File name:	electrum-doge.exe.virus.exe
Full analysis:	https://app.any.run/tasks/3ce7bc05-50a2-4fd1-b421-41265ce14a81
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	November 27, 2024, 14:58:27
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	adware advancedinstaller loader rat rurat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	7396075595568A6AE175AEE87BCA0C04
SHA1:	2A6EC1A995910A382B9B0C57D1AD0233FBF4E7C7
SHA256:	DBD91B94E3583DC487A96D43441329144B087302CE575608DD1D5EA7F781C0AB
SSDEEP:	49152:jvqoRVggrUeL357KT1/72xgdiL+8n4+zsg5T6D0LuX0t8s10YRi7autKyXxhYTRE:QgrUej57a5qed2RAX86

.exe	\|	Win64 Executable (generic) (18)
.exe	\|	Win32 Executable (generic) (2.9)
.exe	\|	Generic Win/DOS Executable (1.3)
.exe	\|	DOS Executable Generic (1.3)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:10:26 15:31:42+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14.15
CodeSize:	1505792
InitializedDataSize:	610304
UninitializedDataSize:	-
EntryPoint:	0x122273
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	3.2.5.0
ProductVersionNumber:	3.2.5.0
FileFlagsMask:	0x003f
FileFlags:	Debug
FileOS:	Win32
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Electrum-DOGE
FileDescription:	Electrum-DOGE Installer
FileVersion:	3.2.5
InternalName:	electrum-doge
LegalCopyright:	Copyright (C) 2024 Electrum-DOGE
OriginalFileName:	electrum-doge.exe
ProductName:	Electrum-DOGE
ProductVersion:	3.2.5


(PID) Process:	(2600) electrum-doge.exe.virus.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation:	delete value	Name:	4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Value:
(PID) Process:	(2600) electrum-doge.exe.virus.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Operation:	write	Name:	Blob
Value: 040000000100000010000000E94FB54871208C00DF70F708AC47085B0F0000000100000030000000C130BBA37B8B350E89FD5ED76B4F78777FEEE220D3B9E729042BEF6AF46E8E4C1B252E32B3080C681BC9A8A1AFDD0A3C0300000001000000140000004EFC31460C619ECAE59C1BCE2C008036D94C84B809000000010000000C000000300A06082B060105050703031D00000001000000100000005467B0ADDE8D858E30EE517B1A19ECD91400000001000000140000001F00BF46800AFC7839B7A5B443D95650BBCE963B53000000010000001F000000301D301B060567810C010330123010060A2B0601040182373C0101030200C06200000001000000200000007B9D553E1C92CB6E8803E137F4F287D4363757F5D44B37D52F9FCA22FB97DF860B000000010000004200000047006C006F00620061006C005300690067006E00200043006F006400650020005300690067006E0069006E006700200052006F006F007400200052003400350000001900000001000000100000005D1B8FF2C30F63F5B536EDD400F7F9B4200000000100000076050000308205723082035AA00302010202107653FEAC75464893F5E5D74A483A4EF8300D06092A864886F70D01010C05003053310B300906035504061302424531193017060355040A1310476C6F62616C5369676E206E762D73613129302706035504031320476C6F62616C5369676E20436F6465205369676E696E6720526F6F7420523435301E170D3230303331383030303030305A170D3435303331383030303030305A3053310B300906035504061302424531193017060355040A1310476C6F62616C5369676E206E762D73613129302706035504031320476C6F62616C5369676E20436F6465205369676E696E6720526F6F742052343530820222300D06092A864886F70D01010105000382020F003082020A0282020100B62DC530DD7AE8AB903D0372B03A4B991661B2E5FFA5671D371CE57EEC9383AA84F5A3439B98458AB863575D9B00880425E9F868924B82D84BC94A03F3A87F6A8F8A6127BDA144D0FDF53F22C2A34F918DB305B22882915DFB5988050B9706C298F82CA73324EE503A41CCF0A0B07B1D4DD2A8583896E9DFF91B91BB8B102CD2C7431DA20974A180AF7BE6330A0C596B8EBCF4AB5A977B7FAE55FB84F080FE844CD7E2BABDC475A16FBD61107444B29807E274ABFF68DC6C263EE91FE5E00487AD30D30C8D037C55B816705C24782025EB676788ABBA4E34986B7011DE38CAD4BEA1C09CE1DF1E0201D83BE1674384B6CFFC74B72F84A3BFBA09373D676CB1455C1961AB4183F5AC1DEB770D464773CEBFBD9595ED9D2B8810FEFA58E8A757E1B3CFA85AE907259B12C49E80723D93DC8C94DF3B44E62680FCD2C303F08C0CD245D62EE78F989EE604EE426E677E42167162E704F960C664A1B69C81214E2BC66D689486C699747367317A91F2D48C796E7CA6BB7E466F4DC585122BCF9A224408A88537CE07615706171224C0C43173A1983557477E103A45D92DA4519098A9A00737C4651AAA1C6B1677F7A797EC3F1930996F31FBEA40B2E7D2C4FAC9D0F050767459FA8D6D1732BEF8E97E03F4E787759AD44A912C850313022B4280F2896A36CFC84CA0CE9EF8CB8DAD16A7D3DED59B18A7C6923AF18263F12E0E2464DF0203010001A3423040300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF301D0603551D0E041604141F00BF46800AFC7839B7A5B443D95650BBCE963B300D06092A864886F70D01010C050003820201005E2BBA749734445F764828408493EE016EE9A1B3D68025E67BE4BC09913D0FFC76ADD7D43020BB8F60D091D61CF29CEF781A2B943202C12496525202D0F3D1FCF29B396E99E11F8E43417D9A1E5BC95D9A84FC26E687F3747226ADA41BD93D3B6A52A03C091E2F1E7BB333B445C7F7ACB1AF9360AD76AEB8B21578EB836AEBFFDB46AB24E5EE02FA901F59C02F5DD6B75DA45C10B77253F8414ECCFA781A254ACAFE85624361C3B437AA81D2F4D63A0FBD8D597E3047DE2B6BE72150335FD4679BD4B8679F3C279903FF85438E7312CA20CDE861D5B166DC17D6396D0FDBCF2337A182894E1C6B3FD6A0CDAA079D3E4226AAD70CEEFA47BF1A527ED17581D3C98A62176D4F88A021A0263EAF6DD962301FE99828AE6E8DD58E4C726693808D2AE355C760679042565C22510FB3DC4E39EE4DDDD91D7810543B6ED0976F03B51EB22373C612B29A64D0FC958524A8FFDFA1B0DC9140AEDF0933ABB9DD92B7F1CC91743B69EB67971B90BFE7C7A06F71BB57BFB78F5AED7A406A16CD80842D2FE102D4249443B315FC0C2B1BFD716FFCCBBC75173A5E83D2C9B32F1BD59C8D7F54FE7E7EE456A387A79DE1595294418F6D5BBE86959AFF1A76DD40D2514A70B41F336323773FEC271E59E40887ED34824A0F3FFEA01DC1F56773458678F4AA29E92787C619DBC61314C33949874DA097E06513F59D7756E9DAB358C73AF2C0CD82
(PID) Process:	(2600) electrum-doge.exe.virus.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Operation:	write	Name:	Blob
Value: 5C0000000100000004000000001000001900000001000000100000005D1B8FF2C30F63F5B536EDD400F7F9B40B000000010000004200000047006C006F00620061006C005300690067006E00200043006F006400650020005300690067006E0069006E006700200052006F006F007400200052003400350000006200000001000000200000007B9D553E1C92CB6E8803E137F4F287D4363757F5D44B37D52F9FCA22FB97DF8653000000010000001F000000301D301B060567810C010330123010060A2B0601040182373C0101030200C01400000001000000140000001F00BF46800AFC7839B7A5B443D95650BBCE963B1D00000001000000100000005467B0ADDE8D858E30EE517B1A19ECD909000000010000000C000000300A06082B060105050703030300000001000000140000004EFC31460C619ECAE59C1BCE2C008036D94C84B80F0000000100000030000000C130BBA37B8B350E89FD5ED76B4F78777FEEE220D3B9E729042BEF6AF46E8E4C1B252E32B3080C681BC9A8A1AFDD0A3C040000000100000010000000E94FB54871208C00DF70F708AC47085B200000000100000076050000308205723082035AA00302010202107653FEAC75464893F5E5D74A483A4EF8300D06092A864886F70D01010C05003053310B300906035504061302424531193017060355040A1310476C6F62616C5369676E206E762D73613129302706035504031320476C6F62616C5369676E20436F6465205369676E696E6720526F6F7420523435301E170D3230303331383030303030305A170D3435303331383030303030305A3053310B300906035504061302424531193017060355040A1310476C6F62616C5369676E206E762D73613129302706035504031320476C6F62616C5369676E20436F6465205369676E696E6720526F6F742052343530820222300D06092A864886F70D01010105000382020F003082020A0282020100B62DC530DD7AE8AB903D0372B03A4B991661B2E5FFA5671D371CE57EEC9383AA84F5A3439B98458AB863575D9B00880425E9F868924B82D84BC94A03F3A87F6A8F8A6127BDA144D0FDF53F22C2A34F918DB305B22882915DFB5988050B9706C298F82CA73324EE503A41CCF0A0B07B1D4DD2A8583896E9DFF91B91BB8B102CD2C7431DA20974A180AF7BE6330A0C596B8EBCF4AB5A977B7FAE55FB84F080FE844CD7E2BABDC475A16FBD61107444B29807E274ABFF68DC6C263EE91FE5E00487AD30D30C8D037C55B816705C24782025EB676788ABBA4E34986B7011DE38CAD4BEA1C09CE1DF1E0201D83BE1674384B6CFFC74B72F84A3BFBA09373D676CB1455C1961AB4183F5AC1DEB770D464773CEBFBD9595ED9D2B8810FEFA58E8A757E1B3CFA85AE907259B12C49E80723D93DC8C94DF3B44E62680FCD2C303F08C0CD245D62EE78F989EE604EE426E677E42167162E704F960C664A1B69C81214E2BC66D689486C699747367317A91F2D48C796E7CA6BB7E466F4DC585122BCF9A224408A88537CE07615706171224C0C43173A1983557477E103A45D92DA4519098A9A00737C4651AAA1C6B1677F7A797EC3F1930996F31FBEA40B2E7D2C4FAC9D0F050767459FA8D6D1732BEF8E97E03F4E787759AD44A912C850313022B4280F2896A36CFC84CA0CE9EF8CB8DAD16A7D3DED59B18A7C6923AF18263F12E0E2464DF0203010001A3423040300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF301D0603551D0E041604141F00BF46800AFC7839B7A5B443D95650BBCE963B300D06092A864886F70D01010C050003820201005E2BBA749734445F764828408493EE016EE9A1B3D68025E67BE4BC09913D0FFC76ADD7D43020BB8F60D091D61CF29CEF781A2B943202C12496525202D0F3D1FCF29B396E99E11F8E43417D9A1E5BC95D9A84FC26E687F3747226ADA41BD93D3B6A52A03C091E2F1E7BB333B445C7F7ACB1AF9360AD76AEB8B21578EB836AEBFFDB46AB24E5EE02FA901F59C02F5DD6B75DA45C10B77253F8414ECCFA781A254ACAFE85624361C3B437AA81D2F4D63A0FBD8D597E3047DE2B6BE72150335FD4679BD4B8679F3C279903FF85438E7312CA20CDE861D5B166DC17D6396D0FDBCF2337A182894E1C6B3FD6A0CDAA079D3E4226AAD70CEEFA47BF1A527ED17581D3C98A62176D4F88A021A0263EAF6DD962301FE99828AE6E8DD58E4C726693808D2AE355C760679042565C22510FB3DC4E39EE4DDDD91D7810543B6ED0976F03B51EB22373C612B29A64D0FC958524A8FFDFA1B0DC9140AEDF0933ABB9DD92B7F1CC91743B69EB67971B90BFE7C7A06F71BB57BFB78F5AED7A406A16CD80842D2FE102D4249443B315FC0C2B1BFD716FFCCBBC75173A5E83D2C9B32F1BD59C8D7F54FE7E7EE456A387A79DE1595294418F6D5BBE86959AFF1A76DD40D2514A70B41F336323773FEC271E59E40887ED34824A0F3FFEA01DC1F56773458678F4AA29E92787C619DBC61314C33949874DA097E06513F59D7756E9DAB358C73AF2C0CD82
(PID) Process:	(2600) electrum-doge.exe.virus.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Electrum-DOGE AiTemp
Operation:	write	Name:	{A63A14C9-C128-4502-912C-910AC0EC537F}
Value: /i "C:\Users\admin\AppData\Local\Temp\AIE6574.tmp" AI_SETUPEXEPATH="C:\Users\admin\Desktop\electrum-doge.exe.virus.exe" SETUPEXEDIR="C:\Users\admin\Desktop\" ADDLOCAL=RequiredApplication_3,MainFeature,RequiredApplication,RequiredApplication_10,RequiredApplication_1,RequiredApplication_2,RequiredApplication_4,RequiredApplication_5,RequiredApplication_6,RequiredApplication_7,RequiredApplication_8,RequiredApplication_9 ALLUSERS="1" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_PREREQFILES="C:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\RequiredApplication\set.msiC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\9last.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\10setup2.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\1display.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\4h.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\5pause.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\6last.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\7SecurityCenter.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\8display2.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\setup3.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\3.1setuphd.bat" AI_PREREQDIRS="C:\Users\admin\AppData\Roaming" AI_MISSING_PREREQS="Required Application_1\|DOGE Block Data\|Required Application_3\|Required Application_3.1\|Required Application_4\|Required Application_5\|Required Application_6\|Required Application_7\|Required Application_8\|Required Application_9\|Required Application_10" AI_DETECTED_INTERNET_CONNECTION="1" APPDIR="C:\Program Files (x86)\Electrum-DOGE\" TARGETDIR="C:\" AI_INSTALL="1" AI_SETUPEXEPATH_ORIGINAL="C:\Users\admin\Desktop\electrum-doge.exe.virus.exe" AI_SETUPEXEPATH="C:\Users\admin\Desktop\electrum-doge.exe.virus.exe"
(PID) Process:	(2600) electrum-doge.exe.virus.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	{A63A14C9-C128-4502-912C-910AC0EC537F}
Value: "C:\Users\admin\Desktop\electrum-doge.exe.virus.exe" /cmdloc "HKCU\Software\Electrum-DOGE AiTemp\{A63A14C9-C128-4502-912C-910AC0EC537F}"
(PID) Process:	(4536) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:	write	Name:	NoTrayItemsDisplay
Value: 1
(PID) Process:	(3988) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:	write	Name:	NoTrayItemsDisplay
Value: 1
(PID) Process:	(2324) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:	write	Name:	NoTrayItemsDisplay
Value: 1
(PID) Process:	(6040) StartMenuExperienceHost.exe	Key:	\REGISTRY\A\{85766b69-88da-16fc-8b49-3ab6508fd096}\LocalState\DataCorruptionRecovery
Operation:	write	Name:	InitializationAttemptCount
Value: 01000000040009E6DC40DB01
(PID) Process:	(6040) StartMenuExperienceHost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties
Operation:	write	Name:	Completed
Value: 1

PID	Process	Filename		Type
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E		der
		MD5:EA6AA67503900DCD62FF6BAD24905677	SHA256:9B8D999B53505F75140F4D5F759245D20D1C100CE870D2C03B826E2109CE1877
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\Local\Temp\AIE6574.tmp.part		executable
		MD5:F37DD1842AC9F9FC9DFCF61C07594659	SHA256:0B127666BE52C78D1F302DFA8DFFC44648092BE87CE8D6A020F8B1D9F393AC0C
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\Local\Temp\AIE6574.tmp		executable
		MD5:F37DD1842AC9F9FC9DFCF61C07594659	SHA256:0B127666BE52C78D1F302DFA8DFFC44648092BE87CE8D6A020F8B1D9F393AC0C
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_31F97CB4EED5F63EC6C160F57DE1CB43		binary
		MD5:0A618767A30C0F1FB00F83AC38F0E6D0	SHA256:490E35E686946BD5BAF38083379686414A088E4F8274E5852746EE4333C00B32
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\Local\Temp\shi77A5.tmp		executable
		MD5:84A34BF3486F7B9B7035DB78D78BDD1E	SHA256:F85911C910B660E528D2CF291BAA40A92D09961996D6D84E7A53A7095C7CD96E
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\Local\Temp\MSI7CAC.tmp		executable
		MD5:DFE7442A09A0809F22E0806040A0202E	SHA256:1CD91F56352A68EA6B2FE9F67F42F901B8B741E166C2AA6A3ECCC71628EE229D
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\Local\Temp\MSI78D0.tmp		executable
		MD5:D8D35C923ABF8429B35EDCD43FBB803A	SHA256:3AB49159965665944C8653C74AD21A4FA2AE807E7C0AF6E069E71EAE46155070
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_2600\completi		image
		MD5:45B0E074F96A859ADAE198187AB9FA11	SHA256:050282E679AC80F6A357FFF92F1E7A95D30A06B35247E25CBFD2DD8CEEE1A412
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\Local\Temp\MSI7C8B.tmp		executable
		MD5:DFE7442A09A0809F22E0806040A0202E	SHA256:1CD91F56352A68EA6B2FE9F67F42F901B8B741E166C2AA6A3ECCC71628EE229D
4308	msiexec.exe	C:\Users\admin\AppData\Local\Temp\tin78DD.tmp.part		html
		MD5:D16B976B5D7FA00D2131FD3112CF5239	SHA256:84E38160742628C8775512131C31B9B0A9C70BAB7C95E6D62615D6035ABEE777

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2600	electrum-doge.exe.virus.exe	GET	200	85.17.9.90:80	http://minisoftupdate.app/doge/installer.msi	unknown	—	—	unknown
2600	electrum-doge.exe.virus.exe	HEAD	200	85.17.9.90:80	http://minisoftupdate.app/doge/installer.msi	unknown	—	—	unknown
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2600	electrum-doge.exe.virus.exe	GET	200	104.18.21.226:80	http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDBaeQD%2BWq7ntwZtvlw%3D%3D	unknown	—	—	whitelisted
4308	msiexec.exe	GET	200	142.250.185.68:80	http://www.google.com/	unknown	—	—	whitelisted
4308	msiexec.exe	GET	200	85.17.9.90:80	http://minisoftupdate.app/doge/set.msi	unknown	—	—	unknown
4308	msiexec.exe	GET	200	142.250.185.68:80	http://www.google.com/	unknown	—	—	whitelisted
4840	msiexec.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSE67Nbq3jfQQg8yXEpbmqLTNn7XwQUm1%2BwNrqdBq4ZJ73AoCLAi4s4d%2B0CEAQpSJ3GllI6wH5wI4fONbY%3D	unknown	—	—	whitelisted
2600	electrum-doge.exe.virus.exe	GET	200	104.18.21.226:80	http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1620	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2600	electrum-doge.exe.virus.exe	85.17.9.90:80	minisoftupdate.app	LeaseWeb Netherlands B.V.	NL	unknown
1620	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1620	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
google.com	172.217.18.14	whitelisted
minisoftupdate.app	85.17.9.90	unknown
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
ocsp.globalsign.com	104.18.21.226 104.18.20.226	whitelisted
www.google.com	142.250.185.68	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
r.bing.com	92.123.104.27 92.123.104.18 92.123.104.28 92.123.104.26 92.123.104.19 92.123.104.24 92.123.104.23 92.123.104.21 92.123.104.31 92.123.104.46 92.123.104.54 92.123.104.47 92.123.104.42 92.123.104.57 92.123.104.53 92.123.104.48 92.123.104.44 92.123.104.43	whitelisted
www.bing.com	92.123.104.29 92.123.104.28 92.123.104.24 92.123.104.31 92.123.104.26 92.123.104.21 92.123.104.23 92.123.104.20 92.123.104.27 92.123.104.12 92.123.104.11 92.123.104.16 92.123.104.18 92.123.104.19 92.123.104.14 92.123.104.15	whitelisted

PID	Process	Class	Message
4840	msiexec.exe	Potential Corporate Privacy Violation	ET POLICY Observed MSI Download
4840	msiexec.exe	Potential Corporate Privacy Violation	ET HUNTING Suspicious Windows Installer UA for non-MSI

Process	Message
rutserv.exe	27-11-2024_14:59:07:788#T:Error NTSetPrivilege - SE_DEBUG_NAME
rutserv.exe	TMainService.Start
rutserv.exe	MSG_KEEP_ALIVE
rutserv.exe	27-11-2024_14:59:45:161#T:MSG_KEEP_ALIVE
rutserv.exe	27-11-2024_15:00:14:708#T:MSG_KEEP_ALIVE
rutserv.exe	MSG_KEEP_ALIVE
rutserv.exe	27-11-2024_15:00:46:864#T:MSG_KEEP_ALIVE
rutserv.exe	MSG_KEEP_ALIVE

General Info

electrum-doge.exe.virus.exe

7396075595568A6AE175AEE87BCA0C04

2A6EC1A995910A382B9B0C57D1AD0233FBF4E7C7

DBD91B94E3583DC487A96D43441329144B087302CE575608DD1D5EA7F781C0AB

49152:jvqoRVggrUeL357KT1/72xgdiL+8n4+zsg5T6D0LuX0t8s10YRi7autKyXxhYTRE:QgrUej57a5qed2RAX86

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ADVANCEDINSTALLER has been detected (SURICATA)

Run PowerShell with an invisible window

Changes powershell execution policy (RemoteSigned)

Executing a file with an untrusted certificate

Uses Task Scheduler to run other applications

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

SUSPICIOUS

Executable content was dropped or overwritten

Access to an unwanted program domain was detected

Reads security settings of Internet Explorer

Adds/modifies Windows certificates

Starts CMD.EXE for commands execution

Starts process via Powershell

Executing commands from a ".bat" file

Checks Windows Trust Settings

Starts POWERSHELL.EXE for commands execution

Process drops legitimate windows executable

Kill processes via PowerShell

Uses REG/REGEDIT.EXE to modify registry

The process drops C-runtime libraries

Executes as Windows Service

Likely accesses (executes) a file from the Public directory

Uses ATTRIB.EXE to modify file attributes

PowerShell delay command usage (probably sleep evasion)

Application launched itself

Connects to SMTP port

Connects to unusual port

Potential Corporate Privacy Violation

The process bypasses the loading of PowerShell profile settings

The process executes Powershell scripts

The process hide an interactive prompt from the user

The process executes via Task Scheduler

INFO

Checks supported languages

Checks proxy server information

Reads the computer name

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads the software policy settings

Executable content was dropped or overwritten

Sends debugging messages

Drops Remote Utils RAT executable file

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information