Malware analysis OP53532 Harumi new order.scr Malicious activity

Add for printing

File name:	OP53532 Harumi new order.scr
Full analysis:	https://app.any.run/tasks/9b135335-c084-4d3a-9333-c413f78f2452
Verdict:	Malicious activity
Threats:	First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system. Malware Trends Tracker >>>
Analysis date:	January 08, 2025, 01:38:26
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	purecrypter netreactor amsi-bypass
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	CA2CB33B0542CDBA0673C3F0A81A2F7F
SHA1:	066C0FC9236C6EB5AD69A3F8F095A793A9D5789A
SHA256:	F3FF932BD931EE266567CD0422A067FD38281164C534026B57D740658AA056C3
SSDEEP:	1536:fVNVW2hI6JgXRL320VVNVWbBBk6CzVxEVFC:fVNVHJCR72qVNVYBBk6CzVxEVFC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
Client LanguagePack Package
DotNetRollup
DotNetRollup 481
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
Hello Face Package
InternetExplorer Optional Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MediaPlayer Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
Notepad FoD Package
Notepad FoD Package
Notepad FoD Package
Notepad FoD Package
OpenSSH Client Package
OpenSSH Client Package
PowerShell ISE FOD Package
PowerShell ISE FOD Package
PowerShell ISE FOD Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing PMCPPC FoD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
Printing WFS FoD Package
Printing WFS FoD Package
Printing WFS FoD Package
ProfessionalEdition
ProfessionalEdition
QuickAssist Package
QuickAssist Package
RollupFix
RollupFix
ServicingStack
ServicingStack
ServicingStack 3989
StepsRecorder Package
StepsRecorder Package
StepsRecorder Package
StepsRecorder Package
StepsRecorder Package
TabletPCMath Package
TabletPCMath Package
UserExperience Desktop Package
UserExperience Desktop Package
WordPad FoD Package
WordPad FoD Package
WordPad FoD Package
WordPad FoD Package
WordPad FoD Package

Add for printing

MALICIOUS
- PURECRYPTER has been detected (YARA)
  - OP53532 Harumi new order.scr.exe (PID: 4668)
- Create files in the Startup directory
  - OP53532 Harumi new order.scr.exe (PID: 4668)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - OP53532 Harumi new order.scr.exe (PID: 4668)
- Process uses IPCONFIG to discard the IP address configuration
  - cmd.exe (PID: 6576)
- Starts CMD.EXE for commands execution
  - OP53532 Harumi new order.scr.exe (PID: 4668)
- Process uses IPCONFIG to renew DHCP configuration
  - cmd.exe (PID: 7088)
- Possibly patching Antimalware Scan Interface function (YARA)
  - OP53532 Harumi new order.scr.exe (PID: 4668)
- Executes application which crashes
  - InstallUtil.exe (PID: 7064)
- Executable content was dropped or overwritten
  - OP53532 Harumi new order.scr.exe (PID: 4668)
INFO
- Disables trace logs
  - OP53532 Harumi new order.scr.exe (PID: 4668)
- Reads the machine GUID from the registry
  - OP53532 Harumi new order.scr.exe (PID: 4668)
- Process checks computer location settings
  - OP53532 Harumi new order.scr.exe (PID: 4668)
- Creates files or folders in the user directory
  - OP53532 Harumi new order.scr.exe (PID: 4668)
  - WerFault.exe (PID: 628)
- Checks proxy server information
  - OP53532 Harumi new order.scr.exe (PID: 4668)
  - WerFault.exe (PID: 628)
- .NET Reactor protector has been detected
  - OP53532 Harumi new order.scr.exe (PID: 4668)
- Checks supported languages
  - OP53532 Harumi new order.scr.exe (PID: 4668)
- Reads the computer name
  - OP53532 Harumi new order.scr.exe (PID: 4668)
- Reads the software policy settings
  - WerFault.exe (PID: 628)
- Manual execution by a user
  - InstallUtil.exe (PID: 7064)
- The process uses the downloaded file
  - OP53532 Harumi new order.scr.exe (PID: 4668)
- Create files in a temporary directory
  - WerFault.exe (PID: 628)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

EXIF

EXE

AssemblyVersion:	1.0.0.0
ProductVersion:	1.0.0.0
ProductName:	Rbmoqggf
OriginalFileName:	Rbmoqggf.exe
LegalTrademarks:	-
LegalCopyright:	Copyright © 2017
InternalName:	Rbmoqggf.exe
FileVersion:	1.0.0.0
FileDescription:	Rbmoqggf
CompanyName:	-
Comments:	-
CharacterSet:	Unicode
LanguageCode:	Neutral
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	1.0.0.0
FileVersionNumber:	1.0.0.0
Subsystem:	Windows GUI
SubsystemVersion:	4
ImageVersion:	-
OSVersion:	4
EntryPoint:	0x2f9e
UninitializedDataSize:	-
InitializedDataSize:	217600
CodeSize:	4096
LinkerVersion:	8
PEType:	PE32
ImageFileCharacteristics:	Executable, 32-bit
TimeStamp:	2025:01:07 23:02:49+00:00
MachineType:	Intel 386 or later, and compatibles

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

136

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

4668

"C:\Users\admin\AppData\Local\Temp\OP53532 Harumi new order.scr.exe"

C:\Users\admin\AppData\Local\Temp\OP53532 Harumi new order.scr.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Rbmoqggf

Exit code:

4294967295

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\op53532 harumi new order.scr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

2192

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

6576

"C:\Windows\System32\cmd.exe" /c ipconfig /release

C:\Windows\SysWOW64\cmd.exe

—

OP53532 Harumi new order.scr.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6584

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6632

ipconfig /release

C:\Windows\SysWOW64\ipconfig.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

IP Configuration Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

7064

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

.NET Framework installation utility

Exit code:

3221225477

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

7088

"C:\Windows\System32\cmd.exe" /c ipconfig /renew

C:\Windows\SysWOW64\cmd.exe

—

OP53532 Harumi new order.scr.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

7096

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1328

ipconfig /renew

C:\Windows\SysWOW64\ipconfig.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

IP Configuration Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

628

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7064 -s 12

C:\Windows\SysWOW64\WerFault.exe

InstallUtil.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

Add for printing

Total events

4 574

Read events

4 560

Write events

Delete events

Modification events


(PID) Process:	(4668) OP53532 Harumi new order.scr.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OP53532 Harumi new order_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4668) OP53532 Harumi new order.scr.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OP53532 Harumi new order_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(4668) OP53532 Harumi new order.scr.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OP53532 Harumi new order_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(4668) OP53532 Harumi new order.scr.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OP53532 Harumi new order_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(4668) OP53532 Harumi new order.scr.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OP53532 Harumi new order_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(4668) OP53532 Harumi new order.scr.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OP53532 Harumi new order_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(4668) OP53532 Harumi new order.scr.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OP53532 Harumi new order_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(4668) OP53532 Harumi new order.scr.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OP53532 Harumi new order_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4668) OP53532 Harumi new order.scr.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OP53532 Harumi new order_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(4668) OP53532 Harumi new order.scr.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OP53532 Harumi new order_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
628	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_bad_module_info_dcd3242e9fa4189184df4216daa4e4c7cdf1959_85207d7d_4cf03da6-16de-483f-8510-317c264b06ae\Report.wer		—
		MD5:—	SHA256:—
4668	OP53532 Harumi new order.scr.exe	C:\Users\admin\AppData\Roaming\pdf.exe		executable
		MD5:CA2CB33B0542CDBA0673C3F0A81A2F7F	SHA256:F3FF932BD931EE266567CD0422A067FD38281164C534026B57D740658AA056C3
628	WerFault.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE		binary
		MD5:08E99EB45D45E354406CD84AD028E581	SHA256:E8338C14130EFDAD3A8BD2CF52271292978C63A1B506A036168A1664DA5D9124
628	WerFault.exe	C:\Users\admin\AppData\Local\Temp\WER9724.tmp.WERDataCollectionStatus.txt		text
		MD5:23465F1F5F7FFB8BFA08B088FA9F4B45	SHA256:877C853E4E8354ED89FE92BF427D4FD38E869511692AAF8B9D402B77A5EA0883
628	WerFault.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE		der
		MD5:FA84E4BCC92AA5DB735AB50711040CDE	SHA256:6D7205E794FDE4219A62D9692ECDDF612663A5CF20399E79BE87B851FCA4CA33
628	WerFault.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785		der
		MD5:F6F53CD09A41E968C363419B279D3112	SHA256:6D2BB01CC7A9BADE2113B219CAC1BDA86B2733196B7E1BD0C807CE1E396B1892
628	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERA6E4.tmp.WERInternalMetadata.xml		xml
		MD5:FCB2D9BB2A47168C2EAA07F8DD7CF862	SHA256:98EEC526F731639A64A4AF3B88B585D4F834773DED8F86FBF8AAD2389298AA67
628	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERA714.tmp.xml		xml
		MD5:408806173606A74FEA86519E3F0AE28D	SHA256:500A83ABE50B2099C9ACE586825998312F6DE22E2D90C0EFAF8B2AFF2456CFDA
628	WerFault.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785		binary
		MD5:26682B8CAEC3B6D0731D7CBF41D35232	SHA256:8A2EF1CA4839D515493D225379144E9B6EDFB5B852D14D7679D60669657B1B49
4668	OP53532 Harumi new order.scr.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs		text
		MD5:2D383DEEF8B1F01DCCFFF30D1BA60B3B	SHA256:941AA62018213392AB38D6405F3EC156EF61B68BA1D3C826DEDC611420AD5BE9

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
628	WerFault.exe	GET	200	2.20.157.251:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
628	WerFault.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5320	SIHClient.exe	GET	200	2.20.157.251:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.72:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.230.103:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5320	SIHClient.exe	GET	200	2.20.157.251:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4668	OP53532 Harumi new order.scr.exe	GET	200	173.252.167.60:80	http://hlag.cc/panel/uploads/Otecu.pdf	unknown	—	—	—
2100	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5340	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.72:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	184.30.230.103:80	www.microsoft.com	AKAMAI-AS	US	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	2.23.227.208:443	www.bing.com	Ooredoo Q.S.C.	QA	unknown
4668	OP53532 Harumi new order.scr.exe	173.252.167.60:80	hlag.cc	SRS-6-Z-7381	US	unknown
1176	svchost.exe	40.126.32.133:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1176	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146 51.104.136.2	whitelisted
crl.microsoft.com	2.16.164.72 2.16.164.49 23.216.77.28 23.216.77.6	whitelisted
www.microsoft.com	184.30.230.103 2.20.157.251	whitelisted
google.com	142.250.185.174	whitelisted
www.bing.com	2.23.227.208 2.23.227.215	whitelisted
hlag.cc	173.252.167.60	unknown
login.live.com	40.126.32.133 40.126.32.138 40.126.32.134 20.190.160.20 20.190.160.22 40.126.32.68 40.126.32.72 40.126.32.74	unknown
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	23.56.254.14	whitelisted
watson.events.data.microsoft.com	20.189.173.21	whitelisted

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET DNS Query for .cc TLD

Add for printing

No debug info

General Info

OP53532 Harumi new order.scr

CA2CB33B0542CDBA0673C3F0A81A2F7F

066C0FC9236C6EB5AD69A3F8F095A793A9D5789A

F3FF932BD931EE266567CD0422A067FD38281164C534026B57D740658AA056C3

1536:fVNVW2hI6JgXRL320VVNVWbBBk6CzVxEVFC:fVNVHJCR72qVNVYBBk6CzVxEVFC

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

PURECRYPTER has been detected (YARA)

Create files in the Startup directory

SUSPICIOUS

Reads security settings of Internet Explorer

Process uses IPCONFIG to discard the IP address configuration

Starts CMD.EXE for commands execution

Process uses IPCONFIG to renew DHCP configuration

Possibly patching Antimalware Scan Interface function (YARA)

Executes application which crashes

Executable content was dropped or overwritten

INFO

Disables trace logs

Reads the machine GUID from the registry

Process checks computer location settings

Creates files or folders in the user directory

Checks proxy server information

.NET Reactor protector has been detected

Checks supported languages

Reads the computer name

Reads the software policy settings

Manual execution by a user

The process uses the downloaded file

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings