Malware analysis SecuriteInfo.com.Win32.Evo-gen.25528.31768 Malicious activity

Add for printing

File name:	SecuriteInfo.com.Win32.Evo-gen.25528.31768
Full analysis:	https://app.any.run/tasks/2b2e9d81-09ef-46b3-a7eb-b8aa371e9077
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	July 26, 2025, 19:21:22
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	amadey botnet stealer loader rdp rat remote lumma evasion telegram stealc vidar golang anydesk rmm-tool auto-reg
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	9568D883B40FE309F0E072FDF0562DE6
SHA1:	6C56315100E4AB596C5C770F81CFDB88EB6CDECF
SHA256:	1967625692921A306F4D8565B67E1EDF9C1DA2988D67A76C93659F5A91D546F5
SSDEEP:	6144:3ugbfowURCrMbxMW5fTHjlqRmHb0/Mli0M8jimYmcCQd:3uAfRr0xz5fTHjYmHY/uNsn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Connects to the CnC server
  - IhsE9b0j.fUNA (PID: 3768)
  - svchost.exe (PID: 2200)
  - regsvr32.exe (PID: 4944)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 5288)
- AMADEY mutex has been found
  - IhsE9b0j.fUNA (PID: 3768)
- AMADEY has been detected (SURICATA)
  - IhsE9b0j.fUNA (PID: 3768)
- AMADEY has been detected (YARA)
  - IhsE9b0j.fUNA (PID: 3768)
- Registers / Runs the DLL via REGSVR32.EXE
  - J2CPKV6.tmp (PID: 3756)
  - dllhost.exe (PID: 2664)
- Known privilege escalation attack
  - dllhost.exe (PID: 2664)
- LUMMA mutex has been found
  - MSBuild.exe (PID: 7200)
- XENORAT has been detected (SURICATA)
  - regsvr32.exe (PID: 4944)
- LUMMA has been detected (SURICATA)
  - svchost.exe (PID: 2200)
- Steals credentials from Web Browsers
  - explorer.exe (PID: 7452)
  - MSBuild.exe (PID: 7200)
- Actions looks like stealing of personal data
  - explorer.exe (PID: 7452)
  - MSBuild.exe (PID: 7200)
- Changes the autorun value in the registry
  - reg.exe (PID: 7792)
SUSPICIOUS
- Uses ICACLS.EXE to modify access control lists
  - cmd.exe (PID: 1156)
  - cmd.exe (PID: 6264)
  - cmd.exe (PID: 6164)
- Executable content was dropped or overwritten
  - SecuriteInfo.com.Win32.Evo-gen.25528.31768.exe (PID: 3844)
  - IhsE9b0j.fUNA (PID: 3768)
  - J2CPKV6.exe (PID: 6816)
  - J2CPKV6.tmp (PID: 4540)
  - J2CPKV6.exe (PID: 1336)
  - J2CPKV6.tmp (PID: 3756)
  - csc.exe (PID: 2120)
  - csc.exe (PID: 9076)
  - csc.exe (PID: 7040)
  - csc.exe (PID: 9168)
  - csc.exe (PID: 4560)
  - AnyDesk.exe (PID: 6544)
  - csc.exe (PID: 7988)
  - rw6eMTC.exe (PID: 6148)
- Starts CMD.EXE for commands execution
  - SecuriteInfo.com.Win32.Evo-gen.25528.31768.exe (PID: 3844)
  - regsvr32.exe (PID: 4944)
  - AnyDesk.exe (PID: 6544)
- Starts application with an unusual extension
  - cmd.exe (PID: 3396)
- Process requests binary or script from the Internet
  - IhsE9b0j.fUNA (PID: 3768)
- Potential Corporate Privacy Violation
  - IhsE9b0j.fUNA (PID: 3768)
- There is functionality for enable RDP (YARA)
  - IhsE9b0j.fUNA (PID: 3768)
- There is functionality for taking screenshot (YARA)
  - IhsE9b0j.fUNA (PID: 3768)
- Reads the Windows owner or organization settings
  - J2CPKV6.tmp (PID: 4540)
  - J2CPKV6.tmp (PID: 3756)
- Process drops legitimate windows executable
  - J2CPKV6.tmp (PID: 4540)
  - J2CPKV6.tmp (PID: 3756)
  - rw6eMTC.exe (PID: 6148)
- Executes application which crashes
  - 7rpIPkQ.exe (PID: 2508)
  - regsvr32.exe (PID: 6868)
  - YT1For2.exe (PID: 7184)
- Reads security settings of Internet Explorer
  - J2CPKV6.tmp (PID: 4540)
  - IhsE9b0j.fUNA (PID: 3768)
- CSC.EXE is used to compile C# code
  - csc.exe (PID: 2120)
  - csc.exe (PID: 9076)
  - csc.exe (PID: 7040)
  - csc.exe (PID: 9168)
  - csc.exe (PID: 4560)
  - csc.exe (PID: 7988)
- The process bypasses the loading of PowerShell profile settings
  - regsvr32.exe (PID: 6868)
  - regsvr32.exe (PID: 4944)
  - explorer.exe (PID: 7452)
- The process hide an interactive prompt from the user
  - regsvr32.exe (PID: 6868)
  - regsvr32.exe (PID: 4944)
  - explorer.exe (PID: 7452)
- Starts POWERSHELL.EXE for commands execution
  - regsvr32.exe (PID: 6868)
  - regsvr32.exe (PID: 4944)
  - explorer.exe (PID: 7452)
- Uses base64 encoding (POWERSHELL)
  - powershell.exe (PID: 620)
  - powershell.exe (PID: 8288)
  - powershell.exe (PID: 8512)
  - powershell.exe (PID: 7932)
  - powershell.exe (PID: 7816)
  - powershell.exe (PID: 6288)
- Suspicious task schedule using the at utility
  - OpenWith.exe (PID: 2356)
  - Acrobat.exe (PID: 2632)
- Contacting a server suspected of hosting an CnC
  - IhsE9b0j.fUNA (PID: 3768)
  - regsvr32.exe (PID: 4944)
  - svchost.exe (PID: 2200)
- Connects to the server without a host name
  - IhsE9b0j.fUNA (PID: 3768)
- Connects to unusual port
  - regsvr32.exe (PID: 4944)
- Checks for external IP
  - svchost.exe (PID: 2200)
  - it4pKAE.exe (PID: 8016)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - explorer.exe (PID: 7452)
- Reads the BIOS version
  - YT1For2.exe (PID: 7184)
- Searches for installed software
  - explorer.exe (PID: 7452)
- BASE64 encoded PowerShell command has been detected
  - explorer.exe (PID: 7452)
- Base64-obfuscated command line is found
  - explorer.exe (PID: 7452)
- Gets content of a file (POWERSHELL)
  - powershell.exe (PID: 7932)
  - powershell.exe (PID: 6288)
- The process executes via Task Scheduler
  - regsvr32.exe (PID: 7260)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 3588)
- ANYDESK has been found
  - IhsE9b0j.fUNA (PID: 3768)
- Application launched itself
  - ea742eec0b.exe (PID: 1136)
- The process drops C-runtime libraries
  - rw6eMTC.exe (PID: 6148)
INFO
- Reads the computer name
  - SecuriteInfo.com.Win32.Evo-gen.25528.31768.exe (PID: 3844)
  - IhsE9b0j.fUNA (PID: 3768)
  - 7rpIPkQ.exe (PID: 2508)
  - J2CPKV6.tmp (PID: 4540)
  - J2CPKV6.tmp (PID: 3756)
  - MSBuild.exe (PID: 7200)
  - it4pKAE.exe (PID: 8016)
  - 6Nqk7S3.exe (PID: 2076)
  - YT1For2.exe (PID: 7184)
  - GyFYLGD.exe (PID: 8420)
- Reads the machine GUID from the registry
  - SecuriteInfo.com.Win32.Evo-gen.25528.31768.exe (PID: 3844)
  - IhsE9b0j.fUNA (PID: 3768)
  - 7rpIPkQ.exe (PID: 2508)
  - csc.exe (PID: 2120)
  - MSBuild.exe (PID: 7200)
  - csc.exe (PID: 9076)
  - csc.exe (PID: 7040)
  - csc.exe (PID: 9168)
  - csc.exe (PID: 4560)
  - csc.exe (PID: 7988)
  - GyFYLGD.exe (PID: 8420)
  - csc.exe (PID: 7000)
- Create files in a temporary directory
  - SecuriteInfo.com.Win32.Evo-gen.25528.31768.exe (PID: 3844)
  - IhsE9b0j.fUNA (PID: 3768)
  - 7rpIPkQ.exe (PID: 2508)
  - J2CPKV6.exe (PID: 6816)
  - J2CPKV6.tmp (PID: 4540)
  - J2CPKV6.exe (PID: 1336)
  - J2CPKV6.tmp (PID: 3756)
  - cvtres.exe (PID: 2528)
  - csc.exe (PID: 2120)
  - regsvr32.exe (PID: 4944)
  - csc.exe (PID: 9076)
  - powershell.exe (PID: 8288)
  - cvtres.exe (PID: 9092)
  - explorer.exe (PID: 7452)
  - powershell.exe (PID: 7932)
  - csc.exe (PID: 7040)
  - cvtres.exe (PID: 6192)
  - powershell.exe (PID: 8512)
  - csc.exe (PID: 9168)
  - cvtres.exe (PID: 9056)
  - powershell.exe (PID: 7816)
  - cvtres.exe (PID: 3972)
  - csc.exe (PID: 4560)
  - powershell.exe (PID: 6288)
  - cvtres.exe (PID: 7196)
  - powershell.exe (PID: 7528)
  - csc.exe (PID: 7988)
  - GyFYLGD.exe (PID: 8420)
  - rw6eMTC.exe (PID: 6148)
  - cvtres.exe (PID: 4760)
  - csc.exe (PID: 7000)
- Checks supported languages
  - SecuriteInfo.com.Win32.Evo-gen.25528.31768.exe (PID: 3844)
  - IhsE9b0j.fUNA (PID: 3768)
  - 7rpIPkQ.exe (PID: 2508)
  - J2CPKV6.tmp (PID: 4540)
  - J2CPKV6.exe (PID: 1336)
  - J2CPKV6.exe (PID: 6816)
  - csc.exe (PID: 2120)
  - J2CPKV6.tmp (PID: 3756)
  - cvtres.exe (PID: 2528)
  - official.exe (PID: 6452)
  - RenT7Wg.exe (PID: 3760)
  - MSBuild.exe (PID: 7200)
  - 6Nqk7S3.exe (PID: 2076)
  - it4pKAE.exe (PID: 8016)
  - k9fbiLm.exe (PID: 7008)
  - YT1For2.exe (PID: 7184)
  - zjnjOKt.exe (PID: 8300)
  - csc.exe (PID: 9076)
  - cvtres.exe (PID: 9092)
  - MSBuild.exe (PID: 7540)
  - csc.exe (PID: 7040)
  - cvtres.exe (PID: 6192)
  - DcLvSKS.exe (PID: 7820)
  - csc.exe (PID: 9168)
  - v9d9d.exe (PID: 9024)
  - cvtres.exe (PID: 9056)
  - cvtres.exe (PID: 3972)
  - csc.exe (PID: 4560)
  - GyFYLGD.exe (PID: 8420)
  - MSBuild.exe (PID: 7480)
  - AnyDesk.exe (PID: 6544)
  - AnyDesk.exe (PID: 8056)
  - csc.exe (PID: 7988)
  - cvtres.exe (PID: 7196)
  - ea742eec0b.exe (PID: 1136)
  - csc.exe (PID: 7000)
  - rw6eMTC.exe (PID: 6148)
- Creates files or folders in the user directory
  - IhsE9b0j.fUNA (PID: 3768)
  - J2CPKV6.tmp (PID: 3756)
  - WerFault.exe (PID: 4844)
  - regsvr32.exe (PID: 4944)
  - explorer.exe (PID: 7452)
  - WerFault.exe (PID: 8116)
- Reads the software policy settings
  - IhsE9b0j.fUNA (PID: 3768)
  - WerFault.exe (PID: 4844)
  - MSBuild.exe (PID: 7200)
  - it4pKAE.exe (PID: 8016)
  - explorer.exe (PID: 7452)
  - 6Nqk7S3.exe (PID: 2076)
  - WerFault.exe (PID: 8116)
  - powershell.exe (PID: 8288)
  - powershell.exe (PID: 7932)
  - powershell.exe (PID: 7816)
  - powershell.exe (PID: 8512)
  - powershell.exe (PID: 6288)
  - slui.exe (PID: 6320)
  - powershell.exe (PID: 7528)
  - powershell.exe (PID: 9212)
- Process checks computer location settings
  - IhsE9b0j.fUNA (PID: 3768)
  - J2CPKV6.tmp (PID: 4540)
- The sample compiled with english language support
  - J2CPKV6.tmp (PID: 4540)
  - J2CPKV6.tmp (PID: 3756)
  - IhsE9b0j.fUNA (PID: 3768)
  - rw6eMTC.exe (PID: 6148)
- Checks proxy server information
  - WerFault.exe (PID: 4844)
  - IhsE9b0j.fUNA (PID: 3768)
  - it4pKAE.exe (PID: 8016)
  - explorer.exe (PID: 7452)
  - WerFault.exe (PID: 8116)
  - slui.exe (PID: 6320)
- Checks transactions between databases Windows and Oracle
  - powershell.exe (PID: 620)
- Reads security settings of Internet Explorer
  - dllhost.exe (PID: 2664)
  - OpenWith.exe (PID: 2356)
  - explorer.exe (PID: 7452)
  - powershell.exe (PID: 8288)
  - powershell.exe (PID: 7932)
  - powershell.exe (PID: 8512)
  - powershell.exe (PID: 7816)
  - powershell.exe (PID: 6288)
  - powershell.exe (PID: 7528)
  - powershell.exe (PID: 9212)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 3704)
  - powershell.exe (PID: 5600)
- Reads Microsoft Office registry keys
  - OpenWith.exe (PID: 2356)
- Application launched itself
  - Acrobat.exe (PID: 2632)
  - AcroCEF.exe (PID: 6868)
  - chrome.exe (PID: 7268)
  - chrome.exe (PID: 2292)
  - chrome.exe (PID: 8100)
  - chrome.exe (PID: 8248)
  - chrome.exe (PID: 9196)
  - chrome.exe (PID: 9188)
  - chrome.exe (PID: 8280)
  - msedge.exe (PID: 8136)
  - msedge.exe (PID: 8272)
  - chrome.exe (PID: 7660)
  - chrome.exe (PID: 9180)
  - msedge.exe (PID: 8236)
  - msedge.exe (PID: 1128)
  - msedge.exe (PID: 4124)
  - chrome.exe (PID: 7808)
  - chrome.exe (PID: 632)
- Application based on Golang
  - regsvr32.exe (PID: 4944)
- The sample compiled with german language support
  - IhsE9b0j.fUNA (PID: 3768)
- Attempting to use instant messaging service
  - explorer.exe (PID: 7452)
- Creates files in the program directory
  - explorer.exe (PID: 7452)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 7932)
  - powershell.exe (PID: 6288)
- Launching a file from a Registry key
  - reg.exe (PID: 7792)
- Manual execution by a user
  - AnyDesk.exe (PID: 8056)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Amadey

(PID) Process(3768) IhsE9b0j.fUNA

C294.154.35.25

URLhttp://94.154.35.25/di9ku38f/index.php

Version5.55

Options

Drop directory96a319e745

Drop nameSrxelqcif.exe

Strings (125)os:

" && timeout 1 && del

\App

shutdown -s -t 0

Panda Security

:::

" && ren

pc:

random

ProductName

bi:

POST

2016

msi

Content-Type: application/x-www-form-urlencoded

0123456789

0000043f

un:

st=s

S-%lu-

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

AVAST Software

cmd

Content-Disposition: form-data; name="data"; filename="

SOFTWARE\Microsoft\Windows NT\CurrentVersion

lv:

<c>

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

00000423

<d>

cred.dll|clip.dll|

exe

og:

Srxelqcif.exe

Powershell.exe

Comodo

5.55

&& Exit"

Startup

%-lu

DefaultSettings.YResolution

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

00000422

rundll32

2019

ps1

ar:

%USERPROFILE%

vs:

-executionpolicy remotesigned -File "

shell32.dll

WinDefender

------

http://

cred.dll

Main

Bitdefender

.jpg

?scr=1

"taskkill /f /im "

CurrentBuild

id:

Doctor Web

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

94.154.35.25

ESET

Sophos

00000419

VideoID

dm:

96a319e745

Keyboard Layout\Preload

AVG

------

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

2025

DefaultSettings.XResolution

/quiet

Norton

SYSTEM\ControlSet001\Services\BasicDisplay\Video

dll

zip

ProgramData\

cmd /C RMDIR /s/q

/Plugins/

Programs

&unit=

Rem

ComputerName

2022

rundll32.exe

Content-Type: multipart/form-data; boundary=----

-%lu

clip.dll

av:

kernel32.dll

GetNativeSystemInfo

360TotalSecurity

\0000

" Content-Type: application/octet-stream

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

+++

Kaspersky Lab

Avira

GET

/di9ku38f/index.php

sd:

abcdefghijklmnopqrstuvwxyz0123456789-_

https://

-unicode-

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:07:26 17:55:28+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	291840
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x4926e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	DownloaderApp
FileVersion:	1.0.0.0
InternalName:	DownloaderApp.exe
LegalCopyright:	Copyright © 2025
LegalTrademarks:	-
OriginalFileName:	DownloaderApp.exe
ProductName:	DownloaderApp
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

348

Monitored processes

203

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

512

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

620

"PowerShell.exe" -NoProfile -NonInteractive -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

regsvr32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

632

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

—

explorer.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

864

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1768 --field-trial-handle=1644,i,3275181678895515611,2714572304330829550,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1036

"C:\WINDOWS\system32\regsvr32.exe" /s /i:googlechromebusiness.msi "C:\Users\admin\AppData\Local\LightSlateGray2.pfx"

C:\Windows\SysWOW64\regsvr32.exe

—

J2CPKV6.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft(C) Register Server

Exit code:

3221225477

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

1128

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

MSBuild.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1128

"C:\Users\admin\AppData\Local\Temp\10209120101\ea742eec0b.exe"

C:\Users\admin\AppData\Local\Temp\10209120101\ea742eec0b.exe

—

ea742eec0b.exe

User:

admin

Integrity Level:

MEDIUM

1136

"C:\Users\admin\AppData\Local\Temp\10209120101\ea742eec0b.exe"

C:\Users\admin\AppData\Local\Temp\10209120101\ea742eec0b.exe

—

IhsE9b0j.fUNA

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\10209120101\ea742eec0b.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1156

"cmd.exe" /c icacls "C:\Users\admin\Desktop\IhsE9b0j.fUNA" /inheritance:r /grant SYSTEM:F /grant Everyone:RX

C:\Windows\SysWOW64\cmd.exe

—

SecuriteInfo.com.Win32.Evo-gen.25528.31768.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1268

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=2388,i,4380079522719876771,2358125912034967026,262144 --variations-seed-version --mojo-platform-channel-handle=4684 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

109 051

Read events

108 819

Write events

223

Delete events

Modification events


(PID) Process:	(3768) IhsE9b0j.fUNA	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(3768) IhsE9b0j.fUNA	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(3768) IhsE9b0j.fUNA	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2508) 7rpIPkQ.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Spurdo
Operation:	write	Name:	language
Value: en
(PID) Process:	(2508) 7rpIPkQ.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Spurdo
Operation:	write	Name:	system_optimization
Value: 1
(PID) Process:	(2508) 7rpIPkQ.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Spurdo
Operation:	write	Name:	auto_start
Value: 1
(PID) Process:	(2508) 7rpIPkQ.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Spurdo
Operation:	write	Name:	alternative_injector
Value: 48
(PID) Process:	(2508) 7rpIPkQ.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Spurdo
Operation:	write	Name:	path
Value: C:\Spurdo\
(PID) Process:	(4844) WerFault.exe	Key:	\REGISTRY\A\{ce54583c-c435-70ae-2393-ae9d83a78251}\Root\InventoryApplicationFile
Operation:	write	Name:	WritePermissionsCheck
Value: 1
(PID) Process:	(4844) WerFault.exe	Key:	\REGISTRY\A\{ce54583c-c435-70ae-2393-ae9d83a78251}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:	delete key	Name:	(default)
Value:

Add for printing

Executable files

Suspicious files

500

Text files

315

Unknown types

Dropped files

PID	Process	Filename		Type
3844	SecuriteInfo.com.Win32.Evo-gen.25528.31768.exe	C:\Users\admin\Desktop\IhsE9b0j.fUNA		executable
		MD5:156F4A8F006779A3493D9D476F1E8DDA	SHA256:C36ED034D523DA1F54D43176334D4BDA9F9ADCB940948646B43902A620EBDA45
3768	IhsE9b0j.fUNA	C:\Users\admin\AppData\Local\Temp\10208970101\generateLoader.exe		text
		MD5:56322E566B91147558A76562C31570A2	SHA256:4AA23BD348B44D7EC05E8FA15A22530360950A357FB5AE2F98B4552F1EFB622F
1336	J2CPKV6.exe	C:\Users\admin\AppData\Local\Temp\is-0IOOI.tmp\J2CPKV6.tmp		executable
		MD5:E119C945C3F94D46BC73E2A17A52897C	SHA256:D9432AEA01FC2D6C4D2F39D03DA1CE5B19F6E35B2F8DD000D9FA3836D81601A0
3768	IhsE9b0j.fUNA	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8		binary
		MD5:1FBB37F79B317A9A248E7C4CE4F5BAC5	SHA256:9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F
3768	IhsE9b0j.fUNA	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12		binary
		MD5:FCA9E8A069C38A0210D3E0C88B32CE6C	SHA256:E2A8DE9AAF85EE266DA8D57564C739B33E7882D2C42511231746483CA9468DA2
3768	IhsE9b0j.fUNA	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8		binary
		MD5:8C0AD3C8CBA5C21DF20F5379DC66EAE7	SHA256:B2457AAA652DADFE187E382BF750A40099B387602E59A33EF85183283C962C93
3768	IhsE9b0j.fUNA	C:\Users\admin\AppData\Local\Temp\10208980101\cheat.exe		html
		MD5:4A0DE87C37EA7F3FC444D751532565B0	SHA256:0E3DF7A54DD34A7443D94FED130D5ABD7C441C7671E411F93B9767920B003D34
6816	J2CPKV6.exe	C:\Users\admin\AppData\Local\Temp\is-N7465.tmp\J2CPKV6.tmp		executable
		MD5:E119C945C3F94D46BC73E2A17A52897C	SHA256:D9432AEA01FC2D6C4D2F39D03DA1CE5B19F6E35B2F8DD000D9FA3836D81601A0
2508	7rpIPkQ.exe	C:\Users\admin\AppData\Local\Temp\loader.log		text
		MD5:877B5B8B61CEC42521A8DD78C865B555	SHA256:15F4327A7CD1E9D9DA6753A56F866D5D37C2B6D442F2520A587FE5D51FCD89F5
3768	IhsE9b0j.fUNA	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\7rpIPkQ[1].exe		executable
		MD5:04B05C8FFD76A0E2BE304AD14401428F	SHA256:A71252457565CDB9D490D0CFED81A41EFC32935BE8063EE6DE23EEE98857C5B2

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

215

DNS requests

187

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3768	IhsE9b0j.fUNA	GET	200	176.46.158.8:80	http://176.46.158.8/app/random.exe	unknown	—	—	unknown
3768	IhsE9b0j.fUNA	POST	200	94.154.35.25:80	http://94.154.35.25/di9ku38f/index.php	unknown	—	—	unknown
3768	IhsE9b0j.fUNA	POST	200	94.154.35.25:80	http://94.154.35.25/di9ku38f/index.php	unknown	—	—	unknown
1268	svchost.exe	GET	200	23.55.110.211:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3768	IhsE9b0j.fUNA	POST	200	94.154.35.25:80	http://94.154.35.25/di9ku38f/index.php	unknown	—	—	unknown
3768	IhsE9b0j.fUNA	GET	200	142.250.184.195:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
3768	IhsE9b0j.fUNA	POST	200	94.154.35.25:80	http://94.154.35.25/di9ku38f/index.php	unknown	—	—	unknown
3768	IhsE9b0j.fUNA	GET	200	142.250.184.195:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
3948	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1976	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3768	IhsE9b0j.fUNA	94.154.35.25:80	—	WINDSTREAM	US	unknown
3768	IhsE9b0j.fUNA	176.46.158.8:80	—	—	IR	unknown
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	23.55.110.211:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59 51.124.78.146 20.73.194.208	whitelisted
google.com	142.250.185.238	whitelisted
crl.microsoft.com	23.55.110.211 23.55.110.193 23.216.77.42 23.216.77.22 23.216.77.6 23.216.77.19 23.216.77.28 23.216.77.30	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
api.spurdo.me	172.67.133.37 104.21.5.69	unknown
c.pki.goog	142.250.184.195	whitelisted
spurdo.me	172.67.133.37 104.21.5.69	unknown
login.live.com	40.126.31.69 20.190.159.68 20.190.159.75 40.126.31.0 20.190.159.128 20.190.159.73 20.190.159.64 40.126.31.131 40.126.31.129 40.126.31.73 40.126.31.3 20.190.159.2	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted

Threats

PID	Process	Class	Message
3768	IhsE9b0j.fUNA	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 16
3768	IhsE9b0j.fUNA	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
3768	IhsE9b0j.fUNA	Malware Command and Control Activity Detected	ET MALWARE Amadey CnC Response
3768	IhsE9b0j.fUNA	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
3768	IhsE9b0j.fUNA	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 34
3768	IhsE9b0j.fUNA	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3768	IhsE9b0j.fUNA	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
3768	IhsE9b0j.fUNA	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
3768	IhsE9b0j.fUNA	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host

Add for printing

Process	Message
YT1For2.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
GyFYLGD.exe	1959xka&2alSklh0

General Info

SecuriteInfo.com.Win32.Evo-gen.25528.31768

9568D883B40FE309F0E072FDF0562DE6

6C56315100E4AB596C5C770F81CFDB88EB6CDECF

1967625692921A306F4D8565B67E1EDF9C1DA2988D67A76C93659F5A91D546F5

6144:3ugbfowURCrMbxMW5fTHjlqRmHb0/Mli0M8jimYmcCQd:3uAfRr0xz5fTHjYmHY/uNsn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Connects to the CnC server

Uses Task Scheduler to run other applications

AMADEY mutex has been found

AMADEY has been detected (SURICATA)

AMADEY has been detected (YARA)

Registers / Runs the DLL via REGSVR32.EXE

Known privilege escalation attack

LUMMA mutex has been found

XENORAT has been detected (SURICATA)

LUMMA has been detected (SURICATA)

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Changes the autorun value in the registry

SUSPICIOUS

Uses ICACLS.EXE to modify access control lists

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Starts application with an unusual extension

Process requests binary or script from the Internet

Potential Corporate Privacy Violation

There is functionality for enable RDP (YARA)

There is functionality for taking screenshot (YARA)

Reads the Windows owner or organization settings

Process drops legitimate windows executable

Executes application which crashes

Reads security settings of Internet Explorer

CSC.EXE is used to compile C# code

The process bypasses the loading of PowerShell profile settings

The process hide an interactive prompt from the user

Starts POWERSHELL.EXE for commands execution

Uses base64 encoding (POWERSHELL)

Suspicious task schedule using the at utility

Contacting a server suspected of hosting an CnC

Connects to the server without a host name

Connects to unusual port

Checks for external IP

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Reads the BIOS version

Searches for installed software

BASE64 encoded PowerShell command has been detected

Base64-obfuscated command line is found

Gets content of a file (POWERSHELL)

The process executes via Task Scheduler

Uses REG/REGEDIT.EXE to modify registry

ANYDESK has been found

Application launched itself

The process drops C-runtime libraries

INFO

Reads the computer name

Reads the machine GUID from the registry

Create files in a temporary directory

Checks supported languages

Creates files or folders in the user directory

Reads the software policy settings

Process checks computer location settings

The sample compiled with english language support

Checks proxy server information

Checks transactions between databases Windows and Oracle

Reads security settings of Internet Explorer

Checks if a key exists in the options dictionary (POWERSHELL)

Reads Microsoft Office registry keys

Application launched itself

Application based on Golang

The sample compiled with german language support

Attempting to use instant messaging service

Creates files in the program directory

Script raised an exception (POWERSHELL)

Launching a file from a Registry key