Malware analysis SDA EMV Chip Writer By Paws.exe Malicious activity

Add for printing

File name:	SDA EMV Chip Writer By Paws.exe
Full analysis:	https://app.any.run/tasks/9a697f63-2589-4be6-865a-4b46e7945c83
Verdict:	Malicious activity
Threats:	Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS. Malware Trends Tracker >>>
Analysis date:	December 03, 2023, 20:22:50
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	netwire
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	30EE6AAF50E4B4369E0A1634AFBCD757
SHA1:	B2EE5B9C07098A1058AE9778AD59396B8B8C9878
SHA256:	7F4D0810B884D9647D5374550187A123F009CE8F6450D5DAB818A2384358FB06
SSDEEP:	98304:WZJ3Xi+LQegKdakQwSstgALbRhZZ1pkuIqf0pGbqLbhO2yU8zPdk4ujUwYChbnGF:fFoD7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.100 (8.100)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - SDA EMV Chip Writer By Paws.exe (PID: 1864)
  - Sdachipwriter.exe (PID: 2964)
  - Syssvctoolsx64bit.exe (PID: 2532)
- NETWIRE has been detected (YARA)
  - crhomeAT64bit.exe (PID: 2336)
SUSPICIOUS
- Reads the Internet Settings
  - SDA EMV Chip Writer By Paws.exe (PID: 2412)
  - Sdachipwriter.exe (PID: 2964)
- Application launched itself
  - SDA EMV Chip Writer By Paws.exe (PID: 2412)
  - Syssvctoolsx64bit.exe (PID: 1088)
  - crhomeAT64bit.exe (PID: 684)
- The process creates files with name similar to system file names
  - Sdachipwriter.exe (PID: 2964)
- Starts itself from another location
  - Syssvctoolsx64bit.exe (PID: 2532)
- Connects to unusual port
  - crhomeAT64bit.exe (PID: 2336)
INFO
- Reads the computer name
  - SDA EMV Chip Writer By Paws.exe (PID: 2412)
  - SDA EMV Chip Writer By Paws.exe (PID: 1864)
  - Syssvctoolsx64bit.exe (PID: 1088)
  - Sdachipwriter.exe (PID: 2964)
  - crhomeAT64bit.exe (PID: 684)
  - crhomeAT64bit.exe (PID: 2336)
  - GPShell.exe (PID: 3940)
  - GPShell.exe (PID: 3880)
  - GPShell.exe (PID: 2764)
  - GPShell.exe (PID: 3108)
  - GPShell.exe (PID: 3296)
  - GPShell.exe (PID: 3528)
  - GPShell.exe (PID: 3116)
  - GPShell.exe (PID: 3644)
  - GPShell.exe (PID: 2932)
  - GPShell.exe (PID: 3424)
  - GPShell.exe (PID: 944)
  - GPShell.exe (PID: 2892)
- Reads mouse settings
  - SDA EMV Chip Writer By Paws.exe (PID: 1864)
  - SDA EMV Chip Writer By Paws.exe (PID: 2412)
  - Syssvctoolsx64bit.exe (PID: 1088)
  - crhomeAT64bit.exe (PID: 684)
- Checks supported languages
  - SDA EMV Chip Writer By Paws.exe (PID: 2412)
  - SDA EMV Chip Writer By Paws.exe (PID: 1864)
  - Syssvctoolsx64bit.exe (PID: 1088)
  - Sdachipwriter.exe (PID: 2964)
  - Syssvctoolsx64bit.exe (PID: 2532)
  - crhomeAT64bit.exe (PID: 684)
  - crhomeAT64bit.exe (PID: 2336)
  - GPShell.exe (PID: 3940)
  - GPShell.exe (PID: 2764)
  - GPShell.exe (PID: 3108)
  - GPShell.exe (PID: 3880)
  - GPShell.exe (PID: 3296)
  - GPShell.exe (PID: 3528)
  - GPShell.exe (PID: 3116)
  - GPShell.exe (PID: 3512)
  - GPShell.exe (PID: 3644)
  - GPShell.exe (PID: 3944)
  - GPShell.exe (PID: 2932)
  - GPShell.exe (PID: 3424)
  - GPShell.exe (PID: 3984)
  - GPShell.exe (PID: 944)
  - GPShell.exe (PID: 2892)
  - GPShell.exe (PID: 3236)
  - GPShell.exe (PID: 3884)
  - GPShell.exe (PID: 3732)
- Creates files or folders in the user directory
  - SDA EMV Chip Writer By Paws.exe (PID: 1864)
  - Syssvctoolsx64bit.exe (PID: 2532)
  - crhomeAT64bit.exe (PID: 2336)
- Create files in a temporary directory
  - SDA EMV Chip Writer By Paws.exe (PID: 1864)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

NetWire

(PID) Process(2336) crhomeAT64bit.exe

C2 (5)local.cable-modem.org:3361

teamviewer.ddns.net:3361

optic.cable-modem.org:3361

teamviewer.ddns.me:3361

logmein.loginto.me:3361

HostBTC2020

Credentials

Passwordanjing

Options

MutexNLBJEoGj

Install path%AppData%\instal\crhomeAT64bit.exe

Startup nametvnserver

ProxyDirect connection

ActiveXTrue

Copy executableTrue

Delete originalFalse

Lock executableFalse

Registry autorunTrue

Use a mutexTrue

Offline keyloggerTrue

Sleep10

Keylogger directoryC:\Users\admin\AppData\Roaming\0pera\metaolgs.dat\

Keys

RC461c55498a2d7953c0f398f1ad24013fd

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

AssemblyVersion:	10.2.0.0
ProductVersion:	10.2.0.0
ProductName:	EMVsoftware
OriginalFileName:	EMVsoftware.exe
LegalCopyright:	2015-2020
InternalName:	EMVMX.exe
FileVersion:	10.2.0.0
FileDescription:	EMV chip writer by paws
CompanyName:	EMV chip software
Comments:	EMV chip writer by paws
CharacterSet:	Unicode
LanguageCode:	English (British)
FileSubtype:	-
ObjectFileType:	Unknown
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x0000
ProductVersionNumber:	10.2.0.0
FileVersionNumber:	10.2.0.0
Subsystem:	Windows GUI
SubsystemVersion:	5
ImageVersion:	-
OSVersion:	5
EntryPoint:	0x165c1
UninitializedDataSize:	-
InitializedDataSize:	100352
CodeSize:	526336
LinkerVersion:	10
PEType:	PE32
ImageFileCharacteristics:	No relocs, Executable, Large address aware, 32-bit
TimeStamp:	2011:12:23 11:59:31+01:00
MachineType:	Intel 386 or later, and compatibles

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2412

"C:\Users\admin\Desktop\SDA EMV Chip Writer By Paws.exe"

C:\Users\admin\Desktop\SDA EMV Chip Writer By Paws.exe

—

explorer.exe

User:

admin

Company:

EMV chip software

Integrity Level:

MEDIUM

Description:

EMV chip writer by paws

Exit code:

Version:

10.2.0.0

Modules

Images
c:\users\admin\desktop\sda emv chip writer by paws.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll

1864

"C:\Users\admin\Desktop\SDA EMV Chip Writer By Paws.exe"

C:\Users\admin\Desktop\SDA EMV Chip Writer By Paws.exe

SDA EMV Chip Writer By Paws.exe

User:

admin

Company:

EMV chip software

Integrity Level:

HIGH

Description:

EMV chip writer by paws

Exit code:

Version:

10.2.0.0

Modules

Images
c:\users\admin\desktop\sda emv chip writer by paws.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll

1088

C:\Users\admin\AppData\Roaming/Syssvctoolsx64bit.exe

C:\Users\admin\AppData\Roaming\Syssvctoolsx64bit.exe

—

SDA EMV Chip Writer By Paws.exe

User:

admin

Company:

Controller ACEI Inc.

Integrity Level:

HIGH

Description:

Controller ACEI: Host application

Exit code:

Version:

7.7.0.0

Modules

Images
c:\users\admin\appdata\roaming\syssvctoolsx64bit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll

2964

C:\Users\admin\AppData\Local\Temp/Sdachipwriter.exe

C:\Users\admin\AppData\Local\Temp\Sdachipwriter.exe

—

SDA EMV Chip Writer By Paws.exe

User:

admin

Company:

EMV Writer Software by Paws

Integrity Level:

HIGH

Description:

EMV Chip Writer

Version:

10.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\sdachipwriter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll

2532

"C:\Users\admin\AppData\Roaming\Syssvctoolsx64bit.exe"

C:\Users\admin\AppData\Roaming\Syssvctoolsx64bit.exe

—

Syssvctoolsx64bit.exe

User:

admin

Company:

Controller ACEI Inc.

Integrity Level:

HIGH

Description:

Controller ACEI: Host application

Exit code:

Version:

7.7.0.0

Modules

Images
c:\users\admin\appdata\roaming\syssvctoolsx64bit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

684

"C:\Users\admin\AppData\Roaming\instal\crhomeAT64bit.exe"

C:\Users\admin\AppData\Roaming\instal\crhomeAT64bit.exe

—

Syssvctoolsx64bit.exe

User:

admin

Company:

Controller ACEI Inc.

Integrity Level:

HIGH

Description:

Controller ACEI: Host application

Exit code:

Version:

7.7.0.0

Modules

Images
c:\users\admin\appdata\roaming\instal\crhomeat64bit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll

2336

"C:\Users\admin\AppData\Roaming\instal\crhomeAT64bit.exe"

C:\Users\admin\AppData\Roaming\instal\crhomeAT64bit.exe

crhomeAT64bit.exe

User:

admin

Company:

Controller ACEI Inc.

Integrity Level:

HIGH

Description:

Controller ACEI: Host application

Version:

7.7.0.0

Modules

Images
c:\users\admin\appdata\roaming\instal\crhomeat64bit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

NetWire

(PID) Process(2336) crhomeAT64bit.exe

C2 (5)local.cable-modem.org:3361

teamviewer.ddns.net:3361

optic.cable-modem.org:3361

teamviewer.ddns.me:3361

logmein.loginto.me:3361

HostBTC2020

Credentials

Passwordanjing

Options

MutexNLBJEoGj

Install path%AppData%\instal\crhomeAT64bit.exe

Startup nametvnserver

ProxyDirect connection

ActiveXTrue

Copy executableTrue

Delete originalFalse

Lock executableFalse

Registry autorunTrue

Use a mutexTrue

Offline keyloggerTrue

Sleep10

Keylogger directoryC:\Users\admin\AppData\Roaming\0pera\metaolgs.dat\

Keys

RC461c55498a2d7953c0f398f1ad24013fd

3940

"C:\Windowr\GPShell.exe" del.dll

C:\Windowr\GPShell.exe

—

Sdachipwriter.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Version:

1, 4, 4, 0

Modules

Images
c:\windowr\gpshell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windowr\globalplatform.dll
c:\windowr\zlib1.dll
c:\windowr\libeay32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll

2764

"C:\Windowr\GPShell.exe" del.dll

C:\Windowr\GPShell.exe

—

Sdachipwriter.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Version:

1, 4, 4, 0

Modules

Images
c:\windowr\gpshell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windowr\globalplatform.dll
c:\windowr\zlib1.dll
c:\windowr\libeay32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll

3880

"C:\Windowr\GPShell.exe" del.dll

C:\Windowr\GPShell.exe

—

Sdachipwriter.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Version:

1, 4, 4, 0

Modules

Images
c:\windowr\gpshell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windowr\globalplatform.dll
c:\windowr\zlib1.dll
c:\windowr\libeay32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll

Add for printing

Total events

1 405

Read events

1 389

Write events

Delete events

Modification events


(PID) Process:	(2412) SDA EMV Chip Writer By Paws.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2412) SDA EMV Chip Writer By Paws.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2412) SDA EMV Chip Writer By Paws.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2412) SDA EMV Chip Writer By Paws.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2964) Sdachipwriter.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2964) Sdachipwriter.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2964) Sdachipwriter.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2964) Sdachipwriter.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1864	SDA EMV Chip Writer By Paws.exe	C:\Users\admin\AppData\Local\Temp\aut692E.tmp		binary
		MD5:D6D055DC35731C86EA942B14DDFE09F5	SHA256:5230CD3764629D78C7CC4BB9FCBF97B95DD171AB38855C94A276211642426D16
2964	Sdachipwriter.exe	C:\Windowr\GPShell.exe		executable
		MD5:50FCDD91AEE3EC8D7C54FEB63E324C03	SHA256:BA5E9041668257393AE28413F5099DB5D12D7F48C239E8D19E9BEDA2036B31BE
1864	SDA EMV Chip Writer By Paws.exe	C:\Users\admin\AppData\Local\Temp\aut698C.tmp		binary
		MD5:13B3DE29B96725C248448DA736A2CEA7	SHA256:245ABA2A3FC4DD976B1A000F9DD3177F4D26AD146F5D01771B0B485727DA3674
2964	Sdachipwriter.exe	C:\Windowr\GPPcScConnectionPlugin.dll		executable
		MD5:2F99E012379E8C950B0BDE761C5CCA0F	SHA256:5D84EC3F8DEE7438B0049D5DC201A68A99F3E471A4C9ACAC48DD7F67F89FD178
2964	Sdachipwriter.exe	C:\Windowr\GlobalPlatform.dll		executable
		MD5:C035B189CCC0FA06E549CCABF7DFBA48	SHA256:DAC5A4213654CAE1AA622877E7E156C0EFD77C0601440DF7CE9995E280DF8694
1864	SDA EMV Chip Writer By Paws.exe	C:\Users\admin\AppData\Roaming\Syssvctoolsx64bit.exe		executable
		MD5:C57711ED5AC9003F30BE5D81C0B8DDC1	SHA256:EC94FFBDA11B4F750EA732A9986B6DD60D4C87978F810F27336ABF4EE178BC03
2532	Syssvctoolsx64bit.exe	C:\Users\admin\AppData\Roaming\instal\crhomeAT64bit.exe		executable
		MD5:C57711ED5AC9003F30BE5D81C0B8DDC1	SHA256:EC94FFBDA11B4F750EA732A9986B6DD60D4C87978F810F27336ABF4EE178BC03
1864	SDA EMV Chip Writer By Paws.exe	C:\Users\admin\AppData\Local\Temp\Sdachipwriter.exe		executable
		MD5:0828480F98ADB533104D42AD42601F80	SHA256:1ECFD3755EBA578108363C0705C6EC205972080739ED0FBD17439F8139BA7E08
2964	Sdachipwriter.exe	C:\Windowr\Global.drv		compressed
		MD5:418F4F42405CEC3252F0B952ED9A642C	SHA256:148B8755D228F174F4DBD0B8454E3825F34E6D6E055341D4C3981C2BB7664C07
2964	Sdachipwriter.exe	C:\Windowr\MacGyver.cap		compressed
		MD5:3709E18B229E3DB113BF5C7863C59DB4	SHA256:9DC70002E82C78EE34C813597925C6CF8AA8D68B7E9CE5BCC70EA9BCAB9DBF4A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	unknown
2588	svchost.exe	239.255.255.250:1900	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	unknown
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2336	crhomeAT64bit.exe	180.241.167.149:3361	local.cable-modem.org	PT Telekomunikasi Indonesia	ID	unknown

DNS requests

Domain	IP	Reputation
local.cable-modem.org	180.241.167.149	unknown
dns.msftncsi.com	131.107.255.255	unknown
teamviewer.ddns.net	180.241.167.149	unknown
optic.cable-modem.org	—	unknown
teamviewer.ddns.me	—	unknown
logmein.loginto.me	—	unknown

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.cable-modem .org
—	—	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .net
—	—	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.cable-modem .org
—	—	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .me
—	—	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.loginto .me
—	—	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.cable-modem .org
—	—	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .net
—	—	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.cable-modem .org
—	—	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .net
—	—	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.cable-modem .org

Add for printing

No debug info

General Info

SDA EMV Chip Writer By Paws.exe

30EE6AAF50E4B4369E0A1634AFBCD757

B2EE5B9C07098A1058AE9778AD59396B8B8C9878

7F4D0810B884D9647D5374550187A123F009CE8F6450D5DAB818A2384358FB06

98304:WZJ3Xi+LQegKdakQwSstgALbRhZZ1pkuIqf0pGbqLbhO2yU8zPdk4ujUwYChbnGF:fFoD7

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

NETWIRE has been detected (YARA)

SUSPICIOUS

Reads the Internet Settings

Application launched itself

The process creates files with name similar to system file names

Starts itself from another location

Connects to unusual port

INFO

Reads the computer name

Reads mouse settings

Checks supported languages

Creates files or folders in the user directory

Create files in a temporary directory

Malware configuration

NetWire

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

NetWire

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings