Malware analysis 16959ac1a2562a4ca6895bc36a54041caa92013f82a9f2e732c729ffabee27fc.exe Malicious activity

Add for printing

File name:	16959ac1a2562a4ca6895bc36a54041caa92013f82a9f2e732c729ffabee27fc.exe
Full analysis:	https://app.any.run/tasks/d8e1354b-4cf1-4caf-90ef-20f3120b4493
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Fabookie is an infostealer malware that was first observed as early as October 2021. The threat is known for targeting account credentials of Facebook users. The collected information is then sold by the attackers to other criminals. Fabookie is often distributed via loaders such as SmokeLoader. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	January 15, 2024, 18:18:20
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	risepro stealer evasion amadey botnet redline loader kelihos trojan stealc fabookie
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	BD05D7DC1A72D37A806C7307D38713F6
SHA1:	76ADA7A4946FD610FCDBEEEBFBB9359087B82318
SHA256:	16959AC1A2562A4CA6895BC36A54041CAA92013F82A9F2E732C729FFABEE27FC
SSDEEP:	98304:xn2o4WodJOSVf5QylzU1UcfKq/STHJzlrnc2tbb70MBtQLXZ3wjgR/iOkBJwlAsv:o2M

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - Av7wm62.exe (PID: 2740)
  - 4zY594HE.exe (PID: 588)
  - 6lf1LQ0.exe (PID: 4424)
  - explorhe.exe (PID: 4320)
  - RegAsm.exe (PID: 4552)
  - Miner-XMR1.exe (PID: 2240)
  - iojmibhyhiws.exe (PID: 5392)
  - latestrocki.exe (PID: 2020)
  - InstallSetup7.exe (PID: 5228)
  - boxApp.exe (PID: 2656)
  - flesh.exe (PID: 4168)
  - 322321.exe (PID: 6036)
  - support.exe (PID: 4696)
- RISEPRO has been detected (SURICATA)
  - 6lf1LQ0.exe (PID: 4424)
- Uses Task Scheduler to autorun other applications
  - 6lf1LQ0.exe (PID: 4424)
- RISEPRO has been detected (YARA)
  - 6lf1LQ0.exe (PID: 4424)
  - liva.exe (PID: 2860)
- Changes the autorun value in the registry
  - explorhe.exe (PID: 4320)
  - reg.exe (PID: 5652)
- AMADEY has been detected (SURICATA)
  - explorhe.exe (PID: 4320)
- Connects to the CnC server
  - explorhe.exe (PID: 4320)
  - 2024.exe (PID: 3824)
  - ms_updater.exe (PID: 4396)
  - RRDX.exe (PID: 4840)
  - RegAsm.exe (PID: 4440)
  - RegAsm.exe (PID: 5304)
  - nsl510D.tmp (PID: 3276)
  - rty25.exe (PID: 5616)
  - jsc.exe (PID: 5540)
- REDLINE has been detected (SURICATA)
  - 2024.exe (PID: 3824)
  - ms_updater.exe (PID: 4396)
  - RRDX.exe (PID: 4840)
  - RegAsm.exe (PID: 4440)
  - flesh.exe (PID: 4168)
  - RegAsm.exe (PID: 5304)
  - jsc.exe (PID: 5540)
- Steals credentials from Web Browsers
  - 2024.exe (PID: 3824)
  - ms_updater.exe (PID: 4396)
  - flesh.exe (PID: 4168)
  - RegAsm.exe (PID: 5304)
  - RRDX.exe (PID: 4840)
  - RegAsm.exe (PID: 4440)
  - jsc.exe (PID: 5540)
- REDLINE has been detected (YARA)
  - 2024.exe (PID: 3824)
  - ms_updater.exe (PID: 4396)
  - RRDX.exe (PID: 4840)
  - RegAsm.exe (PID: 4440)
  - 322321.exe (PID: 6036)
  - RegAsm.exe (PID: 5304)
- Actions looks like stealing of personal data
  - ms_updater.exe (PID: 4396)
  - 2024.exe (PID: 3824)
  - RRDX.exe (PID: 4840)
  - RegAsm.exe (PID: 4440)
  - flesh.exe (PID: 4168)
  - rty25.exe (PID: 5616)
  - RegAsm.exe (PID: 5304)
  - jsc.exe (PID: 5540)
- Unusual connection from system programs
  - rundll32.exe (PID: 5452)
- KELIHOS has been detected (SURICATA)
  - explorhe.exe (PID: 4320)
- STEALC has been detected (SURICATA)
  - nsl510D.tmp (PID: 3276)
- FABOOKIE has been detected (SURICATA)
  - rty25.exe (PID: 5616)
SUSPICIOUS
- Reads the Internet Settings
  - 1Xd45Zd4.exe (PID: 3028)
  - 4zY594HE.exe (PID: 588)
  - explorhe.exe (PID: 4320)
  - RegAsm.exe (PID: 4552)
  - 2024.exe (PID: 3824)
  - rundll32.exe (PID: 5452)
  - ms_updater.exe (PID: 4396)
  - latestrocki.exe (PID: 2020)
  - rty25.exe (PID: 3088)
  - InstallSetup7.exe (PID: 5228)
  - rty25.exe (PID: 5616)
  - nsl510D.tmp (PID: 3276)
  - RegAsm.exe (PID: 4440)
  - RegAsm.exe (PID: 5304)
  - RRDX.exe (PID: 4840)
  - jsc.exe (PID: 5540)
- Executable content was dropped or overwritten
  - 16959ac1a2562a4ca6895bc36a54041caa92013f82a9f2e732c729ffabee27fc.exe (PID: 2936)
  - Av7wm62.exe (PID: 2740)
  - 4zY594HE.exe (PID: 588)
  - 6lf1LQ0.exe (PID: 4424)
  - explorhe.exe (PID: 4320)
  - RegAsm.exe (PID: 4552)
  - Miner-XMR1.exe (PID: 2240)
  - latestrocki.exe (PID: 2020)
  - InstallSetup7.exe (PID: 5228)
  - boxApp.exe (PID: 2656)
  - iojmibhyhiws.exe (PID: 5392)
  - flesh.exe (PID: 4168)
  - 322321.exe (PID: 6036)
  - support.exe (PID: 4696)
- Connects to unusual port
  - 6lf1LQ0.exe (PID: 4424)
  - 2024.exe (PID: 3824)
  - ms_updater.exe (PID: 4396)
  - RRDX.exe (PID: 4840)
  - flesh.exe (PID: 4168)
  - RegAsm.exe (PID: 5304)
  - RegAsm.exe (PID: 4440)
  - jsc.exe (PID: 5540)
- Reads settings of System Certificates
  - 6lf1LQ0.exe (PID: 4424)
  - explorhe.exe (PID: 4320)
  - rty25.exe (PID: 3088)
  - rty25.exe (PID: 5616)
- Checks for external IP
  - 6lf1LQ0.exe (PID: 4424)
- Reads security settings of Internet Explorer
  - explorhe.exe (PID: 4320)
  - rty25.exe (PID: 3088)
  - rty25.exe (PID: 5616)
- Adds/modifies Windows certificates
  - explorhe.exe (PID: 4320)
  - rty25.exe (PID: 5616)
- Connects to the server without a host name
  - explorhe.exe (PID: 4320)
  - InstallSetup7.exe (PID: 5228)
  - nsl510D.tmp (PID: 3276)
- Process requests binary or script from the Internet
  - explorhe.exe (PID: 4320)
  - InstallSetup7.exe (PID: 5228)
- Searches for installed software
  - 2024.exe (PID: 3824)
  - ms_updater.exe (PID: 4396)
  - flesh.exe (PID: 4168)
  - RRDX.exe (PID: 4840)
  - RegAsm.exe (PID: 5304)
  - RegAsm.exe (PID: 4440)
  - jsc.exe (PID: 5540)
- Checks Windows Trust Settings
  - explorhe.exe (PID: 4320)
  - rty25.exe (PID: 3088)
  - rty25.exe (PID: 5616)
- Reads the BIOS version
  - Miner-XMR1.exe (PID: 2240)
  - iojmibhyhiws.exe (PID: 5392)
- Uses REG/REGEDIT.EXE to modify registry
  - Miner-XMR1.exe (PID: 2240)
  - iojmibhyhiws.exe (PID: 5392)
- Starts CMD.EXE for commands execution
  - Miner-XMR1.exe (PID: 2240)
  - BroomSetup.exe (PID: 3244)
- Reads browser cookies
  - 2024.exe (PID: 3824)
  - ms_updater.exe (PID: 4396)
  - flesh.exe (PID: 4168)
  - RegAsm.exe (PID: 4440)
  - RegAsm.exe (PID: 5304)
  - RRDX.exe (PID: 4840)
  - jsc.exe (PID: 5540)
- Drops a system driver (possible attempt to evade defenses)
  - iojmibhyhiws.exe (PID: 5392)
- Starts application with an unusual extension
  - InstallSetup7.exe (PID: 5228)
  - cmd.exe (PID: 5872)
- Executing commands from a ".bat" file
  - BroomSetup.exe (PID: 3244)
- Process drops legitimate windows executable
  - 322321.exe (PID: 6036)
INFO
- Drops the executable file immediately after the start
  - 16959ac1a2562a4ca6895bc36a54041caa92013f82a9f2e732c729ffabee27fc.exe (PID: 2936)
  - firefox.exe (PID: 3024)
- Checks supported languages
  - 1Xd45Zd4.exe (PID: 3028)
  - 16959ac1a2562a4ca6895bc36a54041caa92013f82a9f2e732c729ffabee27fc.exe (PID: 2936)
  - Av7wm62.exe (PID: 2740)
  - 4zY594HE.exe (PID: 588)
  - explorhe.exe (PID: 4320)
  - 6lf1LQ0.exe (PID: 4424)
  - boxApp.exe (PID: 2656)
  - 2024.exe (PID: 3824)
  - cryptedpixel.exe (PID: 4288)
  - RegAsm.exe (PID: 4552)
  - ms_updater.exe (PID: 4396)
  - Miner-XMR1.exe (PID: 2240)
  - iojmibhyhiws.exe (PID: 5392)
  - latestrocki.exe (PID: 2020)
  - InstallSetup7.exe (PID: 5228)
  - 31839b57a4f11171d6abc8bbc4451ee4.exe (PID: 5476)
  - rty25.exe (PID: 3088)
  - BroomSetup.exe (PID: 3244)
  - RRDX.exe (PID: 4840)
  - nsl510D.tmp (PID: 3276)
  - support.exe (PID: 4696)
  - autorun.exe (PID: 5108)
  - RegAsm.exe (PID: 4440)
  - flesh.exe (PID: 4168)
  - 322321.exe (PID: 6036)
  - rty25.exe (PID: 5616)
  - gold.exe (PID: 4764)
  - chcp.com (PID: 4000)
  - RegAsm.exe (PID: 5304)
  - zona.exe (PID: 712)
  - liva.exe (PID: 2860)
  - MSBuild.exe (PID: 1436)
  - jsc.exe (PID: 5540)
  - MSBuild.exe (PID: 3108)
  - explorhe.exe (PID: 3260)
- Process drops legitimate windows executable
  - 16959ac1a2562a4ca6895bc36a54041caa92013f82a9f2e732c729ffabee27fc.exe (PID: 2936)
- Reads mouse settings
  - 1Xd45Zd4.exe (PID: 3028)
- Create files in a temporary directory
  - 16959ac1a2562a4ca6895bc36a54041caa92013f82a9f2e732c729ffabee27fc.exe (PID: 2936)
  - Av7wm62.exe (PID: 2740)
  - 4zY594HE.exe (PID: 588)
  - 6lf1LQ0.exe (PID: 4424)
  - explorhe.exe (PID: 4320)
  - iojmibhyhiws.exe (PID: 5392)
  - latestrocki.exe (PID: 2020)
  - InstallSetup7.exe (PID: 5228)
  - boxApp.exe (PID: 2656)
  - flesh.exe (PID: 4168)
  - support.exe (PID: 4696)
- Application launched itself
  - chrome.exe (PID: 2524)
  - firefox.exe (PID: 3024)
  - msedge.exe (PID: 2600)
  - chrome.exe (PID: 5848)
  - msedge.exe (PID: 3716)
  - chrome.exe (PID: 2900)
  - chrome.exe (PID: 1560)
  - msedge.exe (PID: 4544)
  - msedge.exe (PID: 2932)
  - chrome.exe (PID: 5088)
  - chrome.exe (PID: 2484)
  - msedge.exe (PID: 1096)
  - msedge.exe (PID: 5204)
  - chrome.exe (PID: 3316)
  - rty25.exe (PID: 3088)
- Reads the computer name
  - 1Xd45Zd4.exe (PID: 3028)
  - 4zY594HE.exe (PID: 588)
  - 6lf1LQ0.exe (PID: 4424)
  - explorhe.exe (PID: 4320)
  - boxApp.exe (PID: 2656)
  - cryptedpixel.exe (PID: 4288)
  - RegAsm.exe (PID: 4552)
  - ms_updater.exe (PID: 4396)
  - latestrocki.exe (PID: 2020)
  - 2024.exe (PID: 3824)
  - InstallSetup7.exe (PID: 5228)
  - rty25.exe (PID: 3088)
  - RRDX.exe (PID: 4840)
  - BroomSetup.exe (PID: 3244)
  - support.exe (PID: 4696)
  - RegAsm.exe (PID: 4440)
  - flesh.exe (PID: 4168)
  - rty25.exe (PID: 5616)
  - gold.exe (PID: 4764)
  - RegAsm.exe (PID: 5304)
  - 31839b57a4f11171d6abc8bbc4451ee4.exe (PID: 5476)
  - nsl510D.tmp (PID: 3276)
  - autorun.exe (PID: 5108)
  - jsc.exe (PID: 5540)
- Starts itself from another location
  - 4zY594HE.exe (PID: 588)
  - Miner-XMR1.exe (PID: 2240)
- Reads the machine GUID from the registry
  - 4zY594HE.exe (PID: 588)
  - 6lf1LQ0.exe (PID: 4424)
  - explorhe.exe (PID: 4320)
  - 2024.exe (PID: 3824)
  - ms_updater.exe (PID: 4396)
  - latestrocki.exe (PID: 2020)
  - rty25.exe (PID: 3088)
  - RRDX.exe (PID: 4840)
  - InstallSetup7.exe (PID: 5228)
  - boxApp.exe (PID: 2656)
  - RegAsm.exe (PID: 4440)
  - rty25.exe (PID: 5616)
  - RegAsm.exe (PID: 5304)
  - 31839b57a4f11171d6abc8bbc4451ee4.exe (PID: 5476)
  - nsl510D.tmp (PID: 3276)
  - flesh.exe (PID: 4168)
  - jsc.exe (PID: 5540)
  - support.exe (PID: 4696)
- Creates files or folders in the user directory
  - 6lf1LQ0.exe (PID: 4424)
  - explorhe.exe (PID: 4320)
  - RegAsm.exe (PID: 4552)
  - Miner-XMR1.exe (PID: 2240)
  - InstallSetup7.exe (PID: 5228)
  - rty25.exe (PID: 3088)
  - BroomSetup.exe (PID: 3244)
  - rty25.exe (PID: 5616)
- Creates files in the program directory
  - 6lf1LQ0.exe (PID: 4424)
- Reads Environment values
  - 2024.exe (PID: 3824)
  - ms_updater.exe (PID: 4396)
  - RRDX.exe (PID: 4840)
  - flesh.exe (PID: 4168)
  - RegAsm.exe (PID: 4440)
  - RegAsm.exe (PID: 5304)
  - jsc.exe (PID: 5540)
- Executable content was dropped or overwritten
  - firefox.exe (PID: 3024)
- Checks proxy server information
  - explorhe.exe (PID: 4320)
  - rundll32.exe (PID: 5452)
  - rty25.exe (PID: 3088)
  - InstallSetup7.exe (PID: 5228)
  - rty25.exe (PID: 5616)
  - nsl510D.tmp (PID: 3276)
- The process executes via Task Scheduler
  - explorhe.exe (PID: 3260)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

RedLine

(PID) Process(3824) 2024.exe

C2 (1)195.20.16.103:20440

Botnet2024

Options

ErrorMessage

Keys

XorSitfast

(PID) Process(4396) ms_updater.exe

C2 (1)91.92.240.231:13781

Botnet@Pixelscloud

Options

ErrorMessage

Keys

XorVillan

(PID) Process(4840) RRDX.exe

C2 (1)141.95.211.148:46011

Botnet@RLREBORN Cloud (TG: @FATHEROFCARDERS)

Options

ErrorMessageERROR RDX

Keys

XorSuboxide

(PID) Process(4440) RegAsm.exe

C2 (1)194.33.191.102:21751

BotnetBloomberg

Options

ErrorMessage

Keys

XorVermal

(PID) Process(6036) 322321.exe

C2 (1)185.172.128.33:38294

BotnetLegaa

Options

ErrorMessage

Keys

XorBudge

(PID) Process(5304) RegAsm.exe

C2 (1)20.79.30.95:33223

BotnetLiveTraffic

Version1

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:05:25 00:49:06+02:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.13
CodeSize:	25600
InitializedDataSize:	2554368
UninitializedDataSize:	-
EntryPoint:	0x6a60
OSVersion:	10
ImageVersion:	10
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	11.0.17763.1
ProductVersionNumber:	11.0.17763.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Win32 Cabinet Self-Extractor
FileVersion:	11.00.17763.1 (WinBuild.160101.0800)
InternalName:	Wextract
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	WEXTRACT.EXE .MUI
ProductName:	Internet Explorer
ProductVersion:	11.00.17763.1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

230

Monitored processes

188

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

244

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=2064 --field-trial-handle=1228,i,7608605005918423292,5233907281314657698,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\apppatch64\acgenral.dll
c:\windows\system32\sspicli.dll

272

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef2c46b58,0x7fef2c46b68,0x7fef2c46b78

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\apppatch64\acgenral.dll
c:\windows\system32\sspicli.dll

552

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2812 --field-trial-handle=1364,i,17525001413387694274,14029964247201294611,131072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

109.0.1518.115

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\apppatch64\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

576

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=1588 --field-trial-handle=1216,i,14209033223497061160,17334912501977404252,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\apppatch64\acgenral.dll
c:\windows\system32\sspicli.dll

588

C:\Users\admin\AppData\Local\Temp\IXP001.TMP\4zY594HE.exe

Av7wm62.exe

User:

admin

Company:

The Enigma Protector Developers Team

Integrity Level:

MEDIUM

Description:

Software Protection Tool

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\ixp001.tmp\4zy594he.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

624

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\apppatch64\acgenral.dll
c:\windows\system32\sspicli.dll

684

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 --field-trial-handle=1440,i,12987927636963181326,3312507942806198110,131072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

109.0.1518.115

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\apppatch64\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

712

"C:\Users\admin\AppData\Local\Temp\1000320001\zona.exe"

C:\Users\admin\AppData\Local\Temp\1000320001\zona.exe

—

explorhe.exe

User:

admin

Company:

The Enigma Protector Developers Team

Integrity Level:

MEDIUM

Description:

Software Protection Tool

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\1000320001\zona.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

892

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=3748 --field-trial-handle=1172,i,11801498847852958215,7801817719413349297,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\apppatch64\acgenral.dll
c:\windows\system32\sspicli.dll

980

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1232,i,6490621556834321831,7379139877224367074,131072 /prefetch:2

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\apppatch64\acgenral.dll
c:\windows\system32\sspicli.dll

Add for printing

Total events

48 199

Read events

47 474

Write events

645

Delete events

Modification events


(PID) Process:	(3028) 1Xd45Zd4.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3028) 1Xd45Zd4.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3028) 1Xd45Zd4.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3028) 1Xd45Zd4.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2000) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPDaysSinceLastAutoMigration
Value: 5
(PID) Process:	(2000) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPLastLaunchLowDateTime
Value: 91676960
(PID) Process:	(2000) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPLastLaunchHighDateTime
Value: 31049115
(PID) Process:	(2000) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:	write	Name:	NextCheckForUpdateHighDateTime
Value: 31049165
(PID) Process:	(2600) msedge.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(2600) msedge.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1

Add for printing

Executable files

Suspicious files

887

Text files

441

Unknown types

Dropped files

PID	Process	Filename		Type
2524	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF108772.TMP		—
		MD5:—	SHA256:—
2524	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
1436	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics.pma~RF10831c.TMP		binary
		MD5:886E82F2CA62ECCCE64601B30592078A	SHA256:E5E13D53601100FF3D6BB71514CBCCC4C73FE9B7EF5E930100E644187B42948E
1436	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics.pma		binary
		MD5:CE338FE6899778AACFC28414F2D9498B	SHA256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
2600	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat		binary
		MD5:B54C9C06FE96D186D5B7093D521FCBB4	SHA256:0F91AAD9EEC81442CB66E4CE922D296DB730D24F85A140BD612A630F3F7F7D9B
2936	16959ac1a2562a4ca6895bc36a54041caa92013f82a9f2e732c729ffabee27fc.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Av7wm62.exe		executable
		MD5:CD03DD553D27B55F12EA9D3DBB5B1B79	SHA256:3DF31BC4B914119D1668BFF79E2CB471C8C0B7FBEB8460E007140AE2F3D6AA07
2600	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF108aec.TMP		—
		MD5:—	SHA256:—
2600	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
2936	16959ac1a2562a4ca6895bc36a54041caa92013f82a9f2e732c729ffabee27fc.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\6lf1LQ0.exe		executable
		MD5:F335C26F13DE2E669BFD4B4D6DB4B7D6	SHA256:B4708AD9EEFB2AC6F31F209F72B6A4A00EE479D302CABF7CDAE5C1FE88CCADBA
2740	Av7wm62.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\4zY594HE.exe		executable
		MD5:F2D3892701E7FDAA25EA422CEFBEA696	SHA256:BB3AF81C2A433A521BAC9F26F52E4C45063FB36A45A322C930CB24B027559BE2

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

279

DNS requests

350

Threats

248

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4320	explorhe.exe	GET	200	184.24.77.207:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?94da68134d876079	unknown	compressed	65.2 Kb	unknown
4320	explorhe.exe	POST	200	185.215.113.68:80	http://185.215.113.68/theme/index.php	unknown	text	1.26 Kb	unknown
4320	explorhe.exe	POST	200	185.215.113.68:80	http://185.215.113.68/theme/index.php	unknown	text	4 b	unknown
4320	explorhe.exe	POST	200	185.215.113.68:80	http://185.215.113.68/theme/index.php	unknown	text	4 b	unknown
4320	explorhe.exe	POST	200	185.215.113.68:80	http://185.215.113.68/theme/index.php	unknown	text	4 b	unknown
3024	firefox.exe	POST	200	2.16.2.73:80	http://r3.o.lencr.org/	unknown	binary	503 b	unknown
3024	firefox.exe	POST	200	2.16.2.73:80	http://r3.o.lencr.org/	unknown	binary	503 b	unknown
3024	firefox.exe	POST	200	2.16.2.73:80	http://r3.o.lencr.org/	unknown	binary	503 b	unknown
3024	firefox.exe	POST	200	142.250.185.67:80	http://ocsp.pki.goog/gts1c3	unknown	binary	472 b	unknown
3024	firefox.exe	POST	200	192.229.221.95:80	http://ocsp.digicert.com/	unknown	binary	471 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
352	svchost.exe	224.0.0.252:5355	—	—	—	unknown
1220	svchost.exe	239.255.255.250:3702	—	—	—	whitelisted
1112	iexplore.exe	142.250.110.84:443	accounts.google.com	GOOGLE	US	unknown
2524	chrome.exe	239.255.255.250:1900	—	—	—	whitelisted
1492	iexplore.exe	172.217.18.110:443	www.youtube.com	GOOGLE	US	whitelisted
1928	iexplore.exe	157.240.0.35:443	www.facebook.com	FACEBOOK	US	unknown
2368	chrome.exe	142.250.185.132:443	www.google.com	GOOGLE	US	whitelisted
2368	chrome.exe	142.250.185.131:443	clientservices.googleapis.com	GOOGLE	US	whitelisted
2368	chrome.exe	142.250.110.84:443	accounts.google.com	GOOGLE	US	unknown

DNS requests

Domain	IP	Reputation
accounts.google.com	142.250.110.84 2a00:1450:400c:c0d::54	shared
www.youtube.com	172.217.18.110 172.217.23.110 142.250.185.78 142.250.185.110 142.250.185.142 142.250.185.174 142.250.185.206 142.250.185.238 142.250.186.78 142.250.186.110 142.250.181.238 172.217.16.142 142.250.184.206 142.250.184.238 142.250.186.142 142.250.186.174	whitelisted
www.facebook.com	157.240.0.35	whitelisted
clientservices.googleapis.com	142.250.185.131	whitelisted
www.google.com	142.250.185.132 2a00:1450:4001:830::2004	whitelisted
static.xx.fbcdn.net	157.240.0.6	whitelisted
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
fonts.googleapis.com	216.58.206.42	whitelisted
facebook.com	157.240.0.35	whitelisted

Threats

PID	Process	Class	Message
4424	6lf1LQ0.exe	A Network Trojan was detected	ET MALWARE RisePro TCP Heartbeat Packet
4424	6lf1LQ0.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] RisePro TCP (Token)
4424	6lf1LQ0.exe	Malware Command and Control Activity Detected	STEALER [ANY.RUN] RisePro TCP (Token)
4424	6lf1LQ0.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
4424	6lf1LQ0.exe	Malware Command and Control Activity Detected	STEALER [ANY.RUN] RisePro TCP (get_settings)
4320	explorhe.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 22
4320	explorhe.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey
4320	explorhe.exe	A Network Trojan was detected	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
3824	2024.exe	Potentially Bad Traffic	ET INFO Microsoft net.tcp Connection Initialization Activity
3824	2024.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC Activity

1 ETPRO signatures available at the full report

Add for printing

Process	Message
6lf1LQ0.exe	4443436
6lf1LQ0.exe	gdry4645

General Info

16959ac1a2562a4ca6895bc36a54041caa92013f82a9f2e732c729ffabee27fc.exe

BD05D7DC1A72D37A806C7307D38713F6

76ADA7A4946FD610FCDBEEEBFBB9359087B82318

16959AC1A2562A4CA6895BC36A54041CAA92013F82A9F2E732C729FFABEE27FC

98304:xn2o4WodJOSVf5QylzU1UcfKq/STHJzlrnc2tbb70MBtQLXZ3wjgR/iOkBJwlAsv:o2M

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

RISEPRO has been detected (SURICATA)

Uses Task Scheduler to autorun other applications

RISEPRO has been detected (YARA)

Changes the autorun value in the registry

AMADEY has been detected (SURICATA)

Connects to the CnC server

REDLINE has been detected (SURICATA)

Steals credentials from Web Browsers

REDLINE has been detected (YARA)

Actions looks like stealing of personal data

Unusual connection from system programs

KELIHOS has been detected (SURICATA)

STEALC has been detected (SURICATA)

FABOOKIE has been detected (SURICATA)

SUSPICIOUS

Reads the Internet Settings

Executable content was dropped or overwritten

Connects to unusual port

Reads settings of System Certificates

Checks for external IP

Reads security settings of Internet Explorer

Adds/modifies Windows certificates

Connects to the server without a host name

Process requests binary or script from the Internet

Searches for installed software

Checks Windows Trust Settings

Reads the BIOS version

Uses REG/REGEDIT.EXE to modify registry

Starts CMD.EXE for commands execution

Reads browser cookies

Drops a system driver (possible attempt to evade defenses)

Starts application with an unusual extension

Executing commands from a ".bat" file

Process drops legitimate windows executable

INFO

Drops the executable file immediately after the start

Checks supported languages

Process drops legitimate windows executable

Reads mouse settings

Create files in a temporary directory

Application launched itself

Reads the computer name

Starts itself from another location

Reads the machine GUID from the registry

Creates files or folders in the user directory

Creates files in the program directory

Reads Environment values

Executable content was dropped or overwritten

Checks proxy server information

The process executes via Task Scheduler

Malware configuration

RedLine

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information