Malware analysis https://gamedrive.org/resident-evil-requiem-hypervisor-bypass-installation-guide-kirigiri/ Malicious activity

Add for printing

URL:	https://gamedrive.org/resident-evil-requiem-hypervisor-bypass-installation-guide-kirigiri/
Full analysis:	https://app.any.run/tasks/e726d0d4-2ada-4ba6-a39d-90131d376a21
Verdict:	Malicious activity
Threats:	The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes. A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 28, 2026, 11:23:50
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	anti-evasion evasion hijackloader loader stealer susp-powershell python xor-url arechclient2 rat backdoor generic
Indicators:
MD5:	92CFCA12E4DF27116FF85967AB732B2A
SHA1:	8ADD6368EFBD0ABCE4852C73738DCC99E5A5CF07
SHA256:	E13611624CD3783B3EDED5A7B07A3FDC464758BCA9598B9A056DCBF21EC35F5B
SSDEEP:	3:N8lDMJQQRIKB3INkAMWMlML4RL9WMCn:2y+QRIpkp0L4RLwf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- HIJACKLOADER has been detected (YARA)
  - ElHandler.exe (PID: 8616)
  - Pz6MQQ0XM.exe (PID: 7312)
- Actions looks like stealing of personal data
  - ElHandler.exe (PID: 8616)
- Steals credentials from Web Browsers
  - ElHandler.exe (PID: 8616)
- Changes powershell execution policy (Bypass)
  - ElHandler.exe (PID: 8616)
- Modifies registry (POWERSHELL)
  - powershell.exe (PID: 6956)
- ARECHCLIENT2 has been detected (YARA)
  - wslservice.exe (PID: 7824)
- XORed URL has been found (YARA)
  - wslservice.exe (PID: 7824)
SUSPICIOUS
- Starts CMD.EXE for commands execution
  - lnstaIer.exe (PID: 8776)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 7576)
  - cmd.exe (PID: 3436)
  - cmd.exe (PID: 4704)
  - cmd.exe (PID: 3584)
  - cmd.exe (PID: 7036)
  - ElHandler.exe (PID: 8616)
- Accesses local storage devices (Win32_LogicalDisk) (SCRIPT)
  - powershell.exe (PID: 2680)
- Checks for external IP
  - lnstaIer.exe (PID: 8776)
  - svchost.exe (PID: 2292)
- Possible stealing from browsers
  - ElHandler.exe (PID: 8616)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 8372)
  - powershell.exe (PID: 6956)
- Possible stealing from password managers
  - ElHandler.exe (PID: 8616)
- Searches for installed software
  - ElHandler.exe (PID: 8616)
- Found IP address in command line
  - powershell.exe (PID: 8372)
  - powershell.exe (PID: 6956)
- The process executes Powershell scripts
  - powershell.exe (PID: 8372)
- The process bypasses the loading of PowerShell profile settings
  - ElHandler.exe (PID: 8616)
- Possible stealing from crypto wallets
  - ElHandler.exe (PID: 8616)
- Possible stealing of email data
  - ElHandler.exe (PID: 8616)
- Starts a new process with hidden mode (POWERSHELL)
  - powershell.exe (PID: 6956)
- Gets or sets the security protocol (POWERSHELL)
  - powershell.exe (PID: 6956)
- Receives information about network interfaces and IP addresses (POWERSHELL)
  - powershell.exe (PID: 6956)
- Uses base64 encoding (POWERSHELL)
  - powershell.exe (PID: 6956)
- Gets path to any of the special folders (POWERSHELL)
  - powershell.exe (PID: 6956)
- Uses sleep to delay execution (POWERSHELL)
  - powershell.exe (PID: 6956)
- Possible path obfuscation (POWERSHELL)
  - powershell.exe (PID: 6956)
- Process drops python dynamic module
  - powershell.exe (PID: 6956)
- Loads Python modules
  - wslservice.exe (PID: 7824)
INFO
- Drops script file
  - WinRAR.exe (PID: 3636)
  - firefox.exe (PID: 7452)
  - lnstaIer.exe (PID: 8776)
  - powershell.exe (PID: 2680)
  - powershell.exe (PID: 6880)
  - powershell.exe (PID: 7244)
  - powershell.exe (PID: 1856)
  - powershell.exe (PID: 4304)
  - powershell.exe (PID: 8372)
  - powershell.exe (PID: 6956)
- Application launched itself
  - firefox.exe (PID: 6156)
  - firefox.exe (PID: 7452)
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 3636)
- Checks supported languages
  - lnstaIer.exe (PID: 8776)
  - Pz6MQQ0XM.exe (PID: 7312)
  - ElHandler.exe (PID: 8616)
  - Crisp.exe (PID: 1512)
  - wslservice.exe (PID: 7824)
- Reads the machine GUID from the registry
  - lnstaIer.exe (PID: 8776)
  - ElHandler.exe (PID: 8616)
  - wslservice.exe (PID: 7824)
- Manual execution by a user
  - WinRAR.exe (PID: 3636)
- Create files in a temporary directory
  - lnstaIer.exe (PID: 8776)
  - Pz6MQQ0XM.exe (PID: 7312)
  - Crisp.exe (PID: 1512)
- Checks operating system version
  - lnstaIer.exe (PID: 8776)
- Creates files or folders in the user directory
  - lnstaIer.exe (PID: 8776)
  - Pz6MQQ0XM.exe (PID: 7312)
- Checks proxy server information
  - slui.exe (PID: 796)
  - lnstaIer.exe (PID: 8776)
  - powershell.exe (PID: 8372)
  - powershell.exe (PID: 6956)
  - wslservice.exe (PID: 7824)
- Uses string replace method (POWERSHELL)
  - powershell.exe (PID: 2680)
- There is functionality for taking screenshot (YARA)
  - lnstaIer.exe (PID: 8776)
- Reads the computer name
  - lnstaIer.exe (PID: 8776)
  - Pz6MQQ0XM.exe (PID: 7312)
  - ElHandler.exe (PID: 8616)
  - Crisp.exe (PID: 1512)
  - wslservice.exe (PID: 7824)
- Creates files in the program directory
  - Pz6MQQ0XM.exe (PID: 7312)
- Disables trace logs
  - powershell.exe (PID: 8372)
  - powershell.exe (PID: 6956)
  - wslservice.exe (PID: 7824)
- Gets a random number, or selects objects randomly from a collection (POWERSHELL)
  - powershell.exe (PID: 6956)
- Gets data length (POWERSHELL)
  - powershell.exe (PID: 6956)
- Converts byte array into ASCII string (POWERSHELL)
  - powershell.exe (PID: 6956)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 6956)
- User-Agent configuration (POWERSHELL)
  - powershell.exe (PID: 6956)
- Failed to connect to remote server (POWERSHELL)
  - powershell.exe (PID: 8372)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 8372)
- The executable file from the user directory is run by the Powershell process
  - wslservice.exe (PID: 7824)
- Reads Environment values
  - wslservice.exe (PID: 7824)
- Found Base64 encoded text manipulation via PowerShell (YARA)
  - powershell.exe (PID: 6956)
- Python executable
  - wslservice.exe (PID: 7824)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

xor-url

(PID) Process(7824) wslservice.exe

Decrypted-URLs (14)http://dl.google.com/chrome/install/375.126/chrome_installer.exe]

https://bsc-dataseed1.binance.org/

https://bsc-dataseed1.defibit.io/

https://bsc-dataseed1.ninicoin.io/O

https://bsc-dataseed2.binance.org/0

https://bsc-dataseed2.defibit.io/

https://bsc-dataseed2.ninicoin.io/

https://bsc-dataseed3.binance.org/

https://bsc-dataseed3.defibit.io/

https://bsc-dataseed3.ninicoin.io/

https://bsc-dataseed4.binance.org/A

https://bsc-dataseed4.defibit.io/k

https://bsc-dataseed4.ninicoin.io/

https://github.com

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

204

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

796

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1352

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

ElHandler.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1512

C:\Users\admin\AppData\Roaming\nt_authenticate_rtm\Crisp.exe

—

Pz6MQQ0XM.exe

User:

admin

Company:

Crisp IM SAS

Integrity Level:

MEDIUM

Description:

Crisp

Exit code:

Version:

6.0.68

Modules

Images
c:\windows\syswow64\input.dll
c:\users\admin\appdata\roaming\nt_authenticate_rtm\crisp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll

1524

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1856

powershell -Command "Get-CimInstance Win32_ComputerSystem | Select-Object Manufacturer"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1984

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4260 -prefsLen 39411 -prefMapHandle 5492 -prefMapSize 272981 -jsInitHandle 3692 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 6008 -initialChannelId {b839056a-33ad-46a4-8e9c-8fd022211701} -parentPid 7452 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7452" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 14 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\crypt32.dll

2092

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2292

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2348

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

ElHandler.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2360

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

43 689

Read events

43 644

Write events

Delete events

Modification events


(PID) Process:	(3636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(3636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(3636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Downloads\chromium_build 1.zip
(PID) Process:	(3636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Downloads\Free Downloaded Files.zip
(PID) Process:	(3636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(8776) lnstaIer.exe	Key:	HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0
Operation:	write	Name:	GUID
Value: 70DC385A6E14F1118001444553540000
(PID) Process:	(8372) powershell.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

2 090

Dropped files

PID	Process	Filename		Type
7452	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin		—
		MD5:—	SHA256:—
7452	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.bin		binary
		MD5:5152D8F49F1AD4219D935611EFE18437	SHA256:9A6E50715E3C49A43E3D622EDE7E37ECF0767342B3039B8B0AE25BBE4FF6F66E
7452	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
7452	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite		—
		MD5:—	SHA256:—
7452	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.bin		binary
		MD5:3134ED3F12E4F4F8643DB90043B0FD7B	SHA256:26E4F122034D7A03F6DA0E707799B09CBEEBDAF8D7A3133A1F7BD894AC72EEA1
7452	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
7452	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
7452	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
7452	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\SiteSecurityServiceState.bin		binary
		MD5:3734BAC2A873A9FAB0D38BE3D715F0CF	SHA256:2B0572C8C15A9AF9C9A4A899A5CDE033BFD8B13CC26C949E6DDF7A2DA6242499
7452	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

320

TCP/UDP connections

144

DNS requests

194

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7452	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	US	binary	90 b	unknown
7452	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	US	binary	8 b	unknown
7452	firefox.exe	POST	200	172.217.168.67:80	http://o.pki.goog/we2	US	binary	280 b	whitelisted
7452	firefox.exe	POST	200	172.217.168.67:80	http://o.pki.goog/we2	US	binary	280 b	whitelisted
7452	firefox.exe	POST	200	172.217.168.67:80	http://o.pki.goog/we2	US	binary	281 b	whitelisted
7452	firefox.exe	GET	200	151.101.129.91:443	https://firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/changeset?collection=url-parser-default-unknown-schemes-interventions&bucket=main&_expected=0	US	binary	274 b	unknown
7452	firefox.exe	GET	200	151.101.129.91:443	https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/url-parser-default-unknown-schemes-interventions/changeset?_expected=1743513175300&_since=%221726769128879%22	US	binary	1.76 Kb	unknown
7452	firefox.exe	GET	200	151.101.129.91:443	https://firefox.settings.services.mozilla.com/v1/	US	binary	1.20 Kb	unknown
7452	firefox.exe	GET	200	172.67.216.195:443	https://gamedrive.org/resident-evil-requiem-hypervisor-bypass-installation-guide-kirigiri/	US	binary	325 Kb	unknown
7452	firefox.exe	POST	—	172.217.168.67:80	http://o.pki.goog/we2	US	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5524	RUXIMICS.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
6768	MoUsoCoreWorker.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8176	svchost.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
—	—	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7452	firefox.exe	151.101.129.91:443	firefox.settings.services.mozilla.com	FASTLY	US	whitelisted
7452	firefox.exe	172.67.216.195:443	gamedrive.org	CLOUDFLARENET	US	malicious
7452	firefox.exe	172.217.16.164:443	www.google.com	GOOGLE	US	whitelisted
7452	firefox.exe	34.107.221.82:80	detectportal.firefox.com	GOOGLE-CLOUD-PLATFORM	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.251.36.110	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
firefox.settings.services.mozilla.com	151.101.129.91 151.101.65.91 151.101.1.91 151.101.193.91	whitelisted
mozilla.map.fastly.net	151.101.129.91 151.101.65.91 151.101.1.91 151.101.193.91 2a04:4e42:600::347 2a04:4e42:200::347 2a04:4e42:400::347 2a04:4e42::347	whitelisted
gamedrive.org	172.67.216.195 104.21.24.40 2606:4700:3036::6815:1828 2606:4700:3037::ac43:d8c3	malicious
detectportal.firefox.com	34.107.221.82	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
contile.services.mozilla.com	151.101.193.91 151.101.1.91 151.101.129.91 151.101.65.91	whitelisted
spocs.getpocket.com	151.101.1.91 151.101.193.91 151.101.65.91 151.101.129.91	whitelisted
example.org	104.18.3.24 104.18.2.24	whitelisted

Threats

PID	Process	Class	Message
2292	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2292	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2292	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2292	svchost.exe	Misc activity	ET INFO Observed DNS Query to .cfd TLD
2292	svchost.exe	Misc activity	ET INFO Observed DNS Query to .cfd TLD
2292	svchost.exe	Misc activity	ET INFO Observed DNS Query to .cfd TLD
2292	svchost.exe	Misc activity	ET INFO Observed DNS Query to .cfd TLD
2292	svchost.exe	Misc activity	ET INFO Observed DNS Query to .cfd TLD
2292	svchost.exe	Misc activity	ET INFO Observed DNS Query to .cfd TLD
2292	svchost.exe	Misc activity	ET INFO Observed DNS Query to .cfd TLD

Add for printing

No debug info

General Info

https://gamedrive.org/resident-evil-requiem-hypervisor-bypass-installation-guide-kirigiri/

92CFCA12E4DF27116FF85967AB732B2A

8ADD6368EFBD0ABCE4852C73738DCC99E5A5CF07

E13611624CD3783B3EDED5A7B07A3FDC464758BCA9598B9A056DCBF21EC35F5B

3:N8lDMJQQRIKB3INkAMWMlML4RL9WMCn:2y+QRIpkp0L4RLwf

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

HIJACKLOADER has been detected (YARA)

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Changes powershell execution policy (Bypass)

Modifies registry (POWERSHELL)

ARECHCLIENT2 has been detected (YARA)

XORed URL has been found (YARA)

SUSPICIOUS

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Accesses local storage devices (Win32_LogicalDisk) (SCRIPT)

Checks for external IP

Possible stealing from browsers

Bypass execution policy to execute commands

Possible stealing from password managers

Searches for installed software

Found IP address in command line

The process executes Powershell scripts

The process bypasses the loading of PowerShell profile settings

Possible stealing from crypto wallets

Possible stealing of email data

Starts a new process with hidden mode (POWERSHELL)

Gets or sets the security protocol (POWERSHELL)

Receives information about network interfaces and IP addresses (POWERSHELL)

Uses base64 encoding (POWERSHELL)

Gets path to any of the special folders (POWERSHELL)

Uses sleep to delay execution (POWERSHELL)

Possible path obfuscation (POWERSHELL)

Process drops python dynamic module

Loads Python modules

INFO

Drops script file

Application launched itself

Reads security settings of Internet Explorer

Checks supported languages

Reads the machine GUID from the registry

Manual execution by a user

Create files in a temporary directory

Checks operating system version

Creates files or folders in the user directory

Checks proxy server information

Uses string replace method (POWERSHELL)

There is functionality for taking screenshot (YARA)

Reads the computer name

Creates files in the program directory

Disables trace logs

Gets a random number, or selects objects randomly from a collection (POWERSHELL)

Gets data length (POWERSHELL)

Converts byte array into ASCII string (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

User-Agent configuration (POWERSHELL)

Failed to connect to remote server (POWERSHELL)

Script raised an exception (POWERSHELL)

The executable file from the user directory is run by the Powershell process

Reads Environment values

Found Base64 encoded text manipulation via PowerShell (YARA)

Python executable

Malware configuration

xor-url

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information