Malware analysis Solona SmartFlasher.exe Malicious activity

Add for printing

File name:	Solona SmartFlasher.exe
Full analysis:	https://app.any.run/tasks/ccfc5775-0268-49cc-9236-837b1dcdaa5c
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 13, 2025, 09:59:55
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	diamotrix clipper amadey botnet stealer python auto generic svc redline crypto-regex arch-doc rust rdp
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	1016FE557FBB851640F9B4D38D9B5E1A
SHA1:	046936E004FED67E00794DB7367D50CABF0BB19C
SHA256:	00B9BA96389CB9BFCBA784CF183A8B6C20A22EB7B0ACD14ACDD7CCF4AFB8290E
SSDEEP:	98304:WxDIja11XToYHSNraIRMgRBiicYhCzirVcOvUWellrZJkzvCxkSZyoDH6gER9fZz:zn2dd2hj+0KCFboh11kYF2W0iTg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- DIAMOTRIX mutex has been found
  - gfgdfxwx.exe (PID: 6900)
  - gfgdfxwx.exe (PID: 1700)
- SVC has been found (auto)
  - Solona SmartFlasher.exe (PID: 6128)
- GENERIC has been found (auto)
  - Solona SmartFlasher.exe (PID: 6128)
- AMADEY has been found (auto)
  - Solona SmartFlasher.exe (PID: 6128)
  - dfssdfxx.exe (PID: 7164)
- Loads dropped or rewritten executable
  - cxvezrfde.exe (PID: 1752)
  - cxvezrfde.exe (PID: 2552)
  - powershell.exe (PID: 3844)
  - regsvr32.exe (PID: 5020)
  - Solona SmartFlasher.exe (PID: 6128)
  - conhost.exe (PID: 2632)
  - gfgdfxwx.exe (PID: 6900)
  - Solona SmartFlasher.exe (PID: 4236)
  - WmiPrvSE.exe (PID: 3608)
  - powershell.exe (PID: 2864)
  - conhost.exe (PID: 2160)
  - cxvezrfde.exe (PID: 3196)
  - gfgdfxwx.exe (PID: 1700)
  - wxcvxverd.exe (PID: 6620)
  - regsvr32.exe (PID: 3884)
  - cvcxxxx.exe (PID: 3752)
  - cvcxxxx.exe (PID: 6664)
  - wxcvxverd.exe (PID: 1148)
  - cxvezrfde.exe (PID: 3820)
  - MusNotificationUx.exe (PID: 4012)
  - MusNotifyIcon.exe (PID: 1896)
  - taskhostw.exe (PID: 420)
  - SIHClient.exe (PID: 984)
  - slui.exe (PID: 1488)
- Registers / Runs the DLL via REGSVR32.EXE
  - bvcbghgf.tmp (PID: 3732)
  - bvcbghgf.tmp (PID: 7076)
- AMADEY has been detected (SURICATA)
  - nudwee.exe (PID: 888)
- Changes the autorun value in the registry
  - gfgdfxwx.exe (PID: 6900)
- Actions looks like stealing of personal data
  - cvcxxxx.exe (PID: 3752)
- Runs injected code in another process
  - regsvr32.exe (PID: 5020)
- Application was injected by another process
  - explorer.exe (PID: 4772)
- AMADEY has been detected (YARA)
  - nudwee.exe (PID: 888)
- Connects to the CnC server
  - cvcxxxx.exe (PID: 3752)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Solona SmartFlasher.exe (PID: 6128)
  - bvcbghgf.exe (PID: 7060)
  - gfgdfxwx.exe (PID: 6900)
  - cxvezrfde.exe (PID: 2552)
  - bvcbghgf.tmp (PID: 6732)
  - bvcbghgf.tmp (PID: 3732)
  - dfssdfxx.exe (PID: 7164)
  - bvcbghgf.exe (PID: 3780)
  - bvcbghgf.tmp (PID: 3888)
  - cxvezrfde.exe (PID: 3196)
  - bvcbghgf.exe (PID: 7056)
  - bvcbghgf.exe (PID: 2764)
  - bvcbghgf.tmp (PID: 7076)
- Reads the date of Windows installation
  - Solona SmartFlasher.exe (PID: 6128)
  - Solona SmartFlasher.exe (PID: 4236)
- Process drops python dynamic module
  - cxvezrfde.exe (PID: 2552)
  - cxvezrfde.exe (PID: 3196)
- Process drops legitimate windows executable
  - gfgdfxwx.exe (PID: 6900)
  - cxvezrfde.exe (PID: 2552)
  - Solona SmartFlasher.exe (PID: 6128)
  - bvcbghgf.tmp (PID: 6732)
  - bvcbghgf.tmp (PID: 3732)
  - cxvezrfde.exe (PID: 3196)
  - bvcbghgf.tmp (PID: 7076)
  - bvcbghgf.tmp (PID: 3888)
- Reads security settings of Internet Explorer
  - Solona SmartFlasher.exe (PID: 6128)
  - bvcbghgf.tmp (PID: 6732)
  - dfssdfxx.exe (PID: 7164)
  - nudwee.exe (PID: 888)
  - Solona SmartFlasher.exe (PID: 4236)
  - bvcbghgf.tmp (PID: 3888)
  - cvcxxxx.exe (PID: 3752)
- The process drops C-runtime libraries
  - cxvezrfde.exe (PID: 2552)
  - cxvezrfde.exe (PID: 3196)
- Reads the Windows owner or organization settings
  - bvcbghgf.tmp (PID: 6732)
  - bvcbghgf.tmp (PID: 3732)
  - bvcbghgf.tmp (PID: 3888)
  - bvcbghgf.tmp (PID: 7076)
- Application launched itself
  - cxvezrfde.exe (PID: 2552)
  - cxvezrfde.exe (PID: 3196)
- Loads Python modules
  - cxvezrfde.exe (PID: 1752)
  - cxvezrfde.exe (PID: 3820)
- Starts itself from another location
  - dfssdfxx.exe (PID: 7164)
- Starts POWERSHELL.EXE for commands execution
  - regsvr32.exe (PID: 5020)
- Contacting a server suspected of hosting an CnC
  - nudwee.exe (PID: 888)
  - cvcxxxx.exe (PID: 3752)
- The process bypasses the loading of PowerShell profile settings
  - regsvr32.exe (PID: 5020)
- The process hide an interactive prompt from the user
  - regsvr32.exe (PID: 5020)
- Connects to the server without a host name
  - nudwee.exe (PID: 888)
  - cvcxxxx.exe (PID: 3752)
- Found regular expressions for crypto-addresses (YARA)
  - gfgdfxwx.exe (PID: 6900)
- There is functionality for enable RDP (YARA)
  - nudwee.exe (PID: 888)
- There is functionality for taking screenshot (YARA)
  - nudwee.exe (PID: 888)
- Connects to unusual port
  - wxcvxverd.exe (PID: 6620)
- Potential Corporate Privacy Violation
  - cvcxxxx.exe (PID: 3752)
- The process executes via Task Scheduler
  - nudwee.exe (PID: 2732)
INFO
- Checks supported languages
  - Solona SmartFlasher.exe (PID: 6128)
  - bvcbghgf.exe (PID: 7060)
  - cxvezrfde.exe (PID: 2552)
  - dfssdfxx.exe (PID: 7164)
  - cvcxxxx.exe (PID: 3752)
  - bvcbghgf.tmp (PID: 6732)
  - wxcvxverd.exe (PID: 6620)
  - bvcbghgf.tmp (PID: 3732)
  - bvcbghgf.exe (PID: 3780)
  - cxvezrfde.exe (PID: 1752)
  - nudwee.exe (PID: 888)
  - Solona SmartFlasher.exe (PID: 4236)
  - bvcbghgf.exe (PID: 7056)
  - cxvezrfde.exe (PID: 3196)
  - wxcvxverd.exe (PID: 1148)
  - bvcbghgf.tmp (PID: 3888)
  - dfssdfxx.exe (PID: 2716)
  - gfgdfxwx.exe (PID: 1700)
  - cvcxxxx.exe (PID: 6664)
  - bvcbghgf.tmp (PID: 7076)
  - bvcbghgf.exe (PID: 2764)
  - gfgdfxwx.exe (PID: 6900)
  - cxvezrfde.exe (PID: 3820)
  - nudwee.exe (PID: 2732)
- The sample compiled with english language support
  - Solona SmartFlasher.exe (PID: 6128)
  - gfgdfxwx.exe (PID: 6900)
  - cxvezrfde.exe (PID: 2552)
  - bvcbghgf.tmp (PID: 6732)
  - bvcbghgf.tmp (PID: 3732)
  - cxvezrfde.exe (PID: 3196)
  - bvcbghgf.tmp (PID: 3888)
  - bvcbghgf.tmp (PID: 7076)
- Creates files or folders in the user directory
  - Solona SmartFlasher.exe (PID: 6128)
  - gfgdfxwx.exe (PID: 6900)
  - bvcbghgf.tmp (PID: 3732)
  - cvcxxxx.exe (PID: 3752)
- Reads the computer name
  - Solona SmartFlasher.exe (PID: 6128)
  - cxvezrfde.exe (PID: 2552)
  - bvcbghgf.tmp (PID: 6732)
  - dfssdfxx.exe (PID: 7164)
  - bvcbghgf.tmp (PID: 3732)
  - nudwee.exe (PID: 888)
  - Solona SmartFlasher.exe (PID: 4236)
  - cxvezrfde.exe (PID: 3196)
  - bvcbghgf.tmp (PID: 3888)
  - bvcbghgf.tmp (PID: 7076)
  - wxcvxverd.exe (PID: 6620)
  - cvcxxxx.exe (PID: 3752)
- Create files in a temporary directory
  - bvcbghgf.exe (PID: 7060)
  - bvcbghgf.tmp (PID: 6732)
  - cxvezrfde.exe (PID: 2552)
  - bvcbghgf.exe (PID: 3780)
  - bvcbghgf.tmp (PID: 3732)
  - dfssdfxx.exe (PID: 7164)
  - bvcbghgf.exe (PID: 7056)
  - cxvezrfde.exe (PID: 3196)
  - bvcbghgf.tmp (PID: 3888)
  - bvcbghgf.exe (PID: 2764)
  - bvcbghgf.tmp (PID: 7076)
  - cvcxxxx.exe (PID: 3752)
- Process checks computer location settings
  - Solona SmartFlasher.exe (PID: 6128)
  - bvcbghgf.tmp (PID: 6732)
  - dfssdfxx.exe (PID: 7164)
  - Solona SmartFlasher.exe (PID: 4236)
  - bvcbghgf.tmp (PID: 3888)
- Reads the machine GUID from the registry
  - cxvezrfde.exe (PID: 1752)
  - cxvezrfde.exe (PID: 3820)
  - wxcvxverd.exe (PID: 6620)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 3844)
  - powershell.exe (PID: 2864)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 4772)
- Manual execution by a user
  - Solona SmartFlasher.exe (PID: 4236)
- Checks proxy server information
  - nudwee.exe (PID: 888)
  - cvcxxxx.exe (PID: 3752)
- Launching a file from a Registry key
  - gfgdfxwx.exe (PID: 6900)
- Application based on Rust
  - wxcvxverd.exe (PID: 6620)
  - cvcxxxx.exe (PID: 3752)
- Creates files in the program directory
  - cvcxxxx.exe (PID: 3752)
  - MusNotificationUx.exe (PID: 4012)
  - MusNotifyIcon.exe (PID: 1896)
- Reads the time zone
  - MusNotificationUx.exe (PID: 4012)
  - MusNotifyIcon.exe (PID: 1896)
  - WmiPrvSE.exe (PID: 3608)
- Reads the software policy settings
  - SIHClient.exe (PID: 984)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2025:05:22 14:08:03+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.4
CodeSize:	123392
InitializedDataSize:	16141312
UninitializedDataSize:	-
EntryPoint:	0x5f00
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.2.1.1
ProductVersionNumber:	3.1.1.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	Opwcv
FileVersion:	6.0.0.0
InternalName:	Opwcv.exe
LegalCopyright:	(C) 2026
OriginalFileName:	Opwcv.exe
ProductName:	Opwcv
ProductVersion:	3.1.1.1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

160

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

420

taskhostw.exe

C:\Windows\System32\taskhostw.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\taskhostw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll

888

"C:\Users\admin\AppData\Local\Temp\56e51a1e3a\nudwee.exe"

C:\Users\admin\AppData\Local\Temp\56e51a1e3a\nudwee.exe

dfssdfxx.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\56e51a1e3a\nudwee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

984

C:\WINDOWS\System32\sihclient.exe /cv k/vLawJ38EWH8MteFVr10g.0.2

C:\Windows\System32\SIHClient.exe

upfc.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

SIH Client

Exit code:

2379777

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sihclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\oleaut32.dll

1068

"regsvr32.exe" /s /i:--type=renderer "C:\Users\admin\AppData\Roaming\microsoft\systemcertificates\\PackageSupportFramework_7.pfx"

C:\Windows\SysWOW64\regsvr32.exe

—

bvcbghgf.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

1148

"C:\Users\admin\AppData\Roaming\wxcvxverd.exe"

C:\Users\admin\AppData\Roaming\wxcvxverd.exe

—

Solona SmartFlasher.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Features

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\roaming\wxcvxverd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1488

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1700

"C:\Users\admin\AppData\Roaming\gfgdfxwx.exe"

C:\Users\admin\AppData\Roaming\gfgdfxwx.exe

Solona SmartFlasher.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

System

Exit code:

Version:

6.0.0.1

Modules

Images
c:\users\admin\appdata\roaming\gfgdfxwx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shell32.dll

1752

"C:\Users\admin\AppData\Roaming\cxvezrfde.exe"

C:\Users\admin\AppData\Roaming\cxvezrfde.exe

—

cxvezrfde.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\roaming\cxvezrfde.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1896

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\System32\MusNotifyIcon.exe

—

MusNotification.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

MusNotifyIcon.exe

Exit code:

2149884437

Version:

10.0.19041.3693 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\musnotifyicon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2160

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

25 666

Read events

25 634

Write events

Delete events

Modification events


(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0230
Operation:	write	Name:	VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0230
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6900) gfgdfxwx.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	SystemServices
Value: C:\Users\admin\AppData\Roaming\gfgdfxwx.exe
(PID) Process:	(6900) gfgdfxwx.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	SystemServices
Value: C:\Users\admin\AppData\Roaming\winapp\winapp.exe
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000005025A
Operation:	write	Name:	VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000005025A
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000702BC
Operation:	write	Name:	VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000702BC
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(888) nudwee.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(888) nudwee.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

Add for printing

Executable files

122

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2552	cxvezrfde.exe	C:\Users\admin\AppData\Local\Temp\_MEI25522\_lzma.pyd		executable
		MD5:37057C92F50391D0751F2C1D7AD25B02	SHA256:9442DC46829485670A6AC0C02EF83C54B401F1570D1D5D1D85C19C1587487764
2552	cxvezrfde.exe	C:\Users\admin\AppData\Local\Temp\_MEI25522\_bz2.pyd		executable
		MD5:3DC8AF67E6EE06AF9EEC52FE985A7633	SHA256:C55821F5FDB0064C796B2C0B03B51971F073140BC210CBE6ED90387DB2BED929
6128	Solona SmartFlasher.exe	C:\Users\admin\AppData\Roaming\gfgdfxwx.exe		executable
		MD5:FA8A3DFE625E06D74B4931E31236A971	SHA256:47EC05FA7ED4B24C51CE19C2CCA63982A8D376278247391910B4EBAF7AF4DCEE
7060	bvcbghgf.exe	C:\Users\admin\AppData\Local\Temp\is-JV6L4.tmp\bvcbghgf.tmp		executable
		MD5:E6D13F10D97044F4F6FF7EA11E3E8E99	SHA256:344CFBA808BCCD3C187CA801DC6EA8AAFD77BF49B4C6342A26624028BA958A5F
6128	Solona SmartFlasher.exe	C:\Users\admin\AppData\Roaming\cxvezrfde.exe		executable
		MD5:73EC96E86A9C1D656AC35B522EF74A9B	SHA256:789BEC99500EB4B2C3CE10D651F9BC46ACC89BAC5636C731DC0414CE36E391C4
2552	cxvezrfde.exe	C:\Users\admin\AppData\Local\Temp\_MEI25522\VCRUNTIME140.dll		executable
		MD5:0E675D4A7A5B7CCD69013386793F68EB	SHA256:BF5FF4603557C9959ACEC995653D052D9054AD4826DF967974EFD2F377C723D1
6128	Solona SmartFlasher.exe	C:\Users\admin\AppData\Roaming\wxcvxverd.exe		executable
		MD5:7C85687956E00BDBBF28D98A44780BB5	SHA256:631491FD39EC560D77B9C0BF55C1FB8C144E2B7EFFD25FE52342ED99C052D4EE
2552	cxvezrfde.exe	C:\Users\admin\AppData\Local\Temp\_MEI25522\api-ms-win-core-datetime-l1-1-0.dll		executable
		MD5:5AF784F599437629DEEA9FE4E8EB4799	SHA256:7E5BD3EE263D09C7998E0D5FFA684906DDC56DA61536331C89C74B039DF00C7C
6900	gfgdfxwx.exe	C:\Users\admin\AppData\Roaming\winapp\winapp.exe		executable
		MD5:FA8A3DFE625E06D74B4931E31236A971	SHA256:47EC05FA7ED4B24C51CE19C2CCA63982A8D376278247391910B4EBAF7AF4DCEE
2552	cxvezrfde.exe	C:\Users\admin\AppData\Local\Temp\_MEI25522\_socket.pyd		executable
		MD5:D6BAE4B430F349AB42553DC738699F0E	SHA256:587C4F3092B5F3E34F6B1E927ECC7127B3FE2F7FA84E8A3D0C41828583BD5CEF

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
888	nudwee.exe	POST	404	185.156.72.8:80	http://185.156.72.8/rob75u9v/index.php	unknown	—	—	malicious
640	svchost.exe	GET	200	23.40.158.218:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
3752	cvcxxxx.exe	POST	200	185.156.72.8:80	http://185.156.72.8/zpaxpjz/get.php	unknown	—	—	malicious
888	nudwee.exe	POST	404	185.156.72.8:80	http://185.156.72.8/rob75u9v/index.php	unknown	—	—	malicious
3752	cvcxxxx.exe	POST	200	185.156.72.8:80	http://185.156.72.8/zpaxpjz/get.php	unknown	—	—	malicious
3752	cvcxxxx.exe	POST	200	185.156.72.8:80	http://185.156.72.8/zpaxpjz/get.php	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
—	—	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
—	—	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
1268	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5944	MoUsoCoreWorker.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
888	nudwee.exe	185.156.72.8:80	—	Tov Vaiz Partner	RU	malicious
2336	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	2.16.168.114 2.16.168.124	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
google.com	142.250.185.78	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
login.live.com	20.190.160.5 20.190.160.67 40.126.32.68 20.190.160.2 20.190.160.128 40.126.32.138 20.190.160.14 40.126.32.74	whitelisted
ocsp.digicert.com	23.40.158.218	whitelisted
nexusrules.officeapps.live.com	52.111.243.29	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted

Threats

PID	Process	Class	Message
888	nudwee.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 35
888	nudwee.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
3752	cvcxxxx.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
3752	cvcxxxx.exe	A Network Trojan was detected	ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
3752	cvcxxxx.exe	A Network Trojan was detected	ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
3752	cvcxxxx.exe	Potential Corporate Privacy Violation	POLICY [ANY.RUN] Sending Screenshot in Archive via POST Request
3752	cvcxxxx.exe	A Network Trojan was detected	ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
3752	cvcxxxx.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
3752	cvcxxxx.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
3752	cvcxxxx.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)

Add for printing

No debug info

General Info

Solona SmartFlasher.exe

1016FE557FBB851640F9B4D38D9B5E1A

046936E004FED67E00794DB7367D50CABF0BB19C

00B9BA96389CB9BFCBA784CF183A8B6C20A22EB7B0ACD14ACDD7CCF4AFB8290E

98304:WxDIja11XToYHSNraIRMgRBiicYhCzirVcOvUWellrZJkzvCxkSZyoDH6gER9fZz:zn2dd2hj+0KCFboh11kYF2W0iTg

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

DIAMOTRIX mutex has been found

SVC has been found (auto)

GENERIC has been found (auto)

AMADEY has been found (auto)

Loads dropped or rewritten executable

Registers / Runs the DLL via REGSVR32.EXE

AMADEY has been detected (SURICATA)

Changes the autorun value in the registry

Actions looks like stealing of personal data

Runs injected code in another process

Application was injected by another process

AMADEY has been detected (YARA)

Connects to the CnC server

SUSPICIOUS

Executable content was dropped or overwritten

Reads the date of Windows installation

Process drops python dynamic module

Process drops legitimate windows executable

Reads security settings of Internet Explorer

The process drops C-runtime libraries

Reads the Windows owner or organization settings

Application launched itself

Loads Python modules

Starts itself from another location

Starts POWERSHELL.EXE for commands execution

Contacting a server suspected of hosting an CnC

The process bypasses the loading of PowerShell profile settings

The process hide an interactive prompt from the user

Connects to the server without a host name

Found regular expressions for crypto-addresses (YARA)

There is functionality for enable RDP (YARA)

There is functionality for taking screenshot (YARA)

Connects to unusual port

Potential Corporate Privacy Violation

The process executes via Task Scheduler

INFO

Checks supported languages

The sample compiled with english language support

Creates files or folders in the user directory

Reads the computer name

Create files in a temporary directory

Process checks computer location settings

Reads the machine GUID from the registry

Checks if a key exists in the options dictionary (POWERSHELL)

Reads security settings of Internet Explorer

Manual execution by a user

Checks proxy server information

Launching a file from a Registry key

Application based on Rust

Creates files in the program directory

Reads the time zone

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules