File name:	electrum-doge.exe.virus.exe
Full analysis:	https://app.any.run/tasks/3ce7bc05-50a2-4fd1-b421-41265ce14a81
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	November 27, 2024, 14:58:27
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	adware advancedinstaller loader rat rurat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	7396075595568A6AE175AEE87BCA0C04
SHA1:	2A6EC1A995910A382B9B0C57D1AD0233FBF4E7C7
SHA256:	DBD91B94E3583DC487A96D43441329144B087302CE575608DD1D5EA7F781C0AB
SSDEEP:	49152:jvqoRVggrUeL357KT1/72xgdiL+8n4+zsg5T6D0LuX0t8s10YRi7autKyXxhYTRE:QgrUej57a5qed2RAX86

.exe	\|	Win64 Executable (generic) (18)
.exe	\|	Win32 Executable (generic) (2.9)
.exe	\|	Generic Win/DOS Executable (1.3)
.exe	\|	DOS Executable Generic (1.3)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:10:26 15:31:42+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14.15
CodeSize:	1505792
InitializedDataSize:	610304
UninitializedDataSize:	-
EntryPoint:	0x122273
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	3.2.5.0
ProductVersionNumber:	3.2.5.0
FileFlagsMask:	0x003f
FileFlags:	Debug
FileOS:	Win32
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Electrum-DOGE
FileDescription:	Electrum-DOGE Installer
FileVersion:	3.2.5
InternalName:	electrum-doge
LegalCopyright:	Copyright (C) 2024 Electrum-DOGE
OriginalFileName:	electrum-doge.exe
ProductName:	Electrum-DOGE
ProductVersion:	3.2.5


(PID) Process:	(2600) electrum-doge.exe.virus.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation:	delete value	Name:	4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Value:
(PID) Process:	(2600) electrum-doge.exe.virus.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Operation:	write	Name:	Blob
Value: 040000000100000010000000E94FB54871208C00DF70F708AC47085B0F0000000100000030000000C130BBA37B8B350E89FD5ED76B4F78777FEEE220D3B9E729042BEF6AF46E8E4C1B252E32B3080C681BC9A8A1AFDD0A3C0300000001000000140000004EFC31460C619ECAE59C1BCE2C008036D94C84B809000000010000000C000000300A06082B060105050703031D00000001000000100000005467B0ADDE8D858E30EE517B1A19ECD91400000001000000140000001F00BF46800AFC7839B7A5B443D95650BBCE963B53000000010000001F000000301D301B060567810C010330123010060A2B0601040182373C0101030200C06200000001000000200000007B9D553E1C92CB6E8803E137F4F287D4363757F5D44B37D52F9FCA22FB97DF860B000000010000004200000047006C006F00620061006C005300690067006E00200043006F006400650020005300690067006E0069006E006700200052006F006F007400200052003400350000001900000001000000100000005D1B8FF2C30F63F5B536EDD400F7F9B4200000000100000076050000308205723082035AA00302010202107653FEAC75464893F5E5D74A483A4EF8300D06092A864886F70D01010C05003053310B300906035504061302424531193017060355040A1310476C6F62616C5369676E206E762D73613129302706035504031320476C6F62616C5369676E20436F6465205369676E696E6720526F6F7420523435301E170D3230303331383030303030305A170D3435303331383030303030305A3053310B300906035504061302424531193017060355040A1310476C6F62616C5369676E206E762D73613129302706035504031320476C6F62616C5369676E20436F6465205369676E696E6720526F6F742052343530820222300D06092A864886F70D01010105000382020F003082020A0282020100B62DC530DD7AE8AB903D0372B03A4B991661B2E5FFA5671D371CE57EEC9383AA84F5A3439B98458AB863575D9B00880425E9F868924B82D84BC94A03F3A87F6A8F8A6127BDA144D0FDF53F22C2A34F918DB305B22882915DFB5988050B9706C298F82CA73324EE503A41CCF0A0B07B1D4DD2A8583896E9DFF91B91BB8B102CD2C7431DA20974A180AF7BE6330A0C596B8EBCF4AB5A977B7FAE55FB84F080FE844CD7E2BABDC475A16FBD61107444B29807E274ABFF68DC6C263EE91FE5E00487AD30D30C8D037C55B816705C24782025EB676788ABBA4E34986B7011DE38CAD4BEA1C09CE1DF1E0201D83BE1674384B6CFFC74B72F84A3BFBA09373D676CB1455C1961AB4183F5AC1DEB770D464773CEBFBD9595ED9D2B8810FEFA58E8A757E1B3CFA85AE907259B12C49E80723D93DC8C94DF3B44E62680FCD2C303F08C0CD245D62EE78F989EE604EE426E677E42167162E704F960C664A1B69C81214E2BC66D689486C699747367317A91F2D48C796E7CA6BB7E466F4DC585122BCF9A224408A88537CE07615706171224C0C43173A1983557477E103A45D92DA4519098A9A00737C4651AAA1C6B1677F7A797EC3F1930996F31FBEA40B2E7D2C4FAC9D0F050767459FA8D6D1732BEF8E97E03F4E787759AD44A912C850313022B4280F2896A36CFC84CA0CE9EF8CB8DAD16A7D3DED59B18A7C6923AF18263F12E0E2464DF0203010001A3423040300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF301D0603551D0E041604141F00BF46800AFC7839B7A5B443D95650BBCE963B300D06092A864886F70D01010C050003820201005E2BBA749734445F764828408493EE016EE9A1B3D68025E67BE4BC09913D0FFC76ADD7D43020BB8F60D091D61CF29CEF781A2B943202C12496525202D0F3D1FCF29B396E99E11F8E43417D9A1E5BC95D9A84FC26E687F3747226ADA41BD93D3B6A52A03C091E2F1E7BB333B445C7F7ACB1AF9360AD76AEB8B21578EB836AEBFFDB46AB24E5EE02FA901F59C02F5DD6B75DA45C10B77253F8414ECCFA781A254ACAFE85624361C3B437AA81D2F4D63A0FBD8D597E3047DE2B6BE72150335FD4679BD4B8679F3C279903FF85438E7312CA20CDE861D5B166DC17D6396D0FDBCF2337A182894E1C6B3FD6A0CDAA079D3E4226AAD70CEEFA47BF1A527ED17581D3C98A62176D4F88A021A0263EAF6DD962301FE99828AE6E8DD58E4C726693808D2AE355C760679042565C22510FB3DC4E39EE4DDDD91D7810543B6ED0976F03B51EB22373C612B29A64D0FC958524A8FFDFA1B0DC9140AEDF0933ABB9DD92B7F1CC91743B69EB67971B90BFE7C7A06F71BB57BFB78F5AED7A406A16CD80842D2FE102D4249443B315FC0C2B1BFD716FFCCBBC75173A5E83D2C9B32F1BD59C8D7F54FE7E7EE456A387A79DE1595294418F6D5BBE86959AFF1A76DD40D2514A70B41F336323773FEC271E59E40887ED34824A0F3FFEA01DC1F56773458678F4AA29E92787C619DBC61314C33949874DA097E06513F59D7756E9DAB358C73AF2C0CD82
(PID) Process:	(2600) electrum-doge.exe.virus.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Operation:	write	Name:	Blob
Value: 5C0000000100000004000000001000001900000001000000100000005D1B8FF2C30F63F5B536EDD400F7F9B40B000000010000004200000047006C006F00620061006C005300690067006E00200043006F006400650020005300690067006E0069006E006700200052006F006F007400200052003400350000006200000001000000200000007B9D553E1C92CB6E8803E137F4F287D4363757F5D44B37D52F9FCA22FB97DF8653000000010000001F000000301D301B060567810C010330123010060A2B0601040182373C0101030200C01400000001000000140000001F00BF46800AFC7839B7A5B443D95650BBCE963B1D00000001000000100000005467B0ADDE8D858E30EE517B1A19ECD909000000010000000C000000300A06082B060105050703030300000001000000140000004EFC31460C619ECAE59C1BCE2C008036D94C84B80F0000000100000030000000C130BBA37B8B350E89FD5ED76B4F78777FEEE220D3B9E729042BEF6AF46E8E4C1B252E32B3080C681BC9A8A1AFDD0A3C040000000100000010000000E94FB54871208C00DF70F708AC47085B200000000100000076050000308205723082035AA00302010202107653FEAC75464893F5E5D74A483A4EF8300D06092A864886F70D01010C05003053310B300906035504061302424531193017060355040A1310476C6F62616C5369676E206E762D73613129302706035504031320476C6F62616C5369676E20436F6465205369676E696E6720526F6F7420523435301E170D3230303331383030303030305A170D3435303331383030303030305A3053310B300906035504061302424531193017060355040A1310476C6F62616C5369676E206E762D73613129302706035504031320476C6F62616C5369676E20436F6465205369676E696E6720526F6F742052343530820222300D06092A864886F70D01010105000382020F003082020A0282020100B62DC530DD7AE8AB903D0372B03A4B991661B2E5FFA5671D371CE57EEC9383AA84F5A3439B98458AB863575D9B00880425E9F868924B82D84BC94A03F3A87F6A8F8A6127BDA144D0FDF53F22C2A34F918DB305B22882915DFB5988050B9706C298F82CA73324EE503A41CCF0A0B07B1D4DD2A8583896E9DFF91B91BB8B102CD2C7431DA20974A180AF7BE6330A0C596B8EBCF4AB5A977B7FAE55FB84F080FE844CD7E2BABDC475A16FBD61107444B29807E274ABFF68DC6C263EE91FE5E00487AD30D30C8D037C55B816705C24782025EB676788ABBA4E34986B7011DE38CAD4BEA1C09CE1DF1E0201D83BE1674384B6CFFC74B72F84A3BFBA09373D676CB1455C1961AB4183F5AC1DEB770D464773CEBFBD9595ED9D2B8810FEFA58E8A757E1B3CFA85AE907259B12C49E80723D93DC8C94DF3B44E62680FCD2C303F08C0CD245D62EE78F989EE604EE426E677E42167162E704F960C664A1B69C81214E2BC66D689486C699747367317A91F2D48C796E7CA6BB7E466F4DC585122BCF9A224408A88537CE07615706171224C0C43173A1983557477E103A45D92DA4519098A9A00737C4651AAA1C6B1677F7A797EC3F1930996F31FBEA40B2E7D2C4FAC9D0F050767459FA8D6D1732BEF8E97E03F4E787759AD44A912C850313022B4280F2896A36CFC84CA0CE9EF8CB8DAD16A7D3DED59B18A7C6923AF18263F12E0E2464DF0203010001A3423040300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF301D0603551D0E041604141F00BF46800AFC7839B7A5B443D95650BBCE963B300D06092A864886F70D01010C050003820201005E2BBA749734445F764828408493EE016EE9A1B3D68025E67BE4BC09913D0FFC76ADD7D43020BB8F60D091D61CF29CEF781A2B943202C12496525202D0F3D1FCF29B396E99E11F8E43417D9A1E5BC95D9A84FC26E687F3747226ADA41BD93D3B6A52A03C091E2F1E7BB333B445C7F7ACB1AF9360AD76AEB8B21578EB836AEBFFDB46AB24E5EE02FA901F59C02F5DD6B75DA45C10B77253F8414ECCFA781A254ACAFE85624361C3B437AA81D2F4D63A0FBD8D597E3047DE2B6BE72150335FD4679BD4B8679F3C279903FF85438E7312CA20CDE861D5B166DC17D6396D0FDBCF2337A182894E1C6B3FD6A0CDAA079D3E4226AAD70CEEFA47BF1A527ED17581D3C98A62176D4F88A021A0263EAF6DD962301FE99828AE6E8DD58E4C726693808D2AE355C760679042565C22510FB3DC4E39EE4DDDD91D7810543B6ED0976F03B51EB22373C612B29A64D0FC958524A8FFDFA1B0DC9140AEDF0933ABB9DD92B7F1CC91743B69EB67971B90BFE7C7A06F71BB57BFB78F5AED7A406A16CD80842D2FE102D4249443B315FC0C2B1BFD716FFCCBBC75173A5E83D2C9B32F1BD59C8D7F54FE7E7EE456A387A79DE1595294418F6D5BBE86959AFF1A76DD40D2514A70B41F336323773FEC271E59E40887ED34824A0F3FFEA01DC1F56773458678F4AA29E92787C619DBC61314C33949874DA097E06513F59D7756E9DAB358C73AF2C0CD82
(PID) Process:	(2600) electrum-doge.exe.virus.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Electrum-DOGE AiTemp
Operation:	write	Name:	{A63A14C9-C128-4502-912C-910AC0EC537F}
Value: /i "C:\Users\admin\AppData\Local\Temp\AIE6574.tmp" AI_SETUPEXEPATH="C:\Users\admin\Desktop\electrum-doge.exe.virus.exe" SETUPEXEDIR="C:\Users\admin\Desktop\" ADDLOCAL=RequiredApplication_3,MainFeature,RequiredApplication,RequiredApplication_10,RequiredApplication_1,RequiredApplication_2,RequiredApplication_4,RequiredApplication_5,RequiredApplication_6,RequiredApplication_7,RequiredApplication_8,RequiredApplication_9 ALLUSERS="1" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_PREREQFILES="C:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\RequiredApplication\set.msiC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\9last.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\10setup2.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\1display.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\4h.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\5pause.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\6last.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\7SecurityCenter.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\8display2.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\setup3.batC:\Users\admin\AppData\Roaming\Electrum-DOGE\Electrum-DOGE\prerequisites\3.1setuphd.bat" AI_PREREQDIRS="C:\Users\admin\AppData\Roaming" AI_MISSING_PREREQS="Required Application_1\|DOGE Block Data\|Required Application_3\|Required Application_3.1\|Required Application_4\|Required Application_5\|Required Application_6\|Required Application_7\|Required Application_8\|Required Application_9\|Required Application_10" AI_DETECTED_INTERNET_CONNECTION="1" APPDIR="C:\Program Files (x86)\Electrum-DOGE\" TARGETDIR="C:\" AI_INSTALL="1" AI_SETUPEXEPATH_ORIGINAL="C:\Users\admin\Desktop\electrum-doge.exe.virus.exe" AI_SETUPEXEPATH="C:\Users\admin\Desktop\electrum-doge.exe.virus.exe"
(PID) Process:	(2600) electrum-doge.exe.virus.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	{A63A14C9-C128-4502-912C-910AC0EC537F}
Value: "C:\Users\admin\Desktop\electrum-doge.exe.virus.exe" /cmdloc "HKCU\Software\Electrum-DOGE AiTemp\{A63A14C9-C128-4502-912C-910AC0EC537F}"
(PID) Process:	(4536) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:	write	Name:	NoTrayItemsDisplay
Value: 1
(PID) Process:	(3988) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:	write	Name:	NoTrayItemsDisplay
Value: 1
(PID) Process:	(2324) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:	write	Name:	NoTrayItemsDisplay
Value: 1
(PID) Process:	(6040) StartMenuExperienceHost.exe	Key:	\REGISTRY\A\{85766b69-88da-16fc-8b49-3ab6508fd096}\LocalState\DataCorruptionRecovery
Operation:	write	Name:	InitializationAttemptCount
Value: 01000000040009E6DC40DB01
(PID) Process:	(6040) StartMenuExperienceHost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties
Operation:	write	Name:	Completed
Value: 1

PID	Process	Filename		Type
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E		binary
		MD5:E2DBDF1E81E0B267C9CB61E12D3614B9	SHA256:D3FA0E2C9091AD253DAC518AD5BB0A5E7C53852A368F2B32E061D8E908B740E0
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\Local\Temp\MSI78D0.tmp		executable
		MD5:D8D35C923ABF8429B35EDCD43FBB803A	SHA256:3AB49159965665944C8653C74AD21A4FA2AE807E7C0AF6E069E71EAE46155070
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\Local\Temp\AIE6574.tmp		executable
		MD5:F37DD1842AC9F9FC9DFCF61C07594659	SHA256:0B127666BE52C78D1F302DFA8DFFC44648092BE87CE8D6A020F8B1D9F393AC0C
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\Local\Temp\MSI7842.tmp		executable
		MD5:DFE7442A09A0809F22E0806040A0202E	SHA256:1CD91F56352A68EA6B2FE9F67F42F901B8B741E166C2AA6A3ECCC71628EE229D
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_31F97CB4EED5F63EC6C160F57DE1CB43		binary
		MD5:DCA6BD763BFE471EEA840FE4A8260616	SHA256:8488AD87DE6BCC7051796CEAD7219E06BB0EA84F4424A6DA2CB0B48E30A926B1
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\Local\Temp\MSI7C7A.tmp		executable
		MD5:DFE7442A09A0809F22E0806040A0202E	SHA256:1CD91F56352A68EA6B2FE9F67F42F901B8B741E166C2AA6A3ECCC71628EE229D
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\Local\Temp\shi77A5.tmp		executable
		MD5:84A34BF3486F7B9B7035DB78D78BDD1E	SHA256:F85911C910B660E528D2CF291BAA40A92D09961996D6D84E7A53A7095C7CD96E
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\Local\Temp\MSI7C8B.tmp		executable
		MD5:DFE7442A09A0809F22E0806040A0202E	SHA256:1CD91F56352A68EA6B2FE9F67F42F901B8B741E166C2AA6A3ECCC71628EE229D
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_2600\exclamic		image
		MD5:3DBA38E7A6085876E79F162F9985618C	SHA256:593F94EF1405422B3E453F4422B22C990D84303668D60344C6FD257318E92428
2600	electrum-doge.exe.virus.exe	C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_2600\custicon		image
		MD5:3EAEBDADE778394F06B29659C9C01ED7	SHA256:719E644C31D0CC6B891F6A1253655DFBA39A3B78E06D24817BE1D8492B172B48

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2600	electrum-doge.exe.virus.exe	HEAD	200	85.17.9.90:80	http://minisoftupdate.app/doge/installer.msi	unknown	—	—	—
2600	electrum-doge.exe.virus.exe	GET	200	85.17.9.90:80	http://minisoftupdate.app/doge/installer.msi	unknown	—	—	—
1620	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1620	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2600	electrum-doge.exe.virus.exe	GET	200	104.18.21.226:80	http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDBaeQD%2BWq7ntwZtvlw%3D%3D	unknown	—	—	whitelisted
2600	electrum-doge.exe.virus.exe	GET	200	104.18.21.226:80	http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D	unknown	—	—	whitelisted
4308	msiexec.exe	GET	200	142.250.185.68:80	http://www.google.com/	unknown	—	—	whitelisted
4308	msiexec.exe	GET	200	85.17.9.90:80	http://minisoftupdate.app/doge/set.msi	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1620	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2600	electrum-doge.exe.virus.exe	85.17.9.90:80	minisoftupdate.app	LeaseWeb Netherlands B.V.	NL	unknown
1620	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1620	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
google.com	172.217.18.14	whitelisted
minisoftupdate.app	85.17.9.90	unknown
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
ocsp.globalsign.com	104.18.21.226 104.18.20.226	whitelisted
www.google.com	142.250.185.68	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
r.bing.com	92.123.104.27 92.123.104.18 92.123.104.28 92.123.104.26 92.123.104.19 92.123.104.24 92.123.104.23 92.123.104.21 92.123.104.31 92.123.104.46 92.123.104.54 92.123.104.47 92.123.104.42 92.123.104.57 92.123.104.53 92.123.104.48 92.123.104.44 92.123.104.43	whitelisted
www.bing.com	92.123.104.29 92.123.104.28 92.123.104.24 92.123.104.31 92.123.104.26 92.123.104.21 92.123.104.23 92.123.104.20 92.123.104.27 92.123.104.12 92.123.104.11 92.123.104.16 92.123.104.18 92.123.104.19 92.123.104.14 92.123.104.15	whitelisted

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET POLICY Observed MSI Download
—	—	Potential Corporate Privacy Violation	ET HUNTING Suspicious Windows Installer UA for non-MSI

Process	Message
rutserv.exe	27-11-2024_14:59:07:788#T:Error NTSetPrivilege - SE_DEBUG_NAME
rutserv.exe	TMainService.Start
rutserv.exe	MSG_KEEP_ALIVE
rutserv.exe	27-11-2024_14:59:45:161#T:MSG_KEEP_ALIVE
rutserv.exe	27-11-2024_15:00:14:708#T:MSG_KEEP_ALIVE
rutserv.exe	MSG_KEEP_ALIVE
rutserv.exe	27-11-2024_15:00:46:864#T:MSG_KEEP_ALIVE
rutserv.exe	MSG_KEEP_ALIVE

General Info

electrum-doge.exe.virus.exe

7396075595568A6AE175AEE87BCA0C04

2A6EC1A995910A382B9B0C57D1AD0233FBF4E7C7

DBD91B94E3583DC487A96D43441329144B087302CE575608DD1D5EA7F781C0AB

49152:jvqoRVggrUeL357KT1/72xgdiL+8n4+zsg5T6D0LuX0t8s10YRi7autKyXxhYTRE:QgrUej57a5qed2RAX86

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ADVANCEDINSTALLER has been detected (SURICATA)

Run PowerShell with an invisible window

Changes powershell execution policy (RemoteSigned)

Executing a file with an untrusted certificate

Uses Task Scheduler to run other applications

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

SUSPICIOUS

Access to an unwanted program domain was detected

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Adds/modifies Windows certificates

Process drops legitimate windows executable

Starts POWERSHELL.EXE for commands execution

Starts process via Powershell

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Kill processes via PowerShell

Uses REG/REGEDIT.EXE to modify registry

The process drops C-runtime libraries

Executes as Windows Service

Likely accesses (executes) a file from the Public directory

The process executes via Task Scheduler

Uses ATTRIB.EXE to modify file attributes

Application launched itself

PowerShell delay command usage (probably sleep evasion)

Connects to SMTP port

Connects to unusual port

Potential Corporate Privacy Violation

The process executes Powershell scripts

The process bypasses the loading of PowerShell profile settings

The process hide an interactive prompt from the user

INFO

Reads the computer name

Checks supported languages

Checks proxy server information

Reads the machine GUID from the registry

Reads the software policy settings

Creates files or folders in the user directory

Sends debugging messages

Executable content was dropped or overwritten

Drops Remote Utils RAT executable file

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information