| File name: | random.exe |
| Full analysis: | https://app.any.run/tasks/c8f3395c-71c1-4e05-8c1e-598d7f486f4e |
| Verdict: | Malicious activity |
| Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
| Analysis date: | September 22, 2025, 02:00:35 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | 1C20777E35B5ED18748E8A710CDD47B6 |
| SHA1: | 173F7A9A4839FBE617C6D79DDA7D694CE555EE5F |
| SHA256: | 7DC8154E2BFDF8381E90EA83E64A09E127E0304447D6A4F3E2A9E4E003626AF1 |
| SSDEEP: | 98304:sVMPvp9r5S58vI3RZc6f9ymo49F2tO+kZohmVZasI45jhHpT16qUH1I6TDz+87n+:A6TP9 |
MALICIOUS
TROX has been detected
- TrustedInstaller.exe (PID: 4752)
- F5apc6j.exe (PID: 4040)
STEALC mutex has been found
- random.exe (PID: 4752)
- svchostam.exe (PID: 5460)
AMADEY mutex has been found
- svchosthelper.exe (PID: 3392)
- svchostam.exe (PID: 5460)
- svchosthelper.exe (PID: 3888)
- svchosthelper.exe (PID: 1392)
- svchostam.exe (PID: 7324)
- svchosthelper.exe (PID: 1216)
- svchosthelper.exe (PID: 7632)
- svchosthelper.exe (PID: 7532)
- svchosthelper.exe (PID: 5568)
- svchosthelper.exe (PID: 7384)
- svchosthelper.exe (PID: 8152)
- svchosthelper.exe (PID: 7208)
- svchosthelper.exe (PID: 5084)
- svchosthelper.exe (PID: 6764)
- svchosthelper.exe (PID: 7048)
- svchosthelper.exe (PID: 6876)
- svchosthelper.exe (PID: 8612)
- svchosthelper.exe (PID: 9068)
- svchosthelper.exe (PID: 8680)
- svchosthelper.exe (PID: 8732)
- svchosthelper.exe (PID: 8544)
- svchosthelper.exe (PID: 4416)
- svchosthelper.exe (PID: 3396)
- svchosthelper.exe (PID: 8884)
- svchosthelper.exe (PID: 6572)
- svchosthelper.exe (PID: 8180)
- svchosthelper.exe (PID: 8228)
- svchosthelper.exe (PID: 2428)
- svchosthelper.exe (PID: 8636)
- svchosthelper.exe (PID: 8380)
- svchosthelper.exe (PID: 4168)
- svchosthelper.exe (PID: 8936)
- svchosthelper.exe (PID: 1028)
- svchosthelper.exe (PID: 6244)
- svchosthelper.exe (PID: 8564)
Uses Task Scheduler to run other applications
- cmd.exe (PID: 5432)
Adds path to the Windows Defender exclusion list
- cmd.exe (PID: 6452)
- NSudoLG.exe (PID: 4748)
- cmd.exe (PID: 7920)
- NSudoLG.exe (PID: 7180)
- powershell.exe (PID: 6756)
- powershell.exe (PID: 8000)
- NjtIeMV.exe (PID: 7736)
Changes the Windows auto-update feature
- reg.exe (PID: 5372)
Changes Windows Defender settings
- NSudoLG.exe (PID: 4748)
- NSudoLG.exe (PID: 7180)
- powershell.exe (PID: 6756)
- powershell.exe (PID: 8000)
- NjtIeMV.exe (PID: 7736)
Actions looks like stealing of personal data
- svchostmanager.exe (PID: 4844)
- svchostmanager.exe (PID: 2120)
- 598fd84968.exe (PID: 6508)
- dwm.exe (PID: 8892)
Steals credentials from Web Browsers
- svchostmanager.exe (PID: 4844)
- svchostmanager.exe (PID: 2120)
- 598fd84968.exe (PID: 6508)
- dwm.exe (PID: 8892)
VIDAR has been detected (YARA)
- svchostmanager.exe (PID: 4844)
- svchostmanager.exe (PID: 2120)
AMADEY has been detected (SURICATA)
- svchostam.exe (PID: 5460)
Connects to the CnC server
- svchostam.exe (PID: 5460)
AMADEY has been detected (YARA)
- random.exe (PID: 7008)
- svchostam.exe (PID: 5460)
Changes the autorun value in the registry
- LVMTgg9.exe (PID: 4104)
- LVMTgg9.exe (PID: 2632)
- svchostam.exe (PID: 5460)
- XaUfT3G.exe (PID: 3784)
- V37W2l4.exe (PID: 4760)
Run PowerShell with an invisible window
- powershell.exe (PID: 7720)
Executing a file with an untrusted certificate
- L3kfcxp.exe (PID: 8768)
- x0q5424.exe (PID: 9048)
- 5EzqpDw.exe (PID: 2596)
- 5EzqpDw.exe (PID: 8416)
- PPUWgfp.exe (PID: 8460)
Changes powershell execution policy (Bypass)
- x0q5424.exe (PID: 9048)
- Cursemicrodrawing.exe (PID: 9052)
Bypass execution policy to execute commands
- powershell.exe (PID: 4012)
- powershell.exe (PID: 8988)
STEALC has been detected
- PPUWgfp.exe (PID: 8460)
SUSPICIOUS
Launching a dropped file
- random.exe (PID: 4752)
- random.exe (PID: 3540)
- random.exe (PID: 7008)
- systemhelper.exe (PID: 5952)
- 7z.exe (PID: 1216)
- game.exe (PID: 700)
- game.exe (PID: 7408)
- 7z.exe (PID: 8104)
- svchostam.exe (PID: 5460)
- LVMTgg9.exe (PID: 2632)
- NjtIeMV.exe (PID: 6176)
- LVMTgg9.exe (PID: 4104)
- game.exe (PID: 5900)
- game.exe (PID: 7328)
- 5EzqpDw.exe (PID: 2596)
- F5apc6j.exe (PID: 4040)
- XaUfT3G.exe (PID: 3784)
- x0q5424.exe (PID: 9048)
- Cursemicrodrawing.exe (PID: 9052)
- dl.exe (PID: 2144)
- V37W2l4.exe (PID: 4760)
- dwm.exe (PID: 8892)
Reads security settings of Internet Explorer
- random.exe (PID: 4752)
- random.exe (PID: 3540)
- svchostmanager.exe (PID: 4844)
- systemhelper.exe (PID: 5952)
- svchostam.exe (PID: 5460)
- game.exe (PID: 6472)
- game.exe (PID: 700)
- systemhelper.exe (PID: 5528)
- nircmd.exe (PID: 7484)
- game.exe (PID: 7408)
- game.exe (PID: 1644)
- IObitUnlocker.exe (PID: 8044)
- game.exe (PID: 5476)
- StartMenuExperienceHost.exe (PID: 8140)
- StartMenuExperienceHost.exe (PID: 6388)
- svchostmanager.exe (PID: 2120)
- LVMTgg9.exe (PID: 2632)
- game.exe (PID: 5900)
- game.exe (PID: 7328)
- 598fd84968.exe (PID: 6508)
- proxy.exe (PID: 5408)
- dl.exe (PID: 2144)
- F5apc6j.exe (PID: 4040)
Executable content was dropped or overwritten
- random.exe (PID: 4752)
- random.exe (PID: 3540)
- random.exe (PID: 7008)
- systemhelper.exe (PID: 5952)
- 7z.exe (PID: 1216)
- game.exe (PID: 700)
- game.exe (PID: 7408)
- 7z.exe (PID: 8104)
- svchostam.exe (PID: 5460)
- LVMTgg9.exe (PID: 2632)
- NjtIeMV.exe (PID: 6176)
- LVMTgg9.exe (PID: 4104)
- game.exe (PID: 5900)
- game.exe (PID: 7328)
- 5EzqpDw.exe (PID: 2596)
- F5apc6j.exe (PID: 4040)
- Cursemicrodrawing.exe (PID: 9052)
- x0q5424.exe (PID: 9048)
- XaUfT3G.exe (PID: 3784)
- V37W2l4.exe (PID: 4760)
- dl.exe (PID: 2144)
- dwm.exe (PID: 8892)
Reads the BIOS version
- svchostmanager.exe (PID: 4844)
- svchostmanager.exe (PID: 2120)
- 598fd84968.exe (PID: 6508)
Application launched itself
- random.exe (PID: 4752)
- cmd.exe (PID: 6452)
- cmd.exe (PID: 7920)
- LVMTgg9.exe (PID: 2632)
- powershell.exe (PID: 8000)
- powershell.exe (PID: 6756)
- NjtIeMV.exe (PID: 6176)
- XaUfT3G.exe (PID: 6068)
- V37W2l4.exe (PID: 2716)
- proxy.exe (PID: 5408)
Creates a new Windows service
- sc.exe (PID: 2628)
Executes as Windows Service
- random.exe (PID: 7008)
Windows service management via SC.EXE
- sc.exe (PID: 5628)
- sc.exe (PID: 5808)
- sc.exe (PID: 1936)
- sc.exe (PID: 5564)
- sc.exe (PID: 3608)
- sc.exe (PID: 3556)
- sc.exe (PID: 7060)
- sc.exe (PID: 4748)
- sc.exe (PID: 4320)
- sc.exe (PID: 7720)
- sc.exe (PID: 7256)
- sc.exe (PID: 2528)
- sc.exe (PID: 7440)
- sc.exe (PID: 8960)
- sc.exe (PID: 9012)
- sc.exe (PID: 9052)
- sc.exe (PID: 4020)
- sc.exe (PID: 6756)
- sc.exe (PID: 8676)
- sc.exe (PID: 9132)
- sc.exe (PID: 9092)
- sc.exe (PID: 9012)
- sc.exe (PID: 3800)
Executes application which crashes
- svchosthelper.exe (PID: 3392)
- svchosthelper.exe (PID: 1392)
- svchosthelper.exe (PID: 1216)
- svchosthelper.exe (PID: 7532)
- svchosthelper.exe (PID: 5568)
- svchosthelper.exe (PID: 7384)
- svchosthelper.exe (PID: 8152)
- svchosthelper.exe (PID: 7208)
- svchosthelper.exe (PID: 5084)
- svchosthelper.exe (PID: 6764)
- svchosthelper.exe (PID: 7048)
- svchosthelper.exe (PID: 8612)
- svchosthelper.exe (PID: 6876)
- svchosthelper.exe (PID: 9068)
- svchosthelper.exe (PID: 8680)
- svchosthelper.exe (PID: 8732)
- svchosthelper.exe (PID: 8544)
- svchosthelper.exe (PID: 3396)
- svchosthelper.exe (PID: 4416)
- svchosthelper.exe (PID: 6572)
- svchosthelper.exe (PID: 8884)
- svchosthelper.exe (PID: 8228)
- svchosthelper.exe (PID: 2428)
- svchosthelper.exe (PID: 8180)
- svchosthelper.exe (PID: 8636)
- svchosthelper.exe (PID: 8380)
- svchosthelper.exe (PID: 8936)
- svchosthelper.exe (PID: 1028)
- svchosthelper.exe (PID: 6244)
- svchosthelper.exe (PID: 8564)
The process creates files with name similar to system file names
- systemhelper.exe (PID: 5952)
- LVMTgg9.exe (PID: 4104)
Starts application with an unusual extension
- cmd.exe (PID: 6160)
- cmd.exe (PID: 6452)
- cmd.exe (PID: 7176)
- cmd.exe (PID: 7748)
- cmd.exe (PID: 7920)
Executing commands from a ".bat" file
- systemhelper.exe (PID: 5952)
- NSudoLG.exe (PID: 1808)
- systemhelper.exe (PID: 5528)
- nircmd.exe (PID: 7484)
- NSudoLG.exe (PID: 7900)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 6452)
- cmd.exe (PID: 6160)
- cmd.exe (PID: 7748)
- cmd.exe (PID: 7920)
Get information on the list of running processes
- cmd.exe (PID: 768)
- cmd.exe (PID: 6452)
- cmd.exe (PID: 8160)
- cmd.exe (PID: 7920)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 6452)
- cmd.exe (PID: 7920)
Escape characters obfuscation (POWERSHELL)
- NSudoLG.exe (PID: 4748)
- powershell.exe (PID: 7060)
- NSudoLG.exe (PID: 7180)
- powershell.exe (PID: 7796)
Starts POWERSHELL.EXE for commands execution
- NSudoLG.exe (PID: 4748)
- NSudoLG.exe (PID: 7180)
- LVMTgg9.exe (PID: 4104)
- powershell.exe (PID: 6756)
- powershell.exe (PID: 8000)
- NjtIeMV.exe (PID: 7736)
- x0q5424.exe (PID: 9048)
- Cursemicrodrawing.exe (PID: 9052)
- dwm.exe (PID: 8892)
Script adds exclusion path to Windows Defender
- NSudoLG.exe (PID: 4748)
- NSudoLG.exe (PID: 7180)
- powershell.exe (PID: 6756)
- powershell.exe (PID: 8000)
- NjtIeMV.exe (PID: 7736)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- svchostmanager.exe (PID: 4844)
- svchostmanager.exe (PID: 2120)
- 598fd84968.exe (PID: 6508)
Starts SC.EXE for service management
- cmd.exe (PID: 2188)
- cmd.exe (PID: 6452)
- cmd.exe (PID: 6900)
- cmd.exe (PID: 984)
- cmd.exe (PID: 7660)
- cmd.exe (PID: 7692)
- cmd.exe (PID: 6968)
- cmd.exe (PID: 6996)
- cmd.exe (PID: 2468)
- cmd.exe (PID: 5920)
- cmd.exe (PID: 5912)
- cmd.exe (PID: 7920)
- cmd.exe (PID: 9000)
- cmd.exe (PID: 8000)
Reads the date of Windows installation
- game.exe (PID: 6472)
- game.exe (PID: 700)
- nircmd.exe (PID: 7484)
- game.exe (PID: 7408)
- game.exe (PID: 1644)
- game.exe (PID: 5476)
- StartMenuExperienceHost.exe (PID: 8140)
- StartMenuExperienceHost.exe (PID: 6388)
- SearchApp.exe (PID: 1948)
- LVMTgg9.exe (PID: 2632)
- proxy.exe (PID: 5408)
- dl.exe (PID: 2144)
Uses TASKKILL.EXE to kill process
- cmd.exe (PID: 5476)
- cmd.exe (PID: 7236)
- cmd.exe (PID: 7856)
- cmd.exe (PID: 7084)
- cmd.exe (PID: 8704)
- cmd.exe (PID: 8008)
Stops a currently running service
- sc.exe (PID: 2464)
- sc.exe (PID: 5988)
- sc.exe (PID: 2972)
- sc.exe (PID: 3672)
- sc.exe (PID: 4520)
- sc.exe (PID: 440)
- sc.exe (PID: 4324)
- sc.exe (PID: 8980)
- sc.exe (PID: 8932)
- sc.exe (PID: 9032)
- sc.exe (PID: 9072)
- sc.exe (PID: 7172)
- sc.exe (PID: 8620)
- sc.exe (PID: 9112)
- sc.exe (PID: 1236)
Creates or modifies Windows services
- reg.exe (PID: 5612)
- game.exe (PID: 700)
- game.exe (PID: 5476)
- game.exe (PID: 7328)
PowerShell delay command usage (probably sleep evasion)
- powershell.exe (PID: 7060)
- powershell.exe (PID: 7796)
Drops a system driver (possible attempt to evade defenses)
- game.exe (PID: 700)
- game.exe (PID: 7408)
- game.exe (PID: 5900)
- game.exe (PID: 7328)
Searches for installed software
- svchostmanager.exe (PID: 4844)
- svchostmanager.exe (PID: 2120)
- 598fd84968.exe (PID: 6508)
- PPUWgfp.exe (PID: 8460)
The process verifies whether the antivirus software is installed
- game.exe (PID: 7408)
- IObitUnlocker.exe (PID: 8044)
- game.exe (PID: 7328)
- IObitUnlocker.exe (PID: 9136)
Multiple wallet extension IDs have been found
- svchostmanager.exe (PID: 4844)
Contacting a server suspected of hosting an CnC
- svchostam.exe (PID: 5460)
Potential Corporate Privacy Violation
- svchostam.exe (PID: 5460)
- XaUfT3G.exe (PID: 3784)
- dl.exe (PID: 2144)
There is functionality for taking screenshot (YARA)
- svchostam.exe (PID: 5460)
There is functionality for enable RDP (YARA)
- svchostam.exe (PID: 5460)
Starts NET.EXE to display or manage information about active sessions
- LVMTgg9.exe (PID: 4104)
- net.exe (PID: 4160)
- LVMTgg9.exe (PID: 2632)
- net.exe (PID: 7048)
Base64-obfuscated command line is found
- LVMTgg9.exe (PID: 4104)
- x0q5424.exe (PID: 9048)
- Cursemicrodrawing.exe (PID: 9052)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 6756)
- powershell.exe (PID: 8000)
- powershell.exe (PID: 2400)
Starts a new process with hidden mode (POWERSHELL)
- powershell.exe (PID: 6756)
- powershell.exe (PID: 8000)
BASE64 encoded PowerShell command has been detected
- LVMTgg9.exe (PID: 4104)
- Cursemicrodrawing.exe (PID: 9052)
- x0q5424.exe (PID: 9048)
Process drops legitimate windows executable
- NjtIeMV.exe (PID: 6176)
- F5apc6j.exe (PID: 4040)
- x0q5424.exe (PID: 9048)
The process drops C-runtime libraries
- NjtIeMV.exe (PID: 6176)
- F5apc6j.exe (PID: 4040)
Process drops python dynamic module
- NjtIeMV.exe (PID: 6176)
- F5apc6j.exe (PID: 4040)
The process bypasses the loading of PowerShell profile settings
- x0q5424.exe (PID: 9048)
- Cursemicrodrawing.exe (PID: 9052)
The process checks if it is being run in the virtual environment
- OpenWith.exe (PID: 8776)
- uO0vgSP.exe (PID: 9152)
The process executes via Task Scheduler
- svchosthelper.exe (PID: 4168)
Connects to unusual port
- x0q5424.exe (PID: 9048)
- OpenWith.exe (PID: 8776)
Connects to SMTP port
- XaUfT3G.exe (PID: 3784)
Starts itself from another location
- V37W2l4.exe (PID: 4760)
- dwm.exe (PID: 8892)
Suspicious use of NETSH.EXE
- proxy.exe (PID: 5408)
- proxy.exe (PID: 2504)
Smart Card resource manager service initialization
- svchost.exe (PID: 3880)
Uses NETSH.EXE to add a firewall rule or allowed programs
- proxy.exe (PID: 2504)
INFO
Create files in a temporary directory
- random.exe (PID: 4752)
- random.exe (PID: 3540)
- systemhelper.exe (PID: 5952)
- 7z.exe (PID: 1216)
- systemhelper.exe (PID: 5528)
- 7z.exe (PID: 8104)
- svchostam.exe (PID: 5460)
- NjtIeMV.exe (PID: 6176)
- F5apc6j.exe (PID: 4040)
- XaUfT3G.exe (PID: 3784)
- dwm.exe (PID: 8892)
Reads the computer name
- random.exe (PID: 4752)
- svchostmanager.exe (PID: 4844)
- random.exe (PID: 3540)
- systemhelper.exe (PID: 5952)
- random.exe (PID: 7008)
- svchosthelper.exe (PID: 3392)
- svchostam.exe (PID: 5460)
- NSudoLG.exe (PID: 1808)
- NSudoLG.exe (PID: 4748)
- 7z.exe (PID: 1216)
- game.exe (PID: 6472)
- game.exe (PID: 700)
- svchosthelper.exe (PID: 1392)
- systemhelper.exe (PID: 5528)
- NSudoLG.exe (PID: 2292)
- nircmd.exe (PID: 1212)
- game.exe (PID: 7408)
- nircmd.exe (PID: 7484)
- NSudoLG.exe (PID: 7900)
- NSudoLG.exe (PID: 7180)
- game.exe (PID: 1644)
- IObitUnlocker.exe (PID: 8044)
- 7z.exe (PID: 8104)
- game.exe (PID: 5476)
- svchosthelper.exe (PID: 1216)
- StartMenuExperienceHost.exe (PID: 8140)
- TextInputHost.exe (PID: 6504)
- SearchApp.exe (PID: 4008)
- StartMenuExperienceHost.exe (PID: 6388)
- TextInputHost.exe (PID: 4700)
- SearchApp.exe (PID: 1948)
- svchosthelper.exe (PID: 7532)
- svchosthelper.exe (PID: 5568)
- svchostmanager.exe (PID: 2120)
- svchosthelper.exe (PID: 7384)
- svchosthelper.exe (PID: 8152)
- svchosthelper.exe (PID: 7208)
- LVMTgg9.exe (PID: 2632)
- svchosthelper.exe (PID: 5084)
- svchosthelper.exe (PID: 6764)
- NjtIeMV.exe (PID: 6176)
- svchosthelper.exe (PID: 7048)
- svchosthelper.exe (PID: 6876)
- svchosthelper.exe (PID: 8612)
- svchosthelper.exe (PID: 8680)
- x0q5424.exe (PID: 9048)
- svchosthelper.exe (PID: 8544)
- Cursemicrodrawing.exe (PID: 9052)
- 598fd84968.exe (PID: 6508)
- svchosthelper.exe (PID: 3396)
- svchosthelper.exe (PID: 4416)
- Cursemicrodrawing.exe (PID: 8852)
- XaUfT3G.exe (PID: 6068)
- svchosthelper.exe (PID: 6572)
- svchosthelper.exe (PID: 8884)
- svchosthelper.exe (PID: 8228)
- svchosthelper.exe (PID: 8180)
- svchosthelper.exe (PID: 2428)
- XaUfT3G.exe (PID: 3784)
- uO0vgSP.exe (PID: 9152)
- svchosthelper.exe (PID: 8936)
- V37W2l4.exe (PID: 4760)
- AppLaunch.exe (PID: 8424)
- svchosthelper.exe (PID: 6244)
- dwm.exe (PID: 8892)
- proxy.exe (PID: 5408)
- dl.exe (PID: 2144)
- F5apc6j.exe (PID: 4040)
- proxy.exe (PID: 2504)
- dwm.exe (PID: 5780)
Checks supported languages
- random.exe (PID: 4752)
- svchostmanager.exe (PID: 4844)
- svchosthelper.exe (PID: 3392)
- random.exe (PID: 7008)
- random.exe (PID: 3540)
- svchostam.exe (PID: 5460)
- chcp.com (PID: 6688)
- systemhelper.exe (PID: 5952)
- nircmd.exe (PID: 32)
- chcp.com (PID: 5476)
- nircmd.exe (PID: 2220)
- mode.com (PID: 4116)
- NSudoLG.exe (PID: 1808)
- NSudoLG.exe (PID: 4748)
- svchosthelper.exe (PID: 3888)
- 7z.exe (PID: 1216)
- game.exe (PID: 6472)
- 7z.exe (PID: 1156)
- svchostmanager.exe (PID: 2120)
- game.exe (PID: 700)
- svchosthelper.exe (PID: 1392)
- cecho.exe (PID: 4520)
- systemhelper.exe (PID: 5528)
- NSudoLG.exe (PID: 2292)
- nircmd.exe (PID: 1212)
- svchostam.exe (PID: 7324)
- nircmd.exe (PID: 7368)
- chcp.com (PID: 7416)
- nircmd.exe (PID: 7484)
- game.exe (PID: 7408)
- chcp.com (PID: 7840)
- nircmd.exe (PID: 7820)
- nircmd.exe (PID: 7984)
- NSudoLG.exe (PID: 7900)
- chcp.com (PID: 8008)
- mode.com (PID: 8076)
- game.exe (PID: 1644)
- NSudoLG.exe (PID: 7180)
- IObitUnlocker.exe (PID: 8044)
- 7z.exe (PID: 8104)
- game.exe (PID: 5476)
- svchosthelper.exe (PID: 1216)
- svchosthelper.exe (PID: 7632)
- StartMenuExperienceHost.exe (PID: 8140)
- TextInputHost.exe (PID: 6504)
- SearchApp.exe (PID: 4008)
- svchosthelper.exe (PID: 7532)
- TextInputHost.exe (PID: 4700)
- SearchApp.exe (PID: 1948)
- StartMenuExperienceHost.exe (PID: 6388)
- svchosthelper.exe (PID: 5568)
- svchosthelper.exe (PID: 8152)
- svchosthelper.exe (PID: 7384)
- svchosthelper.exe (PID: 7208)
- LVMTgg9.exe (PID: 2632)
- LVMTgg9.exe (PID: 4104)
- svchosthelper.exe (PID: 5084)
- svchosthelper.exe (PID: 6764)
- NjtIeMV.exe (PID: 6176)
- svchosthelper.exe (PID: 7048)
- svchosthelper.exe (PID: 6876)
- NjtIeMV.exe (PID: 7736)
- svchosthelper.exe (PID: 8612)
- svchosthelper.exe (PID: 8680)
- L3kfcxp.exe (PID: 8768)
- x0q5424.exe (PID: 9048)
- 5EzqpDw.exe (PID: 2596)
- Cursemicrodrawing.exe (PID: 9052)
- svchosthelper.exe (PID: 8544)
- svchosthelper.exe (PID: 3396)
- svchosthelper.exe (PID: 4416)
- 598fd84968.exe (PID: 6508)
- 5EzqpDw.exe (PID: 8416)
- Cursemicrodrawing.exe (PID: 8852)
- svchosthelper.exe (PID: 8884)
- XaUfT3G.exe (PID: 6068)
- svchosthelper.exe (PID: 6572)
- F5apc6j.exe (PID: 4040)
- svchosthelper.exe (PID: 8228)
- svchosthelper.exe (PID: 8180)
- XaUfT3G.exe (PID: 3784)
- svchosthelper.exe (PID: 8636)
- svchosthelper.exe (PID: 4168)
- uO0vgSP.exe (PID: 9152)
- svchosthelper.exe (PID: 8936)
- svchosthelper.exe (PID: 8380)
- PPUWgfp.exe (PID: 8460)
- V37W2l4.exe (PID: 2716)
- V37W2l4.exe (PID: 4760)
- AppLaunch.exe (PID: 8424)
- svchosthelper.exe (PID: 1028)
- dl.exe (PID: 2144)
- svchosthelper.exe (PID: 6244)
- dwm.exe (PID: 8892)
- proxy.exe (PID: 5408)
- proxy.exe (PID: 2504)
- dwm.exe (PID: 5780)
Reads the machine GUID from the registry
- random.exe (PID: 4752)
- random.exe (PID: 3540)
- random.exe (PID: 7008)
- game.exe (PID: 6472)
- svchostmanager.exe (PID: 4844)
- game.exe (PID: 700)
- game.exe (PID: 7408)
- game.exe (PID: 1644)
- game.exe (PID: 5476)
- SearchApp.exe (PID: 4008)
- svchostam.exe (PID: 5460)
- SearchApp.exe (PID: 1948)
- svchostmanager.exe (PID: 2120)
- game.exe (PID: 5900)
- x0q5424.exe (PID: 9048)
- Cursemicrodrawing.exe (PID: 9052)
- Cursemicrodrawing.exe (PID: 8852)
- 598fd84968.exe (PID: 6508)
- XaUfT3G.exe (PID: 6068)
- uO0vgSP.exe (PID: 9152)
- V37W2l4.exe (PID: 4760)
- AppLaunch.exe (PID: 8424)
- V37W2l4.exe (PID: 2716)
- dwm.exe (PID: 8892)
- dwm.exe (PID: 5780)
Process checks computer location settings
- random.exe (PID: 4752)
- random.exe (PID: 3540)
- systemhelper.exe (PID: 5952)
- systemhelper.exe (PID: 5528)
- nircmd.exe (PID: 7484)
- game.exe (PID: 1644)
- SearchApp.exe (PID: 4008)
- StartMenuExperienceHost.exe (PID: 8140)
- svchostam.exe (PID: 5460)
- StartMenuExperienceHost.exe (PID: 6388)
- SearchApp.exe (PID: 1948)
- LVMTgg9.exe (PID: 2632)
- proxy.exe (PID: 5408)
- dl.exe (PID: 2144)
Creates files in the program directory
- svchostmanager.exe (PID: 4844)
- game.exe (PID: 1644)
- svchostmanager.exe (PID: 2120)
- 598fd84968.exe (PID: 6508)
- svchost.exe (PID: 7584)
- dwm.exe (PID: 8892)
- svchost.exe (PID: 2552)
Checks proxy server information
- svchostmanager.exe (PID: 4844)
- svchostam.exe (PID: 5460)
- SearchApp.exe (PID: 4008)
- SearchApp.exe (PID: 1948)
- slui.exe (PID: 5036)
- svchostmanager.exe (PID: 2120)
- 598fd84968.exe (PID: 6508)
- dl.exe (PID: 2144)
Reads the software policy settings
- svchostmanager.exe (PID: 4844)
- WerFault.exe (PID: 3852)
- WerFault.exe (PID: 3852)
- WerFault.exe (PID: 7316)
- SearchApp.exe (PID: 4008)
- WerFault.exe (PID: 7236)
- slui.exe (PID: 5036)
- WerFault.exe (PID: 5488)
- svchostmanager.exe (PID: 2120)
- SearchApp.exe (PID: 1948)
- WerFault.exe (PID: 6724)
- WerFault.exe (PID: 1068)
- WerFault.exe (PID: 8012)
- WerFault.exe (PID: 7572)
- WerFault.exe (PID: 6432)
- WerFault.exe (PID: 436)
- WerFault.exe (PID: 6012)
- WerFault.exe (PID: 3788)
- WerFault.exe (PID: 8376)
- WerFault.exe (PID: 4328)
- WerFault.exe (PID: 8248)
- 598fd84968.exe (PID: 6508)
- WerFault.exe (PID: 1232)
- WerFault.exe (PID: 6112)
- WerFault.exe (PID: 8388)
- WerFault.exe (PID: 8860)
- WerFault.exe (PID: 1156)
- WerFault.exe (PID: 8836)
- WerFault.exe (PID: 8652)
- WerFault.exe (PID: 4148)
The sample compiled with english language support
- systemhelper.exe (PID: 5952)
- game.exe (PID: 700)
- game.exe (PID: 7408)
- NjtIeMV.exe (PID: 6176)
- svchostam.exe (PID: 5460)
- game.exe (PID: 5900)
- game.exe (PID: 7328)
- F5apc6j.exe (PID: 4040)
- XaUfT3G.exe (PID: 3784)
- x0q5424.exe (PID: 9048)
NirSoft software is detected
- nircmd.exe (PID: 32)
- nircmd.exe (PID: 2220)
- nircmd.exe (PID: 1212)
- nircmd.exe (PID: 7368)
- nircmd.exe (PID: 7484)
- nircmd.exe (PID: 7820)
- nircmd.exe (PID: 7984)
Changes the display of characters in the console
- cmd.exe (PID: 6160)
- cmd.exe (PID: 6452)
- cmd.exe (PID: 7176)
- cmd.exe (PID: 7748)
- cmd.exe (PID: 7920)
Checks operating system version
- cmd.exe (PID: 6452)
- cmd.exe (PID: 7920)
Manual execution by a user
- svchosthelper.exe (PID: 3888)
- 7z.exe (PID: 1156)
- svchostmanager.exe (PID: 2120)
- cecho.exe (PID: 4520)
- NSudoLG.exe (PID: 5476)
- systemhelper.exe (PID: 5528)
- NSudoLG.exe (PID: 2292)
- nircmd.exe (PID: 1212)
- svchostam.exe (PID: 7324)
- game.exe (PID: 1644)
- game.exe (PID: 2716)
- OpenWith.exe (PID: 8776)
- svchost.exe (PID: 7584)
- svchost.exe (PID: 7444)
- svchost.exe (PID: 3880)
- svchost.exe (PID: 2552)
- svchost.exe (PID: 1044)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 7060)
- powershell.exe (PID: 7720)
- powershell.exe (PID: 4624)
- powershell.exe (PID: 6644)
UNLOCKER BY EJECT mutex has been found
- game.exe (PID: 6472)
- game.exe (PID: 700)
- game.exe (PID: 7408)
- game.exe (PID: 1644)
- game.exe (PID: 5476)
- game.exe (PID: 5900)
- game.exe (PID: 7328)
Reads Environment values
- svchostmanager.exe (PID: 4844)
- SearchApp.exe (PID: 4008)
- SearchApp.exe (PID: 1948)
- svchostmanager.exe (PID: 2120)
- 598fd84968.exe (PID: 6508)
Reads product name
- svchostmanager.exe (PID: 4844)
- svchostmanager.exe (PID: 2120)
- 598fd84968.exe (PID: 6508)
Reads CPU info
- svchostmanager.exe (PID: 4844)
- svchostmanager.exe (PID: 2120)
- 598fd84968.exe (PID: 6508)
- PPUWgfp.exe (PID: 8460)
Reads the time zone
- explorer.exe (PID: 7312)
Changes appearance of the Explorer extensions
- explorer.exe (PID: 7312)
Themida protector has been detected
- svchostmanager.exe (PID: 4844)
- svchostmanager.exe (PID: 2120)
Application launched itself
- chrome.exe (PID: 7688)
- chrome.exe (PID: 7456)
- chrome.exe (PID: 4336)
Creates files or folders in the user directory
- svchostam.exe (PID: 5460)
- LVMTgg9.exe (PID: 2632)
- LVMTgg9.exe (PID: 4104)
- x0q5424.exe (PID: 9048)
- Cursemicrodrawing.exe (PID: 9052)
- V37W2l4.exe (PID: 4760)
Launching a file from a Registry key
- LVMTgg9.exe (PID: 4104)
- LVMTgg9.exe (PID: 2632)
- svchostam.exe (PID: 5460)
- XaUfT3G.exe (PID: 3784)
- V37W2l4.exe (PID: 4760)
Gets data length (POWERSHELL)
- powershell.exe (PID: 6756)
- powershell.exe (PID: 8000)
- powershell.exe (PID: 2400)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 6644)
- powershell.exe (PID: 2400)
- powershell.exe (PID: 4624)
- powershell.exe (PID: 7720)
- powershell.exe (PID: 4012)
- powershell.exe (PID: 8988)
Drops encrypted JS script (Microsoft Script Encoder)
- 5EzqpDw.exe (PID: 2596)
- 5EzqpDw.exe (PID: 8416)
- proxy.exe (PID: 5408)
- proxy.exe (PID: 2504)
- dwm.exe (PID: 8892)
Checks current location (POWERSHELL)
- powershell.exe (PID: 4512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Amadey
(PID) Process(5460) svchostam.exe
C2178.16.54.200
URLhttp://178.16.54.200/f8nus4b/index.php
Version5.60
Options
Drop directory8126767c2f
Drop nameUvwbf.exe
Strings (125):::
178.16.54.200
lv:
cred.dll|clip.dll|
%USERPROFILE%
st=s
ProgramData\
AVG
00000423
------
un:
id:
kernel32.dll
ps1
dm:
POST
00000422
cred.dll
\App
Content-Disposition: form-data; name="data"; filename="
shell32.dll
Kaspersky Lab
-unicode-
"
Content-Type: application/octet-stream
e1
Rem
ESET
"taskkill /f /im "
2019
Bitdefender
&unit=
\0000
2025
0123456789
cmd
Startup
------
/f8nus4b/index.php
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
https://
2016
Doctor Web
DefaultSettings.XResolution
og:
2022
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
rundll32.exe
GetNativeSystemInfo
r=
SYSTEM\ControlSet001\Services\BasicDisplay\Video
exe
Panda Security
&& Exit"
e3
pc:
zip
dll
VideoID
SOFTWARE\Microsoft\Windows NT\CurrentVersion
random
vs:
/Plugins/
Powershell.exe
ComputerName
os:
sd:
ar:
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
bi:
S-%lu-
ProductName
%-lu
"
Uvwbf.exe
5.60
http://
rb
Content-Type: application/x-www-form-urlencoded
msi
d1
GET
Main
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Avira
Content-Type: multipart/form-data; boundary=----
CurrentBuild
00000419
av:
Programs
e2
-executionpolicy remotesigned -File "
abcdefghijklmnopqrstuvwxyz0123456789-_
Keyboard Layout\Preload
rundll32
Sophos
|
--
0000043f
\
clip.dll
/k
#
?scr=1
360TotalSecurity
Norton
DefaultSettings.YResolution
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<c>
<d>
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
cmd /C RMDIR /s/q
wb
Comodo
=
WinDefender
-%lu
/quiet
.jpg
AVAST Software
+++
8126767c2f
" && ren
&&
" && timeout 1 && del
shutdown -s -t 0
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (7.4) |
| .exe | | | Win32 Executable (generic) (5.1) |
| .exe | | | Generic Win/DOS Executable (2.2) |
| .exe | | | DOS Executable Generic (2.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2044:10:25 04:47:28+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 5377536 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x522c1e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | - |
| FileDescription: | DownloaderApp |
| FileVersion: | 1.0.0.0 |
| InternalName: | DownloaderApp.exe |
| LegalCopyright: | Copyright © 2025 |
| LegalTrademarks: | - |
| OriginalFileName: | DownloaderApp.exe |
| ProductName: | DownloaderApp |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
608
Monitored processes
418
Malicious processes
70
Suspicious processes
16
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 8 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=1944,i,18289156583339367096,11208058120890276028,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=2124 /prefetch:3 | C:\Program Files\Google\Chrome\Application\chrome.exe | chrome.exe | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 133.0.6943.127 Modules
| |||||||||||||||
| 32 | nircmd win min process "cmd.exe" | C:\Users\admin\AppData\Local\Temp\hater\nircmd.exe | — | cmd.exe | |||||||||||
User: admin Company: NirSoft Integrity Level: HIGH Description: NirCmd Exit code: 0 Version: 2.87 Modules
| |||||||||||||||
| 304 | reg unload HKLM\TEMP_SYSTEM | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Registry Console Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 304 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 320 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 436 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7048 -s 544 | C:\Windows\SysWOW64\WerFault.exe | svchosthelper.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 440 | sc stop IObitUnlocker | C:\Windows\System32\sc.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Service Control Manager Configuration Tool Exit code: 1060 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 480 | reg query "HKLM\System\CurrentControlSet\Services\wscsvc" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 700 | game /delwd | C:\Users\admin\AppData\Local\Temp\hater\game.exe | cmd.exe | ||||||||||||
User: SYSTEM Integrity Level: SYSTEM Description: Unlocker by Eject NotOfficial Exit code: 1 Version: 1.0.0.0 Modules
| |||||||||||||||
| 768 | C:\WINDOWS\system32\cmd.exe /c tasklist | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
330 744
Read events
330 288
Write events
354
Delete events
102
Modification events
| (PID) Process: | (4844) svchostmanager.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (4844) svchostmanager.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (4844) svchostmanager.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (3852) WerFault.exe | Key: | \REGISTRY\A\{34ec759d-2431-aae0-f968-fd87282628fe}\Root\InventoryApplicationFile |
| Operation: | write | Name: | WritePermissionsCheck |
Value: 1 | |||
| (PID) Process: | (3852) WerFault.exe | Key: | \REGISTRY\A\{34ec759d-2431-aae0-f968-fd87282628fe}\Root\InventoryApplicationFile\PermissionsCheckTestKey |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3852) WerFault.exe | Key: | \REGISTRY\A\{34ec759d-2431-aae0-f968-fd87282628fe}\Root\InventoryApplicationFile\svchosthelper.ex|977604269ee94eb2 |
| Operation: | write | Name: | ProgramId |
Value: 000675c4ce9d537aab2334309fdb6c61a7ae0000ffff | |||
| (PID) Process: | (3852) WerFault.exe | Key: | \REGISTRY\A\{34ec759d-2431-aae0-f968-fd87282628fe}\Root\InventoryApplicationFile\svchosthelper.ex|977604269ee94eb2 |
| Operation: | write | Name: | FileId |
Value: 000085c1e5add3ff1e4499136dc9f1643bbf88f16825 | |||
| (PID) Process: | (3852) WerFault.exe | Key: | \REGISTRY\A\{34ec759d-2431-aae0-f968-fd87282628fe}\Root\InventoryApplicationFile\svchosthelper.ex|977604269ee94eb2 |
| Operation: | write | Name: | LowerCaseLongPath |
Value: c:\windows\svchosthelper.exe | |||
| (PID) Process: | (3852) WerFault.exe | Key: | \REGISTRY\A\{34ec759d-2431-aae0-f968-fd87282628fe}\Root\InventoryApplicationFile\svchosthelper.ex|977604269ee94eb2 |
| Operation: | write | Name: | LongPathHash |
Value: svchosthelper.ex|977604269ee94eb2 | |||
| (PID) Process: | (3852) WerFault.exe | Key: | \REGISTRY\A\{34ec759d-2431-aae0-f968-fd87282628fe}\Root\InventoryApplicationFile\svchosthelper.ex|977604269ee94eb2 |
| Operation: | write | Name: | Name |
Value: svchosthelper.exe | |||
Executable files
115
Suspicious files
120
Text files
1 169
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3852 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchosthelper.ex_876bf21ed01352c334c7f1e68810f54857f6116_9242ee47_709f1e29-d13a-489f-bd16-30e311b4f1e3\Report.wer | — | |
MD5:— | SHA256:— | |||
| 7008 | random.exe | C:\Windows\Temp\svchostmanager.exe | executable | |
MD5:85EE12DC144D38CD72FB99F33498B58C | SHA256:2B6B8E81B4130E4BFD80F022F076E8CD1C95C842167E27D5ACA7F74BA0CE5D04 | |||
| 4752 | random.exe | C:\Users\admin\AppData\Local\Temp\svchostmanager.exe | executable | |
MD5:85EE12DC144D38CD72FB99F33498B58C | SHA256:2B6B8E81B4130E4BFD80F022F076E8CD1C95C842167E27D5ACA7F74BA0CE5D04 | |||
| 4752 | random.exe | C:\Users\admin\AppData\Local\Temp\svchostam.exe | executable | |
MD5:19CD3C6D17D45C9DE97240011B9E6B1D | SHA256:FB14B67779559AF123E61B6D205E27CD79952C5356D6077C0546575538BAA5BE | |||
| 5952 | systemhelper.exe | C:\Users\admin\AppData\Local\Temp\MoBFXVd.bat | text | |
MD5:A43FFD6B86EC1D617FD2872FD3118AF5 | SHA256:07BC6A2ED72E02E1988D152188BED752C21AB5282649F22C4C168A176CBDC690 | |||
| 3540 | random.exe | C:\Windows\svchosthelper.exe | executable | |
MD5:19CD3C6D17D45C9DE97240011B9E6B1D | SHA256:FB14B67779559AF123E61B6D205E27CD79952C5356D6077C0546575538BAA5BE | |||
| 3540 | random.exe | C:\Users\admin\AppData\Local\Temp\WindowsLogsHelper.xml | xml | |
MD5:05A11BE5D4544C45DC72EC69D6FB6111 | SHA256:6079E0D2CD5A661C893E58C9E3C18A2C78E5C10B5E863E7F339BDAC1697D928A | |||
| 5952 | systemhelper.exe | C:\Users\admin\AppData\Local\Temp\hater\nircmd.exe | executable | |
MD5:4A9DA765FD91E80DECFD2C9FE221E842 | SHA256:2E81E048AB419FDC6E5F4336A951BD282ED6B740048DC38D7673678EE3490CDA | |||
| 5952 | systemhelper.exe | C:\Users\admin\AppData\Local\Temp\hater\land.zip | compressed | |
MD5:7CDA8352CF156222F5BD5BE34AE6740C | SHA256:276B5361015B6485230F1A9F51762500AB3400BB112246DCB730597EC11CEA8E | |||
| 5952 | systemhelper.exe | C:\Users\admin\AppData\Local\Temp\hater\7z.exe | executable | |
MD5:426CCB645E50A3143811CFA0E42E2BA6 | SHA256:CF878BFBD9ED93DC551AC038AFF8A8BBA4C935DDF8D48E62122BDDFDB3E08567 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
156
TCP/UDP connections
152
DNS requests
60
Threats
109
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 149.154.167.99:443 | https://telegram.me/nc1anasy | unknown | html | 12.0 Kb | unknown |
1268 | svchost.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5476 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 95.216.183.166:443 | https://r0.ttx.proksen.com/ | unknown | text | 62 b | unknown |
5460 | svchostam.exe | POST | 200 | 178.16.54.200:80 | http://178.16.54.200/f8nus4b/index.php | unknown | — | — | malicious |
— | — | GET | 200 | 95.216.183.166:443 | https://r0.ttx.proksen.com/ | unknown | — | — | unknown |
5460 | svchostam.exe | POST | 200 | 178.16.54.200:80 | http://178.16.54.200/f8nus4b/index.php | unknown | — | — | malicious |
— | — | GET | 200 | 104.126.37.131:443 | https://www.bing.com/manifest/threshold.appcache | unknown | text | 2.87 Kb | unknown |
— | — | GET | 404 | 185.178.208.135:443 | https://xone.fun/c2/panel/rat/loader.exe | unknown | html | 19.3 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5476 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1268 | svchost.exe | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5476 | RUXIMICS.exe | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
telegram.me |
| whitelisted |
r0.ttx.proksen.com |
| unknown |
watson.events.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
xone.fun |
| unknown |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
5460 | svchostam.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 33 |
— | — | A Network Trojan was detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 |
— | — | A Network Trojan was detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 |
— | — | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 |
— | — | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 |
— | — | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 |
— | — | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 |
— | — | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 |
— | — | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 |
Process | Message |
|---|---|
IObitUnlocker.exe | PostAction_Delete |
IObitUnlocker.exe | FileCount:289 |
IObitUnlocker.exe | C:\ProgramData\Microsoft\Windows Defender-------- |
IObitUnlocker.exe | C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection-------- |
IObitUnlocker.exe | C:\ProgramData\Microsoft\Windows Security Health-------- |
IObitUnlocker.exe | C:\ProgramData\Microsoft\Storage Health-------- |
IObitUnlocker.exe | C:\Program Files\Windows Defender-------- |
IObitUnlocker.exe | C:\Program Files\Windows Defender Advanced Threat Protection-------- |
IObitUnlocker.exe | C:\Program Files\Windows Security-------- |
IObitUnlocker.exe | C:\Program Files\PCHealthCheck-------- |