Malware analysis atom.exe Malicious activity | ANY.RUN

Add for printing

File name:	atom.exe
Full analysis:	https://app.any.run/tasks/3e929446-be1c-4e1f-b921-a00384988ea0
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	May 17, 2025, 20:06:02
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader winring0x64-sys vuln-driver
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	59F2AC79F77D882EEF0AD3A9AE12C78B
SHA1:	4855E83407256EDCEE2B131542CE271673FA274A
SHA256:	1672C62639293577DB5745693CB8A0C596A6B3882BD654A04E9DB9F6734221B3
SSDEEP:	49152:33Mn23dXnvwj5Ju7SMpGcuMUdlEe9BxIklWMrD5raghxKtDCwgWAyuFf:33Mn23hnvwFkODVP6qDBxKtDCwMyIf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executing a file with an untrusted certificate
  - setup.exe (PID: 6892)
  - hjksfs.exe (PID: 1056)
  - DistriCompiler89.exe (PID: 5232)
  - DistriCompiler89.exe (PID: 632)
  - DistriCompiler89.exe (PID: 2140)
  - hjksfd.exe (PID: 7156)
  - VirtuServer128.exe (PID: 4892)
  - shark.exe (PID: 6044)
- Known privilege escalation attack
  - dllhost.exe (PID: 4200)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 5304)
  - cmd.exe (PID: 668)
- Changes Windows Defender settings
  - cmd.exe (PID: 668)
- Adds path to the Windows Defender exclusion list
  - cmd.exe (PID: 668)
- Adds process to the Windows Defender exclusion list
  - cmd.exe (PID: 668)
- Vulnerable driver has been detected
  - 7za.exe (PID: 7224)
SUSPICIOUS
- Executable content was dropped or overwritten
  - atom.exe (PID: 7412)
  - lrunner0.exe (PID: 2284)
  - setup.exe (PID: 4880)
  - hjksfs.exe (PID: 1056)
  - DistriCompiler89.exe (PID: 5232)
  - DistriCompiler89.exe (PID: 632)
  - DistriCompiler89.exe (PID: 2140)
  - setup.exe (PID: 6892)
  - IDM 6.42.36 Patch.exe (PID: 1056)
  - hjksfd.exe (PID: 7156)
  - MicrosoftEdgeWebview2Setup.exe (PID: 6740)
  - 7za.exe (PID: 7224)
  - VirtuServer128.exe (PID: 4892)
- Starts itself from another location
  - atom.exe (PID: 7412)
  - DistriCompiler89.exe (PID: 5232)
- Reads security settings of Internet Explorer
  - loader.exe (PID: 7432)
  - setup.exe (PID: 4880)
  - explorer.exe (PID: 3900)
  - atom.exe (PID: 7000)
- Application launched itself
  - setup.exe (PID: 4880)
  - atom.exe (PID: 7000)
  - setup.exe (PID: 7788)
  - WinRAR.exe (PID: 6512)
  - WinRAR.exe (PID: 4464)
  - WinRAR.exe (PID: 7212)
  - cmd.exe (PID: 7976)
  - cmd.exe (PID: 1812)
  - cmd.exe (PID: 668)
- Reads Microsoft Outlook installation path
  - loader.exe (PID: 7432)
- There is functionality for taking screenshot (YARA)
  - atom.exe (PID: 7412)
  - loader.exe (PID: 7432)
- Reads Internet Explorer settings
  - loader.exe (PID: 7432)
- Creates a software uninstall entry
  - setup.exe (PID: 4880)
- Searches for installed software
  - setup.exe (PID: 4880)
- The process creates files with name similar to system file names
  - setup.exe (PID: 4880)
- Reads the date of Windows installation
  - atom.exe (PID: 7000)
- Starts a Microsoft application from unusual location
  - setup.exe (PID: 6892)
  - MicrosoftEdgeUpdate.exe (PID: 6480)
- Drops 7-zip archiver for unpacking
  - DistriCompiler89.exe (PID: 632)
  - IDM 6.42.36 Patch.exe (PID: 1056)
- Executes application which crashes
  - hjksfd.exe (PID: 7156)
  - shark.exe (PID: 6044)
- Potential Corporate Privacy Violation
  - setup.exe (PID: 6892)
- Starts CMD.EXE for commands execution
  - hjksfd.exe (PID: 7156)
  - IDM 6.42.36 Patch.exe (PID: 1056)
  - t29408.exe (PID: 2408)
  - cmd.exe (PID: 7976)
  - cmd.exe (PID: 1812)
  - cmd.exe (PID: 668)
- Executing commands from a ".bat" file
  - IDM 6.42.36 Patch.exe (PID: 1056)
  - cmd.exe (PID: 7976)
  - t29408.exe (PID: 2408)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 668)
  - VirtuServer128.exe (PID: 4892)
  - t29408.exe (PID: 7992)
  - cmd.exe (PID: 7976)
  - cmd.exe (PID: 4112)
  - cmd.exe (PID: 6184)
  - shark.exe (PID: 6044)
- Script adds exclusion process to Windows Defender
  - cmd.exe (PID: 668)
- Script adds exclusion path to Windows Defender
  - cmd.exe (PID: 668)
- Connects to unusual port
  - VirtuServer128.exe (PID: 4892)
  - shark.exe (PID: 6044)
- Uses ATTRIB.EXE to modify file attributes
  - cmd.exe (PID: 668)
- Process drops legitimate windows executable
  - VirtuServer128.exe (PID: 4892)
  - MicrosoftEdgeUpdate.exe (PID: 6480)
  - 7za.exe (PID: 7224)
  - MicrosoftEdgeWebview2Setup.exe (PID: 6740)
- Starts process via Powershell
  - powershell.exe (PID: 7600)
- Drops a system driver (possible attempt to evade defenses)
  - 7za.exe (PID: 7224)
- The process executes via Task Scheduler
  - shark.exe (PID: 6044)
- Possibly malicious use of IEX has been detected
  - cmd.exe (PID: 7976)
- Probably obfuscated PowerShell command line is found
  - cmd.exe (PID: 7976)
- Hides command output
  - cmd.exe (PID: 4112)
  - cmd.exe (PID: 3804)
  - cmd.exe (PID: 7556)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 7976)
  - cmd.exe (PID: 3804)
  - cmd.exe (PID: 7556)
- Starts application with an unusual extension
  - cmd.exe (PID: 7976)
INFO
- The sample compiled with english language support
  - atom.exe (PID: 7412)
  - lrunner0.exe (PID: 2284)
  - setup.exe (PID: 4880)
  - DistriCompiler89.exe (PID: 632)
  - DistriCompiler89.exe (PID: 2140)
  - IDM 6.42.36 Patch.exe (PID: 1056)
  - VirtuServer128.exe (PID: 4892)
  - MicrosoftEdgeWebview2Setup.exe (PID: 6740)
  - MicrosoftEdgeUpdate.exe (PID: 6480)
- Create files in a temporary directory
  - atom.exe (PID: 7412)
  - loader.exe (PID: 7432)
  - lrunner0.exe (PID: 2284)
  - atom.exe (PID: 7000)
- Checks supported languages
  - atom.exe (PID: 7412)
  - loader.exe (PID: 7432)
  - setup.exe (PID: 4880)
  - setup.exe (PID: 6048)
  - lrunner0.exe (PID: 2284)
  - atom.exe (PID: 7000)
  - explorer.exe (PID: 3900)
  - atom.exe (PID: 5164)
  - atom.exe (PID: 5728)
  - atom.exe (PID: 5124)
  - atom.exe (PID: 7344)
  - atom.exe (PID: 7596)
  - atom.exe (PID: 7796)
  - atom.exe (PID: 664)
  - atom.exe (PID: 6132)
  - atom.exe (PID: 6268)
  - atom.exe (PID: 6108)
  - atom.exe (PID: 7792)
  - atom.exe (PID: 5576)
  - atom.exe (PID: 720)
  - atom.exe (PID: 1128)
  - atom.exe (PID: 8056)
  - atom.exe (PID: 1328)
  - atom.exe (PID: 1912)
  - atom.exe (PID: 5556)
  - atom.exe (PID: 5744)
  - atom.exe (PID: 7540)
  - atom.exe (PID: 4284)
  - atom.exe (PID: 5036)
  - atom.exe (PID: 7468)
  - atom.exe (PID: 2560)
  - atom.exe (PID: 4112)
  - atom.exe (PID: 7404)
  - setup.exe (PID: 900)
  - setup.exe (PID: 7788)
  - atom.exe (PID: 1184)
- Reads the machine GUID from the registry
  - loader.exe (PID: 7432)
  - setup.exe (PID: 4880)
  - atom.exe (PID: 7000)
  - atom.exe (PID: 7540)
- Reads the computer name
  - loader.exe (PID: 7432)
  - setup.exe (PID: 4880)
  - lrunner0.exe (PID: 2284)
  - atom.exe (PID: 7000)
  - explorer.exe (PID: 3900)
  - atom.exe (PID: 5728)
  - atom.exe (PID: 6268)
  - atom.exe (PID: 5124)
  - atom.exe (PID: 7540)
  - atom.exe (PID: 7468)
  - atom.exe (PID: 7404)
  - setup.exe (PID: 7788)
  - atom.exe (PID: 1184)
- Checks proxy server information
  - loader.exe (PID: 7432)
  - atom.exe (PID: 7000)
  - setup.exe (PID: 4880)
- Creates files in the program directory
  - loader.exe (PID: 7432)
- Reads the software policy settings
  - loader.exe (PID: 7432)
  - setup.exe (PID: 4880)
  - atom.exe (PID: 7000)
  - atom.exe (PID: 7540)
  - slui.exe (PID: 7648)
- Creates files or folders in the user directory
  - setup.exe (PID: 6048)
  - loader.exe (PID: 7432)
  - explorer.exe (PID: 3900)
  - setup.exe (PID: 4880)
  - atom.exe (PID: 5728)
  - atom.exe (PID: 7000)
  - setup.exe (PID: 7788)
- Process checks computer location settings
  - explorer.exe (PID: 3900)
  - atom.exe (PID: 664)
  - atom.exe (PID: 7596)
  - atom.exe (PID: 6132)
  - atom.exe (PID: 8056)
  - atom.exe (PID: 1328)
  - atom.exe (PID: 1912)
  - atom.exe (PID: 1128)
  - atom.exe (PID: 6108)
  - atom.exe (PID: 2560)
  - atom.exe (PID: 7796)
  - atom.exe (PID: 7792)
  - atom.exe (PID: 7000)
  - atom.exe (PID: 5036)
  - atom.exe (PID: 4284)
  - atom.exe (PID: 5576)
  - atom.exe (PID: 4112)
  - atom.exe (PID: 7344)
- Process checks whether UAC notifications are on
  - atom.exe (PID: 7000)
- Executes as Windows Service
  - elevation_service.exe (PID: 8032)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6384)
- Starts MODE.COM to configure console settings
  - mode.com (PID: 2432)
- The sample compiled with japanese language support
  - 7za.exe (PID: 7224)
- Checks operating system version
  - cmd.exe (PID: 7976)
- Changes the display of characters in the console
  - cmd.exe (PID: 7976)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:12:22 08:05:10+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	376320
InitializedDataSize:	614400
UninitializedDataSize:	-
EntryPoint:	0x23466
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	7.0.0.133
ProductVersionNumber:	7.0.0.133
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	VK
FileDescription:	Atom Browser
InternalName:	Atom Browser
OriginalFileName:	Atom Browser
ProductName:	Atom Browser
FileVersion:	7.0.0.133
ProductVersion:	7.0.0.133
LegalCopyright:	Copyright 2021

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

366

Monitored processes

210

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

208

reg delete HKU\S-1-5-21-1693682860-607145093-2874071422-1001\IAS_TEST /f

C:\Windows\System32\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

456

C:\Users\admin\AppData\Local\Temp\wtmpd\t29408.exe j6NM4Cxfv3

C:\Users\admin\AppData\Local\Temp\wtmpd\t29408.exe

—

cmd.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\wtmpd\t29408.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

632

C:\ProgramData\Iaclientv2\DistriCompiler89.exe

DistriCompiler89.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\programdata\iaclientv2\districompiler89.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

664

"C:\Users\admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --field-trial-handle=1472,14488773432526872264,9345687115926349938,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,PwaSupport,UnnamedSearch --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3236 /prefetch:1

C:\Users\admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe

—

atom.exe

User:

admin

Company:

The Atom Authors

Integrity Level:

LOW

Description:

Atom

Exit code:

Version:

17.0.0.21

Modules

Images
c:\users\admin\appdata\local\mail.ru\atom\application\atom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\mail.ru\atom\application\17.0.0.21\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

668

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7156 -s 744

C:\Windows\SysWOW64\WerFault.exe

—

hjksfd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

668

"C:\WINDOWS\Sysnative\cmd.exe" /C C:\Users\admin\AppData\Local\Temp\wtmpd\t29395.bat "C:\Users\admin\AppData\Local\Temp\Rar$EXb6384.38429\IDM 6.42.36 Patch.exe"

C:\Windows\System32\cmd.exe

—

IDM 6.42.36 Patch.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll

672

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6044 -s 664

C:\Windows\SysWOW64\WerFault.exe

—

shark.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

720

"C:\Users\admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1472,14488773432526872264,9345687115926349938,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,PwaSupport,UnnamedSearch --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 /prefetch:8

C:\Users\admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe

—

atom.exe

User:

admin

Company:

The Atom Authors

Integrity Level:

LOW

Description:

Atom

Exit code:

Version:

17.0.0.21

Modules

Images
c:\users\admin\appdata\local\mail.ru\atom\application\atom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\mail.ru\atom\application\17.0.0.21\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

736

"C:\Users\admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --field-trial-handle=1472,14488773432526872264,9345687115926349938,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,PwaSupport,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=4492 /prefetch:1

C:\Users\admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe

—

atom.exe

User:

admin

Company:

The Atom Authors

Integrity Level:

LOW

Description:

Atom

Exit code:

Version:

17.0.0.21

Modules

Images
c:\users\admin\appdata\local\mail.ru\atom\application\atom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\mail.ru\atom\application\17.0.0.21\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

800

reg query HKU\S-1-5-21-1693682860-607145093-2874071422-1001\Software\Classes\Wow6432Node\CLSID\IAS_TEST

C:\Windows\System32\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

141 771

Read events

141 332

Write events

394

Delete events

Modification events


(PID) Process:	(7432) loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mail.Ru\AtomInstaller
Operation:	write	Name:	LOADERGUID
Value: {0EE1664A-0BBE-4A12-9869-1685EBC29101}
(PID) Process:	(7432) loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7432) loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7432) loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2284) lrunner0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mail.Ru\AtomInstaller
Operation:	write	Name:	rfr
Value: 520002
(PID) Process:	(2284) lrunner0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mail.Ru\AtomInstaller
Operation:	write	Name:	newrfr
Value: 520002
(PID) Process:	(4880) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mail.Ru\AtomInstaller
Operation:	write	Name:	GUID
Value: {0EE1664A-0BBE-4A12-9869-1685EBC29101}
(PID) Process:	(4880) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mail.Ru\PartnerInfo\Atom
Operation:	write	Name:	InstallTime
Value: 58EC286800000000
(PID) Process:	(4880) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Atom
Operation:	write	Name:	InstallerProgress
Value: 19
(PID) Process:	(4880) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Atom
Operation:	write	Name:	InstallerProgress
Value: 25

Add for printing

Executable files

245

Suspicious files

674

Text files

160

Unknown types

Dropped files

PID	Process	Filename		Type
7432	loader.exe	C:\Users\admin\AppData\Local\Temp\mr1096125\lrunner0.exe		—
		MD5:—	SHA256:—
2284	lrunner0.exe	C:\Users\admin\AppData\Local\Temp\mr1096125\CR_CE9C1.tmp\CHROME.PACKED.7Z		—
		MD5:—	SHA256:—
4880	setup.exe	C:\Users\admin\AppData\Local\Mail.Ru\Atom\Application\17.0.0.21\Installer\chrome.7z		—
		MD5:—	SHA256:—
4880	setup.exe	C:\Users\admin\AppData\Local\Mail.Ru\Atom\Application\eventer.exe		—
		MD5:—	SHA256:—
7432	loader.exe	C:\ProgramData\Mail.Ru\Id		text
		MD5:4AD1EA09B76E2923A2BABD1BC7D090DA	SHA256:B98FCAA97DEDB4F563EE5FD2EDA8137757A1B10B674A11DCF3AF8846D85E1509
4880	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9B22F9556CD0158D3825C40DB4E12B13		binary
		MD5:620BEE79B007B7E0E85AC7222BE4B4A6	SHA256:93FB741CF1BEF1C6BCA4102CA1C41EDD35663B603A3ED48F6144CD624E04B94D
2284	lrunner0.exe	C:\Users\admin\AppData\Local\Temp\mr1096125\CR_CE9C1.tmp\setup.exe		executable
		MD5:EAC8B4DEB715A291AF1095D011BC9E57	SHA256:B5486C35BD45FEECC173C3ACBF435A2A6B24F2009A89F9B3B212F36D5D2D8E76
4880	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B		binary
		MD5:123F6587195FCD8DA8D1151720528C87	SHA256:49170DE0B799E680E0A9D5B5E87C36305043CB8328C38BF4513B513A69D56D0A
6048	setup.exe	C:\Users\admin\AppData\Local\Mail.Ru\Atom\User Data\Crashpad\settings.dat		binary
		MD5:420F1EEF3741CA055210A60A9765B98A	SHA256:B9AEADB6699E9419D6CF948B487BB80DDDC5B8F3DC0780C93CDC71DEBF3C0457
4880	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B		binary
		MD5:8B3A36B5BD5E98FECD798749E4B6B079	SHA256:8F522CD976049C1F726CA77B4ED2BF4C5CC2B9F06C96A797E8B27DAEB962529D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

297

DNS requests

146

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7432	loader.exe	GET	204	95.163.50.150:80	http://mrds.mail.ru/update/2/version.txt?type=loader.req_check&tool=loader&BID=%7B0EE1664A-0BBE-4A12-9869-1685EBC29101%7D&kind=atom&masterid=%7BBB4CE14F-1994-4B88-9FF5-FFA05BE94AD9%7D&rfr=&newrfr=520002&os=10.0&ver=7.0.0.133&IVID=3AYCeP0-qm2700000Z16H4I7%3A%3A%3A0-0-0-6f8308d%3ACAASEGHgAvLfvfiQj-kEZbuPgA8aYM4m01XaRlIlGt9KUmzdXYvCp7wfOc6bMXLH5uEhIOWGiN-Xl-MwRK25YkFzAqHbPySgdZNruhLfVm4nI0NOe-AoK7i2ivWps1q5AYa2iyi8gpBsC9ZBK7A_cPHqM68spg&send_stats=1&result=0	unknown	—	—	whitelisted
7432	loader.exe	GET	204	95.163.50.150:80	http://mrds.mail.ru/update/2/version.txt?type=loader.init&tool=loader&BID=%7B0EE1664A-0BBE-4A12-9869-1685EBC29101%7D&kind=atom&masterid=%7BBB4CE14F-1994-4B88-9FF5-FFA05BE94AD9%7D&rfr=&newrfr=520002&os=10.0&ver=7.0.0.133&IVID=3AYCeP0-qm2700000Z16H4I7%3A%3A%3A0-0-0-6f8308d%3ACAASEGHgAvLfvfiQj-kEZbuPgA8aYM4m01XaRlIlGt9KUmzdXYvCp7wfOc6bMXLH5uEhIOWGiN-Xl-MwRK25YkFzAqHbPySgdZNruhLfVm4nI0NOe-AoK7i2ivWps1q5AYa2iyi8gpBsC9ZBK7A_cPHqM68spg&send_stats=1&dsa=1	unknown	—	—	whitelisted
7432	loader.exe	GET	204	95.163.50.150:80	http://mrds.mail.ru/update/2/version.txt?type=loader.begin&tool=loader&BID=%7B0EE1664A-0BBE-4A12-9869-1685EBC29101%7D&kind=atom&masterid=%7BBB4CE14F-1994-4B88-9FF5-FFA05BE94AD9%7D&rfr=&newrfr=520002&os=10.0&ver=7.0.0.133&IVID=3AYCeP0-qm2700000Z16H4I7%3A%3A%3A0-0-0-6f8308d%3ACAASEGHgAvLfvfiQj-kEZbuPgA8aYM4m01XaRlIlGt9KUmzdXYvCp7wfOc6bMXLH5uEhIOWGiN-Xl-MwRK25YkFzAqHbPySgdZNruhLfVm4nI0NOe-AoK7i2ivWps1q5AYa2iyi8gpBsC9ZBK7A_cPHqM68spg&send_stats=1&send_stats=0	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7196	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7196	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7432	loader.exe	GET	204	95.163.50.150:80	http://mrds.mail.ru/update/2/version.txt?type=loader.download_finished&tool=loader&BID=%7B0EE1664A-0BBE-4A12-9869-1685EBC29101%7D&kind=atom&masterid=%7BBB4CE14F-1994-4B88-9FF5-FFA05BE94AD9%7D&rfr=&newrfr=520002&os=10.0&ver=7.0.0.133&IVID=3AYCeP0-qm2700000Z16H4I7%3A%3A%3A0-0-0-6f8308d%3ACAASEGHgAvLfvfiQj-kEZbuPgA8aYM4m01XaRlIlGt9KUmzdXYvCp7wfOc6bMXLH5uEhIOWGiN-Xl-MwRK25YkFzAqHbPySgdZNruhLfVm4nI0NOe-AoK7i2ivWps1q5AYa2iyi8gpBsC9ZBK7A_cPHqM68spg&send_stats=1&app=atom&error=0	unknown	—	—	whitelisted
4880	setup.exe	GET	200	104.18.20.226:80	http://ocsp.globalsign.com/rootr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDQHuXxad%2F5c1K2Rl1mo%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
—	—	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
7432	loader.exe	142.250.185.142:443	www.google-analytics.com	GOOGLE	US	whitelisted
7432	loader.exe	95.163.50.150:80	mrds.mail.ru	LLC VK	RU	whitelisted
7432	loader.exe	5.181.61.0:443	browser-asset.cdnmail.ru	LLC VK	RU	suspicious
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.159.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
crl.microsoft.com	2.16.168.124 2.16.168.114	whitelisted
www.microsoft.com	2.23.246.101 69.192.161.161	whitelisted
google.com	142.250.184.206 172.217.16.206	whitelisted
www.google-analytics.com	142.250.185.142	whitelisted
mrds.mail.ru	95.163.50.150	whitelisted
browser-asset.cdnmail.ru	5.181.61.0	unknown
client.wns.windows.com	172.211.123.249	whitelisted
login.live.com	20.190.159.68 20.190.159.23 40.126.31.73 40.126.31.71 20.190.159.75 40.126.31.129 40.126.31.128 40.126.31.0 20.190.159.4 20.190.159.129 20.190.159.64 40.126.31.69	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted

Threats

PID	Process	Class	Message
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2196	svchost.exe	Misc activity	ET FILE_SHARING File Sharing Related Domain in DNS Lookup (mega .nz)
5728	atom.exe	Misc activity	ET FILE_SHARING File Sharing Domain Observed in TLS SNI (mega .nz)
5728	atom.exe	Misc activity	ET FILE_SHARING File Sharing Domain Observed in TLS SNI (mega .nz)
2196	svchost.exe	Misc activity	ET FILE_SHARING Observed DNS Query to Filesharing Service (mega .co .nz)
5728	atom.exe	Misc activity	ET FILE_SHARING File Sharing Domain Observed in TLS SNI (mega .nz)

Add for printing

No debug info

General Info

atom.exe

59F2AC79F77D882EEF0AD3A9AE12C78B

4855E83407256EDCEE2B131542CE271673FA274A

1672C62639293577DB5745693CB8A0C596A6B3882BD654A04E9DB9F6734221B3

49152:33Mn23dXnvwj5Ju7SMpGcuMUdlEe9BxIklWMrD5raghxKtDCwgWAyuFf:33Mn23hnvwFkODVP6qDBxKtDCwMyIf

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Known privilege escalation attack

Uses Task Scheduler to run other applications

Changes Windows Defender settings

Adds path to the Windows Defender exclusion list

Adds process to the Windows Defender exclusion list

Vulnerable driver has been detected

SUSPICIOUS

Executable content was dropped or overwritten

Starts itself from another location

Reads security settings of Internet Explorer

Application launched itself

Reads Microsoft Outlook installation path

There is functionality for taking screenshot (YARA)

Reads Internet Explorer settings

Creates a software uninstall entry

Searches for installed software

The process creates files with name similar to system file names

Reads the date of Windows installation

Starts a Microsoft application from unusual location

Drops 7-zip archiver for unpacking

Executes application which crashes

Potential Corporate Privacy Violation

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Starts POWERSHELL.EXE for commands execution

Script adds exclusion process to Windows Defender

Script adds exclusion path to Windows Defender

Connects to unusual port

Uses ATTRIB.EXE to modify file attributes

Process drops legitimate windows executable

Starts process via Powershell

Drops a system driver (possible attempt to evade defenses)

The process executes via Task Scheduler

Possibly malicious use of IEX has been detected

Probably obfuscated PowerShell command line is found

Hides command output

Uses REG/REGEDIT.EXE to modify registry

Starts application with an unusual extension

INFO

The sample compiled with english language support

Create files in a temporary directory

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Checks proxy server information

Creates files in the program directory

Reads the software policy settings

Creates files or folders in the user directory

Process checks computer location settings

Process checks whether UAC notifications are on

Executes as Windows Service

Executable content was dropped or overwritten

Starts MODE.COM to configure console settings

The sample compiled with japanese language support

Checks operating system version

Changes the display of characters in the console

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information