Malware analysis bomb.exe.bin Malicious activity | ANY.RUN

Add for printing

File name:	bomb.exe.bin
Full analysis:	https://app.any.run/tasks/a04c5ace-1f7b-47ba-bed5-d803df4840d8
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. njRAT ist ein Trojaner für den Fernzugriff. Es handelt sich um einen der am weitesten verbreiteten RATs auf dem Markt, der eine Fülle von Bildungsinformationen bietet. Interessierte Angreifer können sogar Tutorials auf YouTube finden. Dies macht ihn zu einem der beliebtesten RATs der Welt. Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 22, 2025, 22:23:53
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader hausbomber github stealer python autoit payload ta558 apt stegocampaign reverseloader lumma neshta screenconnect rmm-tool ngrok quasar rat evasion remote trox njrat bladabindi
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	21D3C4B6869E61ACB836ECE73DD265DA
SHA1:	4D3AC5EAA89B0ACF14EED249EA774D00CF5AA2C8
SHA256:	E8582DA9A3FA365A425ED0225F7C6681E561061AA0B5285538BAE4B334B97F7C
SSDEEP:	192:UnNv1XCiAzsBhl3y9+QHzdPbw7z1OLU87glpp/bI6J4j0rVIp:ANozz9+qzZYOLU870NJlVI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- HAUSBOMBER has been detected (YARA)
  - bomb.exe.bin.exe (PID: 1560)
- Application was injected by another process
  - svchost.exe (PID: 6688)
  - svchost.exe (PID: 2668)
  - svchost.exe (PID: 7576)
  - svchost.exe (PID: 7584)
  - explorer.exe (PID: 4772)
- Runs injected code in another process
  - http185.156.72.2files5561582465oSOnryg.exe.exe (PID: 6940)
  - oSOnryg.exe (PID: 5896)
  - transformer.exe (PID: 2604)
  - celkadrobitel.exe (PID: 2324)
  - sosi.exe (PID: 9240)
- Actions looks like stealing of personal data
  - httpsgithub.combatratspluginsrawmainSystemExplorer.exe.exe (PID: 4804)
  - MSBuild.exe (PID: 7944)
- Uses Task Scheduler to autorun other applications
  - cmd.exe (PID: 3720)
  - cmd.exe (PID: 9932)
- Executing a file with an untrusted certificate
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 3396)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 7620)
  - blOahSM.exe (PID: 7660)
  - tomcat8.exe (PID: 7404)
  - svchost.exe (PID: 9580)
  - svchost.exe (PID: 8008)
  - EG11t89.exe (PID: 10440)
  - vjVPnDfx.exe (PID: 12292)
  - EG11t89.exe (PID: 14736)
  - AtomicMailVerifie.exe (PID: 15196)
  - reseptionProvider.exe (PID: 15504)
- Changes powershell execution policy (Bypass)
  - httpsdro.pm2.exe.exe (PID: 436)
  - powershell.exe (PID: 8328)
  - 2.exe (PID: 8728)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 1936)
  - powershell.exe (PID: 8064)
  - powershell.exe (PID: 8328)
  - powershell.exe (PID: 10140)
  - powershell.exe (PID: 9984)
  - powershell.exe (PID: 12588)
  - powershell.exe (PID: 13128)
  - powershell.exe (PID: 12908)
  - powershell.exe (PID: 13160)
  - powershell.exe (PID: 14320)
  - powershell.exe (PID: 14760)
  - powershell.exe (PID: 14800)
  - powershell.exe (PID: 14824)
  - powershell.exe (PID: 14948)
  - powershell.exe (PID: 13412)
- Antivirus name has been found in the command line (generic signature)
  - bitdefender.exe (PID: 7312)
  - http185.156.72.61incbitdefender.exe.exe (PID: 7580)
- STEGOCAMPAIGN has been detected (SURICATA)
  - bomb.exe.bin.exe (PID: 1560)
- Changes the autorun value in the registry
  - Wwf.exe (PID: 5080)
  - Wwf.exe (PID: 8596)
  - rxd_en_1.exe (PID: 12272)
  - ls.exe (PID: 12632)
  - 6.exe (PID: 7032)
  - syspool.exe (PID: 13536)
  - klass.exe (PID: 13760)
  - winsvchost.exe (PID: 13868)
- REVERSELOADER has been detected (SURICATA)
  - bomb.exe.bin.exe (PID: 1560)
- NESHTA mutex has been found
  - Setup.exe (PID: 7876)
  - Setup.exe (PID: 7608)
  - svchost.com (PID: 8696)
  - svchost.com (PID: 9152)
  - svchost.com (PID: 9624)
  - svchost.com (PID: 10000)
  - svchost.com (PID: 10292)
  - svchost.com (PID: 10668)
  - svchost.com (PID: 10452)
  - svchost.com (PID: 6896)
  - svchost.com (PID: 10428)
  - svchost.com (PID: 7744)
  - svchost.com (PID: 11008)
  - loader.exe (PID: 12404)
  - svchost.com (PID: 12388)
  - svchost.com (PID: 9764)
  - svchost.com (PID: 9664)
  - startud.exe (PID: 12436)
  - CryptoLocker.exe (PID: 12924)
  - svchost.com (PID: 10808)
  - CryptoWall.exe (PID: 12884)
  - svchost.com (PID: 9044)
  - LOIC.exe (PID: 12916)
  - runtimebroker.exe (PID: 12932)
  - svchost.com (PID: 10156)
  - svchost.com (PID: 9768)
  - plctkles.exe (PID: 13092)
  - svchost.com (PID: 14008)
  - svchost.com (PID: 7356)
  - svchost.com (PID: 6548)
  - svchost.com (PID: 14344)
  - svchost.com (PID: 15428)
  - svchost.com (PID: 15572)
- LUMMA has been detected (SURICATA)
  - svchost.exe (PID: 2200)
  - MSBuild.exe (PID: 7568)
  - MSBuild.exe (PID: 4372)
  - MSBuild.exe (PID: 8996)
  - MSBuild.exe (PID: 5140)
- Connects to the CnC server
  - svchost.exe (PID: 2200)
- LUMMA mutex has been found
  - MSBuild.exe (PID: 7568)
  - MSBuild.exe (PID: 4372)
  - MSBuild.exe (PID: 8996)
  - MSBuild.exe (PID: 5140)
- QUASAR mutex has been found
  - AddInProcess32.exe (PID: 8400)
  - AddInProcess32.exe (PID: 10128)
- TROX has been detected
  - svchost.exe (PID: 9580)
- Run PowerShell with an invisible window
  - powershell.exe (PID: 10140)
- QUASAR has been detected (SURICATA)
  - AddInProcess32.exe (PID: 8400)
- GENERIC has been found (auto)
  - httpsdro.pm2.exe.exe (PID: 436)
  - httpsdro.pm2.exe.exe (PID: 436)
  - httpsdro.pm2.exe.exe (PID: 436)
  - Ganja121.exe (PID: 9960)
  - Ganja199.exe (PID: 9980)
  - Ganja45.exe (PID: 6216)
  - syspool.exe (PID: 13536)
  - httpsdro.pm2.exe.exe (PID: 436)
  - httpsdro.pm2.exe.exe (PID: 436)
- NJRAT has been found (auto)
  - httpsdro.pm2.exe.exe (PID: 436)
  - Bloxflip%20Predictor.exe (PID: 12468)
- METASPLOIT has been found (auto)
  - 2.exe (PID: 8728)
- FORMBOOK has been found (auto)
  - httpsdro.pm2.exe.exe (PID: 436)
- STORMKITTY has been found (auto)
  - httpsdro.pm2.exe.exe (PID: 436)
- AGENTTESLA has been found (auto)
  - httpsdro.pm2.exe.exe (PID: 436)
- Scans artifacts that could help determine the target
  - MSBuild.exe (PID: 7944)
- Steals credentials from Web Browsers
  - MSBuild.exe (PID: 7944)
- Create files in the Startup directory
  - Bloxflip%20Predictor.exe (PID: 12468)
- DBATLOADER has been found (auto)
  - test1.exe (PID: 13284)
- LUMMA has been found (auto)
  - httpsdro.pm2.exe.exe (PID: 436)
- PHORPIEX has been found (auto)
  - kajmak.exe (PID: 13468)
- NJRAT mutex has been found
  - Bloxflip%20Predictor.exe (PID: 12468)
SUSPICIOUS
- Reads the date of Windows installation
  - bomb.exe.bin.exe (PID: 1560)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 3396)
  - blOahSM.exe (PID: 7660)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 7620)
- Process requests binary or script from the Internet
  - bomb.exe.bin.exe (PID: 1560)
  - httpsdro.pm2.exe.exe (PID: 436)
  - 2.exe (PID: 8728)
- Starts a Microsoft application from unusual location
  - http185.156.72.2files5561582465oSOnryg.exe.exe (PID: 6940)
  - http185.156.72.2files53737821734eTHv9F.exe.exe (PID: 4832)
  - http185.156.72.61incledenn.exe.exe (PID: 4036)
  - httpsgithub.combatratspluginsrawmainSystemExplorer.exe.exe (PID: 4804)
  - oSOnryg.exe (PID: 5896)
  - SystemExplorer.exe (PID: 7200)
  - ledenn.exe (PID: 7424)
  - 4eTHv9F.exe (PID: 7440)
  - cron123123213.exe (PID: 7668)
  - http185.156.72.61inccron123123213.exe.exe (PID: 8000)
  - v999f8.exe (PID: 13176)
  - llll.exe (PID: 10628)
  - rxd_en_1.exe (PID: 12272)
  - v999f8.exe (PID: 5768)
  - alex123123.exe (PID: 13928)
  - cryptedcron121221.exe (PID: 14888)
  - set-2%20firmware%204.01.exe (PID: 14792)
  - ME3_setup.exe (PID: 15172)
  - rmd_en_1.exe (PID: 15208)
  - rod_en_1.exe (PID: 15224)
  - alex123123.exe (PID: 14612)
  - cron123213321.exe (PID: 14104)
- Process drops python dynamic module
  - httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe (PID: 2464)
  - httpsdro.pm2.exe.exe (PID: 984)
  - wwf.exe (PID: 7432)
  - 2.exe (PID: 8308)
  - 11COMPRAS1.exe (PID: 9264)
  - svchost.exe (PID: 9580)
- Executable content was dropped or overwritten
  - httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe (PID: 2464)
  - bomb.exe.bin.exe (PID: 1560)
  - httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe (PID: 5424)
  - httpsdro.pm2.exe.exe (PID: 984)
  - httpsdro.pm2.exe.exe (PID: 436)
  - wwf.exe (PID: 7432)
  - wwf.exe (PID: 7752)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 7620)
  - blOahSM.exe (PID: 7660)
  - Setup.exe (PID: 7608)
  - Setup.exe (PID: 7876)
  - Wwf.exe (PID: 5080)
  - 2.exe (PID: 8308)
  - IMG001.exe (PID: 8336)
  - 11COMPRAS1.exe (PID: 9264)
  - svchost.com (PID: 8696)
  - svchost.exe (PID: 9580)
  - rundll32.exe (PID: 8008)
  - rundll32.exe (PID: 2168)
  - setup.exe(Live%20Protection%20Suite).exe (PID: 10564)
  - loader.exe (PID: 12404)
  - 2.exe (PID: 8728)
  - startud.exe (PID: 12436)
  - MARCUSS.exe (PID: 12448)
  - CryptoLocker.exe (PID: 12924)
  - plctkles.exe (PID: 13092)
  - LOIC.exe (PID: 12916)
  - CryptoWall.exe (PID: 12884)
  - test1.exe (PID: 13284)
  - runtimebroker.exe (PID: 12932)
  - Ganja165.exe (PID: 9160)
  - WindowsUpdateLauncher.exe (PID: 10432)
  - Ganja199.exe (PID: 9980)
  - Ganja121.exe (PID: 9960)
  - Ganja36.exe (PID: 10884)
  - rxd_en_1.exe (PID: 12272)
  - Prolin.exe (PID: 12604)
  - Ganja45.exe (PID: 6216)
  - Ganja85.exe (PID: 13436)
  - 6.exe (PID: 7032)
  - syspool.exe (PID: 13536)
  - porn.exe (PID: 10568)
  - kajmak.exe (PID: 13468)
  - IMG001.exe (PID: 10392)
  - joker12321.exe (PID: 13544)
  - MARCUSS.exe (PID: 7412)
  - plctkles.exe (PID: 7084)
  - Bloxflip%20Predictor.exe (PID: 12468)
  - loader.exe (PID: 8040)
- Reads security settings of Internet Explorer
  - bomb.exe.bin.exe (PID: 1560)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 3396)
  - bitdefender.exe (PID: 7312)
  - blOahSM.exe (PID: 7660)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 7620)
  - AutoIt3_x64.exe (PID: 7388)
  - safefinder.exe (PID: 8152)
  - http185.156.72.61incbitdefender.exe.exe (PID: 7580)
  - Setup.exe (PID: 7876)
  - AutoIt3_x64.exe (PID: 7528)
  - Setup.exe (PID: 7608)
  - IMG001.exe (PID: 8336)
  - ScreenConnect.ClientSetup123.exe (PID: 7936)
  - CapCut-VideoEditing_12.1.02.exe (PID: 7612)
  - http185.156.72.61incCapCut-VideoEditing_12.1.02.exe.exe (PID: 7980)
  - IMG001.exe (PID: 10392)
  - 1.exe (PID: 8080)
  - setup.exe(Live%20Protection%20Suite).exe (PID: 10564)
  - startud.exe (PID: 12436)
  - MARCUSS.exe (PID: 12448)
  - plctkles.exe (PID: 13092)
  - test1.exe (PID: 13284)
  - svchost.exe (PID: 9580)
  - WindowsUpdateLauncher.exe (PID: 10432)
- Process drops legitimate windows executable
  - httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe (PID: 2464)
  - bomb.exe.bin.exe (PID: 1560)
  - httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe (PID: 5424)
  - httpsdro.pm2.exe.exe (PID: 984)
  - httpsdro.pm2.exe.exe (PID: 436)
  - wwf.exe (PID: 7432)
  - wwf.exe (PID: 7752)
  - blOahSM.exe (PID: 7660)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 7620)
  - Wwf.exe (PID: 5080)
  - 2.exe (PID: 8308)
  - 11COMPRAS1.exe (PID: 9264)
  - svchost.exe (PID: 9580)
  - 2.exe (PID: 8728)
  - joker12321.exe (PID: 13544)
- Connects to the server without a host name
  - bomb.exe.bin.exe (PID: 1560)
  - svchost.exe (PID: 2668)
  - httpsdro.pm2.exe.exe (PID: 436)
  - svchost.exe (PID: 7584)
  - 2.exe (PID: 8728)
- Connects to unusual port
  - bomb.exe.bin.exe (PID: 1560)
  - httpsdro.pm2.exe.exe (PID: 436)
  - http185.156.72.61incXClient.exe.exe (PID: 3900)
  - Worldofficee.exe (PID: 8736)
  - Worldoffice.exe (PID: 1532)
  - MSBuild.exe (PID: 7944)
  - AddInProcess32.exe (PID: 8400)
  - 2.exe (PID: 8728)
  - payload.exe (PID: 13224)
  - shell.exe (PID: 13108)
  - http185.156.72.2files7357519510Bw5ZAOe.exe.exe (PID: 5628)
  - winsvchost.exe (PID: 13868)
  - tcp_windows_amd64.exe (PID: 12876)
  - march.exe (PID: 11012)
  - vshell.exe (PID: 12316)
  - payload.exe (PID: 14528)
- The process drops C-runtime libraries
  - httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe (PID: 2464)
  - httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe (PID: 5424)
  - httpsdro.pm2.exe.exe (PID: 984)
  - wwf.exe (PID: 7432)
  - wwf.exe (PID: 7752)
  - blOahSM.exe (PID: 7660)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 7620)
  - Wwf.exe (PID: 5080)
  - 2.exe (PID: 8308)
  - 11COMPRAS1.exe (PID: 9264)
  - svchost.exe (PID: 9580)
- Application launched itself
  - svchost.exe (PID: 6688)
  - httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe (PID: 2464)
  - httpsdro.pm2.exe.exe (PID: 984)
  - svchost.exe (PID: 7576)
  - wwf.exe (PID: 7432)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 3396)
  - 2.exe (PID: 8308)
  - 11COMPRAS1.exe (PID: 9264)
  - powershell.exe (PID: 1936)
  - powershell.exe (PID: 8328)
  - svchost.exe (PID: 9580)
  - powershell.exe (PID: 7120)
- Potential Corporate Privacy Violation
  - bomb.exe.bin.exe (PID: 1560)
  - httpsdro.pm2.exe.exe (PID: 436)
  - 2.exe (PID: 8728)
  - Cp1N8fC.exe (PID: 10768)
- The executable file from the user directory is run by the CMD process
  - Wwf.exe (PID: 5080)
  - Wwf.exe (PID: 8596)
- The process checks if it is being run in the virtual environment
  - httpswww.vuelaviajero.comwp-includesimagesallonymouslyfFpY.exe.exe (PID: 1932)
  - allonymouslyfFpY.exe (PID: 7880)
  - httpsdro.pm2.exe.exe (PID: 436)
  - 2.exe (PID: 8728)
- Starts CMD.EXE for commands execution
  - httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe (PID: 5424)
  - httpsdro.pm2.exe.exe (PID: 436)
  - wwf.exe (PID: 7752)
  - IMG001.exe (PID: 8336)
  - blOahSM.exe (PID: 7660)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 7620)
  - 2.exe (PID: 8728)
  - svchost.com (PID: 10668)
  - svchost.com (PID: 14344)
  - svchost.com (PID: 15428)
  - svchost.com (PID: 15572)
- Executing commands from a ".bat" file
  - httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe (PID: 5424)
  - wwf.exe (PID: 7752)
  - httpsdro.pm2.exe.exe (PID: 436)
- The process creates files with name similar to system file names
  - bomb.exe.bin.exe (PID: 1560)
  - httpsdro.pm2.exe.exe (PID: 436)
  - 2.exe (PID: 8728)
  - kajmak.exe (PID: 13468)
- Loads Python modules
  - httpsdro.pm2.exe.exe (PID: 436)
  - 2.exe (PID: 8728)
  - svchost.exe (PID: 8008)
- The process executes via Task Scheduler
  - powershell.exe (PID: 3672)
- Starts POWERSHELL.EXE for commands execution
  - httpsdro.pm2.exe.exe (PID: 436)
  - powershell.exe (PID: 1936)
  - powershell.exe (PID: 8328)
  - powershell.exe (PID: 7120)
  - F.exe (PID: 10760)
  - 2.exe (PID: 8728)
- The process executes Powershell scripts
  - httpsdro.pm2.exe.exe (PID: 436)
  - 2.exe (PID: 8728)
- Reads Microsoft Outlook installation path
  - bitdefender.exe (PID: 7312)
  - http185.156.72.61incbitdefender.exe.exe (PID: 7580)
- Reads Internet Explorer settings
  - bitdefender.exe (PID: 7312)
  - http185.156.72.61incbitdefender.exe.exe (PID: 7580)
- Starts the AutoIt3 executable file
  - blOahSM.exe (PID: 7660)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 7620)
- Starts itself from another location
  - httpsdro.pm2.exe.exe (PID: 436)
  - startud.exe (PID: 12436)
  - MARCUSS.exe (PID: 12448)
  - Ganja165.exe (PID: 9160)
  - Ganja121.exe (PID: 9960)
  - Ganja199.exe (PID: 9980)
  - Ganja36.exe (PID: 10884)
  - Ganja45.exe (PID: 6216)
  - plctkles.exe (PID: 13092)
  - Ganja85.exe (PID: 13436)
  - 6.exe (PID: 7032)
  - klass.exe (PID: 13928)
  - kajmak.exe (PID: 13468)
  - WindowsUpdateLauncher.exe (PID: 10432)
- There is functionality for taking screenshot (YARA)
  - http185.156.72.2files7357519510Bw5ZAOe.exe.exe (PID: 5628)
- Mutex name with non-standard characters
  - Setup.exe (PID: 7876)
  - Setup.exe (PID: 7608)
  - svchost.com (PID: 8696)
  - svchost.com (PID: 9152)
  - svchost.com (PID: 9624)
  - svchost.com (PID: 10000)
  - svchost.com (PID: 10292)
  - svchost.com (PID: 10668)
  - svchost.com (PID: 10452)
  - svchost.com (PID: 10428)
  - svchost.com (PID: 6896)
  - svchost.com (PID: 7744)
  - svchost.com (PID: 11008)
  - svchost.com (PID: 9764)
  - loader.exe (PID: 12404)
  - svchost.com (PID: 12388)
  - svchost.com (PID: 9664)
  - startud.exe (PID: 12436)
  - CryptoLocker.exe (PID: 12924)
  - svchost.com (PID: 10808)
  - CryptoWall.exe (PID: 12884)
  - svchost.com (PID: 9044)
  - LOIC.exe (PID: 12916)
  - runtimebroker.exe (PID: 12932)
  - svchost.com (PID: 10156)
  - svchost.com (PID: 9768)
  - plctkles.exe (PID: 13092)
  - svchost.com (PID: 14008)
  - svchost.com (PID: 7356)
  - svchost.com (PID: 6548)
  - svchost.com (PID: 14344)
  - svchost.com (PID: 15428)
  - svchost.com (PID: 15572)
- Starts application with an unusual extension
  - bomb.exe.bin.exe (PID: 1560)
  - ScreenConnect.ClientSetup123.exe (PID: 7936)
  - CapCut-VideoEditing_12.1.02.exe (PID: 7612)
  - http185.156.72.61incCapCut-VideoEditing_12.1.02.exe.exe (PID: 7980)
  - IMG001.exe (PID: 8336)
  - IMG001.exe (PID: 10392)
  - setup.exe(Live%20Protection%20Suite).exe (PID: 10564)
  - startud.exe (PID: 12436)
  - MARCUSS.exe (PID: 12448)
  - plctkles.exe (PID: 13092)
  - test1.exe (PID: 13284)
  - WindowsUpdateLauncher.exe (PID: 10432)
- Contacting a server suspected of hosting an CnC
  - svchost.exe (PID: 2200)
  - MSBuild.exe (PID: 7568)
  - MSBuild.exe (PID: 4372)
  - MSBuild.exe (PID: 8996)
  - MSBuild.exe (PID: 5140)
  - AddInProcess32.exe (PID: 8400)
- Executes application which crashes
  - http185.156.72.61incScreenConnect.ClientSetup123.exe.exe (PID: 7892)
  - Build.exe (PID: 13236)
- BASE64 encoded PowerShell command has been detected
  - powershell.exe (PID: 1936)
  - powershell.exe (PID: 7120)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 9124)
- Base64-obfuscated command line is found
  - powershell.exe (PID: 1936)
  - powershell.exe (PID: 7120)
- NGROK has been detected
  - httpsdro.pm2.exe.exe (PID: 436)
- Executing commands from ".cmd" file
  - blOahSM.exe (PID: 7660)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 7620)
- Working with threads in the GNU C Compiler (GCC) libraries related mutex has been found
  - tftp.exe (PID: 10036)
  - porn.exe (PID: 10568)
  - tftp.exe (PID: 14164)
- Searches for installed software
  - MSBuild.exe (PID: 7568)
  - MSBuild.exe (PID: 4372)
  - MSBuild.exe (PID: 8996)
  - MSBuild.exe (PID: 5140)
- The process hide an interactive prompt from the user
  - powershell.exe (PID: 8328)
- Potential TCP-based PowerShell reverse shell connection
  - powershell.exe (PID: 8328)
- The process bypasses the loading of PowerShell profile settings
  - powershell.exe (PID: 8328)
- Possibly malicious use of IEX has been detected
  - powershell.exe (PID: 8328)
- Checks for external IP
  - svchost.exe (PID: 2200)
  - AddInProcess32.exe (PID: 8400)
  - http185.156.72.2files7357519510Bw5ZAOe.exe.exe (PID: 5628)
  - Build.exe (PID: 13236)
- Found IP address in command line
  - powershell.exe (PID: 10140)
- Executes script without checking the security policy
  - powershell.exe (PID: 10140)
- Executes as Windows Service
  - VSSVC.exe (PID: 7980)
- Contacting a server suspected of hosting an Exploit Kit
  - httpsdro.pm2.exe.exe (PID: 436)
- Block-list domains
  - httpsdro.pm2.exe.exe (PID: 436)
- Creates file in the systems drive root
  - Prolin.exe (PID: 12604)
- Starts application from unusual location
  - Ganja85.exe (PID: 13436)
  - Taskmgr.exe (PID: 4012)
- Uses ATTRIB.EXE to modify file attributes
  - werefult.exe (PID: 10776)
  - F.exe (PID: 13144)
INFO
- Checks supported languages
  - bomb.exe.bin.exe (PID: 1560)
  - httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe (PID: 2464)
  - httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe (PID: 5424)
  - http185.156.72.2files53737821734eTHv9F.exe.exe (PID: 4832)
  - http185.156.72.2files7357519510Bw5ZAOe.exe.exe (PID: 5628)
  - httpswww.vuelaviajero.comwp-includesimagesallonymouslyfFpY.exe.exe (PID: 1932)
  - Wwf.exe (PID: 5080)
  - httpsdro.pm2.exe.exe (PID: 984)
  - http185.156.72.61incXClient.exe.exe (PID: 3900)
  - http185.156.72.61incledenn.exe.exe (PID: 4036)
  - httpsdro.pm2.exe.exe (PID: 436)
  - httpsgithub.combatratspluginsrawmainSystemExplorer.exe.exe (PID: 4804)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 3396)
  - XClient.exe (PID: 3720)
  - SystemExplorer.exe (PID: 7200)
  - bitdefender.exe (PID: 7312)
  - wwf.exe (PID: 7432)
  - ledenn.exe (PID: 7424)
  - blOahSM.exe (PID: 7660)
  - 4eTHv9F.exe (PID: 7440)
  - wwf.exe (PID: 7752)
  - cron123123213.exe (PID: 7668)
  - allonymouslyfFpY.exe (PID: 7880)
  - http185.156.72.61incScreenConnect.ClientSetup123.exe.exe (PID: 7892)
  - ScreenConnect.ClientSetup123.exe (PID: 7936)
  - http185.156.72.61inccron123123213.exe.exe (PID: 8000)
  - safefinder.exe (PID: 8152)
  - AutoIt3_x64.exe (PID: 7388)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 7620)
  - http185.156.72.61incbitdefender.exe.exe (PID: 7580)
  - MSBuild.exe (PID: 7944)
  - AutoIt3_x64.exe (PID: 7528)
  - Setup.exe (PID: 7608)
  - CapCut-VideoEditing_12.1.02.exe (PID: 7612)
  - Setup.exe (PID: 7876)
  - MSBuild.exe (PID: 7568)
  - IMG001.exe (PID: 8336)
  - AddInProcess32.exe (PID: 8400)
  - tomcat8.exe (PID: 7404)
  - MSBuild.exe (PID: 4372)
  - 2.exe (PID: 8308)
  - Bw5ZAOe.exe (PID: 8348)
  - WxWorkMultiOpen.exe (PID: 8636)
  - Wwf.exe (PID: 8596)
  - WxWorkMultiOpen.exe (PID: 8652)
  - WxWorkMultiOpen.exe (PID: 8644)
  - WxWorkMultiOpen.exe (PID: 8700)
  - agent.exe (PID: 8628)
  - Setup.exe (PID: 9020)
  - Setup.exe (PID: 9028)
  - svchost.com (PID: 9204)
  - MSBuild.exe (PID: 8996)
  - svchost.com (PID: 8696)
  - MSBuild.exe (PID: 9096)
  - Worldofficee.exe (PID: 8736)
  - Worldoffice.exe (PID: 1532)
  - 2.exe (PID: 8728)
  - MSBuild.exe (PID: 5140)
  - svchost.com (PID: 9152)
  - http185.156.72.61incCapCut-VideoEditing_12.1.02.exe.exe (PID: 7980)
  - svchost.com (PID: 6548)
  - svchost.com (PID: 7356)
  - msiexec.exe (PID: 8004)
  - 11COMPRAS1.exe (PID: 9264)
  - 11COMPRAS1.exe (PID: 9412)
  - svchost.com (PID: 9624)
  - svchost.com (PID: 9768)
  - svchost.com (PID: 10000)
  - svchost.exe (PID: 9580)
  - tftp.exe (PID: 10036)
  - ngrok.exe (PID: 9544)
  - AddInProcess32.exe (PID: 10128)
  - msiexec.exe (PID: 7848)
  - svchost.com (PID: 10156)
  - svchost.com (PID: 9044)
  - msiexec.exe (PID: 9212)
  - svchost.com (PID: 9664)
  - svchost.com (PID: 9764)
  - sosi.exe (PID: 9240)
  - Client.exe (PID: 10168)
  - svchost.com (PID: 7744)
  - celkadrobitel.exe (PID: 2324)
  - transformer.exe (PID: 2604)
  - lollo.exe (PID: 9572)
  - svchost.com (PID: 6896)
  - svchost.exe (PID: 8008)
  - 1.exe (PID: 8080)
  - svchost.com (PID: 10292)
  - EG11t89.exe (PID: 10440)
  - svchost.com (PID: 10452)
  - setup.exe(Live%20Protection%20Suite).exe (PID: 10564)
  - IMG001.exe (PID: 10392)
  - svchost.com (PID: 10428)
  - svchost.com (PID: 10668)
  - svchost.com (PID: 11008)
  - loader.exe (PID: 12404)
  - Bloxflip%20Predictor.exe (PID: 12468)
  - svchost.com (PID: 10988)
  - svchost.com (PID: 12388)
  - lpsprt.exe (PID: 12488)
  - startud.exe (PID: 12436)
  - MARCUSS.exe (PID: 12448)
  - Clien123.exe (PID: 12596)
  - Prolin.exe (PID: 12604)
  - svchost.com (PID: 12840)
  - CryptoLocker.exe (PID: 12924)
  - payload.exe (PID: 13224)
  - plctkles.exe (PID: 13092)
  - CryptoWall.exe (PID: 12884)
  - startud.exe (PID: 12980)
  - trip.exe (PID: 13276)
  - runtimebroker.exe (PID: 12932)
  - Cp1N8fC.exe (PID: 10768)
  - vshell.exe (PID: 12316)
  - LOIC.exe (PID: 12916)
  - svchost.com (PID: 10808)
  - Ganja165.exe (PID: 9160)
  - 6.exe (PID: 7032)
  - Build.exe (PID: 13236)
  - vjVPnDfx.exe (PID: 12292)
  - Final123.exe (PID: 13184)
  - WindowsUpdateLauncher.exe (PID: 10432)
  - ap.exe (PID: 13152)
  - ceng.exe (PID: 13168)
  - Ganja199.exe (PID: 9980)
  - ls.exe (PID: 12632)
  - Ganja36.exe (PID: 10884)
  - tcp_windows_amd64.exe (PID: 12876)
  - werefult.exe (PID: 10776)
  - Ganja121.exe (PID: 9960)
  - porn.exe (PID: 10568)
  - https.exe (PID: 13252)
  - Ganja45.exe (PID: 6216)
  - Ganja168.exe (PID: 13408)
  - msconfig.exe (PID: 13752)
  - svchost.com (PID: 13896)
  - ZwMTvdkS2rnf9Im.exe (PID: 13600)
  - ls.exe (PID: 13684)
  - svchost.com (PID: 14008)
  - Ganja20.exe (PID: 13592)
  - Ganja85.exe (PID: 13436)
  - Ganja174.exe (PID: 13616)
  - tftp.exe (PID: 14164)
  - Ganja195.exe (PID: 13624)
  - Ganja66.exe (PID: 13452)
  - kajmak.exe (PID: 13468)
  - klass.exe (PID: 13928)
  - march.exe (PID: 11012)
  - baboon.exe (PID: 12432)
  - REXCEL~1.EXE (PID: 13872)
  - syspool.exe (PID: 13536)
  - Ganja46.exe (PID: 13476)
  - F.exe (PID: 10760)
  - joker12321.exe (PID: 13544)
  - Ganja61.exe (PID: 13416)
  - klass.exe (PID: 13760)
  - Ganja13.exe (PID: 13668)
  - Ganja113.exe (PID: 13632)
  - jtEmt5nxbRnq5jC.exe (PID: 13340)
  - Ganja107.exe (PID: 13352)
  - 80aK2YmFb6vbKeU.exe (PID: 13428)
  - Ganja54.exe (PID: 13524)
  - test1.exe (PID: 13284)
  - installer.exe (PID: 13200)
  - Doppelganger.exe (PID: 10516)
  - svchost.com (PID: 14344)
  - MARCUSS.exe (PID: 7412)
  - winsvchost.exe (PID: 13868)
  - plctkles.exe (PID: 7084)
  - c2_payload_aes.exe (PID: 13444)
  - eU80aK2YmFb6vbK.exe (PID: 9160)
  - svchost.com (PID: 13380)
  - v999f8.exe (PID: 13176)
  - Ganja151.exe (PID: 3956)
  - svchost.com (PID: 1296)
  - loader.exe (PID: 8040)
  - ap.exe (PID: 6780)
  - 2F33566DA0B91573532102.exe (PID: 13080)
  - demon.exe (PID: 13216)
  - payload.exe (PID: 14528)
  - klass.exe (PID: 9648)
  - EG11t89.exe (PID: 14736)
  - svchost.com (PID: 15428)
  - demonx64.exe (PID: 13208)
  - svchost.com (PID: 15572)
  - svchost.com (PID: 15916)
  - Ganja177.exe (PID: 15152)
  - Ganja190.exe (PID: 15232)
  - Ganja153.exe (PID: 3584)
  - Ganja39.exe (PID: 14808)
  - Ganja99.exe (PID: 14848)
  - rod_en_1.exe (PID: 15224)
  - ganja5.exe (PID: 9284)
  - PDFConverter_P2W154-zx-666.exe (PID: 14816)
  - index.exe (PID: 14832)
  - Setup.exe (PID: 14448)
  - hersey.exe (PID: 15048)
  - DumpAADUserPRT.exe (PID: 13136)
- Reads Environment values
  - bomb.exe.bin.exe (PID: 1560)
  - AutoIt3_x64.exe (PID: 7528)
  - AutoIt3_x64.exe (PID: 7388)
  - Client.exe (PID: 10168)
  - 1.exe (PID: 8080)
  - lpsprt.exe (PID: 12488)
- Disables trace logs
  - bomb.exe.bin.exe (PID: 1560)
  - AddInProcess32.exe (PID: 8400)
  - powershell.exe (PID: 8064)
  - Build.exe (PID: 13236)
  - trip.exe (PID: 13276)
- Reads the computer name
  - bomb.exe.bin.exe (PID: 1560)
  - httpswww.vuelaviajero.comwp-includesimagesallonymouslyfFpY.exe.exe (PID: 1932)
  - http185.156.72.2files7357519510Bw5ZAOe.exe.exe (PID: 5628)
  - httpsdro.pm2.exe.exe (PID: 984)
  - http185.156.72.61incXClient.exe.exe (PID: 3900)
  - httpsdro.pm2.exe.exe (PID: 436)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 3396)
  - XClient.exe (PID: 3720)
  - bitdefender.exe (PID: 7312)
  - blOahSM.exe (PID: 7660)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 7620)
  - allonymouslyfFpY.exe (PID: 7880)
  - safefinder.exe (PID: 8152)
  - http185.156.72.61incScreenConnect.ClientSetup123.exe.exe (PID: 7892)
  - ScreenConnect.ClientSetup123.exe (PID: 7936)
  - http185.156.72.61incbitdefender.exe.exe (PID: 7580)
  - AutoIt3_x64.exe (PID: 7388)
  - MSBuild.exe (PID: 7944)
  - CapCut-VideoEditing_12.1.02.exe (PID: 7612)
  - AutoIt3_x64.exe (PID: 7528)
  - Setup.exe (PID: 7608)
  - MSBuild.exe (PID: 7568)
  - Wwf.exe (PID: 5080)
  - Setup.exe (PID: 7876)
  - AddInProcess32.exe (PID: 8400)
  - IMG001.exe (PID: 8336)
  - Bw5ZAOe.exe (PID: 8348)
  - MSBuild.exe (PID: 4372)
  - 2.exe (PID: 8308)
  - WxWorkMultiOpen.exe (PID: 8636)
  - WxWorkMultiOpen.exe (PID: 8652)
  - WxWorkMultiOpen.exe (PID: 8644)
  - WxWorkMultiOpen.exe (PID: 8700)
  - svchost.com (PID: 9204)
  - MSBuild.exe (PID: 8996)
  - MSBuild.exe (PID: 9096)
  - MSBuild.exe (PID: 5140)
  - http185.156.72.61incCapCut-VideoEditing_12.1.02.exe.exe (PID: 7980)
  - svchost.com (PID: 6548)
  - svchost.com (PID: 7356)
  - msiexec.exe (PID: 8004)
  - svchost.com (PID: 9768)
  - 11COMPRAS1.exe (PID: 9412)
  - Wwf.exe (PID: 8596)
  - 2.exe (PID: 8728)
  - svchost.com (PID: 10156)
  - msiexec.exe (PID: 7848)
  - AddInProcess32.exe (PID: 10128)
  - svchost.com (PID: 9044)
  - msiexec.exe (PID: 9212)
  - Setup.exe (PID: 9020)
  - Setup.exe (PID: 9028)
  - svchost.com (PID: 9664)
  - svchost.com (PID: 9764)
  - Client.exe (PID: 10168)
  - svchost.com (PID: 7744)
  - 1.exe (PID: 8080)
  - svchost.com (PID: 6896)
  - IMG001.exe (PID: 10392)
  - EG11t89.exe (PID: 10440)
  - svchost.com (PID: 10452)
  - svchost.com (PID: 10428)
  - setup.exe(Live%20Protection%20Suite).exe (PID: 10564)
  - svchost.com (PID: 12388)
  - startud.exe (PID: 12436)
  - Bloxflip%20Predictor.exe (PID: 12468)
  - MARCUSS.exe (PID: 12448)
  - svchost.exe (PID: 9580)
  - Cp1N8fC.exe (PID: 10768)
  - Ganja165.exe (PID: 9160)
  - Build.exe (PID: 13236)
  - Ganja36.exe (PID: 10884)
  - Ganja199.exe (PID: 9980)
  - ap.exe (PID: 13152)
  - ls.exe (PID: 12632)
  - tcp_windows_amd64.exe (PID: 12876)
  - vshell.exe (PID: 12316)
  - porn.exe (PID: 10568)
  - plctkles.exe (PID: 13092)
  - Ganja45.exe (PID: 6216)
  - ceng.exe (PID: 13168)
  - Prolin.exe (PID: 12604)
  - ls.exe (PID: 13684)
  - Ganja195.exe (PID: 13624)
  - Ganja85.exe (PID: 13436)
  - Ganja66.exe (PID: 13452)
  - Ganja174.exe (PID: 13616)
  - Ganja20.exe (PID: 13592)
  - march.exe (PID: 11012)
  - https.exe (PID: 13252)
  - 6.exe (PID: 7032)
  - kajmak.exe (PID: 13468)
  - klass.exe (PID: 13928)
  - ZwMTvdkS2rnf9Im.exe (PID: 13600)
  - Ganja13.exe (PID: 13668)
  - Ganja46.exe (PID: 13476)
  - test1.exe (PID: 13284)
  - Ganja113.exe (PID: 13632)
  - syspool.exe (PID: 13536)
  - Ganja107.exe (PID: 13352)
  - klass.exe (PID: 13760)
  - lpsprt.exe (PID: 12488)
  - REXCEL~1.EXE (PID: 13872)
  - ngrok.exe (PID: 9544)
  - WindowsUpdateLauncher.exe (PID: 10432)
  - winsvchost.exe (PID: 13868)
  - Doppelganger.exe (PID: 10516)
  - demon.exe (PID: 13216)
  - Final123.exe (PID: 13184)
  - ap.exe (PID: 6780)
  - klass.exe (PID: 9648)
  - baboon.exe (PID: 12432)
  - Clien123.exe (PID: 12596)
  - svchost.com (PID: 13380)
  - installer.exe (PID: 13200)
  - svchost.com (PID: 13896)
  - svchost.com (PID: 15916)
  - svchost.com (PID: 10988)
  - Ganja99.exe (PID: 14848)
  - Ganja39.exe (PID: 14808)
  - Ganja153.exe (PID: 3584)
  - tftp.exe (PID: 14164)
  - 80aK2YmFb6vbKeU.exe (PID: 13428)
  - loader.exe (PID: 8040)
- Reads the machine GUID from the registry
  - bomb.exe.bin.exe (PID: 1560)
  - httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe (PID: 5424)
  - http185.156.72.61incXClient.exe.exe (PID: 3900)
  - wwf.exe (PID: 7752)
  - XClient.exe (PID: 3720)
  - ScreenConnect.ClientSetup123.exe (PID: 7936)
  - AutoIt3_x64.exe (PID: 7388)
  - MSBuild.exe (PID: 7944)
  - AutoIt3_x64.exe (PID: 7528)
  - AddInProcess32.exe (PID: 8400)
  - CapCut-VideoEditing_12.1.02.exe (PID: 7612)
  - http185.156.72.61incScreenConnect.ClientSetup123.exe.exe (PID: 7892)
  - MSBuild.exe (PID: 7568)
  - MSBuild.exe (PID: 9096)
  - MSBuild.exe (PID: 4372)
  - http185.156.72.61incCapCut-VideoEditing_12.1.02.exe.exe (PID: 7980)
  - 11COMPRAS1.exe (PID: 9412)
  - MSBuild.exe (PID: 8996)
  - MSBuild.exe (PID: 5140)
  - AddInProcess32.exe (PID: 10128)
  - Client.exe (PID: 10168)
  - 1.exe (PID: 8080)
  - EG11t89.exe (PID: 10440)
  - trip.exe (PID: 13276)
  - ap.exe (PID: 13152)
  - Build.exe (PID: 13236)
  - ZwMTvdkS2rnf9Im.exe (PID: 13600)
  - lpsprt.exe (PID: 12488)
  - startud.exe (PID: 12980)
  - c2_payload_aes.exe (PID: 13444)
- Process checks computer location settings
  - bomb.exe.bin.exe (PID: 1560)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 3396)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 7620)
  - blOahSM.exe (PID: 7660)
  - Setup.exe (PID: 7876)
  - Setup.exe (PID: 7608)
  - IMG001.exe (PID: 8336)
  - ScreenConnect.ClientSetup123.exe (PID: 7936)
  - CapCut-VideoEditing_12.1.02.exe (PID: 7612)
  - http185.156.72.61incCapCut-VideoEditing_12.1.02.exe.exe (PID: 7980)
  - IMG001.exe (PID: 10392)
  - setup.exe(Live%20Protection%20Suite).exe (PID: 10564)
  - startud.exe (PID: 12436)
  - MARCUSS.exe (PID: 12448)
  - plctkles.exe (PID: 13092)
  - test1.exe (PID: 13284)
  - WindowsUpdateLauncher.exe (PID: 10432)
- Checks proxy server information
  - bomb.exe.bin.exe (PID: 1560)
  - httpsdro.pm2.exe.exe (PID: 436)
  - bitdefender.exe (PID: 7312)
  - safefinder.exe (PID: 8152)
  - http185.156.72.61incbitdefender.exe.exe (PID: 7580)
  - AddInProcess32.exe (PID: 8400)
  - explorer.exe (PID: 4772)
  - 2.exe (PID: 8728)
  - powershell.exe (PID: 8064)
  - Build.exe (PID: 13236)
  - http185.156.72.2files7357519510Bw5ZAOe.exe.exe (PID: 5628)
  - trip.exe (PID: 13276)
  - march.exe (PID: 11012)
  - WerFault.exe (PID: 7516)
  - https.exe (PID: 13252)
  - baboon.exe (PID: 12432)
  - demonx64.exe (PID: 13208)
  - demon.exe (PID: 13216)
- Reads the software policy settings
  - bomb.exe.bin.exe (PID: 1560)
  - MSBuild.exe (PID: 4372)
  - MSBuild.exe (PID: 7568)
  - MSBuild.exe (PID: 8996)
  - MSBuild.exe (PID: 5140)
  - explorer.exe (PID: 4772)
  - Build.exe (PID: 13236)
  - WerFault.exe (PID: 7516)
- The sample compiled with english language support
  - httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe (PID: 2464)
  - bomb.exe.bin.exe (PID: 1560)
  - httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe (PID: 5424)
  - httpsdro.pm2.exe.exe (PID: 984)
  - httpsdro.pm2.exe.exe (PID: 436)
  - wwf.exe (PID: 7432)
  - wwf.exe (PID: 7752)
  - blOahSM.exe (PID: 7660)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 7620)
  - Setup.exe (PID: 7876)
  - Wwf.exe (PID: 5080)
  - Setup.exe (PID: 7608)
  - 2.exe (PID: 8308)
  - 11COMPRAS1.exe (PID: 9264)
  - svchost.exe (PID: 9580)
  - 2.exe (PID: 8728)
  - Prolin.exe (PID: 12604)
  - joker12321.exe (PID: 13544)
- Create files in a temporary directory
  - httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe (PID: 2464)
  - httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe (PID: 5424)
  - httpsdro.pm2.exe.exe (PID: 984)
  - httpsgithub.combatratspluginsrawmainSystemExplorer.exe.exe (PID: 4804)
  - wwf.exe (PID: 7432)
  - blOahSM.exe (PID: 7660)
  - http185.156.72.2files7124748205blOahSM.exe.exe (PID: 7620)
  - wwf.exe (PID: 7752)
  - Setup.exe (PID: 7608)
  - AutoIt3_x64.exe (PID: 7388)
  - Setup.exe (PID: 7876)
  - AutoIt3_x64.exe (PID: 7528)
  - CapCut-VideoEditing_12.1.02.exe (PID: 7612)
  - ScreenConnect.ClientSetup123.exe (PID: 7936)
  - 2.exe (PID: 8308)
  - IMG001.exe (PID: 8336)
  - http185.156.72.61incCapCut-VideoEditing_12.1.02.exe.exe (PID: 7980)
  - 11COMPRAS1.exe (PID: 9264)
  - http185.156.72.61incXClient.exe.exe (PID: 3900)
  - svchost.exe (PID: 9580)
  - rundll32.exe (PID: 8008)
  - rundll32.exe (PID: 2168)
  - msiexec.exe (PID: 9836)
  - 1.exe (PID: 8080)
  - loader.exe (PID: 12404)
  - IMG001.exe (PID: 10392)
  - startud.exe (PID: 12436)
  - MARCUSS.exe (PID: 12448)
  - CryptoLocker.exe (PID: 12924)
  - plctkles.exe (PID: 13092)
  - CryptoWall.exe (PID: 12884)
  - LOIC.exe (PID: 12916)
  - runtimebroker.exe (PID: 12932)
  - WindowsUpdateLauncher.exe (PID: 10432)
  - rxd_en_1.exe (PID: 12272)
  - Prolin.exe (PID: 12604)
  - msiexec.exe (PID: 10536)
  - 6.exe (PID: 7032)
  - 80aK2YmFb6vbKeU.exe (PID: 13428)
  - jtEmt5nxbRnq5jC.exe (PID: 13340)
  - plctkles.exe (PID: 7084)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 4772)
  - Taskmgr.exe (PID: 4012)
- Creates files or folders in the user directory
  - Taskmgr.exe (PID: 4012)
  - explorer.exe (PID: 4772)
  - IMG001.exe (PID: 8336)
  - Client.exe (PID: 10168)
  - Bloxflip%20Predictor.exe (PID: 12468)
  - Ganja121.exe (PID: 9960)
  - 6.exe (PID: 7032)
  - IMG001.exe (PID: 10392)
  - syspool.exe (PID: 13536)
  - WerFault.exe (PID: 7516)
  - F.exe (PID: 10760)
  - joker12321.exe (PID: 13544)
- Reads mouse settings
  - AutoIt3_x64.exe (PID: 7388)
  - AutoIt3_x64.exe (PID: 7528)
  - 80aK2YmFb6vbKeU.exe (PID: 13428)
  - jtEmt5nxbRnq5jC.exe (PID: 13340)
  - eU80aK2YmFb6vbK.exe (PID: 9160)
- Launching a file from a Registry key
  - Wwf.exe (PID: 5080)
  - Wwf.exe (PID: 8596)
  - rxd_en_1.exe (PID: 12272)
  - ls.exe (PID: 12632)
  - 6.exe (PID: 7032)
  - syspool.exe (PID: 13536)
  - klass.exe (PID: 13760)
  - winsvchost.exe (PID: 13868)
- SCREENCONNECT has been detected
  - http185.156.72.61incScreenConnect.ClientSetup123.exe.exe (PID: 7892)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 8740)
  - msiexec.exe (PID: 9836)
- CONNECTWISE has been detected
  - msiexec.exe (PID: 8740)
  - msiexec.exe (PID: 9836)
- Creates files in the program directory
  - setup.exe(Live%20Protection%20Suite).exe (PID: 10564)
  - Ganja165.exe (PID: 9160)
  - Ganja199.exe (PID: 9980)
  - kajmak.exe (PID: 13468)
- The sample compiled with spanish language support
  - httpsdro.pm2.exe.exe (PID: 436)
  - 2.exe (PID: 8728)
- The sample compiled with turkish language support
  - httpsdro.pm2.exe.exe (PID: 436)
- Reads Microsoft Office registry keys
  - MSBuild.exe (PID: 7944)
- Launching a file from the Startup directory
  - Bloxflip%20Predictor.exe (PID: 12468)
- The sample compiled with chinese language support
  - httpsdro.pm2.exe.exe (PID: 436)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 10140)
- Application launched itself
  - chrome.exe (PID: 12812)
- Reads Internet Explorer settings
  - mshta.exe (PID: 12668)
  - mshta.exe (PID: 13268)
  - mshta.exe (PID: 12892)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2057:01:07 19:44:57+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	9216
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x431e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	-
FileVersion:	1.0.0.0
InternalName:	bomb.exe
LegalCopyright:	-
LegalTrademarks:	-
OriginalFileName:	bomb.exe
ProductName:	-
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

530

Monitored processes

387

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

436

"C:\Users\admin\Desktop\httpsdro.pm2.exe.exe"

C:\Users\admin\Desktop\httpsdro.pm2.exe.exe

httpsdro.pm2.exe.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\users\admin\desktop\httpsdro.pm2.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

592

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

http185.156.72.2files53737821734eTHv9F.exe.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

984

"C:\Users\admin\Desktop\httpsdro.pm2.exe.exe"

C:\Users\admin\Desktop\httpsdro.pm2.exe.exe

bomb.exe.bin.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\users\admin\desktop\httpsdro.pm2.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1036

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1056

Ganja154.exe

C:\Users\admin\Desktop\a\Ganja154.exe

—

httpsdro.pm2.exe.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\users\admin\desktop\a\ganja154.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\dnsapi.dll

1296

"C:\WINDOWS\svchost.com" "C:\Users\admin\AppData\Roaming\Adobe.exe"

C:\Windows\svchost.com

—

test1.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\windows\svchost.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

1532

Worldoffice.exe

C:\Users\admin\Desktop\a\Worldoffice.exe

httpsdro.pm2.exe.exe

User:

admin

Company:

Apache Software Foundation

Integrity Level:

HIGH

Description:

ApacheBench command line utility

Version:

2.2.14

Modules

Images
c:\users\admin\desktop\a\worldoffice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1560

"C:\Users\admin\Desktop\bomb.exe.bin.exe"

C:\Users\admin\Desktop\bomb.exe.bin.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\bomb.exe.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1896

schtasks /Create /TN crypto_nuke_task /TR \"C:\Users\admin\Desktop\httpsdro.pm2.exe.exe\" /SC ONLOGON /RL HIGHEST /F

C:\Windows\System32\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1932

"C:\Users\admin\Desktop\httpswww.vuelaviajero.comwp-includesimagesallonymouslyfFpY.exe.exe"

C:\Users\admin\Desktop\httpswww.vuelaviajero.comwp-includesimagesallonymouslyfFpY.exe.exe

—

bomb.exe.bin.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\httpswww.vuelaviajero.comwp-includesimagesallonymouslyffpy.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll

Add for printing

Total events

102 206

Read events

101 782

Write events

397

Delete events

Modification events


(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:	write	Name:	IconLayouts
Value: 00000000000000000000000000000000030001000100010010000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C000000120000000000000063006F006D0065007300640065006100740068002E006A00700067003E002000200000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000001200000000000000620065006E0065006600690074006D00610072002E007200740066003E0020002000000016000000000000006300680069006300610067006F0061006700610069006E00730074002E006A00700067003E0020002000000015000000000000006600720061006E00630065007700650073007400650072006E002E006A00700067003E00200020000000110000000000000067006C0061007300730072006F0063006B002E007200740066003E00200020000000160000000000000070006C0065006100730065006E006F00720074006800650072006E002E007200740066003E00200020000000120000000000000073006500610072006300680065007300690069002E0070006E0067003E00200020000000120000000000000077006500700072006500760069006F00750073002E0070006E0067003E00200020000000140000000000000062006F006D0062002E006500780065002E00620069006E002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001000000000000000000000000000000000000000803F0000004008000000803F000040400900000000000000404003000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E00000000000000803F01000000000000000040020000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000000040000040400F00
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:	write	Name:	IconNameVersion
Value: 1
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:	write	Name:	LastUpdate
Value: 7D82586800000000
(PID) Process:	(1560) bomb.exe.bin.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bomb_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(1560) bomb.exe.bin.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bomb_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(1560) bomb.exe.bin.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bomb_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(1560) bomb.exe.bin.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bomb_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(1560) bomb.exe.bin.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bomb_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(1560) bomb.exe.bin.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bomb_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(1560) bomb.exe.bin.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bomb_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing

Add for printing

Executable files

561

Suspicious files

Text files

101

Unknown types

Dropped files

PID	Process	Filename		Type
2464	httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI24642\Microsoft.VC90.CRT.manifest		xml
		MD5:40E0E83698F7ADAE975D9D850A02F1DD	SHA256:A2DBF5A7EFA1C12D778B7AEF0DF678BD0E4221BFDB22612817801D4E9C99B559
1560	bomb.exe.bin.exe	C:\Users\admin\Desktop\http59.110.92.49555502.08.2022.exe.exe		binary
		MD5:CDFCBDBED27DA238C9A1B2BC34082337	SHA256:792C004627BEC0958D39F5160C77941AD4B25ACE019488D494740B22F1F4FAE0
1560	bomb.exe.bin.exe	C:\Users\admin\Desktop\http185.156.72.2files5561582465oSOnryg.exe.exe		executable
		MD5:3D37A6DE6BC9917F26B260A02C92C08C	SHA256:99B3E6C422B79B6380E218C32B400485C202C2FB89444A1C047A92E17049FCE1
1560	bomb.exe.bin.exe	C:\Users\admin\Desktop\httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe		executable
		MD5:35064DD6E1181B1F2C4F9A49F7E43E4B	SHA256:82F5D6C9AB023590EBAF3270B11F543BAAE604FAD71D63AE4F1FC8E1D90AC282
2464	httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI24642\_hashlib.pyd		executable
		MD5:6F784C403E2097D11331F8778F6D9D2C	SHA256:CDA9A6478417629CB40809AAD57BD5A884F183333506D00008D16E47368FD633
2464	httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI24642\msvcm90.dll		executable
		MD5:747612BB509B4F71291732E2F2D8A1E6	SHA256:8B34761F3F4D345359660FD05F288D94E871F2819EFE639B93EB9416E92106FB
1560	bomb.exe.bin.exe	C:\Users\admin\Desktop\http60.205.183.2325555502.08.2022.exe.exe		binary
		MD5:C79F97C9C4BBFDAFC2DC846BB4D8954E	SHA256:DD5178A892E0225352DC3DE9187DB67F348094E25D20581C18AB3789604EB53B
2464	httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI24642\data.exe.manifest		xml
		MD5:ED41D85C686D7E61C8DEECB3CA2946BA	SHA256:D1617B7026E45D242E2BF5DC6833A877959498CC4BC6B289AB05F48F9FCCE534
2464	httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI24642\bz2.pyd		executable
		MD5:51FDB7790E680A394E9936498D3A73FA	SHA256:985902E0813564981059C2F57282614F5A907DC3DF0273BA7BEF2AD64123C921
2464	httpsgithub.comupsnorwayjsdmxreleasesdownloadttu3535wwf.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI24642\msvcr90.dll		executable
		MD5:552CF56353AF11CE8E0D10EE12FDCD85	SHA256:E88299EA1A140FF758163DFFF179FFF3BC5E90E7CFBBD178D0C886DBAD184012

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

377

TCP/UDP connections

706

DNS requests

Threats

1 564

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.55.104.172:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1560	bomb.exe.bin.exe	GET	200	185.156.72.2:80	http://185.156.72.2/files/5561582465/oSOnryg.exe	unknown	—	—	unknown
1560	bomb.exe.bin.exe	GET	200	60.205.183.232:55555	http://60.205.183.232:55555/02.08.2022.exe	unknown	—	—	unknown
1560	bomb.exe.bin.exe	GET	200	59.110.92.49:5555	http://59.110.92.49:5555/02.08.2022.exe	unknown	—	—	unknown
1560	bomb.exe.bin.exe	GET	200	185.156.72.2:80	http://185.156.72.2/files/5373782173/4eTHv9F.exe	unknown	—	—	unknown
1560	bomb.exe.bin.exe	GET	404	185.156.72.2:80	http://185.156.72.2/files/7629627281/zMOdRcW.exe	unknown	—	—	unknown
2668	svchost.exe	HEAD	404	23.95.245.178:80	http://23.95.245.178/lab1/iut5r	unknown	—	—	unknown
1560	bomb.exe.bin.exe	GET	200	185.156.72.2:80	http://185.156.72.2/files/7124748205/blOahSM.exe	unknown	—	—	unknown
436	httpsdro.pm2.exe.exe	GET	404	185.156.72.2:80	http://185.156.72.2/files/7629627281/zMOdRcW.exe	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1268	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5476	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	23.55.104.172:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
1560	bomb.exe.bin.exe	151.101.2.49:443	urlhaus.abuse.ch	FASTLY	US	whitelisted
1560	bomb.exe.bin.exe	59.110.92.49:5555	—	Hangzhou Alibaba Advertising Co.,Ltd.	CN	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59 51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	23.55.104.172 23.55.104.190 184.24.77.35 184.24.77.12 184.24.77.37	whitelisted
www.microsoft.com	95.101.149.131 184.30.21.171	whitelisted
urlhaus.abuse.ch	151.101.2.49 151.101.130.49 151.101.194.49 151.101.66.49	whitelisted
dro.pm	86.80.32.182	unknown
github.com	140.82.121.4	whitelisted
objects.githubusercontent.com	185.199.111.133 185.199.109.133 185.199.110.133 185.199.108.133	whitelisted
www.vuelaviajero.com	208.109.201.79	unknown
www.bing.com	2.16.241.218 2.16.241.201	whitelisted

Threats

PID	Process	Class	Message
1560	bomb.exe.bin.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
1560	bomb.exe.bin.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
1560	bomb.exe.bin.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1560	bomb.exe.bin.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
1560	bomb.exe.bin.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
1560	bomb.exe.bin.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
1560	bomb.exe.bin.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
1560	bomb.exe.bin.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
1560	bomb.exe.bin.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
1560	bomb.exe.bin.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

Add for printing

Process	Message
chrome.exe	RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\syyhesjv.spx directory exists )

General Info

bomb.exe.bin

21D3C4B6869E61ACB836ECE73DD265DA

4D3AC5EAA89B0ACF14EED249EA774D00CF5AA2C8

E8582DA9A3FA365A425ED0225F7C6681E561061AA0B5285538BAE4B334B97F7C

192:UnNv1XCiAzsBhl3y9+QHzdPbw7z1OLU87glpp/bI6J4j0rVIp:ANozz9+qzZYOLU870NJlVI

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

HAUSBOMBER has been detected (YARA)

Application was injected by another process

Runs injected code in another process

Actions looks like stealing of personal data

Uses Task Scheduler to autorun other applications

Executing a file with an untrusted certificate

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

Antivirus name has been found in the command line (generic signature)

STEGOCAMPAIGN has been detected (SURICATA)

Changes the autorun value in the registry

REVERSELOADER has been detected (SURICATA)

NESHTA mutex has been found

LUMMA has been detected (SURICATA)

Connects to the CnC server

LUMMA mutex has been found

QUASAR mutex has been found

TROX has been detected

Run PowerShell with an invisible window

QUASAR has been detected (SURICATA)

GENERIC has been found (auto)

NJRAT has been found (auto)

METASPLOIT has been found (auto)

FORMBOOK has been found (auto)

STORMKITTY has been found (auto)

AGENTTESLA has been found (auto)

Scans artifacts that could help determine the target

Steals credentials from Web Browsers

Create files in the Startup directory

DBATLOADER has been found (auto)

LUMMA has been found (auto)

PHORPIEX has been found (auto)

NJRAT mutex has been found

SUSPICIOUS

Reads the date of Windows installation

Process requests binary or script from the Internet

Starts a Microsoft application from unusual location

Process drops python dynamic module

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Connects to the server without a host name

Connects to unusual port

The process drops C-runtime libraries

Application launched itself

Potential Corporate Privacy Violation

The executable file from the user directory is run by the CMD process

The process checks if it is being run in the virtual environment

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

The process creates files with name similar to system file names

Loads Python modules

The process executes via Task Scheduler

Starts POWERSHELL.EXE for commands execution

The process executes Powershell scripts

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

Starts the AutoIt3 executable file

Starts itself from another location

There is functionality for taking screenshot (YARA)

Mutex name with non-standard characters

Starts application with an unusual extension

Contacting a server suspected of hosting an CnC

Executes application which crashes

BASE64 encoded PowerShell command has been detected

Uses TASKKILL.EXE to kill process

Base64-obfuscated command line is found

NGROK has been detected