Malware analysis Steam Account Generator FIXED.exe Malicious activity

Add for printing

File name:	Steam Account Generator FIXED.exe
Full analysis:	https://app.any.run/tasks/be4f9d0a-6377-4e0f-b356-f5719bf502ca
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 29, 2025, 20:10:34
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	amadey botnet stealer diamotrix clipper auto-reg python auto redline metastealer generic crypto-regex arch-doc rust rdp
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	07ADD688984EC45F5003C2B696822EF0
SHA1:	7FB6FAFBD649EA7A33A6E90DFBCB10BAFD08D79A
SHA256:	379D108F6D40EEF6A248E1E3C1DD2E88094CC4506E603195B55814DE865E6E5E
SSDEEP:	196608:3n2dd2hj+0KCFboh11kYF2WVqfc7JlY+942ASiTg:328K0KCxqAIqfc9lJ91ASi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- GENERIC has been found (auto)
  - Steam Account Generator FIXED.exe (PID: 4988)
- DIAMOTRIX mutex has been found
  - gfgdfxwx.exe (PID: 1324)
  - winapp.exe (PID: 4920)
  - gfgdfxwx.exe (PID: 5868)
- Changes the autorun value in the registry
  - gfgdfxwx.exe (PID: 1324)
- AMADEY has been found (auto)
  - Steam Account Generator FIXED.exe (PID: 4988)
  - dfssdfxx.exe (PID: 5116)
- Registers / Runs the DLL via REGSVR32.EXE
  - bvcbghgf.tmp (PID: 5216)
- Loads dropped or rewritten executable
  - cxvezrfde.exe (PID: 2088)
  - Steam Account Generator FIXED.exe (PID: 4988)
  - gfgdfxwx.exe (PID: 1324)
  - cxvezrfde.exe (PID: 5428)
  - regsvr32.exe (PID: 5800)
  - conhost.exe (PID: 1228)
  - conhost.exe (PID: 1056)
  - svchost.exe (PID: 4560)
  - cvcxxxx.exe (PID: 644)
  - WaaSMedicAgent.exe (PID: 2516)
  - wxcvxverd.exe (PID: 1052)
  - winapp.exe (PID: 4920)
  - powershell.exe (PID: 6388)
  - gfgdfxwx.exe (PID: 5868)
  - WmiPrvSE.exe (PID: 2504)
  - powershell.exe (PID: 5056)
  - conhost.exe (PID: 5548)
  - SIHClient.exe (PID: 6068)
  - notepad.exe (PID: 4068)
  - notepad.exe (PID: 6576)
  - notepad.exe (PID: 6112)
  - notepad.exe (PID: 3884)
  - 3B60.tmp.exe (PID: 5064)
  - 3B60.tmp.exe (PID: 1168)
  - rundll32.exe (PID: 3268)
  - rundll32.exe (PID: 2240)
  - regsvr32.exe (PID: 5608)
  - conhost.exe (PID: 2800)
  - powershell.exe (PID: 4464)
  - dllhost.exe (PID: 4528)
  - slui.exe (PID: 1052)
- AMADEY has been detected (SURICATA)
  - nudwee.exe (PID: 6872)
- Connects to the CnC server
  - nudwee.exe (PID: 6872)
  - wxcvxverd.exe (PID: 1052)
- Actions looks like stealing of personal data
  - cvcxxxx.exe (PID: 644)
  - wxcvxverd.exe (PID: 1052)
- METASTEALER has been detected (SURICATA)
  - wxcvxverd.exe (PID: 1052)
- Application was injected by another process
  - explorer.exe (PID: 5492)
- AMADEY has been detected (YARA)
  - nudwee.exe (PID: 6872)
- Runs injected code in another process
  - regsvr32.exe (PID: 5800)
- Stealers network behavior
  - wxcvxverd.exe (PID: 1052)
- REDLINE has been detected (SURICATA)
  - wxcvxverd.exe (PID: 1052)
- Steals credentials from Web Browsers
  - wxcvxverd.exe (PID: 1052)
SUSPICIOUS
- Reads the date of Windows installation
  - Steam Account Generator FIXED.exe (PID: 4988)
- Reads security settings of Internet Explorer
  - Steam Account Generator FIXED.exe (PID: 4988)
  - bvcbghgf.tmp (PID: 5800)
  - nudwee.exe (PID: 6872)
  - dfssdfxx.exe (PID: 5116)
  - cvcxxxx.exe (PID: 644)
- Process drops legitimate windows executable
  - Steam Account Generator FIXED.exe (PID: 4988)
  - gfgdfxwx.exe (PID: 1324)
  - cxvezrfde.exe (PID: 2088)
  - bvcbghgf.tmp (PID: 5800)
  - bvcbghgf.tmp (PID: 5216)
  - 3B60.tmp.exe (PID: 5064)
- Executable content was dropped or overwritten
  - bvcbghgf.exe (PID: 6988)
  - Steam Account Generator FIXED.exe (PID: 4988)
  - gfgdfxwx.exe (PID: 1324)
  - cxvezrfde.exe (PID: 2088)
  - bvcbghgf.tmp (PID: 5800)
  - bvcbghgf.tmp (PID: 5216)
  - bvcbghgf.exe (PID: 5008)
  - dfssdfxx.exe (PID: 5116)
  - Launcher.exe (PID: 6372)
  - explorer.exe (PID: 5492)
  - 3B60.tmp.exe (PID: 5064)
- Process drops python dynamic module
  - cxvezrfde.exe (PID: 2088)
  - 3B60.tmp.exe (PID: 5064)
- Reads the Windows owner or organization settings
  - bvcbghgf.tmp (PID: 5800)
  - bvcbghgf.tmp (PID: 5216)
- The process drops C-runtime libraries
  - cxvezrfde.exe (PID: 2088)
  - 3B60.tmp.exe (PID: 5064)
- Application launched itself
  - cxvezrfde.exe (PID: 2088)
  - 3B60.tmp.exe (PID: 5064)
- Loads Python modules
  - cxvezrfde.exe (PID: 5428)
  - 3B60.tmp.exe (PID: 1168)
- Starts itself from another location
  - dfssdfxx.exe (PID: 5116)
- Starts POWERSHELL.EXE for commands execution
  - regsvr32.exe (PID: 5800)
  - regsvr32.exe (PID: 5608)
- Reads the BIOS version
  - Launcher.exe (PID: 6372)
- Contacting a server suspected of hosting an CnC
  - nudwee.exe (PID: 6872)
- The process hide an interactive prompt from the user
  - regsvr32.exe (PID: 5800)
- The process bypasses the loading of PowerShell profile settings
  - regsvr32.exe (PID: 5800)
- Found regular expressions for crypto-addresses (YARA)
  - gfgdfxwx.exe (PID: 1324)
- The process executes via Task Scheduler
  - nudwee.exe (PID: 6592)
  - regsvr32.exe (PID: 5608)
  - nudwee.exe (PID: 1616)
- Potential Corporate Privacy Violation
  - cvcxxxx.exe (PID: 644)
- Connects to unusual port
  - wxcvxverd.exe (PID: 1052)
- Connects to the server without a host name
  - cvcxxxx.exe (PID: 644)
  - explorer.exe (PID: 5492)
- There is functionality for taking screenshot (YARA)
  - nudwee.exe (PID: 6872)
- There is functionality for enable RDP (YARA)
  - nudwee.exe (PID: 6872)
- Searches for installed software
  - wxcvxverd.exe (PID: 1052)
- Uses RUNDLL32.EXE to load library
  - explorer.exe (PID: 5492)
INFO
- Reads the computer name
  - Steam Account Generator FIXED.exe (PID: 4988)
  - cxvezrfde.exe (PID: 2088)
  - bvcbghgf.tmp (PID: 5800)
  - dfssdfxx.exe (PID: 5116)
  - Launcher.exe (PID: 6372)
  - bvcbghgf.tmp (PID: 5216)
  - nudwee.exe (PID: 6872)
  - wxcvxverd.exe (PID: 1052)
  - cvcxxxx.exe (PID: 644)
  - 3B60.tmp.exe (PID: 5064)
- The sample compiled with english language support
  - Steam Account Generator FIXED.exe (PID: 4988)
  - gfgdfxwx.exe (PID: 1324)
  - bvcbghgf.tmp (PID: 5800)
  - cxvezrfde.exe (PID: 2088)
  - bvcbghgf.tmp (PID: 5216)
  - 3B60.tmp.exe (PID: 5064)
- Checks supported languages
  - Steam Account Generator FIXED.exe (PID: 4988)
  - cxvezrfde.exe (PID: 2088)
  - gfgdfxwx.exe (PID: 1324)
  - bvcbghgf.exe (PID: 6988)
  - cvcxxxx.exe (PID: 644)
  - dfssdfxx.exe (PID: 5116)
  - wxcvxverd.exe (PID: 1052)
  - bvcbghgf.tmp (PID: 5216)
  - bvcbghgf.exe (PID: 5008)
  - bvcbghgf.tmp (PID: 5800)
  - Launcher.exe (PID: 6372)
  - cxvezrfde.exe (PID: 5428)
  - nudwee.exe (PID: 6872)
  - gfgdfxwx.exe (PID: 5868)
  - winapp.exe (PID: 4920)
  - nudwee.exe (PID: 6592)
  - 3B60.tmp.exe (PID: 5064)
  - 3B60.tmp.exe (PID: 1168)
  - nudwee.exe (PID: 1616)
- Creates files or folders in the user directory
  - Steam Account Generator FIXED.exe (PID: 4988)
  - gfgdfxwx.exe (PID: 1324)
  - bvcbghgf.tmp (PID: 5216)
  - cvcxxxx.exe (PID: 644)
- Create files in a temporary directory
  - bvcbghgf.exe (PID: 6988)
  - Steam Account Generator FIXED.exe (PID: 4988)
  - bvcbghgf.tmp (PID: 5800)
  - cxvezrfde.exe (PID: 2088)
  - bvcbghgf.exe (PID: 5008)
  - bvcbghgf.tmp (PID: 5216)
  - Launcher.exe (PID: 6372)
  - dfssdfxx.exe (PID: 5116)
  - cvcxxxx.exe (PID: 644)
  - explorer.exe (PID: 5492)
  - 3B60.tmp.exe (PID: 5064)
- Process checks computer location settings
  - Steam Account Generator FIXED.exe (PID: 4988)
  - bvcbghgf.tmp (PID: 5800)
  - dfssdfxx.exe (PID: 5116)
- Launch of the file from Registry key
  - gfgdfxwx.exe (PID: 1324)
- Reads the machine GUID from the registry
  - cxvezrfde.exe (PID: 5428)
  - wxcvxverd.exe (PID: 1052)
  - 3B60.tmp.exe (PID: 1168)
- Checks proxy server information
  - nudwee.exe (PID: 6872)
  - cvcxxxx.exe (PID: 644)
  - explorer.exe (PID: 5492)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 6388)
  - powershell.exe (PID: 5056)
  - powershell.exe (PID: 4464)
- Reads the software policy settings
  - WaaSMedicAgent.exe (PID: 2516)
  - SIHClient.exe (PID: 6068)
- Manual execution by a user
  - winapp.exe (PID: 4920)
  - gfgdfxwx.exe (PID: 5868)
  - notepad.exe (PID: 4068)
- Creates files in the program directory
  - cvcxxxx.exe (PID: 644)
- Application based on Rust
  - wxcvxverd.exe (PID: 1052)
  - cvcxxxx.exe (PID: 644)
- Reads Environment values
  - wxcvxverd.exe (PID: 1052)
- Reads product name
  - wxcvxverd.exe (PID: 1052)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 5492)
  - notepad.exe (PID: 4068)
  - notepad.exe (PID: 6576)
  - notepad.exe (PID: 3884)
  - notepad.exe (PID: 6112)
  - rundll32.exe (PID: 3268)
- Reads the time zone
  - WmiPrvSE.exe (PID: 2504)
- Reads Windows Product ID
  - WmiPrvSE.exe (PID: 2504)
- Reads Microsoft Office registry keys
  - rundll32.exe (PID: 3268)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2025:05:22 13:49:50+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.4
CodeSize:	123392
InitializedDataSize:	24038400
UninitializedDataSize:	-
EntryPoint:	0x5f2c
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.2.1.1
ProductVersionNumber:	3.1.1.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	Opwcv
FileVersion:	6.0.0.0
InternalName:	Opwcv.exe
LegalCopyright:	(C) 2026
OriginalFileName:	Opwcv.exe
ProductName:	Opwcv
ProductVersion:	3.1.1.1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

166

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

644

"C:\Users\admin\AppData\Roaming\cvcxxxx.exe"

C:\Users\admin\AppData\Roaming\cvcxxxx.exe

Steam Account Generator FIXED.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Exit code:

Version:

10.0.19041.1566 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\roaming\cvcxxxx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

660

"regsvr32.exe" /s /i:--type=renderer "C:\Users\admin\AppData\Roaming\microsoft\systemcertificates\\PackageSupportFramework_7.pfx"

C:\Windows\SysWOW64\regsvr32.exe

—

bvcbghgf.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

1052

"C:\Users\admin\AppData\Roaming\wxcvxverd.exe"

C:\Users\admin\AppData\Roaming\wxcvxverd.exe

Steam Account Generator FIXED.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Features

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\roaming\wxcvxverd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

1052

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1056

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1168

C:\Users\admin\AppData\Local\Temp\3B60.tmp.exe

—

3B60.tmp.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\3b60.tmp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1228

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

WaaSMedicAgent.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1324

"C:\Users\admin\AppData\Roaming\gfgdfxwx.exe"

C:\Users\admin\AppData\Roaming\gfgdfxwx.exe

Steam Account Generator FIXED.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

System

Version:

6.0.0.1

Modules

Images
c:\users\admin\appdata\roaming\gfgdfxwx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1616

"C:\Users\admin\AppData\Local\Temp\56e51a1e3a\nudwee.exe"

C:\Users\admin\AppData\Local\Temp\56e51a1e3a\nudwee.exe

—

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\56e51a1e3a\nudwee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

2088

"C:\Users\admin\AppData\Roaming\cxvezrfde.exe"

C:\Users\admin\AppData\Roaming\cxvezrfde.exe

Steam Account Generator FIXED.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\roaming\cxvezrfde.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

Add for printing

Total events

47 316

Read events

47 206

Write events

107

Delete events

Modification events


(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000005034A
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000005034A
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000008034E
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000008034E
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(1324) gfgdfxwx.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	SystemServices
Value: C:\Users\admin\AppData\Roaming\gfgdfxwx.exe
(PID) Process:	(1324) gfgdfxwx.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	SystemServices
Value: C:\Users\admin\AppData\Roaming\winapp\winapp.exe
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:0000000000060292
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:0000000000060292
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6872) nudwee.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6872) nudwee.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

Add for printing

Executable files

119

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2088	cxvezrfde.exe	C:\Users\admin\AppData\Local\Temp\_MEI20882\_socket.pyd		executable
		MD5:D6BAE4B430F349AB42553DC738699F0E	SHA256:587C4F3092B5F3E34F6B1E927ECC7127B3FE2F7FA84E8A3D0C41828583BD5CEF
4988	Steam Account Generator FIXED.exe	C:\Users\admin\AppData\Roaming\gfgdfxwx.exe		executable
		MD5:FA8A3DFE625E06D74B4931E31236A971	SHA256:47EC05FA7ED4B24C51CE19C2CCA63982A8D376278247391910B4EBAF7AF4DCEE
2088	cxvezrfde.exe	C:\Users\admin\AppData\Local\Temp\_MEI20882\VCRUNTIME140.dll		executable
		MD5:0E675D4A7A5B7CCD69013386793F68EB	SHA256:BF5FF4603557C9959ACEC995653D052D9054AD4826DF967974EFD2F377C723D1
6988	bvcbghgf.exe	C:\Users\admin\AppData\Local\Temp\is-M42H2.tmp\bvcbghgf.tmp		executable
		MD5:E6D13F10D97044F4F6FF7EA11E3E8E99	SHA256:344CFBA808BCCD3C187CA801DC6EA8AAFD77BF49B4C6342A26624028BA958A5F
1324	gfgdfxwx.exe	C:\Users\admin\AppData\Roaming\winapp\winapp.exe		executable
		MD5:FA8A3DFE625E06D74B4931E31236A971	SHA256:47EC05FA7ED4B24C51CE19C2CCA63982A8D376278247391910B4EBAF7AF4DCEE
4988	Steam Account Generator FIXED.exe	C:\Users\admin\AppData\Roaming\cxvezrfde.exe		executable
		MD5:73EC96E86A9C1D656AC35B522EF74A9B	SHA256:789BEC99500EB4B2C3CE10D651F9BC46ACC89BAC5636C731DC0414CE36E391C4
4988	Steam Account Generator FIXED.exe	C:\Users\admin\AppData\Roaming\bvcbghgf.exe		executable
		MD5:965FA89A5AA7A9FA57F11F7664E8E35B	SHA256:35C4B9C27FD5E7FE2AE63026D52EFD10A4672D5254584190923AEB8169CD4DA2
2088	cxvezrfde.exe	C:\Users\admin\AppData\Local\Temp\_MEI20882\_bz2.pyd		executable
		MD5:3DC8AF67E6EE06AF9EEC52FE985A7633	SHA256:C55821F5FDB0064C796B2C0B03B51971F073140BC210CBE6ED90387DB2BED929
4988	Steam Account Generator FIXED.exe	C:\Users\admin\AppData\Roaming\wxcvxverd.exe		executable
		MD5:7C85687956E00BDBBF28D98A44780BB5	SHA256:631491FD39EC560D77B9C0BF55C1FB8C144E2B7EFFD25FE52342ED99C052D4EE
2088	cxvezrfde.exe	C:\Users\admin\AppData\Local\Temp\_MEI20882\api-ms-win-core-console-l1-1-0.dll		executable
		MD5:B56D69079D2001C1B2AF272774B53A64	SHA256:F3A41D882544202B2E1BDF3D955458BE11FC7F76BA12668388A681870636F143

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5492	explorer.exe	POST	200	185.156.72.8:80	http://185.156.72.8/diamo/post.php	unknown	—	—	malicious
—	—	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6872	nudwee.exe	POST	200	185.156.72.8:80	http://185.156.72.8/rob75u9v/index.php	unknown	—	—	malicious
6872	nudwee.exe	POST	200	185.156.72.8:80	http://185.156.72.8/rob75u9v/index.php	unknown	—	—	malicious
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
644	cvcxxxx.exe	POST	200	185.156.72.8:80	http://185.156.72.8/zpaxpjz/get.php	unknown	—	—	malicious
644	cvcxxxx.exe	POST	200	185.156.72.8:80	http://185.156.72.8/zpaxpjz/get.php	unknown	—	—	malicious
5492	explorer.exe	POST	200	185.156.72.8:80	http://185.156.72.8/diamo/post.php	unknown	—	—	malicious
5492	explorer.exe	POST	200	185.156.72.8:80	http://185.156.72.8/diamo/post.php	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
—	—	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6872	nudwee.exe	185.156.72.8:80	—	Tov Vaiz Partner	RU	malicious
6544	svchost.exe	20.190.160.22:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	2.16.168.114 2.16.168.124	whitelisted
www.microsoft.com	2.23.181.156 95.101.149.131	whitelisted
google.com	142.250.185.78	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
login.live.com	20.190.160.22 20.190.160.5 40.126.32.134 20.190.160.67 40.126.32.133 40.126.32.74 20.190.160.132 20.190.160.14	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

Threats

PID	Process	Class	Message
6872	nudwee.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 35
6872	nudwee.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
6872	nudwee.exe	Malware Command and Control Activity Detected	ET MALWARE Amadey CnC Response
6872	nudwee.exe	Malware Command and Control Activity Detected	ET MALWARE Amadey CnC Response
644	cvcxxxx.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
644	cvcxxxx.exe	Potential Corporate Privacy Violation	POLICY [ANY.RUN] Sending Screenshot in Archive via POST Request
1052	wxcvxverd.exe	Potentially Bad Traffic	ET INFO Microsoft net.tcp Connection Initialization Activity
644	cvcxxxx.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
644	cvcxxxx.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
1052	wxcvxverd.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 7

Add for printing

No debug info

General Info

Steam Account Generator FIXED.exe

07ADD688984EC45F5003C2B696822EF0

7FB6FAFBD649EA7A33A6E90DFBCB10BAFD08D79A

379D108F6D40EEF6A248E1E3C1DD2E88094CC4506E603195B55814DE865E6E5E

196608:3n2dd2hj+0KCFboh11kYF2WVqfc7JlY+942ASiTg:328K0KCxqAIqfc9lJ91ASi

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GENERIC has been found (auto)

DIAMOTRIX mutex has been found

Changes the autorun value in the registry

AMADEY has been found (auto)

Registers / Runs the DLL via REGSVR32.EXE

Loads dropped or rewritten executable

AMADEY has been detected (SURICATA)

Connects to the CnC server

Actions looks like stealing of personal data

METASTEALER has been detected (SURICATA)

Application was injected by another process

AMADEY has been detected (YARA)

Runs injected code in another process

Stealers network behavior

REDLINE has been detected (SURICATA)

Steals credentials from Web Browsers

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Executable content was dropped or overwritten

Process drops python dynamic module

Reads the Windows owner or organization settings

The process drops C-runtime libraries

Application launched itself

Loads Python modules

Starts itself from another location

Starts POWERSHELL.EXE for commands execution

Reads the BIOS version

Contacting a server suspected of hosting an CnC

The process hide an interactive prompt from the user

The process bypasses the loading of PowerShell profile settings

Found regular expressions for crypto-addresses (YARA)

The process executes via Task Scheduler

Potential Corporate Privacy Violation

Connects to unusual port

Connects to the server without a host name

There is functionality for taking screenshot (YARA)

There is functionality for enable RDP (YARA)

Searches for installed software

Uses RUNDLL32.EXE to load library

INFO

Reads the computer name

The sample compiled with english language support

Checks supported languages

Creates files or folders in the user directory

Create files in a temporary directory

Process checks computer location settings

Launch of the file from Registry key

Reads the machine GUID from the registry

Checks proxy server information

Checks if a key exists in the options dictionary (POWERSHELL)

Reads the software policy settings

Manual execution by a user

Creates files in the program directory

Application based on Rust

Reads Environment values

Reads product name

Reads security settings of Internet Explorer

Reads the time zone

Reads Windows Product ID

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots