File name:	8bede2701c0b0efc421cf1a65f56e25ab4341692ddff5894440976b68a031869.exe
Full analysis:	https://app.any.run/tasks/45b4d60f-6311-4c3e-b2e2-d633ef26b41c
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 01, 2024, 22:02:41
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion ransomware alphacrypt stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	3341B3D563C2554678E2485890079EAE
SHA1:	AD22ED425CFB03FD4ADCD7F6A9B2EFD6FE97D142
SHA256:	8BEDE2701C0B0EFC421CF1A65F56E25AB4341692DDFF5894440976B68A031869
SSDEEP:	6144:h8RwwduJnwd0mCM25J379nx39cA9LBm0dzl:fnwdrCM25d7PNx9tm0dzl

.dll	\|	Win32 Dynamic Link Library (generic) (43.5)
.exe	\|	Win32 Executable (generic) (29.8)
.exe	\|	Generic Win/DOS Executable (13.2)
.exe	\|	DOS Executable Generic (13.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2005:11:12 01:32:12+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	196608
InitializedDataSize:	950272
UninitializedDataSize:	-
EntryPoint:	0x30382
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	4.4.6.2
ProductVersionNumber:	4.4.6.2
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Turkish
CompanyName:	SystemOK AB
FileDescription:	Existences
FileVersion:	4.4.6.2
InternalName:	Macrobiotic.exe
LegalCopyright:	Elevated 1986-2000
OriginalFileName:	Macrobiotic.exe
ProductVersion:	4.4.6.2
ProductName:	Eatage


(PID) Process:	(6428) svcldc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\msys
Operation:	write	Name:	ID
Value: 1CE98070C2333E3A
(PID) Process:	(6428) svcldc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\1CE98070C2333E3A
Operation:	write	Name:	data
Value: 313268744B55714B61456D617A544B396E615A51536A617044347446426D4C344D770000000000000000000000000000044A1D396E7BA0B5422E1508424BF1E69985F7C2E7E974AF04B131333475B90483E41CD6E61E0F834EC14FD9A918DFA9FC636FD10C378FAB779E0A5C9867651ADE3142463242453441393134394538434343353242313343424543443635313534413346324633374230383236384232353035303338463939434145434631444535423939424532443131463030424643364337304534304534413330324631334643333744314136303645434334413133303233424333333134443243383937000000000000000EDD4C67000000000000000000000000
(PID) Process:	(6428) svcldc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	1CE98070C2333E3A
Value: C:\Users\admin\AppData\Roaming\svcldc.exe
(PID) Process:	(6428) svcldc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6428) svcldc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6428) svcldc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
6428	svcldc.exe	C:\ProgramData\Adobe\ARM\S\restore_files_bkmvr.html		html
		MD5:880B3FDA14BA508E635FA0FE8482E122	SHA256:40BC7568AD62635D41DC83F544DED593D63D8B530B09B027D6F1FE16ED95FEF1
6428	svcldc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\ip[1].txt		text
		MD5:B6BC698B93378FA2C7AF3CA3AC7782DC	SHA256:91022695EAA2B1C502BB1F2DE3F55961BD234ED58042A6A2E1655F03214AC1C9
6428	svcldc.exe	C:\ProgramData\Adobe\ARM\restore_files_bkmvr.html		html
		MD5:880B3FDA14BA508E635FA0FE8482E122	SHA256:40BC7568AD62635D41DC83F544DED593D63D8B530B09B027D6F1FE16ED95FEF1
6428	svcldc.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\restore_files_bkmvr.html		html
		MD5:880B3FDA14BA508E635FA0FE8482E122	SHA256:40BC7568AD62635D41DC83F544DED593D63D8B530B09B027D6F1FE16ED95FEF1
6380	8bede2701c0b0efc421cf1a65f56e25ab4341692ddff5894440976b68a031869.exe	C:\Users\admin\AppData\Roaming\svcldc.exe		executable
		MD5:3341B3D563C2554678E2485890079EAE	SHA256:8BEDE2701C0B0EFC421CF1A65F56E25AB4341692DDFF5894440976B68A031869
6428	svcldc.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\restore_files_bkmvr.txt		text
		MD5:6C904F5C4695A29A6CABCB44AAB3F1F0	SHA256:CC8C7F09E94649DC065FB038FC0FD5788F6376EC9A5B23EF343C97696AFF5161
6428	svcldc.exe	C:\ProgramData\Adobe\ARM\Acrobat_23.001.20093\restore_files_bkmvr.txt		text
		MD5:6C904F5C4695A29A6CABCB44AAB3F1F0	SHA256:CC8C7F09E94649DC065FB038FC0FD5788F6376EC9A5B23EF343C97696AFF5161
6428	svcldc.exe	C:\ProgramData\Adobe\ARM\S\388\restore_files_bkmvr.html		html
		MD5:880B3FDA14BA508E635FA0FE8482E122	SHA256:40BC7568AD62635D41DC83F544DED593D63D8B530B09B027D6F1FE16ED95FEF1
6428	svcldc.exe	C:\ProgramData\Adobe\ARM\Acrobat_23.001.20093\restore_files_bkmvr.html		html
		MD5:880B3FDA14BA508E635FA0FE8482E122	SHA256:40BC7568AD62635D41DC83F544DED593D63D8B530B09B027D6F1FE16ED95FEF1
6428	svcldc.exe	C:\ProgramData\Adobe\ARM\S\388\restore_files_bkmvr.txt		text
		MD5:6C904F5C4695A29A6CABCB44AAB3F1F0	SHA256:CC8C7F09E94649DC065FB038FC0FD5788F6376EC9A5B23EF343C97696AFF5161

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4804	RUXIMICS.exe	GET	200	23.48.23.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	1.01 Kb	whitelisted
6428	svcldc.exe	GET	200	34.117.59.81:80	http://ipinfo.io/ip	US	text	15 b	shared
4804	RUXIMICS.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	973 b	whitelisted
6428	svcldc.exe	GET	301	185.230.63.107:80	http://serenitynowbooksandgifts.com/wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E8041C6D68FBD445D044B89D751165CE8130FA20FD84024928420A67FF813764C9E1898DAF9A3E3D2BDA14148E081F83E78B0E7A502AED86CC925FF08B76E95494FC2282D6663A2DAD9D8C3A90BFF1EECD47990B66E37D3019B1F926BB6D588072BDDCE73CC1ABC1C44313C783F252A663F402280FCA685AFDF8B5E1EE74E5F89E4F65ABCBE543E72538567D750BAF4BE256F4ADB0D044CB9EC19E5FE61F6BB818CE5C7B1B78AE120DDC44817F310B368DB20239C0E41117126871CBEB75F5FCCBFE56B99BA6012B92ADC97F56BF902B28210B841C3CA41BFF808B063B6D879A260C	US	—	—	malicious
—	—	GET	301	34.149.87.45:443	https://serenitynowbooksandgifts.com/wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E8041C6D68FBD445D044B89D751165CE8130FA20FD84024928420A67FF813764C9E1898DAF9A3E3D2BDA14148E081F83E78B0E7A502AED86CC925FF08B76E95494FC2282D6663A2DAD9D8C3A90BFF1EECD47990B66E37D3019B1F926BB6D588072BDDCE73CC1ABC1C44313C783F252A663F402280FCA685AFDF8B5E1EE74E5F89E4F65ABCBE543E72538567D750BAF4BE256F4ADB0D044CB9EC19E5FE61F6BB818CE5C7B1B78AE120DDC44817F310B368DB20239C0E41117126871CBEB75F5FCCBFE56B99BA6012B92ADC97F56BF902B28210B841C3CA41BFF808B063B6D879A260C	US	—	—	unknown
6428	svcldc.exe	GET	301	67.22.44.2:80	http://teenpornotube.org/wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E8041C6D68FBD445D044B89D751165CE8130FA20FD84024928420A67FF813764C9E1898DAF9A3E3D2BDA14148E081F83E78B0E7A502AED86CC925FF08B76E95494FC2282D6663A2DAD9D8C3A90BFF1EECD47990B66E37D3019B1F926BB6D588072BDDCE73CC1ABC1C44313C783F252A663F402280FCA685AFDF8B5E1EE74E5F89E4F65ABCBE543E72538567D750BAF4BE2564402DBC84E08FFF3CA453C3611CC09992C1B1E25494A5C20C78E7BE50EE20CB078292DA1B0C394415077C2C1C5F737109126ACE528944BCCBFB6B6D9C4F5EA7B68012978C192A36C1A0B119EF9D95CF1	NL	—	—	malicious
6428	svcldc.exe	GET	—	67.22.44.2:80	http://www.teenpornotube.org/wp-content/themes/r.php	NL	—	—	unknown
6428	svcldc.exe	GET	—	199.116.254.169:80	http://fgainterests.com/wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E8041C6D68FBD445D044B89D751165CE8130FA20FD84024928420A67FF813764C9E1898DAF9A3E3D2BDA14148E081F83E78B0E7A502AED86CC925FF08B76E95494FC2282D6663A2DAD9D8C3A90BFF1EECD47990B66E37D3019B1F926BB6D588072BDF0F0ECE2C90228F369E9F06DEE1BB7AB24BA92294ADF234D76B19DC818FBBD3C3EC33DE5B0E3121574F262B88207B17D5987131CAF29255A5B44F748008A491D4EAE2D5521FDECF44F9FD76AB0C55B5E0B07D54514A469F05E3F4D22EEB40EB703C74DE0AA99F0810F3B07FAA612DB422778DCDC67D57839A73827AAE85F30E0	US	—	—	malicious
—	—	GET	403	34.149.87.45:443	https://www.serenitynowbooksandgifts.com/wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E8041C6D68FBD445D044B89D751165CE8130FA20FD84024928420A67FF813764C9E1898DAF9A3E3D2BDA14148E081F83E78B0E7A502AED86CC925FF08B76E95494FC2282D6663A2DAD9D8C3A90BFF1EECD47990B66E37D3019B1F926BB6D588072BDDCE73CC1ABC1C44313C783F252A663F402280FCA685AFDF8B5E1EE74E5F89E4F65ABCBE543E72538567D750BAF4BE256F4ADB0D044CB9EC19E5FE61F6BB818CE5C7B1B78AE120DDC44817F310B368DB20239C0E41117126871CBEB75F5FCCBFE56B99BA6012B92ADC97F56BF902B28210B841C3CA41BFF808B063B6D879A260C=	US	html	318 b	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4804	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4804	RUXIMICS.exe	23.48.23.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6428	svcldc.exe	34.117.59.81:80	ipinfo.io	GOOGLE-CLOUD-PLATFORM	US	shared
6428	svcldc.exe	199.116.254.169:80	fgainterests.com	GVO	US	malicious
4804	RUXIMICS.exe	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6428	svcldc.exe	185.230.63.107:80	serenitynowbooksandgifts.com	Wix.com Ltd.	US	malicious
6428	svcldc.exe	185.230.63.107:443	serenitynowbooksandgifts.com	Wix.com Ltd.	US	malicious

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.185.206	whitelisted
crl.microsoft.com	23.48.23.176 23.48.23.173 23.48.23.156 23.48.23.194 23.48.23.164 23.48.23.147 23.48.23.143 23.48.23.145 23.48.23.177	whitelisted
ipinfo.io	34.117.59.81	shared
ezglobalmarketing.com	—	shared
fgainterests.com	199.116.254.169	malicious
www.microsoft.com	2.23.181.156	whitelisted
ledshoppen.nl	—	unknown
serenitynowbooksandgifts.com	185.230.63.107 185.230.63.171 185.230.63.186	malicious
www.serenitynowbooksandgifts.com	34.149.87.45	malicious

PID	Process	Class	Message
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
6428	svcldc.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ipinfo.io
6428	svcldc.exe	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
6428	svcldc.exe	Malware Command and Control Activity Detected	ET MALWARE AlphaCrypt CnC Beacon 3
6428	svcldc.exe	Malware Command and Control Activity Detected	ET MALWARE AlphaCrypt CnC Beacon 3
6428	svcldc.exe	Malware Command and Control Activity Detected	ET MALWARE AlphaCrypt CnC Beacon 3
2192	svchost.exe	Potentially Bad Traffic	ET DNS Query for .to TLD
2192	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to .onion proxy Domain (onion.to)

General Info

8bede2701c0b0efc421cf1a65f56e25ab4341692ddff5894440976b68a031869.exe

3341B3D563C2554678E2485890079EAE

AD22ED425CFB03FD4ADCD7F6A9B2EFD6FE97D142

8BEDE2701C0B0EFC421CF1A65F56E25AB4341692DDFF5894440976B68A031869

6144:h8RwwduJnwd0mCM25J379nx39cA9LBm0dzl:fnwdrCM25d7PNx9tm0dzl

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Deletes shadow copies

ALPHACRYPT has been detected (SURICATA)

Connects to the CnC server

Modifies files in the Chrome extension folder

Actions looks like stealing of personal data

SUSPICIOUS

Executable content was dropped or overwritten

Starts itself from another location

Reads security settings of Internet Explorer

Checks for external IP

Hides command output

Starts CMD.EXE for commands execution

Executes as Windows Service

Contacting a server suspected of hosting an CnC

Checks Windows Trust Settings

INFO

Creates files or folders in the user directory

Checks supported languages

Reads the computer name

The process uses the downloaded file

Reads the machine GUID from the registry

Process checks computer location settings

Creates files in the program directory

Drops encrypted VBS script (Microsoft Script Encoder)

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings