Malware analysis HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe Malicious activity

Add for printing

File name:	HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe
Full analysis:	https://app.any.run/tasks/c53db868-4ac8-4ef7-9062-42944edb4b2b
Verdict:	Malicious activity
Threats:	PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. Malware Trends Tracker >>>
Analysis date:	February 19, 2024, 11:53:11
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	evasion privateloader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	269D7E74E4B21A2FC0E66907C77FC0BC
SHA1:	FC09525A2F93BF089D0B02C5220E7EE452E64747
SHA256:	E6EA98B046B11A35EFA0AC1243F6190FF4D4247A35784E65A9FEAAF4918AE779
SSDEEP:	49152:bsM2FT2gKUQyBStGWDAj/nhVSo5/+XdbfZgEh+STw7ZOjaw9ZCRMX8MkXw8hZHMc:bYFT2hRyBkGCK/h4o5WXdTOEh+6w7rRN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 3216)
  - setup_installer.exe (PID: 2848)
  - karotima_2.exe (PID: 3212)
  - setup_install.exe (PID: 3464)
  - setup_installer.exe (PID: 3088)
  - setup_install.exe (PID: 1792)
  - karotima_2.exe (PID: 3556)
  - setup_installer.exe (PID: 920)
  - setup_install.exe (PID: 3260)
  - setup_installer.exe (PID: 3248)
  - setup_install.exe (PID: 1288)
  - karotima_2.exe (PID: 3016)
  - setup_installer.exe (PID: 4052)
  - setup_install.exe (PID: 3460)
  - karotima_2.exe (PID: 3276)
  - setup_installer.exe (PID: 3068)
  - setup_install.exe (PID: 2100)
  - karotima_2.exe (PID: 880)
  - setup_install.exe (PID: 2584)
  - setup_installer.exe (PID: 2396)
  - karotima_2.exe (PID: 3192)
- PRIVATELOADER has been detected (YARA)
  - karotima_1.exe (PID: 2624)
  - karotima_1.exe (PID: 480)
  - karotima_1.exe (PID: 3272)
  - karotima_1.exe (PID: 1692)
SUSPICIOUS
- Executable content was dropped or overwritten
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 3216)
  - setup_installer.exe (PID: 2848)
  - karotima_2.exe (PID: 3212)
  - setup_install.exe (PID: 3464)
  - setup_installer.exe (PID: 3088)
  - setup_install.exe (PID: 1792)
  - karotima_2.exe (PID: 3556)
  - setup_installer.exe (PID: 920)
  - setup_install.exe (PID: 3260)
  - setup_installer.exe (PID: 3248)
  - setup_install.exe (PID: 1288)
  - karotima_2.exe (PID: 3016)
  - setup_installer.exe (PID: 4052)
  - setup_install.exe (PID: 3460)
  - karotima_2.exe (PID: 3276)
  - setup_installer.exe (PID: 3068)
  - setup_install.exe (PID: 2100)
  - karotima_2.exe (PID: 880)
  - setup_installer.exe (PID: 2396)
  - setup_install.exe (PID: 2584)
  - karotima_2.exe (PID: 3192)
- Reads security settings of Internet Explorer
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 3216)
  - setup_installer.exe (PID: 2848)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 712)
  - setup_installer.exe (PID: 3088)
  - setup_installer.exe (PID: 920)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 2516)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 2268)
  - setup_installer.exe (PID: 3248)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 3652)
  - setup_installer.exe (PID: 4052)
  - setup_installer.exe (PID: 3068)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 1584)
  - setup_installer.exe (PID: 2396)
- Drops 7-zip archiver for unpacking
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 3216)
- Reads the Internet Settings
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 3216)
  - setup_installer.exe (PID: 2848)
  - karotima_1.exe (PID: 2624)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 712)
  - setup_installer.exe (PID: 3088)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 2516)
  - setup_installer.exe (PID: 920)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 2268)
  - setup_installer.exe (PID: 3248)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 3652)
  - setup_installer.exe (PID: 4052)
  - setup_installer.exe (PID: 3068)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 1584)
  - setup_installer.exe (PID: 2396)
- The executable file from the user directory is run by the CMD process
  - karotima_2.exe (PID: 3212)
  - karotima_2.exe (PID: 3556)
  - karotima_1.exe (PID: 480)
  - karotima_1.exe (PID: 3272)
  - karotima_2.exe (PID: 3140)
  - karotima_1.exe (PID: 2624)
  - karotima_2.exe (PID: 3016)
  - karotima_1.exe (PID: 3024)
  - karotima_2.exe (PID: 3276)
  - karotima_1.exe (PID: 1692)
  - karotima_2.exe (PID: 880)
  - karotima_1.exe (PID: 1340)
  - karotima_2.exe (PID: 3192)
  - karotima_1.exe (PID: 2936)
- Reads settings of System Certificates
  - karotima_1.exe (PID: 2624)
  - karotima_1.exe (PID: 480)
  - karotima_1.exe (PID: 3272)
  - karotima_1.exe (PID: 3024)
  - karotima_1.exe (PID: 1692)
  - karotima_1.exe (PID: 1340)
  - karotima_1.exe (PID: 2936)
- Adds/modifies Windows certificates
  - karotima_1.exe (PID: 2624)
- Process drops legitimate windows executable
  - karotima_2.exe (PID: 3212)
  - karotima_2.exe (PID: 3556)
  - karotima_2.exe (PID: 3016)
  - karotima_2.exe (PID: 3276)
  - karotima_2.exe (PID: 880)
  - karotima_2.exe (PID: 3192)
- Checks for external IP
  - karotima_1.exe (PID: 2624)
  - karotima_1.exe (PID: 480)
  - karotima_1.exe (PID: 3272)
  - karotima_1.exe (PID: 3024)
  - karotima_1.exe (PID: 1692)
  - karotima_1.exe (PID: 1340)
  - karotima_1.exe (PID: 2936)
- Starts CMD.EXE for commands execution
  - setup_install.exe (PID: 1792)
  - setup_install.exe (PID: 3260)
  - setup_install.exe (PID: 3464)
  - setup_install.exe (PID: 1288)
  - setup_install.exe (PID: 3460)
  - setup_install.exe (PID: 2100)
  - setup_install.exe (PID: 2584)
INFO
- Reads the computer name
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 3216)
  - setup_installer.exe (PID: 2848)
  - setup_install.exe (PID: 3464)
  - karotima_1.exe (PID: 2624)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 712)
  - setup_installer.exe (PID: 3088)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 2516)
  - karotima_1.exe (PID: 480)
  - setup_installer.exe (PID: 920)
  - setup_install.exe (PID: 3260)
  - karotima_1.exe (PID: 3272)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 2268)
  - setup_installer.exe (PID: 3248)
  - setup_install.exe (PID: 1288)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 3652)
  - karotima_1.exe (PID: 3024)
  - setup_installer.exe (PID: 4052)
  - setup_install.exe (PID: 3460)
  - karotima_1.exe (PID: 1692)
  - setup_installer.exe (PID: 3068)
  - setup_install.exe (PID: 2100)
  - karotima_1.exe (PID: 1340)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 1584)
  - setup_installer.exe (PID: 2396)
  - karotima_1.exe (PID: 2936)
  - setup_install.exe (PID: 2584)
  - setup_install.exe (PID: 1792)
- Checks supported languages
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 3216)
  - setup_installer.exe (PID: 2848)
  - setup_install.exe (PID: 3464)
  - karotima_2.exe (PID: 3212)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 712)
  - setup_installer.exe (PID: 3088)
  - setup_install.exe (PID: 1792)
  - karotima_2.exe (PID: 3556)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 2516)
  - karotima_1.exe (PID: 480)
  - setup_installer.exe (PID: 920)
  - setup_install.exe (PID: 3260)
  - karotima_1.exe (PID: 3272)
  - karotima_2.exe (PID: 3140)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 2268)
  - karotima_1.exe (PID: 3024)
  - karotima_1.exe (PID: 2624)
  - setup_installer.exe (PID: 3248)
  - setup_install.exe (PID: 1288)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 3652)
  - karotima_2.exe (PID: 3016)
  - setup_install.exe (PID: 3460)
  - karotima_1.exe (PID: 1692)
  - karotima_2.exe (PID: 3276)
  - setup_installer.exe (PID: 4052)
  - setup_installer.exe (PID: 3068)
  - setup_install.exe (PID: 2100)
  - karotima_1.exe (PID: 1340)
  - karotima_2.exe (PID: 880)
  - setup_installer.exe (PID: 2396)
  - setup_install.exe (PID: 2584)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 1584)
  - karotima_2.exe (PID: 3192)
  - karotima_1.exe (PID: 2936)
- Create files in a temporary directory
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 3216)
  - setup_installer.exe (PID: 2848)
  - karotima_1.exe (PID: 2624)
  - karotima_2.exe (PID: 3212)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 712)
  - setup_installer.exe (PID: 3088)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 2516)
  - karotima_2.exe (PID: 3556)
  - setup_installer.exe (PID: 920)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 2268)
  - setup_installer.exe (PID: 3248)
  - karotima_2.exe (PID: 3016)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 3652)
  - setup_installer.exe (PID: 4052)
  - karotima_2.exe (PID: 3276)
  - setup_installer.exe (PID: 3068)
  - karotima_2.exe (PID: 880)
  - setup_installer.exe (PID: 2396)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 1584)
  - karotima_2.exe (PID: 3192)
- Reads the software policy settings
  - karotima_1.exe (PID: 2624)
  - karotima_1.exe (PID: 480)
  - karotima_1.exe (PID: 3272)
  - karotima_1.exe (PID: 3024)
  - karotima_1.exe (PID: 1692)
  - karotima_1.exe (PID: 1340)
  - karotima_1.exe (PID: 2936)
- Reads the machine GUID from the registry
  - karotima_1.exe (PID: 2624)
  - karotima_1.exe (PID: 480)
  - karotima_1.exe (PID: 3272)
  - karotima_1.exe (PID: 3024)
  - karotima_1.exe (PID: 1692)
  - karotima_1.exe (PID: 1340)
  - karotima_1.exe (PID: 2936)
- Manual execution by a user
  - explorer.exe (PID: 1348)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 712)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 984)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 2516)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 2268)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 3652)
  - setup_installer.exe (PID: 3068)
  - HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (PID: 1584)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

PrivateLoader

(PID) Process(2624) karotima_1.exe

C2 (2)http://wfsdragon.ru/api/setStats.php

37.0.11.41

Attributes

Payload (2)http://37.0.8.235/proxies.txt

http://136.144.41.201/server.txt

Strings (288)CryptAcquireContextA

Advapi32.dll

Crypto++ RNG

ipinfo.io/widget

country

db-ip.com

data-api-key="

/self

countryCode

www.maxmind.com/geoip/v2.1/city/me

iso_code

GetIP

api.ipgeolocation.io/ipgeo?include=hostname&ip=

country_code2

http://37.0.8.235/proxies.txt

:1080

http://136.144.41.201/server.txt

HOST:

http://wfsdragon.ru/api/setStats.php

37.0.11.41

links

extensions

wininet.dll

https://

SetIncrement|ColdWallet

SetIncrement|BrowserWallet

SetIncrement|CryptoWallet

GetCryptoSleeping

SetIncrement|NoCryptoWallet

net_country_code

os_country_code

browsers

Chrome:

Edge:

ip_country

AddExtensionStat|

AddLoggerStat|

SetIncrement|ww_starts

false

iplis.ru/1S3fd7.mp3

iplis.ru/1G8Fx7.mp3

iplis.ru/1pRXr7.txt

iplis.ru/1BV4j7.mp4

yobit.net

yobit.io

zb.com

binance.com

huobi.com

hitbtc.com

bitfinex.com

kraken.com

bitstamp.net

bittrex.com

gate.io

exmo.com

bitflyer.com

poloniex.com

kucoin.com

coinone.co.kr

livecoin.net

mercatox.com

localbitcoins.com

korbit.co.kr

bitmex.com

cryptobridge.freshdesk.com

volabit.com

tradeogre.com

blockchain.com

bitkub.com

uphold.com

wallet.uphold.com

tidex.com

coinbase.com

coinome.com

bitso.com

coinpayments.net

luno.com

coinexchange.io

bitmax.io

btc-alpha.com

bitbank.cc

independentreserve.com

bitmart.com

cex.io

cryptopia.co.nz

cryptonator.com

advcash.com

my.dogechain.info

spectrocoin.com

exir.io

exir.tech

coinbene.com

bitforex.com

gopax.co.kr

catex.io

vindax.com

coineal.com

maicoin.com

finexbox.com

etherflyer.com

bx.in.th

bitopro.com

lbank.info

citex.co.kr

coinzo.com

atomars.com

coinfinit.com

bitker.com

btc-trade.com.ua

dobitrade.com

btcexa.com

satowallet.com

cpdax.com

trade.io

btcnext.io

exmarkets.com

localtrade.cc

btc-exchange.com

chaoex.com

jex.com

therocktrading.com

gdac.com

southxchange.com

tokens.net

fexpro.net

btcbox.co.jp

coinmex.com

cryptology.com

kuna.io

cointiger.com

cashierest.com

liquid.com

coinbit.co.kr

mxc.com

bilaxy.com

coinall.com

coindeal.com

omgfin.com

stex.com

oceanex.pro

bithumb.com

ftx.com

shortex.net

coin.z.com

fcoin.com

fatbtc.com

tokenize.exchange

simex.global

instantbitex.com

btcmarkets.net

SOFTWARE\Google\Chrome\PreferenceMACs

\Google\Chrome\User Data\

\Login Data

SOFTWARE\Microsoft\Edge\PreferenceMACs

\Microsoft\Edge\User Data\

SOFTWARE\BraveSoftware\Brave-Browser\PreferenceMACs

\BraveSoftware\Brave-Browser\User Data\

SOFTWARE\CryptoTab Browser\PreferenceMACs

\CryptoTab Browser\User Data\

\Roaming

\Opera Software\Opera Stable

\atomic

\Atomic Wallet

\com.liberty.jaxx

\Electrum

\Exodus

\MultiDoge

\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

\Microsoft\Edge\Application

(x86)\Microsoft\Edge\Application

SOFTWARE\Microsoft\Edge\BLBeacon

version

\Secure Preferences

filter_browsers

browser

use_open_browser

settings

install_time

\Extensions\

\u003C

protection

extensions.settings.

super_mac

msedge.exe

\extensions.settings

SOFTWARE\Microsoft\Edge\PreferenceMACs\

\msedge.exe

\Google\Chrome\Application

(x86)\Google\Chrome\Application

SOFTWARE\Google\Chrome\BLBeacon

\resources.pak

chrome

chrome.exe

SOFTWARE\Google\Chrome\PreferenceMACs\

\chrome.exe

Guest Profile

System Profile

Error!

ext_url

cfg_url

data=

/base/api/getData.php

Windows Server 2016

Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 R2

Windows Server 2008

Windows Server

Windows 10

Windows 8.1

Windows 8

Windows 7

Windows Vista

Windows XP

SOFTWARE\Policies\Microsoft\Windows Defender

DisableAntiSpyware

DisableRoutinelyTakingAction

SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

DisableBehaviorMonitoring

DisableOnAccessProtection

DisableScanOnRealtimeEnable

DisableRealtimeMonitoring

DisableIOAVProtection

DisableRawWriteNotification

GetComputerNameA

VerSetConditionMask

VerifyVersionInfoW

GetGeoInfoA

GetCurrentProcess

GetVersionExA

MultiByteToWideChar

WideCharToMultiByte

User32.dll

CharToOemA

IsWow64Process

GetModuleHandleA

LoadLibraryA

SetPriorityClass

Sleep

GetTempPathA

CreateProcessA

GetFileAttributesA

CreateDirectoryA

CreateThread

CloseHandle

VirtualAlloc

VirtualFree

OpenProcess

TerminateProcess

GetUserGeoID

ntdll.dll

NtQuerySystemInformation

RtlGetVersion

Shell32.dll

ShellExecuteA

SHGetFolderPathA

RegOpenKeyExA

RegSetValueExA

RegCloseKey

RegCreateKeyExA

RegDeleteKeyA

RegDeleteValueA

RegQueryValueExA

RegEnumKeyExA

ConvertSidToStringSidA

LookupAccountNameA

WINHTTP.dll

http://

WinHttpConnect

WinHttpQueryHeaders

WinHttpOpen

WinHttpOpenRequest

WinHttpQueryDataAvailable

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpReadData

WinHttpCloseHandle

InternetOpenA

InternetSetOptionA

HttpOpenRequestA

InternetConnectA

InternetOpenUrlA

HttpQueryInfoA

InternetQueryOptionA

HttpSendRequestA

InternetReadFile

InternetCloseHandle

(PID) Process(480) karotima_1.exe

C2 (2)http://wfsdragon.ru/api/setStats.php

37.0.11.41

Attributes

Payload (2)http://37.0.8.235/proxies.txt

http://136.144.41.201/server.txt

Strings (288)CryptAcquireContextA

Advapi32.dll

Crypto++ RNG

ipinfo.io/widget

country

db-ip.com

data-api-key="

/self

countryCode

www.maxmind.com/geoip/v2.1/city/me

iso_code

GetIP

api.ipgeolocation.io/ipgeo?include=hostname&ip=

country_code2

http://37.0.8.235/proxies.txt

:1080

http://136.144.41.201/server.txt

HOST:

http://wfsdragon.ru/api/setStats.php

37.0.11.41

links

extensions

wininet.dll

https://

SetIncrement|ColdWallet

SetIncrement|BrowserWallet

SetIncrement|CryptoWallet

GetCryptoSleeping

SetIncrement|NoCryptoWallet

net_country_code

os_country_code

browsers

Chrome:

Edge:

ip_country

AddExtensionStat|

AddLoggerStat|

SetIncrement|ww_starts

false

iplis.ru/1S3fd7.mp3

iplis.ru/1G8Fx7.mp3

iplis.ru/1pRXr7.txt

iplis.ru/1BV4j7.mp4

yobit.net

yobit.io

zb.com

binance.com

huobi.com

hitbtc.com

bitfinex.com

kraken.com

bitstamp.net

bittrex.com

gate.io

exmo.com

bitflyer.com

poloniex.com

kucoin.com

coinone.co.kr

livecoin.net

mercatox.com

localbitcoins.com

korbit.co.kr

bitmex.com

cryptobridge.freshdesk.com

volabit.com

tradeogre.com

blockchain.com

bitkub.com

uphold.com

wallet.uphold.com

tidex.com

coinbase.com

coinome.com

bitso.com

coinpayments.net

luno.com

coinexchange.io

bitmax.io

btc-alpha.com

bitbank.cc

independentreserve.com

bitmart.com

cex.io

cryptopia.co.nz

cryptonator.com

advcash.com

my.dogechain.info

spectrocoin.com

exir.io

exir.tech

coinbene.com

bitforex.com

gopax.co.kr

catex.io

vindax.com

coineal.com

maicoin.com

finexbox.com

etherflyer.com

bx.in.th

bitopro.com

lbank.info

citex.co.kr

coinzo.com

atomars.com

coinfinit.com

bitker.com

btc-trade.com.ua

dobitrade.com

btcexa.com

satowallet.com

cpdax.com

trade.io

btcnext.io

exmarkets.com

localtrade.cc

btc-exchange.com

chaoex.com

jex.com

therocktrading.com

gdac.com

southxchange.com

tokens.net

fexpro.net

btcbox.co.jp

coinmex.com

cryptology.com

kuna.io

cointiger.com

cashierest.com

liquid.com

coinbit.co.kr

mxc.com

bilaxy.com

coinall.com

coindeal.com

omgfin.com

stex.com

oceanex.pro

bithumb.com

ftx.com

shortex.net

coin.z.com

fcoin.com

fatbtc.com

tokenize.exchange

simex.global

instantbitex.com

btcmarkets.net

SOFTWARE\Google\Chrome\PreferenceMACs

\Google\Chrome\User Data\

\Login Data

SOFTWARE\Microsoft\Edge\PreferenceMACs

\Microsoft\Edge\User Data\

SOFTWARE\BraveSoftware\Brave-Browser\PreferenceMACs

\BraveSoftware\Brave-Browser\User Data\

SOFTWARE\CryptoTab Browser\PreferenceMACs

\CryptoTab Browser\User Data\

\Roaming

\Opera Software\Opera Stable

\atomic

\Atomic Wallet

\com.liberty.jaxx

\Electrum

\Exodus

\MultiDoge

\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

\Microsoft\Edge\Application

(x86)\Microsoft\Edge\Application

SOFTWARE\Microsoft\Edge\BLBeacon

version

\Secure Preferences

filter_browsers

browser

use_open_browser

settings

install_time

\Extensions\

\u003C

protection

extensions.settings.

super_mac

msedge.exe

\extensions.settings

SOFTWARE\Microsoft\Edge\PreferenceMACs\

\msedge.exe

\Google\Chrome\Application

(x86)\Google\Chrome\Application

SOFTWARE\Google\Chrome\BLBeacon

\resources.pak

chrome

chrome.exe

SOFTWARE\Google\Chrome\PreferenceMACs\

\chrome.exe

Guest Profile

System Profile

Error!

ext_url

cfg_url

data=

/base/api/getData.php

Windows Server 2016

Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 R2

Windows Server 2008

Windows Server

Windows 10

Windows 8.1

Windows 8

Windows 7

Windows Vista

Windows XP

SOFTWARE\Policies\Microsoft\Windows Defender

DisableAntiSpyware

DisableRoutinelyTakingAction

SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

DisableBehaviorMonitoring

DisableOnAccessProtection

DisableScanOnRealtimeEnable

DisableRealtimeMonitoring

DisableIOAVProtection

DisableRawWriteNotification

GetComputerNameA

VerSetConditionMask

VerifyVersionInfoW

GetGeoInfoA

GetCurrentProcess

GetVersionExA

MultiByteToWideChar

WideCharToMultiByte

User32.dll

CharToOemA

IsWow64Process

GetModuleHandleA

LoadLibraryA

SetPriorityClass

Sleep

GetTempPathA

CreateProcessA

GetFileAttributesA

CreateDirectoryA

CreateThread

CloseHandle

VirtualAlloc

VirtualFree

OpenProcess

TerminateProcess

GetUserGeoID

ntdll.dll

NtQuerySystemInformation

RtlGetVersion

Shell32.dll

ShellExecuteA

SHGetFolderPathA

RegOpenKeyExA

RegSetValueExA

RegCloseKey

RegCreateKeyExA

RegDeleteKeyA

RegDeleteValueA

RegQueryValueExA

RegEnumKeyExA

ConvertSidToStringSidA

LookupAccountNameA

WINHTTP.dll

http://

WinHttpConnect

WinHttpQueryHeaders

WinHttpOpen

WinHttpOpenRequest

WinHttpQueryDataAvailable

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpReadData

WinHttpCloseHandle

InternetOpenA

InternetSetOptionA

HttpOpenRequestA

InternetConnectA

InternetOpenUrlA

HttpQueryInfoA

InternetQueryOptionA

HttpSendRequestA

InternetReadFile

InternetCloseHandle

(PID) Process(3272) karotima_1.exe

C2 (2)http://wfsdragon.ru/api/setStats.php

37.0.11.41

Attributes

Payload (2)http://37.0.8.235/proxies.txt

http://136.144.41.201/server.txt

Strings (288)CryptAcquireContextA

Advapi32.dll

Crypto++ RNG

ipinfo.io/widget

country

db-ip.com

data-api-key="

/self

countryCode

www.maxmind.com/geoip/v2.1/city/me

iso_code

GetIP

api.ipgeolocation.io/ipgeo?include=hostname&ip=

country_code2

http://37.0.8.235/proxies.txt

:1080

http://136.144.41.201/server.txt

HOST:

http://wfsdragon.ru/api/setStats.php

37.0.11.41

links

extensions

wininet.dll

https://

SetIncrement|ColdWallet

SetIncrement|BrowserWallet

SetIncrement|CryptoWallet

GetCryptoSleeping

SetIncrement|NoCryptoWallet

net_country_code

os_country_code

browsers

Chrome:

Edge:

ip_country

AddExtensionStat|

AddLoggerStat|

SetIncrement|ww_starts

false

iplis.ru/1S3fd7.mp3

iplis.ru/1G8Fx7.mp3

iplis.ru/1pRXr7.txt

iplis.ru/1BV4j7.mp4

yobit.net

yobit.io

zb.com

binance.com

huobi.com

hitbtc.com

bitfinex.com

kraken.com

bitstamp.net

bittrex.com

gate.io

exmo.com

bitflyer.com

poloniex.com

kucoin.com

coinone.co.kr

livecoin.net

mercatox.com

localbitcoins.com

korbit.co.kr

bitmex.com

cryptobridge.freshdesk.com

volabit.com

tradeogre.com

blockchain.com

bitkub.com

uphold.com

wallet.uphold.com

tidex.com

coinbase.com

coinome.com

bitso.com

coinpayments.net

luno.com

coinexchange.io

bitmax.io

btc-alpha.com

bitbank.cc

independentreserve.com

bitmart.com

cex.io

cryptopia.co.nz

cryptonator.com

advcash.com

my.dogechain.info

spectrocoin.com

exir.io

exir.tech

coinbene.com

bitforex.com

gopax.co.kr

catex.io

vindax.com

coineal.com

maicoin.com

finexbox.com

etherflyer.com

bx.in.th

bitopro.com

lbank.info

citex.co.kr

coinzo.com

atomars.com

coinfinit.com

bitker.com

btc-trade.com.ua

dobitrade.com

btcexa.com

satowallet.com

cpdax.com

trade.io

btcnext.io

exmarkets.com

localtrade.cc

btc-exchange.com

chaoex.com

jex.com

therocktrading.com

gdac.com

southxchange.com

tokens.net

fexpro.net

btcbox.co.jp

coinmex.com

cryptology.com

kuna.io

cointiger.com

cashierest.com

liquid.com

coinbit.co.kr

mxc.com

bilaxy.com

coinall.com

coindeal.com

omgfin.com

stex.com

oceanex.pro

bithumb.com

ftx.com

shortex.net

coin.z.com

fcoin.com

fatbtc.com

tokenize.exchange

simex.global

instantbitex.com

btcmarkets.net

SOFTWARE\Google\Chrome\PreferenceMACs

\Google\Chrome\User Data\

\Login Data

SOFTWARE\Microsoft\Edge\PreferenceMACs

\Microsoft\Edge\User Data\

SOFTWARE\BraveSoftware\Brave-Browser\PreferenceMACs

\BraveSoftware\Brave-Browser\User Data\

SOFTWARE\CryptoTab Browser\PreferenceMACs

\CryptoTab Browser\User Data\

\Roaming

\Opera Software\Opera Stable

\atomic

\Atomic Wallet

\com.liberty.jaxx

\Electrum

\Exodus

\MultiDoge

\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

\Microsoft\Edge\Application

(x86)\Microsoft\Edge\Application

SOFTWARE\Microsoft\Edge\BLBeacon

version

\Secure Preferences

filter_browsers

browser

use_open_browser

settings

install_time

\Extensions\

\u003C

protection

extensions.settings.

super_mac

msedge.exe

\extensions.settings

SOFTWARE\Microsoft\Edge\PreferenceMACs\

\msedge.exe

\Google\Chrome\Application

(x86)\Google\Chrome\Application

SOFTWARE\Google\Chrome\BLBeacon

\resources.pak

chrome

chrome.exe

SOFTWARE\Google\Chrome\PreferenceMACs\

\chrome.exe

Guest Profile

System Profile

Error!

ext_url

cfg_url

data=

/base/api/getData.php

Windows Server 2016

Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 R2

Windows Server 2008

Windows Server

Windows 10

Windows 8.1

Windows 8

Windows 7

Windows Vista

Windows XP

SOFTWARE\Policies\Microsoft\Windows Defender

DisableAntiSpyware

DisableRoutinelyTakingAction

SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

DisableBehaviorMonitoring

DisableOnAccessProtection

DisableScanOnRealtimeEnable

DisableRealtimeMonitoring

DisableIOAVProtection

DisableRawWriteNotification

GetComputerNameA

VerSetConditionMask

VerifyVersionInfoW

GetGeoInfoA

GetCurrentProcess

GetVersionExA

MultiByteToWideChar

WideCharToMultiByte

User32.dll

CharToOemA

IsWow64Process

GetModuleHandleA

LoadLibraryA

SetPriorityClass

Sleep

GetTempPathA

CreateProcessA

GetFileAttributesA

CreateDirectoryA

CreateThread

CloseHandle

VirtualAlloc

VirtualFree

OpenProcess

TerminateProcess

GetUserGeoID

ntdll.dll

NtQuerySystemInformation

RtlGetVersion

Shell32.dll

ShellExecuteA

SHGetFolderPathA

RegOpenKeyExA

RegSetValueExA

RegCloseKey

RegCreateKeyExA

RegDeleteKeyA

RegDeleteValueA

RegQueryValueExA

RegEnumKeyExA

ConvertSidToStringSidA

LookupAccountNameA

WINHTTP.dll

http://

WinHttpConnect

WinHttpQueryHeaders

WinHttpOpen

WinHttpOpenRequest

WinHttpQueryDataAvailable

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpReadData

WinHttpCloseHandle

InternetOpenA

InternetSetOptionA

HttpOpenRequestA

InternetConnectA

InternetOpenUrlA

HttpQueryInfoA

InternetQueryOptionA

HttpSendRequestA

InternetReadFile

InternetCloseHandle

(PID) Process(1692) karotima_1.exe

C2 (2)http://wfsdragon.ru/api/setStats.php

37.0.11.41

Attributes

Payload (2)http://37.0.8.235/proxies.txt

http://136.144.41.201/server.txt

Strings (288)CryptAcquireContextA

Advapi32.dll

Crypto++ RNG

ipinfo.io/widget

country

db-ip.com

data-api-key="

/self

countryCode

www.maxmind.com/geoip/v2.1/city/me

iso_code

GetIP

api.ipgeolocation.io/ipgeo?include=hostname&ip=

country_code2

http://37.0.8.235/proxies.txt

:1080

http://136.144.41.201/server.txt

HOST:

http://wfsdragon.ru/api/setStats.php

37.0.11.41

links

extensions

wininet.dll

https://

SetIncrement|ColdWallet

SetIncrement|BrowserWallet

SetIncrement|CryptoWallet

GetCryptoSleeping

SetIncrement|NoCryptoWallet

net_country_code

os_country_code

browsers

Chrome:

Edge:

ip_country

AddExtensionStat|

AddLoggerStat|

SetIncrement|ww_starts

false

iplis.ru/1S3fd7.mp3

iplis.ru/1G8Fx7.mp3

iplis.ru/1pRXr7.txt

iplis.ru/1BV4j7.mp4

yobit.net

yobit.io

zb.com

binance.com

huobi.com

hitbtc.com

bitfinex.com

kraken.com

bitstamp.net

bittrex.com

gate.io

exmo.com

bitflyer.com

poloniex.com

kucoin.com

coinone.co.kr

livecoin.net

mercatox.com

localbitcoins.com

korbit.co.kr

bitmex.com

cryptobridge.freshdesk.com

volabit.com

tradeogre.com

blockchain.com

bitkub.com

uphold.com

wallet.uphold.com

tidex.com

coinbase.com

coinome.com

bitso.com

coinpayments.net

luno.com

coinexchange.io

bitmax.io

btc-alpha.com

bitbank.cc

independentreserve.com

bitmart.com

cex.io

cryptopia.co.nz

cryptonator.com

advcash.com

my.dogechain.info

spectrocoin.com

exir.io

exir.tech

coinbene.com

bitforex.com

gopax.co.kr

catex.io

vindax.com

coineal.com

maicoin.com

finexbox.com

etherflyer.com

bx.in.th

bitopro.com

lbank.info

citex.co.kr

coinzo.com

atomars.com

coinfinit.com

bitker.com

btc-trade.com.ua

dobitrade.com

btcexa.com

satowallet.com

cpdax.com

trade.io

btcnext.io

exmarkets.com

localtrade.cc

btc-exchange.com

chaoex.com

jex.com

therocktrading.com

gdac.com

southxchange.com

tokens.net

fexpro.net

btcbox.co.jp

coinmex.com

cryptology.com

kuna.io

cointiger.com

cashierest.com

liquid.com

coinbit.co.kr

mxc.com

bilaxy.com

coinall.com

coindeal.com

omgfin.com

stex.com

oceanex.pro

bithumb.com

ftx.com

shortex.net

coin.z.com

fcoin.com

fatbtc.com

tokenize.exchange

simex.global

instantbitex.com

btcmarkets.net

SOFTWARE\Google\Chrome\PreferenceMACs

\Google\Chrome\User Data\

\Login Data

SOFTWARE\Microsoft\Edge\PreferenceMACs

\Microsoft\Edge\User Data\

SOFTWARE\BraveSoftware\Brave-Browser\PreferenceMACs

\BraveSoftware\Brave-Browser\User Data\

SOFTWARE\CryptoTab Browser\PreferenceMACs

\CryptoTab Browser\User Data\

\Roaming

\Opera Software\Opera Stable

\atomic

\Atomic Wallet

\com.liberty.jaxx

\Electrum

\Exodus

\MultiDoge

\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

\Microsoft\Edge\Application

(x86)\Microsoft\Edge\Application

SOFTWARE\Microsoft\Edge\BLBeacon

version

\Secure Preferences

filter_browsers

browser

use_open_browser

settings

install_time

\Extensions\

\u003C

protection

extensions.settings.

super_mac

msedge.exe

\extensions.settings

SOFTWARE\Microsoft\Edge\PreferenceMACs\

\msedge.exe

\Google\Chrome\Application

(x86)\Google\Chrome\Application

SOFTWARE\Google\Chrome\BLBeacon

\resources.pak

chrome

chrome.exe

SOFTWARE\Google\Chrome\PreferenceMACs\

\chrome.exe

Guest Profile

System Profile

Error!

ext_url

cfg_url

data=

/base/api/getData.php

Windows Server 2016

Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 R2

Windows Server 2008

Windows Server

Windows 10

Windows 8.1

Windows 8

Windows 7

Windows Vista

Windows XP

SOFTWARE\Policies\Microsoft\Windows Defender

DisableAntiSpyware

DisableRoutinelyTakingAction

SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

DisableBehaviorMonitoring

DisableOnAccessProtection

DisableScanOnRealtimeEnable

DisableRealtimeMonitoring

DisableIOAVProtection

DisableRawWriteNotification

GetComputerNameA

VerSetConditionMask

VerifyVersionInfoW

GetGeoInfoA

GetCurrentProcess

GetVersionExA

MultiByteToWideChar

WideCharToMultiByte

User32.dll

CharToOemA

IsWow64Process

GetModuleHandleA

LoadLibraryA

SetPriorityClass

Sleep

GetTempPathA

CreateProcessA

GetFileAttributesA

CreateDirectoryA

CreateThread

CloseHandle

VirtualAlloc

VirtualFree

OpenProcess

TerminateProcess

GetUserGeoID

ntdll.dll

NtQuerySystemInformation

RtlGetVersion

Shell32.dll

ShellExecuteA

SHGetFolderPathA

RegOpenKeyExA

RegSetValueExA

RegCloseKey

RegCreateKeyExA

RegDeleteKeyA

RegDeleteValueA

RegQueryValueExA

RegEnumKeyExA

ConvertSidToStringSidA

LookupAccountNameA

WINHTTP.dll

http://

WinHttpConnect

WinHttpQueryHeaders

WinHttpOpen

WinHttpOpenRequest

WinHttpQueryDataAvailable

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpReadData

WinHttpCloseHandle

InternetOpenA

InternetSetOptionA

HttpOpenRequestA

InternetConnectA

InternetOpenUrlA

HttpQueryInfoA

InternetQueryOptionA

HttpSendRequestA

InternetReadFile

InternetCloseHandle

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:08:01 02:44:18+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26112
InitializedDataSize:	141824
UninitializedDataSize:	2048
EntryPoint:	0x35d8
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

129

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

480

karotima_1.exe

C:\Users\admin\AppData\Local\Temp\7zS01C55F68\karotima_1.exe

cmd.exe

User:

admin

Company:

SoftWare Portal

Integrity Level:

HIGH

Description:

SoftWare Portal

Exit code:

Version:

2.0.1.3

Modules

Images
c:\users\admin\appdata\local\temp\7zs01c55f68\karotima_1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PrivateLoader

(PID) Process(480) karotima_1.exe

C2 (2)http://wfsdragon.ru/api/setStats.php

37.0.11.41

Attributes

Payload (2)http://37.0.8.235/proxies.txt

http://136.144.41.201/server.txt

Strings (288)CryptAcquireContextA

Advapi32.dll

Crypto++ RNG

ipinfo.io/widget

country

db-ip.com

data-api-key="

/self

countryCode

www.maxmind.com/geoip/v2.1/city/me

iso_code

GetIP

api.ipgeolocation.io/ipgeo?include=hostname&ip=

country_code2

http://37.0.8.235/proxies.txt

:1080

http://136.144.41.201/server.txt

HOST:

http://wfsdragon.ru/api/setStats.php

37.0.11.41

links

extensions

wininet.dll

https://

SetIncrement|ColdWallet

SetIncrement|BrowserWallet

SetIncrement|CryptoWallet

GetCryptoSleeping

SetIncrement|NoCryptoWallet

net_country_code

os_country_code

browsers

Chrome:

Edge:

ip_country

AddExtensionStat|

AddLoggerStat|

SetIncrement|ww_starts

false

iplis.ru/1S3fd7.mp3

iplis.ru/1G8Fx7.mp3

iplis.ru/1pRXr7.txt

iplis.ru/1BV4j7.mp4

yobit.net

yobit.io

zb.com

binance.com

huobi.com

hitbtc.com

bitfinex.com

kraken.com

bitstamp.net

bittrex.com

gate.io

exmo.com

bitflyer.com

poloniex.com

kucoin.com

coinone.co.kr

livecoin.net

mercatox.com

localbitcoins.com

korbit.co.kr

bitmex.com

cryptobridge.freshdesk.com

volabit.com

tradeogre.com

blockchain.com

bitkub.com

uphold.com

wallet.uphold.com

tidex.com

coinbase.com

coinome.com

bitso.com

coinpayments.net

luno.com

coinexchange.io

bitmax.io

btc-alpha.com

bitbank.cc

independentreserve.com

bitmart.com

cex.io

cryptopia.co.nz

cryptonator.com

advcash.com

my.dogechain.info

spectrocoin.com

exir.io

exir.tech

coinbene.com

bitforex.com

gopax.co.kr

catex.io

vindax.com

coineal.com

maicoin.com

finexbox.com

etherflyer.com

bx.in.th

bitopro.com

lbank.info

citex.co.kr

coinzo.com

atomars.com

coinfinit.com

bitker.com

btc-trade.com.ua

dobitrade.com

btcexa.com

satowallet.com

cpdax.com

trade.io

btcnext.io

exmarkets.com

localtrade.cc

btc-exchange.com

chaoex.com

jex.com

therocktrading.com

gdac.com

southxchange.com

tokens.net

fexpro.net

btcbox.co.jp

coinmex.com

cryptology.com

kuna.io

cointiger.com

cashierest.com

liquid.com

coinbit.co.kr

mxc.com

bilaxy.com

coinall.com

coindeal.com

omgfin.com

stex.com

oceanex.pro

bithumb.com

ftx.com

shortex.net

coin.z.com

fcoin.com

fatbtc.com

tokenize.exchange

simex.global

instantbitex.com

btcmarkets.net

SOFTWARE\Google\Chrome\PreferenceMACs

\Google\Chrome\User Data\

\Login Data

SOFTWARE\Microsoft\Edge\PreferenceMACs

\Microsoft\Edge\User Data\

SOFTWARE\BraveSoftware\Brave-Browser\PreferenceMACs

\BraveSoftware\Brave-Browser\User Data\

SOFTWARE\CryptoTab Browser\PreferenceMACs

\CryptoTab Browser\User Data\

\Roaming

\Opera Software\Opera Stable

\atomic

\Atomic Wallet

\com.liberty.jaxx

\Electrum

\Exodus

\MultiDoge

\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

\Microsoft\Edge\Application

(x86)\Microsoft\Edge\Application

SOFTWARE\Microsoft\Edge\BLBeacon

version

\Secure Preferences

filter_browsers

browser

use_open_browser

settings

install_time

\Extensions\

\u003C

protection

extensions.settings.

super_mac

msedge.exe

\extensions.settings

SOFTWARE\Microsoft\Edge\PreferenceMACs\

\msedge.exe

\Google\Chrome\Application

(x86)\Google\Chrome\Application

SOFTWARE\Google\Chrome\BLBeacon

\resources.pak

chrome

chrome.exe

SOFTWARE\Google\Chrome\PreferenceMACs\

\chrome.exe

Guest Profile

System Profile

Error!

ext_url

cfg_url

data=

/base/api/getData.php

Windows Server 2016

Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 R2

Windows Server 2008

Windows Server

Windows 10

Windows 8.1

Windows 8

Windows 7

Windows Vista

Windows XP

SOFTWARE\Policies\Microsoft\Windows Defender

DisableAntiSpyware

DisableRoutinelyTakingAction

SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

DisableBehaviorMonitoring

DisableOnAccessProtection

DisableScanOnRealtimeEnable

DisableRealtimeMonitoring

DisableIOAVProtection

DisableRawWriteNotification

GetComputerNameA

VerSetConditionMask

VerifyVersionInfoW

GetGeoInfoA

GetCurrentProcess

GetVersionExA

MultiByteToWideChar

WideCharToMultiByte

User32.dll

CharToOemA

IsWow64Process

GetModuleHandleA

LoadLibraryA

SetPriorityClass

Sleep

GetTempPathA

CreateProcessA

GetFileAttributesA

CreateDirectoryA

CreateThread

CloseHandle

VirtualAlloc

VirtualFree

OpenProcess

TerminateProcess

GetUserGeoID

ntdll.dll

NtQuerySystemInformation

RtlGetVersion

Shell32.dll

ShellExecuteA

SHGetFolderPathA

RegOpenKeyExA

RegSetValueExA

RegCloseKey

RegCreateKeyExA

RegDeleteKeyA

RegDeleteValueA

RegQueryValueExA

RegEnumKeyExA

ConvertSidToStringSidA

LookupAccountNameA

WINHTTP.dll

http://

WinHttpConnect

WinHttpQueryHeaders

WinHttpOpen

WinHttpOpenRequest

WinHttpQueryDataAvailable

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpReadData

WinHttpCloseHandle

InternetOpenA

InternetSetOptionA

HttpOpenRequestA

InternetConnectA

InternetOpenUrlA

HttpQueryInfoA

InternetQueryOptionA

HttpSendRequestA

InternetReadFile

InternetCloseHandle

712

"C:\Users\admin\AppData\Local\Temp\HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe"

C:\Users\admin\AppData\Local\Temp\HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\heur-trojan.win32.chapak.gen-e6ea98b046b11a35.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

784

C:\Windows\system32\cmd.exe /c karotima_2.exe

C:\Windows\System32\cmd.exe

—

setup_install.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

3221225477

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

880

karotima_2.exe

C:\Users\admin\AppData\Local\Temp\7zSCFBAE888\karotima_2.exe

cmd.exe

User:

admin

Integrity Level:

HIGH

Exit code:

3221225477

Modules

Images
c:\users\admin\appdata\local\temp\7zscfbae888\karotima_2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

920

"C:\Users\admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\admin\AppData\Local\Temp\setup_installer.exe

HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe

User:

admin

Company:

Igor Pavlov

Integrity Level:

HIGH

Description:

7z Setup SFX

Exit code:

Version:

19.00

Modules

Images
c:\users\admin\appdata\local\temp\setup_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

984

"C:\Users\admin\AppData\Local\Temp\HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe"

C:\Users\admin\AppData\Local\Temp\HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\appdata\local\temp\heur-trojan.win32.chapak.gen-e6ea98b046b11a35.exe
c:\windows\system32\ntdll.dll

1020

C:\Windows\system32\cmd.exe /c karotima_1.exe

C:\Windows\System32\cmd.exe

—

setup_install.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1124

C:\Windows\system32\cmd.exe /c karotima_2.exe

C:\Windows\System32\cmd.exe

—

setup_install.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

3221225477

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1288

"C:\Users\admin\AppData\Local\Temp\7zS0BC37758\setup_install.exe"

C:\Users\admin\AppData\Local\Temp\7zS0BC37758\setup_install.exe

setup_installer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\7zs0bc37758\setup_install.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\7zs0bc37758\libcurlpp.dll
c:\users\admin\appdata\local\temp\7zs0bc37758\libcurl.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1340

karotima_1.exe

C:\Users\admin\AppData\Local\Temp\7zSCFBAE888\karotima_1.exe

cmd.exe

User:

admin

Company:

SoftWare Portal

Integrity Level:

HIGH

Description:

SoftWare Portal

Exit code:

Version:

2.0.1.3

Modules

Images
c:\users\admin\appdata\local\temp\7zscfbae888\karotima_1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

Add for printing

Total events

59 161

Read events

58 949

Write events

207

Delete events

Modification events


(PID) Process:	(3216) HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3216) HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3216) HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3216) HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2848) setup_installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2848) setup_installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2848) setup_installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2848) setup_installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2624) karotima_1.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2624) karotima_1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
Operation:	delete value	Name:	9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3216	HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe	C:\Users\admin\AppData\Local\Temp\setup_installer.exe		executable
		MD5:78418BFB23C7ADF70828F675E990DE49	SHA256:B14218CB639C6AFA35A66CF418035CE10475B53F5386896A44327FD48D8447C8
2624	karotima_1.exe	C:\Users\admin\AppData\Local\Temp\TarF6C5.tmp		cat
		MD5:9C0C641C06238516F27941AA1166D427	SHA256:4276AF3669A141A59388BC56A87F6614D9A9BDDDF560636C264219A7EB11256F
3088	setup_installer.exe	C:\Users\admin\AppData\Local\Temp\7zS01C55F68\karotima_1.txt		executable
		MD5:9108AD5775C76CCCBB4EADF02DE24F5D	SHA256:C9D5525B2F2B76087121039EE1C23ED35508E60F653479722EC64EA3A064878E
712	HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe	C:\Users\admin\AppData\Local\Temp\nsd5408.tmp		binary
		MD5:014267B90BA471BBCA37D701DA0442E1	SHA256:91967A0E7AB2D7DEBD5595CE65D3C04097AB598ED335BB408293CA0D675E26D2
3088	setup_installer.exe	C:\Users\admin\AppData\Local\Temp\7zS01C55F68\karotima_2.txt		executable
		MD5:80E74CF9F38C5712C6C2432A509C8BC7	SHA256:9FF44C4DA853CDBE606D2CFE4D04B410C3AE603ACF0F1D3F75195B6236E0E123
3216	HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe	C:\Users\admin\AppData\Local\Temp\nszF29E.tmp		binary
		MD5:3FEC823D49C8904225F06457032E67FB	SHA256:3419917D41DCD6BE83B6ADA618E7471AB085DF1AC223CCFE92557B21ADC50D75
2848	setup_installer.exe	C:\Users\admin\AppData\Local\Temp\7zS02B5ADD7\karotima_1.txt		executable
		MD5:9108AD5775C76CCCBB4EADF02DE24F5D	SHA256:C9D5525B2F2B76087121039EE1C23ED35508E60F653479722EC64EA3A064878E
2848	setup_installer.exe	C:\Users\admin\AppData\Local\Temp\7zS02B5ADD7\karotima_2.txt		executable
		MD5:80E74CF9F38C5712C6C2432A509C8BC7	SHA256:9FF44C4DA853CDBE606D2CFE4D04B410C3AE603ACF0F1D3F75195B6236E0E123
3464	setup_install.exe	C:\Users\admin\AppData\Local\Temp\7zS02B5ADD7\karotima_2.exe		executable
		MD5:80E74CF9F38C5712C6C2432A509C8BC7	SHA256:9FF44C4DA853CDBE606D2CFE4D04B410C3AE603ACF0F1D3F75195B6236E0E123
2848	setup_installer.exe	C:\Users\admin\AppData\Local\Temp\7zS02B5ADD7\libwinpthread-1.dll		executable
		MD5:1E0D62C34FF2E649EBC5C372065732EE	SHA256:509CB1D1443B623A02562AC760BCED540E327C65157FFA938A22F75E38155723

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2624	karotima_1.exe	GET	200	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5ea8adc661810059	unknown	compressed	65.2 Kb	unknown
3272	karotima_1.exe	GET	403	104.18.146.235:80	http://www.maxmind.com/geoip/v2.1/city/me	unknown	html	4.41 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2624	karotima_1.exe	34.117.186.192:443	ipinfo.io	GOOGLE-CLOUD-PLATFORM	US	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
2624	karotima_1.exe	93.184.221.240:80	ctldl.windowsupdate.com	EDGECAST	GB	whitelisted
2624	karotima_1.exe	37.0.8.235:80	—	—	NL	unknown
480	karotima_1.exe	34.117.186.192:443	ipinfo.io	GOOGLE-CLOUD-PLATFORM	US	unknown
480	karotima_1.exe	37.0.8.235:80	—	—	NL	unknown
3272	karotima_1.exe	34.117.186.192:443	ipinfo.io	GOOGLE-CLOUD-PLATFORM	US	unknown
3024	karotima_1.exe	34.117.186.192:443	ipinfo.io	GOOGLE-CLOUD-PLATFORM	US	unknown

DNS requests

Domain	IP	Reputation
wxkeww.xyz	—	unknown
ipinfo.io	34.117.186.192	shared
ctldl.windowsupdate.com	93.184.221.240	whitelisted
dns.msftncsi.com	131.107.255.255	shared
db-ip.com	104.26.4.15 172.67.75.166 104.26.5.15	whitelisted
api.db-ip.com	104.26.5.15 172.67.75.166 104.26.4.15	shared
www.maxmind.com	104.18.146.235 104.18.145.235	whitelisted

Threats

PID	Process	Class	Message
2624	karotima_1.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
2624	karotima_1.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
480	karotima_1.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
480	karotima_1.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
3272	karotima_1.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
3272	karotima_1.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
3024	karotima_1.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
3024	karotima_1.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
1692	karotima_1.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
1692	karotima_1.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)

Add for printing

No debug info

General Info

HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe

269D7E74E4B21A2FC0E66907C77FC0BC

FC09525A2F93BF089D0B02C5220E7EE452E64747

E6EA98B046B11A35EFA0AC1243F6190FF4D4247A35784E65A9FEAAF4918AE779

49152:bsM2FT2gKUQyBStGWDAj/nhVSo5/+XdbfZgEh+STw7ZOjaw9ZCRMX8MkXw8hZHMc:bYFT2hRyBkGCK/h4o5WXdTOEh+6w7rRN

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

PRIVATELOADER has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Drops 7-zip archiver for unpacking

Reads the Internet Settings

The executable file from the user directory is run by the CMD process

Reads settings of System Certificates

Adds/modifies Windows certificates

Process drops legitimate windows executable

Checks for external IP

Starts CMD.EXE for commands execution

INFO

Reads the computer name

Checks supported languages

Create files in a temporary directory

Reads the software policy settings

Reads the machine GUID from the registry

Manual execution by a user

Malware configuration

PrivateLoader

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Malware configuration

PrivateLoader

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings