Malware analysis SamplePEC2.zip Malicious activity | ANY.RUN

Add for printing

File name:	SamplePEC2.zip
Full analysis:	https://app.any.run/tasks/71e3c76c-a789-49c4-9417-38e5569beee9
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. SystemBC is a Remote Access Trojan (RAT) that can hide communication with the Command and Control server, and deposit other malware strains. Malware Trends Tracker >>>
Analysis date:	March 04, 2025, 04:23:25
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec loader opendir evasion lumma stealer winscp tool tas17 hausbomber netreactor systembc proxyware themida
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=store
MD5:	80EFFAD0D13E9E8030FE4C4910E39D86
SHA1:	7363F3E6C419E3D1ADFE35C8A964EDCEC70CE86A
SHA256:	EF9EA600B37205B89471CA612FF435C2095E76E5E36A5CF46175EF3DD8A264C4
SSDEEP:	6144:xWPAOUq9pmQ02sGO7wp9CaRcqWXQF+wKt7zvyG4v:xORpmQ02sbE9iqWg0wGyVv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- HAUSBOMBER has been detected (YARA)
  - New Text Document.exe (PID: 7652)
- Executing a file with an untrusted certificate
  - reCAPTCHA.exe (PID: 6392)
  - netdriver.exe (PID: 5452)
  - winnet.exe (PID: 7408)
  - rundrive.exe (PID: 4620)
  - winnet.exe (PID: 4304)
  - rundrive.exe (PID: 1452)
  - oioq.exe (PID: 5204)
  - oioq.exe (PID: 7528)
  - reCAPTCHA.exe (PID: 1012)
- LUMMA has been detected (SURICATA)
  - svchost.exe (PID: 2196)
  - TORRENTOLD-1.exe (PID: 5528)
  - 1337X-1.exe (PID: 4212)
- Connects to the CnC server
  - svchost.exe (PID: 2196)
- LUMMA mutex has been found
  - TORRENTOLD-1.exe (PID: 5528)
  - 1337X-1.exe (PID: 4212)
- Actions looks like stealing of personal data
  - TORRENTOLD-1.exe (PID: 5528)
  - 1337X-1.exe (PID: 4212)
- TAS17 has been detected
  - netdriver.exe (PID: 5452)
  - winnet.exe (PID: 7408)
  - rundrive.exe (PID: 4620)
  - winnet.exe (PID: 4304)
  - rundrive.exe (PID: 1452)
- Steals credentials from Web Browsers
  - TORRENTOLD-1.exe (PID: 5528)
  - 1337X-1.exe (PID: 4212)
- Run PowerShell with an invisible window
  - powershell.exe (PID: 6384)
  - powershell.exe (PID: 5304)
  - powershell.exe (PID: 6516)
  - powershell.exe (PID: 4172)
  - powershell.exe (PID: 5972)
  - powershell.exe (PID: 7152)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 6384)
  - powershell.exe (PID: 5304)
  - powershell.exe (PID: 6516)
  - powershell.exe (PID: 4172)
  - powershell.exe (PID: 5972)
  - powershell.exe (PID: 7152)
- Changes powershell execution policy (Bypass)
  - cmd.exe (PID: 5964)
  - cmd.exe (PID: 7580)
  - cmd.exe (PID: 6032)
  - cmd.exe (PID: 8016)
  - cmd.exe (PID: 7248)
  - cmd.exe (PID: 8168)
- Request from PowerShell which ran from CMD.EXE
  - powershell.exe (PID: 6384)
  - powershell.exe (PID: 5304)
  - powershell.exe (PID: 6516)
  - powershell.exe (PID: 4172)
  - powershell.exe (PID: 5972)
  - powershell.exe (PID: 7152)
- Dynamically loads an assembly (POWERSHELL)
  - powershell.exe (PID: 6384)
  - powershell.exe (PID: 5304)
  - powershell.exe (PID: 6516)
  - powershell.exe (PID: 4172)
  - powershell.exe (PID: 7152)
  - powershell.exe (PID: 5972)
- Downloads the requested resource (POWERSHELL)
  - powershell.exe (PID: 6384)
  - powershell.exe (PID: 5304)
  - powershell.exe (PID: 6516)
  - powershell.exe (PID: 4172)
  - powershell.exe (PID: 5972)
  - powershell.exe (PID: 7152)
- LUMMA has been detected (YARA)
  - TORRENTOLD-1.exe (PID: 5528)
  - 1337X-1.exe (PID: 4212)
- SYSTEMBC mutex has been found
  - oioq.exe (PID: 7528)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - New Text Document.bin.exe (PID: 5344)
  - New Text Document.exe (PID: 7652)
  - reCAPTCHA.exe (PID: 6392)
  - reCAPTCHA.exe (PID: 1012)
- Process requests binary or script from the Internet
  - New Text Document.exe (PID: 7652)
  - powershell.exe (PID: 6384)
  - powershell.exe (PID: 5304)
  - powershell.exe (PID: 6516)
  - powershell.exe (PID: 4172)
  - powershell.exe (PID: 5972)
  - powershell.exe (PID: 7152)
- Executable content was dropped or overwritten
  - New Text Document.bin.exe (PID: 5344)
  - New Text Document.exe (PID: 7652)
  - netdriver.exe (PID: 5452)
- Reads Microsoft Outlook installation path
  - New Text Document.bin.exe (PID: 5344)
- There is functionality for taking screenshot (YARA)
  - New Text Document.bin.exe (PID: 5344)
  - TORRENTOLD-1.exe (PID: 5528)
  - 1337X-1.exe (PID: 4212)
- Reads Internet Explorer settings
  - New Text Document.bin.exe (PID: 5344)
- Reads the date of Windows installation
  - New Text Document.exe (PID: 7652)
- Connects to the server without a host name
  - New Text Document.exe (PID: 7652)
  - powershell.exe (PID: 6384)
  - powershell.exe (PID: 5304)
  - powershell.exe (PID: 6516)
  - powershell.exe (PID: 4172)
  - powershell.exe (PID: 5972)
  - powershell.exe (PID: 7152)
- Potential Corporate Privacy Violation
  - New Text Document.exe (PID: 7652)
  - powershell.exe (PID: 5304)
  - powershell.exe (PID: 6516)
  - powershell.exe (PID: 4172)
  - powershell.exe (PID: 7152)
  - powershell.exe (PID: 5972)
- Checks for external IP
  - curl.exe (PID: 2392)
  - curl.exe (PID: 1244)
- Application launched itself
  - TORRENTOLD-1.exe (PID: 3968)
  - 1337X-1.exe (PID: 4008)
- Connects to unusual port
  - reCAPTCHA.exe (PID: 6392)
  - service.exe (PID: 7732)
  - InstallUtil.exe (PID: 8152)
  - service.exe (PID: 7212)
  - service.exe (PID: 2268)
  - oioq.exe (PID: 7528)
  - reCAPTCHA.exe (PID: 1012)
- WINSCP has been detected
  - netdriver.exe (PID: 5452)
- Start notepad (likely ransomware note)
  - reCAPTCHA.exe (PID: 6392)
  - reCAPTCHA.exe (PID: 1012)
- Reads the BIOS version
  - netdriver.exe (PID: 5452)
  - winnet.exe (PID: 7408)
  - rundrive.exe (PID: 4620)
  - oioq.exe (PID: 5204)
  - winnet.exe (PID: 4304)
  - rundrive.exe (PID: 1452)
  - oioq.exe (PID: 7528)
- Executes application which crashes
  - TORRENTOLD-1.exe (PID: 3968)
  - 1337X-1.exe (PID: 4008)
  - reCAPTCHA.exe (PID: 6392)
- Contacting a server suspected of hosting an CnC
  - 1337X-1.exe (PID: 4212)
  - TORRENTOLD-1.exe (PID: 5528)
  - svchost.exe (PID: 2196)
- Process drops legitimate windows executable
  - New Text Document.exe (PID: 7652)
- Starts CMD.EXE for commands execution
  - kinddevelopers.exe (PID: 7988)
  - rocktrainingss.exe (PID: 720)
  - tg01985462ss.exe (PID: 7196)
  - tg01985462s.exe (PID: 7612)
  - kinddevelopers.exe (PID: 728)
  - kinddevelopers.exe (PID: 6676)
- Executing commands from a ".bat" file
  - kinddevelopers.exe (PID: 7988)
  - rocktrainingss.exe (PID: 720)
  - tg01985462ss.exe (PID: 7196)
  - tg01985462s.exe (PID: 7612)
  - kinddevelopers.exe (PID: 6676)
  - kinddevelopers.exe (PID: 728)
- Executes script without checking the security policy
  - powershell.exe (PID: 6384)
  - powershell.exe (PID: 5304)
  - powershell.exe (PID: 6516)
  - powershell.exe (PID: 4172)
  - powershell.exe (PID: 5972)
  - powershell.exe (PID: 7152)
- Possibly malicious use of IEX has been detected
  - cmd.exe (PID: 5964)
  - cmd.exe (PID: 7580)
  - cmd.exe (PID: 6032)
  - cmd.exe (PID: 8016)
  - cmd.exe (PID: 7248)
  - cmd.exe (PID: 8168)
- Starts a Microsoft application from unusual location
  - kinddevelopers.exe (PID: 7988)
  - rocktrainingss.exe (PID: 720)
  - tg01985462ss.exe (PID: 7196)
  - tg01985462s.exe (PID: 7612)
  - kinddevelopers.exe (PID: 728)
  - kinddevelopers.exe (PID: 6676)
- Uses base64 encoding (POWERSHELL)
  - powershell.exe (PID: 6384)
  - powershell.exe (PID: 5304)
  - powershell.exe (PID: 6516)
  - powershell.exe (PID: 4172)
  - powershell.exe (PID: 5972)
  - powershell.exe (PID: 7152)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 5964)
  - cmd.exe (PID: 7580)
  - cmd.exe (PID: 6032)
  - cmd.exe (PID: 8016)
  - cmd.exe (PID: 7248)
  - cmd.exe (PID: 8168)
- The process bypasses the loading of PowerShell profile settings
  - cmd.exe (PID: 5964)
  - cmd.exe (PID: 7580)
  - cmd.exe (PID: 6032)
  - cmd.exe (PID: 8016)
  - cmd.exe (PID: 7248)
  - cmd.exe (PID: 8168)
- Searches for installed software
  - TORRENTOLD-1.exe (PID: 5528)
  - 1337X-1.exe (PID: 4212)
- The process executes via Task Scheduler
  - oioq.exe (PID: 5204)
  - oioq.exe (PID: 7528)
INFO
- Manual execution by a user
  - New Text Document.bin.exe (PID: 5344)
  - WinRAR.exe (PID: 1912)
  - New Text Document.exe (PID: 7652)
  - InstallUtil.exe (PID: 8152)
  - winnet.exe (PID: 4304)
  - rundrive.exe (PID: 1452)
  - service.exe (PID: 2268)
  - service.exe (PID: 7212)
  - Taskmgr.exe (PID: 6036)
  - alreadyorganization.exe (PID: 856)
  - InstallUtil.exe (PID: 920)
  - Taskmgr.exe (PID: 7968)
  - InstallUtil.exe (PID: 4976)
  - fscan.exe (PID: 7436)
  - kinddevelopers.exe (PID: 728)
  - alreadyorganization.exe (PID: 2236)
  - kinddevelopers.exe (PID: 6676)
  - reCAPTCHA.exe (PID: 1012)
- Checks supported languages
  - New Text Document.bin.exe (PID: 5344)
  - New Text Document.exe (PID: 7652)
  - fscan.exe (PID: 7020)
  - helper.exe (PID: 7508)
  - curl.exe (PID: 2392)
  - 1337X-1.exe (PID: 4008)
  - TORRENTOLD-1.exe (PID: 3968)
  - 1337X-1.exe (PID: 4212)
  - TORRENTOLD-1.exe (PID: 5528)
  - reCAPTCHA.exe (PID: 6392)
  - netdriver.exe (PID: 5452)
  - winnet.exe (PID: 7408)
  - rundrive.exe (PID: 4620)
  - service.exe (PID: 7732)
  - kinddevelopers.exe (PID: 7988)
  - alreadyorganization.exe (PID: 6148)
  - InstallUtil.exe (PID: 8152)
  - rocktraining.exe (PID: 736)
  - rocktrainingss.exe (PID: 720)
  - tg01985462ss.exe (PID: 7196)
  - tg01985462s.exe (PID: 7612)
  - winnet.exe (PID: 4304)
  - oioq.exe (PID: 5204)
  - rundrive.exe (PID: 1452)
  - service.exe (PID: 2268)
  - service.exe (PID: 7212)
  - alreadyorganization.exe (PID: 856)
  - InstallUtil.exe (PID: 920)
  - alreadyorganization.exe (PID: 2236)
  - InstallUtil.exe (PID: 4976)
  - fscan.exe (PID: 7436)
  - oioq.exe (PID: 7528)
  - kinddevelopers.exe (PID: 728)
  - kinddevelopers.exe (PID: 6676)
  - reCAPTCHA.exe (PID: 1012)
  - curl.exe (PID: 1244)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 1912)
- Reads the computer name
  - New Text Document.bin.exe (PID: 5344)
  - New Text Document.exe (PID: 7652)
  - reCAPTCHA.exe (PID: 6392)
  - 1337X-1.exe (PID: 4008)
  - TORRENTOLD-1.exe (PID: 3968)
  - TORRENTOLD-1.exe (PID: 5528)
  - 1337X-1.exe (PID: 4212)
  - curl.exe (PID: 2392)
  - netdriver.exe (PID: 5452)
  - winnet.exe (PID: 7408)
  - rundrive.exe (PID: 4620)
  - InstallUtil.exe (PID: 8152)
  - alreadyorganization.exe (PID: 6148)
  - rocktraining.exe (PID: 736)
  - winnet.exe (PID: 4304)
  - oioq.exe (PID: 5204)
  - rundrive.exe (PID: 1452)
  - alreadyorganization.exe (PID: 856)
  - InstallUtil.exe (PID: 920)
  - InstallUtil.exe (PID: 4976)
  - oioq.exe (PID: 7528)
  - alreadyorganization.exe (PID: 2236)
  - reCAPTCHA.exe (PID: 1012)
  - curl.exe (PID: 1244)
- Reads the software policy settings
  - New Text Document.exe (PID: 7652)
  - slui.exe (PID: 7524)
  - 1337X-1.exe (PID: 4212)
  - TORRENTOLD-1.exe (PID: 5528)
  - slui.exe (PID: 7052)
- Checks proxy server information
  - New Text Document.exe (PID: 7652)
  - New Text Document.bin.exe (PID: 5344)
  - reCAPTCHA.exe (PID: 6392)
  - powershell.exe (PID: 6384)
  - powershell.exe (PID: 5304)
  - powershell.exe (PID: 6516)
  - powershell.exe (PID: 4172)
  - slui.exe (PID: 7052)
  - powershell.exe (PID: 5972)
  - powershell.exe (PID: 7152)
  - reCAPTCHA.exe (PID: 1012)
- Reads the machine GUID from the registry
  - New Text Document.exe (PID: 7652)
  - InstallUtil.exe (PID: 8152)
  - alreadyorganization.exe (PID: 6148)
  - rocktraining.exe (PID: 736)
  - alreadyorganization.exe (PID: 856)
  - InstallUtil.exe (PID: 920)
  - InstallUtil.exe (PID: 4976)
  - alreadyorganization.exe (PID: 2236)
- Application launched itself
  - Acrobat.exe (PID: 7836)
  - AcroCEF.exe (PID: 7760)
- Process checks computer location settings
  - New Text Document.exe (PID: 7652)
- Execution of CURL command
  - reCAPTCHA.exe (PID: 6392)
  - reCAPTCHA.exe (PID: 1012)
- Creates files in the program directory
  - netdriver.exe (PID: 5452)
- Creates files or folders in the user directory
  - WerFault.exe (PID: 3896)
  - WerFault.exe (PID: 6872)
  - WerFault.exe (PID: 6416)
- The sample compiled with english language support
  - New Text Document.exe (PID: 7652)
- Create files in a temporary directory
  - kinddevelopers.exe (PID: 7988)
  - rocktrainingss.exe (PID: 720)
  - tg01985462ss.exe (PID: 7196)
  - tg01985462s.exe (PID: 7612)
  - kinddevelopers.exe (PID: 6676)
  - kinddevelopers.exe (PID: 728)
- Disables trace logs
  - New Text Document.exe (PID: 7652)
  - powershell.exe (PID: 6384)
  - powershell.exe (PID: 5304)
  - powershell.exe (PID: 6516)
  - powershell.exe (PID: 4172)
  - powershell.exe (PID: 5972)
  - powershell.exe (PID: 7152)
- .NET Reactor protector has been detected
  - TORRENTOLD-1.exe (PID: 5528)
  - 1337X-1.exe (PID: 4212)
- Themida protector has been detected
  - rundrive.exe (PID: 4620)
- Reads security settings of Internet Explorer
  - Taskmgr.exe (PID: 7968)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0001
ZipCompression:	None
ZipModifyDate:	2024:05:09 01:02:54
ZipCRC:	0xda87f413
ZipCompressedSize:	193730
ZipUncompressedSize:	193730
ZipFileName:	New Text Document.bin.zip

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

222

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

720

"C:\Users\admin\Desktop\New folder\a\rocktrainingss.exe"

C:\Users\admin\Desktop\New folder\a\rocktrainingss.exe

—

New Text Document.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Win32 Cabinet Self-Extractor

Exit code:

Version:

11.00.22621.1 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\desktop\new folder\a\rocktrainingss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

728

"C:\Users\admin\Desktop\New folder\a\kinddevelopers.exe"

C:\Users\admin\Desktop\New folder\a\kinddevelopers.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Win32 Cabinet Self-Extractor

Exit code:

Version:

11.00.22621.1 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\desktop\new folder\a\kinddevelopers.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

736

"C:\Users\admin\Desktop\New folder\a\rocktraining.exe"

C:\Users\admin\Desktop\New folder\a\rocktraining.exe

—

New Text Document.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Psmtcceefv

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\new folder\a\rocktraining.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

856

"C:\Users\admin\Desktop\New folder\a\alreadyorganization.exe"

C:\Users\admin\Desktop\New folder\a\alreadyorganization.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Tyesdh

Exit code:

4294967295

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\new folder\a\alreadyorganization.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

920

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

.NET Framework installation utility

Exit code:

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

1012

"C:\Users\admin\Desktop\New folder\a\reCAPTCHA.exe"

C:\Users\admin\Desktop\New folder\a\reCAPTCHA.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

PixlrUltimate Optimizer Inc.

Version:

3.0.0.0

Modules

Images
c:\users\admin\desktop\new folder\a\recaptcha.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1040

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2796 --field-trial-handle=1412,i,10492769816856788330,3536615027479939223,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1244

"curl" ip.sb

C:\Windows\System32\curl.exe

reCAPTCHA.exe

User:

admin

Company:

curl, https://curl.se/

Integrity Level:

MEDIUM

Description:

The curl executable

Exit code:

Version:

8.4.0

Modules

Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll

1388

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2672 --field-trial-handle=1412,i,10492769816856788330,3536615027479939223,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1452

"C:\Users\admin\Desktop\New folder\a\rundrive.exe"

C:\Users\admin\Desktop\New folder\a\rundrive.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\new folder\a\rundrive.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Add for printing

Total events

58 854

Read events

58 739

Write events

Delete events

Modification events


(PID) Process:	(7332) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(7332) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7332) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(7332) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\SamplePEC2.zip
(PID) Process:	(7332) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7332) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7332) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7332) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7332) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	15
Value:
(PID) Process:	(7332) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	14
Value:

Add for printing

Executable files

Suspicious files

128

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5344	New Text Document.bin.exe	C:\Users\admin\Desktop\New folder\New Text Document.exe		executable
		MD5:A239A27C2169AF388D4F5BE6B52F272C	SHA256:98E895F711226A32BFAB152E224279D859799243845C46E550C2D32153C619FC
1912	WinRAR.exe	C:\Users\admin\Desktop\New Text Document.bin.exe		executable
		MD5:0B0D247AA1F24C2F5867B3BF29F69450	SHA256:A6E7292E734C3A15CFA654BBA8DEA72A2F55F1C24CF6BBDC2FD7E63887E9315A
7856	Acrobat.exe	C:\Users\admin\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt		text
		MD5:435A2848635000011362434779A69452	SHA256:A75D2985F849008EB9C7B32A17330C52F48C345D2A0A35F03A757DA063356C8E
7760	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old~RF122ea9.TMP		text
		MD5:7383516745DEC1E86152192435F92D1F	SHA256:E22D34BBD915EEB277D4F4138D176EACE5577CF035EF7C2C80A4BC4D9B6C0E1D
7760	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old~RF122e9a.TMP		text
		MD5:ED7D8AAE48211E2BFAF557130572C62A	SHA256:A5CF8D8ADC86DCA357396AF7E3A24A116072D5C1E5552EEB76601AE2673DED6E
7856	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7856		binary
		MD5:366B140BAFC863B7E366AA1E51604759	SHA256:CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E
7856	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal		binary
		MD5:BCC47216EDB988B7F866B68F89989054	SHA256:ABE885984DEC55069A5885200BC1787AB3E622F833718F41A4EAB5F0426ADF1F
7856	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING		binary
		MD5:DC84B0D741E5BEAE8070013ADDCC8C28	SHA256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
7856	Acrobat.exe	C:\Users\admin\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.1.20093.6 2025-03-04 04-25-03-913.log		text
		MD5:460C6041966002D8384A18C895A65EB0	SHA256:C83EC6E8FB3EC62481289C033238C1D9B08DB8076EAAD304099FD7A7F594F1B9
7760	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old		text
		MD5:2EF1F7C0782D1A46974286420D24F629	SHA256:D3A9BB7E09E1F4B0C41FF7808E930DDACF5DB3BACD98ECCF5BC7DB4863D1FCF5

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

246

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7680	backgroundTaskHost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
7652	New Text Document.exe	GET	—	195.201.179.80:80	http://pcbuilts.com/AntiRat.exe	unknown	—	—	unknown
7652	New Text Document.exe	GET	—	195.201.179.80:80	http://pcbuilts.com/sonic.exe	unknown	—	—	unknown
7652	New Text Document.exe	GET	—	195.201.179.80:80	http://pcbuilts.com/sonic.exe	unknown	—	—	unknown
7652	New Text Document.exe	GET	—	195.201.179.80:80	http://pcbuilts.com/XClient.exe	unknown	—	—	unknown
7652	New Text Document.exe	GET	—	195.201.179.80:80	http://pcbuilts.com/Ext.exe	unknown	—	—	unknown
7224	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7224	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	20.190.160.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
7680	backgroundTaskHost.exe	20.103.156.88:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7680	backgroundTaskHost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
2104	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7224	SIHClient.exe	20.12.23.50:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146	whitelisted
google.com	172.217.16.206	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
login.live.com	20.190.160.64 20.190.160.67 20.190.160.3 20.190.160.17 40.126.32.68 20.190.160.20 40.126.32.72 20.190.160.128	whitelisted
ocsp.digicert.com	2.23.77.188 184.30.131.245	whitelisted
arc.msn.com	20.103.156.88	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

Threats

PID	Process	Class	Message
7652	New Text Document.exe	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
7652	New Text Document.exe	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
7652	New Text Document.exe	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
7652	New Text Document.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 31
7652	New Text Document.exe	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
7652	New Text Document.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
7652	New Text Document.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
7652	New Text Document.exe	Misc activity	ET INFO Packed Executable Download
7652	New Text Document.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
7652	New Text Document.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

Add for printing

No debug info

General Info

SamplePEC2.zip

80EFFAD0D13E9E8030FE4C4910E39D86

7363F3E6C419E3D1ADFE35C8A964EDCEC70CE86A

EF9EA600B37205B89471CA612FF435C2095E76E5E36A5CF46175EF3DD8A264C4

6144:xWPAOUq9pmQ02sGO7wp9CaRcqWXQF+wKt7zvyG4v:xORpmQ02sbE9iqWg0wGyVv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

HAUSBOMBER has been detected (YARA)

Executing a file with an untrusted certificate

LUMMA has been detected (SURICATA)

Connects to the CnC server

LUMMA mutex has been found

Actions looks like stealing of personal data

TAS17 has been detected

Steals credentials from Web Browsers

Run PowerShell with an invisible window

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

Request from PowerShell which ran from CMD.EXE

Dynamically loads an assembly (POWERSHELL)

Downloads the requested resource (POWERSHELL)

LUMMA has been detected (YARA)

SYSTEMBC mutex has been found

SUSPICIOUS

Reads security settings of Internet Explorer

Process requests binary or script from the Internet

Executable content was dropped or overwritten

Reads Microsoft Outlook installation path

There is functionality for taking screenshot (YARA)

Reads Internet Explorer settings

Reads the date of Windows installation

Connects to the server without a host name

Potential Corporate Privacy Violation

Checks for external IP

Application launched itself

Connects to unusual port

WINSCP has been detected

Start notepad (likely ransomware note)

Reads the BIOS version

Executes application which crashes

Contacting a server suspected of hosting an CnC

Process drops legitimate windows executable

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Executes script without checking the security policy

Possibly malicious use of IEX has been detected

Starts a Microsoft application from unusual location

Uses base64 encoding (POWERSHELL)

Starts POWERSHELL.EXE for commands execution

The process bypasses the loading of PowerShell profile settings

Searches for installed software

The process executes via Task Scheduler

INFO

Manual execution by a user

Checks supported languages

Executable content was dropped or overwritten

Reads the computer name

Reads the software policy settings

Checks proxy server information

Reads the machine GUID from the registry

Application launched itself

Process checks computer location settings

Execution of CURL command

Creates files in the program directory

Creates files or folders in the user directory

The sample compiled with english language support

Create files in a temporary directory

Disables trace logs

.NET Reactor protector has been detected

Themida protector has been detected

Reads security settings of Internet Explorer

Malware configuration

Static information

TRiD

EXIF