| File name: | RedEye.exe |
| Full analysis: | https://app.any.run/tasks/22b87f69-71d7-4045-8260-ddee85a55eac |
| Verdict: | Malicious activity |
| Analysis date: | May 16, 2025, 16:28:20 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | E9E5596B42F209CC058B55EDC2737A80 |
| SHA1: | F30232697B3F54E58AF08421DA697262C99EC48B |
| SHA256: | 9AC9F207060C28972EDE6284137698CE0769E3695C7AD98AB320605D23362305 |
| SSDEEP: | 196608:+ahZ5qN3wvdJBiAv1hXx7jeeDt9/wGoyIu+sTvDmQONhL/LslAVyq8rZyA+TXtTa:+w6NAvPAA/Xx3eeDtTD+GDONhL/AlAVm |
MALICIOUS
Changes the autorun value in the registry
- RedEye.exe (PID: 6800)
Deletes shadow copies
- RedEye.exe (PID: 6800)
Disables Windows Defender
- RedEye.exe (PID: 6800)
Disables task manager
- RedEye.exe (PID: 6800)
UAC/LUA settings modification
- RedEye.exe (PID: 6800)
Disables the Run the Start menu
- RedEye.exe (PID: 6800)
Changes image file execution options
- RedEye.exe (PID: 6800)
SUSPICIOUS
Changes the desktop background image
- RedEye.exe (PID: 6800)
Creates file in the systems drive root
- RedEye.exe (PID: 6800)
Executable content was dropped or overwritten
- RedEye.exe (PID: 6800)
Uses NETSH.EXE to change the status of the firewall
- RedEye.exe (PID: 6800)
Executes as Windows Service
- VSSVC.exe (PID: 5380)
Reads security settings of Internet Explorer
- ShellExperienceHost.exe (PID: 4756)
- RedEye.exe (PID: 6800)
Reads the date of Windows installation
- RedEye.exe (PID: 6800)
The system shut down or reboot
- RedEye.exe (PID: 6800)
INFO
Checks supported languages
- RedEye.exe (PID: 6800)
- ShellExperienceHost.exe (PID: 4756)
Reads the computer name
- RedEye.exe (PID: 6800)
- ShellExperienceHost.exe (PID: 4756)
Reads the machine GUID from the registry
- RedEye.exe (PID: 6800)
Process checks computer location settings
- RedEye.exe (PID: 6800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (7.4) |
| .exe | | | Win32 Executable (generic) (5.1) |
| .exe | | | Generic Win/DOS Executable (2.2) |
| .exe | | | DOS Executable Generic (2.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:06:05 22:56:17+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 11 |
| CodeSize: | 10989056 |
| InitializedDataSize: | 109568 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xa7ccae |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | Windows Update |
| CompanyName: | - |
| FileDescription: | Windows Update |
| FileVersion: | 1.0.0.0 |
| InternalName: | RedEye.exe |
| LegalCopyright: | Copyright © 2018 |
| LegalTrademarks: | Windows Update |
| OriginalFileName: | RedEye.exe |
| ProductName: | Windows Update |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
146
Monitored processes
18
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 672 | vssadmin delete shadows /all /quiet | C:\Windows\System32\vssadmin.exe | — | RedEye.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 672 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | UCPDMgr.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2852 | "C:\Users\admin\AppData\Local\Temp\RedEye.exe" | C:\Users\admin\AppData\Local\Temp\RedEye.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Windows Update Exit code: 3221226540 Version: 1.0.0.0 Modules
| |||||||||||||||
| 3096 | "C:\Windows\System32\shutdown.exe" -r -t 00 -f | C:\Windows\System32\shutdown.exe | — | RedEye.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Shutdown and Annotation Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3332 | NetSh Advfirewall set allprofiles state off | C:\Windows\System32\netsh.exe | — | RedEye.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4008 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | netsh.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4488 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4652 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | vssadmin.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4756 | "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Shell Experience Host Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4944 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | vssadmin.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
3 633
Read events
3 535
Write events
98
Delete events
0
Modification events
| (PID) Process: | (6800) RedEye.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Windows Update |
Value: C:\Users\admin\AppData\Local\Temp\RedEye.exe | |||
| (PID) Process: | (6800) RedEye.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Windows Update |
Value: C:\Users\admin\AppData\Local\Temp\RedEye.exe | |||
| (PID) Process: | (6800) RedEye.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Windows Update |
Value: C:\Users\admin\AppData\Local\Temp\RedEye.exe | |||
| (PID) Process: | (6800) RedEye.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableAntiSpyware |
Value: 1 | |||
| (PID) Process: | (6800) RedEye.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableRoutinelyTakingAction |
Value: 1 | |||
| (PID) Process: | (6800) RedEye.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
| Operation: | write | Name: | WindowsDefenderMAJ |
Value: 1 | |||
| (PID) Process: | (6800) RedEye.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
| Operation: | write | Name: | WindowsDefenderMAJ |
Value: 1 | |||
| (PID) Process: | (6800) RedEye.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script Host\Settings |
| Operation: | write | Name: | Enabled |
Value: 0 | |||
| (PID) Process: | (6800) RedEye.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings |
| Operation: | write | Name: | Enabled |
Value: 0 | |||
| (PID) Process: | (6800) RedEye.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore |
| Operation: | write | Name: | DisableSR |
Value: 1 | |||
Executable files
2
Suspicious files
0
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6800 | RedEye.exe | C:\redeyebmp.bmp | — | |
MD5:— | SHA256:— | |||
| 6800 | RedEye.exe | C:\Users\admin\Documents\beafrica.rtf.RedEye | — | |
MD5:— | SHA256:— | |||
| 6800 | RedEye.exe | C:\Users\admin\Documents\casesking.rtf.RedEye | — | |
MD5:— | SHA256:— | |||
| 6800 | RedEye.exe | C:\Users\admin\Documents\Database1.accdb.RedEye | — | |
MD5:— | SHA256:— | |||
| 6800 | RedEye.exe | C:\Users\admin\Documents\labeloperation.rtf.RedEye | — | |
MD5:— | SHA256:— | |||
| 6800 | RedEye.exe | C:\Users\admin\Documents\partysimple.rtf.RedEye | — | |
MD5:— | SHA256:— | |||
| 6800 | RedEye.exe | C:\Users\admin\Documents\robertcontent.rtf.RedEye | — | |
MD5:— | SHA256:— | |||
| 6800 | RedEye.exe | C:\Users\admin\Documents\schedulepoints.rtf.RedEye | — | |
MD5:— | SHA256:— | |||
| 6800 | RedEye.exe | C:\Users\admin\Pictures\bottomput.png.RedEye | — | |
MD5:— | SHA256:— | |||
| 6800 | RedEye.exe | C:\Users\admin\Pictures\informationfunds.jpg.RedEye | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
37
DNS requests
6
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6544 | svchost.exe | 40.126.32.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3812 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
2292 | svchost.exe | 239.255.255.250:3702 | — | — | — | whitelisted |
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |