Malware analysis appFile.exe Malicious activity | ANY.RUN

Add for printing

File name:	appFile.exe
Full analysis:	https://app.any.run/tasks/bdc63106-0032-49f0-9059-b32863d71d52
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 08, 2024, 15:05:51
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	privateloader evasion stealer discord loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	24E36F44FEC4755F66C5F852FEB45B92
SHA1:	8C84E207DB3C3285E2E545E42543251ABAE411B0
SHA256:	FE89D20B6821C597A077DFEF6CDE510EABC11E2CEEFEF2795C7474160D05C5AD
SSDEEP:	98304:JlLgStou+raAejpn3ZVvR97QAZP69EV1b2vs5DDDLnSgBDBW7PoV4M+NYC9eiIiv:CuUw1eQtisE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- PRIVATELOADER has been detected (SURICATA)
  - appFile.exe (PID: 6356)
- Connects to the CnC server
  - appFile.exe (PID: 6356)
- PRIVATELOADER has been detected (YARA)
  - appFile.exe (PID: 6356)
- Actions looks like stealing of personal data
  - appFile.exe (PID: 6356)
SUSPICIOUS
- Drops the executable file immediately after the start
  - appFile.exe (PID: 6356)
- Checks for external IP
  - svchost.exe (PID: 2256)
  - appFile.exe (PID: 6356)
- Connects to the server without a host name
  - appFile.exe (PID: 6356)
- Reads security settings of Internet Explorer
  - appFile.exe (PID: 6356)
- Checks Windows Trust Settings
  - appFile.exe (PID: 6356)
- Process requests binary or script from the Internet
  - appFile.exe (PID: 6356)
- Potential Corporate Privacy Violation
  - appFile.exe (PID: 6356)
- Executable content was dropped or overwritten
  - appFile.exe (PID: 6356)
INFO
- Checks supported languages
  - appFile.exe (PID: 6356)
- Reads the computer name
  - appFile.exe (PID: 6356)
- Reads the software policy settings
  - appFile.exe (PID: 6356)
- Process checks computer location settings
  - appFile.exe (PID: 6356)
- Reads the machine GUID from the registry
  - appFile.exe (PID: 6356)
- Checks proxy server information
  - appFile.exe (PID: 6356)
- Creates files or folders in the user directory
  - appFile.exe (PID: 6356)
- Attempting to use instant messaging service
  - svchost.exe (PID: 2256)
  - appFile.exe (PID: 6356)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2024:08:08 12:23:14+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.39
CodeSize:	1167872
InitializedDataSize:	1047040
UninitializedDataSize:	-
EntryPoint:	0x7bd885
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	2024.2.2.25170
ProductVersionNumber:	2024.2.2.25170
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:	Foxit Software Inc.
FileDescription:	Foxit PDF Reader Setup
FileVersion:	2024.2.2.25170
LegalCopyright:	Copyright © 2004-2024 Foxit Software Inc. All Rights Reserved.
ProductName:	Foxit PDF Reader Setup
ProductVersion:	2024.2.2.25170

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

135

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2256

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

6304

"C:\Users\admin\AppData\Local\Temp\appFile.exe"

C:\Users\admin\AppData\Local\Temp\appFile.exe

—

explorer.exe

User:

admin

Company:

Foxit Software Inc.

Integrity Level:

MEDIUM

Description:

Foxit PDF Reader Setup

Exit code:

3221226540

Version:

2024.2.2.25170

Modules

Images
c:\users\admin\appdata\local\temp\appfile.exe
c:\windows\system32\ntdll.dll

6356

"C:\Users\admin\AppData\Local\Temp\appFile.exe"

C:\Users\admin\AppData\Local\Temp\appFile.exe

explorer.exe

User:

admin

Company:

Foxit Software Inc.

Integrity Level:

HIGH

Description:

Foxit PDF Reader Setup

Version:

2024.2.2.25170

Modules

Images
c:\users\admin\appdata\local\temp\appfile.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

Add for printing

Total events

1 386

Read events

1 375

Write events

Delete events

Modification events


(PID) Process:	(6356) appFile.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6356) appFile.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6356) appFile.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6356) appFile.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6356) appFile.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6356) appFile.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6356) appFile.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6356	appFile.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27		binary
		MD5:790CECCFA139D7B4BBFA4B5D1E2F40E6	SHA256:A9FFE906F5EB6AFE3851406750764C445E35FAA41DDCBA5554E2B60B792C20D9
6356	appFile.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8		der
		MD5:971C514F84BBA0785F80AA1C23EDFD79	SHA256:F157ED17FCAF8837FA82F8B69973848C9B10A02636848F995698212A08F31895
6356	appFile.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12		der
		MD5:7FB5FA1534DCF77F2125B2403B30A0EE	SHA256:33A39E9EC2133230533A686EC43760026E014A3828C703707ACBC150FE40FD6F
6356	appFile.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12		binary
		MD5:B0A1D2697300326A1040FA75217ECA41	SHA256:E4CE34D746678B1E6C0315796499141248D428F6A70C4278A355BE9AF160DCA9
6356	appFile.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8		binary
		MD5:9D97F747F5E598E7C2A0C5177BAAF6D8	SHA256:0E071CE8A703F0957FE0591EFB1CB8360D031D2824A843726280A66B243C6BE1
6356	appFile.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751		binary
		MD5:3DFCA46E00FFA4795C72A41375F159D3	SHA256:DCBA1A505396539BAC40A7253C9F5DCCF06CBB79957E21D56305E1FC3AF5F40E
6356	appFile.exe	C:\Users\admin\Documents\piratemamm\McD5YdM4gVbxz_4gzh3nNu2A.exe		executable
		MD5:9B43256A33142E469ADBE046A1552781	SHA256:ECE19F874768EA52EBE95047C61508402DEC21104CA6A5857C09C1F990EC983E
6356	appFile.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\66b4b10e9ef0b_stealc_default[1].exe		executable
		MD5:9B43256A33142E469ADBE046A1552781	SHA256:ECE19F874768EA52EBE95047C61508402DEC21104CA6A5857C09C1F990EC983E
6356	appFile.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\file[1].exe		executable
		MD5:F3F3BDFD954D90F103C1325AE009D815	SHA256:BD535CD18038CAE0BE82E74E3541AA05249B50D1CD4D60B6B13C84568BD82DB0
6356	appFile.exe	C:\Users\admin\Documents\piratemamm\bdUrVoLTXdBMOFLE6ZI9iEZm.exe		executable
		MD5:F3F3BDFD954D90F103C1325AE009D815	SHA256:BD535CD18038CAE0BE82E74E3541AA05249B50D1CD4D60B6B13C84568BD82DB0

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2608	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6356	appFile.exe	POST	200	147.45.47.57:80	http://147.45.47.57/api/twofish.php	unknown	—	—	unknown
6356	appFile.exe	HEAD	200	147.45.44.104:80	http://147.45.44.104/prog/66b382f122c02_stk.exe	unknown	—	—	unknown
6776	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6356	appFile.exe	HEAD	200	185.215.113.16:80	http://185.215.113.16/games/nino.exe	unknown	—	—	suspicious
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6356	appFile.exe	GET	200	147.45.47.57:80	http://147.45.47.57/api/crazyfish.php	unknown	—	—	suspicious
6356	appFile.exe	HEAD	200	147.45.44.104:80	http://147.45.44.104/prog/66b4b10e9ef0b_stealc_default.exe	unknown	—	—	malicious
6356	appFile.exe	HEAD	302	194.58.114.223:80	http://194.58.114.223/d/525403	unknown	—	—	unknown
6356	appFile.exe	HEAD	200	147.45.44.104:80	http://147.45.44.104/prog/66b45c742e0a1_123p.exe	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4080	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5408	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6356	appFile.exe	147.45.47.57:80	—	OOO FREEnet Group	RU	unknown
6356	appFile.exe	104.26.9.59:443	api.myip.com	CLOUDFLARENET	US	unknown
6356	appFile.exe	34.117.59.81:443	ipinfo.io	GOOGLE-CLOUD-PLATFORM	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5336	SearchApp.exe	104.126.37.155:443	www.bing.com	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.185.110	whitelisted
api.myip.com	104.26.9.59 104.26.8.59 172.67.75.163	whitelisted
ipinfo.io	34.117.59.81	shared
www.bing.com	104.126.37.155 104.126.37.186 104.126.37.146 104.126.37.130 104.126.37.145 104.126.37.154 104.126.37.144 104.126.37.139 104.126.37.128	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
login.live.com	20.190.159.2 20.190.159.23 20.190.159.64 40.126.31.69 20.190.159.4 40.126.31.73 40.126.31.67 40.126.31.71	whitelisted
th.bing.com	104.126.37.161 104.126.37.130 104.126.37.139 104.126.37.186 104.126.37.177 104.126.37.128 104.126.37.162 104.126.37.146 104.126.37.144	whitelisted
fd.api.iris.microsoft.com	20.199.58.43	whitelisted

Threats

PID	Process	Class	Message
6356	appFile.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 23
6356	appFile.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
6356	appFile.exe	A Network Trojan was detected	ET MALWARE PrivateLoader CnC Activity (GET)
6356	appFile.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
6356	appFile.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
2256	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
6356	appFile.exe	Misc activity	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
6356	appFile.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
6356	appFile.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
6356	appFile.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host

Add for printing

No debug info

General Info

appFile.exe

24E36F44FEC4755F66C5F852FEB45B92

8C84E207DB3C3285E2E545E42543251ABAE411B0

FE89D20B6821C597A077DFEF6CDE510EABC11E2CEEFEF2795C7474160D05C5AD

98304:JlLgStou+raAejpn3ZVvR97QAZP69EV1b2vs5DDDLnSgBDBW7PoV4M+NYC9eiIiv:CuUw1eQtisE

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

PRIVATELOADER has been detected (SURICATA)

Connects to the CnC server

PRIVATELOADER has been detected (YARA)

Actions looks like stealing of personal data

SUSPICIOUS

Drops the executable file immediately after the start

Checks for external IP

Connects to the server without a host name

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Process requests binary or script from the Internet

Potential Corporate Privacy Violation

Executable content was dropped or overwritten

INFO

Checks supported languages

Reads the computer name

Reads the software policy settings

Process checks computer location settings

Reads the machine GUID from the registry

Checks proxy server information

Creates files or folders in the user directory

Attempting to use instant messaging service

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings