Malware analysis File_pass1234.7z Malicious activity | ANY.RUN

Add for printing

download:	File_pass1234.7z
Full analysis:	https://app.any.run/tasks/142e399e-f83d-4a0f-a853-cf085e6f8c96
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	June 13, 2023, 20:21:14
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	privateloader opendir evasion loader amadey trojan gcleaner smoke tofsee redline ransomware stop stealer vidar miner g0njxa
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	5D8247884739DBFA2355697F29DFF1E5
SHA1:	93D5CF504819AD65A4B8BAC59555153F7135BA81
SHA256:	1AF498CE6C55C10486204397ECCD2F633F9169235269C99467F908B5631733D2
SSDEEP:	98304:0zwsgldyUmaUISVKKP1VF6L/YQNP+Zku0ALWAiaUqmdhsHCOq24roLvoR6fhAgFb:0zwL/lmNFKKP1vUAEP+iA1l+h0HqrGvl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: on
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
Mozilla Maintenance Service (67.0.4)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- PRIVATELOADER was detected
  - File.exe (PID: 2408)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
- Connects to the CnC server
  - File.exe (PID: 2408)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - oneetx.exe (PID: 564)
  - Rec613.exe (PID: 2556)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
  - explorer.exe (PID: 1960)
  - build2.exe (PID: 2660)
  - build2.exe (PID: 2448)
- Actions looks like stealing of personal data
  - File.exe (PID: 2408)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
  - build2.exe (PID: 2660)
- Creates a writable file the system directory
  - File.exe (PID: 2408)
  - svchost.exe (PID: 2824)
  - powershell.exe (PID: 3064)
- Application was dropped or rewritten from another process
  - HCgRTQoyreiCQGFkNNSmC0oj.exe (PID: 2484)
  - bhHfPuUtWMmk3BgmQh8i9Q_U.exe (PID: 2772)
  - JW4f3rUCy6X9QMYYU8sy5NJI.exe (PID: 2140)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - LFOqf5aQugu4X88TvOj_2Mqp.exe (PID: 2984)
  - 7xM9NJqIg1Sx3VCbIPBLCvXu.exe (PID: 2924)
  - oneetx.exe (PID: 564)
  - newplayer.exe (PID: 2300)
  - 2a344302.exe (PID: 464)
  - ss41.exe (PID: 2248)
  - laszechz.exe (PID: 2832)
  - VAU2R6lmLeu.exe (PID: 1456)
  - EBEF.exe (PID: 568)
  - EBEF.exe (PID: 2396)
  - F362.exe (PID: 1436)
  - EBEF.exe (PID: 1732)
  - EBEF.exe (PID: 2072)
  - 2B5.exe (PID: 2796)
  - 2B5.exe (PID: 1448)
  - build2.exe (PID: 2288)
  - build2.exe (PID: 2660)
  - 2B5.exe (PID: 1624)
  - 2B5.exe (PID: 2804)
  - build3.exe (PID: 1644)
  - build2.exe (PID: 548)
  - build2.exe (PID: 2448)
  - build3.exe (PID: 2452)
  - mstsca.exe (PID: 1436)
  - oneetx.exe (PID: 2676)
  - 430B.exe (PID: 548)
  - XandETC.exe (PID: 900)
  - aafg31.exe (PID: 2976)
  - 4FED.exe (PID: 1264)
  - XandETC.exe (PID: 3064)
  - 4FED.exe (PID: 1168)
  - 4FED.exe (PID: 2260)
  - 4FED.exe (PID: 1644)
  - 6A4D.exe (PID: 2676)
  - 6A4D.exe (PID: 280)
  - 5ABC.exe (PID: 2316)
  - build2.exe (PID: 1188)
  - build2.exe (PID: 2720)
  - 6A4D.exe (PID: 1524)
  - 6A4D.exe (PID: 2316)
  - build3.exe (PID: 2200)
  - build2.exe (PID: 2980)
  - build2.exe (PID: 2676)
  - build3.exe (PID: 2004)
  - BA24.exe (PID: 2844)
  - updater.exe (PID: 2004)
  - FA0D.exe (PID: 2120)
  - oneetx.exe (PID: 2748)
  - 8D18.exe (PID: 2216)
- Loads dropped or rewritten executable
  - is-KHSV8.tmp (PID: 2112)
  - build2.exe (PID: 2660)
- Changes the autorun value in the registry
  - oneetx.exe (PID: 564)
- Uses Task Scheduler to run other applications
  - oneetx.exe (PID: 564)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - build3.exe (PID: 1644)
  - build3.exe (PID: 2452)
  - mstsca.exe (PID: 1436)
  - powershell.exe (PID: 3012)
- Application was injected by another process
  - explorer.exe (PID: 1960)
- Runs injected code in another process
  - 7xM9NJqIg1Sx3VCbIPBLCvXu.exe (PID: 2924)
- AMADEY was detected
  - oneetx.exe (PID: 564)
- Uses Task Scheduler to autorun other applications
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - powershell.exe (PID: 2552)
  - powershell.exe (PID: 856)
- GCLEANER was detected
  - Rec613.exe (PID: 2556)
- AMADEY detected by memory dumps
  - oneetx.exe (PID: 564)
- SMOKE was detected
  - explorer.exe (PID: 1960)
- TOFSEE detected by memory dumps
  - svchost.exe (PID: 2824)
- REDLINE detected by memory dumps
  - bhHfPuUtWMmk3BgmQh8i9Q_U.exe (PID: 2772)
- Stop is detected
  - EBEF.exe (PID: 2072)
  - 2B5.exe (PID: 2804)
  - 4FED.exe (PID: 1644)
  - 6A4D.exe (PID: 2316)
- Starts CMD.EXE for self-deleting
  - Rec613.exe (PID: 2556)
- VIDAR was detected
  - build2.exe (PID: 2660)
  - build2.exe (PID: 2448)
- Steals credentials from Web Browsers
  - build2.exe (PID: 2660)
- Steals credentials
  - build2.exe (PID: 2660)
- Adds path to the Windows Defender exclusion list
  - explorer.exe (PID: 1960)
SUSPICIOUS
- Checks for external IP
  - File.exe (PID: 2408)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
- Connects to the server without a host name
  - File.exe (PID: 2408)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - oneetx.exe (PID: 564)
  - Rec613.exe (PID: 2556)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
  - explorer.exe (PID: 1960)
  - build2.exe (PID: 2660)
  - build2.exe (PID: 2448)
- Reads the Internet Settings
  - File.exe (PID: 2408)
  - LFOqf5aQugu4X88TvOj_2Mqp.exe (PID: 2984)
  - JW4f3rUCy6X9QMYYU8sy5NJI.exe (PID: 2140)
  - newplayer.exe (PID: 2300)
  - oneetx.exe (PID: 564)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
  - explorer.exe (PID: 1960)
  - EBEF.exe (PID: 2396)
  - Rec613.exe (PID: 2556)
  - EBEF.exe (PID: 2072)
  - build2.exe (PID: 2660)
  - 2B5.exe (PID: 2804)
  - 430B.exe (PID: 548)
  - 4FED.exe (PID: 1168)
  - 4FED.exe (PID: 1644)
  - 2B5.exe (PID: 2796)
  - 6A4D.exe (PID: 280)
  - 6A4D.exe (PID: 2316)
  - powershell.exe (PID: 2668)
  - build2.exe (PID: 2448)
- Executable content was dropped or overwritten
  - File.exe (PID: 2408)
  - HCgRTQoyreiCQGFkNNSmC0oj.exe (PID: 2484)
  - is-KHSV8.tmp (PID: 2112)
  - JW4f3rUCy6X9QMYYU8sy5NJI.exe (PID: 2140)
  - LFOqf5aQugu4X88TvOj_2Mqp.exe (PID: 2984)
  - newplayer.exe (PID: 2300)
  - cmd.exe (PID: 2212)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - Rec613.exe (PID: 2556)
  - explorer.exe (PID: 1960)
  - EBEF.exe (PID: 2396)
  - EBEF.exe (PID: 2072)
  - build3.exe (PID: 1644)
  - 2B5.exe (PID: 2804)
  - 430B.exe (PID: 548)
  - 4FED.exe (PID: 1644)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
  - 6A4D.exe (PID: 2316)
  - build2.exe (PID: 2660)
  - XandETC.exe (PID: 3064)
  - updater.exe (PID: 2004)
- Executes as Windows Service
  - raserver.exe (PID: 1984)
  - laszechz.exe (PID: 2832)
  - raserver.exe (PID: 1356)
- Process requests binary or script from the Internet
  - File.exe (PID: 2408)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - explorer.exe (PID: 1960)
  - EBEF.exe (PID: 2072)
  - 2B5.exe (PID: 2804)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
  - 4FED.exe (PID: 1644)
  - 6A4D.exe (PID: 2316)
- Reads settings of System Certificates
  - File.exe (PID: 2408)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
  - EBEF.exe (PID: 2396)
  - EBEF.exe (PID: 2072)
  - 2B5.exe (PID: 2796)
  - build2.exe (PID: 2660)
  - 2B5.exe (PID: 2804)
  - 4FED.exe (PID: 1168)
  - 4FED.exe (PID: 1644)
  - 6A4D.exe (PID: 280)
  - 6A4D.exe (PID: 2316)
  - build2.exe (PID: 2448)
- Adds/modifies Windows certificates
  - WinRAR.exe (PID: 2436)
  - EBEF.exe (PID: 1732)
  - build2.exe (PID: 2288)
- Connects to unusual port
  - File.exe (PID: 2408)
  - bhHfPuUtWMmk3BgmQh8i9Q_U.exe (PID: 2772)
  - svchost.exe (PID: 2824)
  - build2.exe (PID: 2660)
  - build2.exe (PID: 2448)
  - conhost.exe (PID: 1440)
- Reads the Windows owner or organization settings
  - is-KHSV8.tmp (PID: 2112)
- Starts CMD.EXE for commands execution
  - JW4f3rUCy6X9QMYYU8sy5NJI.exe (PID: 2140)
  - oneetx.exe (PID: 564)
  - cmd.exe (PID: 124)
  - Rec613.exe (PID: 2556)
  - explorer.exe (PID: 1960)
  - XandETC.exe (PID: 3064)
  - updater.exe (PID: 2004)
- Reads Microsoft Outlook installation path
  - Rec613.exe (PID: 2556)
- Starts itself from another location
  - newplayer.exe (PID: 2300)
- Application launched itself
  - cmd.exe (PID: 124)
  - EBEF.exe (PID: 568)
  - EBEF.exe (PID: 2396)
  - EBEF.exe (PID: 1732)
  - 2B5.exe (PID: 1448)
  - build2.exe (PID: 2288)
  - 2B5.exe (PID: 2796)
  - 2B5.exe (PID: 1624)
  - build2.exe (PID: 548)
  - 4FED.exe (PID: 1264)
  - explorer.exe (PID: 1960)
  - 4FED.exe (PID: 1168)
  - 4FED.exe (PID: 2260)
  - 6A4D.exe (PID: 2676)
  - build2.exe (PID: 1188)
  - 6A4D.exe (PID: 280)
  - 6A4D.exe (PID: 1524)
  - build2.exe (PID: 2980)
- Uses ICACLS.EXE to modify access control lists
  - cmd.exe (PID: 124)
  - EBEF.exe (PID: 2396)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - JW4f3rUCy6X9QMYYU8sy5NJI.exe (PID: 2140)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - build2.exe (PID: 2660)
  - build2.exe (PID: 2448)
- Detected use of alternative data streams (AltDS)
  - svchost.exe (PID: 2824)
- Creates or modifies Windows services
  - svchost.exe (PID: 2824)
- Checks Windows Trust Settings
  - EBEF.exe (PID: 2396)
  - EBEF.exe (PID: 2072)
  - 2B5.exe (PID: 2796)
  - build2.exe (PID: 2660)
  - 2B5.exe (PID: 2804)
  - 4FED.exe (PID: 1168)
  - 4FED.exe (PID: 1644)
  - 6A4D.exe (PID: 280)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
  - 6A4D.exe (PID: 2316)
  - build2.exe (PID: 2448)
- Reads security settings of Internet Explorer
  - EBEF.exe (PID: 2396)
  - EBEF.exe (PID: 2072)
  - 2B5.exe (PID: 2796)
  - build2.exe (PID: 2660)
  - 2B5.exe (PID: 2804)
  - 4FED.exe (PID: 1168)
  - 4FED.exe (PID: 1644)
  - 6A4D.exe (PID: 280)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
  - 6A4D.exe (PID: 2316)
  - build2.exe (PID: 2448)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)_update
  - build2.exe (PID: 2660)
- The process executes via Task Scheduler
  - mstsca.exe (PID: 1436)
  - oneetx.exe (PID: 2676)
  - updater.exe (PID: 2004)
  - oneetx.exe (PID: 2748)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 2716)
- Reads browser cookies
  - build2.exe (PID: 2660)
- Script adds exclusion path to Windows Defender
  - explorer.exe (PID: 1960)
- Starts POWERSHELL.EXE for commands execution
  - explorer.exe (PID: 1960)
  - XandETC.exe (PID: 3064)
- Starts SC.EXE for service management
  - cmd.exe (PID: 2892)
  - cmd.exe (PID: 1164)
- The process checks if current user has admin rights
  - XandETC.exe (PID: 3064)
  - explorer.exe (PID: 1960)
- Uses powercfg.exe to modify the power settings
  - cmd.exe (PID: 2952)
  - cmd.exe (PID: 2336)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 2892)
  - cmd.exe (PID: 1164)
- Unusual connection from system programs
  - powershell.exe (PID: 3064)
- The Powershell connects to the Internet
  - powershell.exe (PID: 3064)
- Drops a system driver (possible attempt to evade defenses)
  - updater.exe (PID: 2004)
- Uses WMIC.EXE to obtain a list of video controllers
  - cmd.exe (PID: 1800)
- Searches for installed software
  - build2.exe (PID: 2660)
INFO
- Checks supported languages
  - File.exe (PID: 2408)
  - HCgRTQoyreiCQGFkNNSmC0oj.exe (PID: 2484)
  - bhHfPuUtWMmk3BgmQh8i9Q_U.exe (PID: 2772)
  - 7xM9NJqIg1Sx3VCbIPBLCvXu.exe (PID: 2924)
  - JW4f3rUCy6X9QMYYU8sy5NJI.exe (PID: 2140)
  - LFOqf5aQugu4X88TvOj_2Mqp.exe (PID: 2984)
  - is-KHSV8.tmp (PID: 2112)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - 2a344302.exe (PID: 464)
  - Rec613.exe (PID: 2556)
  - newplayer.exe (PID: 2300)
  - oneetx.exe (PID: 564)
  - laszechz.exe (PID: 2832)
  - VAU2R6lmLeu.exe (PID: 1456)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
  - EBEF.exe (PID: 568)
  - EBEF.exe (PID: 2396)
  - F362.exe (PID: 1436)
  - EBEF.exe (PID: 1732)
  - EBEF.exe (PID: 2072)
  - 2B5.exe (PID: 1448)
  - build2.exe (PID: 2288)
  - build2.exe (PID: 2660)
  - 2B5.exe (PID: 1624)
  - 2B5.exe (PID: 2804)
  - build3.exe (PID: 1644)
  - build2.exe (PID: 548)
  - build2.exe (PID: 2448)
  - build3.exe (PID: 2452)
  - 430B.exe (PID: 548)
  - oneetx.exe (PID: 2676)
  - mstsca.exe (PID: 1436)
  - oldplayer.exe (PID: 2760)
  - XandETC.exe (PID: 3064)
  - 4FED.exe (PID: 1264)
  - 4FED.exe (PID: 1168)
  - 4FED.exe (PID: 2260)
  - 4FED.exe (PID: 1644)
  - 5ABC.exe (PID: 2316)
  - 6A4D.exe (PID: 2676)
  - 6A4D.exe (PID: 280)
  - 2B5.exe (PID: 2796)
  - build2.exe (PID: 1188)
  - build2.exe (PID: 2720)
  - 6A4D.exe (PID: 1524)
  - 6A4D.exe (PID: 2316)
  - build3.exe (PID: 2200)
  - build2.exe (PID: 2980)
  - build2.exe (PID: 2676)
  - 8D18.exe (PID: 2216)
  - updater.exe (PID: 2004)
  - oneetx.exe (PID: 2748)
  - build3.exe (PID: 2004)
- Reads the computer name
  - File.exe (PID: 2408)
  - is-KHSV8.tmp (PID: 2112)
  - bhHfPuUtWMmk3BgmQh8i9Q_U.exe (PID: 2772)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - JW4f3rUCy6X9QMYYU8sy5NJI.exe (PID: 2140)
  - LFOqf5aQugu4X88TvOj_2Mqp.exe (PID: 2984)
  - newplayer.exe (PID: 2300)
  - oneetx.exe (PID: 564)
  - laszechz.exe (PID: 2832)
  - Rec613.exe (PID: 2556)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
  - EBEF.exe (PID: 2396)
  - EBEF.exe (PID: 2072)
  - 2B5.exe (PID: 2796)
  - build2.exe (PID: 2660)
  - 2B5.exe (PID: 2804)
  - build2.exe (PID: 2448)
  - 430B.exe (PID: 548)
  - 4FED.exe (PID: 1168)
  - 4FED.exe (PID: 1644)
  - 6A4D.exe (PID: 280)
  - build2.exe (PID: 2720)
  - 6A4D.exe (PID: 2316)
  - build2.exe (PID: 2676)
  - 8D18.exe (PID: 2216)
- The process checks LSA protection
  - File.exe (PID: 2408)
  - is-KHSV8.tmp (PID: 2112)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - JW4f3rUCy6X9QMYYU8sy5NJI.exe (PID: 2140)
  - bhHfPuUtWMmk3BgmQh8i9Q_U.exe (PID: 2772)
  - LFOqf5aQugu4X88TvOj_2Mqp.exe (PID: 2984)
  - newplayer.exe (PID: 2300)
  - oneetx.exe (PID: 564)
  - netsh.exe (PID: 2168)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
  - explorer.exe (PID: 1960)
  - EBEF.exe (PID: 2396)
  - icacls.exe (PID: 2096)
  - Rec613.exe (PID: 2556)
  - EBEF.exe (PID: 2072)
  - 2B5.exe (PID: 2796)
  - build2.exe (PID: 2660)
  - 2B5.exe (PID: 2804)
  - 430B.exe (PID: 548)
  - taskkill.exe (PID: 276)
  - 4FED.exe (PID: 1168)
  - 4FED.exe (PID: 1644)
  - 6A4D.exe (PID: 280)
  - 6A4D.exe (PID: 2316)
  - build2.exe (PID: 2448)
  - conhost.exe (PID: 1440)
  - WMIC.exe (PID: 2812)
- Creates files or folders in the user directory
  - File.exe (PID: 2408)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - Rec613.exe (PID: 2556)
  - explorer.exe (PID: 1960)
  - EBEF.exe (PID: 2396)
  - EBEF.exe (PID: 2072)
  - 2B5.exe (PID: 2796)
  - build3.exe (PID: 1644)
  - build2.exe (PID: 2660)
  - 2B5.exe (PID: 2804)
  - 4FED.exe (PID: 1168)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
  - 4FED.exe (PID: 1644)
  - 6A4D.exe (PID: 280)
  - 6A4D.exe (PID: 2316)
- Reads the machine GUID from the registry
  - File.exe (PID: 2408)
  - bhHfPuUtWMmk3BgmQh8i9Q_U.exe (PID: 2772)
  - newplayer.exe (PID: 2300)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - oneetx.exe (PID: 564)
  - Rec613.exe (PID: 2556)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
  - EBEF.exe (PID: 2396)
  - EBEF.exe (PID: 2072)
  - 2B5.exe (PID: 2796)
  - build2.exe (PID: 2660)
  - 2B5.exe (PID: 2804)
  - build2.exe (PID: 2448)
  - 4FED.exe (PID: 1168)
  - 4FED.exe (PID: 1644)
  - 6A4D.exe (PID: 280)
  - 6A4D.exe (PID: 2316)
  - build2.exe (PID: 2720)
  - build2.exe (PID: 2676)
- Checks proxy server information
  - File.exe (PID: 2408)
  - oneetx.exe (PID: 564)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - Rec613.exe (PID: 2556)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
  - EBEF.exe (PID: 2396)
  - EBEF.exe (PID: 2072)
  - 2B5.exe (PID: 2796)
  - build2.exe (PID: 2660)
  - 2B5.exe (PID: 2804)
  - 4FED.exe (PID: 1168)
  - 4FED.exe (PID: 1644)
  - 6A4D.exe (PID: 280)
  - 6A4D.exe (PID: 2316)
  - build2.exe (PID: 2448)
- Process checks computer location settings
  - File.exe (PID: 2408)
  - oLdbrFXlr0yNwkHor72Etr4c.exe (PID: 2376)
- Create files in a temporary directory
  - HCgRTQoyreiCQGFkNNSmC0oj.exe (PID: 2484)
  - JW4f3rUCy6X9QMYYU8sy5NJI.exe (PID: 2140)
  - is-KHSV8.tmp (PID: 2112)
  - LFOqf5aQugu4X88TvOj_2Mqp.exe (PID: 2984)
  - newplayer.exe (PID: 2300)
  - explorer.exe (PID: 1960)
  - EBEF.exe (PID: 2396)
  - 430B.exe (PID: 548)
- Application was dropped or rewritten from another process
  - is-KHSV8.tmp (PID: 2112)
- Creates files in the program directory
  - is-KHSV8.tmp (PID: 2112)
  - HMOGkA1cbtJnGbgRByM_Y6fG.exe (PID: 2996)
  - build2.exe (PID: 2660)
  - XandETC.exe (PID: 3064)
  - updater.exe (PID: 2004)
  - cmd.exe (PID: 1800)
- Reads product name
  - build2.exe (PID: 2660)
- Reads Environment values
  - build2.exe (PID: 2660)
- Reads CPU info
  - build2.exe (PID: 2660)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Amadey

(PID) Process(564) oneetx.exe

C2 (1)http://45.9.74.80

Version3.83

Options

Drop directory207aa4515d

Drop nameoneetx.exe

Strings (116)SCHTASKS

/Create /SC MINUTE /MO 1 /TN

/TR "

" /F

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Startup

Rem

cmd /C RMDIR /s/q

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

rundll32

/Delete /TN "

Programs

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%USERPROFILE%

\App

POST

GET

id=

&vs=

&sd=

&os=

&bi=

&ar=

&pc=

&un=

&dm=

&av=

&lv=

&og=

cred.dll|clip.dll|

Main

http://

https://

exe

dll

cmd

ps1

<c>

<d>

Plugins/

+++

&unit=

shell32.dll

kernel32.dll

GetNativeSystemInfo

ProgramData\

AVAST Software

Avira

Kaspersky Lab

ESET

Panda Security

Doctor Web

AVG

360TotalSecurity

Bitdefender

Norton

Sophos

Comodo

WinDefender

0123456789

Content-Type: multipart/form-data; boundary=----

------

Content-Disposition: form-data; name="data"; filename="

" Content-Type: application/octet-stream

------

?scr=1

.jpg

Content-Type: application/x-www-form-urlencoded

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

ComputerName

abcdefghijklmnopqrstuvwxyz0123456789-_

-unicode-

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

SYSTEM\ControlSet001\Services\BasicDisplay\Video

VideoID

\0000

DefaultSettings.XResolution

DefaultSettings.YResolution

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductName

2019

2022

2016

CurrentBuild

echo Y|CACLS "

" /P "

:N"

CACLS "

" /P "

:R" /E

:F" /E

&&Exit

..\

:::

rundll32.exe

"taskkill /f /im "

" && timeout 1 && del

&& Exit"

" && ren

Powershell.exe

-executionpolicy remotesigned -File "

Tofsee

(PID) Process(2824) svchost.exe

C2 (2)vanaheim.cn

jotunheim.name

Encrypted Strings (59)c:\Windows

\system32\

ImagePath

.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

MSConfig

.exe

cmd /C move /Y "%s" %s sc config %s binPath= "%s%s /d\"%s\"" sc start %s

svchost.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

ConsentPromptBehaviorAdmin

PromptOnSecureDesktop

MSConfig

:.repos

USERPROFILE

\Local Settings:.repos

USERPROFILE

\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.repos

USERPROFILE

\wincookie.repos

TMP

Config

Control Panel\Buses

Config

SOFTWARE\Microsoft\Buses

Config

Control Panel\Buses

Config

SOFTWARE\Microsoft\Buses

SYSTEM\CurrentControlSet\services

ImagePath

SYSTEM\CurrentControlSet\services

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

.exe

qazwsxed

%s%i%i%i%i.bat

@echo off :next_try del "%s">nul if exist "%s" ( ping 127.0.0.1 >nul goto next_try ) del %%0

svchost.exe

.exe

USERPROFILE

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

.exe

"%s" /u"%s"

USERPROFILE

.exe

USERPROFILE

ver=%d lid=%d win=%X/%d sid=%s rep=%s

RedLine

(PID) Process(2772) bhHfPuUtWMmk3BgmQh8i9Q_U.exe

C2 (1)185.81.68.115:2920

Botnet@Germany

Err_msg

Auth_value9d15d78194367a949e54a07d6ce02c62

US (139)

This assembly is protected by an unregistered version of Eziriz's ".NET Reactor"! This assembly won't further work.

Reflection

Ammo

Function

Info

Roaming

UNKNOWN

cFileStreamredFileStreamit_cFileStreamardFileStreams

FileStream

ToString

os_crypt

encrypted_key

Network\

Inner

Unknown

Read

Kill

Microsoft

GetDirectories

MSObject12

EnumerateDirectories

String.Replace

String.Remove

net.tcp://

localhost

9d15d78194367a949e54a07d6ce02c62

Authorization

ns1

CjsVUyADCgELBStWIAMoAQk7HRsjPSQO

FioWDg8EXBElARlf

Gorblimy

MSValue3

EnumerateFiles

ExpandEnvironmentVariables

MSValue2

MSValue1

FullName

Replace

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

214

Monitored processes

140

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

116

C:\Windows\SysWOW64\explorer.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\explorer.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

124

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "admin:N"&&CACLS "oneetx.exe" /P "admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "admin:N"&&CACLS "..\207aa4515d" /P "admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

—

oneetx.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

148

schtasks /create /f /RU "admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

—

HMOGkA1cbtJnGbgRByM_Y6fG.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

188

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\schtasks.exe

—

build3.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

272

C:\Windows\explorer.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

276

taskkill /im "Rec613.exe" /f

C:\Windows\SysWOW64\taskkill.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

128

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\advapi32.dll

280

C:\Users\admin\AppData\Local\Temp\6A4D.exe

6A4D.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\6a4d.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\rpcrt4.dll

464

"C:\Users\admin\AppData\Local\Temp\2a344302.exe"

C:\Users\admin\AppData\Local\Temp\2a344302.exe

LFOqf5aQugu4X88TvOj_2Mqp.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\users\admin\appdata\local\temp\2a344302.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll

548

"C:\Users\admin\AppData\Local\845c4473-54f7-4b1e-b327-80f7d77e6734\build2.exe"

C:\Users\admin\AppData\Local\845c4473-54f7-4b1e-b327-80f7d77e6734\build2.exe

—

2B5.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\845c4473-54f7-4b1e-b327-80f7d77e6734\build2.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

548

C:\Users\admin\AppData\Local\Temp\430B.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\430b.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll

Add for printing

Total events

28 990

Read events

28 479

Write events

470

Delete events

Modification events


(PID) Process:	(1960) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB0100000040131FD0E0B45449B5325CF35709B45A0000000002000000000010660000000100002000000097BA847E5D0827CAFBC4D33F7B8AFE8834428DFEF065FA018D8CAB90C5710B0A000000000E8000000002000020000000703BDF28CF4D9DFCAB7DDC229F11B838657F02A563D675B7BA5A582848A73F4F300000008091631BBFD318C1A67DDE62193EF5F65F823DF6F3FB12C344A857963FC714699639A04F9F66927C69CA8E9AC61E02154000000007CED62AF9113E09870DE72EB5744E2CBFDC316C2CF8607885EA5CBB68D61BE0CFB49EE1C4CAF8F2769692B62252F8AB0F88C1F92875F93F72FE70BCC896EFE4
(PID) Process:	(2436) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(1960) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:	write	Name:	{6Q809377-6NS0-444O-8957-N3773S02200R}\JvaENE\JvaENE.rkr
Value: 000000000B000000050000001E9A0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF30D9B8CEF2F1D80100000000
(PID) Process:	(1960) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:	write	Name:	HRZR_PGYFRFFVBA
Value: 0000000091000000940000006A524C00110000000300000071B504007B00310041004300310034004500370037002D0030003200450037002D0034004500350044002D0042003700340034002D003200450042003100410045003500310039003800420037007D005C0063006D0064002E006500780065000000D3FDFE0700000000000000000000F012D2020000000000000000000000000000000000000000F012D2020000000012C2D2FDFE070000010000000000000000000000000000000000000000000000F012D20200000000000000000000000000000000000000000000000000000000DCD9D3FDFE0700000000000000000000568ED3FDFE07000005000000000000000000000000000000F012D20200000000C9AAD2FDFE07000000000000000000000500000000000000000000000000000000000000000000000100000000000000C3AAD3FDFE070000F012D202000000000500000000000000010000000000000001000000FFFFFFFF00000000000000000000000000000000000000001C000000010000000000000001000000FFFFFFFF0C18D202000000002C18D202000000000000000000000000010000000600000071D8D3FDFE070000F0E676030000000000000000000000000500000000000000F012D20200000000F012D2020000000063B3D2FDFE07000001000000000000000000000000000000000000000000000005000000FE0700004413D20200000000D017D202000000008014D202100000001B000000C95F05007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E00650078006500000000000000FE221EFEFE07000060000100000000008202000000000000820200000000000001FFFFFF000000006A00A603000000008C00A60300000000B8ACA6030000000050DFE3020000000000010001010000000001E302000000004CE2E3020000000094DFE302000000000000000009090900090909090009111100000000000000008202000000000000820200000000000001000000000000008202000000000000DB9B5A77000000006000010000000000000000000000000000000000000000000000000000000000110000000300000071B504007B00310041004300310034004500370037002D0030003200450037002D0034004500350044002D0042003700340034002D003200450042003100410045003500310039003800420037007D005C0063006D0064002E006500780065000000D3FDFE0700000000000000000000F012D2020000000000000000000000000000000000000000F012D2020000000012C2D2FDFE070000010000000000000000000000000000000000000000000000F012D2020000000000000000000000000000000000000000000000000000000013000000A80916007B00310041004300310034004500370037002D0030003200450037002D0034004500350044002D0042003700340034002D003200450042003100410045003500310039003800420037007D005C007400610073006B006D00670072002E006500780065000000008000000000542D3EFFFE07000000000000000000006800690200000000580001000000000000000000000000000000290000000000EB1ABB7700000000680069020000000000000000FE070000282547FFFE070000B0EA330000000000180069020000000000000000000000000100000000000000BF1D3EFFFE07000090DEF3020000000070C936000000000000000000000000003B94B5FDFE070000E00736000000000008006902000000005800010000000000869AA977000000000814FEDA97F1000082020000000000000000000000000000580001000000000000000000000000008202000000000000020000000000000058000100000000000000000000000000820200000000000080A671FF00000000C81263FF00000000E00736000000000001000000000000000F0000C000000000941AC90200000000820200000000000001000000000000008202000000000000DB9BA977000000005800010000000000000000000000000000000000000000000100000000000000000000000000000081020000000000000000000000000000000000000000000000000000
(PID) Process:	(2436) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:	(2436) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\Win7AndW2K8R2-KB3191566-x64.zip
(PID) Process:	(2436) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process:	(2436) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2436) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2436) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2436	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2436.17935\File.exe		—
		MD5:—	SHA256:—
2408	File.exe	C:\Users\admin\Pictures\Minor Policy\ibtFpfoCTsrOvzoMhlu8ufls.exe		html
		MD5:81F7A08F650AA005B8EC636C9E385065	SHA256:04CBBABD3A2B199EBFE272F04EEF2EEF33B033B987E1E3B13096D7DE7988BA90
2408	File.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\6523[1].exe		executable
		MD5:3C465371B9755C67FECA54FEE5FA174B	SHA256:61BD39FF52FF66E58A3F46C49EE5F2453C1DF77E911782D163DDF06CC36E4EC8
2408	File.exe	C:\Users\admin\Pictures\Minor Policy\JW4f3rUCy6X9QMYYU8sy5NJI.exe		executable
		MD5:2A9C91D22B235EF9675F44B871A03A83	SHA256:1FAF53A182B0295309F4E97E21469BE2867A9B0669D1E9FECA5EF45A64B82089
2408	File.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\qdk2rlsncuqts[1].exe		executable
		MD5:2A9C91D22B235EF9675F44B871A03A83	SHA256:1FAF53A182B0295309F4E97E21469BE2867A9B0669D1E9FECA5EF45A64B82089
2408	File.exe	C:\Windows\System32\GroupPolicy\gpt.ini		text
		MD5:39DFFC602ED934569F26BE44EC645814	SHA256:B57A88E5B1ACF3A784BE88B87FA3EE1F0991CB7C1C66DA423F3595FFC6E0C5C2
2408	File.exe	C:\Users\admin\Pictures\Minor Policy\bhHfPuUtWMmk3BgmQh8i9Q_U.exe		executable
		MD5:918731493DC265322EB7B5563061A665	SHA256:6887704723D5A6150375AAC34FD0F2728FDF221FC064AEAC93D9A7BF5A6C0FF6
2408	File.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\setup[1].exe		executable
		MD5:90F614FE546A7695D570693A7E94C3E2	SHA256:34E9AD66AAE30CB28066412B4BFA9C8C57943650C49B9FBDF9E65946E3DA54D1
2408	File.exe	C:\Windows\System32\GroupPolicy\Machine\Registry.pol		binary
		MD5:CDFD60E717A44C2349B553E011958B85	SHA256:0EE08DA4DA3E4133E1809099FC646468E7156644C9A772F704B80E338015211F
2408	File.exe	C:\Users\admin\Pictures\Minor Policy\LFOqf5aQugu4X88TvOj_2Mqp.exe		executable
		MD5:8A06751312436A705C6404180C8B1519	SHA256:0875F2085B2F40B96DB96D317CFDD1D870541182D4200DE33FAE9CBEFAF07797

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

113

TCP/UDP connections

144

DNS requests

Threats

832

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2408	File.exe	HEAD	200	45.12.253.74:80	http://45.12.253.74/pineapple.php?pub=mixinte	BG	—	—	malicious
2408	File.exe	HEAD	—	176.113.115.239:80	http://176.113.115.239:8080/4.php	RU	—	—	suspicious
2408	File.exe	HEAD	—	194.169.175.124:80	http://194.169.175.124:3002/	US	—	—	malicious
2408	File.exe	HEAD	—	83.97.73.131:80	http://83.97.73.131/gallery/photo221.exe	unknown	—	—	malicious
2408	File.exe	HEAD	403	188.114.96.0:80	http://ji.jahhaega2qq.com/m/p0aw25.exe	US	—	—	malicious
2408	File.exe	HEAD	200	45.9.74.80:80	http://45.9.74.80/obins.exe	SC	—	—	malicious
2408	File.exe	HEAD	—	91.215.85.147:80	http://hugersi.com/dl/6523.exe	RU	—	—	suspicious
2408	File.exe	GET	—	45.12.253.74:80	http://45.12.253.74/pineapple.php?pub=mixinte	BG	—	—	malicious
2408	File.exe	GET	—	194.169.175.124:3002	http://194.169.175.124:3002/	US	—	—	malicious
2408	File.exe	HEAD	200	163.123.143.4:80	http://163.123.143.4/download/Service32.exe	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2408	File.exe	208.67.104.60:80	—	Delis LLC	US	malicious
328	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2408	File.exe	104.26.8.59:443	api.myip.com	CLOUDFLARENET	US	suspicious
2408	File.exe	87.240.132.72:80	vk.com	VKontakte Ltd	RU	suspicious
2408	File.exe	87.240.132.72:443	vk.com	VKontakte Ltd	RU	suspicious
2408	File.exe	194.169.175.124:80	—	—	US	malicious
2408	File.exe	176.113.115.239:80	—	Red Bytes LLC	RU	suspicious
2408	File.exe	45.9.74.6:80	—	Delta Ltd	SC	malicious
2408	File.exe	83.97.73.131:80	—	—	—	malicious

DNS requests

Domain	IP	Reputation
api.myip.com	104.26.8.59	suspicious
ipinfo.io	34.117.59.81	shared
vk.com	87.240.132.72	whitelisted
teredo.ipv6.microsoft.com	—	whitelisted
ji.jahhaega2qq.com	188.114.96.0	malicious
hugersi.com	91.215.85.147	suspicious
dns.msftncsi.com	131.107.255.255	shared
telegram.org	149.154.167.99	whitelisted
twitter.com	104.244.42.1	whitelisted
yandex.ru	5.255.255.70	whitelisted

Threats

PID	Process	Class	Message
2408	File.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
2408	File.exe	Malware Command and Control Activity Detected	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
2408	File.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
2408	File.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 20
2408	File.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2408	File.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2408	File.exe	A Network Trojan was detected	ET MALWARE Single char EXE direct download likely trojan (multiple families)
2408	File.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2408	File.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2408	File.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host

39 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

File_pass1234.7z

5D8247884739DBFA2355697F29DFF1E5

93D5CF504819AD65A4B8BAC59555153F7135BA81

1AF498CE6C55C10486204397ECCD2F633F9169235269C99467F908B5631733D2

98304:0zwsgldyUmaUISVKKP1VF6L/YQNP+Zku0ALWAiaUqmdhsHCOq24roLvoR6fhAgFb:0zwL/lmNFKKP1vUAEP+iA1l+h0HqrGvl

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

PRIVATELOADER was detected

Connects to the CnC server

Actions looks like stealing of personal data

Creates a writable file the system directory

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

Application was injected by another process

Runs injected code in another process

AMADEY was detected

Uses Task Scheduler to autorun other applications

GCLEANER was detected

AMADEY detected by memory dumps

SMOKE was detected

TOFSEE detected by memory dumps

REDLINE detected by memory dumps

Stop is detected

Starts CMD.EXE for self-deleting

VIDAR was detected

Steals credentials from Web Browsers

Steals credentials

Adds path to the Windows Defender exclusion list

SUSPICIOUS

Checks for external IP

Connects to the server without a host name

Reads the Internet Settings

Executable content was dropped or overwritten

Executes as Windows Service

Process requests binary or script from the Internet

Reads settings of System Certificates

Adds/modifies Windows certificates

Connects to unusual port

Reads the Windows owner or organization settings

Starts CMD.EXE for commands execution

Reads Microsoft Outlook installation path

Starts itself from another location

Application launched itself

Uses ICACLS.EXE to modify access control lists

Uses NETSH.EXE to add a firewall rule or allowed programs

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Detected use of alternative data streams (AltDS)

Creates or modifies Windows services

Checks Windows Trust Settings

Reads security settings of Internet Explorer

Process communicates with Telegram (possibly using it as an attacker's C2 server)_update

The process executes via Task Scheduler

Uses TASKKILL.EXE to kill process

Reads browser cookies

Script adds exclusion path to Windows Defender

Starts POWERSHELL.EXE for commands execution

Starts SC.EXE for service management

The process checks if current user has admin rights

Uses powercfg.exe to modify the power settings

Uses REG/REGEDIT.EXE to modify registry

Unusual connection from system programs

The Powershell connects to the Internet

Drops a system driver (possible attempt to evade defenses)

Uses WMIC.EXE to obtain a list of video controllers

Searches for installed software

INFO

Checks supported languages

Reads the computer name

The process checks LSA protection

Creates files or folders in the user directory

Reads the machine GUID from the registry

Checks proxy server information

Process checks computer location settings

Create files in a temporary directory