Malware analysis GHOSTFUDCRYPTER.exe Malicious activity

Add for printing

File name:	GHOSTFUDCRYPTER.exe
Full analysis:	https://app.any.run/tasks/732a419e-73bb-49de-93ad-1f4d7aded2fb
Verdict:	Malicious activity
Analysis date:	May 30, 2025, 19:59:26
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	api-base64 golang
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 15 sections
MD5:	513424ED6D555BF357EE44846F510FAF
SHA1:	3C2EE69C49A7D28A7720937D273836293C75DC36
SHA256:	339A880408B453DF07D35DBA3979144B2CEE3A778BC3906E52D1B72ACAF5B045
SSDEEP:	49152:BJMr7Nwia8d0JBJm6b7xeJnQ7SN0xD/j285goJ0a/f4h8Rsm/fTyBQif5q5W3iF1:Kq60JBDFeD0xDRBS4D9F0YO/te6xM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executable content was dropped or overwritten
  - GHOSTFUDCRYPTER.exe (PID: 3784)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 6584)
  - GHOSTFUDCRYPTER.exe (PID: 4172)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 5024)
- Executing commands from a ".bat" file
  - GHOSTFUDCRYPTER.exe (PID: 3784)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 6584)
  - GHOSTFUDCRYPTER.exe (PID: 4172)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 5024)
- Suspicious files were dropped or overwritten
  - GHOSTFUDCRYPTER.exe (PID: 3784)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 6584)
  - GHOSTFUDCRYPTER.exe (PID: 4172)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 5024)
- Uses ATTRIB.EXE to modify file attributes
  - cmd.exe (PID: 5972)
  - cmd.exe (PID: 4220)
  - cmd.exe (PID: 1184)
  - cmd.exe (PID: 524)
- Starts CMD.EXE for commands execution
  - GHOSTFUDCRYPTER.exe (PID: 3784)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 6584)
  - GHOSTFUDCRYPTER.exe (PID: 4172)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 5024)
- Starts application with an unusual extension
  - GHOSTFUDCRYPTER.exe (PID: 3784)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 6584)
  - GHOSTFUDCRYPTER.exe (PID: 4172)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 5024)
- Write to the desktop.ini file (may be used to cloak folders)
  - diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 716)
- Reads browser cookies
  - diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 716)
- Reads the date of Windows installation
  - SearchApp.exe (PID: 8052)
- Start notepad (likely ransomware note)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 6584)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 5024)
INFO
- Checks supported languages
  - GHOSTFUDCRYPTER.exe (PID: 3784)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 6584)
  - diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 716)
  - SearchApp.exe (PID: 8052)
- Drops encrypted JS script (Microsoft Script Encoder)
  - GHOSTFUDCRYPTER.exe (PID: 3784)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 6584)
- Reads the computer name
  - GHOSTFUDCRYPTER.exe (PID: 3784)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 6584)
  - SearchApp.exe (PID: 8052)
- Potential library load (Base64 Encoded 'LoadLibrary')
  - GHOSTFUDCRYPTER.exe (PID: 3784)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 6584)
  - GHOSTFUDCRYPTER.exe (PID: 4172)
- Application based on Golang
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 6584)
  - diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 716)
  - GHOSTFUDCRYPTER.exe (PID: 3784)
  - GHOSTFUDCRYPTER.exe (PID: 4172)
- Potential modification of remote process state (Base64 Encoded 'SetThreadContext')
  - GHOSTFUDCRYPTER.exe (PID: 3784)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 6584)
  - GHOSTFUDCRYPTER.exe (PID: 4172)
- Potential dynamic function import (Base64 Encoded 'GetProcAddress')
  - GHOSTFUDCRYPTER.exe (PID: 3784)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 6584)
  - GHOSTFUDCRYPTER.exe (PID: 4172)
- Checks proxy server information
  - SearchApp.exe (PID: 8052)
- Reads the machine GUID from the registry
  - SearchApp.exe (PID: 8052)
- Potential access to remote process (Base64 Encoded 'OpenProcess')
  - GHOSTFUDCRYPTER.exe (PID: 3784)
  - adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat (PID: 6584)
  - GHOSTFUDCRYPTER.exe (PID: 4172)
- Manual execution by a user
  - GHOSTFUDCRYPTER.exe (PID: 6892)
  - GHOSTFUDCRYPTER.exe (PID: 1916)
  - GHOSTFUDCRYPTER.exe (PID: 4172)
  - Acrobat.exe (PID: 5176)
  - GHOSTFUDCRYPTER.exe (PID: 4424)
  - GHOSTFUDCRYPTER.exe (PID: 7548)
  - notepad.exe (PID: 3176)
  - notepad.exe (PID: 7560)
- Process checks computer location settings
  - SearchApp.exe (PID: 8052)
- Application launched itself
  - Acrobat.exe (PID: 5176)
  - AcroCEF.exe (PID: 924)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	3
CodeSize:	740352
InitializedDataSize:	59904
UninitializedDataSize:	-
EntryPoint:	0x652c0
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

165

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

236

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

524

cmd /C "attrib +h C:\Users\admin\Downloads\diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat"

C:\Windows\System32\cmd.exe

—

adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

716

C:\Users\admin\Downloads\diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat

—

adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\downloads\diwejdiowejdoiewdeowedopwedxcmkedtmpscript.bat
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

924

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16514043

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

Acrobat.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1184

cmd /C "attrib +h C:\Users\admin\Downloads\adiwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat"

C:\Windows\System32\cmd.exe

—

GHOSTFUDCRYPTER.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1368

attrib +h C:\Users\admin\Downloads\diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat

C:\Windows\System32\attrib.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Attribute Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

1672

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1536 --field-trial-handle=1624,i,18439229285801361789,1957901527609585005,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1696

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2148 --field-trial-handle=1624,i,18439229285801361789,1957901527609585005,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1916

"C:\Users\admin\Desktop\GHOSTFUDCRYPTER.exe"

C:\Users\admin\Desktop\GHOSTFUDCRYPTER.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\ghostfudcrypter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll

2432

attrib +h C:\Users\admin\Downloads\diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat

C:\Windows\System32\attrib.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Attribute Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

Add for printing

Total events

30 044

Read events

29 373

Write events

652

Delete events

Modification events


(PID) Process:	(8052) SearchApp.exe	Key:	\REGISTRY\A\{25a74e0d-2cf2-49f7-e112-8395af5e6296}\LocalState
Operation:	write	Name:	ShouldShowCombinedConsent
Value: 01A6F35C699DD1DB01
(PID) Process:	(8052) SearchApp.exe	Key:	\REGISTRY\A\{25a74e0d-2cf2-49f7-e112-8395af5e6296}\LocalState
Operation:	write	Name:	ShouldUnregisterAllBackgroundTasks
Value: 0142435D699DD1DB01
(PID) Process:	(8052) SearchApp.exe	Key:	\REGISTRY\A\{25a74e0d-2cf2-49f7-e112-8395af5e6296}\LocalState
Operation:	write	Name:	CortanaCapabilities
Value: 0000000042435D699DD1DB01
(PID) Process:	(8052) SearchApp.exe	Key:	\REGISTRY\A\{25a74e0d-2cf2-49f7-e112-8395af5e6296}\LocalState
Operation:	write	Name:	RPSServerBing
Value: 63006F007200740061006E0061002E00620069006E0067002E0063006F006D00000042435D699DD1DB01
(PID) Process:	(8052) SearchApp.exe	Key:	\REGISTRY\A\{25a74e0d-2cf2-49f7-e112-8395af5e6296}\LocalState
Operation:	write	Name:	RPSServerLive
Value: 730073006C002E006C006900760065002E0063006F006D00000042435D699DD1DB01
(PID) Process:	(8052) SearchApp.exe	Key:	\REGISTRY\A\{25a74e0d-2cf2-49f7-e112-8395af5e6296}\LocalState\OnlineServices
Operation:	write	Name:	UseTestServer
Value: 00000000946A5D699DD1DB01
(PID) Process:	(8052) SearchApp.exe	Key:	\REGISTRY\A\{25a74e0d-2cf2-49f7-e112-8395af5e6296}\LocalState\OnlineServices\Providers\RulesRequest
Operation:	write	Name:	Id
Value: 1E000000946A5D699DD1DB01
(PID) Process:	(8052) SearchApp.exe	Key:	\REGISTRY\A\{25a74e0d-2cf2-49f7-e112-8395af5e6296}\LocalState\OnlineServices\Providers\RulesRequest\HttpRequestCmd
Operation:	write	Name:	Id
Value: 00000000946A5D699DD1DB01
(PID) Process:	(8052) SearchApp.exe	Key:	\REGISTRY\A\{25a74e0d-2cf2-49f7-e112-8395af5e6296}\LocalState\OnlineServices\Providers\RulesRequest\HttpRequestCmd
Operation:	write	Name:	HeaderTemplate
Value: 58002D005300650061007200630068002D00490047003A002000250032000D000A0058002D005300650061007200630068002D00550049004C0061006E0067003A002000250033000D000A0058002D005300650061007200630068002D004D00610072006B00650074003A002000250034000D000A0058002D005300650061007200630068002D0043006C00690065006E007400490044003A002000250035000D000A0058002D004100670065006E0074002D00520075006C0065007300560065007200730069006F006E003A002000250036000D000A0058002D004100670065006E0074002D005200650073006F006C007500740069006F006E003A002000250037000D000A0058002D004100670065006E0074002D00440065007600690063006500490064003A002000250038000D000A0058002D0042004D002D004F0045004D003A002000250039000D000A0058002D0042004D002D004D004F003A0020002500310030000D000A0058002D004100670065006E0074002D00500068006F006E0065004F0053005600650072003A0020002500310031000D000A00540069006D0065007A006F006E0065003A0020002500310032000000946A5D699DD1DB01
(PID) Process:	(8052) SearchApp.exe	Key:	\REGISTRY\A\{25a74e0d-2cf2-49f7-e112-8395af5e6296}\LocalState\OnlineServices\Providers\RulesRequest\HttpRequestCmd
Operation:	write	Name:	ParamCount
Value: 0C000000946A5D699DD1DB01

Add for printing

Executable files

Suspicious files

2 735

Text files

326

Unknown types

Dropped files

PID	Process	Filename		Type
716	diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention		binary
		MD5:0BC68257028F360AD40120C71A694BC6	SHA256:662AFA1099E2DE9F090C4530ECCFB47DAD44090E14768952A7791A12421C1D0A
716	diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst		binary
		MD5:3BFF5D30F30577AC468A30547997451A	SHA256:EDD5C20DB86E80109956175F9042A32034DC43FB550BC9CE4D6C0817CB114881
716	diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner		binary
		MD5:1F001A521763C682BD0FA3BF9468D6AE	SHA256:E15FB1E157102FA301FCF68FFC6C4B5D0A83E93E3DA4390C80629274FD8C7E46
716	diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner		binary
		MD5:7A33BFE9EC6A2CF376976B4AB4B223FB	SHA256:91B0127094C924EC0B7A0D7FCBFDCAB9CC0BC8B1A1647AF2246AED8F4FAED488
716	diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat	C:\Users\admin\AppData\Local\Comms\UnistoreDB\USS.jcp		binary
		MD5:D184C3F23DA8DE552FD27F7661E80314	SHA256:86EC2C7FDA712D7279D90048279D6FCB242DC62009047DA433AB3FD7479238C0
716	diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner		binary
		MD5:6CD1CDE1D9D3325B8CA1753210DC50FA	SHA256:77CBD7F31F9CDDD6BA97031A425DA6C23DF6276ADA874997684A405CEE7BFC44
716	diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst		binary
		MD5:67836CA5104FB6ACEBEF936FDD1E2581	SHA256:58D2F239B8E3EF4D71E8CC6DD3590005217F5E07D94F8E0CCFFD15A1AAFF1BCA
716	diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards		binary
		MD5:29358C97BD9AF95A5D451CEEC841B424	SHA256:7ADF126B5108CF82B7C0D59027A48A3DF4EC56F26CEA69D2D8CF38E91AC525C6
716	diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat	C:\Users\admin\AppData\Local\D3DSCache\3534848bb9f4cb71\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx		binary
		MD5:5DB964DE3C1AEDB5C4128BD06CE2B3F2	SHA256:73286944DDEE072CD5BFDF16E487D41760D5E2B6FB13BF4B6E70261667556586
716	diwejdiowejdoiewdeowedopwedxcmkedtmpScript.bat	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface		binary
		MD5:DA892CDE7D39FDD85A6E003894A859AE	SHA256:6ED275F4D262B64A541F2E8363C41230A1E1DB6233E5FFB59E0156D8F92FEC21

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	23.32.238.34:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2516	svchost.exe	GET	200	23.32.238.34:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2516	svchost.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
8052	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
3300	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
3300	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
8052	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
8052	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5024	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	23.32.238.34:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2516	svchost.exe	23.32.238.34:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	2.16.253.202:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
2516	svchost.exe	2.16.253.202:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6544	svchost.exe	20.190.159.128:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2 4.231.128.59	whitelisted
google.com	142.250.181.238	whitelisted
crl.microsoft.com	23.32.238.34 2.19.198.194	whitelisted
www.microsoft.com	2.16.253.202 2.23.246.101	whitelisted
login.live.com	20.190.159.128 20.190.159.75 40.126.31.71 40.126.31.131 20.190.159.4 20.190.159.71 20.190.159.0 40.126.31.1	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
client.wns.windows.com	172.211.123.249 172.211.123.250	whitelisted
www.bing.com	2.23.227.215 2.23.227.208 2.16.204.157 2.16.204.156 2.16.204.152 2.16.204.147 2.16.204.150 2.16.204.153 2.16.204.146 2.16.204.151 2.16.204.145	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

GHOSTFUDCRYPTER.exe

513424ED6D555BF357EE44846F510FAF

3C2EE69C49A7D28A7720937D273836293C75DC36

339A880408B453DF07D35DBA3979144B2CEE3A778BC3906E52D1B72ACAF5B045

49152:BJMr7Nwia8d0JBJm6b7xeJnQ7SN0xD/j285goJ0a/f4h8Rsm/fTyBQif5q5W3iF1:Kq60JBDFeD0xDRBS4D9F0YO/te6xM

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

Executing commands from a ".bat" file

Suspicious files were dropped or overwritten

Uses ATTRIB.EXE to modify file attributes

Starts CMD.EXE for commands execution

Starts application with an unusual extension

Write to the desktop.ini file (may be used to cloak folders)

Reads browser cookies

Reads the date of Windows installation

Start notepad (likely ransomware note)

INFO

Checks supported languages

Drops encrypted JS script (Microsoft Script Encoder)

Reads the computer name

Potential library load (Base64 Encoded 'LoadLibrary')

Application based on Golang

Potential modification of remote process state (Base64 Encoded 'SetThreadContext')

Potential dynamic function import (Base64 Encoded 'GetProcAddress')

Checks proxy server information

Reads the machine GUID from the registry

Potential access to remote process (Base64 Encoded 'OpenProcess')

Manual execution by a user

Process checks computer location settings

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings