File name:	Adobe+Illustrator+CS6+Full+Crack+With+Serial+Keygen+{Latest+2019}+Free-RTMD-AEIuk17nlgAA7xoCAFVBFwASANdJposA.exe
Full analysis:	https://app.any.run/tasks/b849597b-3444-42a8-a2d9-562b71982f22
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Glupteba is a loader with information-stealing and traffic routing functionality. It is designed primarily to install other viruses on infected PCs but can do much more than that. In addition, it is being constantly updated, making this virus one to watch out for. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	April 13, 2020, 09:14:52
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	trojan glupteba loader adware evasion
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	0083DA23232EC9E8040F46C0C2ABC07F
SHA1:	26C3A03C22EF7802F76721A7B3EF34CC893D9E6B
SHA256:	40A340087CC07780BFD61EAB92E40F1223A6DE88EC191BDEDEA0B91B16ECA2AA
SSDEEP:	98304:YKAmzR0w6g8cowIem0ku14W4rSXbKwyQHoUAsbrow/xI:1rCBg8cvIhLW4rSXbKwYpsbV/m

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:03:19 10:14:35+01:00
PEType:	PE32
LinkerVersion:	9
CodeSize:	3887104
InitializedDataSize:	4812288
UninitializedDataSize:	-
EntryPoint:	0x1eab
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	19-Mar-2019 09:14:35
Detected languages:	Norwegian - Norway (Bokmal)
Debug artifacts:	C:\fazawepob.pdb

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x000000E8

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	4
Time date stamp:	19-Mar-2019 09:14:35
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_RELOCS_STRIPPED

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x003B4FFD	0x003B5000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	7.99912
.rdata	0x003B6000	0x0000491A	0x00004A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	6.39288
.data	0x003BB000	0x00484720	0x00012E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.350334
.rsrc	0x00840000	0x00007DF0	0x00007E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.20374

Title	Entropy	Size	Codepage	Language	Type
1	4.58535	3752	UNKNOWN	Norwegian - Norway (Bokmal)	RT_ICON
2	5.30634	2216	UNKNOWN	Norwegian - Norway (Bokmal)	RT_ICON
3	5.55966	1736	UNKNOWN	Norwegian - Norway (Bokmal)	RT_ICON
4	5.68524	1384	UNKNOWN	Norwegian - Norway (Bokmal)	RT_ICON
5	4.40142	9640	UNKNOWN	Norwegian - Norway (Bokmal)	RT_ICON
6	4.84828	4264	UNKNOWN	Norwegian - Norway (Bokmal)	RT_ICON
7	5.17079	2440	UNKNOWN	Norwegian - Norway (Bokmal)	RT_ICON
8	5.53747	1128	UNKNOWN	Norwegian - Norway (Bokmal)	RT_ICON
9	2.53698	816	UNKNOWN	UNKNOWN	RT_CURSOR
10	2.5653	304	UNKNOWN	UNKNOWN	RT_CURSOR


(PID) Process:	(2976) a0cf09e4-cb60-47f2-a388-1dd0dfb3f705.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\af29c3b2
Operation:	write	Name:	Name
Value: AncientSnowflake
(PID) Process:	(2976) a0cf09e4-cb60-47f2-a388-1dd0dfb3f705.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\af29c3b2
Operation:	write	Name:	Firewall
Value:
(PID) Process:	(2976) a0cf09e4-cb60-47f2-a388-1dd0dfb3f705.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\af29c3b2
Operation:	write	Name:	Defender
Value:
(PID) Process:	(2976) a0cf09e4-cb60-47f2-a388-1dd0dfb3f705.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\af29c3b2
Operation:	write	Name:	Servers
Value: https://deepsound.live
(PID) Process:	(2976) a0cf09e4-cb60-47f2-a388-1dd0dfb3f705.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\af29c3b2
Operation:	write	Name:	UUID
Value:
(PID) Process:	(2976) a0cf09e4-cb60-47f2-a388-1dd0dfb3f705.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\af29c3b2
Operation:	write	Name:	Command
Value: 0000000000000000
(PID) Process:	(2976) a0cf09e4-cb60-47f2-a388-1dd0dfb3f705.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\af29c3b2
Operation:	write	Name:	FirstInstallDate
Value: 9E2D945E00000000
(PID) Process:	(2976) a0cf09e4-cb60-47f2-a388-1dd0dfb3f705.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\af29c3b2
Operation:	write	Name:	ServiceVersion
Value:
(PID) Process:	(2976) a0cf09e4-cb60-47f2-a388-1dd0dfb3f705.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\af29c3b2
Operation:	write	Name:	SC
Value: 0000000000000000
(PID) Process:	(2976) a0cf09e4-cb60-47f2-a388-1dd0dfb3f705.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\af29c3b2
Operation:	write	Name:	PGDSE
Value: 0000000000000000

PID	Process	Filename		Type
3044	patch.exe	C:\Users\admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\095BC104DF8F482AB8B6029096C1D22F2\download.error		—
		MD5:—	SHA256:—
3044	patch.exe	C:\Users\admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\095BC104DF8F482AB8B6029096C1D22F2\ntkrnlmp.pdb		—
		MD5:—	SHA256:—
3044	patch.exe	C:\Users\admin\AppData\Local\Temp\Symbols\winload_prod.pdb\91F34F989C2E4D268E95A3E2A74C1A5A1\download.error		—
		MD5:—	SHA256:—
2728	dsefix.exe	C:\Windows\system32\drivers\VBoxDrv.sys		—
		MD5:—	SHA256:—
776	certutil.exe	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\V3D8YJXE.txt		—
		MD5:—	SHA256:—
776	certutil.exe	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\app[1].exe		—
		MD5:—	SHA256:—
2512	csrss.exe	C:\Windows\windefender.exe		executable
		MD5:—	SHA256:—
776	certutil.exe	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\20047C5219171C654461F0EB91DAFF9F		binary
		MD5:—	SHA256:—
776	certutil.exe	C:\Users\admin\AppData\Local\Temp\csrss\scheduled.exe		executable
		MD5:—	SHA256:—
1692	certutil.exe	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\N8W31KP1.txt		—
		MD5:—	SHA256:—


KERNEL32.dll
MSIMG32.dll

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2512	csrss.exe	GET	400	204.79.197.219:443	https://msdl.microsoft.com/download/symbols/index2.txt	US	—	—	whitelisted
2512	csrss.exe	GET	302	204.79.197.219:443	https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/095BC104DF8F482AB8B6029096C1D22F2/ntkrnlmp.pdb	US	—	—	whitelisted
3044	patch.exe	GET	302	204.79.197.219:443	https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/095BC104DF8F482AB8B6029096C1D22F2/ntkrnlmp.pdb	US	—	—	whitelisted
3044	patch.exe	GET	400	204.79.197.219:443	https://msdl.microsoft.com/download/symbols/index2.txt	US	—	—	whitelisted
3044	patch.exe	GET	302	204.79.197.219:443	https://msdl.microsoft.com/download/symbols/winload_prod.pdb/91F34F989C2E4D268E95A3E2A74C1A5A1/winload_prod.pdb	US	—	—	whitelisted
3044	patch.exe	GET	302	204.79.197.219:443	https://msdl.microsoft.com/download/symbols/winload_prod.pdb/91F34F989C2E4D268E95A3E2A74C1A5A1/winload_prod.pdb	US	—	—	whitelisted
3044	patch.exe	GET	404	104.24.121.129:443	https://1635cb4b-ca7b-4a4c-8e38-99a8f8b66a4b.server2.deepsound.live/api/cloudnet-url?c=383b6353fb723b35&uuid=1635cb4b-ca7b-4a4c-8e38-99a8f8b66a4b	US	—	—	unknown
3044	patch.exe	POST	404	104.24.121.129:443	https://1635cb4b-ca7b-4a4c-8e38-99a8f8b66a4b.server2.deepsound.live/api/poll	US	text	232 b	unknown
3044	patch.exe	GET	200	104.27.188.209:443	https://biggames.online/app/app.exe	US	executable	3.85 Mb	suspicious
3044	patch.exe	POST	404	104.24.121.129:443	https://1635cb4b-ca7b-4a4c-8e38-99a8f8b66a4b.server2.deepsound.live/api/poll	US	text	232 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
2512	csrss.exe	104.24.121.129:443	1635cb4b-ca7b-4a4c-8e38-99a8f8b66a4b.server2.deepsound.live	Cloudflare Inc	US	unknown
3044	patch.exe	104.214.40.16:443	vsblobprodscussu5shard67.blob.core.windows.net	Microsoft Corporation	US	whitelisted
3044	patch.exe	204.79.197.219:443	msdl.microsoft.com	Microsoft Corporation	US	whitelisted
2512	csrss.exe	104.27.188.209:443	biggames.online	Cloudflare Inc	US	shared
776	certutil.exe	104.27.188.209:443	biggames.online	Cloudflare Inc	US	shared
776	certutil.exe	67.26.75.254:80	ctldl.windowsupdate.com	Level 3 Communications, Inc.	US	suspicious
2032	scheduled.exe	104.24.121.129:443	1635cb4b-ca7b-4a4c-8e38-99a8f8b66a4b.server2.deepsound.live	Cloudflare Inc	US	unknown
1692	certutil.exe	104.27.188.209:443	biggames.online	Cloudflare Inc	US	shared
1816	scheduled.exe	104.24.121.129:443	1635cb4b-ca7b-4a4c-8e38-99a8f8b66a4b.server2.deepsound.live	Cloudflare Inc	US	unknown
2304	csrss.exe	104.24.121.129:443	1635cb4b-ca7b-4a4c-8e38-99a8f8b66a4b.server2.deepsound.live	Cloudflare Inc	US	unknown

Domain	IP	Reputation
1635cb4b-ca7b-4a4c-8e38-99a8f8b66a4b.server2.deepsound.live	104.24.121.129 104.24.120.129	unknown
msdl.microsoft.com	204.79.197.219	whitelisted
vsblobprodscussu5shard67.blob.core.windows.net	104.214.40.16	unknown
vsblobprodscussu5shard62.blob.core.windows.net	104.214.40.16	unknown
biggames.online	104.27.188.209 104.27.189.209	suspicious
ctldl.windowsupdate.com	67.26.75.254 8.241.121.126 67.27.158.126 67.27.159.254 8.253.207.121	whitelisted
deepsound.live	104.24.121.129 104.24.120.129	suspicious
teredo.ipv6.microsoft.com	—	whitelisted
1635cb4b-ca7b-4a4c-8e38-99a8f8b66a4b.server3.deepsound.live	104.24.121.129 104.24.120.129	unknown
chatmusic.xyz	104.18.48.126 104.18.49.126	malicious

PID	Process	Class	Message
2304	csrss.exe	A Network Trojan was detected	ET TROJAN Possible JKDDOS download cl.exe
2304	csrss.exe	A Network Trojan was detected	ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
2304	csrss.exe	Potentially Bad Traffic	ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2304	csrss.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
2304	csrss.exe	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
2304	csrss.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2304	csrss.exe	Misc activity	ET INFO EXE - Served Attached HTTP
984	cloudnet.exe	A Network Trojan was detected	ET TROJAN Win32.Glupteba/ClIEcker CnC Checkin
984	cloudnet.exe	A Network Trojan was detected	MALWARE [PTsecurity] Glupteba
984	cloudnet.exe	Attempted Information Leak	ET POLICY IP Check Domain (whatismyip in HTTP Host)

Process	Message
mmc.exe	Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn

General Info

Adobe+Illustrator+CS6+Full+Crack+With+Serial+Keygen+{Latest+2019}+Free-RTMD-AEIuk17nlgAA7xoCAFVBFwASANdJposA.exe

0083DA23232EC9E8040F46C0C2ABC07F

26C3A03C22EF7802F76721A7B3EF34CC893D9E6B

40A340087CC07780BFD61EAB92E40F1223A6DE88EC191BDEDEA0B91B16ECA2AA

98304:YKAmzR0w6g8cowIem0ku14W4rSXbKwyQHoUAsbrow/xI:1rCBg8cvIhLW4rSXbKwYpsbV/m

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Modifies exclusions in Windows Defender

Known privilege escalation attack

GLUPTEBA was detected

Changes the autorun value in the registry

Changes settings of System certificates

Uses Task Scheduler to autorun other applications

Loads the Task Scheduler COM API

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Downloads executable files from the Internet

Starts CertUtil for downloading files

Connects to CnC server

SUSPICIOUS

Application launched itself

Creates files in the Windows directory

Modifies the open verb of a shell class

Reads the machine GUID from the registry

Starts CMD.EXE for commands execution

Starts itself from another location

Executable content was dropped or overwritten

Reads Internet Cache Settings

Low-level read access rights to disk partition

Creates files in the driver directory

Uses NETSH.EXE for network configuration

Starts SC.EXE for service management

Executed as Windows Service

Executed via Task Scheduler

Removes files from Windows directory

Checks for external IP

Connects to unusual port

Creates files in the user directory

INFO

Reads settings of System Certificates

Manual execution by user

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules