Malware analysis dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe Malicious activity

Add for printing

File name:	dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe
Full analysis:	https://app.any.run/tasks/f3103aa7-9a7f-43cd-9ac4-127f96630d4b
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	May 15, 2025, 20:06:23
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	rat rms remote autoit evasion github aspack delphi
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	5DF0CF8B8AA7E56884F71DA3720FB2C6
SHA1:	0610E911ADE5D666A45B41F771903170AF58A05A
SHA256:	DD396A3F66AD728660023CB116235F3CB1C35D679A155B08EC6A9CCAF966C360
SSDEEP:	196608:NjIrZDbMLq8TKqTNNRYWzmf1e4Qx/PMPTZPkTGX9sqiL/aVvTAs:N2Z4DRYWXdaZPGy9sJL/aVv/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Disables Windows Defender
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
- UAC/LUA settings modification
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
  - regedit.exe (PID: 7192)
- RMS is detected
  - regedit.exe (PID: 7192)
  - regedit.exe (PID: 3900)
  - rutserv.exe (PID: 6004)
- RMS mutex has been found
  - rfusclient.exe (PID: 5116)
  - rfusclient.exe (PID: 6468)
  - rutserv.exe (PID: 6004)
  - rfusclient.exe (PID: 2420)
- RMS has been detected (YARA)
  - rutserv.exe (PID: 6004)
  - rfusclient.exe (PID: 6468)
  - rfusclient.exe (PID: 5116)
- Starts NET.EXE to view/add/change user profiles
  - net.exe (PID: 7180)
  - cmd.exe (PID: 2564)
- Starts NET.EXE to view/change users localgroup
  - net.exe (PID: 5260)
  - net.exe (PID: 5164)
  - net.exe (PID: 2268)
  - cmd.exe (PID: 2564)
  - net.exe (PID: 3784)
  - net.exe (PID: 7472)
  - net.exe (PID: 7360)
  - net.exe (PID: 4040)
  - net.exe (PID: 7828)
  - net.exe (PID: 7980)
- Uses Task Scheduler to run other applications
  - taskhost.exe (PID: 8112)
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
- Uses Task Scheduler to autorun other applications
  - taskhost.exe (PID: 8112)
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
- Starts NET.EXE to view/change login properties
  - cmd.exe (PID: 2564)
  - net.exe (PID: 9080)
SUSPICIOUS
- Executable content was dropped or overwritten
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
  - wini.exe (PID: 7620)
  - cheat.exe (PID: 7812)
  - P.exe (PID: 8168)
  - R8.exe (PID: 904)
  - winlog.exe (PID: 6576)
  - Rar.exe (PID: 6480)
  - taskhost.exe (PID: 8112)
  - RDPWInst.exe (PID: 2040)
  - taskhostw.exe (PID: 5136)
- Reads security settings of Internet Explorer
  - ShellExperienceHost.exe (PID: 7676)
  - wini.exe (PID: 7620)
  - cheat.exe (PID: 7812)
  - ink.exe (PID: 6264)
  - winit.exe (PID: 8076)
  - R8.exe (PID: 904)
- The process executes VB scripts
  - wini.exe (PID: 7620)
  - R8.exe (PID: 904)
  - cmd.exe (PID: 7984)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 8140)
  - cmd.exe (PID: 2564)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 8056)
  - wscript.exe (PID: 5984)
- Executing commands from a ".bat" file
  - wscript.exe (PID: 8056)
  - winit.exe (PID: 8076)
  - wscript.exe (PID: 5984)
  - winlogon.exe (PID: 5988)
  - wscript.exe (PID: 2908)
  - taskhost.exe (PID: 8112)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 8140)
  - cmd.exe (PID: 1040)
  - cmd.exe (PID: 7984)
  - cmd.exe (PID: 9120)
- Executes as Windows Service
  - rutserv.exe (PID: 6004)
- Starts CMD.EXE for commands execution
  - wscript.exe (PID: 8056)
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
  - winit.exe (PID: 8076)
  - wscript.exe (PID: 5984)
  - winlogon.exe (PID: 5988)
  - wscript.exe (PID: 2908)
  - taskhost.exe (PID: 8112)
  - winlogon.exe (PID: 6824)
  - taskhostw.exe (PID: 5136)
- Uses ATTRIB.EXE to modify file attributes
  - cmd.exe (PID: 8140)
  - cmd.exe (PID: 2564)
  - cmd.exe (PID: 9120)
- Restarts service on failure
  - sc.exe (PID: 7476)
- Windows service management via SC.EXE
  - sc.exe (PID: 7640)
  - sc.exe (PID: 728)
  - sc.exe (PID: 6036)
  - sc.exe (PID: 4108)
  - sc.exe (PID: 8084)
  - sc.exe (PID: 7384)
  - sc.exe (PID: 6744)
  - sc.exe (PID: 4452)
  - sc.exe (PID: 6068)
  - sc.exe (PID: 7800)
  - sc.exe (PID: 4180)
  - sc.exe (PID: 6640)
  - sc.exe (PID: 7656)
  - sc.exe (PID: 7880)
- Potential Corporate Privacy Violation
  - rutserv.exe (PID: 6004)
  - winit.exe (PID: 8076)
  - svchost.exe (PID: 2196)
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
  - taskhost.exe (PID: 8112)
  - taskhostw.exe (PID: 5136)
- The process creates files with name similar to system file names
  - cheat.exe (PID: 7812)
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
- Connects to unusual port
  - rutserv.exe (PID: 6004)
- Sets the service to start on system boot
  - sc.exe (PID: 7756)
  - sc.exe (PID: 7888)
- Stops a currently running service
  - sc.exe (PID: 2692)
  - sc.exe (PID: 1128)
  - sc.exe (PID: 7256)
  - sc.exe (PID: 7228)
  - sc.exe (PID: 6480)
  - sc.exe (PID: 5892)
  - sc.exe (PID: 8184)
- Application launched itself
  - rfusclient.exe (PID: 6468)
- There is functionality for taking screenshot (YARA)
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - cmd.exe (PID: 2268)
  - cmd.exe (PID: 7796)
  - cmd.exe (PID: 8084)
  - cmd.exe (PID: 7200)
  - cmd.exe (PID: 1188)
  - cmd.exe (PID: 7340)
  - cmd.exe (PID: 6572)
  - cmd.exe (PID: 5984)
  - cmd.exe (PID: 5776)
  - cmd.exe (PID: 8172)
  - cmd.exe (PID: 780)
  - cmd.exe (PID: 7804)
  - cmd.exe (PID: 5968)
  - cmd.exe (PID: 7824)
  - cmd.exe (PID: 4756)
  - cmd.exe (PID: 5072)
  - cmd.exe (PID: 6048)
  - cmd.exe (PID: 8028)
  - cmd.exe (PID: 7256)
  - cmd.exe (PID: 5720)
  - cmd.exe (PID: 2564)
  - RDPWInst.exe (PID: 2040)
- Uses NETSH.EXE to change the status of the firewall
  - cmd.exe (PID: 5384)
- Checks for external IP
  - svchost.exe (PID: 2196)
  - winit.exe (PID: 8076)
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
  - taskhostw.exe (PID: 5136)
- The process verifies whether the antivirus software is installed
  - winit.exe (PID: 8076)
  - icacls.exe (PID: 7216)
  - icacls.exe (PID: 8020)
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
  - icacls.exe (PID: 7300)
- Uses ICACLS.EXE to modify access control lists
  - cmd.exe (PID: 7356)
  - cmd.exe (PID: 5436)
  - cmd.exe (PID: 8004)
  - cmd.exe (PID: 4040)
  - cmd.exe (PID: 1272)
  - cmd.exe (PID: 8100)
  - cmd.exe (PID: 2908)
  - cmd.exe (PID: 1132)
  - cmd.exe (PID: 2108)
  - cmd.exe (PID: 5072)
  - cmd.exe (PID: 8176)
  - cmd.exe (PID: 1188)
  - cmd.exe (PID: 5176)
  - cmd.exe (PID: 6048)
  - cmd.exe (PID: 7728)
  - cmd.exe (PID: 5528)
  - cmd.exe (PID: 8164)
  - cmd.exe (PID: 8108)
  - cmd.exe (PID: 7192)
  - cmd.exe (PID: 2908)
  - cmd.exe (PID: 4488)
  - cmd.exe (PID: 7392)
  - cmd.exe (PID: 8188)
  - cmd.exe (PID: 5352)
  - cmd.exe (PID: 6816)
  - cmd.exe (PID: 4188)
  - cmd.exe (PID: 7288)
  - cmd.exe (PID: 7476)
  - cmd.exe (PID: 7988)
  - cmd.exe (PID: 7384)
  - cmd.exe (PID: 7284)
  - cmd.exe (PID: 6272)
  - cmd.exe (PID: 7368)
  - cmd.exe (PID: 2100)
  - cmd.exe (PID: 4000)
  - cmd.exe (PID: 5548)
  - cmd.exe (PID: 8048)
  - cmd.exe (PID: 904)
  - cmd.exe (PID: 2092)
  - cmd.exe (PID: 1812)
  - cmd.exe (PID: 6872)
  - cmd.exe (PID: 5164)
  - cmd.exe (PID: 7476)
  - cmd.exe (PID: 6592)
  - cmd.exe (PID: 7800)
  - cmd.exe (PID: 4424)
  - cmd.exe (PID: 6644)
  - cmd.exe (PID: 7184)
  - cmd.exe (PID: 5968)
  - cmd.exe (PID: 7204)
  - cmd.exe (PID: 6736)
  - cmd.exe (PID: 8104)
  - cmd.exe (PID: 4236)
  - cmd.exe (PID: 644)
  - cmd.exe (PID: 3020)
  - cmd.exe (PID: 2268)
  - cmd.exe (PID: 1096)
  - cmd.exe (PID: 4528)
  - cmd.exe (PID: 2320)
  - cmd.exe (PID: 6824)
  - cmd.exe (PID: 7808)
  - cmd.exe (PID: 5528)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 7984)
  - cmd.exe (PID: 9120)
- Starts application with an unusual extension
  - cmd.exe (PID: 7984)
  - cmd.exe (PID: 2564)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 5384)
- Process drops legitimate windows executable
  - RDPWInst.exe (PID: 2040)
- Lists all scheduled tasks in specific format
  - schtasks.exe (PID: 7252)
- Deletes scheduled task without confirmation
  - schtasks.exe (PID: 8488)
  - schtasks.exe (PID: 8500)
  - schtasks.exe (PID: 8508)
  - schtasks.exe (PID: 8564)
  - schtasks.exe (PID: 8584)
  - schtasks.exe (PID: 8596)
  - schtasks.exe (PID: 8668)
  - schtasks.exe (PID: 8688)
  - schtasks.exe (PID: 8696)
  - schtasks.exe (PID: 8716)
  - schtasks.exe (PID: 8756)
  - schtasks.exe (PID: 8772)
  - schtasks.exe (PID: 8780)
  - schtasks.exe (PID: 8400)
  - schtasks.exe (PID: 8472)
- Process uses IPCONFIG to clear DNS cache
  - cmd.exe (PID: 7612)
- Connects to FTP
  - taskhostw.exe (PID: 5136)
- The process executes via Task Scheduler
  - taskhostw.exe (PID: 5508)
INFO
- Creates files in the program directory
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
  - cheat.exe (PID: 7812)
  - P.exe (PID: 8168)
  - winit.exe (PID: 8076)
- Reads mouse settings
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
  - winit.exe (PID: 8076)
  - taskhost.exe (PID: 8112)
- The sample compiled with english language support
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
  - wini.exe (PID: 7620)
  - P.exe (PID: 8168)
  - cheat.exe (PID: 7812)
  - R8.exe (PID: 904)
  - Rar.exe (PID: 6480)
  - taskhost.exe (PID: 8112)
  - RDPWInst.exe (PID: 2040)
  - taskhostw.exe (PID: 5136)
- Reads the computer name
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
  - ShellExperienceHost.exe (PID: 7676)
  - wini.exe (PID: 7620)
  - rutserv.exe (PID: 2236)
  - rutserv.exe (PID: 660)
  - rutserv.exe (PID: 6004)
  - rutserv.exe (PID: 6388)
  - rfusclient.exe (PID: 5116)
  - cheat.exe (PID: 7812)
  - rfusclient.exe (PID: 6468)
  - ink.exe (PID: 6264)
  - P.exe (PID: 8168)
  - rfusclient.exe (PID: 2420)
  - winit.exe (PID: 8076)
  - R8.exe (PID: 904)
- Checks supported languages
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
  - wini.exe (PID: 7620)
  - ShellExperienceHost.exe (PID: 7676)
  - rutserv.exe (PID: 660)
  - rutserv.exe (PID: 2236)
  - rutserv.exe (PID: 6388)
  - rutserv.exe (PID: 6004)
  - winit.exe (PID: 8076)
  - rfusclient.exe (PID: 6468)
  - cheat.exe (PID: 7812)
  - P.exe (PID: 8168)
  - ink.exe (PID: 6264)
  - rfusclient.exe (PID: 5116)
  - taskhost.exe (PID: 8112)
  - rfusclient.exe (PID: 2420)
  - R8.exe (PID: 904)
- Create files in a temporary directory
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
  - winit.exe (PID: 8076)
- Process checks computer location settings
  - wini.exe (PID: 7620)
  - cheat.exe (PID: 7812)
  - R8.exe (PID: 904)
- Reads the machine GUID from the registry
  - ink.exe (PID: 6264)
- The process uses AutoIt
  - dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe (PID: 7480)
- Checks proxy server information
  - ink.exe (PID: 6264)
  - winit.exe (PID: 8076)
- Manual execution by a user
  - notepad.exe (PID: 8056)
  - msedge.exe (PID: 8200)
- Creates files or folders in the user directory
  - winit.exe (PID: 8076)
- Reads CPU info
  - winit.exe (PID: 8076)
- Reads the software policy settings
  - winit.exe (PID: 8076)
- Aspack has been detected
  - rutserv.exe (PID: 6004)
  - rfusclient.exe (PID: 6468)
  - rfusclient.exe (PID: 5116)
- Compiled with Borland Delphi (YARA)
  - rutserv.exe (PID: 6004)
  - rfusclient.exe (PID: 6468)
  - rfusclient.exe (PID: 5116)
- Changes the display of characters in the console
  - cmd.exe (PID: 7984)
  - cmd.exe (PID: 2564)
- Application launched itself
  - msedge.exe (PID: 8200)
  - msedge.exe (PID: 6416)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:11:19 10:51:15+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	12
CodeSize:	581120
InitializedDataSize:	9926656
UninitializedDataSize:	-
EntryPoint:	0x27f4a
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (British)
CharacterSet:	Unicode

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

665

Monitored processes

509

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

300

icacls "C:\Program Files (x86)\Zaxar" /deny admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

536

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

536

icacls "C:\ProgramData\Norton" /deny admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

632

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

632

C:\WINDOWS\system32\cmd.exe /C schtasks /Delete /TN "GoogleUpdateTaskMachineUA" /F

C:\Windows\SysWOW64\cmd.exe

—

winlogon.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

644

icacls "C:\Windows\Fonts\Mysql" /deny admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

644

taskkill /f /im Rar.exe

C:\Windows\SysWOW64\taskkill.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

128

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

644

C:\WINDOWS\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

—

dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

660

rutserv.exe /silentinstall

C:\ProgramData\Windows\rutserv.exe

—

cmd.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\programdata\windows\rutserv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

660

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

35 266

Read events

34 910

Write events

235

Delete events

121

Modification events


(PID) Process:	(7480) dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Operation:	write	Name:	John
Value: 0
(PID) Process:	(7480) dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Operation:	write	Name:	John
Value: 0
(PID) Process:	(7480) dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:	write	Name:	DisableAntiSpyware
Value: 1
(PID) Process:	(7480) dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:	write	Name:	DisableAntiSpyware
Value: 1
(PID) Process:	(7480) dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:	write	Name:	DisableIOAVProtection
Value: 1
(PID) Process:	(7480) dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:	write	Name:	DisableBehaviorMonitoring
Value: 1
(PID) Process:	(7480) dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:	write	Name:	DisableOnAccessProtection
Value: 1
(PID) Process:	(7480) dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:	write	Name:	DisableRawWriteNotification
Value: 1
(PID) Process:	(7480) dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
Operation:	write	Name:	DisableBlockAltFirstSeen
Value: 1
(PID) Process:	(7480) dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
Operation:	write	Name:	LocalSettingOverrideSpynetRepting
Value: 0

Add for printing

Executable files

Suspicious files

521

Text files

157

Unknown types

Dropped files

PID	Process	Filename		Type
7480	dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	C:\ProgramData\Microsoft\Check\Check.txt		—
		MD5:—	SHA256:—
7480	dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	C:\Users\admin\AppData\Local\Temp\autBBC0.tmp		binary
		MD5:7B5818F70DA8C573F74BE380A6658570	SHA256:7985A07B0E5795C7DFAC7489B91A9B15CE9C0534DA1FFC2AE385F9FCAEFE92AB
7480	dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	C:\Users\admin\AppData\Local\Temp\autBBC2.tmp		binary
		MD5:5404EFC351CB385071F39AA5C8E466BF	SHA256:F8556F9FC9ED0A3B54EB475A12B0FAD77B9BA5EA26761F0795440741F6B40C55
7480	dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	C:\Users\admin\AppData\Local\Temp\autBBC1.tmp		binary
		MD5:0E65104906591BA1FAB714B173A460FB	SHA256:83B28E026DE4CE5588039491968A4E360C7334CEEAFC0E64A63BB19EFDE7F985
7480	dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	C:\ProgramData\Microsoft\Intel\wini.exe		executable
		MD5:F9A9B17C831721033458D59BF69F45B6	SHA256:9276D1BB2CD48FDF46161DEAF7AD4B0DBCEF9655D462584E104BD3F2A8C944CE
7480	dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	C:\ProgramData\Microsoft\temp\Clean.bat		text
		MD5:041E144A6429A6926771B0469B901630	SHA256:1134B862F4D0CE10466742BEB334C06C2386E85ACAD72725DDB1CECB1871B312
7620	wini.exe	C:\ProgramData\Windows\winit.exe		executable
		MD5:03A781BB33A21A742BE31DEB053221F3	SHA256:E95FC3E7ED9EC61BA7214CC3FE5D869E2EE22ABBEAC3052501813BB2B6DDE210
7480	dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	C:\ProgramData\Microsoft\temp\H.bat		text
		MD5:76303BB3BB0FAA707000DF998D8C9F3D	SHA256:A33AF2B70AD8FEA8900B6BD31AC7B0AAB8A2B8B79E3E27ADAFBD34BDFCB67549
7480	dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	C:\Users\admin\AppData\Local\Temp\autBBD3.tmp		binary
		MD5:A71F2FF7DE001638ABA284E64351AA97	SHA256:8E750661ACD11C039FC9F97F5ACB89C0814A0DEB13F53299BE4FD15B4AE22859
7480	dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	C:\ProgramData\Microsoft\temp\5.xml		text
		MD5:487497F0FAACCBF26056D9470EB3ECED	SHA256:9A8EFBD09C9CC1EE7E8FF76EA60846B5CD5A47CDAAE8E92331F3B7B6A5DB4BE5

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

127

DNS requests

122

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	304	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	92.123.22.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	92.123.22.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2924	SearchApp.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
8076	winit.exe	GET	200	208.95.112.1:80	http://ip-api.com/json	unknown	—	—	whitelisted
4560	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4560	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
2040	RDPWInst.exe	GET	200	172.64.149.23:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
2104	svchost.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
5496	MoUsoCoreWorker.exe	92.123.22.101:80	www.microsoft.com	AKAMAI-AS	AT	whitelisted
2104	svchost.exe	92.123.22.101:80	www.microsoft.com	AKAMAI-AS	AT	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.160.130:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.185.142	whitelisted
crl.microsoft.com	2.19.11.105 2.19.11.120	whitelisted
www.microsoft.com	92.123.22.101 95.101.149.131	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	20.190.160.130 40.126.32.136 40.126.32.68 20.190.160.17 40.126.32.72 40.126.32.76 20.190.160.131 40.126.32.138 20.190.159.2 40.126.31.73 40.126.31.0 40.126.31.67 40.126.31.69 20.190.159.0 20.190.159.131 20.190.159.73	whitelisted
ocsp.digicert.com	2.23.77.188 2.17.190.73	whitelisted
rms-server.tektonit.ru	77.223.119.187	unknown
boglogov.site	—	unknown
www.bing.com	2.16.241.218 2.16.241.205 92.123.104.52 92.123.104.53 92.123.104.38 92.123.104.41 92.123.104.36 92.123.104.50 92.123.104.46 92.123.104.47 92.123.104.49 92.123.104.10 92.123.104.32 92.123.104.14 92.123.104.26 92.123.104.22 92.123.104.13 92.123.104.18 92.123.104.12 92.123.104.21 92.123.104.17 92.123.104.9	whitelisted

Threats

PID	Process	Class	Message
6004	rutserv.exe	Potential Corporate Privacy Violation	REMOTE [ANY.RUN] Remote Access Tool Has been detected
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
8076	winit.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
8076	winit.exe	Potential Corporate Privacy Violation	ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
2196	svchost.exe	Potential Corporate Privacy Violation	ET INFO IP Check Domain (iplogger .org in DNS Lookup)
7480	dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe	Potential Corporate Privacy Violation	ET INFO IP Check Domain (iplogger .org in TLS SNI)
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
8112	taskhost.exe	Potential Corporate Privacy Violation	ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile

Add for printing

Process	Message
rutserv.exe	TMainService.Start
rutserv.exe	GUID_CONSOLE_DISPLAY_STATE
rutserv.exe	MSG_KEEP_ALIVE
rutserv.exe	15-05-2025_20:07:08:378#T:Msg code: 3
rutserv.exe	15-05-2025_20:07:08:378#T:Msg Size: 104
rutserv.exe	15-05-2025_20:07:08:378#T:MSG_KEEP_ALIVE
rutserv.exe	MSG_KEEP_ALIVE
rutserv.exe	15-05-2025_20:07:39:171#T:Msg code: 3
rutserv.exe	15-05-2025_20:07:39:171#T:MSG_KEEP_ALIVE
rutserv.exe	15-05-2025_20:07:39:171#T:Msg Size: 104

General Info

dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe

5DF0CF8B8AA7E56884F71DA3720FB2C6

0610E911ADE5D666A45B41F771903170AF58A05A

DD396A3F66AD728660023CB116235F3CB1C35D679A155B08EC6A9CCAF966C360

196608:NjIrZDbMLq8TKqTNNRYWzmf1e4Qx/PMPTZPkTGX9sqiL/aVvTAs:N2Z4DRYWXdaZPGy9sJL/aVv/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Disables Windows Defender

UAC/LUA settings modification

RMS is detected

RMS mutex has been found

RMS has been detected (YARA)

Starts NET.EXE to view/add/change user profiles

Starts NET.EXE to view/change users localgroup

Uses Task Scheduler to run other applications

Uses Task Scheduler to autorun other applications

Starts NET.EXE to view/change login properties

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

The process executes VB scripts

Uses REG/REGEDIT.EXE to modify registry

Runs shell command (SCRIPT)

Executing commands from a ".bat" file

Uses TIMEOUT.EXE to delay execution

Executes as Windows Service

Starts CMD.EXE for commands execution

Uses ATTRIB.EXE to modify file attributes

Restarts service on failure

Windows service management via SC.EXE

Potential Corporate Privacy Violation

The process creates files with name similar to system file names

Connects to unusual port

Sets the service to start on system boot

Stops a currently running service

Application launched itself

There is functionality for taking screenshot (YARA)

Uses NETSH.EXE to add a firewall rule or allowed programs

Uses NETSH.EXE to change the status of the firewall

Checks for external IP

The process verifies whether the antivirus software is installed

Uses ICACLS.EXE to modify access control lists

Uses TASKKILL.EXE to kill process

Starts application with an unusual extension

Starts POWERSHELL.EXE for commands execution

Process drops legitimate windows executable

Lists all scheduled tasks in specific format

Deletes scheduled task without confirmation

Process uses IPCONFIG to clear DNS cache

Connects to FTP

The process executes via Task Scheduler

INFO

Creates files in the program directory

Reads mouse settings

The sample compiled with english language support

Reads the computer name

Checks supported languages

Create files in a temporary directory

Process checks computer location settings

Reads the machine GUID from the registry

The process uses AutoIt

Checks proxy server information

Manual execution by a user

Creates files or folders in the user directory

Reads CPU info

Reads the software policy settings

Aspack has been detected

Compiled with Borland Delphi (YARA)

Changes the display of characters in the console

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE