Malware analysis SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942 Malicious activity

Add for printing

File name:	SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942
Full analysis:	https://app.any.run/tasks/f5a2c572-3a48-40ee-ac49-32754803fb0c
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 09, 2023, 06:50:40
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	opendir loader gcleaner stealc stealer rhadamanthys amadey botnet onlylogger smoke phishing neoreklami
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	65ACBF192DDEF924085504F07E559AD7
SHA1:	991FFA6FAE12E521118BF1800FB9D534037C04FC
SHA256:	CCCC4690ACE16E44F44473C2DF179B5B17E27F863B33ABDA126199014CB224D8
SSDEEP:	6144:lWtuykMCEGs7e4IaLLWCfxMRhU+G36vzgymktD2FqJFCS7tQPD7f8u4GnfF5Kuwj:otuykbEGs7e4IWyCob6LHEB5rMT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Adds path to the Windows Defender exclusion list
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 3020)
  - explorer.exe (PID: 1944)
- Create files in the Startup directory
  - CasPol.exe (PID: 1088)
- Drops the executable file immediately after the start
  - CasPol.exe (PID: 1088)
  - eOHA2VCsfCBKKMh0RzO51F2N.exe (PID: 2308)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - 5922194382.exe (PID: 1176)
  - Y9WclbSmTRO0ryLdJ6aV3Xi6.exe (PID: 1660)
  - Install.exe (PID: 1764)
  - vrMlHFrJEre4vJcGRewvCkDG.exe (PID: 244)
  - Utsysc.exe (PID: 2272)
  - updater.exe (PID: 2748)
  - Install.exe (PID: 3044)
- Connects to the CnC server
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - explorer.exe (PID: 1944)
- STEALC has been detected (SURICATA)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- GCLEANER has been detected (SURICATA)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
- Runs injected code in another process
  - qfrl0VezEeVkYQAg00KQpUKx.exe (PID: 2820)
- Application was injected by another process
  - explorer.exe (PID: 1944)
- Steals credentials
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - rundll32.exe (PID: 1192)
- RHADAMANTHYS has been detected (SURICATA)
  - dialer.exe (PID: 1180)
- Uses Task Scheduler to run other applications
  - Utsysc.exe (PID: 2272)
  - Install.exe (PID: 3044)
  - explorer.exe (PID: 1944)
  - hXOvTzQ.exe (PID: 2084)
- Changes the autorun value in the registry
  - Utsysc.exe (PID: 2272)
- AMADEY has been detected (SURICATA)
  - Utsysc.exe (PID: 2272)
- Steals credentials from Web Browsers
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - rundll32.exe (PID: 1560)
  - rundll32.exe (PID: 1192)
- Starts CMD.EXE for self-deleting
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
- ONLYLOGGER has been detected (YARA)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
- Run PowerShell with an invisible window
  - powershell.EXE (PID: 1824)
  - powershell.EXE (PID: 2868)
  - powershell.EXE (PID: 600)
  - powershell.EXE (PID: 2276)
- Actions looks like stealing of personal data
  - dllhost.exe (PID: 648)
  - rundll32.exe (PID: 1560)
  - rundll32.exe (PID: 1192)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - hXOvTzQ.exe (PID: 2084)
- SMOKE has been detected (SURICATA)
  - explorer.exe (PID: 1944)
- Unusual connection from system programs
  - rundll32.exe (PID: 1560)
  - rundll32.exe (PID: 1192)
  - rundll32.exe (PID: 2268)
  - rundll32.exe (PID: 2920)
- Modifies hosts file to block updates
  - vrMlHFrJEre4vJcGRewvCkDG.exe (PID: 244)
- Creates a writable file the system directory
  - powershell.exe (PID: 2952)
  - hXOvTzQ.exe (PID: 2084)
- Neoreklami has been detected
  - hXOvTzQ.exe (PID: 2084)
- Modifies exclusions in Windows Defender
  - reg.exe (PID: 1448)
SUSPICIOUS
- Reads the Internet Settings
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 3020)
  - CasPol.exe (PID: 1088)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - 5922194382.exe (PID: 1176)
  - Utsysc.exe (PID: 2272)
  - Install.exe (PID: 3044)
  - powershell.EXE (PID: 1824)
  - cmd.exe (PID: 2460)
  - powershell.exe (PID: 3068)
  - rundll32.exe (PID: 1560)
  - rundll32.exe (PID: 1192)
  - rundll32.exe (PID: 2268)
  - rundll32.exe (PID: 2920)
  - Utsysc.exe (PID: 2956)
  - powershell.EXE (PID: 2868)
  - powershell.EXE (PID: 600)
  - powershell.EXE (PID: 2276)
- Script adds exclusion path to Windows Defender
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 3020)
  - explorer.exe (PID: 1944)
- Starts POWERSHELL.EXE for commands execution
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 3020)
  - explorer.exe (PID: 1944)
- Reads settings of System Certificates
  - CasPol.exe (PID: 1088)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
- Process requests binary or script from the Internet
  - CasPol.exe (PID: 1088)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - Utsysc.exe (PID: 2272)
- Application launched itself
  - qfrl0VezEeVkYQAg00KQpUKx.exe (PID: 2800)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2476)
  - explorer.exe (PID: 1944)
- Checks Windows Trust Settings
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Reads security settings of Internet Explorer
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Connects to the server without a host name
  - CasPol.exe (PID: 1088)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
- Connects to unusual port
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - dialer.exe (PID: 1180)
  - dllhost.exe (PID: 648)
  - explorer.exe (PID: 2852)
- Searches for installed software
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - dllhost.exe (PID: 648)
- The process checks if it is being run in the virtual environment
  - dialer.exe (PID: 1180)
- Starts CMD.EXE for commands execution
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - forfiles.exe (PID: 1092)
  - forfiles.exe (PID: 2732)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - explorer.exe (PID: 1944)
  - hXOvTzQ.exe (PID: 2084)
- Drops 7-zip archiver for unpacking
  - CasPol.exe (PID: 1088)
  - Y9WclbSmTRO0ryLdJ6aV3Xi6.exe (PID: 1660)
- Starts itself from another location
  - 5922194382.exe (PID: 1176)
  - Y9WclbSmTRO0ryLdJ6aV3Xi6.exe (PID: 1660)
- The process drops C-runtime libraries
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Process drops legitimate windows executable
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- The process drops Mozilla's DLL files
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 1012)
  - cmd.exe (PID: 2468)
  - cmd.exe (PID: 1092)
  - cmd.exe (PID: 2864)
  - cmd.exe (PID: 2748)
  - cmd.exe (PID: 1448)
  - cmd.exe (PID: 2160)
  - cmd.exe (PID: 1072)
  - wscript.exe (PID: 2112)
- Found strings related to reading or modifying Windows Defender settings
  - forfiles.exe (PID: 1092)
  - forfiles.exe (PID: 2732)
  - hXOvTzQ.exe (PID: 2084)
- Reads the BIOS version
  - Install.exe (PID: 3044)
- Reads browser cookies
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 312)
- Loads DLL from Mozilla Firefox
  - dllhost.exe (PID: 648)
  - rundll32.exe (PID: 1560)
  - rundll32.exe (PID: 1192)
- Accesses Microsoft Outlook profiles
  - dllhost.exe (PID: 648)
  - rundll32.exe (PID: 1560)
  - rundll32.exe (PID: 1192)
- The process executes via Task Scheduler
  - powershell.EXE (PID: 1824)
  - hXOvTzQ.exe (PID: 2084)
  - Utsysc.exe (PID: 2956)
  - powershell.EXE (PID: 2868)
  - powershell.EXE (PID: 600)
  - powershell.EXE (PID: 2276)
- Starts SC.EXE for service management
  - cmd.exe (PID: 1176)
  - cmd.exe (PID: 1584)
- Uses powercfg.exe to modify the power settings
  - cmd.exe (PID: 2844)
  - cmd.exe (PID: 2380)
- Executes as Windows Service
  - updater.exe (PID: 2748)
  - raserver.exe (PID: 2940)
  - raserver.exe (PID: 2736)
  - raserver.exe (PID: 2660)
- Uses NETSH.EXE to obtain data on the network
  - rundll32.exe (PID: 1560)
  - rundll32.exe (PID: 1192)
- Uses RUNDLL32.EXE to load library
  - rundll32.exe (PID: 2380)
  - rundll32.exe (PID: 1092)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 1692)
- Drops a system driver (possible attempt to evade defenses)
  - updater.exe (PID: 2748)
- The Powershell connects to the Internet
  - powershell.exe (PID: 2952)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 2112)
- Unusual connection from system programs
  - powershell.exe (PID: 2952)
INFO
- Checks supported languages
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 3020)
  - CasPol.exe (PID: 1088)
  - qfrl0VezEeVkYQAg00KQpUKx.exe (PID: 2800)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2476)
  - dm1vwqYFK8abRFgZn7nbzp4z.exe (PID: 2284)
  - qfrl0VezEeVkYQAg00KQpUKx.exe (PID: 2820)
  - AppLaunch.exe (PID: 2676)
  - eOHA2VCsfCBKKMh0RzO51F2N.exe (PID: 2308)
  - 325VOYHzbgqGiCT0hueR3jb6.exe (PID: 2396)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - vrMlHFrJEre4vJcGRewvCkDG.exe (PID: 244)
  - 5922194382.exe (PID: 1176)
  - khecpDjRjuqIukWbLZDmUWnY.exe (PID: 2744)
  - Utsysc.exe (PID: 2272)
  - Y9WclbSmTRO0ryLdJ6aV3Xi6.exe (PID: 1660)
  - Install.exe (PID: 1764)
  - Install.exe (PID: 3044)
  - updater.exe (PID: 2748)
  - Utsysc.exe (PID: 2956)
  - hXOvTzQ.exe (PID: 2084)
- Reads the computer name
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 3020)
  - CasPol.exe (PID: 1088)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - 325VOYHzbgqGiCT0hueR3jb6.exe (PID: 2396)
  - khecpDjRjuqIukWbLZDmUWnY.exe (PID: 2744)
  - 5922194382.exe (PID: 1176)
  - Utsysc.exe (PID: 2272)
  - Install.exe (PID: 3044)
- Reads the machine GUID from the registry
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 3020)
  - CasPol.exe (PID: 1088)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - 5922194382.exe (PID: 1176)
  - khecpDjRjuqIukWbLZDmUWnY.exe (PID: 2744)
  - Utsysc.exe (PID: 2272)
  - Install.exe (PID: 3044)
- Reads Environment values
  - CasPol.exe (PID: 1088)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Creates files or folders in the user directory
  - CasPol.exe (PID: 1088)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - explorer.exe (PID: 1944)
  - Utsysc.exe (PID: 2272)
- Create files in a temporary directory
  - CasPol.exe (PID: 1088)
  - eOHA2VCsfCBKKMh0RzO51F2N.exe (PID: 2308)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - Y9WclbSmTRO0ryLdJ6aV3Xi6.exe (PID: 1660)
  - 5922194382.exe (PID: 1176)
  - Utsysc.exe (PID: 2272)
  - Install.exe (PID: 1764)
  - vrMlHFrJEre4vJcGRewvCkDG.exe (PID: 244)
  - Install.exe (PID: 3044)
- Checks proxy server information
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - Utsysc.exe (PID: 2272)
  - rundll32.exe (PID: 1560)
  - rundll32.exe (PID: 1192)
  - rundll32.exe (PID: 2268)
  - rundll32.exe (PID: 2920)
- Reads product name
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Reads CPU info
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Creates files in the program directory
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - vrMlHFrJEre4vJcGRewvCkDG.exe (PID: 244)
- The executable file from the user directory is run by the CMD process
  - 5922194382.exe (PID: 1176)
- Manual execution by a user
  - dllhost.exe (PID: 648)
- Drops the executable file immediately after the start
  - explorer.exe (PID: 1944)
- Reads the Internet Settings
  - explorer.exe (PID: 1944)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

OnlyLogger

(PID) Process(2408) IBYXbieN81AJAXFofh4mSEmZ.exe

C285.209.11.204

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (49.4)
.scr	\|	Windows screen saver (23.4)
.dll	\|	Win32 Dynamic Link Library (generic) (11.7)
.exe	\|	Win32 Executable (generic) (8)
.exe	\|	Generic Win/DOS Executable (3.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:11:07 19:07:31+01:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	433075
InitializedDataSize:	3584
UninitializedDataSize:	-
EntryPoint:	0x6bbad
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	6.34.311.48
ProductVersionNumber:	6.34.311.48
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	IWaYiCOgA
FileDescription:	AvOvEma AKiJoAaGI eUUwUNaAiwE AKeuIkiv EVAfA uzUlaLu edayu OLEPuP.
FileVersion:	6.34.311.48
InternalName:	AnAZUXoX
LegalCopyright:	© 2023 IWaYiCOgA.
OriginalFileName:	aEoJOoA
ProductName:	iEOKapuooy
ProductVersion:	6.34.311.48
Comments:	OhaOOb UhiVoVi uTInusA IPok EDeHiI isedOcOj aOExIV oqIJeNeu IrOraIExU.

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

288

Monitored processes

157

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

244

"C:\Users\admin\Pictures\vrMlHFrJEre4vJcGRewvCkDG.exe"

C:\Users\admin\Pictures\vrMlHFrJEre4vJcGRewvCkDG.exe

CasPol.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\pictures\vrmlhfrjere4vjcgrewvckdg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll

284

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

—

wscript.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

288

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VxrjVBYufVUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

—

wscript.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

312

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\admin\Pictures\mHMPa76o5Y1e2xa5vGD4kYCd.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\cmd.exe

—

mHMPa76o5Y1e2xa5vGD4kYCd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

460

sc stop wuauserv

C:\Windows\System32\sc.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

A tool to aid in developing services for WindowsNT

Exit code:

1062

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

584

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

—

taskeng.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

648

"C:\Windows\system32\dllhost.exe"

C:\Windows\System32\dllhost.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

COM Surrogate

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

796

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NmcYmBndU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

—

wscript.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

952

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\schtasks.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

Add for printing

Total events

33 007

Read events

32 401

Write events

605

Delete events

Modification events


(PID) Process:	(1944) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000088AF72B0747534094337F63DE35C94A000000000200000000001066000000010000200000003A7AE26404D75DF41C31FF40C5EA8CE90BAF74FA9E9BD7A9ACA34C7048350C1E000000000E8000000002000020000000BD2D56D46506C12C41A6A70B10E79EE53CB79EF36FD2BA8CDD2460CB8F4BE86A300000009B5D1418CBF2EB49F3C4BD4C21D58CA55B82FA3D3ED08AF0EF59D6C7ECAFC1055FA323A80FF7C154B1C9B60253392B6640000000DED9FDCC168073324C3013F1BB125E066EB1A2F09FD2C8E7CC7A793AA992E21EF1C942BF7294D04E036428704009B863B1CB981B97312E2530E3E816780CF7C9
(PID) Process:	(3020) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3020) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3020) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3020) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1088) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1088) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1088) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1088) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1088) CasPol.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
584	powershell.exe	C:\Users\admin\AppData\Local\Temp\whsg3whd.uj3.ps1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
1088	CasPol.exe	C:\Users\admin\AppData\Local\Temp\CabA8AA.tmp		compressed
		MD5:F3441B8572AAE8801C04F3060B550443	SHA256:6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
1088	CasPol.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SKzpki8Tqr48N3x5Yks7kgYz.bat		text
		MD5:D26623166462B5C38F029F5172DA76D7	SHA256:175AD6A1C9F404C0B77B88F4B4B230506505104C28476FAE6CDF3C2449C60792
1088	CasPol.exe	C:\Users\admin\Pictures\Q55LBaQ0GHyj5hUM39vJpsbj.exe		html
		MD5:FCAD815E470706329E4E327194ACC07C	SHA256:280D939A66A0107297091B3B6F86D6529EF6FAC222A85DBC82822C3D5DC372B8
584	powershell.exe	C:\Users\admin\AppData\Local\Temp\ol1wploz.hoa.psm1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
1088	CasPol.exe	C:\Users\admin\AppData\Local\Temp\CabA8DB.tmp		compressed
		MD5:F3441B8572AAE8801C04F3060B550443	SHA256:6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
1088	CasPol.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506		binary
		MD5:8786DDD44E34BB851B03E5BE460B43F8	SHA256:BFFC132BD5A3E054D63BE4152AB6BAAB4DE74405A7D5BD1E835AC922C1196C6B
1088	CasPol.exe	C:\Users\admin\AppData\Local\Temp\TarA8AB.tmp		binary
		MD5:9441737383D21192400ECA82FDA910EC	SHA256:BC3A6E84E41FAEB57E7C21AA3B60C2A64777107009727C5B7C0ED8FE658909E5
1088	CasPol.exe	C:\Users\admin\AppData\Local\Temp\TarA8DC.tmp		binary
		MD5:9441737383D21192400ECA82FDA910EC	SHA256:BC3A6E84E41FAEB57E7C21AA3B60C2A64777107009727C5B7C0ED8FE658909E5
584	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:446DD1CF97EABA21CF14D03AEBC79F27	SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

116

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2160	mHMPa76o5Y1e2xa5vGD4kYCd.exe	GET	200	116.203.165.60:2087	http://116.203.165.60:2087/	unknown	—	—	unknown
1088	CasPol.exe	GET	200	95.140.236.128:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?56e02b563dbccaec	unknown	compressed	61.6 Kb	unknown
1088	CasPol.exe	GET	200	5.42.67.10:80	http://5.42.67.10/setupdownload.exe	unknown	executable	1.41 Mb	unknown
1088	CasPol.exe	GET	200	85.209.11.204:80	http://85.209.11.204/api/files/software/s5.exe	unknown	executable	326 Kb	unknown
1088	CasPol.exe	GET	200	89.191.234.21:80	http://gobo11fc.top/build.exe	unknown	executable	324 Kb	unknown
1088	CasPol.exe	GET	301	185.26.182.112:80	http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767	unknown	html	162 b	unknown
1088	CasPol.exe	GET	200	194.49.94.67:80	http://194.49.94.67/files/My2.exe	unknown	executable	5.24 Mb	unknown
1088	CasPol.exe	GET	200	95.140.236.128:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5bb5d7e14f221a81	unknown	compressed	61.6 Kb	unknown
1088	CasPol.exe	GET	200	95.140.236.128:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4e8985cacbd3f720	unknown	compressed	61.6 Kb	unknown
1088	CasPol.exe	GET	200	95.140.236.128:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7ac514a272f19814	unknown	compressed	61.6 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1088	CasPol.exe	172.67.34.170:443	pastebin.com	CLOUDFLARENET	US	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
1088	CasPol.exe	104.21.93.225:443	flyawayaero.net	CLOUDFLARENET	—	unknown
1088	CasPol.exe	194.49.94.85:443	632432.space	Enes Koken	DE	unknown
1088	CasPol.exe	104.21.32.208:443	lycheepanel.info	CLOUDFLARENET	—	unknown
1088	CasPol.exe	179.61.12.110:443	globalsystemperu.com	TECNOWEB PERU SAC	CL	unknown
1088	CasPol.exe	194.49.94.67:80	—	Enes Koken	DE	unknown
1088	CasPol.exe	85.209.11.204:80	—	LLC Baxet	RU	malicious
1088	CasPol.exe	5.42.67.10:80	—	CJSC Kolomna-Sviaz TV	RU	unknown
1088	CasPol.exe	185.26.182.112:80	net.geo.opera.com	Opera Software AS	—	unknown

DNS requests

Domain	IP	Reputation
pastebin.com	172.67.34.170 104.20.68.143 104.20.67.143	shared
flyawayaero.net	104.21.93.225 172.67.216.81	unknown
gobo11fc.top	89.191.234.21	unknown
632432.space	194.49.94.85	malicious
galandskiyher5.com	95.214.26.28	malicious
lycheepanel.info	104.21.32.208 172.67.187.122	unknown
net.geo.opera.com	185.26.182.112 185.26.182.111	whitelisted
globalsystemperu.com	179.61.12.110	unknown
yip.su	188.114.97.3 188.114.96.3	whitelisted
ctldl.windowsupdate.com	95.140.236.128 178.79.242.128 95.140.236.0	whitelisted

Threats

PID	Process	Class	Message
324	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
324	svchost.exe	Potentially Bad Traffic	ET DNS Query for .su TLD (Soviet Union) Often Malware Related
1088	CasPol.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
1088	CasPol.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
1088	CasPol.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
1088	CasPol.exe	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
1088	CasPol.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
1088	CasPol.exe	Misc activity	ET INFO Packed Executable Download
1088	CasPol.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
1088	CasPol.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

13 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942

65ACBF192DDEF924085504F07E559AD7

991FFA6FAE12E521118BF1800FB9D534037C04FC

CCCC4690ACE16E44F44473C2DF179B5B17E27F863B33ABDA126199014CB224D8

6144:lWtuykMCEGs7e4IaLLWCfxMRhU+G36vzgymktD2FqJFCS7tQPD7f8u4GnfF5Kuwj:otuykbEGs7e4IWyCob6LHEB5rMT

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Create files in the Startup directory

Drops the executable file immediately after the start

Connects to the CnC server

STEALC has been detected (SURICATA)

GCLEANER has been detected (SURICATA)

Runs injected code in another process

Application was injected by another process

Steals credentials

RHADAMANTHYS has been detected (SURICATA)

Uses Task Scheduler to run other applications

Changes the autorun value in the registry

AMADEY has been detected (SURICATA)

Steals credentials from Web Browsers

Starts CMD.EXE for self-deleting

ONLYLOGGER has been detected (YARA)

Run PowerShell with an invisible window

Actions looks like stealing of personal data

SMOKE has been detected (SURICATA)

Unusual connection from system programs

Modifies hosts file to block updates

Creates a writable file the system directory

Neoreklami has been detected

Modifies exclusions in Windows Defender

SUSPICIOUS

Reads the Internet Settings

Script adds exclusion path to Windows Defender

Starts POWERSHELL.EXE for commands execution

Reads settings of System Certificates

Process requests binary or script from the Internet

Application launched itself

Checks Windows Trust Settings

Reads security settings of Internet Explorer

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Connects to the server without a host name

Connects to unusual port

Searches for installed software

The process checks if it is being run in the virtual environment

Starts CMD.EXE for commands execution

Drops 7-zip archiver for unpacking

Starts itself from another location

The process drops C-runtime libraries

Process drops legitimate windows executable

The process drops Mozilla's DLL files

Uses REG/REGEDIT.EXE to modify registry

Found strings related to reading or modifying Windows Defender settings

Reads the BIOS version

Reads browser cookies

Uses TIMEOUT.EXE to delay execution

Loads DLL from Mozilla Firefox

Accesses Microsoft Outlook profiles

The process executes via Task Scheduler

Starts SC.EXE for service management

Uses powercfg.exe to modify the power settings

Executes as Windows Service

Uses NETSH.EXE to obtain data on the network

Uses RUNDLL32.EXE to load library

Uses TASKKILL.EXE to kill process

Drops a system driver (possible attempt to evade defenses)

The Powershell connects to the Internet

Runs shell command (SCRIPT)

Unusual connection from system programs

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Reads Environment values

Creates files or folders in the user directory

Create files in a temporary directory