File name:	a625ed01ef1eb71929a9cccefe6ce056bef40e44b332f1f144cafe552af310a3
Full analysis:	https://app.any.run/tasks/f2be55f8-4594-40e2-93b1-c87a51f1997f
Verdict:	Malicious activity
Analysis date:	May 24, 2025, 23:37:15
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	confuser auto-startup
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows, 2 sections
MD5:	F0AA6259A6249EDC000EA1525EFBED27
SHA1:	14B2F93236AD2898CEF9951D27F602E929A79DC5
SHA256:	A625ED01EF1EB71929A9CCCEFE6CE056BEF40E44B332F1F144CAFE552AF310A3
SSDEEP:	24576:bSEbsw1EageTz5zrNsbhjvLnxI3Ma5SXV7uzaN/uzHDeeNpg80IQTG6BznHg:bSEbsQlgeTz5zrNsbhjvLxI3Ma5SXV7L

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2025:05:24 22:05:51+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	11
CodeSize:	634880
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x0000
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	2.0.0.1
ProductVersionNumber:	2.0.0.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	Windows 更新程序
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft Windows Update
FileVersion:	2.0.0.1
InternalName:	vcryx.exe
LegalCopyright:	Copyright © 2025 Microsoft Corporation
LegalTrademarks:	Microsoft Corporation
OriginalFileName:	vcryx.exe
ProductName:	VortexCryX
ProductVersion:	2.0.0.1
AssemblyVersion:	2.0.0.1


(PID) Process:	(7804) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System
Operation:	write	Name:	DisableCMD
Value: 2
(PID) Process:	(7804) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:	write	Name:	RestrictRun
Value: 1
(PID) Process:	(7804) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
Operation:	write	Name:	rundll32.exe
Value: rundll32.exe
(PID) Process:	(7804) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
Operation:	write	Name:	msedge.exe
Value: msedge.exe
(PID) Process:	(7804) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
Operation:	write	Name:	WeChat.exe
Value: WeChat.exe
(PID) Process:	(7804) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
Operation:	write	Name:	shutdown.exe
Value: shutdown.exe
(PID) Process:	(7804) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
Operation:	write	Name:	ReAgentc.exe
Value: ReAgentc.exe
(PID) Process:	(7804) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
Operation:	write	Name:	Rundl132.exe
Value: Rundl132.exe
(PID) Process:	(7804) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
Operation:	write	Name:	@Vortex_decryptor.exe
Value: @Vortex_decryptor.exe
(PID) Process:	(7804) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
Operation:	write	Name:	notepad.exe
Value: notepad.exe

PID	Process	Filename		Type
7976	ReAgentc.exe	C:\Windows\System32\Recovery\Winre.wim		—
		MD5:—	SHA256:—
7804	rundll32.exe	\Device\Harddisk0\DR0		—
		MD5:—	SHA256:—
7804	rundll32.exe	C:\Windows\System32\ntoskrnl.exe.crypt		—
		MD5:—	SHA256:—
7748	a625ed01ef1eb71929a9cccefe6ce056bef40e44b332f1f144cafe552af310a3.exe	C:\Windows\System32\vncy.dll		executable
		MD5:E3B6CC3C498BBDA9DAA79A6B13FDB3D4	SHA256:4DB7B61B130A3922C44FA0F7FE277FB5C0A13945E00133CF51CCD04FA8021B93
7804	rundll32.exe	C:\bin\AES_Key.bin		binary
		MD5:A6652D473AAB6709EDB42FC0D23DA7C4	SHA256:148D9EB5D082114668780F2E23000869DB3252FE71CA102595A5D3800DB8B010
7804	rundll32.exe	C:\bin\AES_Key.bin.Encrypt		binary
		MD5:1A06C3FF9B2F7E01E47E3C9D3367129E	SHA256:730F5AFAF095EA0014266459D7112ACED4A49A0DE25472E6205014234ABB0CC4
7748	a625ed01ef1eb71929a9cccefe6ce056bef40e44b332f1f144cafe552af310a3.exe	C:\vcry.dll		executable
		MD5:08BD5F30E2867DBA15155037FB7A6B68	SHA256:3B42AAA50154492DAF3DD9F925ECC8EE688F9F166105CFCACB87F921B170093E
7804	rundll32.exe	C:\Rundl132.exe		executable
		MD5:8A09DFD7C6659D7D8639D6EC8304941A	SHA256:087BBDBC253BB88B662717C7007881E370868074B5BD9323FE182E2E4D7FD67F
7804	rundll32.exe	C:\bin\mbr.bin.crypt		binary
		MD5:0C8B0ACCEB5F407B0A8B03951A44962D	SHA256:0DC40D5F9FAEE7A9914F07ECF52FF902A1F7C84F84953DBE33199E644FC83E8D
7976	ReAgentc.exe	C:\Windows\Logs\ReAgent\ReAgent.log		text
		MD5:45469FA2AC111A665DA56D93D709A791	SHA256:C208C80451526960CE8BA315C9F6F800AF92E0C7445AFD6337B64CAB7AF794AF

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	200	40.126.32.76:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
2104	svchost.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	400	20.190.160.128:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	40.126.32.76:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
2104	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	400	20.190.160.17:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	40.126.32.72:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	20.190.160.67:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	20.190.160.2:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	20.190.160.20:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2104	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
6544	svchost.exe	40.126.32.76:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
904	SIHClient.exe	4.175.87.197:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146	whitelisted
google.com	216.58.212.142	whitelisted
crl.microsoft.com	2.16.168.124 2.16.168.114 23.216.77.28 23.216.77.42 23.216.77.6	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.248	whitelisted
www.microsoft.com	95.101.149.131 23.35.229.160	whitelisted
login.live.com	40.126.32.76 20.190.160.14 20.190.160.22 20.190.160.65 40.126.32.133 20.190.160.17 40.126.32.138 20.190.160.2	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.111.229.48	whitelisted

General Info

a625ed01ef1eb71929a9cccefe6ce056bef40e44b332f1f144cafe552af310a3

F0AA6259A6249EDC000EA1525EFBED27

14B2F93236AD2898CEF9951D27F602E929A79DC5

A625ED01EF1EB71929A9CCCEFE6CE056BEF40E44B332F1F144CAFE552AF310A3

24576:bSEbsw1EageTz5zrNsbhjvLnxI3Ma5SXV7uzaN/uzHDeeNpg80IQTG6BznHg:bSEbsQlgeTz5zrNsbhjvLxI3Ma5SXV7L

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts CMD.EXE for self-deleting

UAC/LUA settings modification

Starts REAGENTC.EXE to disable the Windows Recovery Environment

Antivirus name has been found in the command line (generic signature)

Disables task manager

Changes the login/logoff helper path in the registry

Deletes shadow copies

Create files in the Startup directory

SUSPICIOUS

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Reads the date of Windows installation

Application launched itself

Creates file in the systems drive root

Executable content was dropped or overwritten

Uses RUNDLL32.EXE to load library

Starts CMD.EXE for commands execution

Uses TIMEOUT.EXE to delay execution

Executes as Windows Service

Takes ownership (TAKEOWN.EXE)

The process creates files with name similar to system file names

Uses ICACLS.EXE to modify access control lists

INFO

Reads the computer name

Checks supported languages

Process checks computer location settings

The sample compiled with chinese language support

Confuser has been detected (YARA)

Creates files in the program directory

Creates files or folders in the user directory

Auto-launch of the file from Startup directory

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests