File name: mtk.exe

Full analysis: https://app.any.run/tasks/402c4286-c3db-4a4e-a659-3b527dfe9693
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: October 25, 2023, 04:40:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
evasion
upatre
trojan
amadey
botnet
stealer
ransomware
teslacrypt
keylogger
cerber
apt
strongpity
plugx
sinkhole
fareit
pony
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5: 0F9599D3DDF1E0C8F818D384EE8D0D19
SHA1: 2CA17AEF38DF0C00EFA49B4B448C5F8343725C2F
SHA256: A98AEC4A39F5F5EE41280CB17D9B4B5E9BC1EEA2FB2FF0D7A962E2B74464D67C
SSDEEP: 98304:YkiQ73BKa7wm47Q5oPHUBIcdffsJjkGZ/U1E1J1J1g1HtvEpoAdIo:o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257.exe.exe (PID: 2744)
      • 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe (PID: 1936)
      • 03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe (PID: 1088)
      • 0468127a19daf4c7bc41015c5640fe1f.exe.exe (PID: 2692)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 2956)
      • 07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe (PID: 792)
      • 05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83.exe.exe (PID: 1844)
      • 0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300.exe.exe (PID: 3068)
      • 084a220ba90622cc223b93f32130e9f2d072679f66d1816775bf14832d492b8a.exe.exe (PID: 1192)
      • 08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2.exe.exe (PID: 1200)
      • 0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776.exe.exe (PID: 2344)
      • 0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2.exe.exe (PID: 2684)
      • utilview.exe (PID: 2800)
      • 2a3b92f6180367306d750e59c9b6446b.exe.exe (PID: 936)
      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe.exe (PID: 3056)
      • utilview.exe (PID: 3116)
      • 388f5bc2f088769b361dfe8a45f0d5237c4580b287612422a03babe6994339ff.exe.exe (PID: 3968)
      • ywpnarg.exe (PID: 4020)
      • gbudn.exe (PID: 2464)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 2936)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 944)
      • hrss.exe (PID: 3588)
      • lphsi.exe (PID: 2328)
      • 6b91fdb0992ca029c913092db7b4fd94c917c1473953d1ec77c74d030776fe9a.exe.exe (PID: 2980)
    • Drops the executable file immediately after the start

      • 08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2.exe.exe (PID: 1200)
      • 05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83.exe.exe (PID: 1844)
      • 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe (PID: 1936)
      • mtk.exe (PID: 2968)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 2956)
      • 2a3b92f6180367306d750e59c9b6446b.exe.exe (PID: 936)
      • 0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2.exe.exe (PID: 2684)
      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe.exe (PID: 3056)
      • 3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe (PID: 3560)
      • 6b91fdb0992ca029c913092db7b4fd94c917c1473953d1ec77c74d030776fe9a.exe.exe (PID: 2980)
      • ywpnarg.exe (PID: 4020)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 944)
      • 75b30164a31d305f47f2c3c2121432e6d7b316cfb3deb6b39f78180168bc9472.exe.exe (PID: 2772)
      • 73ebf8c9571f00c9923c87e7442f3d9132627163c5a64e40ad4eb1a1f2266de9.exe.exe (PID: 2616)
      • 773635768e738bec776dfd7504164b3596e5eee344757dd1ac9a1ad19b452c86.exe.exe (PID: 3464)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe.exe (PID: 2876)
      • 9b3c6fd39b2809e388255c5651953251920c5c7d5e77da1070ab3c127e8bdc11.exe.exe (PID: 5568)
      • 3b4497c7f8c89bf22c984854ac7603573a53b95ed147e80c0f19e549e2b65693.exe.exe (PID: 3712)
      • 9c17f267f79597ee01515f5ef925375d8a19844830cc46917a3d1b5bcb0ba4c3.exe.exe (PID: 5764)
      • 6072a303039b032f1b3b0e596a3eb9a35568cef830a18404c18bb4fffef86fba.exe.exe (PID: 3240)
      • a3667153a6322fb8d4cf8869c094a05e995e2954fda833fe14304837ed4fd0bd.exe.exe (PID: 5628)
      • 8a0c95be8a40ae5419f7d97bb3e91b2b.exe.exe (PID: 1632)
      • AAA._xe.exe (PID: 5604)
      • Gadget.exe (PID: 4192)
      • blanca de nieve.scr.exe (PID: 4608)
      • C116CD083284CC599C024C3479CA9B70_2.tmp_.exe (PID: 6624)
      • c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe.exe (PID: 4448)
      • cf65cc6e4b2b0c3f602b16398c8c30c277b8cfaed689fe7cb61b92560d4e5b1b.exe.exe (PID: 4820)
      • bea95bebec95e0893a845f62e832d7cf.exe.ViR.exe (PID: 3620)
      • 3_4.exe.exe (PID: 1396)
      • ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe.exe (PID: 5456)
      • b81b10bdf4f29347979ea8a1715cbfc560e3452ba9fffcc33cd19a3dc47083a4.exe.exe (PID: 5512)
      • c7128e2772b4f8c59943028e205d1b23c07f36206c1c61a05645c7bf143b24ee.exe.exe (PID: 6492)
      • e1d852f2ea8436ac33bc8fe200aca4af4fb15f33ecda6441741589daa44115c5.exe.exe (PID: 6584)
      • e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe.exe (PID: 4272)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe (PID: 6428)
      • Dustman.exe.exe (PID: 4040)
      • FLASH829.EXE.exe (PID: 11120)
      • E906FA3D51E86A61741B3499145A114E9BFB7C56.exe.exe (PID: 13404)
      • amstvhs.exe (PID: 1136)
    • Steals credentials from Web Browsers

      • 301210D5557D9BA34F401D3EF7A7276F.exe.exe (PID: 2004)
    • Deletes shadow copies

      • ywpnarg.exe (PID: 4020)
      • 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe (PID: 3564)
    • Uses Task Scheduler to run other applications

      • gbudn.exe (PID: 2464)
    • Application was injected by another process

      • WerFault.exe (PID: 3344)
      • WerFault.exe (PID: 3340)
      • WerFault.exe (PID: 3348)
      • WerFault.exe (PID: 4240)
    • Actions look like stealing of personal data

      • 301210D5557D9BA34F401D3EF7A7276F.exe.exe (PID: 2004)
    • Creates a writable file in the system directory

      • wusa.exe (PID: 4040)
    • Starts NET.EXE for service management

      • 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe (PID: 3564)
      • net.exe (PID: 1512)
      • net.exe (PID: 2120)
      • net.exe (PID: 2084)
      • net.exe (PID: 4572)
      • net.exe (PID: 3920)
      • net.exe (PID: 4980)
      • net.exe (PID: 1168)
      • net.exe (PID: 4796)
      • net.exe (PID: 4416)
      • net.exe (PID: 2980)
      • net.exe (PID: 4640)
      • net.exe (PID: 4896)
      • net.exe (PID: 4380)
      • net.exe (PID: 2360)
      • net.exe (PID: 4820)
      • net.exe (PID: 5088)
      • net.exe (PID: 4120)
      • net.exe (PID: 2804)
      • net.exe (PID: 648)
      • net.exe (PID: 4528)
      • net.exe (PID: 3540)
      • net.exe (PID: 3688)
      • net.exe (PID: 4276)
      • net.exe (PID: 3988)
      • net.exe (PID: 4424)
      • net.exe (PID: 1268)
      • net.exe (PID: 3104)
    • Starts CMD.EXE for self-deleting

      • 5a765351046fea1490d20f25.exe.exe (PID: 3824)
      • 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe (PID: 3564)
    • UPATRE was detected

      • utilview.exe (PID: 3116)
      • 40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe (PID: 3804)
      • wovoletir.exe (PID: 5564)
    • AMADEY has been detected (YARA)

      • gbudn.exe (PID: 2464)
    • AMADEY was detected

      • gbudn.exe (PID: 2464)
    • Connects to the CnC server

      • gbudn.exe (PID: 2464)
  • SUSPICIOUS

    • Reads the Internet Settings

      • mtk.exe (PID: 2968)
      • 2a3b92f6180367306d750e59c9b6446b.exe.exe (PID: 936)
      • utilview.exe (PID: 3116)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 2956)
      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe.exe (PID: 3056)
      • gbudn.exe (PID: 2464)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 2936)
      • 40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe (PID: 3804)
      • ywpnarg.exe (PID: 4020)
    • Reads settings of System Certificates

      • mtk.exe (PID: 2968)
    • Process drops legitimate windows executable

      • mtk.exe (PID: 2968)
      • AAA._xe.exe (PID: 5604)
      • svchost.exe (PID: 3516)
      • svchost.exe (PID: 3380)
      • blanca de nieve.scr.exe (PID: 4608)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe (PID: 6428)
      • FLASH829.EXE.exe (PID: 11120)
    • Creates executable files that already exist in Windows

      • mtk.exe (PID: 2968)
    • The process creates files with name similar to system file names

      • mtk.exe (PID: 2968)
    • Executing commands from a ".bat" file

      • 08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2.exe.exe (PID: 1200)
      • 9c17f267f79597ee01515f5ef925375d8a19844830cc46917a3d1b5bcb0ba4c3.exe.exe (PID: 5764)
      • 9b3c6fd39b2809e388255c5651953251920c5c7d5e77da1070ab3c127e8bdc11.exe.exe (PID: 5568)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe (PID: 6428)
      • 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe (PID: 3564)
      • GrayFish_9B1CA66AAB784DC5F1DFE635D8F8A904.exe.exe (PID: 10212)
      • 301210D5557D9BA34F401D3EF7A7276F.exe.exe (PID: 2004)
    • Starts CMD.EXE for commands execution

      • 08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2.exe.exe (PID: 1200)
      • 05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83.exe.exe (PID: 1844)
      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe.exe (PID: 3056)
      • 03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe (PID: 1088)
      • 07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe (PID: 792)
      • 1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908.exe.exe (PID: 3036)
      • 30196c83a1f857d36fde160d55bd4e5b5d50fbb082bd846db295cbe0f9d35cfb.exe.exe (PID: 2952)
      • 6b91fdb0992ca029c913092db7b4fd94c917c1473953d1ec77c74d030776fe9a.exe.exe (PID: 2980)
      • 5663b2d4a4aec55d5d6fb507e3fdcb92ffc978d411de68b084c37f86af6d2e19.exe.exe (PID: 3080)
      • 50414f60d7e24d25f9ebb68f99d67a46e8b12458474ac503b6e0d0562075a985.exe.exe (PID: 584)
      • 52cb02da0462fdd08d537b2c949e2e252f7a7a88354d596e9f5c9f1498d1c68f.exe.exe (PID: 2848)
      • 773635768e738bec776dfd7504164b3596e5eee344757dd1ac9a1ad19b452c86.exe.exe (PID: 3464)
      • 5d491ea5705e90c817cf0f5211c9edbcd5291fe8bd4cc69cdb58e8d0e6b6d1fe.exe.exe (PID: 3260)
      • 388f5bc2f088769b361dfe8a45f0d5237c4580b287612422a03babe6994339ff.exe.exe (PID: 3968)
      • 3bedb4bdb17718fda1edd1a8fa4289dc61fdda598474b5648414e4565e88ecd5.exe.exe (PID: 3520)
      • 5a765351046fea1490d20f25.exe.exe (PID: 3824)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe.exe (PID: 2876)
      • 9b3c6fd39b2809e388255c5651953251920c5c7d5e77da1070ab3c127e8bdc11.exe.exe (PID: 5568)
      • 9c17f267f79597ee01515f5ef925375d8a19844830cc46917a3d1b5bcb0ba4c3.exe.exe (PID: 5764)
      • a3667153a6322fb8d4cf8869c094a05e995e2954fda833fe14304837ed4fd0bd.exe.exe (PID: 5628)
      • a98099541168c7f36b107e24e9c80c9125fefb787ae720799b03bb4425aba1a9.exe.exe (PID: 4468)
      • c7128e2772b4f8c59943028e205d1b23c07f36206c1c61a05645c7bf143b24ee.exe.exe (PID: 6492)
      • bc12d7052e6cfce8f16625ca8b88803cd4e58356eb32fe62667336d4dee708a3.exe.exe (PID: 6744)
      • bdef2ddcd8d4d66a42c9cbafd5cf7d86c4c0e3ed8c45cc734742c5da2fb573f7.exe.exe (PID: 7144)
      • e1d852f2ea8436ac33bc8fe200aca4af4fb15f33ecda6441741589daa44115c5.exe.exe (PID: 6584)
      • dea53e331d3b9f21354147f60902f6e132f06183ed2f4a28e67816f9cb140a90.exe.exe (PID: 7068)
      • e2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747.exe.exe (PID: 7352)
      • 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe (PID: 3564)
      • Dustman.exe.exe (PID: 4040)
      • d8fdcdaad652c19f4f4676cd2f89ae834dbc19e2759a206044b18601875f2726.exe.exe (PID: 6184)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe (PID: 6428)
      • E906FA3D51E86A61741B3499145A114E9BFB7C56.exe.exe (PID: 13404)
      • GrayFish_9B1CA66AAB784DC5F1DFE635D8F8A904.exe.exe (PID: 10212)
      • 301210D5557D9BA34F401D3EF7A7276F.exe.exe (PID: 2004)
      • fc085d9be18f3d8d7ca68fbe1d9e29abbe53e7582453f61a9cd65da06961f751.exe.exe (PID: 9040)
    • Application launched itself

      • utilview.exe (PID: 2800)
      • 3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe (PID: 288)
      • 40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe (PID: 3544)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 2936)
      • syhonay.exe (PID: 3108)
      • 5a765351046fea1490d20f25.exe.exe (PID: 3156)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe.exe (PID: 2816)
      • 73ebf8c9571f00c9923c87e7442f3d9132627163c5a64e40ad4eb1a1f2266de9.exe.exe (PID: 3456)
      • wovoletir.exe (PID: 4316)
      • amstvhs.exe (PID: 4836)
      • a98099541168c7f36b107e24e9c80c9125fefb787ae720799b03bb4425aba1a9.exe.exe (PID: 4468)
      • E906FA3D51E86A61741B3499145A114E9BFB7C56.exe.exe (PID: 7580)
      • e2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747.exe.exe (PID: 7352)
      • eefa052da01c3faa1d1f516ddfefa8ceb8a5185bb9b5368142ffdf839aea4506.exe.exe (PID: 8672)
      • e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe.exe (PID: 11176)
      • c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe.exe (PID: 4500)
    • Starts itself from another location

      • 2a3b92f6180367306d750e59c9b6446b.exe.exe (PID: 936)
      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe.exe (PID: 3056)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 2956)
      • 3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe (PID: 3560)
      • 73ebf8c9571f00c9923c87e7442f3d9132627163c5a64e40ad4eb1a1f2266de9.exe.exe (PID: 2616)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe.exe (PID: 2876)
      • 8a0c95be8a40ae5419f7d97bb3e91b2b.exe.exe (PID: 1632)
      • Gadget.exe (PID: 4192)
      • 3_4.exe.exe (PID: 1396)
      • c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe.exe (PID: 4448)
      • e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe.exe (PID: 4272)
      • E906FA3D51E86A61741B3499145A114E9BFB7C56.exe.exe (PID: 13404)
    • Searches for installed software

      • 301210D5557D9BA34F401D3EF7A7276F.exe.exe (PID: 2004)
    • The process executes via Task Scheduler

      • FlashUpdate.exe (PID: 5052)
      • 3cb477.exe (PID: 8264)
      • gbudn.exe (PID: 14240)
    • Uses TASKKILL.EXE to kill process

      • 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe (PID: 3564)
    • The process executes JS scripts

      • afa8d185de2f357082ed4042fc057a6d7300f603d3bfdbe7e6c351868e45e477.exe.exe (PID: 5316)
    • Writes files like Keylogger logs

      • ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe.exe (PID: 5456)
    • Uses ATTRIB.EXE to modify file attributes

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe (PID: 6428)
    • Uses ICACLS.EXE to modify access control lists

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe (PID: 6428)
    • Drops a system driver (possible attempt to evade defenses)

      • Dustman.exe.exe (PID: 4040)
    • Connects to unusual port

      • utilview.exe (PID: 3116)
      • 8390e210162d9b14d5b0b1ef9746c16853aa2d29d1dfc4eab6a051885e0333ed.exe.exe (PID: 4280)
    • Checks for external IP

      • utilview.exe (PID: 3116)
      • 40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe (PID: 3804)
      • wovoletir.exe (PID: 5564)
    • Connects to the server without a host name

      • 75b30164a31d305f47f2c3c2121432e6d7b316cfb3deb6b39f78180168bc9472.exe.exe (PID: 2772)
      • FlashUpdate.exe (PID: 5052)
    • Process requests binary or script from the Internet

      • 75b30164a31d305f47f2c3c2121432e6d7b316cfb3deb6b39f78180168bc9472.exe.exe (PID: 2772)
      • FlashUpdate.exe (PID: 5052)
    • Starts notepad (likely ransomware note)

      • 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe (PID: 3564)
  • INFO

    • Checks proxy server information

      • mtk.exe (PID: 2968)
      • utilview.exe (PID: 3116)
      • 40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe (PID: 3804)
      • gbudn.exe (PID: 2464)
      • ywpnarg.exe (PID: 4020)
    • Checks supported languages

      • mtk.exe (PID: 2968)
      • 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe (PID: 1936)
      • 01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257.exe.exe (PID: 2744)
      • 03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe (PID: 1088)
      • 0468127a19daf4c7bc41015c5640fe1f.exe.exe (PID: 2692)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 2956)
      • 05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83.exe.exe (PID: 1844)
      • 08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2.exe.exe (PID: 1200)
      • 084a220ba90622cc223b93f32130e9f2d072679f66d1816775bf14832d492b8a.exe.exe (PID: 1192)
      • 0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300.exe.exe (PID: 3068)
      • 0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776.exe.exe (PID: 2344)
      • 07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe (PID: 792)
      • lphsi.exe (PID: 2328)
      • hrss.exe (PID: 3588)
      • dw20.exe (PID: 3452)
      • 1003.exe.exe (PID: 2400)
      • utilview.exe (PID: 3116)
      • 323CANON.EXE_WORM_VOBFUS.SM01.exe (PID: 1696)
      • gbudn.exe (PID: 2464)
      • 23eeb35780faf868a7b17b8e8da364d71bae0e46c1ababddddddecbdbd2c2c64.exe.exe (PID: 2388)
      • 388f5bc2f088769b361dfe8a45f0d5237c4580b287612422a03babe6994339ff.exe.exe (PID: 3968)
      • 1002.exe.exe (PID: 844)
      • ywpnarg.exe (PID: 4020)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 2936)
      • 20240431d6eb6816453651b58b37f53950fcc3f0929813806525c5fd97cdc0e1.exe.exe (PID: 1208)
      • 3b4497c7f8c89bf22c984854ac7603573a53b95ed147e80c0f19e549e2b65693.exe.exe (PID: 3712)
      • 3bedb4bdb17718fda1edd1a8fa4289dc61fdda598474b5648414e4565e88ecd5.exe.exe (PID: 3520)
      • 3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe (PID: 288)
      • 3_4.exe.exe (PID: 1396)
      • 40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe (PID: 3544)
      • 48b1024f599c3184a49c0d66c5600385265b9868d0936134185326e2db0ab441.exe.exe (PID: 3912)
      • 3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe (PID: 3560)
      • 40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe (PID: 3804)
      • syhonay.exe (PID: 3108)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe.exe (PID: 2816)
      • 50414f60d7e24d25f9ebb68f99d67a46e8b12458474ac503b6e0d0562075a985.exe.exe (PID: 584)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 944)
      • 5663b2d4a4aec55d5d6fb507e3fdcb92ffc978d411de68b084c37f86af6d2e19.exe.exe (PID: 3080)
      • 589af04a85dc66ec6b94123142a17cf194decd61f5d79e76183db026010e0d31.exe.exe (PID: 4092)
      • 5a310669920099cd51f82bc9eb5459e9889b6357a21f7ce95ac961e053c79acb.exe.exe (PID: 3784)
      • 5a765351046fea1490d20f25.exe.exe (PID: 3156)
      • 52cb02da0462fdd08d537b2c949e2e252f7a7a88354d596e9f5c9f1498d1c68f.exe.exe (PID: 2848)
      • syhonay.exe (PID: 1848)
      • 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe (PID: 3564)
    • Reads the machine GUID from the registry

      • mtk.exe (PID: 2968)
      • 01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257.exe.exe (PID: 2744)
      • 20240431d6eb6816453651b58b37f53950fcc3f0929813806525c5fd97cdc0e1.exe.exe (PID: 1208)
      • 2094d105ec70aa98866a83b38a22614cff906b2cf0a08970ed59887383ee7b70.exe.exe (PID: 2884)
      • 1003.exe.exe (PID: 2400)
      • utilview.exe (PID: 3116)
      • 1002.exe.exe (PID: 844)
      • 40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe (PID: 3804)
      • gbudn.exe (PID: 2464)
      • ywpnarg.exe (PID: 4020)
    • Reads the computer name

      • mtk.exe (PID: 2968)
      • 01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257.exe.exe (PID: 2744)
      • 084a220ba90622cc223b93f32130e9f2d072679f66d1816775bf14832d492b8a.exe.exe (PID: 1192)
      • 0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300.exe.exe (PID: 3068)
      • 0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776.exe.exe (PID: 2344)
      • 20240431d6eb6816453651b58b37f53950fcc3f0929813806525c5fd97cdc0e1.exe.exe (PID: 1208)
      • lphsi.exe (PID: 2328)
      • 2a3b92f6180367306d750e59c9b6446b.exe.exe (PID: 936)
      • utilview.exe (PID: 3116)
      • 1003.exe.exe (PID: 2400)
      • dw20.exe (PID: 3452)
      • gbudn.exe (PID: 2464)
      • hrss.exe (PID: 3588)
      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe.exe (PID: 3056)
      • 1002.exe.exe (PID: 844)
      • 301210D5557D9BA34F401D3EF7A7276F.exe.exe (PID: 2004)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 2936)
      • 3_4.exe.exe (PID: 1396)
      • 323CANON.EXE_WORM_VOBFUS.SM01.exe (PID: 1696)
      • 30196c83a1f857d36fde160d55bd4e5b5d50fbb082bd846db295cbe0f9d35cfb.exe.exe (PID: 2952)
      • 3bedb4bdb17718fda1edd1a8fa4289dc61fdda598474b5648414e4565e88ecd5.exe.exe (PID: 3520)
      • 3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe (PID: 288)
      • 388f5bc2f088769b361dfe8a45f0d5237c4580b287612422a03babe6994339ff.exe.exe (PID: 3968)
      • ywpnarg.exe (PID: 4020)
      • 40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe (PID: 3544)
      • 03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe (PID: 1088)
      • 40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe (PID: 3804)
      • 3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe (PID: 3560)
      • 07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe (PID: 792)
      • syhonay.exe (PID: 1848)
    • Creates files in a temporary directory

      • mtk.exe (PID: 2968)
      • 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe (PID: 1936)
      • 05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83.exe.exe (PID: 1844)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 2956)
      • 08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2.exe.exe (PID: 1200)
      • lphsi.exe (PID: 2328)
      • 3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe (PID: 3560)
    • Dropped object may contain TOR URLs

      • mtk.exe (PID: 2968)
      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe.exe (PID: 3056)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe (PID: 6428)
      • amstvhs.exe (PID: 1136)
    • Reads Environment values

      • 0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776.exe.exe (PID: 2344)
      • 03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe (PID: 1088)
      • 07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe (PID: 792)
    • Creates files in the program directory

      • 2a3b92f6180367306d750e59c9b6446b.exe.exe (PID: 936)
      • 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe (PID: 944)
      • gbudn.exe (PID: 2464)
    • Creates files or folders in the user directory

      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe.exe (PID: 3056)
      • 1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908.exe.exe (PID: 3036)
      • utilview.exe (PID: 3116)
      • 03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe (PID: 1088)
      • 30196c83a1f857d36fde160d55bd4e5b5d50fbb082bd846db295cbe0f9d35cfb.exe.exe (PID: 2952)
      • 40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe (PID: 3804)
      • ywpnarg.exe (PID: 4020)
    • Drops the executable file immediately after the start

      • wusa.exe (PID: 4040)
      • iexplore.exe (PID: 2236)
      • svchost.exe (PID: 3516)
      • svchost.exe (PID: 3380)
      • svchost.exe (PID: 6768)
    • Reads product name

      • 03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe (PID: 1088)
      • 07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe (PID: 792)
    • Application launched itself

      • iexplore.exe (PID: 2236)
    • The dropped object may contain a URL to Tor Browser

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe (PID: 6428)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:10:25 00:55:01+02:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.37
CodeSize: 2556928
InitializedDataSize: 1432064
UninitializedDataSize: -
EntryPoint: 0x2659dc
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 529
Monitored processes: 373
Malicious processes: 43
Suspicious processes: 19

Behavior graph

[Interactive process tree rendered only in the full report. Nodes tagged by the sandbox: #UPATRE utilview.exe, #UPATRE 40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe, #AMADEY gbudn.exe. Edge labels in the graph: "drop and start", "start", "inject".]
specs net1.exe no specs vssadmin.exe no specs net1.exe no specs vssadmin.exe no specs net1.exe no specs vssadmin.exe no specs vssadmin.exe no specs net1.exe no specs a0d82c3730bc41e267711480c8009883d1412b68977ab175421eabc34e4ef355.exe.exe no specs cmd.exe no specs a3667153a6322fb8d4cf8869c094a05e995e2954fda833fe14304837ed4fd0bd.exe.exe no specs vssadmin.exe no specs net1.exe no specs #UPATRE wovoletir.exe a38df3ec8b9fe52a32860cf5756d2fe345badafd7e74466cd349eb32ba5cc339.exe.exe cmd.exe no specs vssadmin.exe no specs a6ff8dfe654da70390cd71626cdca8a6f6a0d7980cd7d82269373737b04fd206.exe.exe no specs vssadmin.exe no specs net1.exe no specs net1.exe no specs werfault.exe a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0.exe.exe no specs net1.exe no specs net1.exe no specs a7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392.exe.exe no specs vssadmin.exe no specs net1.exe no specs a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe.exe.exe no specs net1.exe no specs vssadmin.exe no specs a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118.exe.exe no specs vssadmin.exe no specs net1.exe no specs net1.exe no specs a98099541168c7f36b107e24e9c80c9125fefb787ae720799b03bb4425aba1a9.exe.exe no specs cmd.exe no specs xadi.exe no specs vssadmin.exe no specs aaa._xe.exe no specs cmd.exe no specs vssadmin.exe no specs abba_-_happy_new_year_zaycev_net.exe.exe no specs vssadmin.exe no specs vssadmin.exe no specs ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa.exe.exe no specs aed230b6b772aeb5c25e9336086e9dd4d6081d3efc205f9f9214b51f2f8c3655.exe.exe no specs aedd0c47daa35f291e670e3feadaed11d9b8fe12c05982f16c909a57bf39ca35.exe.exe no specs afa8d185de2f357082ed4042fc057a6d7300f603d3bfdbe7e6c351868e45e477.exe.exe no specs agent.exe.exe ardamaxkeylogger_e33af9e602cbb7ac3634c2608150dd18.exe.exe no specs svchost.exe no specs avatar_rootkit_netbotnet_32d6644c5ea66e390070d3dc3401e54b_unpacked.exe.exe no specs svchost.exe no 
specs lphsi.exe no specs hrss.exe no specs b06ab1f3abf8262f32c3deab9d344d241e4203235043fe996cb499ed2fdf17c4.exe.exe no specs explorer.exe no specs b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047.exe.exe no specs b14299fd4d1cbfb4cc7486d978398214.exe.exe no specs b154ac015c0d1d6250032f63c749f9cf.exe.exe no specs b275c8978d18832bd3da9975d0f43cbc90e09a99718f4efaf1be7b43db46cf95.exe.exe no specs b2ca4093b2e0271cb7a3230118843fccc094e0160a0968994ed9f10c8702d867.exe.exe no specs explorer.exe no specs b7f36159aec7f3512e00bfa8aa189cbb97f9cc4752a635bc272c7a5ac1710e0b.exe.exe b81b10bdf4f29347979ea8a1715cbfc560e3452ba9fffcc33cd19a3dc47083a4.exe.exe no specs cscript.exe no specs b96bd6bbf0e3f4f98b606a2ab5db4a69.exe.exe no specs bac8489de573f614d988097e9eae53ffc2eb4e7dcb0e68c349f549a26d2130a8.exe.exe no specs backdoor.msil.tyupkin.a.vir.exe no specs backdoor.msil.tyupkin.c.vir.exe no specs backdoor.win32.tyupkin.c2.vir.exe no specs backdoor.win32.tyupkin.d.vir.exe no specs backdoor.win32.tyupkin.h.exe.vir.exe no specs bc12d7052e6cfce8f16625ca8b88803cd4e58356eb32fe62667336d4dee708a3.exe.exe no specs bdef2ddcd8d4d66a42c9cbafd5cf7d86c4c0e3ed8c45cc734742c5da2fb573f7.exe.exe no specs bea95bebec95e0893a845f62e832d7cf.exe.vir.exe no specs amstvhs.exe no specs bed0bec3d123e7611dc3d722813eeb197a2b8048396cef4414f29f24af3a29c4.exe.exe no specs blanca de nieve.scr.exe no specs c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe.exe no specs c116cd083284cc599c024c3479ca9b70_2.tmp_.exe no specs c1e5dae72a51a7b7219346c4a360d867.exe.exe no specs c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe.exe no specs c4762489488f797b4b33382c8b1b71c94a42c846f1f28e0e118c83fe032848f0.exe.exe no specs gadget.exe no specs c7128e2772b4f8c59943028e205d1b23c07f36206c1c61a05645c7bf143b24ee.exe.exe no specs c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe.exe no specs cerber.exe.exe no specs svchost.exe no specs 
cf4bf26b2d6f1c6055534bbe9decb579ef0180e0f8c467c1a26e2ead7567058a.exe.exe no specs cf65cc6e4b2b0c3f602b16398c8c30c277b8cfaed689fe7cb61b92560d4e5b1b.exe.exe cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30.exe.exe no specs cff49c25b053f775db8980a431a958020bdf969ea08872de4cef5a5f344f534c.exe.exe d0dd9c624bb2b33de96c29b0ccb5aa5b43ce83a54e2842f1643247811487f8d9.exe.exe no specs cmd.exe no specs d0f059ba21f06021579835a55220d1e822d1233f95879ea6f7cb9d301408c821.exe.exe no specs d214c717a357fe3a455610b197c390aa.exe.exe no specs cmd.exe no specs d2642d3731508b52efa34adf57701f18e2f8b70addf31e33e445e75b9a909822.exe.exe no specs cmd.exe no specs gadget.exe no specs d30f306d4d866a07372b94f7657a7a2b0500137fe7ef51678d0ef4249895c2c5.exe.exe no specs d43c10a2c983049d4a32487ab1e8fe7727646052228554e0112f6651f4833d2c.exe.exe no specs cmd.exe no specs d86af736644e20e62807f03c49f4d0ad7de9cbd0723049f34ec79f8c7308fdd5.exe.exe no specs d883dc7acc192019f220409ee2cadd64.exe.exe cmd.exe no specs d8fdcdaad652c19f4f4676cd2f89ae834dbc19e2759a206044b18601875f2726.exe.exe no specs data.exe_.exe no specs mcwsazmq.exe no specs db36ad77875bbf622d96ae8086f44924c37034dd95e9eb6d6369cc6accd2a40d.exe.exe no specs dea53e331d3b9f21354147f60902f6e132f06183ed2f4a28e67816f9cb140a90.exe.exe no specs win-firewall.exe no specs df5a394ad60512767d375647dbb82994.exe.exe no specs c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe.exe no specs doublefantasy_2a12630ff976ba0994143ca93fecd17f.exe.exe no specs dropper.ex_.exe no specs compmgmtlauncher.exe no specs svchost.exe no specs dumped.exe.exe no specs dump_00a10000-00a1d000.exe.vir.exe no specs dustman.exe.exe no specs e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc.exe.exe no specs e1ba03a10a40aab909b2ba58dcdfd378b4d264f1f4a554b669797bbb8c8ac902.exe.exe no specs e1d852f2ea8436ac33bc8fe200aca4af4fb15f33ecda6441741589daa44115c5.exe.exe no specs e2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747.exe.exe 
no specs e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe.exe no specs e5b68ab68b12c3eaff612ada09eb2d4c403f923cdec8a5c8fe253c6773208baf.exe.exe no specs e77306d2e3d656fa04856f658885803243aef204760889ca2c09fbe9ba36581d.exe.exe no specs e784e95fb5b0188f0c7c82add9a3c89c5bc379eaf356a4d3876d9493a986e343.exe.exe no specs a98099541168c7f36b107e24e9c80c9125fefb787ae720799b03bb4425aba1a9.exe.exe no specs cmd.exe no specs e906fa3d51e86a61741b3499145a114e9bfb7c56.exe.exe no specs e93d6f4ce34d4f594d7aed76cfde0fad.exe.exe no specs ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.exe no specs eefa052da01c3faa1d1f516ddfefa8ceb8a5185bb9b5368142ffdf839aea4506.exe.exe no specs cmd.exe no specs ef47aaf4e964e1e1b7787c480e60a744550de847618510d2bf54bbc5bda57470.exe.exe no specs cmd.exe no specs eqig unpacked.ex_.exe no specs cmd.exe no specs eqig.ex_.exe no specs 3cb477.exe equationdrug_4556ce5eb007af1de5bd3b457f0b216d.exe.exe no specs HNetCfg.FwMgr no specs f152ed03e4383592ce7dd548c34f73da53fc457ce8f26d165155a331cde643a9.exe.exe no specs f1d903251db466d35533c28e3c032b7212aa43c8d64ddf8c5521b43031e69e1e.exe.exe no specs f1e546fe9d51dc96eb766ec61269edfb.exe.exe no specs f65fa71e8ffe11bb6e7c6c84c3d365f4fe729e1e9c38cb4f073d2b65058465fa.exe.exe no specs f77db63cbed98391027f2525c14e161f.exe.exe no specs f897a65b.exe.exe no specs msiexec.exe no specs fa5390bbcc4ab768dd81f31eac0950f6.exe.exe no specs attrib.exe no specs fancybear.germanparliament.exe no specs icacls.exe no specs fc085d9be18f3d8d7ca68fbe1d9e29abbe53e7582453f61a9cd65da06961f751.exe.exe no specs cmd.exe no specs fc75410aa8f76154f5ae8fe035b9a13c76f6e132077346101a0d673ed9f3a0dd.exe.exe no specs cmd.exe no specs file_4571518150a8181b403df4ae7ad54ce8b16ded0c.exe.exe no specs taskdl.exe no specs fixklez.com.exe no specs cmd.exe no specs cmd.exe no specs fix_nimda.exe.exe no specs flash829.exe.exe no specs cmd.exe no specs grayfish_9b1ca66aab784dc5f1dfe635d8f8a904.exe.exe no specs 
e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe.exe no specs dw20.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs e906fa3d51e86a61741b3499145a114e9bfb7c56.exe.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs e2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747.exe.exe no specs winmail.exe no specs nieexct.exe no specs cmd.exe no specs cmd.exe no specs gbudn.exe no specs cmd.exe no specs eefa052da01c3faa1d1f516ddfefa8ceb8a5185bb9b5368142ffdf839aea4506.exe.exe c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe.exe e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe.exe cmd.exe no specs compmgmtlauncher.exe notepad.exe no specs cmd.exe no specs NODE_091907c0_9c3e_4fa4_89cb_fcf5ccee602c

Process information

PID
CMD
Path
Indicators
Parent process
PID: 288
CMD: "C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe"
Path: C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe
Parent process: mtk.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\users\admin\appdata\local\temp\.tmpxwujp6\3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe
c:\windows\system32\ntdll.dll
PID: 288
CMD: "C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\a38df3ec8b9fe52a32860cf5756d2fe345badafd7e74466cd349eb32ba5cc339.exe.exe"
Path: C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\a38df3ec8b9fe52a32860cf5756d2fe345badafd7e74466cd349eb32ba5cc339.exe.exe
Parent process: mtk.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
PID: 364
CMD: "C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\4bfe2216ee63657312af1b2507c8f2bf362fdf1d63c88faba397e880c2e39430.exe.exe"
Path: C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\4bfe2216ee63657312af1b2507c8f2bf362fdf1d63c88faba397e880c2e39430.exe.exe
Parent process: mtk.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\.tmpxwujp6\4bfe2216ee63657312af1b2507c8f2bf362fdf1d63c88faba397e880c2e39430.exe.exe
c:\windows\system32\ntdll.dll
PID: 584
CMD: "C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\50414f60d7e24d25f9ebb68f99d67a46e8b12458474ac503b6e0d0562075a985.exe.exe"
Path: C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\50414f60d7e24d25f9ebb68f99d67a46e8b12458474ac503b6e0d0562075a985.exe.exe
Parent process: mtk.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Help Service
Exit code:
0
Version:
2, 0, 0, 2
Modules
Images
c:\users\admin\appdata\local\temp\.tmpxwujp6\50414f60d7e24d25f9ebb68f99d67a46e8b12458474ac503b6e0d0562075a985.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 648
CMD: "net.exe" stop BackupExecJobEngine /y
Path: C:\Windows\SysWOW64\net.exe
Parent process: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
PID: 792
CMD: "C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe"
Path: C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe
Parent process: mtk.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Help Service
Exit code:
0
Version:
2, 0, 0, 2
Modules
Images
c:\users\admin\appdata\local\temp\.tmpxwujp6\07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\user32.dll
PID: 844
CMD: "C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\1002.exe.exe"
Path: C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\1002.exe.exe
Parent process: mtk.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Microsoft Windows Auto Update
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\microsoft.net\framework64\v2.0.50727\culture.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\rpcrtremote.dll
PID: 920
CMD: "net.exe" stop ccEvtMgr /y
Path: C:\Windows\SysWOW64\net.exe
Parent process: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
PID: 936
CMD: "C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\2a3b92f6180367306d750e59c9b6446b.exe.exe"
Path: C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\2a3b92f6180367306d750e59c9b6446b.exe.exe
Parent process: mtk.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
PID: 944
CMD: "C:\Users\admin\AppData\Local\Temp\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe" "runas"
Path: C:\Users\admin\AppData\Local\Temp\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe
Parent process: 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events
6 008
Read events
5 884
Write events
124
Delete events
0

Modification events

(PID) Process: (2968) mtk.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
(PID) Process: (3116) utilview.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value:
0
(PID) Process: (3116) utilview.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
46000000C4000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (3116) utilview.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value:
1
(PID) Process: (3116) utilview.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value:
1
(PID) Process: (3116) utilview.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value:
1
(PID) Process: (3116) utilview.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value:
0
(PID) Process: (3116) utilview.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:
(PID) Process: (3116) utilview.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:
(PID) Process: (936) 2a3b92f6180367306d750e59c9b6446b.exe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value:
1
Executable files
621
Suspicious files
2 306
Text files
359
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 2968
Process: mtk.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Type: compressed
MD5: F3441B8572AAE8801C04F3060B550443
SHA256: 6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
PID: 2968
Process: mtk.exe
Filename: C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\0008065861f5b09195e51add72dacd3c4bbce6444711320ad349c7dab5bb97fb.exe.exe
Type: executable
MD5: D2074D6273F41C34E8BA370AA9AF46AD
SHA256: 0008065861F5B09195E51ADD72DACD3C4BBCE6444711320AD349C7DAB5BB97FB
PID: 2968
Process: mtk.exe
Filename: C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257.exe.exe
Type: executable
MD5: 460B288A581CDEB5F831D102CB6D198B
SHA256: 01259A104A0199B794B0C61FCFC657EB766B2CAEAE68D5C6B164A53A97874257
PID: 2968
Process: mtk.exe
Filename: C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\0dc2ab0ccf783fb39028326a7e8b0ba4eaa148020ec05fc26313ef2bf70f700f.exe.exe
Type: executable
MD5: 77B645EF1C599F289F3D462A09048C49
SHA256: 0DC2AB0CCF783FB39028326A7E8B0BA4EAA148020EC05FC26313EF2BF70F700F
PID: 2968
Process: mtk.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Type: binary
MD5: 66C453D6F621E00862BFEA1C1CA91172
SHA256: AAD4E2012DF849FE47881C67DCBA41AE8A721985883B94CA01C0A7FEB347A8DB
PID: 2968
Process: mtk.exe
Filename: C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\027cc450ef5f8c5f653329641ec1fed9.exe.exe
Type: executable
MD5: 71B6A493388E7D0B40C83CE903BC6B04
SHA256: 027CC450EF5F8C5F653329641EC1FED91F694E0D229928963B30F6B0D7D3A745
PID: 2968
Process: mtk.exe
Filename: C:\Users\admin\AppData\Local\Temp\TarB736.tmp
Type: cat
MD5: 9441737383D21192400ECA82FDA910EC
SHA256: BC3A6E84E41FAEB57E7C21AA3B60C2A64777107009727C5B7C0ED8FE658909E5
PID: 2968
Process: mtk.exe
Filename: C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\0468127a19daf4c7bc41015c5640fe1f.exe.exe
Type: executable
MD5: 0468127A19DAF4C7BC41015C5640FE1F
SHA256: DD1792BCDF560EBAA633F72DE4037E78FE1ADA5C8694B9D4879554AEDC323AC9
PID: 2968
Process: mtk.exe
Filename: C:\Users\admin\AppData\Local\Temp\CabB735.tmp
Type: compressed
MD5: F3441B8572AAE8801C04F3060B550443
SHA256: 6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
PID: 2968
Process: mtk.exe
Filename: C:\Users\admin\AppData\Local\Temp\.tmpxwuJp6\0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe
Type: executable
MD5: D7D6889BFA96724F7B3F951BC06E8C02
SHA256: 0283C0F02307ADC4EE46C0382DF4B5D7B4EB80114FBAF5CB7FE5412F027D165E
HTTP(S) requests
36
TCP/UDP connections
1 161
DNS requests
79
Threats
121

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2464
gbudn.exe
GET
404
188.40.187.155:80
http://mynexa.io/hfv23svj2/plugins/cred.dll
unknown
unknown
2464
gbudn.exe
GET
404
188.40.187.155:80
http://mynexa.io/hfv23svj2/plugins/scr.dll
unknown
unknown
GET
301
13.107.213.64:80
http://api.nuget.org/packages/taskscheduler.2.5.23.nupkg
unknown
unknown
GET
301
13.107.213.64:80
http://api.nuget.org/packages/sharpziplib.0.86.0.nupkg
unknown
unknown
2968
mtk.exe
GET
200
178.79.242.0:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?24558d65c4ee8523
unknown
compressed
61.6 Kb
unknown
3116
utilview.exe
GET
200
158.101.44.242:80
http://checkip.dyndns.org/
unknown
html
105 b
unknown
GET
200
158.101.44.242:80
http://checkip.dyndns.org/
unknown
html
105 b
unknown
3804
40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe
GET
302
3.33.130.190:80
http://hementuttur.com/docs/book1.pdf
unknown
html
142 b
unknown
2772
75b30164a31d305f47f2c3c2121432e6d7b316cfb3deb6b39f78180168bc9472.exe.exe
GET
404
123.57.60.215:80
http://123.57.60.215/DotNetLoader40.exe
unknown
text
19 b
unknown
3116
utilview.exe
GET
301
13.56.33.8:80
http://yumproject.com/wp-content/uploads/2014/11/questd.pdf
unknown
html
175 b
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1956
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted
324
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
2968
mtk.exe
45.67.85.72:443
m.crep.vip
US
unknown
2968
mtk.exe
178.79.242.0:80
ctldl.windowsupdate.com
LLNW
DE
whitelisted
58.158.177.102:443
flash-update.buyonebuy.top
ARTERIA Networks Corporation
JP
unknown
193.135.12.107:80
LLC Baxet
RU
unknown
158.101.44.242:80
checkip.dyndns.org
ORACLE-BMC-31898
US
unknown
141.105.141.87:13982
Everest Tv And Radio Company LLC
UA
unknown

DNS requests

Domain
IP
Reputation
m.crep.vip
  • 45.67.85.72
unknown
ctldl.windowsupdate.com
  • 178.79.242.0
  • 95.140.236.128
whitelisted
flash-update.buyonebuy.top
  • 58.158.177.102
unknown
checkip.dyndns.org
  • 158.101.44.242
  • 193.122.6.168
  • 132.226.8.169
  • 132.226.247.73
  • 193.122.130.0
shared
exusin.ru
unknown
www.microsoft.com
  • 23.35.229.160
whitelisted
www.google.com
  • 142.251.140.68
  • 172.217.17.100
whitelisted
imagisp.ru
unknown
mynexa.io
  • 188.40.187.155
unknown
7tno4hib47vlep5o.tor2web.org
  • 103.198.0.111
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
324
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
324
svchost.exe
Misc activity
AV INFO Query to checkip.dyndns. Domain
A Network Trojan was detected
ET MALWARE Common Upatre Header Structure 2
A Network Trojan was detected
ET MALWARE Mazilla Suspicious User-Agent Jan 15 2015
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup - checkip.dyndns.org
Device Retrieving External IP Address Detected
ET MALWARE Upatre External IP Check
3116
utilview.exe
A Network Trojan was detected
ET MALWARE Common Upatre Header Structure 2
3116
utilview.exe
A Network Trojan was detected
ET MALWARE Mazilla Suspicious User-Agent Jan 15 2015
3116
utilview.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup - checkip.dyndns.org
35 ETPRO signatures available at the full report
Process
Message
7249b1a5082c9d9654d9fac3bb5e965ea23e395554d3351b77dd4f29677426fe.exe.exe
Script Error
7249b1a5082c9d9654d9fac3bb5e965ea23e395554d3351b77dd4f29677426fe.exe.exe
Run OK