES%
%PROGRAMFILES_86%
%RECENT%
*.lnk
files
\discord\
\Local Storage\leveldb\CURRENT
\Local Storage\leveldb
\Telegram Desktop\
key_datas
D877F783D5D3EF8C*
map*
A7FDF864FBC10B77*
A92DAA6EA6F891F2*
F8806DD0C461824F*
Telegram
Tox
*.tox
*.ini
Password
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
00000001
00000002
00000003
00000004
\Outlook\accounts.txt
Pidgin
\.purple\
accounts.xml
dQw4w9WgXcQ
token:
Software\Valve\Steam
SteamPath
\config\
ssfn*
config.vdf
DialogConfig.vdf
DialogConfigOverlay*.vdf
libraryfolders.vdf
loginusers.vdf
\Steam\
sqlite3.dll
browsers
done
soft
\Discord\tokens.txt
/c timeout /t 5 & del /f /q "
" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\system32\cmd.exe
https
Content-Type: multipart/form-data; boundary=----
POST
HTTP/1.1
Content-Disposition: form-data; name="
hwid
build
token
file_name
file
message
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
screenshot.jpg
5044"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\adminCFBAKEHIEB.exe"C:\Windows\SysWOW64\cmd.exeRegAsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6988"C:\Users\admin\Desktop\sgfds.exe" C:\Users\admin\Desktop\sgfds.exeexplorer.exe
User:
admin
Company:
walkouts dashboard
Integrity Level:
MEDIUM
Description:
dig twiddlier keeks
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\sgfds.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
7052\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesgfds.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 874
Read events
3 871
Write events
3
Delete events
0

Modification events

(PID) Process:(4440) RegAsm.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(4440) RegAsm.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(4440) RegAsm.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
14
Suspicious files
10
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
4440RegAsm.exeC:\ProgramData\HJJJJKEHCAKFBFHJKEHCFIIDAEsqlite
MD5:06AD9E737639FDC745B3B65312857109
SHA256:C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404
4440RegAsm.exeC:\ProgramData\DGIJECGDbinary
MD5:95FFD778940E6DF4846B0B12C8DD5821
SHA256:21A2DEBD389DB456465DFEFFDB15F0AF3FBC46F007CBA67513A13EB10D14E94F
4440RegAsm.exeC:\ProgramData\JDGIIJJDHDGCGDHIJDAKJKKKFH
MD5:
SHA256:
4440RegAsm.exeC:\ProgramData\mozglue.dllexecutable
MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
4440RegAsm.exeC:\ProgramData\BAKFBKEHsqlite
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
4440RegAsm.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\vcruntime140[1].dllexecutable
MD5:A37EE36B536409056A86F50E67777DD7
SHA256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
4440RegAsm.exeC:\ProgramData\HDBKFHIJKJKECAAAECAEbinary
MD5:29A644B1F0D96166A05602FE27B3F4AD
SHA256:BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
4440RegAsm.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\msvcp140[1].dllexecutable
MD5:5FF1FCA37C466D6723EC67BE93B51442
SHA256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
4440RegAsm.exeC:\ProgramData\DAEBFHJKJEBFCBFHDAEGbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
4440RegAsm.exeC:\ProgramData\FCBAEHCAEGDHJKFHJKFIJKJEGHbinary
MD5:46D41A1929939B3AD11C639CC2347541
SHA256:AD30E08D89E9460B5DF8D9CD1E9DA068FB201E06303CCD449E197C739C9EFF5B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
26
DNS requests
5
Threats
37

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4440
RegAsm.exe
GET
200
46.8.231.109:80
http://46.8.231.109/
unknown
unknown
6052
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4440
RegAsm.exe
POST
200
46.8.231.109:80
http://46.8.231.109/c4754d4f680ead72.php
unknown
unknown
6428
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2120
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4440
RegAsm.exe
POST
200
46.8.231.109:80
http://46.8.231.109/c4754d4f680ead72.php
unknown
unknown
4440
RegAsm.exe
POST
200
46.8.231.109:80
http://46.8.231.109/c4754d4f680ead72.php
unknown
unknown
4440
RegAsm.exe
POST
200
46.8.231.109:80
http://46.8.231.109/c4754d4f680ead72.php
unknown
unknown
4440
RegAsm.exe
GET
200
46.8.231.109:80
http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
unknown
unknown
4440
RegAsm.exe
POST
200
46.8.231.109:80
http://46.8.231.109/c4754d4f680ead72.php
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6052
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6428
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4440
RegAsm.exe
46.8.231.109:80
Fiord Networks, UAB
RU
malicious
6052
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6428
RUXIMICS.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2120
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
6052
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 172.217.18.14
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
kaysons-group.com
  • 162.240.152.163
unknown

Threats

PID
Process
Class
Message
4440
RegAsm.exe
Malware Command and Control Activity Detected
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
4440
RegAsm.exe
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Stealc HTTP POST Request
4440
RegAsm.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc Requesting browsers Config from C2
4440
RegAsm.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc Requesting plugins Config from C2
4440
RegAsm.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc Submitting System Information to C2
4440
RegAsm.exe
A suspicious filename was detected
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
4440
RegAsm.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
4440
RegAsm.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
4440
RegAsm.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
4440
RegAsm.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
sgfds.exe