Malware analysis File_pass1234.7z Malicious activity | ANY.RUN

Add for printing

download:	File_pass1234.7z
Full analysis:	https://app.any.run/tasks/f29222a2-d055-4537-be61-167bfb2b3981
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. Fabookie is an infostealer malware that was first observed as early as October 2021. The threat is known for targeting account credentials of Facebook users. The collected information is then sold by the attackers to other criminals. Fabookie is often distributed via loaders such as SmokeLoader. GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	June 28, 2023, 11:20:20
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	privateloader opendir evasion loader rat redline fabookie stealer tofsee trojan gcleaner amadey miner smoke autoit g0njxa
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	3C2AF2430010E312D337D776CCF090B4
SHA1:	E44D3E1A90D427AE5C18FDE94DD3A9F280FDE3B3
SHA256:	F8258E5F0B1154BD3DF426661F578AF3CDB52E7A77030C6549A8D1CC5541A9C1
SSDEEP:	98304:J/u1EAMekXkRZf0CExiEDua0eYacrWFuacM9ovT3Gj0fzBraemIHBOj6VDXXCxPr:JGSbfGZfoIEKa0evciUM9q/NZHBOMDXy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
Mozilla Maintenance Service (67.0.4)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- PRIVATELOADER was detected
  - File.exe (PID: 2544)
  - x34mqdPHZOJJaR4PWoCpjZnh.exe (PID: 2932)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
  - k2Q2smosNKes8KOAv9NBGW7E.exe (PID: 2072)
  - JtM3lUoeBjnEfSAujqAKV9lc.exe (PID: 3664)
- Connects to the CnC server
  - File.exe (PID: 2544)
  - 76La1iWAu7aEVbH8pjVTqB0i.exe (PID: 1864)
  - x34mqdPHZOJJaR4PWoCpjZnh.exe (PID: 2932)
  - M2rHu6PLJiGFCgYJZ20mSH9z.exe (PID: 3044)
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - c9839320.exe (PID: 2240)
  - RefSpacer628.exe (PID: 2884)
  - k2Q2smosNKes8KOAv9NBGW7E.exe (PID: 2072)
  - kwUOACjzHpsUAl82fEVZDne1.exe (PID: 3332)
  - KcJ8gcftkIG3YD3mFcnxuwIB.exe (PID: 3032)
  - JtM3lUoeBjnEfSAujqAKV9lc.exe (PID: 3664)
  - IL3hGDrwAPRno1_Y3JciDk1S.exe (PID: 3320)
  - 8Bp1mWZEeDt712hNAOghU3Ku.exe (PID: 1756)
  - AppLaunch.exe (PID: 3428)
  - rugen.exe (PID: 3768)
  - svchost.exe (PID: 6308)
  - explorer.exe (PID: 1960)
- Creates a writable file the system directory
  - File.exe (PID: 2544)
  - x34mqdPHZOJJaR4PWoCpjZnh.exe (PID: 2932)
  - svchost.exe (PID: 1824)
- Actions looks like stealing of personal data
  - File.exe (PID: 2544)
  - 76La1iWAu7aEVbH8pjVTqB0i.exe (PID: 1864)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - M2rHu6PLJiGFCgYJZ20mSH9z.exe (PID: 3044)
  - S7RhRURGs3KPHuGxgOrpNPIN.exe (PID: 2952)
  - c9839320.exe (PID: 2240)
  - 8Bp1mWZEeDt712hNAOghU3Ku.exe (PID: 1756)
  - KcJ8gcftkIG3YD3mFcnxuwIB.exe (PID: 3032)
  - kwUOACjzHpsUAl82fEVZDne1.exe (PID: 3332)
  - AppLaunch.exe (PID: 3428)
  - IL3hGDrwAPRno1_Y3JciDk1S.exe (PID: 3320)
  - a7YMofr3FcoPxRf8tFnJRu4E.exe (PID: 44420)
- Application was dropped or rewritten from another process
  - TTNWDp97WEQQb8UjiA93Tdzu.exe (PID: 2392)
  - M2rHu6PLJiGFCgYJZ20mSH9z.exe (PID: 3044)
  - 2JopeOHvjj3afHSIa7r5gDa6.exe (PID: 2488)
  - 84NNfXBogAYSZLMMd_gRy_Bt.exe (PID: 3056)
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
  - 0_7MNb1uVdQPQUexq9UQSRa7.exe (PID: 1032)
  - 76La1iWAu7aEVbH8pjVTqB0i.exe (PID: 1864)
  - v7192759.exe (PID: 3036)
  - v8483071.exe (PID: 1160)
  - a3096516.exe (PID: 2208)
  - v6153492.exe (PID: 116)
  - mcyniayg.exe (PID: 684)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - b2549729.exe (PID: 2356)
  - P3DoLAorJ.exe (PID: 600)
  - c9839320.exe (PID: 2240)
  - d4266130.exe (PID: 1704)
  - NU7RFWfCwHaYhZoebwh1dFXs.exe (PID: 1748)
  - HhgTzu3oCDCVVd1ZvAoVe8Bi.exe (PID: 2332)
  - 9B8IBFrZXYKntACrLSeBAh43.exe (PID: 2836)
  - KcJ8gcftkIG3YD3mFcnxuwIB.exe (PID: 3032)
  - tMf94k5TSiq7XULwQAPNiazd.exe (PID: 2560)
  - Install.exe (PID: 3128)
  - 8xrxUh0t_Vm2GeGqF_VbDtPD.exe (PID: 3640)
  - Install.exe (PID: 3656)
  - e8948402.exe (PID: 4016)
  - rugen.exe (PID: 3768)
  - 67PPdKasO.exe (PID: 3224)
  - ebf05k6p8.exe (PID: 3944)
  - lx2aty.exe (PID: 3204)
  - rugen.exe (PID: 6676)
  - Restrict.pif (PID: 8980)
  - jbruyer.exe (PID: 9956)
  - Restrict.pif (PID: 40604)
- Loads dropped or rewritten executable
  - is-84PI3.tmp (PID: 2076)
  - is-T4KH6.tmp (PID: 2516)
  - rundll32.exe (PID: 3548)
  - rundll32.exe (PID: 8544)
  - rundll32.exe (PID: 9480)
- Steals credentials
  - S7RhRURGs3KPHuGxgOrpNPIN.exe (PID: 2952)
- Steals credentials from Web Browsers
  - S7RhRURGs3KPHuGxgOrpNPIN.exe (PID: 2952)
  - c9839320.exe (PID: 2240)
  - 8Bp1mWZEeDt712hNAOghU3Ku.exe (PID: 1756)
  - kwUOACjzHpsUAl82fEVZDne1.exe (PID: 3332)
  - AppLaunch.exe (PID: 3428)
  - IL3hGDrwAPRno1_Y3JciDk1S.exe (PID: 3320)
- REDLINE was detected
  - M2rHu6PLJiGFCgYJZ20mSH9z.exe (PID: 3044)
  - c9839320.exe (PID: 2240)
  - kwUOACjzHpsUAl82fEVZDne1.exe (PID: 3332)
  - 8Bp1mWZEeDt712hNAOghU3Ku.exe (PID: 1756)
  - IL3hGDrwAPRno1_Y3JciDk1S.exe (PID: 3320)
  - AppLaunch.exe (PID: 3428)
- Disables Windows Defender
  - a3096516.exe (PID: 2208)
  - b2549729.exe (PID: 2356)
- Uses Task Scheduler to autorun other applications
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
- Uses Task Scheduler to run other applications
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
  - rugen.exe (PID: 3768)
  - Install.exe (PID: 3656)
  - cmd.exe (PID: 6964)
  - cmd.exe (PID: 6976)
- Changes the Windows auto-update feature
  - b2549729.exe (PID: 2356)
- FABOOKIE was detected
  - 76La1iWAu7aEVbH8pjVTqB0i.exe (PID: 1864)
  - KcJ8gcftkIG3YD3mFcnxuwIB.exe (PID: 3032)
- TOFSEE was detected
  - svchost.exe (PID: 1824)
- GCLEANER was detected
  - RefSpacer628.exe (PID: 2884)
- PRIVATELOADER detected by memory dumps
  - x34mqdPHZOJJaR4PWoCpjZnh.exe (PID: 2932)
- REDLINE detected by memory dumps
  - 84NNfXBogAYSZLMMd_gRy_Bt.exe (PID: 3056)
  - sGf8ey6Z2gVI_Kzbjdb35FKO.exe (PID: 2944)
- Runs injected code in another process
  - d4266130.exe (PID: 1704)
- Application was injected by another process
  - explorer.exe (PID: 1960)
- Changes the autorun value in the registry
  - rugen.exe (PID: 3768)
- AMADEY was detected
  - rugen.exe (PID: 3768)
- Run PowerShell with an invisible window
  - powershell.EXE (PID: 100936)
- Starts CMD.EXE for self-deleting
  - RefSpacer628.exe (PID: 2884)
- MINER was detected
  - svchost.exe (PID: 6308)
- SMOKE was detected
  - explorer.exe (PID: 1960)
SUSPICIOUS
- Connects to the server without a host name
  - File.exe (PID: 2544)
  - x34mqdPHZOJJaR4PWoCpjZnh.exe (PID: 2932)
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - RefSpacer628.exe (PID: 2884)
  - JtM3lUoeBjnEfSAujqAKV9lc.exe (PID: 3664)
  - rugen.exe (PID: 3768)
- Checks for external IP
  - File.exe (PID: 2544)
  - S7RhRURGs3KPHuGxgOrpNPIN.exe (PID: 2952)
  - x34mqdPHZOJJaR4PWoCpjZnh.exe (PID: 2932)
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - k2Q2smosNKes8KOAv9NBGW7E.exe (PID: 2072)
  - JtM3lUoeBjnEfSAujqAKV9lc.exe (PID: 3664)
  - Restrict.pif (PID: 40604)
- Adds/modifies Windows certificates
  - WinRAR.exe (PID: 2580)
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
- Executes as Windows Service
  - raserver.exe (PID: 3032)
  - mcyniayg.exe (PID: 684)
  - raserver.exe (PID: 2940)
  - raserver.exe (PID: 128)
  - raserver.exe (PID: 3528)
  - raserver.exe (PID: 8960)
  - raserver.exe (PID: 7948)
- Reads the Internet Settings
  - File.exe (PID: 2544)
  - 76La1iWAu7aEVbH8pjVTqB0i.exe (PID: 1864)
  - 2JopeOHvjj3afHSIa7r5gDa6.exe (PID: 2488)
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
  - RefSpacer628.exe (PID: 2884)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - KcJ8gcftkIG3YD3mFcnxuwIB.exe (PID: 3032)
  - tMf94k5TSiq7XULwQAPNiazd.exe (PID: 2560)
  - control.exe (PID: 3708)
  - Install.exe (PID: 3656)
  - e8948402.exe (PID: 4016)
  - rugen.exe (PID: 3768)
  - 67PPdKasO.exe (PID: 3224)
  - Restrict.pif (PID: 40604)
  - powershell.EXE (PID: 100936)
  - AppLaunch.exe (PID: 100552)
  - explorer.exe (PID: 1960)
  - Restrict.pif (PID: 8980)
- Reads settings of System Certificates
  - File.exe (PID: 2544)
  - S7RhRURGs3KPHuGxgOrpNPIN.exe (PID: 2952)
  - x34mqdPHZOJJaR4PWoCpjZnh.exe (PID: 2932)
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - k2Q2smosNKes8KOAv9NBGW7E.exe (PID: 2072)
  - JtM3lUoeBjnEfSAujqAKV9lc.exe (PID: 3664)
  - Restrict.pif (PID: 40604)
  - AppLaunch.exe (PID: 100552)
- Reads security settings of Internet Explorer
  - File.exe (PID: 2544)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - Restrict.pif (PID: 40604)
- Checks Windows Trust Settings
  - File.exe (PID: 2544)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - Restrict.pif (PID: 40604)
- Process requests binary or script from the Internet
  - File.exe (PID: 2544)
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - rugen.exe (PID: 3768)
- Executable content was dropped or overwritten
  - File.exe (PID: 2544)
  - TTNWDp97WEQQb8UjiA93Tdzu.exe (PID: 2392)
  - is-84PI3.tmp (PID: 2076)
  - 0_7MNb1uVdQPQUexq9UQSRa7.exe (PID: 1032)
  - v7192759.exe (PID: 3036)
  - 2JopeOHvjj3afHSIa7r5gDa6.exe (PID: 2488)
  - v8483071.exe (PID: 1160)
  - v6153492.exe (PID: 116)
  - cmd.exe (PID: 2652)
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
  - RefSpacer628.exe (PID: 2884)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - NU7RFWfCwHaYhZoebwh1dFXs.exe (PID: 1748)
  - is-T4KH6.tmp (PID: 2516)
  - tMf94k5TSiq7XULwQAPNiazd.exe (PID: 2560)
  - 8xrxUh0t_Vm2GeGqF_VbDtPD.exe (PID: 3640)
  - Install.exe (PID: 3128)
  - e8948402.exe (PID: 4016)
  - 67PPdKasO.exe (PID: 3224)
  - Install.exe (PID: 3656)
  - rugen.exe (PID: 3768)
  - Restrict.pif (PID: 8980)
- Connects to unusual port
  - File.exe (PID: 2544)
  - S7RhRURGs3KPHuGxgOrpNPIN.exe (PID: 2952)
  - 84NNfXBogAYSZLMMd_gRy_Bt.exe (PID: 3056)
  - M2rHu6PLJiGFCgYJZ20mSH9z.exe (PID: 3044)
  - sGf8ey6Z2gVI_Kzbjdb35FKO.exe (PID: 2944)
  - c9839320.exe (PID: 2240)
  - svchost.exe (PID: 1824)
  - kwUOACjzHpsUAl82fEVZDne1.exe (PID: 3332)
  - 8Bp1mWZEeDt712hNAOghU3Ku.exe (PID: 1756)
  - IL3hGDrwAPRno1_Y3JciDk1S.exe (PID: 3320)
  - yg8Alx82UAwUCrrHahxPzfKu.exe (PID: 2668)
  - AppLaunch.exe (PID: 3428)
  - svchost.exe (PID: 6308)
- Reads the Windows owner or organization settings
  - is-84PI3.tmp (PID: 2076)
  - is-T4KH6.tmp (PID: 2516)
- Starts CMD.EXE for commands execution
  - 2JopeOHvjj3afHSIa7r5gDa6.exe (PID: 2488)
  - cmd.exe (PID: 3900)
  - 9B8IBFrZXYKntACrLSeBAh43.exe (PID: 2836)
  - forfiles.exe (PID: 624)
  - forfiles.exe (PID: 3620)
  - rugen.exe (PID: 3768)
  - cmd.exe (PID: 3816)
  - 67PPdKasO.exe (PID: 3224)
  - cmd.exe (PID: 2416)
  - AppLaunch.exe (PID: 100552)
  - RefSpacer628.exe (PID: 2884)
- Reads Microsoft Outlook installation path
  - RefSpacer628.exe (PID: 2884)
  - RefSpacer628.exe (PID: 3868)
- Reads browser cookies
  - S7RhRURGs3KPHuGxgOrpNPIN.exe (PID: 2952)
  - M2rHu6PLJiGFCgYJZ20mSH9z.exe (PID: 3044)
  - c9839320.exe (PID: 2240)
  - 8Bp1mWZEeDt712hNAOghU3Ku.exe (PID: 1756)
  - kwUOACjzHpsUAl82fEVZDne1.exe (PID: 3332)
  - AppLaunch.exe (PID: 3428)
  - IL3hGDrwAPRno1_Y3JciDk1S.exe (PID: 3320)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)_update
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
- Searches for installed software
  - S7RhRURGs3KPHuGxgOrpNPIN.exe (PID: 2952)
  - M2rHu6PLJiGFCgYJZ20mSH9z.exe (PID: 3044)
  - c9839320.exe (PID: 2240)
  - is-T4KH6.tmp (PID: 2516)
  - 8Bp1mWZEeDt712hNAOghU3Ku.exe (PID: 1756)
  - IL3hGDrwAPRno1_Y3JciDk1S.exe (PID: 3320)
  - kwUOACjzHpsUAl82fEVZDne1.exe (PID: 3332)
  - AppLaunch.exe (PID: 3428)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - 2JopeOHvjj3afHSIa7r5gDa6.exe (PID: 2488)
- Detected use of alternative data streams (AltDS)
  - svchost.exe (PID: 1824)
- Creates or modifies Windows services
  - svchost.exe (PID: 1824)
- Connects to SMTP port
  - svchost.exe (PID: 1824)
- The process checks if it is being run in the virtual environment
  - rundll32.exe (PID: 3548)
  - rundll32.exe (PID: 8544)
- Starts itself from another location
  - 8xrxUh0t_Vm2GeGqF_VbDtPD.exe (PID: 3640)
  - e8948402.exe (PID: 4016)
  - Restrict.pif (PID: 8980)
- Application launched itself
  - cmd.exe (PID: 3900)
  - cmd.exe (PID: 3816)
  - cmd.exe (PID: 2416)
  - a7YMofr3FcoPxRf8tFnJRu4E.exe (PID: 2924)
  - AppLaunch.exe (PID: 2420)
  - svchost.exe (PID: 1824)
  - Restrict.pif (PID: 40604)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 4064)
  - cmd.exe (PID: 3496)
- Get information on the list of running processes
  - cmd.exe (PID: 4064)
- Reads the BIOS version
  - Install.exe (PID: 3656)
- Found strings related to reading or modifying Windows Defender settings
  - forfiles.exe (PID: 3620)
  - forfiles.exe (PID: 624)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 3748)
  - cmd.exe (PID: 3508)
- Uses ICACLS.EXE to modify access control lists
  - cmd.exe (PID: 3816)
- Executing commands from a ".bat" file
  - 67PPdKasO.exe (PID: 3224)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 4064)
- Starts application with an unusual extension
  - cmd.exe (PID: 4064)
  - Restrict.pif (PID: 40604)
- Runs PING.EXE to delay simulation
  - cmd.exe (PID: 4064)
- The process executes via Task Scheduler
  - powershell.EXE (PID: 100936)
  - rugen.exe (PID: 6676)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 4216)
- BASE64 encoded PowerShell command has been detected
  - cmd.exe (PID: 3496)
- Base64-obfuscated command line is found
  - cmd.exe (PID: 3496)
- The process creates files with name similar to system file names
  - AppLaunch.exe (PID: 100552)
- Uses powercfg.exe to modify the power settings
  - cmd.exe (PID: 3496)
- Uses RUNDLL32.EXE to load library
  - rundll32.exe (PID: 3548)
- Drops the AutoIt3 executable file
  - Restrict.pif (PID: 8980)
INFO
- Checks supported languages
  - File.exe (PID: 2544)
  - 84NNfXBogAYSZLMMd_gRy_Bt.exe (PID: 3056)
  - 2JopeOHvjj3afHSIa7r5gDa6.exe (PID: 2488)
  - M2rHu6PLJiGFCgYJZ20mSH9z.exe (PID: 3044)
  - TTNWDp97WEQQb8UjiA93Tdzu.exe (PID: 2392)
  - 76La1iWAu7aEVbH8pjVTqB0i.exe (PID: 1864)
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
  - a7YMofr3FcoPxRf8tFnJRu4E.exe (PID: 2924)
  - x34mqdPHZOJJaR4PWoCpjZnh.exe (PID: 2932)
  - 0_7MNb1uVdQPQUexq9UQSRa7.exe (PID: 1032)
  - is-84PI3.tmp (PID: 2076)
  - S7RhRURGs3KPHuGxgOrpNPIN.exe (PID: 2952)
  - sGf8ey6Z2gVI_Kzbjdb35FKO.exe (PID: 2944)
  - v7192759.exe (PID: 3036)
  - v8483071.exe (PID: 1160)
  - v6153492.exe (PID: 116)
  - a3096516.exe (PID: 2208)
  - RefSpacer628.exe (PID: 2884)
  - mcyniayg.exe (PID: 684)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - b2549729.exe (PID: 2356)
  - P3DoLAorJ.exe (PID: 600)
  - k2Q2smosNKes8KOAv9NBGW7E.exe (PID: 2072)
  - c9839320.exe (PID: 2240)
  - NU7RFWfCwHaYhZoebwh1dFXs.exe (PID: 1748)
  - HhgTzu3oCDCVVd1ZvAoVe8Bi.exe (PID: 2332)
  - KcJ8gcftkIG3YD3mFcnxuwIB.exe (PID: 3032)
  - d4266130.exe (PID: 1704)
  - tMf94k5TSiq7XULwQAPNiazd.exe (PID: 2560)
  - 9B8IBFrZXYKntACrLSeBAh43.exe (PID: 2836)
  - kwUOACjzHpsUAl82fEVZDne1.exe (PID: 3332)
  - JtM3lUoeBjnEfSAujqAKV9lc.exe (PID: 3664)
  - is-T4KH6.tmp (PID: 2516)
  - 8Bp1mWZEeDt712hNAOghU3Ku.exe (PID: 1756)
  - yg8Alx82UAwUCrrHahxPzfKu.exe (PID: 2668)
  - 8xrxUh0t_Vm2GeGqF_VbDtPD.exe (PID: 3640)
  - IL3hGDrwAPRno1_Y3JciDk1S.exe (PID: 3320)
  - RefSpacer628.exe (PID: 3868)
  - Install.exe (PID: 3128)
  - Install.exe (PID: 3656)
  - e8948402.exe (PID: 4016)
  - rugen.exe (PID: 3768)
  - 67PPdKasO.exe (PID: 3224)
  - ebf05k6p8.exe (PID: 3944)
  - AppLaunch.exe (PID: 3428)
  - lx2aty.exe (PID: 3204)
  - AppLaunch.exe (PID: 2420)
  - a7YMofr3FcoPxRf8tFnJRu4E.exe (PID: 44420)
  - Restrict.pif (PID: 40604)
  - AppLaunch.exe (PID: 100552)
  - rugen.exe (PID: 6676)
  - Restrict.pif (PID: 8980)
  - jbruyer.exe (PID: 9956)
- Reads the computer name
  - File.exe (PID: 2544)
  - 76La1iWAu7aEVbH8pjVTqB0i.exe (PID: 1864)
  - 84NNfXBogAYSZLMMd_gRy_Bt.exe (PID: 3056)
  - a7YMofr3FcoPxRf8tFnJRu4E.exe (PID: 2924)
  - M2rHu6PLJiGFCgYJZ20mSH9z.exe (PID: 3044)
  - is-84PI3.tmp (PID: 2076)
  - sGf8ey6Z2gVI_Kzbjdb35FKO.exe (PID: 2944)
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
  - S7RhRURGs3KPHuGxgOrpNPIN.exe (PID: 2952)
  - x34mqdPHZOJJaR4PWoCpjZnh.exe (PID: 2932)
  - 2JopeOHvjj3afHSIa7r5gDa6.exe (PID: 2488)
  - a3096516.exe (PID: 2208)
  - RefSpacer628.exe (PID: 2884)
  - mcyniayg.exe (PID: 684)
  - b2549729.exe (PID: 2356)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - k2Q2smosNKes8KOAv9NBGW7E.exe (PID: 2072)
  - c9839320.exe (PID: 2240)
  - KcJ8gcftkIG3YD3mFcnxuwIB.exe (PID: 3032)
  - kwUOACjzHpsUAl82fEVZDne1.exe (PID: 3332)
  - tMf94k5TSiq7XULwQAPNiazd.exe (PID: 2560)
  - 9B8IBFrZXYKntACrLSeBAh43.exe (PID: 2836)
  - is-T4KH6.tmp (PID: 2516)
  - IL3hGDrwAPRno1_Y3JciDk1S.exe (PID: 3320)
  - 8Bp1mWZEeDt712hNAOghU3Ku.exe (PID: 1756)
  - HhgTzu3oCDCVVd1ZvAoVe8Bi.exe (PID: 2332)
  - yg8Alx82UAwUCrrHahxPzfKu.exe (PID: 2668)
  - JtM3lUoeBjnEfSAujqAKV9lc.exe (PID: 3664)
  - RefSpacer628.exe (PID: 3868)
  - Install.exe (PID: 3656)
  - e8948402.exe (PID: 4016)
  - rugen.exe (PID: 3768)
  - 67PPdKasO.exe (PID: 3224)
  - AppLaunch.exe (PID: 3428)
  - Restrict.pif (PID: 40604)
  - AppLaunch.exe (PID: 100552)
  - jbruyer.exe (PID: 9956)
  - Restrict.pif (PID: 8980)
- The process checks LSA protection
  - File.exe (PID: 2544)
  - 76La1iWAu7aEVbH8pjVTqB0i.exe (PID: 1864)
  - is-84PI3.tmp (PID: 2076)
  - M2rHu6PLJiGFCgYJZ20mSH9z.exe (PID: 3044)
  - 84NNfXBogAYSZLMMd_gRy_Bt.exe (PID: 3056)
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
  - S7RhRURGs3KPHuGxgOrpNPIN.exe (PID: 2952)
  - sGf8ey6Z2gVI_Kzbjdb35FKO.exe (PID: 2944)
  - x34mqdPHZOJJaR4PWoCpjZnh.exe (PID: 2932)
  - 2JopeOHvjj3afHSIa7r5gDa6.exe (PID: 2488)
  - netsh.exe (PID: 3004)
  - RefSpacer628.exe (PID: 2884)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - svchost.exe (PID: 1824)
  - k2Q2smosNKes8KOAv9NBGW7E.exe (PID: 2072)
  - c9839320.exe (PID: 2240)
  - tMf94k5TSiq7XULwQAPNiazd.exe (PID: 2560)
  - KcJ8gcftkIG3YD3mFcnxuwIB.exe (PID: 3032)
  - kwUOACjzHpsUAl82fEVZDne1.exe (PID: 3332)
  - is-T4KH6.tmp (PID: 2516)
  - control.exe (PID: 3708)
  - 8Bp1mWZEeDt712hNAOghU3Ku.exe (PID: 1756)
  - yg8Alx82UAwUCrrHahxPzfKu.exe (PID: 2668)
  - IL3hGDrwAPRno1_Y3JciDk1S.exe (PID: 3320)
  - HhgTzu3oCDCVVd1ZvAoVe8Bi.exe (PID: 2332)
  - JtM3lUoeBjnEfSAujqAKV9lc.exe (PID: 3664)
  - Install.exe (PID: 3656)
  - e8948402.exe (PID: 4016)
  - rugen.exe (PID: 3768)
  - 67PPdKasO.exe (PID: 3224)
  - AppLaunch.exe (PID: 3428)
  - a7YMofr3FcoPxRf8tFnJRu4E.exe (PID: 2924)
  - Restrict.pif (PID: 40604)
  - AppLaunch.exe (PID: 100552)
  - taskkill.exe (PID: 4856)
  - Restrict.pif (PID: 8980)
  - explorer.exe (PID: 1960)
  - jbruyer.exe (PID: 9956)
- Process checks computer location settings
  - File.exe (PID: 2544)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
- Creates files or folders in the user directory
  - File.exe (PID: 2544)
  - 76La1iWAu7aEVbH8pjVTqB0i.exe (PID: 1864)
  - S7RhRURGs3KPHuGxgOrpNPIN.exe (PID: 2952)
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
  - RefSpacer628.exe (PID: 2884)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - KcJ8gcftkIG3YD3mFcnxuwIB.exe (PID: 3032)
  - Restrict.pif (PID: 40604)
  - rugen.exe (PID: 3768)
- Reads the machine GUID from the registry
  - File.exe (PID: 2544)
  - 76La1iWAu7aEVbH8pjVTqB0i.exe (PID: 1864)
  - 84NNfXBogAYSZLMMd_gRy_Bt.exe (PID: 3056)
  - M2rHu6PLJiGFCgYJZ20mSH9z.exe (PID: 3044)
  - sGf8ey6Z2gVI_Kzbjdb35FKO.exe (PID: 2944)
  - S7RhRURGs3KPHuGxgOrpNPIN.exe (PID: 2952)
  - x34mqdPHZOJJaR4PWoCpjZnh.exe (PID: 2932)
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - RefSpacer628.exe (PID: 2884)
  - k2Q2smosNKes8KOAv9NBGW7E.exe (PID: 2072)
  - c9839320.exe (PID: 2240)
  - KcJ8gcftkIG3YD3mFcnxuwIB.exe (PID: 3032)
  - kwUOACjzHpsUAl82fEVZDne1.exe (PID: 3332)
  - 8Bp1mWZEeDt712hNAOghU3Ku.exe (PID: 1756)
  - yg8Alx82UAwUCrrHahxPzfKu.exe (PID: 2668)
  - HhgTzu3oCDCVVd1ZvAoVe8Bi.exe (PID: 2332)
  - IL3hGDrwAPRno1_Y3JciDk1S.exe (PID: 3320)
  - Install.exe (PID: 3656)
  - e8948402.exe (PID: 4016)
  - rugen.exe (PID: 3768)
  - AppLaunch.exe (PID: 3428)
  - a7YMofr3FcoPxRf8tFnJRu4E.exe (PID: 2924)
  - Restrict.pif (PID: 40604)
  - JtM3lUoeBjnEfSAujqAKV9lc.exe (PID: 3664)
  - AppLaunch.exe (PID: 100552)
  - jbruyer.exe (PID: 9956)
- Checks proxy server information
  - File.exe (PID: 2544)
  - 76La1iWAu7aEVbH8pjVTqB0i.exe (PID: 1864)
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
  - RefSpacer628.exe (PID: 2884)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - KcJ8gcftkIG3YD3mFcnxuwIB.exe (PID: 3032)
  - rugen.exe (PID: 3768)
  - Restrict.pif (PID: 40604)
- Create files in a temporary directory
  - TTNWDp97WEQQb8UjiA93Tdzu.exe (PID: 2392)
  - 2JopeOHvjj3afHSIa7r5gDa6.exe (PID: 2488)
  - is-84PI3.tmp (PID: 2076)
  - 0_7MNb1uVdQPQUexq9UQSRa7.exe (PID: 1032)
  - v7192759.exe (PID: 3036)
  - v8483071.exe (PID: 1160)
  - v6153492.exe (PID: 116)
  - S7RhRURGs3KPHuGxgOrpNPIN.exe (PID: 2952)
  - jmFvusbCB4U7RJdpoa9YwPqO.exe (PID: 616)
  - NU7RFWfCwHaYhZoebwh1dFXs.exe (PID: 1748)
  - is-T4KH6.tmp (PID: 2516)
  - 9B8IBFrZXYKntACrLSeBAh43.exe (PID: 2836)
  - tMf94k5TSiq7XULwQAPNiazd.exe (PID: 2560)
  - 8xrxUh0t_Vm2GeGqF_VbDtPD.exe (PID: 3640)
  - Install.exe (PID: 3128)
  - e8948402.exe (PID: 4016)
  - 67PPdKasO.exe (PID: 3224)
  - kwUOACjzHpsUAl82fEVZDne1.exe (PID: 3332)
  - AppLaunch.exe (PID: 100552)
  - Install.exe (PID: 3656)
  - Restrict.pif (PID: 8980)
- Creates files in the program directory
  - is-84PI3.tmp (PID: 2076)
  - G8Ke6lDpgrWAks8QyCWKap5R.exe (PID: 700)
  - is-T4KH6.tmp (PID: 2516)
  - AppLaunch.exe (PID: 100552)
- Application was dropped or rewritten from another process
  - is-84PI3.tmp (PID: 2076)
  - is-T4KH6.tmp (PID: 2516)
- Reads Environment values
  - M2rHu6PLJiGFCgYJZ20mSH9z.exe (PID: 3044)
  - S7RhRURGs3KPHuGxgOrpNPIN.exe (PID: 2952)
  - c9839320.exe (PID: 2240)
  - 8Bp1mWZEeDt712hNAOghU3Ku.exe (PID: 1756)
  - kwUOACjzHpsUAl82fEVZDne1.exe (PID: 3332)
  - IL3hGDrwAPRno1_Y3JciDk1S.exe (PID: 3320)
  - AppLaunch.exe (PID: 3428)
  - AppLaunch.exe (PID: 100552)
- Reads CPU info
  - S7RhRURGs3KPHuGxgOrpNPIN.exe (PID: 2952)
- Reads product name
  - S7RhRURGs3KPHuGxgOrpNPIN.exe (PID: 2952)
- The executable file from the user directory is run by the CMD process
  - ebf05k6p8.exe (PID: 3944)
  - lx2aty.exe (PID: 3204)
  - Restrict.pif (PID: 40604)
- Reads mouse settings
  - Restrict.pif (PID: 40604)
  - jbruyer.exe (PID: 9956)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

PrivateLoader

(PID) Process(2932) x34mqdPHZOJJaR4PWoCpjZnh.exe

C2 (7)http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

45.15.156.229

85.208.136.10

94.142.138.131

94.142.138.113

208.67.104.60

Attributes

Payload (36)https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1

https://vk.com/doc746114504_647280734?hash=Doz4iot4bg0WOvZC8ZMInERV5U1fmjrKZZhl7jf6wBE&dl=G42DMMJRGQ2TANA:1661413506:vGfIf9YivGqE9gd11wvm9KZLzv9DMwdM9Wp0LmcsAhz&api=1&no_preview=1

https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://193.56.146.76/Proxytest.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://privacy-tools-for-you-780.com/downloads/toolspab3.exe

http://luminati-china.xyz/aman/casper2.exe

https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe

http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe

https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp

http://185.215.113.208/ferrari.exe

https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp

https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp

https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp

http://mnbuiy.pw/adsli/note8876.exe

https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe

http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe

https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

https://iplogger.org/2BTmf7

https://iplogger.org/2BAmf7

https://iplogger.org/2BDmf7

https://iplogger.org/2BFmf7

https://iplogger.org/2s2pg6

https://iplogger.org/2s3pg6

https://iplogger.org/2s4pg6

https://iplogger.org/2s5pg6

https://iplogger.org/2s6pg6

https://iplogger.org/2s7pg6

Strings (822)Snowman+under_a_sn0wdrift_forgot_the_Snow_Maiden

iplogger.org/1nhuM4.js

SOFTWARE\LilFreske

Installed

SOFTWARE\LilFreskeUS

IsWow64Process

GetModuleHandleA

LoadLibraryA

SetPriorityClass

Sleep

GetTempPathA

CreateProcessA

GetFileAttributesA

CreateDirectoryA

CreateThread

CloseHandle

VirtualAlloc

VirtualFree

OpenProcess

TerminateProcess

GetUserGeoID

ntdll.dll

NtQuerySystemInformation

RtlGetVersion

Shell32.dll

ShellExecuteA

SHGetFolderPathA

Advapi32.dll

RegOpenKeyExA

RegSetValueExA

RegCloseKey

RegCreateKeyExA

RegDeleteKeyA

RegDeleteValueA

RegQueryValueExA

RegEnumKeyExA

ConvertSidToStringSidA

LookupAccountNameA

WINHTTP.dll

wininet.dll

GetComputerNameA

VerSetConditionMask

VerifyVersionInfoW

GetGeoInfoA

GetCurrentProcess

GetVersionExA

MultiByteToWideChar

WideCharToMultiByte

GetCurrentProcessId

CreateToolhelp32Snapshot

Process32First

Process32Next

Wow64DisableWow64FsRedirection

Wow64RevertWow64FsRedirection

User32.dll

CharToOemA

//Minor Policy

SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions

Exclusions_Extensions

SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions

SOFTWARE\Policies\Microsoft\Windows Defender

DisableAntiSpyware

DisableRoutinelyTakingAction

SOFTWARE\Policies\Microsoft\Windows\System

EnableSmartScreen

SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

DisableBehaviorMonitoring

DisableOnAccessProtection

DisableScanOnRealtimeEnable

DisableRealtimeMonitoring

DisableIOAVProtection

DisableRawWriteNotification

Windows Server 2016

Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 R2

Windows Server 2008

Windows Server

Windows 10

Windows 8.1

Windows 8

Windows 7

Windows Vista

Windows XP

(x64)

(x32)

explorer.exe

current

children

SOFTWARE\Classes\ms-settings\Shell\Open\command

DelegateExecute

\ComputerDefaults.exe

SOFTWARE\Classes

ms-settings\Shell\Open\command

ms-settings\Shell\Open

ms-settings\Shell

ms-settings

data=

/api/firegate.php

Error!

onlyType

ext_url

cfg_url

ipinfo.io/widget

country

company

Google LLC

db-ip.com

data-api-key="

/self

countryCode

organization

www.maxmind.com/geoip/v2.1/city/me

iso_code

traits

GetIP

api.ipgeolocation.io/ipgeo?include=hostname&ip=

country_code2

/api/tracemap.php

http://

15.5pnp.10.lock

Guest Profile

System Profile

\Google\Chrome\Application

(x86)\Google\Chrome\Application

SOFTWARE\Google\Chrome\BLBeacon

version

\resources.pak

SOFTWARE\Google\Chrome\PreferenceMACs

\Google\Chrome\User Data\

\Secure Preferences

filter_browsers

chrome

browser

use_open_browser

extensions

settings

install_time

\Extensions\

\u003C

protection

extensions.settings.

super_mac

chrome.exe

ChromeRegistryHashStoreValidationSeed

\extensions.settings

SOFTWARE\Google\Chrome\PreferenceMACs\

\chrome.exe

\Microsoft\Edge\Application

(x86)\Microsoft\Edge\Application

SOFTWARE\Microsoft\Edge\BLBeacon

SOFTWARE\Microsoft\Edge\PreferenceMACs

\Microsoft\Edge\User Data\

msedge.exe

SOFTWARE\Microsoft\Edge\PreferenceMACs\

\msedge.exe

\Roaming

\atomic

\Atomic Wallet

\com.liberty.jaxx

\Electrum

\Exodus

\MultiDoge

\Monero

\binance.chain

\Binance

\Metamask

\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec

\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp

\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec

\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa

\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh

\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn

\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca

\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn

\Local Extension Settings\fmblappgoiilbgafhjklehhfifbdocee

\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf

\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo

\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm

sorare.com

yobit.net

zb.com

binance.com

huobi.com

okex.com

hitbtc.com

bitfinex.com

kraken.com

bitstamp.net

payoneer.com

bittrex.com

bittrex.zendesk.com

gate.io

exmo.com

yobit.io

bitflyer.com

poloniex.com

kucoin.com

coinone.co.kr

localbitcoins.com

korbit.co.kr

cex.io

luno.com

bitkonan.com

jubi.com

koinex.in

koineks.com

kuna.io

koinim.com

kiwi-coin.com

leoxchange.com

lykke.com

localtrade.cc

magnr.com

lbank.info

itbit.com

gemini.com

gdax.com

gatehub.net

satoshitango.com

foxbit.com.br

flowbtc.com.br

exx.com

exrates.me

excambriorex.com

ezbtc.ca

infinitycoin.exchange

tdax.com

stex.com

vbtc.exchange

coinmarketcap.com

vwlpro.com

nocks.com

nlexch.com

novaexchange.com

mynxt.info

nzbcx.com

nevbit.com

mixcoins.com

mr.exchange

neraex.pro

dsx.uk

okcoin.com

liquid.com

quoine.com

quadrigacx.com

rightbtc.com

rippex.net

ripplefox.com

qryptos.com

ore.bz

openledger.info

omnidex.io

paribu.com

paymium.com

dcexchange.ru

dcexe.com

bitmex.com

funpay.ru

bitmaszyna.pl

bitonic.nl

bitpanda.com

bitsblockchain.net

bitmarket.net

bitlish.com

bitfex.trade

blockchain.com

blockchain.info

cryptofresh.com

btcmarkets.net

braziliex.com

btc-trade.com.ua

btc-alpha.com

bitspark.io

bitso.com

bittylicious.com

altcointrader.co.za

arenabitcoin.com

allcoin.com

796.com

abucoins.com

aidosmarket.com

bitcointrade.com

bitcointoyou.com

bitbanktrade.jp

big.one

bcex.ca

bitconnect.co

coinsbank.com

coinsecure.in

coinsquare.com

coinspot.io

coinsmarkets.com

crypto-bridge.org

dcex.com

dabtc.com

decentrex.com

deribit.com

dgtmarket.com

btcturk.com

btcxindia.com

bt.cx

bitstarcoin.com

coincheck.com

coinmate.io

coingi.com

coinnest.co.kr

coinrail.co.kr

coinpit.io

coingather.com

coinfloor.co.uk

coinegg.com

coincorner.com

coinexchange.io

pancakeswap.finance

coinbase.com

livecoin.net

mercatox.com

cryptobridge.freshdesk.com

volabit.com

tradeogre.com

bitkub.com

uphold.com

wallet.uphold.com

tidex.com

coinome.com

coinpayments.net

bitmax.io

bitbank.cc

independentreserve.com

bitmart.com

cryptopia.co.nz

cryptonator.com

advcash.com

my.dogechain.info

spectrocoin.com

exir.io

exir.tech

coinbene.com

bitforex.com

gopax.co.kr

catex.io

vindax.com

coineal.com

maicoin.com

finexbox.com

etherflyer.com

bx.in.th

bitopro.com

citex.co.kr

coinzo.com

atomars.com

coinfinit.com

bitker.com

dobitrade.com

btcexa.com

satowallet.com

cpdax.com

trade.io

btcnext.io

exmarkets.com

btc-exchange.com

chaoex.com

jex.com

therocktrading.com

gdac.com

southxchange.com

tokens.net

fexpro.net

btcbox.co.jp

coinmex.com

cryptology.com

cointiger.com

cashierest.com

coinbit.co.kr

mxc.com

bilaxy.com

coinall.com

coindeal.com

omgfin.com

oceanex.pro

bithumb.com

ftx.com

shortex.net

coin.z.com

fcoin.com

fatbtc.com

tokenize.exchange

simex.global

instantbitex.com

\Login Data

SOFTWARE\BraveSoftware\Brave-Browser\PreferenceMACs

\BraveSoftware\Brave-Browser\User Data\

SOFTWARE\CryptoTab Browser\PreferenceMACs

\CryptoTab Browser\User Data\

\Opera Software\Opera Stable

ascendex.com

crypto.com

coins.ph

coins.th

dogechain.info

miningpoolhub.com

/vpn/index.html

portal/webclient

remote/login

/vpn/tmindex.html

/LogonPoint/tmindex.html

XenApp1/auth/login.aspx

auth/silentDetection.aspx

/citrix/

/RDWeb/

/+CSCOE+/

/global-protect/

sslvpn.

/dana-na/

/my.policy

ncsecu.org

penfed.org

becu.org

schoolsfirstfcu.org

firsttechfed.com

golden1.com

alliantcreditunion.org

americafirst.com

suncoastcreditunion.com

secumd.org

safecu.org

missionfed.com

greendot.com

rbfcu.org

macu.com

dcu.org

ssfcu.org

bethpagefcu.com

starone.org

alaskausa.org

sdccu.com

aacreditunion.org

lmcu.org

teachersfcu.org

patelco.org

esl.org

onpointcu.com

logixbanking.com

psecu.com

deltacommunitycu.com

ent.com

cefcu.com

greenstate.org

unfcu.org

pffcu.org

wingsfinancial.com

iccu.comdesertfinancial.com

iccu.com

desertfinancial.com

hvfcu.org

wpcu.coop

redwoodcu.org

tcunet.com

wsecu.org

joviafinancial.com

coastal24.com

myeecu.org

gecreditunion.org

nymcu.org

affinityfcu.com

towerfcu.org

ccu.com

communityamerica.com

langleyfcu.org

credithuman.com

techcu.com

gecu.com

kfcu.org

applefcu.org

nasafcu.com

sfcu.org

genisyscu.org

unifyfcu.com

apcocu.org

firstcommunity.com

unitedfcu.com

fairwinds.org

ufcu.org

wescom.org

bcu.org

vacu.org

citadelbanking.com

servicecu.org

summitcreditunion.com

gesa.com

chevronfcu.org

traviscu.org

uwcu.org

communityfirstcu.org

ecu.org

sccu.com

bfsfcu.org

bellco.org

dfcufinancial.com

msufcu.org

members1st.org

landmarkcu.com

kinecta.org

midflorida.com

visionsfcu.org

veridiancu.org

statefarmfcu.com

tinkerfcu.org

sefcu.com

americanheritagecu.org

robinsfcu.org

canvas.org

growfinancial.org

truliantfcu.org

ascend.org

foundersfcu.com

calcoastcu.org

ucu.org

connexuscu.org

slfcu.org

numericacu.com

eecu.org

georgiasown.org

nusenda.org

tvacreditunion.com

pcu.org

msgcu.org

nuvisionfederal.com

trumarkonline.org

navigantcu.org

ornlfcu.com

jscfcu.org

lgfcu.org

elevationscu.com

gtefinancial.org

chartway.com

ecu.com

sdfcu.org

apcu.com

schools.org

metrocu.org

campuscu.com

adviacu.org

psfcu.com

andrewsfcu.org

eglinfcu.org

imcu.com

americaneagle.org

ttcu.com

vantagewest.org

empowerfcu.com

rfcu.com

capcomfcu.org

arizonafederal.org

csecreditunion.com

communityfirstfl.org

bayportcu.org

gwcu.org

wecu.com

stgeorge.com.au

imb.com.au

ing.com.au

bankofmelbourne.com.au

regionalaustraliabank.com

suncorp.com.au

regionalaustraliabank.com.au

bmo.com

cwbank.com

royalbank.com

vancity.com

servus.ca

coastcapitalsavings.com

alterna.ca

interiorsavings.com

synergycu.ca

mainstreetcu.ca

cu.com

fcu.com

robinhood.com

navyfederal.org

tboholidays.com

24x7rooms.com

adonis.com

abreuonline.com

almundo.com.ar

bonotel.com

bookohotel.com

didatravel.com

dotwconnect.com

eetglobal.com

escalabeds.com

fastpayhotels.com

getaroom.com

goglobal.travel

hoteldo.com.mx

hotelspro.com

jumbonline.com

kaluahtours.com

lci-euro.com

lotsofhotels.com

mikinet.co.uk

misterroom.com

nexustours.com

olympiaeurope.com

paximum.com

restel.es

rezserver.com

rezlive.com

sunhotels.com

totalstay.com

travco.co.uk

travellanda.com

smyrooms.com

welcomebeds.com

yalago.com

hotelbeds.com

mercadolibre.com.mx

hsbc.com.mx

bbvanetcash.mx

scotiabank.com.mx

santander.com.mx

bbva.mx

opensea.io

plantvsundead.com

axieinfinity.com

cryptocars.me

bombcrypto.io

cryptoplanes.me

cryptozoon.io

bankalhabib.com

correosprepago.es

orangebank.es

amazon.it

amazon.ca

amazon.de

amazon.com

netspend.com

online.citi.com

cloud.ibm.com

ca.ovh.com

account.alibabacloud.com

cloud.huawei.com

cloud.tencent.com

vultr.com

aws.amazon.com

portal.azure.com

digitalocean.com

console.scaleway.com

hetzner.com

linode.com

oracle.com

rackspace.com

phoenixnap.com

leaseweb.com

sso.ctl.io

ctl.io

lumen.com

paypal.com

WW_P_7

WW_P_8

https://

WW_P_

WW_P_1

links

ezstat.ru/1BfPg7

USA_1

iplis.ru/1BX4j7.png

iplis.ru/1BV4j7.mp4

USA_2

iplogger.org/1nkuM4.jpeg

iplis.ru/1BNhx7.mp3

iplis.ru/1pRXr7.txt

SetIncrement|ww_starts

false

iplis.ru/1S2Qs7.mp3

iplis.ru/1S3fd7.mp3

iplis.ru/17VHv7.mp3

iplis.ru/1GLDc7.mp3

iplis.ru/1xDsk7.mp3

iplis.ru/1xFsk7.mp3

WW_OPERA

iplis.ru/1GCuv7.pdf

iplis.ru/1lmex.mp3

iplis.ru/1Gemv7.mp3

WW_10

iplis.ru/1Gymv7.mp3

WW_11

iplis.ru/1tqHh7.mp3

WW_12

iplis.ru/1aFYp7.mp3

WW_13

iplis.ru/1cC8u7.mp3

WW_14

iplis.ru/1cN8u7.mp3

WW_15

iplis.ru/1kicy7.mp3

iplis.ru/1BMhx7.mp3

WW_16

iplis.ru/1edLy7.png

WW_17

iplis.ru/1nGPt7.png

WW_P_2

iplis.ru/1Bshv7.mp3

WW_P_3

iplis.ru/1Lgnh7.mp3

WW_P_4

iplis.ru/1vt8c7.mp3

WW_P_5

iplis.ru/1IcfD.mp3

WW_P_6

iplis.ru/1eXqs7.mp3

iplis.ru/1Unzy7.mp3

WW_18

iplis.ru/12hYs7.mp3

WW_19

iplis.ru/12d8d7.mp3

WW_20

iplis.ru/1Uvgu7.mp3

WW_21

iplis.ru/1jvTz7.mp3

browsers

Chrome:

Edge:

os_country_code

ip_country

AddExtensionStat|

net_country_code

https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1

https://vk.com/doc746114504_647280734?hash=Doz4iot4bg0WOvZC8ZMInERV5U1fmjrKZZhl7jf6wBE&dl=G42DMMJRGQ2TANA:1661413506:vGfIf9YivGqE9gd11wvm9KZLzv9DMwdM9Wp0LmcsAhz&api=1&no_preview=1

https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://193.56.146.76/Proxytest.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://91.241.19.125/pub.php?pub=one

http://privacy-tools-for-you-780.com/downloads/toolspab3.exe

http://luminati-china.xyz/aman/casper2.exe

https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe

http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe

https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp

http://185.215.113.208/ferrari.exe

https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp

https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp

https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp

http://mnbuiy.pw/adsli/note8876.exe

http://sarfoods.com/index.php

https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe

http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe

https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

https://iplogger.org/2BTmf7

https://iplogger.org/2BAmf7

https://iplogger.org/2BDmf7

https://iplogger.org/2BFmf7

https://iplogger.org/2s2pg6

https://iplogger.org/2s3pg6

https://iplogger.org/2s4pg6

https://iplogger.org/2s5pg6

https://iplogger.org/2s6pg6

https://iplogger.org/2s7pg6

crypto_wallets

domain

bank_wallets

cu_bank_wallets

shop_wallets

bank_au_wallets

amazon_eu

webhosts

paypal

bank_ca_wallets

browser_vbmt

GetCryptoSleeping

45.15.156.229

85.208.136.10

94.142.138.131

94.142.138.113

208.67.104.60

cryptoWallets

status

bankWallets

cuBankWallets

shops

bankAUWallets

bankCAWallets

cryptoWallets_part1

cryptoWallets_part2

bankWallets_part1

bankWallets_part2

bankMXWallets

cryptoGames

bankPKWallets

bankESWallets

SetLoaderAnalyze|

SetIncrement|not_elevated

WinHttpConnect

WinHttpQueryHeaders

WinHttpOpen

WinHttpOpenRequest

WinHttpQueryDataAvailable

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpReadData

WinHttpCloseHandle

WinHttpSetTimeouts

InternetOpenA

InternetSetOptionA

HttpOpenRequestA

InternetConnectA

InternetOpenUrlA

HttpQueryInfoA

InternetQueryOptionA

HttpSendRequestA

InternetReadFile

InternetCloseHandle

RedLine

(PID) Process(3056) 84NNfXBogAYSZLMMd_gRy_Bt.exe

C2 (1)135.125.27.228:39396

Botnet

Err_msgLogsDiller Cloud (Telegram: @logsdillabot)

Auth_valuec2955ed3813a798683a185a82e949f88

US (15)

net.tcp://

localhost

c2955ed3813a798683a185a82e949f88

Authorization

ns1

Hj0gXCkYLBcpAF0UIxxGECMNNF8gFw4IJjo+bg==

By5UAwZCOx4FFBEBDgwwLQwgalg3LiQdPykxIDM6CRwrPl5RGiwvHgdADRQ9FAUeDyI0AAxUAhk=

Simmering

This assembly is protected by an unregistered version of Eziriz's ".NET Reactor"! This assembly won't further work.

(PID) Process(2944) sGf8ey6Z2gVI_Kzbjdb35FKO.exe

C2 (1)157.254.164.98:28449

Botnetcloudcosmic

Err_msg

Auth_value9a0fce348964108b791b4f723efc89ea

US (12)

net.tcp://

localhost

9a0fce348964108b791b4f723efc89ea

Authorization

ns1

ATU7Rz8mKF86MHgZIB4iOS46E0UBCwlEPQgKUw==

FVMWAhcbMwQWQAIVDyM+cQ==

Lants

No Malware configuration.

Add for printing

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

206

Monitored processes

128

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

116

C:\Users\admin\AppData\Local\Temp\IXP002.TMP\v6153492.exe

v8483071.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Win32 Cabinet Self-Extractor

Exit code:

Version:

11.00.17763.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\ixp002.tmp\v6153492.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

128

C:\Windows\system32\RAServer.exe /offerraupdate

C:\Windows\System32\raserver.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Remote Assistance COM Server

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\raserver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

600

C:\Users\admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\P3DoLAorJ.exe

—

RefSpacer628.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\p3dolaorj.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

616

"C:\Windows\System32\sc.exe" start cxutzohb

C:\Windows\SysWOW64\sc.exe

—

2JopeOHvjj3afHSIa7r5gDa6.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\ntdll.dll
c:\windows\syswow64\sc.exe
c:\windows\system32\wow64.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\kernel32.dll

616

"C:\Users\admin\Documents\jmFvusbCB4U7RJdpoa9YwPqO.exe"

C:\Users\admin\Documents\jmFvusbCB4U7RJdpoa9YwPqO.exe

G8Ke6lDpgrWAks8QyCWKap5R.exe

User:

admin

Company:

N-able Take Control

Integrity Level:

HIGH

Description:

TCDirectChat

Exit code:

Version:

7.0.45.1145

Modules

Images
c:\users\admin\documents\jmfvusbcb4u7rjdpoa9ywpqo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

624

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

—

Install.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

ForFiles - Executes a command on selected files

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\forfiles.exe
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

684

C:\Windows\SysWOW64\cxutzohb\mcyniayg.exe /d"C:\Users\admin\Pictures\Minor Policy\2JopeOHvjj3afHSIa7r5gDa6.exe"

C:\Windows\SysWOW64\cxutzohb\mcyniayg.exe

—

services.exe

User:

SYSTEM

Integrity Level:

SYSTEM

Exit code:

Modules

Images
c:\windows\syswow64\cxutzohb\mcyniayg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

700

"C:\Users\admin\Pictures\Minor Policy\G8Ke6lDpgrWAks8QyCWKap5R.exe"

C:\Users\admin\Pictures\Minor Policy\G8Ke6lDpgrWAks8QyCWKap5R.exe

File.exe

User:

admin

Company:

N-able Take Control

Integrity Level:

HIGH

Description:

TCDirectChat

Exit code:

Version:

7.0.45.1145

Modules

Images
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll

1032

"C:\Users\admin\Pictures\Minor Policy\0_7MNb1uVdQPQUexq9UQSRa7.exe"

C:\Users\admin\Pictures\Minor Policy\0_7MNb1uVdQPQUexq9UQSRa7.exe

File.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\pictures\minor policy\0_7mnb1uvdqpquexq9uqsra7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1160

C:\Users\admin\AppData\Local\Temp\IXP001.TMP\v8483071.exe

v7192759.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Win32 Cabinet Self-Extractor

Exit code:

Version:

11.00.17763.1 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\ixp001.tmp\v8483071.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll

Add for printing

Total events

35 457

Read events

34 237

Write events

1 126

Delete events

Modification events


(PID) Process:	(1960) explorer.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(1960) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB0100000040131FD0E0B45449B5325CF35709B45A0000000002000000000010660000000100002000000097BA847E5D0827CAFBC4D33F7B8AFE8834428DFEF065FA018D8CAB90C5710B0A000000000E8000000002000020000000703BDF28CF4D9DFCAB7DDC229F11B838657F02A563D675B7BA5A582848A73F4F300000008091631BBFD318C1A67DDE62193EF5F65F823DF6F3FB12C344A857963FC714699639A04F9F66927C69CA8E9AC61E02154000000007CED62AF9113E09870DE72EB5744E2CBFDC316C2CF8607885EA5CBB68D61BE0CFB49EE1C4CAF8F2769692B62252F8AB0F88C1F92875F93F72FE70BCC896EFE4
(PID) Process:	(2580) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(1960) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:	write	Name:	{6Q809377-6NS0-444O-8957-N3773S02200R}\JvaENE\JvaENE.rkr
Value: 000000000B000000050000001E9A0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF30D9B8CEF2F1D80100000000
(PID) Process:	(1960) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:	write	Name:	HRZR_PGYFRFFVBA
Value: 0000000091000000940000006A524C00110000000300000071B504007B00310041004300310034004500370037002D0030003200450037002D0034004500350044002D0042003700340034002D003200450042003100410045003500310039003800420037007D005C0063006D0064002E006500780065000000D3FDFE0700000000000000000000F012D2020000000000000000000000000000000000000000F012D2020000000012C2D2FDFE070000010000000000000000000000000000000000000000000000F012D20200000000000000000000000000000000000000000000000000000000DCD9D3FDFE0700000000000000000000568ED3FDFE07000005000000000000000000000000000000F012D20200000000C9AAD2FDFE07000000000000000000000500000000000000000000000000000000000000000000000100000000000000C3AAD3FDFE070000F012D202000000000500000000000000010000000000000001000000FFFFFFFF00000000000000000000000000000000000000001C000000010000000000000001000000FFFFFFFF0C18D202000000002C18D202000000000000000000000000010000000600000071D8D3FDFE070000F0E676030000000000000000000000000500000000000000F012D20200000000F012D2020000000063B3D2FDFE07000001000000000000000000000000000000000000000000000005000000FE0700004413D20200000000D017D202000000008014D202100000001B000000C95F05007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E00650078006500000000000000FE221EFEFE07000060000100000000008202000000000000820200000000000001FFFFFF000000006A00A603000000008C00A60300000000B8ACA6030000000050DFE3020000000000010001010000000001E302000000004CE2E3020000000094DFE302000000000000000009090900090909090009111100000000000000008202000000000000820200000000000001000000000000008202000000000000DB9B5A77000000006000010000000000000000000000000000000000000000000000000000000000110000000300000071B504007B00310041004300310034004500370037002D0030003200450037002D0034004500350044002D0042003700340034002D003200450042003100410045003500310039003800420037007D005C0063006D0064002E006500780065000000D3FDFE0700000000000000000000F012D2020000000000000000000000000000000000000000F012D2020000000012C2D2FDFE070000010000000000000000000000000000000000000000000000F012D2020000000000000000000000000000000000000000000000000000000013000000A80916007B00310041004300310034004500370037002D0030003200450037002D0034004500350044002D0042003700340034002D003200450042003100410045003500310039003800420037007D005C007400610073006B006D00670072002E006500780065000000008000000000542D3EFFFE07000000000000000000006800690200000000580001000000000000000000000000000000290000000000EB1ABB7700000000680069020000000000000000FE070000282547FFFE070000B0EA330000000000180069020000000000000000000000000100000000000000BF1D3EFFFE07000090DEF3020000000070C936000000000000000000000000003B94B5FDFE070000E00736000000000008006902000000005800010000000000869AA977000000000814FEDA97F1000082020000000000000000000000000000580001000000000000000000000000008202000000000000020000000000000058000100000000000000000000000000820200000000000080A671FF00000000C81263FF00000000E00736000000000001000000000000000F0000C000000000941AC90200000000820200000000000001000000000000008202000000000000DB9BA977000000005800010000000000000000000000000000000000000000000100000000000000000000000000000081020000000000000000000000000000000000000000000000000000
(PID) Process:	(2580) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:	(2580) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\Win7AndW2K8R2-KB3191566-x64.zip
(PID) Process:	(2580) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process:	(2580) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2580) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80

Add for printing

Executable files

Suspicious files

Text files

341

Unknown types

Dropped files

PID	Process	Filename		Type
2580	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2580.23183\File.exe		—
		MD5:—	SHA256:—
2544	File.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\J06UCEIP.txt		text
		MD5:2080ACA3D8E39A477F0A75B1525EEEDD	SHA256:F2D7069BED2035ECCECBAE50DC64BC9F9FF45B4D055FF423D8CF89FC309EB510
2544	File.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\setup[1].exe		executable
		MD5:2B046520B577691511FD925ED9F00624	SHA256:B9703314498FA31879F4FCBC532361E13C2E5CE8DB8C3E90EE29340036C088C0
2544	File.exe	C:\Windows\System32\GroupPolicy\Machine\Registry.pol		binary
		MD5:CDFD60E717A44C2349B553E011958B85	SHA256:0EE08DA4DA3E4133E1809099FC646468E7156644C9A772F704B80E338015211F
2544	File.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\2[1].exe		executable
		MD5:2EFB4C902EBBC6B351954EBBDD7F13B9	SHA256:8302C7AD199E5BA118A309E5304970362EF1087C53612B4D3FA300822926E36E
2544	File.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\F433SGDE.txt		text
		MD5:FCF7470BF6185427622A1DB55805EAAC	SHA256:D1D733BF957BF5EE6D9CAEA35FBF5F9AD5870FA619CB5DF93E1B05BE8F89A443
2544	File.exe	C:\Users\admin\Pictures\Minor Policy\oQAQe7wE61HNek19Ntr3LPgr.exe		html
		MD5:7A6364A82A2DE55DFFB7126319D1BA21	SHA256:F1F9CAA274DC42C373320AEC93F6A6724C9C719E82480DA9EEC6A8BCCF7476C3
2544	File.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\Service32[1].exe		executable
		MD5:831F2A5B64F7C7193B2D54777DCF3C14	SHA256:7A650B7AF16721E46686633A253C967184414183A7D2BE0CB64978E4D8880BA6
2544	File.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HQYU0XHJ\WWW1[1].bmp		—
		MD5:—	SHA256:—
2544	File.exe	C:\Users\admin\Pictures\Minor Policy\x34mqdPHZOJJaR4PWoCpjZnh.exe		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

345

DNS requests

Threats

225

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2544	File.exe	HEAD	200	163.123.143.4:80	http://163.123.143.4/download/Service32.exe	unknown	—	—	malicious
2544	File.exe	HEAD	—	176.113.115.239:80	http://176.113.115.239:8080/4.php	RU	—	—	suspicious
2544	File.exe	GET	—	45.12.253.74:80	http://45.12.253.74/pineapple.php?pub=mixinte	BG	—	—	malicious
2544	File.exe	HEAD	200	83.97.73.134:80	http://83.97.73.134/gallery/photo085.exe	unknown	—	—	malicious
2544	File.exe	HEAD	200	45.12.253.74:80	http://45.12.253.74/pineapple.php?pub=mixinte	BG	—	—	malicious
2544	File.exe	GET	—	156.236.72.121:80	http://zzz.fhauiehgha.com/m/okka25.exe	US	—	—	malicious
2544	File.exe	HEAD	200	45.9.74.6:80	http://45.9.74.6/2.exe	SC	—	—	malicious
2544	File.exe	GET	—	163.123.143.4:80	http://163.123.143.4/download/Service32.exe	unknown	—	—	malicious
2544	File.exe	GET	—	176.113.115.239:8080	http://176.113.115.239:8080/4.php	RU	—	—	suspicious
2544	File.exe	GET	—	83.97.73.134:80	http://83.97.73.134/gallery/photo085.exe	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2544	File.exe	131.255.7.10:80	callusoyasociados.com.ar	InterBS S.R.L. BAEHOST	AR	suspicious
4	System	192.168.100.255:137	—	—	—	whitelisted
328	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2544	File.exe	94.142.138.131:80	—	Network Management Ltd	RU	malicious
2544	File.exe	104.26.8.59:443	api.myip.com	CLOUDFLARENET	US	suspicious
2544	File.exe	87.240.129.133:80	vk.com	VKontakte Ltd	RU	malicious
2544	File.exe	34.117.59.81:443	ipinfo.io	GOOGLE-CLOUD-PLATFORM	US	whitelisted
2544	File.exe	87.240.129.133:443	vk.com	VKontakte Ltd	RU	malicious
2544	File.exe	87.240.132.72:443	vk.com	VKontakte Ltd	RU	suspicious
2544	File.exe	87.240.137.164:80	vk.com	VKontakte Ltd	RU	suspicious

DNS requests

Domain	IP	Reputation
api.myip.com	104.26.8.59 172.67.75.163 104.26.9.59	suspicious
ipinfo.io	34.117.59.81	shared
teredo.ipv6.microsoft.com	—	whitelisted
vk.com	87.240.129.133 87.240.132.72 87.240.137.164 87.240.132.67 93.186.225.194 87.240.132.78	whitelisted
dns.msftncsi.com	131.107.255.255	shared
zzz.fhauiehgha.com	156.236.72.121	malicious
hugersi.com	91.215.85.147	suspicious
traffic-to.site	104.21.29.16 172.67.171.62	unknown
bitbucket.org	104.192.141.1	shared
callusoyasociados.com.ar	131.255.7.10	unknown

Threats

PID	Process	Class	Message
2544	File.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
2544	File.exe	Malware Command and Control Activity Detected	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
2544	File.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
2544	File.exe	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
2544	File.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2544	File.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2544	File.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2544	File.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
2544	File.exe	Misc activity	ET INFO EXE - Served Attached HTTP
2544	File.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

21 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

File_pass1234.7z

3C2AF2430010E312D337D776CCF090B4

E44D3E1A90D427AE5C18FDE94DD3A9F280FDE3B3

F8258E5F0B1154BD3DF426661F578AF3CDB52E7A77030C6549A8D1CC5541A9C1

98304:J/u1EAMekXkRZf0CExiEDua0eYacrWFuacM9ovT3Gj0fzBraemIHBOj6VDXXCxPr:JGSbfGZfoIEKa0evciUM9q/NZHBOMDXy

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

PRIVATELOADER was detected

Connects to the CnC server

Creates a writable file the system directory

Actions looks like stealing of personal data

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Steals credentials

Steals credentials from Web Browsers

REDLINE was detected

Disables Windows Defender

Uses Task Scheduler to autorun other applications

Uses Task Scheduler to run other applications

Changes the Windows auto-update feature

FABOOKIE was detected

TOFSEE was detected

GCLEANER was detected

PRIVATELOADER detected by memory dumps

REDLINE detected by memory dumps

Runs injected code in another process

Application was injected by another process

Changes the autorun value in the registry

AMADEY was detected

Run PowerShell with an invisible window

Starts CMD.EXE for self-deleting

MINER was detected

SMOKE was detected

SUSPICIOUS

Connects to the server without a host name

Checks for external IP

Adds/modifies Windows certificates

Executes as Windows Service

Reads the Internet Settings

Reads settings of System Certificates

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Process requests binary or script from the Internet

Executable content was dropped or overwritten

Connects to unusual port

Reads the Windows owner or organization settings

Starts CMD.EXE for commands execution

Reads Microsoft Outlook installation path

Reads browser cookies

Process communicates with Telegram (possibly using it as an attacker's C2 server)_update

Searches for installed software

Uses NETSH.EXE to add a firewall rule or allowed programs

Detected use of alternative data streams (AltDS)

Creates or modifies Windows services

Connects to SMTP port

The process checks if it is being run in the virtual environment

Starts itself from another location

Application launched itself

Starts POWERSHELL.EXE for commands execution

Get information on the list of running processes

Reads the BIOS version

Found strings related to reading or modifying Windows Defender settings

Uses REG/REGEDIT.EXE to modify registry

Uses ICACLS.EXE to modify access control lists

Executing commands from a ".bat" file

Using 'findstr.exe' to search for text patterns in files and output

Starts application with an unusual extension

Runs PING.EXE to delay simulation

The process executes via Task Scheduler

Uses TASKKILL.EXE to kill process

BASE64 encoded PowerShell command has been detected

Base64-obfuscated command line is found

The process creates files with name similar to system file names

Uses powercfg.exe to modify the power settings

Uses RUNDLL32.EXE to load library

Drops the AutoIt3 executable file