File name:

mtk.exe

Full analysis: https://app.any.run/tasks/4d56e33a-9ae5-42a1-9c42-e01674b85e09
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: October 24, 2023, 20:15:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
upatre
trojan
evasion
sinkhole
amadey
botnet
stealer
ransomware
teslacrypt
cerber
apt
strongpity
plugx
fareit
pony
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5:

0DBAFF61A0D7EB35C23542FE980C8E30

SHA1:

A65BCE229A1F0143C6F5C86A205DA15D74652335

SHA256:

0771DDC1515150CF7BB2EAED7CE17DB58BF1F3F963EC60B28E29266763C92594

SSDEEP:

49152:5hkVUncRtu1kPxXzEgDH/0nl0efk6e4Ath5+hY7hYKJ+NFK2Z0N/eEDNIGuWFlva:qxJDhlEF0N/e06Wrghxt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257.exe.exe (PID: 2748)
      • 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe (PID: 2004)
      • 03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe (PID: 992)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 2728)
      • 0468127a19daf4c7bc41015c5640fe1f.exe.exe (PID: 3016)
      • 0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2.exe.exe (PID: 2684)
      • 07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe (PID: 364)
      • 0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300.exe.exe (PID: 2620)
      • 084a220ba90622cc223b93f32130e9f2d072679f66d1816775bf14832d492b8a.exe.exe (PID: 2144)
      • 08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2.exe.exe (PID: 2116)
      • 0dc2ab0ccf783fb39028326a7e8b0ba4eaa148020ec05fc26313ef2bf70f700f.exe.exe (PID: 1424)
      • 0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776.exe.exe (PID: 2892)
      • 05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83.exe.exe (PID: 1968)
      • 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe.exe (PID: 2332)
      • 1002.exe.exe (PID: 2036)
      • 1003.exe.exe (PID: 2224)
      • 1215584b4fa69130799f6cf5efe467f380dc68b14ed2c76f63ca6b461ad57246.exe.exe (PID: 1584)
      • 131.exe.exe (PID: 2584)
      • 15540D149889539308135FA12BEDBCBF.exe.exe (PID: 1088)
      • 17.exe.exe (PID: 2644)
      • 1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908.exe.exe (PID: 1124)
      • 19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8.ViR.exe (PID: 2748)
      • 1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d.exe.exe (PID: 2284)
      • 1D34D800AA3320DC17A5786F8EEC16EE.exe.exe (PID: 1296)
      • 1b76fdbd4cd92c7349bc99291137637614f4fb9598ae29df0a39a422611b86f8.exe.exe (PID: 2952)
      • 1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7.exe.exe (PID: 2888)
      • 20240431d6eb6816453651b58b37f53950fcc3f0929813806525c5fd97cdc0e1.exe.exe (PID: 2804)
      • 2094d105ec70aa98866a83b38a22614cff906b2cf0a08970ed59887383ee7b70.exe.exe (PID: 3040)
      • 21.exe.exe (PID: 792)
      • 1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7.exe.exe (PID: 2880)
      • utilview.exe (PID: 1696)
      • 260ebbf392498d00d767a5c5ba695e1a124057c1c01fff2ae76db7853fe4255b.exe.exe (PID: 3088)
      • 2a3b92f6180367306d750e59c9b6446b.exe.exe (PID: 3240)
      • 323CANON.EXE_WORM_VOBFUS.SM01.exe (PID: 3800)
      • KB00653670.exe (PID: 2564)
      • utilview.exe (PID: 2452)
      • 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe (PID: 2692)
      • gbudn.exe (PID: 4000)
      • gbudn.exe (PID: 7568)
    • Drops the executable file immediately after the start

      • 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe (PID: 2004)
      • 05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83.exe.exe (PID: 1968)
      • 08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2.exe.exe (PID: 2116)
      • 0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2.exe.exe (PID: 2684)
      • 19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8.ViR.exe (PID: 2748)
      • mtk.exe (PID: 2612)
      • 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe (PID: 2692)
      • 17.exe.exe (PID: 2644)
      • 1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7.exe.exe (PID: 2880)
      • 2a3b92f6180367306d750e59c9b6446b.exe.exe (PID: 3240)
      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe.exe (PID: 2556)
      • 23f12c28515e7b9d8b2dd60ef660290ae32434bb50d56a8c8259df4881800971.exe.exe (PID: 2516)
      • 3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe (PID: 4008)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 2728)
      • frame.exe (PID: 4080)
      • 75b30164a31d305f47f2c3c2121432e6d7b316cfb3deb6b39f78180168bc9472.exe.exe (PID: 4364)
      • 6b91fdb0992ca029c913092db7b4fd94c917c1473953d1ec77c74d030776fe9a.exe.exe (PID: 2880)
      • 6072a303039b032f1b3b0e596a3eb9a35568cef830a18404c18bb4fffef86fba.exe.exe (PID: 3576)
      • 773635768e738bec776dfd7504164b3596e5eee344757dd1ac9a1ad19b452c86.exe.exe (PID: 4720)
      • ggjsona.exe (PID: 3020)
      • 73ebf8c9571f00c9923c87e7442f3d9132627163c5a64e40ad4eb1a1f2266de9.exe.exe (PID: 4408)
      • 9c17f267f79597ee01515f5ef925375d8a19844830cc46917a3d1b5bcb0ba4c3.exe.exe (PID: 4820)
      • 9b3c6fd39b2809e388255c5651953251920c5c7d5e77da1070ab3c127e8bdc11.exe.exe (PID: 5916)
      • 3b4497c7f8c89bf22c984854ac7603573a53b95ed147e80c0f19e549e2b65693.exe.exe (PID: 3172)
      • 8a0c95be8a40ae5419f7d97bb3e91b2b.exe.exe (PID: 6040)
      • 3_4.exe.exe (PID: 1968)
      • ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe.exe (PID: 5628)
      • a3667153a6322fb8d4cf8869c094a05e995e2954fda833fe14304837ed4fd0bd.exe.exe (PID: 4092)
      • b81b10bdf4f29347979ea8a1715cbfc560e3452ba9fffcc33cd19a3dc47083a4.exe.exe (PID: 6752)
      • AAA._xe.exe (PID: 5840)
      • c7128e2772b4f8c59943028e205d1b23c07f36206c1c61a05645c7bf143b24ee.exe.exe (PID: 6072)
      • C116CD083284CC599C024C3479CA9B70_2.tmp_.exe (PID: 7904)
      • bea95bebec95e0893a845f62e832d7cf.exe.ViR.exe (PID: 6912)
      • Gadget.exe (PID: 8096)
      • cf65cc6e4b2b0c3f602b16398c8c30c277b8cfaed689fe7cb61b92560d4e5b1b.exe.exe (PID: 6216)
      • c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe.exe (PID: 7544)
      • e1d852f2ea8436ac33bc8fe200aca4af4fb15f33ecda6441741589daa44115c5.exe.exe (PID: 10420)
      • blanca de nieve.scr.exe (PID: 7436)
      • e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe.exe (PID: 13136)
      • Dustman.exe.exe (PID: 11844)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe (PID: 17128)
      • FLASH829.EXE.exe (PID: 24736)
    • Application was injected by another process

      • WerFault.exe (PID: 1176)
      • WerFault.exe (PID: 4004)
      • WerFault.exe (PID: 4012)
    • Runs injected code in another process

      • KB00653670.exe (PID: 2564)
    • Deletes shadow copies

      • ggjsona.exe (PID: 3020)
      • 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe (PID: 3320)
    • Uses Task Scheduler to run other applications

      • gbudn.exe (PID: 4000)
    • Starts NET.EXE for service management

      • 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe (PID: 3320)
      • net.exe (PID: 3512)
      • net.exe (PID: 2288)
      • net.exe (PID: 3552)
      • net.exe (PID: 2688)
      • net.exe (PID: 3728)
      • net.exe (PID: 4304)
      • net.exe (PID: 4496)
      • net.exe (PID: 984)
      • net.exe (PID: 4432)
      • net.exe (PID: 3560)
      • net.exe (PID: 4320)
      • net.exe (PID: 4704)
      • net.exe (PID: 4688)
      • net.exe (PID: 2880)
      • net.exe (PID: 4736)
      • net.exe (PID: 4536)
      • net.exe (PID: 3876)
      • net.exe (PID: 3192)
      • net.exe (PID: 3140)
      • net.exe (PID: 4904)
      • net.exe (PID: 5016)
      • net.exe (PID: 3144)
      • net.exe (PID: 3796)
      • net.exe (PID: 752)
      • net.exe (PID: 5348)
      • net.exe (PID: 5700)
    • Starts CMD.EXE for self-deleting

      • 5a765351046fea1490d20f25.exe.exe (PID: 2464)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • mtk.exe (PID: 2612)
    • Reads the Internet Settings

      • mtk.exe (PID: 2612)
      • 0468127a19daf4c7bc41015c5640fe1f.exe.exe (PID: 3016)
      • 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe (PID: 2004)
      • 0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776.exe.exe (PID: 2892)
      • cmd.exe (PID: 2468)
      • utilview.exe (PID: 2452)
    • Process drops legitimate windows executable

      • mtk.exe (PID: 2612)
      • 19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8.ViR.exe (PID: 2748)
      • AAA._xe.exe (PID: 5840)
      • svchost.exe (PID: 5284)
      • svchost.exe (PID: 3440)
      • blanca de nieve.scr.exe (PID: 7436)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe (PID: 17128)
      • FLASH829.EXE.exe (PID: 24736)
    • The process creates files with name similar to system file names

      • mtk.exe (PID: 2612)
    • Creates executable files that already exist in Windows

      • mtk.exe (PID: 2612)
    • Executing commands from a ".bat" file

      • 08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2.exe.exe (PID: 2116)
      • 17.exe.exe (PID: 2644)
      • 9b3c6fd39b2809e388255c5651953251920c5c7d5e77da1070ab3c127e8bdc11.exe.exe (PID: 5916)
      • 9c17f267f79597ee01515f5ef925375d8a19844830cc46917a3d1b5bcb0ba4c3.exe.exe (PID: 4820)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe (PID: 17128)
    • Starts CMD.EXE for commands execution

      • 08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2.exe.exe (PID: 2116)
      • 0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2.exe.exe (PID: 2684)
      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe.exe (PID: 2556)
      • 03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe (PID: 992)
      • 07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe (PID: 364)
      • 17.exe.exe (PID: 2644)
      • 388f5bc2f088769b361dfe8a45f0d5237c4580b287612422a03babe6994339ff.exe.exe (PID: 4040)
      • 30196c83a1f857d36fde160d55bd4e5b5d50fbb082bd846db295cbe0f9d35cfb.exe.exe (PID: 3448)
      • 3bedb4bdb17718fda1edd1a8fa4289dc61fdda598474b5648414e4565e88ecd5.exe.exe (PID: 3156)
      • 1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908.exe.exe (PID: 1124)
      • 5663b2d4a4aec55d5d6fb507e3fdcb92ffc978d411de68b084c37f86af6d2e19.exe.exe (PID: 3104)
      • 50414f60d7e24d25f9ebb68f99d67a46e8b12458474ac503b6e0d0562075a985.exe.exe (PID: 3404)
      • 52cb02da0462fdd08d537b2c949e2e252f7a7a88354d596e9f5c9f1498d1c68f.exe.exe (PID: 3584)
      • 6b91fdb0992ca029c913092db7b4fd94c917c1473953d1ec77c74d030776fe9a.exe.exe (PID: 2880)
      • 773635768e738bec776dfd7504164b3596e5eee344757dd1ac9a1ad19b452c86.exe.exe (PID: 4720)
      • 5d491ea5705e90c817cf0f5211c9edbcd5291fe8bd4cc69cdb58e8d0e6b6d1fe.exe.exe (PID: 3396)
      • 9b3c6fd39b2809e388255c5651953251920c5c7d5e77da1070ab3c127e8bdc11.exe.exe (PID: 5916)
      • 9c17f267f79597ee01515f5ef925375d8a19844830cc46917a3d1b5bcb0ba4c3.exe.exe (PID: 4820)
      • a3667153a6322fb8d4cf8869c094a05e995e2954fda833fe14304837ed4fd0bd.exe.exe (PID: 4092)
      • 5a765351046fea1490d20f25.exe.exe (PID: 2464)
      • a98099541168c7f36b107e24e9c80c9125fefb787ae720799b03bb4425aba1a9.exe.exe (PID: 4588)
      • bdef2ddcd8d4d66a42c9cbafd5cf7d86c4c0e3ed8c45cc734742c5da2fb573f7.exe.exe (PID: 5012)
      • bc12d7052e6cfce8f16625ca8b88803cd4e58356eb32fe62667336d4dee708a3.exe.exe (PID: 3824)
      • e1d852f2ea8436ac33bc8fe200aca4af4fb15f33ecda6441741589daa44115c5.exe.exe (PID: 10420)
      • d8fdcdaad652c19f4f4676cd2f89ae834dbc19e2759a206044b18601875f2726.exe.exe (PID: 10108)
      • Dustman.exe.exe (PID: 11844)
      • dea53e331d3b9f21354147f60902f6e132f06183ed2f4a28e67816f9cb140a90.exe.exe (PID: 11752)
      • e2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747.exe.exe (PID: 11868)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe (PID: 17128)
    • Application launched itself

      • 1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7.exe.exe (PID: 2888)
      • utilview.exe (PID: 1696)
      • 3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe (PID: 3460)
      • 40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe (PID: 3204)
      • syhonay.exe (PID: 2880)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe.exe (PID: 2800)
      • 5a765351046fea1490d20f25.exe.exe (PID: 3440)
      • 73ebf8c9571f00c9923c87e7442f3d9132627163c5a64e40ad4eb1a1f2266de9.exe.exe (PID: 4368)
      • wovoletir.exe (PID: 5424)
      • a98099541168c7f36b107e24e9c80c9125fefb787ae720799b03bb4425aba1a9.exe.exe (PID: 4588)
    • Starts itself from another location

      • 1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7.exe.exe (PID: 2880)
      • 17.exe.exe (PID: 2644)
      • 2a3b92f6180367306d750e59c9b6446b.exe.exe (PID: 3240)
      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe.exe (PID: 2556)
      • 23f12c28515e7b9d8b2dd60ef660290ae32434bb50d56a8c8259df4881800971.exe.exe (PID: 2516)
      • 3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe (PID: 4008)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 2728)
      • 73ebf8c9571f00c9923c87e7442f3d9132627163c5a64e40ad4eb1a1f2266de9.exe.exe (PID: 4408)
      • 3_4.exe.exe (PID: 1968)
      • 8a0c95be8a40ae5419f7d97bb3e91b2b.exe.exe (PID: 6040)
      • Gadget.exe (PID: 8096)
      • c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe.exe (PID: 7544)
      • e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe.exe (PID: 13136)
    • Uses TASKKILL.EXE to kill process

      • 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe (PID: 3320)
    • The process executes via Task Scheduler

      • FlashUpdate.exe (PID: 5744)
      • gbudn.exe (PID: 7568)
      • 4cc343.exe (PID: 13728)
    • The process executes JS scripts

      • afa8d185de2f357082ed4042fc057a6d7300f603d3bfdbe7e6c351868e45e477.exe.exe (PID: 4548)
    • Writes files like Keylogger logs

      • ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe.exe (PID: 5628)
    • Drops a system driver (possible attempt to evade defenses)

      • Dustman.exe.exe (PID: 11844)
    • Uses ATTRIB.EXE to modify file attributes

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe (PID: 17128)
    • Uses ICACLS.EXE to modify access control lists

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe (PID: 17128)
  • INFO

    • Reads the computer name

      • mtk.exe (PID: 2612)
      • 01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257.exe.exe (PID: 2748)
      • 0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776.exe.exe (PID: 2892)
      • 0468127a19daf4c7bc41015c5640fe1f.exe.exe (PID: 3016)
      • 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe (PID: 2004)
      • 0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300.exe.exe (PID: 2620)
      • 0dc2ab0ccf783fb39028326a7e8b0ba4eaa148020ec05fc26313ef2bf70f700f.exe.exe (PID: 1424)
      • 084a220ba90622cc223b93f32130e9f2d072679f66d1816775bf14832d492b8a.exe.exe (PID: 2144)
      • 17.exe.exe (PID: 2644)
      • 1b76fdbd4cd92c7349bc99291137637614f4fb9598ae29df0a39a422611b86f8.exe.exe (PID: 2952)
      • 1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7.exe.exe (PID: 2880)
      • KB00653670.exe (PID: 2564)
      • utilview.exe (PID: 2452)
      • 03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe (PID: 992)
      • 2094d105ec70aa98866a83b38a22614cff906b2cf0a08970ed59887383ee7b70.exe.exe (PID: 3040)
      • 07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe (PID: 364)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 2728)
      • 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe (PID: 2692)
      • 1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d.exe.exe (PID: 2284)
      • 1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908.exe.exe (PID: 1124)
      • 1D34D800AA3320DC17A5786F8EEC16EE.exe.exe (PID: 1296)
      • 20240431d6eb6816453651b58b37f53950fcc3f0929813806525c5fd97cdc0e1.exe.exe (PID: 2804)
      • 23eeb35780faf868a7b17b8e8da364d71bae0e46c1ababddddddecbdbd2c2c64.exe.exe (PID: 2336)
      • 30196c83a1f857d36fde160d55bd4e5b5d50fbb082bd846db295cbe0f9d35cfb.exe.exe (PID: 3448)
      • 323CANON.EXE_WORM_VOBFUS.SM01.exe (PID: 3800)
      • 2a3b92f6180367306d750e59c9b6446b.exe.exe (PID: 3240)
      • 0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2.exe.exe (PID: 2684)
      • 1003.exe.exe (PID: 2224)
      • 301210D5557D9BA34F401D3EF7A7276F.exe.exe (PID: 3264)
      • 1002.exe.exe (PID: 2036)
    • Checks supported languages

      • mtk.exe (PID: 2612)
      • 01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257.exe.exe (PID: 2748)
      • 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe (PID: 2004)
      • 0468127a19daf4c7bc41015c5640fe1f.exe.exe (PID: 3016)
      • 05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83.exe.exe (PID: 1968)
      • 07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe (PID: 364)
      • 0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776.exe.exe (PID: 2892)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 2728)
      • 0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300.exe.exe (PID: 2620)
      • 084a220ba90622cc223b93f32130e9f2d072679f66d1816775bf14832d492b8a.exe.exe (PID: 2144)
      • 08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2.exe.exe (PID: 2116)
      • 03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe (PID: 992)
      • 0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2.exe.exe (PID: 2684)
      • 0dc2ab0ccf783fb39028326a7e8b0ba4eaa148020ec05fc26313ef2bf70f700f.exe.exe (PID: 1424)
      • 1002.exe.exe (PID: 2036)
      • 1003.exe.exe (PID: 2224)
      • 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe (PID: 2692)
      • 19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8.ViR.exe (PID: 2748)
      • 17.exe.exe (PID: 2644)
      • 1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7.exe.exe (PID: 2888)
      • 1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908.exe.exe (PID: 1124)
      • 1b76fdbd4cd92c7349bc99291137637614f4fb9598ae29df0a39a422611b86f8.exe.exe (PID: 2952)
      • 1D34D800AA3320DC17A5786F8EEC16EE.exe.exe (PID: 1296)
      • 1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d.exe.exe (PID: 2284)
      • 20240431d6eb6816453651b58b37f53950fcc3f0929813806525c5fd97cdc0e1.exe.exe (PID: 2804)
      • 1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7.exe.exe (PID: 2880)
      • 2094d105ec70aa98866a83b38a22614cff906b2cf0a08970ed59887383ee7b70.exe.exe (PID: 3040)
      • 2a3b92f6180367306d750e59c9b6446b.exe.exe (PID: 3240)
      • utilview.exe (PID: 2452)
      • 30196c83a1f857d36fde160d55bd4e5b5d50fbb082bd846db295cbe0f9d35cfb.exe.exe (PID: 3448)
      • utilview.exe (PID: 1696)
      • KB00653670.exe (PID: 2564)
      • 23eeb35780faf868a7b17b8e8da364d71bae0e46c1ababddddddecbdbd2c2c64.exe.exe (PID: 2336)
      • 323CANON.EXE_WORM_VOBFUS.SM01.exe (PID: 3800)
      • 301210D5557D9BA34F401D3EF7A7276F.exe.exe (PID: 3264)
    • Checks proxy server information

      • mtk.exe (PID: 2612)
      • 0468127a19daf4c7bc41015c5640fe1f.exe.exe (PID: 3016)
      • utilview.exe (PID: 2452)
    • Reads the machine GUID from the registry

      • mtk.exe (PID: 2612)
      • 01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257.exe.exe (PID: 2748)
      • 0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300.exe.exe (PID: 2620)
      • 084a220ba90622cc223b93f32130e9f2d072679f66d1816775bf14832d492b8a.exe.exe (PID: 2144)
      • 0dc2ab0ccf783fb39028326a7e8b0ba4eaa148020ec05fc26313ef2bf70f700f.exe.exe (PID: 1424)
      • 1002.exe.exe (PID: 2036)
      • 1003.exe.exe (PID: 2224)
      • 0468127a19daf4c7bc41015c5640fe1f.exe.exe (PID: 3016)
    • Create files in a temporary directory

      • mtk.exe (PID: 2612)
      • 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe (PID: 2004)
      • 05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83.exe.exe (PID: 1968)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 2728)
      • 08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2.exe.exe (PID: 2116)
      • 0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2.exe.exe (PID: 2684)
      • 1b76fdbd4cd92c7349bc99291137637614f4fb9598ae29df0a39a422611b86f8.exe.exe (PID: 2952)
      • 1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7.exe.exe (PID: 2880)
      • 17.exe.exe (PID: 2644)
    • Dropped object may contain TOR URL's

      • mtk.exe (PID: 2612)
      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe.exe (PID: 2556)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe (PID: 17128)
      • cerber.exe.exe (PID: 7496)
    • Reads Environment values

      • 0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776.exe.exe (PID: 2892)
      • 1b76fdbd4cd92c7349bc99291137637614f4fb9598ae29df0a39a422611b86f8.exe.exe (PID: 2952)
    • Creates files or folders in the user directory

      • 19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8.ViR.exe (PID: 2748)
      • 17.exe.exe (PID: 2644)
    • Reads product name

      • 1b76fdbd4cd92c7349bc99291137637614f4fb9598ae29df0a39a422611b86f8.exe.exe (PID: 2952)
    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 2280)
      • svchost.exe (PID: 5284)
      • svchost.exe (PID: 3440)
      • svchost.exe (PID: 7272)
    • Application launched itself

      • iexplore.exe (PID: 2280)
    • The dropped object may contain a URL to Tor Browser

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe (PID: 17128)
      • cerber.exe.exe (PID: 7496)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

Subsystem: Windows command line
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x28032c
UninitializedDataSize: -
InitializedDataSize: 1511936
CodeSize: 2664960
LinkerVersion: 14.37
PEType: PE32+
ImageFileCharacteristics: Executable, Large address aware
TimeStamp: 2023:10:24 19:43:43+00:00
MachineType: AMD AMD64
No data.
All screenshots are available in the full report
Total processes: 505
Monitored processes: 365
Malicious processes: 37
Suspicious processes: 22

Behavior graph

Interactive process graph (omitted here; available in the full report).
backdoor.win32.tyupkin.c2.vir.exe no specs backdoor.win32.tyupkin.d.vir.exe no specs cmd.exe no specs backdoor.win32.tyupkin.h.exe.vir.exe no specs bc12d7052e6cfce8f16625ca8b88803cd4e58356eb32fe62667336d4dee708a3.exe.exe no specs bdef2ddcd8d4d66a42c9cbafd5cf7d86c4c0e3ed8c45cc734742c5da2fb573f7.exe.exe no specs bea95bebec95e0893a845f62e832d7cf.exe.vir.exe no specs bed0bec3d123e7611dc3d722813eeb197a2b8048396cef4414f29f24af3a29c4.exe.exe no specs blanca de nieve.scr.exe no specs c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe.exe no specs gbudn.exe no specs c116cd083284cc599c024c3479ca9b70_2.tmp_.exe no specs c1e5dae72a51a7b7219346c4a360d867.exe.exe no specs c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe.exe no specs c4762489488f797b4b33382c8b1b71c94a42c846f1f28e0e118c83fe032848f0.exe.exe no specs c7128e2772b4f8c59943028e205d1b23c07f36206c1c61a05645c7bf143b24ee.exe.exe no specs gadget.exe no specs c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe.exe no specs cmd.exe no specs cerber.exe.exe no specs cf4bf26b2d6f1c6055534bbe9decb579ef0180e0f8c467c1a26e2ead7567058a.exe.exe no specs cf65cc6e4b2b0c3f602b16398c8c30c277b8cfaed689fe7cb61b92560d4e5b1b.exe.exe svchost.exe no specs cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30.exe.exe no specs cff49c25b053f775db8980a431a958020bdf969ea08872de4cef5a5f344f534c.exe.exe d0f059ba21f06021579835a55220d1e822d1233f95879ea6f7cb9d301408c821.exe.exe no specs cmd.exe no specs d214c717a357fe3a455610b197c390aa.exe.exe no specs d2642d3731508b52efa34adf57701f18e2f8b70addf31e33e445e75b9a909822.exe.exe no specs cmd.exe no specs d30f306d4d866a07372b94f7657a7a2b0500137fe7ef51678d0ef4249895c2c5.exe.exe no specs gadget.exe no specs d43c10a2c983049d4a32487ab1e8fe7727646052228554e0112f6651f4833d2c.exe.exe no specs d86af736644e20e62807f03c49f4d0ad7de9cbd0723049f34ec79f8c7308fdd5.exe.exe no specs mcwsazmq.exe no specs d883dc7acc192019f220409ee2cadd64.exe.exe 
d8fdcdaad652c19f4f4676cd2f89ae834dbc19e2759a206044b18601875f2726.exe.exe no specs data.exe_.exe no specs db36ad77875bbf622d96ae8086f44924c37034dd95e9eb6d6369cc6accd2a40d.exe.exe no specs compmgmtlauncher.exe no specs a98099541168c7f36b107e24e9c80c9125fefb787ae720799b03bb4425aba1a9.exe.exe no specs dea53e331d3b9f21354147f60902f6e132f06183ed2f4a28e67816f9cb140a90.exe.exe no specs df5a394ad60512767d375647dbb82994.exe.exe no specs doublefantasy_2a12630ff976ba0994143ca93fecd17f.exe.exe no specs dropper.ex_.exe no specs svchost.exe no specs dumped.exe.exe no specs cmd.exe no specs dump_00a10000-00a1d000.exe.vir.exe no specs dustman.exe.exe no specs e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc.exe.exe no specs e1ba03a10a40aab909b2ba58dcdfd378b4d264f1f4a554b669797bbb8c8ac902.exe.exe no specs e1d852f2ea8436ac33bc8fe200aca4af4fb15f33ecda6441741589daa44115c5.exe.exe no specs e2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747.exe.exe no specs e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe.exe no specs e5b68ab68b12c3eaff612ada09eb2d4c403f923cdec8a5c8fe253c6773208baf.exe.exe no specs e77306d2e3d656fa04856f658885803243aef204760889ca2c09fbe9ba36581d.exe.exe no specs 4cc343.exe no specs e784e95fb5b0188f0c7c82add9a3c89c5bc379eaf356a4d3876d9493a986e343.exe.exe no specs cmd.exe no specs c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe.exe no specs e906fa3d51e86a61741b3499145a114e9bfb7c56.exe.exe no specs e93d6f4ce34d4f594d7aed76cfde0fad.exe.exe no specs cmd.exe no specs ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe no specs cmd.exe no specs eefa052da01c3faa1d1f516ddfefa8ceb8a5185bb9b5368142ffdf839aea4506.exe.exe no specs ef47aaf4e964e1e1b7787c480e60a744550de847618510d2bf54bbc5bda57470.exe.exe no specs eqig unpacked.ex_.exe no specs eqig.ex_.exe no specs msiexec.exe no specs equationdrug_4556ce5eb007af1de5bd3b457f0b216d.exe.exe no specs cmd.exe no specs 
f152ed03e4383592ce7dd548c34f73da53fc457ce8f26d165155a331cde643a9.exe.exe no specs f1d903251db466d35533c28e3c032b7212aa43c8d64ddf8c5521b43031e69e1e.exe.exe no specs f1e546fe9d51dc96eb766ec61269edfb.exe.exe no specs f65fa71e8ffe11bb6e7c6c84c3d365f4fe729e1e9c38cb4f073d2b65058465fa.exe.exe no specs f77db63cbed98391027f2525c14e161f.exe.exe no specs f897a65b.exe.exe no specs cmd.exe no specs attrib.exe no specs fa5390bbcc4ab768dd81f31eac0950f6.exe.exe no specs icacls.exe no specs fancybear.germanparliament.exe no specs cmd.exe no specs HNetCfg.FwMgr no specs cmd.exe no specs fc085d9be18f3d8d7ca68fbe1d9e29abbe53e7582453f61a9cd65da06961f751.exe.exe no specs e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe.exe no specs fc75410aa8f76154f5ae8fe035b9a13c76f6e132077346101a0d673ed9f3a0dd.exe.exe no specs file_4571518150a8181b403df4ae7ad54ce8b16ded0c.exe.exe no specs taskdl.exe no specs cmd.exe no specs fixklez.com.exe no specs cmd.exe no specs fix_nimda.exe.exe no specs flash829.exe.exe no specs cmd.exe no specs grayfish_9b1ca66aab784dc5f1dfe635d8f8a904.exe.exe no specs cmd.exe no specs

Process information

Each entry gives the PID, command line (CMD), image path and parent process, followed by the fields the sandbox recorded for it (user, company, integrity level, description, exit code, version) and, where captured, the modules loaded.
PID: 308
CMD: "C:\Users\admin\AppData\Local\Temp\.tmpGcwzRs\64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15.exe.exe"
Path: C:\Users\admin\AppData\Local\Temp\.tmpGcwzRs\64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15.exe.exe
Parent process: mtk.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00
PID: 364
CMD: "C:\Users\admin\AppData\Local\Temp\.tmpGcwzRs\07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe"
Path: C:\Users\admin\AppData\Local\Temp\.tmpGcwzRs\07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe
Parent process: mtk.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Help Service
Exit code: 0
Version: 2, 0, 0, 2
Modules (images loaded):
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64.dll
c:\users\admin\appdata\local\temp\.tmpgcwzrs\07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe
c:\windows\system32\kernel32.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
PID: 416
CMD: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Video\movie.mp4"
Path: C:\Program Files\VideoLAN\VLC\vlc.exe
Parent process: 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe
User: admin
Company: VideoLAN
Integrity Level: MEDIUM
Description: VLC media player
Exit code: 0
Version: 2.2.6
PID: 588
CMD: "C:\Users\admin\AppData\Local\Temp\.tmpGcwzRs\8c213b3707b0b042d769fdf543c6e8bd7c127cea6a9bc989eaf241a1505d1ed9.exe.exe"
Path: C:\Users\admin\AppData\Local\Temp\.tmpGcwzRs\8c213b3707b0b042d769fdf543c6e8bd7c127cea6a9bc989eaf241a1505d1ed9.exe.exe
Parent process: mtk.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
PID: 600
CMD: C:\Windows\system32\net1 stop BackupExecJobEngine /y
Path: C:\Windows\SysWOW64\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Net Command
Exit code: 2
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID: 752
CMD: "net.exe" stop CASAD2DWebSvc /y
Path: C:\Windows\SysWOW64\net.exe
Parent process: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Net Command
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 792
CMD: "C:\Users\admin\AppData\Local\Temp\.tmpGcwzRs\21.exe.exe"
Path: C:\Users\admin\AppData\Local\Temp\.tmpGcwzRs\21.exe.exe
Parent process: mtk.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the image asked for elevation that the medium-integrity launcher could not grant, so it never ran)
Modules (images loaded):
c:\users\admin\appdata\local\temp\.tmpgcwzrs\21.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 984
CMD: "net.exe" stop ccSetMgr /y
Path: C:\Windows\SysWOW64\net.exe
Parent process: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Net Command
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 984 (PID reused after the net.exe instance above exited)
CMD: C:\Windows\system32\net1 stop PDVFSService /y
Path: C:\Windows\SysWOW64\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Net Command
Exit code: 2
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID: 992
CMD: "C:\Users\admin\AppData\Local\Temp\.tmpGcwzRs\03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe"
Path: C:\Users\admin\AppData\Local\Temp\.tmpGcwzRs\03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe
Parent process: mtk.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Help Service
Exit code: 0
Version: 2, 0, 0, 2
Modules (images loaded):
c:\users\admin\appdata\local\temp\.tmpgcwzrs\03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
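The net/net1 "stop <service> /y" commands above (PIDs 600, 752 and 984) form a backup/endpoint-protection kill list, and the process tree also shows vssadmin.exe, sc.exe and taskkill.exe children, which is the usual pre-encryption sequence rather than administration. The following Python is an added example, not ANY.RUN's or the sample's code: it runs a small triage over constructed process-creation records modelled on those rows. The record layout (pid | parent image | exit code | command line), the argument lines for vssadmin, sc and taskkill (the report lists those processes but not their arguments) and the service-name set are assumptions for illustration. It flags the service-stop pattern even though every stop here failed (exit code 2: none of these services exist on a stock Windows 7 image), and decodes the NTSTATUS-range exit code of PID 792.

```python
"""Triage process-creation records for ransomware-style preparation steps.

Added example for this report, not ANY.RUN code. Each record is
"pid|parent image|exit code|command line" (assumed layout).
"""
import re
from collections import Counter
from typing import Dict, List

# Service names taken from the report's net stop commands (lower-cased).
# None of them exist on a stock Windows 7 install, which is why every
# stop below exits non-zero; the target list is the indicator regardless.
BACKUP_AV_SERVICES = {
    "backupexecjobengine", "casad2dwebsvc", "ccsetmgr", "pdvfsservice",
}

# Exit codes at or above 0xC0000000 are NTSTATUS values, not errorlevels.
NTSTATUS_NAMES = {
    0xC000042C: "STATUS_ELEVATION_REQUIRED",   # 3221226540, PID 792 above
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
}

# The image may appear bare, quoted, with .exe, or behind a full path.
_EXE = r'(?:^|[\\\s"])'
SERVICE_STOP = re.compile(_EXE + r'net1?(?:\.exe)?"?\s+stop\s+"?([^"\s]+)', re.I)
SC_CHANGE = re.compile(_EXE + r'sc(?:\.exe)?"?\s+(stop|delete|config)\s+"?([^"\s]+)', re.I)
VSS_DELETE = re.compile(_EXE + r'vssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.I)
TASKKILL = re.compile(_EXE + r'taskkill(?:\.exe)?"?\s+.*?/im\s+"?([^"\s]+)', re.I)

# Constructed records. The first five are copied from the report's process
# table; the vssadmin/sc/taskkill lines are assumed arguments (the report
# shows those processes but not what they were run with).
SAMPLE_LOG = r"""
600|net.exe|2|C:\Windows\system32\net1 stop BackupExecJobEngine /y
752|5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe|2|"net.exe" stop CASAD2DWebSvc /y
984|5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe|2|"net.exe" stop ccSetMgr /y
984|net.exe|2|C:\Windows\system32\net1 stop PDVFSService /y
792|mtk.exe|3221226540|"C:\Users\admin\AppData\Local\Temp\.tmpGcwzRs\21.exe.exe"
1301|cmd.exe|0|vssadmin.exe delete shadows /all /quiet
1302|cmd.exe|0|sc.exe config SDRSVC start= disabled
1303|cmd.exe|0|taskkill.exe /f /im sqlwriter.exe
416|0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe|0|"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Video\movie.mp4"
"""


def describe_exit_code(code: int) -> str:
    """Render NTSTATUS-range exit codes by name; leave errorlevels as-is."""
    if code >= 0xC0000000:
        return f"0x{code:08X} ({NTSTATUS_NAMES.get(code, 'unknown NTSTATUS')})"
    return str(code)


def parse_records(text: str) -> List[Dict]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, parent, exit_code, cmdline = line.split("|", 3)
        records.append({"pid": int(pid), "parent": parent,
                        "exit_code": int(exit_code), "cmdline": cmdline})
    return records


def analyze(records: List[Dict]) -> List[Dict]:
    """One finding per record that matches a preparation technique."""
    findings = []
    for rec in records:
        cmd, pid = rec["cmdline"], rec["pid"]
        succeeded = rec["exit_code"] == 0
        if m := SERVICE_STOP.search(cmd):
            svc = m.group(1)
            findings.append({"pid": pid, "technique": "service_stop", "target": svc,
                             "succeeded": succeeded,
                             "backup_or_av": svc.lower() in BACKUP_AV_SERVICES,
                             # /y auto-confirms stopping dependent services
                             "forced": "/y" in cmd.lower()})
        elif m := SC_CHANGE.search(cmd):
            findings.append({"pid": pid, "technique": f"sc_{m.group(1).lower()}",
                             "target": m.group(2), "succeeded": succeeded})
        elif VSS_DELETE.search(cmd):
            findings.append({"pid": pid, "technique": "shadow_copy_delete",
                             "target": "vssadmin", "succeeded": succeeded})
        elif m := TASKKILL.search(cmd):
            findings.append({"pid": pid, "technique": "process_kill",
                             "target": m.group(1), "succeeded": succeeded})
        elif rec["exit_code"] >= 0xC0000000:
            findings.append({"pid": pid, "technique": "abnormal_exit",
                             "target": describe_exit_code(rec["exit_code"]),
                             "succeeded": False})
    return findings


def summarize(findings: List[Dict]) -> Dict:
    """Count techniques; attempted stops count even when they all failed."""
    counts = Counter(f["technique"] for f in findings)
    av_stops = sum(1 for f in findings
                   if f["technique"] == "service_stop" and f["backup_or_av"])
    prep = av_stops >= 3 or counts["shadow_copy_delete"] > 0
    verdict = ("ransomware-style pre-encryption activity" if prep
               else "no preparation pattern")
    return {**counts, "verdict": verdict}


if __name__ == "__main__":
    results = analyze(parse_records(SAMPLE_LOG))
    for finding in results:
        print(finding)
    print(summarize(results))
```

The matchers key on the verb and target rather than the image name alone, so a renamed net1.exe behind a full path still trips them; in a real pipeline the same patterns apply to Sysmon event ID 1 or Security 4688 command lines, and the exit-code decode is what tells a failed elevation apart from a crash.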
Total events: 4 866
Read events: 4 786
Write events: 80
Delete events: 0

Modification events

(PID) Process: (2612) mtk.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2004) 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2004) 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2004) 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2004) 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3016) 0468127a19daf4c7bc41015c5640fe1f.exe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (3016) 0468127a19daf4c7bc41015c5640fe1f.exe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 46000000C1000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3016) 0468127a19daf4c7bc41015c5640fe1f.exe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3016) 0468127a19daf4c7bc41015c5640fe1f.exe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2468) cmd.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 584
Suspicious files: 926
Text files: 147
Unknown types: 4

Dropped files

Each entry: PID and process that wrote the file, the filename, its detected type, then MD5 and SHA256.

PID 2612 (mtk.exe): C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 (compressed)
MD5: F3441B8572AAE8801C04F3060B550443
SHA256: 6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF

PID 2612 (mtk.exe): C:\Users\admin\AppData\Local\Temp\CabCCFF.tmp (compressed)
MD5: F3441B8572AAE8801C04F3060B550443
SHA256: 6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF

PID 2612 (mtk.exe): C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (binary)
MD5: 26B8C301554A9D8BCCCF4DD93016E383
SHA256: AA84904EB011D4EA7CC847AB1E70617FB2654B6CD491876D49F67931E7364225

PID 2612 (mtk.exe): C:\Users\admin\AppData\Local\Temp\.tmpGcwzRs\01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257.exe.exe (executable)
MD5: 460B288A581CDEB5F831D102CB6D198B
SHA256: 01259A104A0199B794B0C61FCFC657EB766B2CAEAE68D5C6B164A53A97874257

PID 2612 (mtk.exe): C:\Users\admin\AppData\Local\Temp\TarCD00.tmp (binary)
MD5: 9441737383D21192400ECA82FDA910EC
SHA256: BC3A6E84E41FAEB57E7C21AA3B60C2A64777107009727C5B7C0ED8FE658909E5

PID 2612 (mtk.exe): C:\Users\admin\AppData\Local\Temp\.tmpGcwzRs\0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2.exe.exe (executable)
MD5: 6B8EA12D811ACF88F94B734BF5CFBFB3
SHA256: 0EB038E7E5EDD6AC1B4EEE8DD1C51B6D94DA24D02BA705E7E7F10B41EDF701C2

PID 2612 (mtk.exe): C:\Users\admin\AppData\Local\Temp\.tmpGcwzRs\0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300.exe.exe (executable)
MD5: 34409ABA1F76045AA0255E49DE16D586
SHA256: 0CFC34FA76228B1AFC7CE63E284A23CE1CD2927E6159B9DEA9702AD9CB2A6300

PID 2612 (mtk.exe): C:\Users\admin\AppData\Local\Temp\.tmpGcwzRs\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (executable)
MD5: 2AEA3B217E6A3D08EF684594192CAFC8
SHA256: 0442CFABB3212644C4B894A7E4A7E84C00FD23489CC4F96490F9988E6074B6AB

PID 2612 (mtk.exe): C:\Users\admin\AppData\Local\Temp\.tmpGcwzRs\0008065861f5b09195e51add72dacd3c4bbce6444711320ad349c7dab5bb97fb.exe.exe (executable)
MD5: D2074D6273F41C34E8BA370AA9AF46AD
SHA256: 0008065861F5B09195E51ADD72DACD3C4BBCE6444711320AD349C7DAB5BB97FB

PID 2612 (mtk.exe): C:\Users\admin\AppData\Local\Temp\.tmpGcwzRs\027cc450ef5f8c5f653329641ec1fed9.exe.exe (executable)
MD5: 71B6A493388E7D0B40C83CE903BC6B04
SHA256: 027CC450EF5F8C5F653329641EC1FED91F694E0D229928963B30F6B0D7D3A745
HTTP(S) requests: 32
TCP/UDP connections: 1 142
DNS requests: 68
Threats: 107

HTTP requests

Each entry: PID and process (where the sandbox attributed the request), method and HTTP status, server IP:port, URL, then CN, content type and size, and reputation as recorded. Rows without a PID are requests the sandbox did not attribute to a process.

(no PID/process recorded) | GET 404 | 188.40.187.155:80 | http://mynexa.io/hfv23svj2/plugins/cred.dll | CN: unknown | reputation: unknown
(no PID/process recorded) | GET 404 | 188.40.187.155:80 | http://mynexa.io/hfv23svj2/plugins/scr.dll | CN: unknown | reputation: unknown
2452 utilview.exe | GET 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | CN: unknown | html, 106 b | reputation: unknown
(no PID/process recorded) | GET 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | CN: unknown | html, 106 b | reputation: unknown
(no PID/process recorded) | POST 404 | 188.40.187.155:80 | http://mynexa.io/hfv23svj2/index.php | CN: unknown | reputation: unknown
(no PID/process recorded) | GET 404 | 123.57.60.215:80 | http://123.57.60.215/beacon.txt | CN: unknown | text, 19 b | reputation: unknown
(no PID/process recorded) | GET 404 | 123.57.60.215:80 | http://123.57.60.215/beacon.txt | CN: unknown | text, 19 b | reputation: unknown
(no PID/process recorded) | GET 301 | 13.107.246.60:80 | http://api.nuget.org/packages/taskscheduler.2.5.23.nupkg | CN: unknown | reputation: unknown
2612 mtk.exe | GET 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e5937c9360690284 | CN: unknown | compressed, 61.6 Kb | reputation: unknown
(no PID/process recorded) | GET 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | CN: unknown | html, 106 b | reputation: unknown

Connections

Each entry: PID and process, remote IP:port, then domain, ASN, country and reputation where the sandbox recorded them.

4 System | 192.168.100.255:138 | whitelisted
4 System | 192.168.100.255:137 | unknown
324 svchost.exe | 224.0.0.252:5355 | unknown
2612 mtk.exe | 45.67.85.72:443 | m.crep.vip | US | unknown
2612 mtk.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted
1956 svchost.exe | 239.255.255.250:1900 | whitelisted
2892 0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776.exe.exe | 58.158.177.102:443 | flash-update.buyonebuy.top | ARTERIA Networks Corporation | JP | unknown
3016 0468127a19daf4c7bc41015c5640fe1f.exe.exe | 193.135.12.107:80 | LLC Baxet | RU | malicious
2452 utilview.exe | 132.226.8.169:80 | checkip.dyndns.org | ORACLE-BMC-31898 | JP | unknown
(no PID/process recorded) | 95.181.46.38:14307 | E-Light-Telecom Ltd. | RU | unknown

DNS requests

Domain
IP
Reputation
m.crep.vip
  • 45.67.85.72
unknown
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
flash-update.buyonebuy.top
  • 58.158.177.102
unknown
checkip.dyndns.org
  • 132.226.8.169
  • 193.122.130.0
  • 132.226.247.73
  • 158.101.44.242
  • 193.122.6.168
shared
www.microsoft.com
  • 23.36.157.160
  • 23.35.229.160
  • 69.192.161.161
whitelisted
www.google.com
  • 142.250.185.132
  • 142.250.187.132
  • 172.217.169.132
whitelisted
exusin.ru
unknown
imagisp.ru
unknown
cudgewit.ru
unknown
mynexa.io
  • 188.40.187.155
unknown

Threats

Each entry: PID and process (where attributed), alert class, signature message.

324 svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
324 svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
324 svchost.exe | Misc activity | AV INFO Query to checkip.dyndns. Domain
(no PID/process recorded) | A Network Trojan was detected | ET MALWARE Common Upatre Header Structure 2
(no PID/process recorded) | Device Retrieving External IP Address Detected | ET MALWARE Upatre External IP Check
(no PID/process recorded) | A Network Trojan was detected | ET MALWARE Mazilla Suspicious User-Agent Jan 15 2015
(no PID/process recorded) | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
2892 0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776.exe.exe | Domain Observed Used for C2 Detected | ET MALWARE Malicious SSL certificate detected (Possible Sinkhole)
(no PID/process recorded) | A Network Trojan was detected | ET MALWARE Common Upatre Header Structure 2
(no PID/process recorded) | A Network Trojan was detected | ET MALWARE Mazilla Suspicious User-Agent Jan 15 2015
Process / Message (debug output strings)

vlc.exe: core libvlc: one instance mode ENABLED
7249b1a5082c9d9654d9fac3bb5e965ea23e395554d3351b77dd4f29677426fe.exe.exe: Script Error
7249b1a5082c9d9654d9fac3bb5e965ea23e395554d3351b77dd4f29677426fe.exe.exe: Run OK