Malware analysis DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2 Malicious activity

Add for printing

File name:	DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2
Full analysis:	https://app.any.run/tasks/82b8d963-9bc0-4296-8f97-5fa058a09171
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 12, 2024, 06:16:09
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	D21BF3852BB27FB6F5459D2CF2BCD51C
SHA1:	E59309BBE58C9584517E4BB50FF499DFFB29D7B0
SHA256:	DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2
SSDEEP:	98304:l0PKfpT5I7CM4MU91UI22IT1PD2222222721vFdGBeQN0aFvGSSRkrlcfABLqI1a:7X0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- AGENTTESLA is detected
  - MBAMService.exe (PID: 6596)
- Actions looks like stealing of personal data
  - MBAMService.exe (PID: 6596)
SUSPICIOUS
- Drops the executable file immediately after the start
  - DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe (PID: 6372)
  - MBAMInstallerService.exe (PID: 7052)
  - MBVpnTunnelService.exe (PID: 6324)
  - drvinst.exe (PID: 6452)
  - MBAMService.exe (PID: 6596)
  - MBAMService.exe (PID: 3188)
- Searches for installed software
  - DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe (PID: 6372)
  - MBAMInstallerService.exe (PID: 7052)
  - MBAMService.exe (PID: 6596)
- Reads the BIOS version
  - DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe (PID: 6372)
  - MBAMService.exe (PID: 6596)
  - mbupdatrV5.exe (PID: 3076)
- Creates files in the driver directory
  - DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe (PID: 6372)
  - MBAMInstallerService.exe (PID: 7052)
  - MBVpnTunnelService.exe (PID: 6324)
  - drvinst.exe (PID: 6452)
  - MBAMService.exe (PID: 3188)
  - MBAMService.exe (PID: 6596)
- The process verifies whether the antivirus software is installed
  - DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe (PID: 6372)
  - MBVpnTunnelService.exe (PID: 6324)
  - drvinst.exe (PID: 6452)
  - MBAMService.exe (PID: 3188)
  - Malwarebytes.exe (PID: 6140)
  - MBAMService.exe (PID: 6596)
  - Malwarebytes.exe (PID: 4236)
  - Malwarebytes.exe (PID: 1664)
  - MBAMWsc.exe (PID: 1116)
  - MBAMInstallerService.exe (PID: 7052)
  - mbupdatrV5.exe (PID: 3076)
  - MBAMWsc.exe (PID: 4424)
- Executes as Windows Service
  - MBAMInstallerService.exe (PID: 7052)
  - MBAMService.exe (PID: 6596)
- Executable content was dropped or overwritten
  - DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe (PID: 6372)
  - MBAMInstallerService.exe (PID: 7052)
  - MBVpnTunnelService.exe (PID: 6324)
  - drvinst.exe (PID: 6452)
  - MBAMService.exe (PID: 3188)
  - MBAMService.exe (PID: 6596)
- Drops 7-zip archiver for unpacking
  - MBAMInstallerService.exe (PID: 7052)
- The process creates files with name similar to system file names
  - MBAMInstallerService.exe (PID: 7052)
- Process drops legitimate windows executable
  - MBAMInstallerService.exe (PID: 7052)
  - MBAMService.exe (PID: 6596)
- Drops a system driver (possible attempt to evade defenses)
  - MBAMInstallerService.exe (PID: 7052)
  - MBVpnTunnelService.exe (PID: 6324)
  - drvinst.exe (PID: 6452)
  - MBAMService.exe (PID: 3188)
  - MBAMService.exe (PID: 6596)
- Changes Internet Explorer settings (feature browser emulation)
  - MBAMInstallerService.exe (PID: 7052)
  - MBAMService.exe (PID: 6596)
- Adds/modifies Windows certificates
  - MBAMInstallerService.exe (PID: 7052)
  - MBAMService.exe (PID: 6596)
- The process drops C-runtime libraries
  - MBAMInstallerService.exe (PID: 7052)
  - MBAMService.exe (PID: 6596)
- Checks Windows Trust Settings
  - drvinst.exe (PID: 6452)
  - MBAMService.exe (PID: 6596)
- Creates/Modifies COM task schedule object
  - MBAMService.exe (PID: 6596)
- Reads security settings of Internet Explorer
  - MBAMService.exe (PID: 6596)
  - ig.exe (PID: 3136)
  - Malwarebytes.exe (PID: 1664)
- Creates or modifies Windows services
  - MBAMService.exe (PID: 6596)
  - MBAMService.exe (PID: 3188)
- Application launched itself
  - Malwarebytes.exe (PID: 6140)
- Starts application from unusual location
  - MBAMService.exe (PID: 6596)
- The process checks if it is being run in the virtual environment
  - MBAMService.exe (PID: 6596)
- Creates a software uninstall entry
  - MBAMInstallerService.exe (PID: 7052)
INFO
- Create files in a temporary directory
  - DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe (PID: 6372)
- Checks supported languages
  - DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe (PID: 6372)
  - MBAMInstallerService.exe (PID: 7052)
  - MBVpnTunnelService.exe (PID: 6324)
  - drvinst.exe (PID: 6452)
  - MBAMService.exe (PID: 3188)
  - MBAMService.exe (PID: 6596)
  - MBAMWsc.exe (PID: 4424)
  - Malwarebytes.exe (PID: 6140)
  - Malwarebytes.exe (PID: 1664)
  - Malwarebytes.exe (PID: 4236)
  - mbupdatrV5.exe (PID: 3076)
  - MBAMWsc.exe (PID: 1116)
  - ig.exe (PID: 3136)
- Reads the machine GUID from the registry
  - DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe (PID: 6372)
  - MBAMInstallerService.exe (PID: 7052)
  - drvinst.exe (PID: 6452)
  - MBAMService.exe (PID: 6596)
  - mbupdatrV5.exe (PID: 3076)
- Reads the computer name
  - DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe (PID: 6372)
  - MBAMInstallerService.exe (PID: 7052)
  - MBVpnTunnelService.exe (PID: 6324)
  - drvinst.exe (PID: 6452)
  - MBAMService.exe (PID: 3188)
  - MBAMService.exe (PID: 6596)
  - MBAMWsc.exe (PID: 4424)
  - Malwarebytes.exe (PID: 1664)
  - Malwarebytes.exe (PID: 6140)
  - Malwarebytes.exe (PID: 4236)
  - MBAMWsc.exe (PID: 1116)
  - mbupdatrV5.exe (PID: 3076)
  - ig.exe (PID: 3136)
- Reads the software policy settings
  - DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe (PID: 6372)
  - MBAMInstallerService.exe (PID: 7052)
  - drvinst.exe (PID: 6452)
  - Malwarebytes.exe (PID: 1664)
  - MBAMService.exe (PID: 6596)
- Creates files in the program directory
  - DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe (PID: 6372)
  - MBAMInstallerService.exe (PID: 7052)
  - MBVpnTunnelService.exe (PID: 6324)
  - MBAMService.exe (PID: 6596)
  - Malwarebytes.exe (PID: 1664)
  - mbupdatrV5.exe (PID: 3076)
- Checks proxy server information
  - DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe (PID: 6372)
  - Malwarebytes.exe (PID: 1664)
- Adds/modifies Windows certificates
  - drvinst.exe (PID: 6452)
- Reads CPU info
  - MBAMService.exe (PID: 6596)
- Reads the time zone
  - MBAMService.exe (PID: 6596)
- Reads Environment values
  - MBAMService.exe (PID: 6596)
- Creates files or folders in the user directory
  - Malwarebytes.exe (PID: 1664)
- Manual execution by a user
  - Malwarebytes.exe (PID: 6140)
- Process checks computer location settings
  - Malwarebytes.exe (PID: 1664)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:07:30 16:19:50+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	752640
InitializedDataSize:	1798144
UninitializedDataSize:	-
EntryPoint:	0x6f66d
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	5.1.8.108
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Malwarebytes
FileDescription:	Malwarebytes Setup
FileVersion:	5.1.8.108
LegalCopyright:	Copyright (C) 2017 - 2024 Malwarebytes, Inc. All rights reserved.
InternalName:	MBSetup.exe
OriginalFileName:	MBSetup.exe
ProductName:	Malwarebytes

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

156

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1116

"C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe" /wac 0 /status on true /updatesubstatus none /scansubstatus none /settingssubstatus none

C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe

—

MBAMService.exe

User:

SYSTEM

Company:

Malwarebytes

Integrity Level:

SYSTEM

Exit code:

Version:

3.1.0.245

Modules

Images
c:\program files\malwarebytes\anti-malware\mbamwsc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\user32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll

1664

"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe" nowindow

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe

MBAMService.exe

User:

admin

Company:

Malwarebytes

Integrity Level:

MEDIUM

Description:

Malwarebytes

Version:

5.0.0.894

Modules

Images
c:\program files\malwarebytes\anti-malware\malwarebytes.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2904

ig.exe reseed

C:\Program Files\Malwarebytes\Anti-Malware\ig.exe

—

MBAMService.exe

User:

admin

Company:

MalwareBytes

Integrity Level:

LOW

Description:

Malware Scanner

Exit code:

7929856

Version:

1.0.4.8

Modules

Images
c:\program files\malwarebytes\anti-malware\ig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

3076

"C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\updatrpkg\mbupdatrV5.exe" "C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\config\UpdateControllerConfig.json" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbclsupdate\staging" /db:dbupdate /su:no

C:\ProgramData\Malwarebytes\MBAMService\updatrpkg\mbupdatrV5.exe

—

MBAMService.exe

User:

SYSTEM

Company:

Malwarebytes

Integrity Level:

SYSTEM

Description:

Malwarebytes Component Updater

Exit code:

Version:

3.1.0.464

Modules

Images
c:\programdata\malwarebytes\mbamservice\updatrpkg\mbupdatrv5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\iphlpapi.dll

3136

ig.exe secure

C:\Users\admin\AppData\LocalLow\IGDump\sec\ig.exe

—

MBAMService.exe

User:

admin

Company:

MalwareBytes

Integrity Level:

LOW

Description:

Malware Scanner

Exit code:

3235811341

Version:

1.0.4.8

Modules

Images
c:\program files\malwarebytes\anti-malware\ig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

3188

"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

MBAMInstallerService.exe

User:

SYSTEM

Company:

Malwarebytes

Integrity Level:

SYSTEM

Description:

Malwarebytes Service

Exit code:

Version:

3.2.0.1314

Modules

Images
c:\program files\malwarebytes\anti-malware\mbamservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll

3356

ig.exe reseed

C:\Program Files\Malwarebytes\Anti-Malware\ig.exe

—

MBAMService.exe

User:

admin

Company:

MalwareBytes

Integrity Level:

LOW

Description:

Malware Scanner

Exit code:

4653056

Version:

1.0.4.8

Modules

Images
c:\program files\malwarebytes\anti-malware\ig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

3476

c:\windows\system32\help.exe /?

C:\Windows\SysWOW64\help.exe

—

ig.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Command Line Help Utility

Exit code:

3221225506

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\help.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

4024

C:\Windows\SysWOW64\help.exe

—

ig.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Command Line Help Utility

Exit code:

3221225506

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\help.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

4236

"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe"

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe

Malwarebytes.exe

User:

admin

Company:

Malwarebytes

Integrity Level:

MEDIUM

Description:

Malwarebytes

Exit code:

Version:

5.0.0.894

Modules

Images
c:\program files\malwarebytes\anti-malware\malwarebytes.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

260 769

Read events

259 842

Write events

900

Delete events

Modification events


(PID) Process:	(6372) DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes
Operation:	write	Name:	id
Value: d7977ef24dbe417faa0547043a8a75a5
(PID) Process:	(6372) DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Malwarebytes
Operation:	write	Name:	id
Value: d7977ef24dbe417faa0547043a8a75a5
(PID) Process:	(6372) DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\mbamtestkey
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6372) DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Malwarebytes
Operation:	delete value	Name:	IrisFirstRun
Value:
(PID) Process:	(6372) DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation:	write	Name:	UserName
Value: admin
(PID) Process:	(6372) DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation:	write	Name:	ProductCode
Value: MBAM-C
(PID) Process:	(6372) DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation:	write	Name:	ProductBuild
Value: consumer
(PID) Process:	(6372) DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation:	write	Name:	ProgramDirectory
Value: C:\Program Files\Malwarebytes\Anti-Malware
(PID) Process:	(6372) DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation:	write	Name:	LocalAppDataDir
Value: C:\Users\admin\AppData\Local
(PID) Process:	(6372) DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation:	write	Name:	Channel
Value: release

Add for printing

Executable files

1 449

Suspicious files

307

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7052	MBAMInstallerService.exe	C:\Windows\Temp\MBInstallTemp75213305587211efaa87525400f121ed\ctlrpkg.7z		—
		MD5:—	SHA256:—
7052	MBAMInstallerService.exe	C:\Windows\Temp\MBInstallTemp75213305587211efaa87525400f121ed\dbclspkg.7z		—
		MD5:—	SHA256:—
7052	MBAMInstallerService.exe	C:\Windows\Temp\MBInstallTemp75213305587211efaa87525400f121ed\dotnetpkg.7z		—
		MD5:—	SHA256:—
7052	MBAMInstallerService.exe	C:\Windows\Temp\MBInstallTemp75213305587211efaa87525400f121ed\servicepkg\BaltimoreCyberTrustRoot.crt		text
		MD5:379A301592736712C9A60676C50CF19B	SHA256:CC7400692BD90E1B5FC44E11C8DD7C788CBB462F52EA3F3DECB579E4D51EB268
7052	MBAMInstallerService.exe	C:\Windows\Temp\MBInstallTemp75213305587211efaa87525400f121ed\servicepkg.7z		compressed
		MD5:905F64B39ED5AF2DD76353E26C5B41AE	SHA256:ECFE2D5BFD7EAFDD6630476AFA38309B78A9925B6760DF2F905A1657F4E697DE
6372	DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe	C:\Program Files (x86)\mbamtestfile.dat		text
		MD5:9F06243ABCB89C70E0C331C61D871FA7	SHA256:837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B
7052	MBAMInstallerService.exe	C:\Windows\Temp\MBInstallTemp75213305587211efaa87525400f121ed\servicepkg\mbtun.crt		text
		MD5:999947F703B1F6B7550C3C61709676D7	SHA256:015FF65C00D6D109B034685987D2E4892158D893677855255F9CF52E7BE60188
6372	DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe	C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe		executable
		MD5:4DC92B52E48B9A7E209307DEF43F0FA4	SHA256:461727E42566CD84E4161D5332131956041E02E3D81CFEC07C22862FA4B6D3D4
6372	DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2.exe	C:\ProgramData\mbamtestfile.dat		text
		MD5:9F06243ABCB89C70E0C331C61D871FA7	SHA256:837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B
7052	MBAMInstallerService.exe	C:\Windows\Temp\MBInstallTemp75213305587211efaa87525400f121ed\servicepkg\DigiCertEVRoot.crt		text
		MD5:D25E0F479B9601EDF2C9C2DAD7BA2706	SHA256:63FF360AAFDE5FF959FB9671EC27002F99CBFAE4907B410046B6A1B0F51CBA9E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2212	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/CSPCA.crl	unknown	—	—	whitelisted
6596	MBAMService.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Windows%20Third%20Party%20Component%20CA%202013.crl	unknown	—	—	whitelisted
—	—	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	unknown	—	—	whitelisted
—	—	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/tspca.crl	unknown	—	—	whitelisted
—	—	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	unknown	—	—	whitelisted
2212	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6836	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6808	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1164	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5336	SearchApp.exe	2.16.110.170:443	www.bing.com	Akamai International B.V.	DE	unknown
—	—	40.126.32.74:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2212	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6780	backgroundTaskHost.exe	2.16.110.170:443	www.bing.com	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.181.238	whitelisted
www.bing.com	2.16.110.170 2.16.110.168 2.16.110.179 2.16.110.193 2.16.110.123 2.16.110.171 2.16.110.138	whitelisted
login.live.com	40.126.32.74 20.190.160.20 40.126.32.134 20.190.160.22 20.190.160.14 40.126.32.76 40.126.32.68 40.126.32.72	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.115.3.253 40.113.110.67	whitelisted
fd.api.iris.microsoft.com	20.103.156.88 20.74.19.45	whitelisted
th.bing.com	2.16.110.170 2.16.110.168 2.16.110.179 2.16.110.193 2.16.110.123 2.16.110.171 2.16.110.138	whitelisted
api2.amplitude.com	52.42.217.47 54.148.87.143 44.228.30.247 44.227.165.250 35.82.18.48 54.201.95.115 35.162.246.214 100.20.208.28 44.238.127.4 35.155.145.183 35.163.33.86 35.163.199.124 35.80.222.250 35.84.62.203 35.165.49.51 44.238.196.27	whitelisted
arc.msn.com	20.103.156.88	whitelisted

Threats

No threats detected

Add for printing

Process	Message
Malwarebytes.exe	Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 1664. Message ID: [0x2509].
Malwarebytes.exe	Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 6140. Message ID: [0x2509].
Malwarebytes.exe	Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 4236. Message ID: [0x2509].

General Info

DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2

D21BF3852BB27FB6F5459D2CF2BCD51C

E59309BBE58C9584517E4BB50FF499DFFB29D7B0

DE9C4E8B4B0C756EEE4E39221C1E4E0E11C2E67EFFB828E27DE3C4B4470CCFF2

98304:l0PKfpT5I7CM4MU91UI22IT1PD2222222721vFdGBeQN0aFvGSSRkrlcfABLqI1a:7X0

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

AGENTTESLA is detected

Actions looks like stealing of personal data

SUSPICIOUS

Drops the executable file immediately after the start

Searches for installed software

Reads the BIOS version

Creates files in the driver directory

The process verifies whether the antivirus software is installed

Executes as Windows Service

Executable content was dropped or overwritten

Drops 7-zip archiver for unpacking

The process creates files with name similar to system file names

Process drops legitimate windows executable

Drops a system driver (possible attempt to evade defenses)

Changes Internet Explorer settings (feature browser emulation)

Adds/modifies Windows certificates

The process drops C-runtime libraries

Checks Windows Trust Settings

Creates/Modifies COM task schedule object

Reads security settings of Internet Explorer

Creates or modifies Windows services

Application launched itself

Starts application from unusual location

The process checks if it is being run in the virtual environment

Creates a software uninstall entry

INFO

Create files in a temporary directory

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Reads the software policy settings

Creates files in the program directory

Checks proxy server information

Adds/modifies Windows certificates

Reads CPU info

Reads the time zone

Reads Environment values

Creates files or folders in the user directory

Manual execution by a user

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules