Malware analysis 7zS.sfx.exe Malicious activity | ANY.RUN

Add for printing

File name:	7zS.sfx.exe
Full analysis:	https://app.any.run/tasks/9ebfad5c-9293-40ec-b486-06e0a1defdfb
Verdict:	Malicious activity
Threats:	GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools Malware Trends Tracker >>>
Analysis date:	January 05, 2024, 21:08:24
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	evasion gcleaner
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	BA081B0E14F236799AC98B4704B299D2
SHA1:	B4A15A7359431171610EF629BE5C5E9F18C9C6DB
SHA256:	048C51CDDD7226942B94B0B406E6134FB17766EDA673F1DD713FEE7C845F4514
SSDEEP:	98304:owUSQ8X4lkznjwiC1RjqNuf64su9XqozngBs9a02Ot3oyte5UHvKgYpkUZU3KMqL:jB8YpyPvawQ5rH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Adds path to the Windows Defender exclusion list
  - setup_install.exe (PID: 784)
  - cmd.exe (PID: 1632)
- Starts CMD.EXE for self-deleting
  - 62a4bae02cdda_a09bb3e.exe (PID: 1900)
  - 62a4bae89fe45_b5ccf628.exe (PID: 2624)
- GCLEANER has been detected (YARA)
  - 62a4badcb43a3_a6c0e514.exe (PID: 848)
SUSPICIOUS
- Reads the Internet Settings
  - 7zS.sfx.exe (PID: 2064)
  - 62a4bad8262f6_79a499f590.exe (PID: 1264)
  - 62a4bae89fe45_b5ccf628.exe (PID: 2624)
  - 62a4bae4d2a9c_cc09b024e.exe (PID: 2640)
  - 62a4bad6b95e3_be16fe.exe (PID: 1584)
  - powershell.exe (PID: 1772)
  - 62a4bae02cdda_a09bb3e.exe (PID: 1900)
  - 62a4bae132fe9_b10406e779.tmp (PID: 2636)
  - 62a4badb7af85_623761ba41.exe (PID: 1820)
  - 62a4badcb43a3_a6c0e514.exe (PID: 848)
  - control.exe (PID: 3220)
  - rundll32.exe (PID: 3208)
- Starts CMD.EXE for commands execution
  - setup_install.exe (PID: 784)
  - 62a4bae02cdda_a09bb3e.exe (PID: 1900)
  - 62a4bae89fe45_b5ccf628.exe (PID: 2624)
- The process hide an interactive prompt from the user
  - cmd.exe (PID: 1632)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 1632)
- Script adds exclusion path to Windows Defender
  - cmd.exe (PID: 1632)
- Starts application with an unusual extension
  - 62a4bae1cd5ec_f0e751fd26.exe (PID: 2628)
  - JKiHEG (PID: 1924)
- Reads the Windows owner or organization settings
  - 62a4bae132fe9_b10406e779.tmp (PID: 2636)
- Reads security settings of Internet Explorer
  - 62a4bae89fe45_b5ccf628.exe (PID: 2624)
  - 62a4bae4d2a9c_cc09b024e.exe (PID: 2640)
- Reads settings of System Certificates
  - 62a4bae89fe45_b5ccf628.exe (PID: 2624)
  - 62a4bae4d2a9c_cc09b024e.exe (PID: 2640)
  - 62a4bad6b95e3_be16fe.exe (PID: 1584)
- Checks Windows Trust Settings
  - 62a4bae89fe45_b5ccf628.exe (PID: 2624)
  - 62a4bae4d2a9c_cc09b024e.exe (PID: 2640)
- Using PowerShell to operate with local accounts
  - powershell.exe (PID: 1772)
- Adds/modifies Windows certificates
  - 62a4bae89fe45_b5ccf628.exe (PID: 2624)
  - 62a4bae4d2a9c_cc09b024e.exe (PID: 2640)
- Uses RUNDLL32.EXE to load library
  - control.exe (PID: 3220)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 2988)
INFO
- Drops the executable file immediately after the start
  - 7zS.sfx.exe (PID: 2064)
  - 62a4bae1cd5ec_f0e751fd26.exe (PID: 2628)
  - 62a4bae132fe9_b10406e779.exe (PID: 2300)
  - JKiHEG (PID: 1924)
  - 62a4bae132fe9_b10406e779.tmp (PID: 2636)
  - rundll32.exe (PID: 3208)
- Checks supported languages
  - 7zS.sfx.exe (PID: 2064)
  - setup_install.exe (PID: 784)
  - 62a4bad6b95e3_be16fe.exe (PID: 1584)
  - 62a4bad8262f6_79a499f590.exe (PID: 1264)
  - 62a4bad771e8f_923347.exe (PID: 1112)
  - 62a4badb7af85_623761ba41.exe (PID: 1820)
  - 62a4bad9333c8_8e10071d.exe (PID: 2172)
  - 62a4badcb43a3_a6c0e514.exe (PID: 848)
  - 62a4bae132fe9_b10406e779.exe (PID: 2300)
  - 62a4bae02cdda_a09bb3e.exe (PID: 1900)
  - 62a4bae1cd5ec_f0e751fd26.exe (PID: 2628)
  - 62a4bae2a134b_4fa915d.exe (PID: 796)
  - 62a4bae89fe45_b5ccf628.exe (PID: 2624)
  - 62a4bae4d2a9c_cc09b024e.exe (PID: 2640)
  - 62a4bad8262f6_79a499f590.exe (PID: 1844)
  - 62a4badf31e77_62aa4e13bb.exe (PID: 1636)
  - JKiHEG (PID: 1924)
  - 62a4bae132fe9_b10406e779.tmp (PID: 2636)
  - CmvDgs (PID: 996)
  - 62a4badf31e77_62aa4e13bb.exe (PID: 3036)
  - f6009.exe (PID: 3580)
- Reads the computer name
  - 7zS.sfx.exe (PID: 2064)
  - 62a4bad6b95e3_be16fe.exe (PID: 1584)
  - 62a4bad771e8f_923347.exe (PID: 1112)
  - 62a4bad8262f6_79a499f590.exe (PID: 1264)
  - 62a4badb7af85_623761ba41.exe (PID: 1820)
  - 62a4bad8262f6_79a499f590.exe (PID: 1844)
  - 62a4bae2a134b_4fa915d.exe (PID: 796)
  - 62a4bae89fe45_b5ccf628.exe (PID: 2624)
  - 62a4bae4d2a9c_cc09b024e.exe (PID: 2640)
  - 62a4bae132fe9_b10406e779.tmp (PID: 2636)
  - 62a4badcb43a3_a6c0e514.exe (PID: 848)
  - 62a4bae02cdda_a09bb3e.exe (PID: 1900)
  - f6009.exe (PID: 3580)
- Drops 7-zip archiver for unpacking
  - 7zS.sfx.exe (PID: 2064)
- The executable file from the user directory is run by the CMD process
  - 62a4bad6b95e3_be16fe.exe (PID: 1584)
  - 62a4bad8262f6_79a499f590.exe (PID: 1264)
  - 62a4bad771e8f_923347.exe (PID: 1112)
  - 62a4badb7af85_623761ba41.exe (PID: 1820)
  - 62a4bad9333c8_8e10071d.exe (PID: 2172)
  - 62a4badf31e77_62aa4e13bb.exe (PID: 1636)
  - 62a4badcb43a3_a6c0e514.exe (PID: 848)
  - 62a4bae02cdda_a09bb3e.exe (PID: 1900)
  - 62a4bae132fe9_b10406e779.exe (PID: 2300)
  - 62a4bae2a134b_4fa915d.exe (PID: 796)
  - 62a4bae89fe45_b5ccf628.exe (PID: 2624)
  - 62a4bae4d2a9c_cc09b024e.exe (PID: 2640)
  - 62a4bae1cd5ec_f0e751fd26.exe (PID: 2628)
- Create files in a temporary directory
  - 7zS.sfx.exe (PID: 2064)
  - 62a4bae132fe9_b10406e779.exe (PID: 2300)
  - 62a4bae1cd5ec_f0e751fd26.exe (PID: 2628)
  - 62a4bae132fe9_b10406e779.tmp (PID: 2636)
  - JKiHEG (PID: 1924)
  - 62a4badb7af85_623761ba41.exe (PID: 1820)
  - 62a4bae4d2a9c_cc09b024e.exe (PID: 2640)
  - rundll32.exe (PID: 3208)
- Application launched itself
  - 62a4bad8262f6_79a499f590.exe (PID: 1264)
  - 62a4badf31e77_62aa4e13bb.exe (PID: 1636)
- Reads the machine GUID from the registry
  - 62a4bad771e8f_923347.exe (PID: 1112)
  - 62a4bad6b95e3_be16fe.exe (PID: 1584)
  - 62a4bae132fe9_b10406e779.tmp (PID: 2636)
  - 62a4bae4d2a9c_cc09b024e.exe (PID: 2640)
  - 62a4bae89fe45_b5ccf628.exe (PID: 2624)
  - 62a4bae02cdda_a09bb3e.exe (PID: 1900)
  - 62a4badcb43a3_a6c0e514.exe (PID: 848)
- Reads Environment values
  - 62a4bad6b95e3_be16fe.exe (PID: 1584)
- Checks proxy server information
  - 62a4bae89fe45_b5ccf628.exe (PID: 2624)
  - 62a4bae132fe9_b10406e779.tmp (PID: 2636)
  - 62a4bae4d2a9c_cc09b024e.exe (PID: 2640)
  - 62a4bae02cdda_a09bb3e.exe (PID: 1900)
  - 62a4badcb43a3_a6c0e514.exe (PID: 848)
  - rundll32.exe (PID: 3208)
- Starts itself from another location
  - JKiHEG (PID: 1924)
- Process drops legitimate windows executable
  - 62a4bae132fe9_b10406e779.tmp (PID: 2636)
- Creates files or folders in the user directory
  - 62a4bae89fe45_b5ccf628.exe (PID: 2624)
  - 62a4bae4d2a9c_cc09b024e.exe (PID: 2640)
- Checks for external IP
  - 62a4bae4d2a9c_cc09b024e.exe (PID: 2640)
  - 62a4bad6b95e3_be16fe.exe (PID: 1584)
- Connects to unusual port
  - 62a4bad771e8f_923347.exe (PID: 1112)
- Unusual connection from system programs
  - rundll32.exe (PID: 3208)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

GCleaner

(PID) Process(848) 62a4badcb43a3_a6c0e514.exe

C2 (1)203.159.80.49

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:02:21 17:00:00+01:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	104448
InitializedDataSize:	28160
UninitializedDataSize:	-
EntryPoint:	0x1910c
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	19.0.0.0
ProductVersionNumber:	19.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Igor Pavlov
FileDescription:	7z Setup SFX
FileVersion:	19
InternalName:	7zS.sfx
LegalCopyright:	Copyright (c) 1999-2018 Igor Pavlov
OriginalFileName:	7zS.sfx.exe
ProductName:	7-Zip
ProductVersion:	19

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

584

C:\Windows\system32\cmd.exe /c 62a4bad771e8f_923347.exe

C:\Windows\System32\cmd.exe

—

setup_install.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

604

taskkill /im "62a4bae02cdda_a09bb3e.exe" /f

C:\Windows\System32\taskkill.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

128

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll

784

"C:\Users\admin\AppData\Local\Temp\7zS0180632E\setup_install.exe"

C:\Users\admin\AppData\Local\Temp\7zS0180632E\setup_install.exe

—

7zS.sfx.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\7zs0180632e\setup_install.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\temp\7zs0180632e\libwinpthread-1.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

796

62a4bae2a134b_4fa915d.exe

C:\Users\admin\AppData\Local\Temp\7zS0180632E\62a4bae2a134b_4fa915d.exe

cmd.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\7zs0180632e\62a4bae2a134b_4fa915d.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

848

62a4badcb43a3_a6c0e514.exe /mixtwo

C:\Users\admin\AppData\Local\Temp\7zS0180632E\62a4badcb43a3_a6c0e514.exe

cmd.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\7zs0180632e\62a4badcb43a3_a6c0e514.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

GCleaner

(PID) Process(848) 62a4badcb43a3_a6c0e514.exe

C2 (1)203.159.80.49

996

C:\Users\admin\AppData\Local\Temp\oYqDcONISRSwFEnLnc\CmvDgs

JKiHEG

User:

admin

Company:

MASM32 SDK

Integrity Level:

HIGH

Description:

Color Capture Utility

Exit code:

3221225477

Version:

1.0

Modules

Images
c:\users\admin\appdata\local\temp\oyqdconisrswfenlnc\cmvdgs
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll

1112

62a4bad771e8f_923347.exe

C:\Users\admin\AppData\Local\Temp\7zS0180632E\62a4bad771e8f_923347.exe

cmd.exe

User:

admin

Company:

Installer Project

Integrity Level:

HIGH

Description:

Installer Project

Exit code:

Version:

3, 48, 1, 0

Modules

Images
c:\users\admin\appdata\local\temp\7zs0180632e\62a4bad771e8f_923347.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

1264

62a4bad8262f6_79a499f590.exe

C:\Users\admin\AppData\Local\Temp\7zS0180632E\62a4bad8262f6_79a499f590.exe

—

cmd.exe

User:

admin

Company:

TODO: <Company name>

Integrity Level:

HIGH

Description:

TODO: <File description>

Exit code:

Version:

1.0.0.1

Modules

Images
c:\users\admin\appdata\local\temp\7zs0180632e\62a4bad8262f6_79a499f590.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

1576

C:\Windows\system32\cmd.exe /c 62a4bade488e6_dadba0.exe

C:\Windows\System32\cmd.exe

—

setup_install.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1584

62a4bad6b95e3_be16fe.exe

C:\Users\admin\AppData\Local\Temp\7zS0180632E\62a4bad6b95e3_be16fe.exe

cmd.exe

User:

admin

Integrity Level:

HIGH

Exit code:

4294967295

Version:

0.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\7zs0180632e\62a4bad6b95e3_be16fe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

20 222

Read events

19 982

Write events

236

Delete events

Modification events


(PID) Process:	(2064) 7zS.sfx.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2064) 7zS.sfx.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2064) 7zS.sfx.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2064) 7zS.sfx.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1264) 62a4bad8262f6_79a499f590.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1264) 62a4bad8262f6_79a499f590.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1264) 62a4bad8262f6_79a499f590.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1264) 62a4bad8262f6_79a499f590.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2624) 62a4bae89fe45_b5ccf628.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2624) 62a4bae89fe45_b5ccf628.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2064	7zS.sfx.exe	C:\Users\admin\AppData\Local\Temp\7zS0180632E\62a4bad8262f6_79a499f590.exe		executable
		MD5:0CAD21764FE956F3028096FF3FF37549	SHA256:F65A68DCC63BD141E3A6619ED81B9C0FF3A5492EBD73034F8C794681F1875E3E
2064	7zS.sfx.exe	C:\Users\admin\AppData\Local\Temp\7zS0180632E\62a4bad771e8f_923347.exe		executable
		MD5:2DB62B3E5088B61EAD161E0482B2F6F2	SHA256:C277EAC5A2F147B839219C2327A2D7E6C85BE9DABE91C8A92B553E2CADC9E3C3
2064	7zS.sfx.exe	C:\Users\admin\AppData\Local\Temp\7zS0180632E\62a4badcb43a3_a6c0e514.exe		executable
		MD5:34FF1645F6865DEE9A1EF114759CA48F	SHA256:909B86BC2AB0BBB6860422827A3827F7BD0B56EFE17C077FD0709BCE1D43AEC7
2064	7zS.sfx.exe	C:\Users\admin\AppData\Local\Temp\7zS0180632E\62a4bade488e6_dadba0.exe		executable
		MD5:E77F09A338E643EE05AD09E367EEDF73	SHA256:F32C3414F14E0B4C08183AF08702736A2ED18C99101D5EE1BC5BC5E8EE3C8982
2064	7zS.sfx.exe	C:\Users\admin\AppData\Local\Temp\7zS0180632E\62a4badf31e77_62aa4e13bb.exe		executable
		MD5:92F5CA1832C018A5761F26E061F701D0	SHA256:A39354BBA664F79E28EC6792CEA228188420D7A30B140A47506783B237D3A572
2064	7zS.sfx.exe	C:\Users\admin\AppData\Local\Temp\7zS0180632E\62a4bad9333c8_8e10071d.exe		executable
		MD5:10F718551CE15CE0C355B32669B51D2F	SHA256:74328B4664781C7C6D58BF597A0BE968F198FBB199BD0C3425FF575A3F52D688
2064	7zS.sfx.exe	C:\Users\admin\AppData\Local\Temp\7zS0180632E\libstdc++-6.dll		executable
		MD5:5E279950775BAAE5FEA04D2CC4526BCC	SHA256:97DE47068327BB822B33C7106F9CBB489480901A6749513EF5C31D229DCACA87
2064	7zS.sfx.exe	C:\Users\admin\AppData\Local\Temp\7zS0180632E\62a4bae89fe45_b5ccf628.exe		executable
		MD5:B735AF19C1782C4FBEB037FCA859B8FA	SHA256:6515D15D618B349A68BC2456F3A9EECC6B0B64AAAC9D662C1B3F702FFBA3C054
2064	7zS.sfx.exe	C:\Users\admin\AppData\Local\Temp\7zS0180632E\62a4bae4d2a9c_cc09b024e.exe		executable
		MD5:C8CC1B2DC76454583C3968D96AF6D095	SHA256:03BC61C86383045EC0D07802596D98EC5B869144FB9F41330332058D340183F3
2064	7zS.sfx.exe	C:\Users\admin\AppData\Local\Temp\7zS0180632E\libgcc_s_dw2-1.dll		executable
		MD5:9AEC524B616618B0D3D00B27B6F51DA1	SHA256:59A466F77584438FC3ABC0F43EDC0FC99D41851726827A008841F05CFE12DA7E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2636	62a4bae132fe9_b10406e779.tmp	HEAD	404	151.115.10.1:80	http://pierpont.s3.pl-waw.scw.cloud/cul-pub/poweroff.exe	unknown	—	—	—
2636	62a4bae132fe9_b10406e779.tmp	HEAD	404	151.115.10.1:80	http://nikola.s3.pl-waw.scw.cloud/adv-spec/poweroff.exe	unknown	—	—	—
2636	62a4bae132fe9_b10406e779.tmp	GET	404	151.115.10.1:80	http://pierpont.s3.pl-waw.scw.cloud/cul-pub/poweroff.exe	unknown	xml	224 b	—
2640	62a4bae4d2a9c_cc09b024e.exe	GET	200	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?789a5713bc875667	unknown	compressed	65.2 Kb	—
2640	62a4bae4d2a9c_cc09b024e.exe	GET	200	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33e02552bdc6c8f0	unknown	compressed	4.66 Kb	—
2624	62a4bae89fe45_b5ccf628.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEA3teJZTSbNo1B9%2B4%2BHu0es%3D	unknown	binary	313 b	—
2624	62a4bae89fe45_b5ccf628.exe	GET	200	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0f8b9cb74b2995b5	unknown	compressed	4.66 Kb	—
2636	62a4bae132fe9_b10406e779.tmp	GET	404	151.115.10.1:80	http://nikola.s3.pl-waw.scw.cloud/adv-spec/poweroff.exe	unknown	xml	222 b	—
2624	62a4bae89fe45_b5ccf628.exe	GET	200	192.229.221.95:80	http://status.rapidssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTwhx4whLWmoMiOrOHBDr230kVlzwQUQd9N8GGTx%2Fy1q818kgKdD3ycCpACEAaqQBqJGZ3PSb1X5c3H%2F0I%3D	unknown	binary	280 b	—
2640	62a4bae4d2a9c_cc09b024e.exe	GET	200	69.192.161.44:80	http://x2.c.lencr.org/	unknown	binary	300 b	—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	unknown
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
796	62a4bae2a134b_4fa915d.exe	46.23.109.174:80	—	Serverius Holding B.V.	NL	unknown
2636	62a4bae132fe9_b10406e779.tmp	151.115.10.1:80	pierpont.s3.pl-waw.scw.cloud	Online S.a.s.	PL	unknown
2624	62a4bae89fe45_b5ccf628.exe	164.138.208.141:443	www.telellevo.es	Cyberneticos Hosting SL	ES	unknown
2640	62a4bae4d2a9c_cc09b024e.exe	104.21.4.208:443	iplogger.org	CLOUDFLARENET	—	unknown
2624	62a4bae89fe45_b5ccf628.exe	93.184.221.240:80	ctldl.windowsupdate.com	EDGECAST	GB	unknown
2640	62a4bae4d2a9c_cc09b024e.exe	93.184.221.240:80	ctldl.windowsupdate.com	EDGECAST	GB	unknown
2624	62a4bae89fe45_b5ccf628.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	unknown

DNS requests

Domain	IP	Reputation
v.xyzgamev.com	—	unknown
udninfofree.shop	—	unknown
www.icodeps.com	127.0.0.1	unknown
buyinvestment24.com	—	unknown
pierpont.s3.pl-waw.scw.cloud	151.115.10.1	unknown
www.telellevo.es	164.138.208.141	unknown
best-boutique-clu2.xyz	—	unknown
best-atel1er.com	—	unknown
nikola.s3.pl-waw.scw.cloud	151.115.10.1	unknown
iplogger.org	104.21.4.208 172.67.132.113	unknown

Threats

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
—	—	Potential Corporate Privacy Violation	ET POLICY IP Check Domain (iplogger .org in TLS SNI)
—	—	Potential Corporate Privacy Violation	ET POLICY IP Check Domain (iplogger .org in TLS SNI)

4 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

7zS.sfx.exe

BA081B0E14F236799AC98B4704B299D2

B4A15A7359431171610EF629BE5C5E9F18C9C6DB

048C51CDDD7226942B94B0B406E6134FB17766EDA673F1DD713FEE7C845F4514

98304:owUSQ8X4lkznjwiC1RjqNuf64su9XqozngBs9a02Ot3oyte5UHvKgYpkUZU3KMqL:jB8YpyPvawQ5rH

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Starts CMD.EXE for self-deleting

GCLEANER has been detected (YARA)

SUSPICIOUS

Reads the Internet Settings

Starts CMD.EXE for commands execution

The process hide an interactive prompt from the user

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

Starts application with an unusual extension

Reads the Windows owner or organization settings

Reads security settings of Internet Explorer

Reads settings of System Certificates

Checks Windows Trust Settings

Using PowerShell to operate with local accounts

Adds/modifies Windows certificates

Uses RUNDLL32.EXE to load library

Uses TASKKILL.EXE to kill process

INFO

Drops the executable file immediately after the start

Checks supported languages

Reads the computer name

Drops 7-zip archiver for unpacking

The executable file from the user directory is run by the CMD process

Create files in a temporary directory

Application launched itself

Reads the machine GUID from the registry

Reads Environment values

Checks proxy server information

Starts itself from another location

Process drops legitimate windows executable

Creates files or folders in the user directory

Checks for external IP

Connects to unusual port

Unusual connection from system programs

Malware configuration

GCleaner

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

GCleaner

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity