Malware analysis 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe Malicious activity

Add for printing

File name:	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe
Full analysis:	https://app.any.run/tasks/ed621a8d-41c8-478e-964c-ab5d8165bf7f
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	February 15, 2026, 19:56:34
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto redline stealer amadey botnet rdp teamviewer rmm-tool tightvnc stealc vidar generic xmrig miner upx xor-url pastebin winring0-sys vuln-driver golang antivm
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	156F4A8F006779A3493D9D476F1E8DDA
SHA1:	C1B667B0FF98BBB1D2495B4FD5DDA1EECA494799
SHA256:	C36ED034D523DA1F54D43176334D4BDA9F9ADCB940948646B43902A620EBDA45
SSDEEP:	6144:/vsc/drd+CNwoJmm1+eETFzyzT0Y40cS9rI4MV44i46DRuvXUIO:8MEC3HUeET54T0P0/m4q44i46D0rO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- REDLINE has been found (auto)
  - 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe (PID: 8196)
- AMADEY has been detected (SURICATA)
  - 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe (PID: 8196)
- AMADEY mutex has been found
  - 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe (PID: 8196)
- Actions looks like stealing of personal data
  - aJqN6D8.exe (PID: 5048)
  - eNLe4nm.exe (PID: 6432)
  - aJqN6D8.exe (PID: 6728)
  - 491702078e.exe (PID: 7360)
- Steals credentials from Web Browsers
  - aJqN6D8.exe (PID: 5048)
  - eNLe4nm.exe (PID: 6432)
  - aJqN6D8.exe (PID: 6728)
  - 491702078e.exe (PID: 7360)
- AMADEY has been detected (YARA)
  - 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe (PID: 8196)
- VIDAR has been found (auto)
  - 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe (PID: 8196)
- STEALC has been detected (SURICATA)
  - eNLe4nm.exe (PID: 6432)
  - 491702078e.exe (PID: 7360)
- GENERIC has been found (auto)
  - expand.exe (PID: 7320)
- XORed URL has been found (YARA)
  - eNLe4nm.exe (PID: 6432)
  - TXpyp1Y.exe (PID: 2608)
  - Launcher.exe (PID: 3700)
- Executing a file with an untrusted certificate
  - update.exe (PID: 7736)
  - update.exe (PID: 8364)
  - update.exe (PID: 6332)
  - qpaglljfhxkw.exe (PID: 5448)
- Changes Windows Defender settings
  - update.exe (PID: 8364)
  - qpaglljfhxkw.exe (PID: 5448)
- XMRIG has been detected
  - update.exe (PID: 8364)
  - qpaglljfhxkw.exe (PID: 5448)
- Uninstalls Malicious Software Removal Tool (MRT)
  - cmd.exe (PID: 7000)
  - cmd.exe (PID: 1824)
- Adds extension to the Windows Defender exclusion list
  - update.exe (PID: 8364)
  - qpaglljfhxkw.exe (PID: 5448)
- Changes the autorun value in the registry
  - RKXRn1l.exe (PID: 2392)
  - 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe (PID: 8196)
- Application was injected by another process
  - dllhost.exe (PID: 8692)
- Runs injected code in another process
  - powershell.exe (PID: 7640)
- Dynamically loads an assembly (POWERSHELL)
  - powershell.exe (PID: 7640)
- Vulnerable driver has been detected
  - qpaglljfhxkw.exe (PID: 5448)
SUSPICIOUS
- Contacting a server suspected of hosting an CnC
  - 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe (PID: 8196)
  - eNLe4nm.exe (PID: 6432)
  - 491702078e.exe (PID: 7360)
- Possible stealing of cloud data
  - aJqN6D8.exe (PID: 5048)
  - aJqN6D8.exe (PID: 6728)
- Searches for installed software
  - aJqN6D8.exe (PID: 5048)
  - eNLe4nm.exe (PID: 6432)
  - aJqN6D8.exe (PID: 6728)
  - 491702078e.exe (PID: 7360)
- There is functionality for enable RDP (YARA)
  - 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe (PID: 8196)
- Possible stealing from crypto wallets
  - aJqN6D8.exe (PID: 5048)
  - eNLe4nm.exe (PID: 6432)
  - aJqN6D8.exe (PID: 6728)
  - 491702078e.exe (PID: 7360)
- The process verifies whether the antivirus software is installed
  - aJqN6D8.exe (PID: 5048)
  - aJqN6D8.exe (PID: 6728)
- Possible stealing of VPN data
  - aJqN6D8.exe (PID: 5048)
  - aJqN6D8.exe (PID: 6728)
- Possible stealing of FTP data
  - aJqN6D8.exe (PID: 5048)
  - aJqN6D8.exe (PID: 6728)
- Possible stealing from password managers
  - aJqN6D8.exe (PID: 5048)
  - eNLe4nm.exe (PID: 6432)
  - aJqN6D8.exe (PID: 6728)
  - 491702078e.exe (PID: 7360)
- Possible stealing from browsers
  - aJqN6D8.exe (PID: 5048)
  - eNLe4nm.exe (PID: 6432)
  - aJqN6D8.exe (PID: 6728)
  - 491702078e.exe (PID: 7360)
- Loads DLL from Mozilla Firefox
  - aJqN6D8.exe (PID: 5048)
  - aJqN6D8.exe (PID: 6728)
- Reads browser cookies
  - aJqN6D8.exe (PID: 5048)
  - aJqN6D8.exe (PID: 6728)
- Reads the date of Windows installation
  - eNLe4nm.exe (PID: 6432)
  - 491702078e.exe (PID: 7360)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 8996)
- Unpacks CAB file
  - expand.exe (PID: 7320)
- Multiple wallet extension IDs have been found
  - eNLe4nm.exe (PID: 6432)
- Executes application which crashes
  - Q2Dqcpm.exe (PID: 5536)
  - powershell.exe (PID: 8376)
  - Q2Dqcpm.exe (PID: 7076)
- Starts POWERSHELL.EXE for commands execution
  - update.exe (PID: 7736)
  - update.exe (PID: 8364)
  - qpaglljfhxkw.exe (PID: 5448)
- Starts process via Powershell
  - powershell.exe (PID: 6468)
- Script adds exclusion extension to Windows Defender
  - update.exe (PID: 8364)
  - qpaglljfhxkw.exe (PID: 5448)
- Script adds exclusion path to Windows Defender
  - update.exe (PID: 8364)
  - qpaglljfhxkw.exe (PID: 5448)
- Manipulates environment variables
  - powershell.exe (PID: 1932)
  - powershell.exe (PID: 2244)
- The process creates files with name similar to system file names
  - RKXRn1l.exe (PID: 2392)
  - WerFault.exe (PID: 4680)
- Stops a currently running service
  - sc.exe (PID: 6980)
  - sc.exe (PID: 1036)
  - sc.exe (PID: 5464)
  - sc.exe (PID: 2096)
  - sc.exe (PID: 4700)
  - sc.exe (PID: 6148)
  - sc.exe (PID: 2620)
  - sc.exe (PID: 2764)
  - sc.exe (PID: 8744)
  - sc.exe (PID: 5508)
  - sc.exe (PID: 8180)
- Process uninstalls Windows update
  - wusa.exe (PID: 9072)
  - wusa.exe (PID: 6320)
- Windows service management via SC.EXE
  - sc.exe (PID: 8360)
  - sc.exe (PID: 6272)
- Creates a new Windows service
  - sc.exe (PID: 8704)
- Obfuscation pattern (POWERSHELL)
  - powershell.exe (PID: 7640)
  - powershell.exe (PID: 8376)
- The process executes via Task Scheduler
  - powershell.exe (PID: 7640)
  - powershell.exe (PID: 8376)
- ASCII char obfuscation (POWERSHELL)
  - powershell.exe (PID: 7640)
  - powershell.exe (PID: 8376)
- Invokes assembly entry point (POWERSHELL)
  - powershell.exe (PID: 7640)
  - powershell.exe (PID: 8376)
- Starts SC.EXE for service management
  - update.exe (PID: 8364)
  - qpaglljfhxkw.exe (PID: 5448)
- File deletion via cmd.exe
  - cmd.exe (PID: 7944)
- Starts CMD.EXE for commands execution
  - update.exe (PID: 8364)
  - qpaglljfhxkw.exe (PID: 5448)
- Executes as Windows Service
  - qpaglljfhxkw.exe (PID: 5448)
- Drops a system driver (possible attempt to evade defenses)
  - qpaglljfhxkw.exe (PID: 5448)
- Crypto Currency Mining Activity Detected
  - svchost.exe (PID: 2292)
- There is functionality for VM detection VMWare (YARA)
  - Launcher.exe (PID: 3700)
- Starts a Microsoft application from unusual location
  - msiexec.exe (PID: 4024)
INFO
- Checks supported languages
  - 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe (PID: 8196)
  - aJqN6D8.exe (PID: 5048)
  - eNLe4nm.exe (PID: 6432)
  - Q2Dqcpm.exe (PID: 5536)
  - RKXRn1l.exe (PID: 2392)
  - TXpyp1Y.exe (PID: 2608)
  - msiexec.exe (PID: 8996)
  - msiexec.exe (PID: 6072)
  - expand.exe (PID: 7320)
  - Launcher.exe (PID: 3700)
  - aJqN6D8.exe (PID: 6728)
  - update.exe (PID: 7736)
  - update.exe (PID: 8364)
  - 5GFpJxh.exe (PID: 1856)
  - z6HdLiH.exe (PID: 8792)
  - 491702078e.exe (PID: 7360)
  - update.exe (PID: 6332)
  - Q2Dqcpm.exe (PID: 7076)
  - qpaglljfhxkw.exe (PID: 5448)
  - da8c9410f4.exe (PID: 8124)
  - 3d176447c5.exe (PID: 3236)
  - msiexec.exe (PID: 4024)
  - da8c9410f4.exe (PID: 5152)
  - 3d176447c5.exe (PID: 8112)
- Reads the computer name
  - 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe (PID: 8196)
  - aJqN6D8.exe (PID: 5048)
  - eNLe4nm.exe (PID: 6432)
  - TXpyp1Y.exe (PID: 2608)
  - msiexec.exe (PID: 8996)
  - msiexec.exe (PID: 6072)
  - Launcher.exe (PID: 3700)
  - Q2Dqcpm.exe (PID: 5536)
  - aJqN6D8.exe (PID: 6728)
  - 491702078e.exe (PID: 7360)
  - 5GFpJxh.exe (PID: 1856)
  - z6HdLiH.exe (PID: 8792)
  - RKXRn1l.exe (PID: 2392)
  - qpaglljfhxkw.exe (PID: 5448)
  - Q2Dqcpm.exe (PID: 7076)
  - da8c9410f4.exe (PID: 8124)
  - 3d176447c5.exe (PID: 3236)
  - msiexec.exe (PID: 4024)
  - da8c9410f4.exe (PID: 5152)
  - 3d176447c5.exe (PID: 8112)
- Checks proxy server information
  - 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe (PID: 8196)
  - eNLe4nm.exe (PID: 6432)
  - WerFault.exe (PID: 8892)
  - 491702078e.exe (PID: 7360)
  - WerFault.exe (PID: 5964)
  - slui.exe (PID: 8228)
- Reads security settings of Internet Explorer
  - 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe (PID: 8196)
  - eNLe4nm.exe (PID: 6432)
  - msiexec.exe (PID: 6072)
  - 491702078e.exe (PID: 7360)
- Process checks computer location settings
  - 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe (PID: 8196)
  - aJqN6D8.exe (PID: 5048)
  - msiexec.exe (PID: 6072)
  - aJqN6D8.exe (PID: 6728)
- Reads the machine GUID from the registry
  - aJqN6D8.exe (PID: 5048)
  - eNLe4nm.exe (PID: 6432)
  - expand.exe (PID: 7320)
  - msiexec.exe (PID: 6072)
  - aJqN6D8.exe (PID: 6728)
  - 491702078e.exe (PID: 7360)
- Create files in a temporary directory
  - aJqN6D8.exe (PID: 5048)
  - 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe (PID: 8196)
  - expand.exe (PID: 7320)
  - msiexec.exe (PID: 6072)
  - aJqN6D8.exe (PID: 6728)
  - RKXRn1l.exe (PID: 2392)
- Creates files or folders in the user directory
  - 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe (PID: 8196)
  - eNLe4nm.exe (PID: 6432)
  - WerFault.exe (PID: 8892)
  - WerFault.exe (PID: 5964)
- Reads Environment values
  - aJqN6D8.exe (PID: 5048)
  - eNLe4nm.exe (PID: 6432)
  - aJqN6D8.exe (PID: 6728)
  - 491702078e.exe (PID: 7360)
- Reads product name
  - aJqN6D8.exe (PID: 5048)
  - eNLe4nm.exe (PID: 6432)
  - aJqN6D8.exe (PID: 6728)
  - 491702078e.exe (PID: 7360)
- Reads CPU info
  - aJqN6D8.exe (PID: 5048)
  - eNLe4nm.exe (PID: 6432)
  - aJqN6D8.exe (PID: 6728)
  - 491702078e.exe (PID: 7360)
- Drops script file
  - aJqN6D8.exe (PID: 5048)
  - eNLe4nm.exe (PID: 6432)
  - aJqN6D8.exe (PID: 6728)
  - powershell.exe (PID: 6468)
  - powershell.exe (PID: 1932)
  - powershell.exe (PID: 7640)
  - powershell.exe (PID: 2244)
  - 491702078e.exe (PID: 7360)
- There is functionality for taking screenshot (YARA)
  - 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe (PID: 8196)
  - aJqN6D8.exe (PID: 5048)
  - eNLe4nm.exe (PID: 6432)
  - TXpyp1Y.exe (PID: 2608)
- TEAMVIEWER has been detected
  - aJqN6D8.exe (PID: 5048)
  - aJqN6D8.exe (PID: 6728)
- TIGHTVNC has been detected
  - aJqN6D8.exe (PID: 5048)
  - aJqN6D8.exe (PID: 6728)
- Creates files in the program directory
  - eNLe4nm.exe (PID: 6432)
  - update.exe (PID: 8364)
  - 491702078e.exe (PID: 7360)
- UPX packer has been detected
  - eNLe4nm.exe (PID: 6432)
  - TXpyp1Y.exe (PID: 2608)
- Application launched itself
  - chrome.exe (PID: 5012)
  - chrome.exe (PID: 2764)
  - chrome.exe (PID: 4816)
  - chrome.exe (PID: 5160)
  - chrome.exe (PID: 1212)
  - chrome.exe (PID: 2756)
- The executable file from the user directory is run by the Powershell process
  - update.exe (PID: 8364)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 1932)
  - powershell.exe (PID: 2244)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 1932)
  - powershell.exe (PID: 2244)
- Launching a file from a Registry key
  - RKXRn1l.exe (PID: 2392)
  - 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe (PID: 8196)
- Uses string split method (POWERSHELL)
  - powershell.exe (PID: 7640)
- Application based on Golang
  - Launcher.exe (PID: 3700)
- Manual execution by a user
  - da8c9410f4.exe (PID: 5152)
  - 3d176447c5.exe (PID: 8112)
  - msiexec.exe (PID: 4024)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Amadey

(PID) Process(8196) 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe

C2 (1)94.154.35.25

URLs (1)http://94.154.35.25/di9ku38f/index.php

Version5.55

Options

Drop directory96a319e745

Drop nameSrxelqcif.exe

Strings (125)S-%lu-

Startup

Norton

2016

00000422

cred.dll

POST

360TotalSecurity

lv:

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

" Content-Type: application/octet-stream

Content-Disposition: form-data; name="data"; filename="

Sophos

Comodo

0123456789

clip.dll

<c>

&unit=

------

dm:

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

shell32.dll

SYSTEM\ControlSet001\Services\BasicDisplay\Video

"taskkill /f /im "

exe

msi

av:

vs:

ar:

00000423

rundll32.exe

+++

sd:

kernel32.dll

94.154.35.25

ps1

SOFTWARE\Microsoft\Windows NT\CurrentVersion

2025

.jpg

0000043f

abcdefghijklmnopqrstuvwxyz0123456789-_

CurrentBuild

cred.dll|clip.dll|

shutdown -s -t 0

Powershell.exe

Avira

ProductName

dll

/Plugins/

Panda Security

96a319e745

2022

" && ren

pc:

AVG

http://

:::

<d>

WinDefender

GetNativeSystemInfo

AVAST Software

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

5.55

zip

ComputerName

\App

DefaultSettings.XResolution

og:

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

00000419

id:

DefaultSettings.YResolution

Programs

un:

\0000

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

2019

ESET

Bitdefender

%-lu

cmd /C RMDIR /s/q

random

bi:

Main

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

st=s

------

ProgramData\

?scr=1

/di9ku38f/index.php

Content-Type: multipart/form-data; boundary=----

Srxelqcif.exe

Rem

GET

-unicode-

%USERPROFILE%

-executionpolicy remotesigned -File "

&& Exit"

VideoID

" && timeout 1 && del

cmd

os:

Content-Type: application/x-www-form-urlencoded

https://

-%lu

rundll32

Doctor Web

/quiet

Kaspersky Lab

Keyboard Layout\Preload

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:07:23 10:41:41+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.29
CodeSize:	318464
InitializedDataSize:	123392
UninitializedDataSize:	-
EntryPoint:	0x28dc7
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

319

Monitored processes

167

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3820,i,13048004322541553869,5301358374829343767,262144 --variations-seed-version=20260215-030006.524000-production --mojo-platform-channel-handle=3840 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

144

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2060,i,687847013768810793,6239688227306818597,262144 --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=2080 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

768

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --subproc-heap-profiling --field-trial-handle=2284,i,10482889115002302659,2051391379379656629,262144 --variations-seed-version=20260215-030006.524000-production --mojo-platform-channel-handle=2664 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

792

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

sc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

936

"C:\WINDOWS\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\12101180271\X5P2hQO.msi" /quiet

C:\Windows\SysWOW64\msiexec.exe

—

0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

1036

C:\WINDOWS\system32\sc.exe stop UsoSvc

C:\Windows\System32\sc.exe

—

update.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1040

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1984,i,17255378300064094232,7858087307633703629,262144 --variations-seed-version=20260215-030006.524000-production --mojo-platform-channel-handle=1916 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1136

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=2404,i,4393356621964064115,4550734237053576061,262144 --variations-seed-version --mojo-platform-channel-handle=2356 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1212

"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

491702078e.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1320

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,4393356621964064115,4550734237053576061,262144 --variations-seed-version --mojo-platform-channel-handle=3252 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

119 021

Read events

118 989

Write events

Delete events

Modification events


(PID) Process:	(8196) 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(8196) 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(8196) 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6432) eNLe4nm.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6432) eNLe4nm.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6432) eNLe4nm.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(8196) 0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msi\OpenWithProgids
Operation:	write	Name:	Msi.Package
Value:
(PID) Process:	(8996) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: 24230000C52E3543B59EDC01
(PID) Process:	(8996) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: 6BA6DD3D62F4C9A7EF5B8D500C4CE9782B53AF9202F8EBE37E25329BEF8EBFE2
(PID) Process:	(8996) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

433

Dropped files

PID	Process	Filename		Type
5048	aJqN6D8.exe	C:\Users\admin\AppData\Local\Temp\his8FFF.tmp		—
		MD5:—	SHA256:—
5048	aJqN6D8.exe	C:\Users\admin\AppData\Local\Temp\his901F.tmp		—
		MD5:—	SHA256:—
5048	aJqN6D8.exe	C:\Users\admin\AppData\Local\Temp\his9041.tmp		—
		MD5:—	SHA256:—
5048	aJqN6D8.exe	C:\Users\admin\AppData\Local\Temp\his9061.tmp		—
		MD5:—	SHA256:—
8196	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\Q2Dqcpm[1].exe		binary
		MD5:666CD55E251F8A071ED256E7C73DC285	SHA256:06CB74C0CAFE0EE369C727B5041BBA96EEE44D849D66FB67DEF1C2AFBE448D9A
5048	aJqN6D8.exe	C:\Users\admin\AppData\Local\Temp\Log.txt		binary
		MD5:179D5EFF980D4E05E1A82A323D4BF4B4	SHA256:D16A143CFED1B61559D7320CD858997EC13094F00C119C63A7FE674745C744E9
8196	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\aJqN6D8[1].exe		binary
		MD5:A0449CD30BCD9D8EEB9C4E4528299DD0	SHA256:885B57AC755EB84C505FD41C55BC451746B29FB8101A8E1CFF74D46E85A80BEE
8196	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	C:\Users\admin\AppData\Local\Temp\12089080101\aJqN6D8.exe		binary
		MD5:A0449CD30BCD9D8EEB9C4E4528299DD0	SHA256:885B57AC755EB84C505FD41C55BC451746B29FB8101A8E1CFF74D46E85A80BEE
5048	aJqN6D8.exe	C:\Users\admin\AppData\Local\Temp\Systemlog.txt		binary
		MD5:FE34E08B54DCBC4EA2EFAFB7527B9E6B	SHA256:A2404EC5FA9AABE4C3DF721ACBD8A04ADDAC4CC7C12FCEFBF1529664A43E9897
8196	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	C:\Users\admin\AppData\Local\Temp\12101150101\eNLe4nm.exe		binary
		MD5:97B9EA648B18CBA18E0A57E68773ACF1	SHA256:B43BBDF8CD383959AB62A587F80CA301E66AF67C9673EDA6FF901E35BF2AFE34

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

204

TCP/UDP connections

169

DNS requests

122

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6768	MoUsoCoreWorker.exe	GET	304	51.124.78.146:443	https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop	US	—	—	whitelisted
356	svchost.exe	POST	200	20.190.159.75:443	https://login.live.com/RST2.srf	US	—	10.3 Kb	whitelisted
—	—	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D	US	binary	313 b	whitelisted
—	—	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D	US	binary	960 b	whitelisted
8196	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	POST	200	94.154.35.25:80	http://94.154.35.25/di9ku38f/index.php	SC	binary	1.59 Kb	unknown
8196	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	POST	200	94.154.35.25:80	http://94.154.35.25/di9ku38f/index.php	SC	binary	8 b	malicious
8196	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	GET	200	130.12.180.43:80	http://130.12.180.43/files/7103746036/aJqN6D8.exe	SC	binary	3.92 Mb	unknown
8964	svchost.exe	GET	200	51.104.136.2:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=1&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2	US	—	5.70 Kb	whitelisted
356	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	binary	471 b	whitelisted
8964	svchost.exe	GET	304	51.124.78.146:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2	US	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
8964	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5660	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	92.123.104.46:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
—	—	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
—	—	204.79.197.203:80	oneocsp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
8196	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	94.154.35.25:80	—	OMEGATECH-AS	SC	malicious

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2	whitelisted
www.bing.com	92.123.104.46 92.123.104.37 92.123.104.50 92.123.104.38 92.123.104.49 92.123.104.52 92.123.104.41 92.123.104.47 92.123.104.53	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
oneocsp.microsoft.com	204.79.197.203	whitelisted
google.com	142.251.208.174	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
login.live.com	20.190.159.75 20.190.159.2 20.190.159.23 40.126.31.67 40.126.31.130 40.126.31.0 40.126.31.73 20.190.159.0 40.126.32.68 20.190.160.3 20.190.160.22 20.190.160.14 20.190.160.128 40.126.32.133 20.190.160.20 40.126.32.136	whitelisted
crl.microsoft.com	184.24.77.41 184.24.77.30 184.24.77.42 184.24.77.23 184.24.77.11 184.24.77.37 184.24.77.35 184.24.77.29 2.16.241.12 2.16.241.19	whitelisted
toot.community	104.26.14.209 104.26.15.209 172.67.70.222	whitelisted
ruruurururururu.ru	195.177.94.44	malicious

Threats

PID	Process	Class	Message
8196	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	Misc activity	INFO [ANY.RUN] Connection to IP from commonly abused ASN (AS214943 RAILNET)
8196	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 16
8196	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
8196	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	Malware Command and Control Activity Detected	ET MALWARE Amadey CnC Response
8196	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	Potentially Bad Traffic	ET INFO PE EXE or DLL Windows file download HTTP
8196	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
8196	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 24
8196	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	Malware Command and Control Activity Detected	MALWARE [ANY.RUN] Amadey CnC related IP address
8196	0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe	Misc activity	ET INFO Packed Executable Download
6432	eNLe4nm.exe	A Network Trojan was detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Add for printing

Process	Message
RKXRn1l.exe	[m0yv] brute key 0X15FEAD7E invalid hash in result buffer
RKXRn1l.exe	[m0yv] brute key 0X15FEAD7F invalid hash in result buffer
RKXRn1l.exe	[m0yv] brute key 0X15FEAD80 invalid hash in result buffer
RKXRn1l.exe	[m0yv] brute key 0X15FEAD81 invalid hash in result buffer
RKXRn1l.exe	[m0yv] brute key 0X15FEAD82 invalid hash in result buffer
RKXRn1l.exe	[m0yv] brute key 0X15FEAD83 invalid hash in result buffer
RKXRn1l.exe	[m0yv] brute key 0X15FEAD84 invalid hash in result buffer
RKXRn1l.exe	[m0yv] brute key 0X15FEAD85 invalid hash in result buffer
RKXRn1l.exe	[m0yv] brute key 0X15FEAD86 invalid hash in result buffer
RKXRn1l.exe	[m0yv] brute key 0X15FEAD87 invalid hash in result buffer

General Info

0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe

156F4A8F006779A3493D9D476F1E8DDA

C1B667B0FF98BBB1D2495B4FD5DDA1EECA494799

C36ED034D523DA1F54D43176334D4BDA9F9ADCB940948646B43902A620EBDA45

6144:/vsc/drd+CNwoJmm1+eETFzyzT0Y40cS9rI4MV44i46DRuvXUIO:8MEC3HUeET54T0P0/m4q44i46D0rO

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

REDLINE has been found (auto)

AMADEY has been detected (SURICATA)

AMADEY mutex has been found

Actions looks like stealing of personal data

Steals credentials from Web Browsers

AMADEY has been detected (YARA)

VIDAR has been found (auto)

STEALC has been detected (SURICATA)

GENERIC has been found (auto)

XORed URL has been found (YARA)

Executing a file with an untrusted certificate

Changes Windows Defender settings

XMRIG has been detected

Uninstalls Malicious Software Removal Tool (MRT)

Adds extension to the Windows Defender exclusion list

Changes the autorun value in the registry

Application was injected by another process

Runs injected code in another process

Dynamically loads an assembly (POWERSHELL)

Vulnerable driver has been detected

SUSPICIOUS

Contacting a server suspected of hosting an CnC

Possible stealing of cloud data

Searches for installed software

There is functionality for enable RDP (YARA)

Possible stealing from crypto wallets

The process verifies whether the antivirus software is installed

Possible stealing of VPN data

Possible stealing of FTP data

Possible stealing from password managers

Possible stealing from browsers

Loads DLL from Mozilla Firefox

Reads browser cookies

Reads the date of Windows installation

Reads the Windows owner or organization settings

Unpacks CAB file

Multiple wallet extension IDs have been found

Executes application which crashes

Starts POWERSHELL.EXE for commands execution

Starts process via Powershell

Script adds exclusion extension to Windows Defender

Script adds exclusion path to Windows Defender

Manipulates environment variables

The process creates files with name similar to system file names

Stops a currently running service

Process uninstalls Windows update

Windows service management via SC.EXE

Creates a new Windows service

Obfuscation pattern (POWERSHELL)

The process executes via Task Scheduler

ASCII char obfuscation (POWERSHELL)

Invokes assembly entry point (POWERSHELL)

Starts SC.EXE for service management

File deletion via cmd.exe

Starts CMD.EXE for commands execution

Executes as Windows Service

Drops a system driver (possible attempt to evade defenses)

Crypto Currency Mining Activity Detected

There is functionality for VM detection VMWare (YARA)

Starts a Microsoft application from unusual location

INFO

Checks supported languages

Reads the computer name

Checks proxy server information

Reads security settings of Internet Explorer

Process checks computer location settings

Reads the machine GUID from the registry

Create files in a temporary directory