Malware analysis Flasher.exe Malicious activity | ANY.RUN

Add for printing

File name:	Flasher.exe
Full analysis:	https://app.any.run/tasks/546ae205-b023-4a92-8818-453911c724b2
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. SVCStealer is an information-stealing malware targeting sensitive user data through spear-phishing email attachments. It systematically extracts credentials, financial data, and system information from various applications, including browsers and messaging platforms. Malware Trends Tracker >>>
Analysis date:	May 31, 2025, 06:14:56
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	svcstealer stealer crypto-regex amadey rdp processhacker tool kprocesshacker-sys vuln-driver
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	7175D81D25F930437CBE872DA4D6146E
SHA1:	AFF6402B462E139B998E4AFC4CDEF7CDB246F788
SHA256:	9A3F94EB934151C3114D646D229289B5670A0F99F99393A6F2B692EC5CF9CAB3
SSDEEP:	98304:Mb312s4I/KcuT0od2IblSN0PPD/BHzWin3iy:9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Application was injected by another process
  - explorer.exe (PID: 5492)
- Runs injected code in another process
  - ezezeww.exe (PID: 7500)
- Changes the autorun value in the registry
  - ezezeww.exe (PID: 7500)
  - vzycvcxx.exe (PID: 2236)
  - explorer.exe (PID: 5492)
- SVCSTEALER mutex has been found
  - vzycvcxx.exe (PID: 2236)
- AMADEY has been detected (YARA)
  - Gxtuum.exe (PID: 5236)
- Vulnerable driver has been detected
  - processhacker-2.39-setup.tmp (PID: 5392)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Flasher.exe (PID: 7148)
  - ezezeww.exe (PID: 7500)
  - vzycvcxx.exe (PID: 2236)
  - fdnwxcx.exe (PID: 5552)
  - processhacker-2.39-setup.exe (PID: 7284)
  - processhacker-2.39-setup.exe (PID: 3140)
  - processhacker-2.39-setup.tmp (PID: 5392)
- Process drops legitimate windows executable
  - Flasher.exe (PID: 7148)
  - vzycvcxx.exe (PID: 2236)
  - processhacker-2.39-setup.tmp (PID: 5392)
- Reads security settings of Internet Explorer
  - Flasher.exe (PID: 7148)
  - fdnwxcx.exe (PID: 5552)
  - Gxtuum.exe (PID: 5236)
  - processhacker-2.39-setup.tmp (PID: 1040)
  - ProcessHacker.exe (PID: 5936)
- The process creates files with name similar to system file names
  - vzycvcxx.exe (PID: 2236)
- Starts itself from another location
  - fdnwxcx.exe (PID: 5552)
- There is functionality for enable RDP (YARA)
  - Gxtuum.exe (PID: 5236)
- Found regular expressions for crypto-addresses (YARA)
  - vzycvcxx.exe (PID: 2236)
- There is functionality for taking screenshot (YARA)
  - Gxtuum.exe (PID: 5236)
- The process executes via Task Scheduler
  - Gxtuum.exe (PID: 660)
  - Gxtuum.exe (PID: 7548)
  - Gxtuum.exe (PID: 2088)
  - Gxtuum.exe (PID: 7676)
  - Gxtuum.exe (PID: 2772)
- Reads the Windows owner or organization settings
  - processhacker-2.39-setup.tmp (PID: 5392)
- Drops a system driver (possible attempt to evade defenses)
  - processhacker-2.39-setup.tmp (PID: 5392)
- Reads the date of Windows installation
  - Flasher.exe (PID: 7148)
INFO
- Checks supported languages
  - Flasher.exe (PID: 7148)
  - ezezeww.exe (PID: 7500)
  - vcpcjo.exe (PID: 4700)
  - fdnwxcx.exe (PID: 5552)
  - vzycvcxx.exe (PID: 2236)
  - Gxtuum.exe (PID: 5236)
  - Gxtuum.exe (PID: 660)
  - processhacker-2.39-setup.exe (PID: 7284)
  - processhacker-2.39-setup.tmp (PID: 5392)
  - processhacker-2.39-setup.tmp (PID: 1040)
  - processhacker-2.39-setup.exe (PID: 3140)
  - ProcessHacker.exe (PID: 5936)
  - Gxtuum.exe (PID: 2772)
- The sample compiled with english language support
  - Flasher.exe (PID: 7148)
  - vzycvcxx.exe (PID: 2236)
  - processhacker-2.39-setup.tmp (PID: 5392)
- Creates files or folders in the user directory
  - Flasher.exe (PID: 7148)
  - explorer.exe (PID: 5492)
- Reads the computer name
  - Flasher.exe (PID: 7148)
  - vcpcjo.exe (PID: 4700)
  - fdnwxcx.exe (PID: 5552)
  - Gxtuum.exe (PID: 5236)
  - processhacker-2.39-setup.tmp (PID: 1040)
  - processhacker-2.39-setup.tmp (PID: 5392)
  - ProcessHacker.exe (PID: 5936)
- Reads the machine GUID from the registry
  - ezezeww.exe (PID: 7500)
  - ProcessHacker.exe (PID: 5936)
- Creates files in the program directory
  - ezezeww.exe (PID: 7500)
  - vzycvcxx.exe (PID: 2236)
  - processhacker-2.39-setup.tmp (PID: 5392)
- Launch of the file from Registry key
  - ezezeww.exe (PID: 7500)
  - vzycvcxx.exe (PID: 2236)
  - explorer.exe (PID: 5492)
- Process checks computer location settings
  - Flasher.exe (PID: 7148)
  - fdnwxcx.exe (PID: 5552)
  - processhacker-2.39-setup.tmp (PID: 1040)
- Create files in a temporary directory
  - fdnwxcx.exe (PID: 5552)
  - processhacker-2.39-setup.exe (PID: 7284)
  - processhacker-2.39-setup.exe (PID: 3140)
  - processhacker-2.39-setup.tmp (PID: 5392)
- Checks proxy server information
  - explorer.exe (PID: 5492)
  - Gxtuum.exe (PID: 5236)
  - ProcessHacker.exe (PID: 5936)
  - slui.exe (PID: 1052)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 5492)
- Application launched itself
  - chrome.exe (PID: 900)
- Reads the software policy settings
  - slui.exe (PID: 3156)
  - ProcessHacker.exe (PID: 5936)
  - slui.exe (PID: 1052)
- Executable content was dropped or overwritten
  - chrome.exe (PID: 7932)
  - chrome.exe (PID: 900)
- Launch of the file from Downloads directory
  - chrome.exe (PID: 900)
- PROCESSHACKER mutex has been found
  - processhacker-2.39-setup.tmp (PID: 5392)
- Creates a software uninstall entry
  - processhacker-2.39-setup.tmp (PID: 5392)
- Reads Environment values
  - ProcessHacker.exe (PID: 5936)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Amadey

(PID) Process(5236) Gxtuum.exe

C2185.81.68.156

URLhttp://185.81.68.156/jb87ejvjdsS/index.php

Version5.30

Options

Drop directoryf917d25a84

Drop nameGxtuum.exe

Strings (125)2025

0000043f

S-%lu-

rundll32.exe

-%lu

og:

\App

AVG

ProductName

exe

SYSTEM\ControlSet001\Services\BasicDisplay\Video

WinDefender

f917d25a84

"taskkill /f /im "

<d>

\0000

av:

lv:

&unit=

ComputerName

GET

185.81.68.156

00000423

sd:

360TotalSecurity

random

Gxtuum.exe

5.30

Startup

SOFTWARE\Microsoft\Windows NT\CurrentVersion

Sophos

Programs

-executionpolicy remotesigned -File "

/jb87ejvjdsS/index.php

.jpg

cred.dll|clip.dll|

Comodo

rundll32

Powershell.exe

clip.dll

" && timeout 1 && del

%USERPROFILE%

pc:

------

Rem

:::

dm:

------

ar:

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

AVAST Software

Keyboard Layout\Preload

st=s

ProgramData\

?scr=1

cmd

Content-Disposition: form-data; name="data"; filename="

00000419

ps1

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Bitdefender

DefaultSettings.YResolution

vs:

+++

/Plugins/

" Content-Type: application/octet-stream

abcdefghijklmnopqrstuvwxyz0123456789-_

dll

Kaspersky Lab

id:

kernel32.dll

msi

&& Exit"

ESET

Panda Security

DefaultSettings.XResolution

00000422

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

http://

https://

/quiet

<c>

Content-Type: application/x-www-form-urlencoded

cred.dll

shutdown -s -t 0

CurrentBuild

shell32.dll

Content-Type: multipart/form-data; boundary=----

POST

GetNativeSystemInfo

2022

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

un:

-unicode-

2019

VideoID

Doctor Web

Avira

bi:

%-lu

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

os:

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

zip

Norton

Main

" && ren

2016

cmd /C RMDIR /s/q

0123456789

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (46.3)
.exe	\|	Win64 Executable (generic) (41)
.exe	\|	Win32 Executable (generic) (6.6)
.exe	\|	Generic Win/DOS Executable (2.9)
.exe	\|	DOS Executable Generic (2.9)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2025:03:20 13:28:25+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.4
CodeSize:	123392
InitializedDataSize:	1857024
UninitializedDataSize:	-
EntryPoint:	0x5f88
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.2.1.1
ProductVersionNumber:	3.1.1.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Software
FileDescription:	Software
FileVersion:	6.0.0.0
InternalName:	Software.exe
LegalCopyright:	(C) 2026
OriginalFileName:	Software.exe
ProductName:	Software
ProductVersion:	3.1.1.1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

177

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

660

"C:\Users\admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe"

C:\Users\admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe

—

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\f917d25a84\gxtuum.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

900

"C:\Program Files\Google\Chrome\Application\chrome.exe" "--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints"

C:\Program Files\Google\Chrome\Application\chrome.exe

explorer.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1040

"C:\Users\admin\AppData\Local\Temp\is-AU5IS.tmp\processhacker-2.39-setup.tmp" /SL5="$1E02C6,1874675,150016,C:\Users\admin\Downloads\processhacker-2.39-setup.exe"

C:\Users\admin\AppData\Local\Temp\is-AU5IS.tmp\processhacker-2.39-setup.tmp

—

processhacker-2.39-setup.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Setup/Uninstall

Exit code:

Version:

51.52.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-au5is.tmp\processhacker-2.39-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

1052

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1196

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

1660

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=6824 --field-trial-handle=1964,i,13739407978511101592,12239278288388752116,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2088

"C:\Users\admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe"

C:\Users\admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe

—

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\f917d25a84\gxtuum.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

2092

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4888 --field-trial-handle=1964,i,13739407978511101592,12239278288388752116,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2196

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2236

"C:\Users\admin\AppData\Roaming\vzycvcxx.exe"

C:\Users\admin\AppData\Roaming\vzycvcxx.exe

Flasher.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

System

Version:

6.0.0.1

Modules

Images
c:\users\admin\appdata\roaming\vzycvcxx.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

20 277

Read events

20 015

Write events

246

Delete events

Modification events


(PID) Process:	(7500) ezezeww.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\bbeecafdaeec
Operation:	write	Name:	CurrentPath
Value: C:\Users\admin\AppData\Roaming\ezezeww.exe
(PID) Process:	(7500) ezezeww.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	bbeecafdaeec
Value: "C:\ProgramData\bbeecafdaeec.exe"
(PID) Process:	(2236) vzycvcxx.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	SystemHandler
Value: C:\Users\admin\AppData\Roaming\vzycvcxx.exe
(PID) Process:	(2236) vzycvcxx.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	SystemHandler
Value: C:\ProgramData\svchost.exe
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	bbeecafdaeec
Value: "C:\Users\admin\AppData\Roaming\ezezeww.exe"
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\bbeecafdaeec
Operation:	write	Name:	CurrentPath
Value: C:\Users\admin\AppData\Roaming\ezezeww.exe
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	bbeecafdaeec
Value: "C:\ProgramData\bbeecafdaeec.exe"
(PID) Process:	(5236) Gxtuum.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:

Add for printing

Executable files

Suspicious files

317

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
900	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF120a78.TMP		—
		MD5:—	SHA256:—
900	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old~RF120a78.TMP		—
		MD5:—	SHA256:—
900	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old		—
		MD5:—	SHA256:—
900	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old		—
		MD5:—	SHA256:—
900	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF120a87.TMP		—
		MD5:—	SHA256:—
900	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old		—
		MD5:—	SHA256:—
900	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF120a87.TMP		—
		MD5:—	SHA256:—
900	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
900	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF120a97.TMP		—
		MD5:—	SHA256:—
900	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

125

DNS requests

118

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	2.20.245.139:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4776	svchost.exe	HEAD	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/aevtvjsxpcrwhjvp5w32fej6zq_9.56.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.56.0_all_acq3rupi4ymeq53so4pzqroatfea.crx3	unknown	—	—	whitelisted
4776	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/aevtvjsxpcrwhjvp5w32fej6zq_9.56.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.56.0_all_acq3rupi4ymeq53so4pzqroatfea.crx3	unknown	—	—	whitelisted
4776	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/aevtvjsxpcrwhjvp5w32fej6zq_9.56.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.56.0_all_acq3rupi4ymeq53so4pzqroatfea.crx3	unknown	—	—	whitelisted
4776	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/aevtvjsxpcrwhjvp5w32fej6zq_9.56.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.56.0_all_acq3rupi4ymeq53so4pzqroatfea.crx3	unknown	—	—	whitelisted
4776	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/aevtvjsxpcrwhjvp5w32fej6zq_9.56.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.56.0_all_acq3rupi4ymeq53so4pzqroatfea.crx3	unknown	—	—	whitelisted
4776	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/aevtvjsxpcrwhjvp5w32fej6zq_9.56.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.56.0_all_acq3rupi4ymeq53so4pzqroatfea.crx3	unknown	—	—	whitelisted
4776	svchost.exe	HEAD	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnnkihinmdlkakkaopbjbbcngflc_120.0.6050.0_all_dgzfpknn7v3zslsbhrwu6bt44e.crx3	unknown	—	—	whitelisted
4776	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnnkihinmdlkakkaopbjbbcngflc_120.0.6050.0_all_dgzfpknn7v3zslsbhrwu6bt44e.crx3	unknown	—	—	whitelisted
4776	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnnkihinmdlkakkaopbjbbcngflc_120.0.6050.0_all_dgzfpknn7v3zslsbhrwu6bt44e.crx3	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5608	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	2.20.245.139:80	crl.microsoft.com	Akamai International B.V.	SE	whitelisted
5496	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
3760	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3760	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
900	chrome.exe	239.255.255.250:1900	—	—	—	whitelisted
5492	explorer.exe	185.81.68.156:80	—	Chang Way Technologies Co. Limited	RU	malicious

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	2.20.245.139 2.20.245.137	whitelisted
www.microsoft.com	95.101.149.131 2.23.181.156	whitelisted
clientservices.googleapis.com	142.250.185.163	whitelisted
accounts.google.com	66.102.1.84	whitelisted
www.google.com	142.250.185.228 142.250.184.228	whitelisted
update.googleapis.com	172.217.18.3	whitelisted
encrypted-tbn0.gstatic.com	172.217.18.14	whitelisted
login.live.com	40.126.31.128 40.126.31.0 20.190.159.130 20.190.159.129 40.126.31.1 20.190.159.4 40.126.31.2 40.126.31.3	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Flasher.exe

7175D81D25F930437CBE872DA4D6146E

AFF6402B462E139B998E4AFC4CDEF7CDB246F788

9A3F94EB934151C3114D646D229289B5670A0F99F99393A6F2B692EC5CF9CAB3

98304:Mb312s4I/KcuT0od2IblSN0PPD/BHzWin3iy:9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was injected by another process

Runs injected code in another process

Changes the autorun value in the registry

SVCSTEALER mutex has been found

AMADEY has been detected (YARA)

Vulnerable driver has been detected

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

Reads security settings of Internet Explorer

The process creates files with name similar to system file names

Starts itself from another location

There is functionality for enable RDP (YARA)

Found regular expressions for crypto-addresses (YARA)

There is functionality for taking screenshot (YARA)

The process executes via Task Scheduler

Reads the Windows owner or organization settings

Drops a system driver (possible attempt to evade defenses)

Reads the date of Windows installation

INFO

Checks supported languages

The sample compiled with english language support

Creates files or folders in the user directory

Reads the computer name

Reads the machine GUID from the registry

Creates files in the program directory

Launch of the file from Registry key

Process checks computer location settings

Create files in a temporary directory

Checks proxy server information

Reads security settings of Internet Explorer

Application launched itself

Reads the software policy settings

Executable content was dropped or overwritten

Launch of the file from Downloads directory

PROCESSHACKER mutex has been found

Creates a software uninstall entry

Reads Environment values

Malware configuration

Amadey

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information