Malware analysis SecuriteInfo.com.IL.Trojan.MSILZilla.30886.28966.14387 Malicious activity

Add for printing

File name:	SecuriteInfo.com.IL.Trojan.MSILZilla.30886.28966.14387
Full analysis:	https://app.any.run/tasks/85fd854c-1d76-4e22-9608-e8726f51b246
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 09, 2023, 04:32:11
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	opendir loader gcleaner stealc stealer evasion amadey botnet smoke phishing privateloader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	ACA63B9E4AB5A783F11B125C71112242
SHA1:	82BABA92A2C1B320921AD05E56A5890F62697CF3
SHA256:	BAA0CB3BC60D90CFBE000D58B1E4FF06888722BFA81C68EF1486E7E48BA8740A
SSDEEP:	3072:m14iwt2CbSxPZVgwWij3tpuA6y+JrQTyy1G:m14i1CbSxRSpirt6y4C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Adds path to the Windows Defender exclusion list
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30886.28966.14387.exe (PID: 2600)
  - explorer.exe (PID: 1944)
- Drops the executable file immediately after the start
  - CasPol.exe (PID: 2216)
  - ugbcmuwwFSnO95XZW7AA0tti.exe (PID: 2408)
  - nEud18VqsrduQL71sjEO9A7R.exe (PID: 688)
  - B5jzgU6zAoh3YKAvZrsoxE5C.exe (PID: 1940)
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - 1260521668.exe (PID: 2456)
  - Utsysc.exe (PID: 2492)
  - FPgG0XAkVoXc2lHGGyxtP51v.exe (PID: 308)
  - updater.exe (PID: 3056)
- Create files in the Startup directory
  - CasPol.exe (PID: 2216)
- STEALC has been detected (SURICATA)
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
- GCLEANER has been detected (SURICATA)
  - B5jzgU6zAoh3YKAvZrsoxE5C.exe (PID: 1940)
- Runs injected code in another process
  - hunU9LeEDys0MgJ5O4NFUw2W.exe (PID: 1784)
- Application was injected by another process
  - explorer.exe (PID: 1944)
- Steals credentials
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - rundll32.exe (PID: 2732)
  - rundll32.exe (PID: 2972)
- Changes the autorun value in the registry
  - Utsysc.exe (PID: 2492)
- Uses Task Scheduler to run other applications
  - Utsysc.exe (PID: 2492)
  - explorer.exe (PID: 1944)
- Connects to the CnC server
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - explorer.exe (PID: 1944)
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)
- Steals credentials from Web Browsers
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - rundll32.exe (PID: 2732)
  - rundll32.exe (PID: 2972)
- AMADEY has been detected (SURICATA)
  - Utsysc.exe (PID: 2492)
- Starts CMD.EXE for self-deleting
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - B5jzgU6zAoh3YKAvZrsoxE5C.exe (PID: 1940)
- SMOKE has been detected (SURICATA)
  - explorer.exe (PID: 1944)
- Unusual connection from system programs
  - rundll32.exe (PID: 2732)
  - rundll32.exe (PID: 2972)
  - rundll32.exe (PID: 2952)
  - rundll32.exe (PID: 2484)
- Modifies hosts file to block updates
  - FPgG0XAkVoXc2lHGGyxtP51v.exe (PID: 308)
- Creates a writable file the system directory
  - powershell.exe (PID: 3020)
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)
- PRIVATELOADER has been detected (SURICATA)
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)
- Actions looks like stealing of personal data
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)
  - rundll32.exe (PID: 2972)
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - rundll32.exe (PID: 2732)
SUSPICIOUS
- Script adds exclusion path to Windows Defender
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30886.28966.14387.exe (PID: 2600)
  - explorer.exe (PID: 1944)
- Reads the Internet Settings
  - CasPol.exe (PID: 2216)
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30886.28966.14387.exe (PID: 2600)
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - B5jzgU6zAoh3YKAvZrsoxE5C.exe (PID: 1940)
  - 1260521668.exe (PID: 2456)
  - Utsysc.exe (PID: 2492)
  - cmd.exe (PID: 2856)
  - rundll32.exe (PID: 2732)
  - powershell.exe (PID: 2712)
  - Utsysc.exe (PID: 1764)
  - rundll32.exe (PID: 2972)
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)
  - rundll32.exe (PID: 2484)
  - Utsysc.exe (PID: 2260)
  - rundll32.exe (PID: 2952)
- Reads settings of System Certificates
  - CasPol.exe (PID: 2216)
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - B5jzgU6zAoh3YKAvZrsoxE5C.exe (PID: 1940)
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)
- Application launched itself
  - hunU9LeEDys0MgJ5O4NFUw2W.exe (PID: 312)
  - B5jzgU6zAoh3YKAvZrsoxE5C.exe (PID: 648)
  - explorer.exe (PID: 1944)
- Process requests binary or script from the Internet
  - CasPol.exe (PID: 2216)
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - Utsysc.exe (PID: 2492)
- Connects to the server without a host name
  - CasPol.exe (PID: 2216)
  - B5jzgU6zAoh3YKAvZrsoxE5C.exe (PID: 1940)
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)
- Checks Windows Trust Settings
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)
- Reads security settings of Internet Explorer
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)
- Connects to unusual port
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - explorer.exe (PID: 984)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
- Starts POWERSHELL.EXE for commands execution
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30886.28966.14387.exe (PID: 2600)
  - explorer.exe (PID: 1944)
- Searches for installed software
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
- Starts CMD.EXE for commands execution
  - B5jzgU6zAoh3YKAvZrsoxE5C.exe (PID: 1940)
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - explorer.exe (PID: 1944)
- Starts itself from another location
  - 1260521668.exe (PID: 2456)
- The process drops C-runtime libraries
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
- Process drops legitimate windows executable
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
- The process drops Mozilla's DLL files
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
- Reads browser cookies
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 1492)
- Uses RUNDLL32.EXE to load library
  - rundll32.exe (PID: 2260)
  - rundll32.exe (PID: 2396)
- Accesses Microsoft Outlook profiles
  - rundll32.exe (PID: 2732)
  - rundll32.exe (PID: 2972)
- Loads DLL from Mozilla Firefox
  - rundll32.exe (PID: 2732)
  - rundll32.exe (PID: 2972)
- Uses NETSH.EXE to obtain data on the network
  - rundll32.exe (PID: 2732)
  - rundll32.exe (PID: 2972)
- The process executes via Task Scheduler
  - Utsysc.exe (PID: 1764)
  - Utsysc.exe (PID: 2260)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 1164)
- Starts SC.EXE for service management
  - cmd.exe (PID: 2160)
  - cmd.exe (PID: 2640)
- Uses powercfg.exe to modify the power settings
  - cmd.exe (PID: 2320)
  - cmd.exe (PID: 1556)
- Executes as Windows Service
  - updater.exe (PID: 3056)
  - raserver.exe (PID: 1696)
- Drops a system driver (possible attempt to evade defenses)
  - updater.exe (PID: 3056)
- Unusual connection from system programs
  - powershell.exe (PID: 3020)
- The Powershell connects to the Internet
  - powershell.exe (PID: 3020)
- Reads the BIOS version
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)
- Checks for external IP
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)
INFO
- Reads the computer name
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30886.28966.14387.exe (PID: 2600)
  - CasPol.exe (PID: 2216)
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - ugbcmuwwFSnO95XZW7AA0tti.exe (PID: 2408)
  - Broom.exe (PID: 2412)
  - B5jzgU6zAoh3YKAvZrsoxE5C.exe (PID: 1940)
  - ZRrXarxyDbf2YAXhpkJ5EIUD.exe (PID: 2496)
  - 1260521668.exe (PID: 2456)
  - Utsysc.exe (PID: 2492)
  - 6kJ4P6T6tCYCLqC7ZZCu4H8j.exe (PID: 1268)
  - 2KpHlJSCa39xRpGmijiDY5an.exe (PID: 2440)
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)
- Checks supported languages
  - CasPol.exe (PID: 2216)
  - B5jzgU6zAoh3YKAvZrsoxE5C.exe (PID: 648)
  - hunU9LeEDys0MgJ5O4NFUw2W.exe (PID: 312)
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - hunU9LeEDys0MgJ5O4NFUw2W.exe (PID: 1784)
  - ugbcmuwwFSnO95XZW7AA0tti.exe (PID: 2408)
  - B5jzgU6zAoh3YKAvZrsoxE5C.exe (PID: 1940)
  - Broom.exe (PID: 2412)
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30886.28966.14387.exe (PID: 2600)
  - ZRrXarxyDbf2YAXhpkJ5EIUD.exe (PID: 2496)
  - nEud18VqsrduQL71sjEO9A7R.exe (PID: 688)
  - 6kJ4P6T6tCYCLqC7ZZCu4H8j.exe (PID: 1268)
  - 2KpHlJSCa39xRpGmijiDY5an.exe (PID: 2440)
  - 1260521668.exe (PID: 2456)
  - Utsysc.exe (PID: 2492)
  - FPgG0XAkVoXc2lHGGyxtP51v.exe (PID: 308)
  - Utsysc.exe (PID: 1764)
  - updater.exe (PID: 3056)
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)
  - Utsysc.exe (PID: 2260)
- Reads Environment values
  - CasPol.exe (PID: 2216)
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
- Creates files or folders in the user directory
  - CasPol.exe (PID: 2216)
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - B5jzgU6zAoh3YKAvZrsoxE5C.exe (PID: 1940)
  - Utsysc.exe (PID: 2492)
  - explorer.exe (PID: 1944)
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)
- Reads the machine GUID from the registry
  - CasPol.exe (PID: 2216)
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30886.28966.14387.exe (PID: 2600)
  - B5jzgU6zAoh3YKAvZrsoxE5C.exe (PID: 1940)
  - Utsysc.exe (PID: 2492)
  - 2KpHlJSCa39xRpGmijiDY5an.exe (PID: 2440)
  - 6kJ4P6T6tCYCLqC7ZZCu4H8j.exe (PID: 1268)
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)
- Create files in a temporary directory
  - CasPol.exe (PID: 2216)
  - ugbcmuwwFSnO95XZW7AA0tti.exe (PID: 2408)
  - B5jzgU6zAoh3YKAvZrsoxE5C.exe (PID: 1940)
  - 1260521668.exe (PID: 2456)
  - nEud18VqsrduQL71sjEO9A7R.exe (PID: 688)
  - Utsysc.exe (PID: 2492)
  - FPgG0XAkVoXc2lHGGyxtP51v.exe (PID: 308)
- Checks proxy server information
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - B5jzgU6zAoh3YKAvZrsoxE5C.exe (PID: 1940)
  - Utsysc.exe (PID: 2492)
  - rundll32.exe (PID: 2732)
  - rundll32.exe (PID: 2972)
  - rundll32.exe (PID: 2952)
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)
  - rundll32.exe (PID: 2484)
- Reads product name
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
- Reads CPU info
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
- Creates files in the program directory
  - dLU2QMHGwPdQRsBLpbT0UhfT.exe (PID: 2220)
  - FPgG0XAkVoXc2lHGGyxtP51v.exe (PID: 308)
- The executable file from the user directory is run by the CMD process
  - 1260521668.exe (PID: 2456)
- Drops the executable file immediately after the start
  - explorer.exe (PID: 1944)
- Reads the Internet Settings
  - explorer.exe (PID: 1944)
- Process checks are UAC notifies on
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)
- Process checks computer location settings
  - 0iKe2ksxj7r6XHCrqCoEylUI.exe (PID: 2464)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:11:07 19:07:31+01:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	124551
InitializedDataSize:	3072
UninitializedDataSize:	-
EntryPoint:	0x20681
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	6.93.266.9
ProductVersionNumber:	6.93.266.9
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	ofexIbu
FileDescription:	OYiYA abOLa OhuXAY uCikoqEi UxOb euUNaI.
FileVersion:	6.93.266.9
InternalName:	IVuviBO
LegalCopyright:	© 2023 ofexIbu.
OriginalFileName:	omuQId
ProductName:	OlUmeNOi
ProductVersion:	6.93.266.9
Comments:	AVevuziIOgi EiIye aJAdavUia UzOl AfOp OtAve iZIQiCImOZO.

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

133

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

308

"C:\Users\admin\Pictures\FPgG0XAkVoXc2lHGGyxtP51v.exe"

C:\Users\admin\Pictures\FPgG0XAkVoXc2lHGGyxtP51v.exe

CasPol.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\pictures\fpgg0xakvoxc2lhggyxtp51v.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll

312

"C:\Users\admin\Pictures\hunU9LeEDys0MgJ5O4NFUw2W.exe"

C:\Users\admin\Pictures\hunU9LeEDys0MgJ5O4NFUw2W.exe

—

CasPol.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\pictures\hunu9leedys0mgj5o4nfuw2w.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

364

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\admin\AppData\Local\Temp\5125296e5f\Utsysc.exe" /F

C:\Windows\SysWOW64\schtasks.exe

—

Utsysc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

392

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\admin\AppData\Local\Temp\1260521668.exe"

C:\Windows\SysWOW64\cmd.exe

—

B5jzgU6zAoh3YKAvZrsoxE5C.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

648

"C:\Users\admin\Pictures\B5jzgU6zAoh3YKAvZrsoxE5C.exe"

C:\Users\admin\Pictures\B5jzgU6zAoh3YKAvZrsoxE5C.exe

—

CasPol.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\pictures\b5jzgu6zaoh3ykavzrsoxe5c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

688

"C:\Users\admin\Pictures\nEud18VqsrduQL71sjEO9A7R.exe" --silent --allusers=0

C:\Users\admin\Pictures\nEud18VqsrduQL71sjEO9A7R.exe

—

CasPol.exe

User:

admin

Company:

Opera Software

Integrity Level:

MEDIUM

Description:

Opera Installer

Exit code:

Version:

104.0.4944.36

Modules

Images
c:\users\admin\pictures\neud18vqsrduql71sjeo9a7r.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

712

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

1060

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

812

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\admin\AppData\Local\Temp\tlxvacrdjkek.xml"

C:\Windows\System32\schtasks.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

812

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\tlxvacrdjkek.xml"

C:\Windows\System32\schtasks.exe

explorer.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

952

netsh wlan show profiles

C:\Windows\System32\netsh.exe

—

rundll32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

Add for printing

Total events

25 129

Read events

24 807

Write events

304

Delete events

Modification events


(PID) Process:	(1944) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000088AF72B0747534094337F63DE35C94A000000000200000000001066000000010000200000003A7AE26404D75DF41C31FF40C5EA8CE90BAF74FA9E9BD7A9ACA34C7048350C1E000000000E8000000002000020000000BD2D56D46506C12C41A6A70B10E79EE53CB79EF36FD2BA8CDD2460CB8F4BE86A300000009B5D1418CBF2EB49F3C4BD4C21D58CA55B82FA3D3ED08AF0EF59D6C7ECAFC1055FA323A80FF7C154B1C9B60253392B6640000000DED9FDCC168073324C3013F1BB125E066EB1A2F09FD2C8E7CC7A793AA992E21EF1C942BF7294D04E036428704009B863B1CB981B97312E2530E3E816780CF7C9
(PID) Process:	(2600) SecuriteInfo.com.IL.Trojan.MSILZilla.30886.28966.14387.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2600) SecuriteInfo.com.IL.Trojan.MSILZilla.30886.28966.14387.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2600) SecuriteInfo.com.IL.Trojan.MSILZilla.30886.28966.14387.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2600) SecuriteInfo.com.IL.Trojan.MSILZilla.30886.28966.14387.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2216) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2216) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2216) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2216) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2216) CasPol.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2216	CasPol.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506		compressed
		MD5:F3441B8572AAE8801C04F3060B550443	SHA256:6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
2688	powershell.exe	C:\Users\admin\AppData\Local\Temp\4rrzzgez.kkl.ps1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
2216	CasPol.exe	C:\Users\admin\AppData\Local\Temp\CabAE66.tmp		compressed
		MD5:F3441B8572AAE8801C04F3060B550443	SHA256:6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
2216	CasPol.exe	C:\Users\admin\Pictures\YJJidFhMmKH6lGKIWnAIffoI.exe		html
		MD5:FCAD815E470706329E4E327194ACC07C	SHA256:280D939A66A0107297091B3B6F86D6529EF6FAC222A85DBC82822C3D5DC372B8
2216	CasPol.exe	C:\Users\admin\AppData\Local\Temp\TarAE67.tmp		binary
		MD5:9441737383D21192400ECA82FDA910EC	SHA256:BC3A6E84E41FAEB57E7C21AA3B60C2A64777107009727C5B7C0ED8FE658909E5
2216	CasPol.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yJhL1PbjVCXIov1qA13ZnUpZ.bat		text
		MD5:1678F55E2FD81934827D9A256DD4D33D	SHA256:175D90C35D32104217A9E66A064C98EC21EDE781C504E96D8BB6EF1BD0AAA76D
2688	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:446DD1CF97EABA21CF14D03AEBC79F27	SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
2220	dLU2QMHGwPdQRsBLpbT0UhfT.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\9MT7S6RO.txt		text
		MD5:E06F5DD17E939BDCAB7AD4684802332D	SHA256:9B4EEF0BBE33593BD67EFB5BB8AE9AD5C6645268B74FECD90B372A3789175D13
2216	CasPol.exe	C:\Users\admin\AppData\Local\0zT6mfF3hhYTXTOgT5xs5uCD.exe		executable
		MD5:5AB2B28BC1E00519DCD55B67E9198C2C	SHA256:D8CA36406BFACDD794CC8BBC54F38B1C88116F1A180D4D069C3AD4A2210EF2F4
2216	CasPol.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rvD9Uh32eAiUWIlWpndcTcCd.bat		text
		MD5:551C094FD9FA59F53712942B17C3C861	SHA256:84E4F8AC550F97F873F4BB72C54F9636B8B9CA75F13C30A9D755296DF3EC385E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

118

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2220	dLU2QMHGwPdQRsBLpbT0UhfT.exe	GET	200	116.203.165.60:2087	http://116.203.165.60:2087/	unknown	—	—	unknown
2216	CasPol.exe	GET	200	95.214.26.28:80	http://galandskiyher5.com/downloads/toolspub1.exe	unknown	executable	318 Kb	unknown
2216	CasPol.exe	GET	200	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f0f0f46a9543f796	unknown	compressed	61.6 Kb	unknown
2216	CasPol.exe	GET	200	194.49.94.48:80	http://194.49.94.48/InstallSetup3.exe	unknown	executable	2.55 Mb	unknown
1940	B5jzgU6zAoh3YKAvZrsoxE5C.exe	GET	200	85.209.11.204:80	http://85.209.11.204/api/files/client/s51	unknown	executable	887 Kb	unknown
2220	dLU2QMHGwPdQRsBLpbT0UhfT.exe	POST	200	116.203.165.60:2087	http://116.203.165.60:2087/	unknown	text	48 b	unknown
2216	CasPol.exe	GET	200	89.191.234.21:80	http://gobo11fc.top/build.exe	unknown	executable	324 Kb	unknown
1940	B5jzgU6zAoh3YKAvZrsoxE5C.exe	GET	200	85.209.11.204:80	http://85.209.11.204/ip.php	unknown	text	13 b	unknown
1940	B5jzgU6zAoh3YKAvZrsoxE5C.exe	GET	200	85.209.11.204:80	http://85.209.11.204/api/files/client/s51	unknown	executable	887 Kb	unknown
2220	dLU2QMHGwPdQRsBLpbT0UhfT.exe	POST	200	116.203.165.60:2087	http://116.203.165.60:2087/	unknown	text	8 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
2216	CasPol.exe	188.114.96.3:443	yip.su	CLOUDFLARENET	NL	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2216	CasPol.exe	104.20.68.143:443	pastebin.com	CLOUDFLARENET	—	unknown
2216	CasPol.exe	177.229.198.250:443	etiquetaspiura.com	Mega Cable, S.A. de C.V.	MX	unknown
2216	CasPol.exe	103.55.39.107:443	wahyurahmat.id	PT Cloud Hosting Indonesia	ID	unknown
2216	CasPol.exe	85.209.11.204:80	—	LLC Baxet	RU	malicious
2216	CasPol.exe	95.214.26.28:80	galandskiyher5.com	Enes Koken	US	unknown
2216	CasPol.exe	194.49.94.48:80	—	Enes Koken	DE	unknown

DNS requests

Domain	IP	Reputation
pastebin.com	104.20.68.143 172.67.34.170 104.20.67.143	shared
yip.su	188.114.96.3 188.114.97.3	whitelisted
etiquetaspiura.com	177.229.198.250	unknown
wahyurahmat.id	103.55.39.107	unknown
galandskiyher5.com	95.214.26.28	malicious
flyawayaero.net	104.21.93.225 172.67.216.81	unknown
gons07fc.top	—	unknown
gobo11fc.top	89.191.234.21	unknown
lycheepanel.info	172.67.187.122 104.21.32.208	unknown
laubenstein.space	—	unknown

Threats

PID	Process	Class	Message
324	svchost.exe	Potentially Bad Traffic	ET DNS Query for .su TLD (Soviet Union) Often Malware Related
324	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
2216	CasPol.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
2216	CasPol.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2216	CasPol.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
2216	CasPol.exe	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
2216	CasPol.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2216	CasPol.exe	Misc activity	ET INFO Packed Executable Download
2216	CasPol.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2216	CasPol.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

11 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

SecuriteInfo.com.IL.Trojan.MSILZilla.30886.28966.14387

ACA63B9E4AB5A783F11B125C71112242

82BABA92A2C1B320921AD05E56A5890F62697CF3

BAA0CB3BC60D90CFBE000D58B1E4FF06888722BFA81C68EF1486E7E48BA8740A

3072:m14iwt2CbSxPZVgwWij3tpuA6y+JrQTyy1G:m14i1CbSxRSpirt6y4C

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Drops the executable file immediately after the start

Create files in the Startup directory

STEALC has been detected (SURICATA)

GCLEANER has been detected (SURICATA)

Runs injected code in another process

Application was injected by another process

Steals credentials

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

Connects to the CnC server

Steals credentials from Web Browsers

AMADEY has been detected (SURICATA)

Starts CMD.EXE for self-deleting

SMOKE has been detected (SURICATA)

Unusual connection from system programs

Modifies hosts file to block updates

Creates a writable file the system directory

PRIVATELOADER has been detected (SURICATA)

Actions looks like stealing of personal data

SUSPICIOUS

Script adds exclusion path to Windows Defender

Reads the Internet Settings

Reads settings of System Certificates

Application launched itself

Process requests binary or script from the Internet

Connects to the server without a host name

Checks Windows Trust Settings

Reads security settings of Internet Explorer

Connects to unusual port

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Starts POWERSHELL.EXE for commands execution

Searches for installed software

Starts CMD.EXE for commands execution

Starts itself from another location

The process drops C-runtime libraries

Process drops legitimate windows executable

The process drops Mozilla's DLL files

Reads browser cookies

Uses TIMEOUT.EXE to delay execution

Uses RUNDLL32.EXE to load library

Accesses Microsoft Outlook profiles

Loads DLL from Mozilla Firefox

Uses NETSH.EXE to obtain data on the network

The process executes via Task Scheduler

Uses TASKKILL.EXE to kill process

Starts SC.EXE for service management

Uses powercfg.exe to modify the power settings

Executes as Windows Service

Drops a system driver (possible attempt to evade defenses)

Unusual connection from system programs

The Powershell connects to the Internet

Reads the BIOS version

Checks for external IP

INFO

Reads the computer name

Checks supported languages

Reads Environment values

Creates files or folders in the user directory

Reads the machine GUID from the registry

Create files in a temporary directory

Checks proxy server information

Reads product name

Reads CPU info

Creates files in the program directory

The executable file from the user directory is run by the CMD process

Drops the executable file immediately after the start

Reads the Internet Settings

Process checks are UAC notifies on