Malware analysis 5252753136844800.zip Malicious activity

Add for printing

File name:	5252753136844800.zip
Full analysis:	https://app.any.run/tasks/36cfdc1d-805b-4c3a-a758-f3e36c530425
Verdict:	Malicious activity
Threats:	Maze is ransomware — a malware type that encrypts the victim’s files and restores the data in exchange for a ransom payment. One of the most distinguishable features of Maze is that it is one of the first malware of the kind to publicly release stolen data. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	March 30, 2020, 15:35:33
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	ransomware maze
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	2A3C7610D1F141A9430B794CD23F49BC
SHA1:	CB7CF3D6D79F53760FDA7E71505D4ED310E0C2E1
SHA256:	84A7FCD0268600F7678C4A346796E2762B59F144B7A00A18349DF465A0B0597E
SSDEEP:	12288:KLznYk2edCwwBCV67fITH8gTz/mPDnX5ZfUe53Qp:2nEeV6kTH8+TuDnXT7p6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.17843 KB3058515
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Hyphenation Parent Package English
IE Spelling Parent Package English
IE Troubleshooters Package
InternetExplorer Optional Package
InternetExplorer Package TopLevel
KB2533623
KB2534111
KB2639308
KB2729094
KB2731771
KB2786081
KB2834140
KB2882822
KB2888049
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
PlatformUpdate Win7 SRV08R2 Package TopLevel
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- MAZE was detected
  - fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)
- Deletes shadow copies
  - fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)
- Application was dropped or rewritten from another process
  - fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)
- Writes to a start menu file
  - fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)
- Writes file to Word startup folder
  - fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)
- Actions looks like stealing of personal data
  - fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)
- Renames files like Ransomware
  - fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2876)
- Executed via COM
  - DllHost.exe (PID: 3484)
  - DllHost.exe (PID: 1732)
- Connects to server without host name
  - fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)
- Changes tracing settings of the file or console
  - fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)
- Creates files like Ransomware instruction
  - fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)
- Creates files in the program directory
  - fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)
- Executed as Windows Service
  - vssvc.exe (PID: 1720)
- Reads the cookies of Mozilla Firefox
  - fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)
- Modifies files in Chrome extension folder
  - chrome.exe (PID: 3392)
- Creates files in the user directory
  - fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)
INFO
- Manual execution by user
  - explorer.exe (PID: 2948)
  - fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)
  - NOTEPAD.EXE (PID: 3984)
  - chrome.exe (PID: 3392)
- Application launched itself
  - chrome.exe (PID: 3392)
- Reads the hosts file
  - chrome.exe (PID: 3392)
  - chrome.exe (PID: 2816)
- Dropped object may contain TOR URL's
  - fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)
- Reads settings of System Certificates
  - chrome.exe (PID: 2816)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0009
ZipCompression:	Deflated
ZipModifyDate:	1980:00:00 00:00:00
ZipCRC:	0xd385327b
ZipCompressedSize:	444578
ZipUncompressedSize:	518656
ZipFileName:	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

208

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1008,1946902350393553928,14012845430433383603,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5233043249798609317 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

224

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1008,1946902350393553928,14012845430433383603,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=6511603166250262928 --mojo-platform-channel-handle=3192 --ignored=" --type=renderer " /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

552

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1008,1946902350393553928,14012845430433383603,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=6000770429503560234 --mojo-platform-channel-handle=1144 --ignored=" --type=renderer " /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

604

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1008,1946902350393553928,14012845430433383603,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=10087725210940044146 --mojo-platform-channel-handle=3440 --ignored=" --type=renderer " /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

748

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1008,1946902350393553928,14012845430433383603,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=11749677113978049627 --mojo-platform-channel-handle=4048 --ignored=" --type=renderer " /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

968

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1008,1946902350393553928,14012845430433383603,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=5541943982329426690 --mojo-platform-channel-handle=4100 --ignored=" --type=renderer " /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

1524

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1008,1946902350393553928,14012845430433383603,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=7003738020644401589 --mojo-platform-channel-handle=4492 --ignored=" --type=renderer " /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

1720

C:\Windows\system32\vssvc.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Volume Shadow Copy Service

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1732

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

COM Surrogate

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2000

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1008,1946902350393553928,14012845430433383603,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=13365997405398168606 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

2 188

Read events

1 807

Write events

371

Delete events

Modification events


(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\5252753136844800.zip
(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation:	write	Name:	0
Value: C:\Users\admin
(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0

Add for printing

Executable files

Suspicious files

441

Text files

495

Unknown types

Dropped files

PID	Process	Filename		Type
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	C:\autoexec.bat		—
		MD5:—	SHA256:—
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi		—
		MD5:—	SHA256:—
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim		—
		MD5:—	SHA256:—
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.MxcYC7W		—
		MD5:—	SHA256:—
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{02b4b32f-3d9a-4f0c-90b3-b3f695ffdbdb}_OnDiskSnapshotProp		—
		MD5:—	SHA256:—
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{05ed3515-06b3-48f6-8cf2-bf24b1bf0727}_OnDiskSnapshotProp		—
		MD5:—	SHA256:—
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	C:\$Recycle.Bin\DECRYPT-FILES.txt		text
		MD5:—	SHA256:—
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{0e2a6214-ab14-4acd-9944-51dcd3caf902}_OnDiskSnapshotProp		—
		MD5:—	SHA256:—
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	C:\Program Files\DECRYPT-FILES.txt		text
		MD5:—	SHA256:—
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{14e6e058-39ee-43ce-ac15-7acb7d834dae}_OnDiskSnapshotProp		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	POST	—	91.218.114.4:80	http://91.218.114.4/rcrb.cgi?ehmt=k7&pxi=k2xpi2&b=p0q0cgj0y1	RU	—	—	malicious
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	POST	—	91.218.114.25:80	http://91.218.114.25/b.jspx	RU	—	—	malicious
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	POST	—	91.218.114.11:80	http://91.218.114.11/signout/mmrcjggx.jspx?ci=7jfo15&rtk=03&is=o164db7	RU	—	—	malicious
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	POST	404	91.218.114.4:80	http://91.218.114.4/rcrb.cgi?ehmt=k7&pxi=k2xpi2&b=p0q0cgj0y1	RU	html	206 b	malicious
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	POST	—	91.218.114.26:80	http://91.218.114.26/edit/pckt.shtml?hu=2	RU	—	—	malicious
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	POST	—	91.218.114.31:80	http://91.218.114.31/update/withdrawal/ccwmnlt.jsp	RU	—	—	malicious
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	POST	—	91.218.114.4:80	http://91.218.114.4/post/signin/wafsrexgtf.shtml?yah=ns3nm0xi1&mekv=e3&a=21ql85a2nw	RU	—	—	malicious
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	POST	—	91.218.114.11:80	http://91.218.114.11/content/q.shtml?g=rofb4&nsep=tf1&sh=45s76830gd&m=i1i0p	RU	—	—	malicious
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	POST	—	91.218.114.31:80	http://91.218.114.31/update/withdrawal/ccwmnlt.jsp	RU	—	—	malicious
2816	chrome.exe	GET	302	172.217.23.142:80	http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx	US	html	525 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	91.218.114.4:80	—	Mir Telematiki Ltd	RU	malicious
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	91.218.114.31:80	—	Mir Telematiki Ltd	RU	malicious
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	91.218.114.11:80	—	Mir Telematiki Ltd	RU	malicious
2816	chrome.exe	172.217.16.141:443	accounts.google.com	Google Inc.	US	suspicious
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	91.218.114.26:80	—	Mir Telematiki Ltd	RU	malicious
2816	chrome.exe	172.217.23.106:443	fonts.googleapis.com	Google Inc.	US	whitelisted
2816	chrome.exe	216.58.206.3:443	clientservices.googleapis.com	Google Inc.	US	whitelisted
2816	chrome.exe	172.217.22.35:443	www.google.com.ua	Google Inc.	US	whitelisted
2816	chrome.exe	172.217.21.238:443	apis.google.com	Google Inc.	US	whitelisted
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	91.218.114.25:80	—	Mir Telematiki Ltd	RU	malicious

DNS requests

Domain	IP	Reputation
clientservices.googleapis.com	216.58.206.3	whitelisted
accounts.google.com	172.217.16.141	shared
www.google.com.ua	172.217.22.35	whitelisted
fonts.googleapis.com	172.217.23.106	whitelisted
www.gstatic.com	172.217.22.3	whitelisted
apis.google.com	172.217.21.238	whitelisted
ogs.google.com.ua	172.217.21.206	whitelisted
fonts.gstatic.com	216.58.206.3	whitelisted
mazedecrypt.top	146.0.72.85	whitelisted
www.google.com	172.217.22.36	malicious

Threats

PID	Process	Class	Message
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	A Network Trojan was detected	RANSOMWARE [PTsecurity] Maze
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	A Network Trojan was detected	RANSOMWARE [PTsecurity] Maze
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	A Network Trojan was detected	RANSOMWARE [PTsecurity] Maze
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	A Network Trojan was detected	RANSOMWARE [PTsecurity] Maze
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	A Network Trojan was detected	RANSOMWARE [PTsecurity] Maze
1052	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	A Network Trojan was detected	RANSOMWARE [PTsecurity] Maze
3192	fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe	A Network Trojan was detected	RANSOMWARE [PTsecurity] Maze

Add for printing

No debug info

General Info

5252753136844800.zip

2A3C7610D1F141A9430B794CD23F49BC

CB7CF3D6D79F53760FDA7E71505D4ED310E0C2E1

84A7FCD0268600F7678C4A346796E2762B59F144B7A00A18349DF465A0B0597E

12288:KLznYk2edCwwBCV67fITH8gTz/mPDnX5ZfUe53Qp:2nEeV6kTH8+TuDnXT7p6

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

MAZE was detected

Deletes shadow copies

Application was dropped or rewritten from another process

Writes to a start menu file

Writes file to Word startup folder

Actions looks like stealing of personal data

Renames files like Ransomware

SUSPICIOUS

Executable content was dropped or overwritten

Executed via COM

Connects to server without host name

Changes tracing settings of the file or console

Creates files like Ransomware instruction

Creates files in the program directory

Executed as Windows Service

Reads the cookies of Mozilla Firefox

Modifies files in Chrome extension folder

Creates files in the user directory

INFO

Manual execution by user

Application launched itself

Reads the hosts file

Dropped object may contain TOR URL's

Reads settings of System Certificates

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings