Malware analysis SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942 Malicious activity

Add for printing

File name:	SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942
Full analysis:	https://app.any.run/tasks/f5a2c572-3a48-40ee-ac49-32754803fb0c
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 09, 2023, 06:50:40
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	opendir loader gcleaner stealc stealer rhadamanthys amadey botnet onlylogger smoke phishing neoreklami
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	65ACBF192DDEF924085504F07E559AD7
SHA1:	991FFA6FAE12E521118BF1800FB9D534037C04FC
SHA256:	CCCC4690ACE16E44F44473C2DF179B5B17E27F863B33ABDA126199014CB224D8
SSDEEP:	6144:lWtuykMCEGs7e4IaLLWCfxMRhU+G36vzgymktD2FqJFCS7tQPD7f8u4GnfF5Kuwj:otuykbEGs7e4IWyCob6LHEB5rMT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Adds path to the Windows Defender exclusion list
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 3020)
  - explorer.exe (PID: 1944)
- Create files in the Startup directory
  - CasPol.exe (PID: 1088)
- Drops the executable file immediately after the start
  - CasPol.exe (PID: 1088)
  - eOHA2VCsfCBKKMh0RzO51F2N.exe (PID: 2308)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - 5922194382.exe (PID: 1176)
  - Y9WclbSmTRO0ryLdJ6aV3Xi6.exe (PID: 1660)
  - Install.exe (PID: 1764)
  - Utsysc.exe (PID: 2272)
  - vrMlHFrJEre4vJcGRewvCkDG.exe (PID: 244)
  - Install.exe (PID: 3044)
  - updater.exe (PID: 2748)
- STEALC has been detected (SURICATA)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- GCLEANER has been detected (SURICATA)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
- Connects to the CnC server
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - explorer.exe (PID: 1944)
- Runs injected code in another process
  - qfrl0VezEeVkYQAg00KQpUKx.exe (PID: 2820)
- Application was injected by another process
  - explorer.exe (PID: 1944)
- Steals credentials
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - rundll32.exe (PID: 1192)
- RHADAMANTHYS has been detected (SURICATA)
  - dialer.exe (PID: 1180)
- Changes the autorun value in the registry
  - Utsysc.exe (PID: 2272)
- Uses Task Scheduler to run other applications
  - Utsysc.exe (PID: 2272)
  - Install.exe (PID: 3044)
  - explorer.exe (PID: 1944)
  - hXOvTzQ.exe (PID: 2084)
- AMADEY has been detected (SURICATA)
  - Utsysc.exe (PID: 2272)
- Starts CMD.EXE for self-deleting
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
- Steals credentials from Web Browsers
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - rundll32.exe (PID: 1560)
  - rundll32.exe (PID: 1192)
- ONLYLOGGER has been detected (YARA)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
- Run PowerShell with an invisible window
  - powershell.EXE (PID: 1824)
  - powershell.EXE (PID: 2868)
  - powershell.EXE (PID: 600)
  - powershell.EXE (PID: 2276)
- SMOKE has been detected (SURICATA)
  - explorer.exe (PID: 1944)
- Modifies hosts file to block updates
  - vrMlHFrJEre4vJcGRewvCkDG.exe (PID: 244)
- Unusual connection from system programs
  - rundll32.exe (PID: 1560)
  - rundll32.exe (PID: 1192)
  - rundll32.exe (PID: 2920)
  - rundll32.exe (PID: 2268)
- Actions looks like stealing of personal data
  - rundll32.exe (PID: 1560)
  - rundll32.exe (PID: 1192)
  - dllhost.exe (PID: 648)
  - hXOvTzQ.exe (PID: 2084)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Creates a writable file the system directory
  - powershell.exe (PID: 2952)
  - hXOvTzQ.exe (PID: 2084)
- Neoreklami has been detected
  - hXOvTzQ.exe (PID: 2084)
- Modifies exclusions in Windows Defender
  - reg.exe (PID: 1448)
SUSPICIOUS
- Starts POWERSHELL.EXE for commands execution
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 3020)
  - explorer.exe (PID: 1944)
- Reads the Internet Settings
  - CasPol.exe (PID: 1088)
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 3020)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - 5922194382.exe (PID: 1176)
  - Utsysc.exe (PID: 2272)
  - Install.exe (PID: 3044)
  - cmd.exe (PID: 2460)
  - powershell.EXE (PID: 1824)
  - powershell.exe (PID: 3068)
  - rundll32.exe (PID: 1560)
  - rundll32.exe (PID: 1192)
  - rundll32.exe (PID: 2268)
  - rundll32.exe (PID: 2920)
  - powershell.EXE (PID: 2868)
  - powershell.EXE (PID: 600)
  - Utsysc.exe (PID: 2956)
  - powershell.EXE (PID: 2276)
- Script adds exclusion path to Windows Defender
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 3020)
  - explorer.exe (PID: 1944)
- Reads settings of System Certificates
  - CasPol.exe (PID: 1088)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
- Connects to the server without a host name
  - CasPol.exe (PID: 1088)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
- Application launched itself
  - qfrl0VezEeVkYQAg00KQpUKx.exe (PID: 2800)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2476)
  - explorer.exe (PID: 1944)
- Checks Windows Trust Settings
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Reads security settings of Internet Explorer
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Process requests binary or script from the Internet
  - CasPol.exe (PID: 1088)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - Utsysc.exe (PID: 2272)
- Connects to unusual port
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - dialer.exe (PID: 1180)
  - dllhost.exe (PID: 648)
  - explorer.exe (PID: 2852)
- The process checks if it is being run in the virtual environment
  - dialer.exe (PID: 1180)
- Searches for installed software
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - dllhost.exe (PID: 648)
- The process drops Mozilla's DLL files
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Starts CMD.EXE for commands execution
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - forfiles.exe (PID: 1092)
  - forfiles.exe (PID: 2732)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - explorer.exe (PID: 1944)
  - hXOvTzQ.exe (PID: 2084)
- Drops 7-zip archiver for unpacking
  - CasPol.exe (PID: 1088)
  - Y9WclbSmTRO0ryLdJ6aV3Xi6.exe (PID: 1660)
- The process drops C-runtime libraries
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Starts itself from another location
  - 5922194382.exe (PID: 1176)
  - Y9WclbSmTRO0ryLdJ6aV3Xi6.exe (PID: 1660)
- Process drops legitimate windows executable
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Reads the BIOS version
  - Install.exe (PID: 3044)
- Found strings related to reading or modifying Windows Defender settings
  - forfiles.exe (PID: 1092)
  - forfiles.exe (PID: 2732)
  - hXOvTzQ.exe (PID: 2084)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 1012)
  - cmd.exe (PID: 2468)
  - cmd.exe (PID: 2864)
  - cmd.exe (PID: 2748)
  - cmd.exe (PID: 1448)
  - cmd.exe (PID: 2160)
  - cmd.exe (PID: 1092)
  - cmd.exe (PID: 1072)
  - wscript.exe (PID: 2112)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 312)
- Reads browser cookies
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Loads DLL from Mozilla Firefox
  - dllhost.exe (PID: 648)
  - rundll32.exe (PID: 1560)
  - rundll32.exe (PID: 1192)
- The process executes via Task Scheduler
  - powershell.EXE (PID: 1824)
  - hXOvTzQ.exe (PID: 2084)
  - Utsysc.exe (PID: 2956)
  - powershell.EXE (PID: 600)
  - powershell.EXE (PID: 2868)
  - powershell.EXE (PID: 2276)
- Accesses Microsoft Outlook profiles
  - dllhost.exe (PID: 648)
  - rundll32.exe (PID: 1192)
  - rundll32.exe (PID: 1560)
- Starts SC.EXE for service management
  - cmd.exe (PID: 1176)
  - cmd.exe (PID: 1584)
- Uses powercfg.exe to modify the power settings
  - cmd.exe (PID: 2844)
  - cmd.exe (PID: 2380)
- Executes as Windows Service
  - updater.exe (PID: 2748)
  - raserver.exe (PID: 2940)
  - raserver.exe (PID: 2736)
  - raserver.exe (PID: 2660)
- Uses NETSH.EXE to obtain data on the network
  - rundll32.exe (PID: 1560)
  - rundll32.exe (PID: 1192)
- Uses RUNDLL32.EXE to load library
  - rundll32.exe (PID: 2380)
  - rundll32.exe (PID: 1092)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 1692)
- Drops a system driver (possible attempt to evade defenses)
  - updater.exe (PID: 2748)
- Unusual connection from system programs
  - powershell.exe (PID: 2952)
- The Powershell connects to the Internet
  - powershell.exe (PID: 2952)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 2112)
INFO
- Reads the machine GUID from the registry
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 3020)
  - CasPol.exe (PID: 1088)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - 5922194382.exe (PID: 1176)
  - khecpDjRjuqIukWbLZDmUWnY.exe (PID: 2744)
  - Utsysc.exe (PID: 2272)
  - Install.exe (PID: 3044)
- Reads the computer name
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 3020)
  - CasPol.exe (PID: 1088)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - 325VOYHzbgqGiCT0hueR3jb6.exe (PID: 2396)
  - 5922194382.exe (PID: 1176)
  - khecpDjRjuqIukWbLZDmUWnY.exe (PID: 2744)
  - Utsysc.exe (PID: 2272)
  - Install.exe (PID: 3044)
- Checks supported languages
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 3020)
  - CasPol.exe (PID: 1088)
  - qfrl0VezEeVkYQAg00KQpUKx.exe (PID: 2800)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2476)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - dm1vwqYFK8abRFgZn7nbzp4z.exe (PID: 2284)
  - AppLaunch.exe (PID: 2676)
  - qfrl0VezEeVkYQAg00KQpUKx.exe (PID: 2820)
  - eOHA2VCsfCBKKMh0RzO51F2N.exe (PID: 2308)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - 325VOYHzbgqGiCT0hueR3jb6.exe (PID: 2396)
  - khecpDjRjuqIukWbLZDmUWnY.exe (PID: 2744)
  - vrMlHFrJEre4vJcGRewvCkDG.exe (PID: 244)
  - 5922194382.exe (PID: 1176)
  - Utsysc.exe (PID: 2272)
  - Y9WclbSmTRO0ryLdJ6aV3Xi6.exe (PID: 1660)
  - Install.exe (PID: 1764)
  - Install.exe (PID: 3044)
  - updater.exe (PID: 2748)
  - hXOvTzQ.exe (PID: 2084)
  - Utsysc.exe (PID: 2956)
- Reads Environment values
  - CasPol.exe (PID: 1088)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Create files in a temporary directory
  - CasPol.exe (PID: 1088)
  - eOHA2VCsfCBKKMh0RzO51F2N.exe (PID: 2308)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - 5922194382.exe (PID: 1176)
  - Y9WclbSmTRO0ryLdJ6aV3Xi6.exe (PID: 1660)
  - Utsysc.exe (PID: 2272)
  - Install.exe (PID: 1764)
  - vrMlHFrJEre4vJcGRewvCkDG.exe (PID: 244)
  - Install.exe (PID: 3044)
- Creates files or folders in the user directory
  - CasPol.exe (PID: 1088)
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - explorer.exe (PID: 1944)
  - Utsysc.exe (PID: 2272)
- Checks proxy server information
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - IBYXbieN81AJAXFofh4mSEmZ.exe (PID: 2408)
  - Utsysc.exe (PID: 2272)
  - rundll32.exe (PID: 1560)
  - rundll32.exe (PID: 1192)
  - rundll32.exe (PID: 2268)
  - rundll32.exe (PID: 2920)
- Reads product name
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Reads CPU info
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
- Creates files in the program directory
  - mHMPa76o5Y1e2xa5vGD4kYCd.exe (PID: 2160)
  - vrMlHFrJEre4vJcGRewvCkDG.exe (PID: 244)
- The executable file from the user directory is run by the CMD process
  - 5922194382.exe (PID: 1176)
- Manual execution by a user
  - dllhost.exe (PID: 648)
- Drops the executable file immediately after the start
  - explorer.exe (PID: 1944)
- Reads the Internet Settings
  - explorer.exe (PID: 1944)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

OnlyLogger

(PID) Process(2408) IBYXbieN81AJAXFofh4mSEmZ.exe

C285.209.11.204

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (49.4)
.scr	\|	Windows screen saver (23.4)
.dll	\|	Win32 Dynamic Link Library (generic) (11.7)
.exe	\|	Win32 Executable (generic) (8)
.exe	\|	Generic Win/DOS Executable (3.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:11:07 19:07:31+01:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	433075
InitializedDataSize:	3584
UninitializedDataSize:	-
EntryPoint:	0x6bbad
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	6.34.311.48
ProductVersionNumber:	6.34.311.48
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	IWaYiCOgA
FileDescription:	AvOvEma AKiJoAaGI eUUwUNaAiwE AKeuIkiv EVAfA uzUlaLu edayu OLEPuP.
FileVersion:	6.34.311.48
InternalName:	AnAZUXoX
LegalCopyright:	© 2023 IWaYiCOgA.
OriginalFileName:	aEoJOoA
ProductName:	iEOKapuooy
ProductVersion:	6.34.311.48
Comments:	OhaOOb UhiVoVi uTInusA IPok EDeHiI isedOcOj aOExIV oqIJeNeu IrOraIExU.

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

288

Monitored processes

157

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

244

"C:\Users\admin\Pictures\vrMlHFrJEre4vJcGRewvCkDG.exe"

C:\Users\admin\Pictures\vrMlHFrJEre4vJcGRewvCkDG.exe

CasPol.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\pictures\vrmlhfrjere4vjcgrewvckdg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll

284

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

—

wscript.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

288

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VxrjVBYufVUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

—

wscript.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

312

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\admin\Pictures\mHMPa76o5Y1e2xa5vGD4kYCd.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\cmd.exe

—

mHMPa76o5Y1e2xa5vGD4kYCd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

460

sc stop wuauserv

C:\Windows\System32\sc.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

A tool to aid in developing services for WindowsNT

Exit code:

1062

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

584

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

—

taskeng.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

648

"C:\Windows\system32\dllhost.exe"

C:\Windows\System32\dllhost.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

COM Surrogate

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

796

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NmcYmBndU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

—

wscript.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

952

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\schtasks.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

Add for printing

Total events

33 007

Read events

32 401

Write events

605

Delete events

Modification events


(PID) Process:	(1944) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000088AF72B0747534094337F63DE35C94A000000000200000000001066000000010000200000003A7AE26404D75DF41C31FF40C5EA8CE90BAF74FA9E9BD7A9ACA34C7048350C1E000000000E8000000002000020000000BD2D56D46506C12C41A6A70B10E79EE53CB79EF36FD2BA8CDD2460CB8F4BE86A300000009B5D1418CBF2EB49F3C4BD4C21D58CA55B82FA3D3ED08AF0EF59D6C7ECAFC1055FA323A80FF7C154B1C9B60253392B6640000000DED9FDCC168073324C3013F1BB125E066EB1A2F09FD2C8E7CC7A793AA992E21EF1C942BF7294D04E036428704009B863B1CB981B97312E2530E3E816780CF7C9
(PID) Process:	(3020) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3020) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3020) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3020) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1088) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1088) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1088) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1088) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1088) CasPol.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
584	powershell.exe	C:\Users\admin\AppData\Local\Temp\whsg3whd.uj3.ps1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
584	powershell.exe	C:\Users\admin\AppData\Local\Temp\ol1wploz.hoa.psm1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
1088	CasPol.exe	C:\Users\admin\AppData\Local\qfjHtvN5u1Tb1jqoc19sLzZc.exe		html
		MD5:FCAD815E470706329E4E327194ACC07C	SHA256:280D939A66A0107297091B3B6F86D6529EF6FAC222A85DBC82822C3D5DC372B8
1088	CasPol.exe	C:\Users\admin\AppData\Local\Temp\CabA8AA.tmp		compressed
		MD5:F3441B8572AAE8801C04F3060B550443	SHA256:6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
1088	CasPol.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SKzpki8Tqr48N3x5Yks7kgYz.bat		text
		MD5:D26623166462B5C38F029F5172DA76D7	SHA256:175AD6A1C9F404C0B77B88F4B4B230506505104C28476FAE6CDF3C2449C60792
1088	CasPol.exe	C:\Users\admin\AppData\Local\Temp\TarA8DC.tmp		binary
		MD5:9441737383D21192400ECA82FDA910EC	SHA256:BC3A6E84E41FAEB57E7C21AA3B60C2A64777107009727C5B7C0ED8FE658909E5
1088	CasPol.exe	C:\Users\admin\Pictures\Q55LBaQ0GHyj5hUM39vJpsbj.exe		html
		MD5:FCAD815E470706329E4E327194ACC07C	SHA256:280D939A66A0107297091B3B6F86D6529EF6FAC222A85DBC82822C3D5DC372B8
1088	CasPol.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BRETfSbWV4QmgcY9xvnbWv9S.bat		text
		MD5:57DE6BA43A8460F69CAF82729E331A2C	SHA256:14B2213913C86C20715AB6ACD9EF46871790E7BED69C773375C8A5B4E7473DF4
1088	CasPol.exe	C:\Users\admin\Pictures\IBYXbieN81AJAXFofh4mSEmZ.exe		executable
		MD5:2969F0854C39B8675D1CC6FC184E466F	SHA256:10B1C07CDB1FCF27D73392369141B77671472DB7494B7234314C3DB3A7A10A79
1088	CasPol.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q95y0WADZ9dgu6sKOt1ONlub.bat		text
		MD5:D6DAF94EF21334D7DB0488284F0E0A0E	SHA256:CB9C1D614FF3A754F7319F96BA0284972CEAA86D84369300D2334C01AB0F13D5

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

116

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2160	mHMPa76o5Y1e2xa5vGD4kYCd.exe	GET	200	116.203.165.60:2087	http://116.203.165.60:2087/	unknown	—	—	—
1088	CasPol.exe	GET	200	194.49.94.67:80	http://194.49.94.67/files/My2.exe	unknown	executable	5.24 Mb	—
1088	CasPol.exe	GET	200	85.209.11.204:80	http://85.209.11.204/api/files/software/s5.exe	unknown	executable	326 Kb	—
2408	IBYXbieN81AJAXFofh4mSEmZ.exe	GET	200	85.209.11.204:80	http://85.209.11.204/api/files/client/s51	unknown	executable	887 Kb	—
1088	CasPol.exe	GET	200	5.42.67.10:80	http://5.42.67.10/setupdownload.exe	unknown	executable	1.41 Mb	—
1088	CasPol.exe	GET	200	95.140.236.128:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?56e02b563dbccaec	unknown	compressed	61.6 Kb	—
2408	IBYXbieN81AJAXFofh4mSEmZ.exe	GET	200	85.209.11.204:80	http://85.209.11.204/ip.php	unknown	text	13 b	—
1088	CasPol.exe	GET	301	185.26.182.112:80	http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767	unknown	html	162 b	—
2160	mHMPa76o5Y1e2xa5vGD4kYCd.exe	POST	200	116.203.165.60:2087	http://116.203.165.60:2087/	unknown	text	2 b	—
2160	mHMPa76o5Y1e2xa5vGD4kYCd.exe	POST	200	116.203.165.60:2087	http://116.203.165.60:2087/	unknown	text	1.52 Kb	—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1088	CasPol.exe	172.67.34.170:443	pastebin.com	CLOUDFLARENET	US	unknown
4	System	192.168.100.255:137	—	—	—	unknown
1088	CasPol.exe	104.21.93.225:443	flyawayaero.net	CLOUDFLARENET	—	unknown
1088	CasPol.exe	194.49.94.85:443	632432.space	Enes Koken	DE	unknown
1088	CasPol.exe	104.21.32.208:443	lycheepanel.info	CLOUDFLARENET	—	unknown
1088	CasPol.exe	179.61.12.110:443	globalsystemperu.com	TECNOWEB PERU SAC	CL	unknown
1088	CasPol.exe	194.49.94.67:80	—	Enes Koken	DE	unknown
1088	CasPol.exe	85.209.11.204:80	—	LLC Baxet	RU	unknown
1088	CasPol.exe	5.42.67.10:80	—	CJSC Kolomna-Sviaz TV	RU	unknown
1088	CasPol.exe	185.26.182.112:80	net.geo.opera.com	Opera Software AS	—	unknown

DNS requests

Domain	IP	Reputation
pastebin.com	172.67.34.170 104.20.68.143 104.20.67.143	unknown
flyawayaero.net	104.21.93.225 172.67.216.81	unknown
gobo11fc.top	89.191.234.21	unknown
632432.space	194.49.94.85	unknown
galandskiyher5.com	95.214.26.28	unknown
lycheepanel.info	104.21.32.208 172.67.187.122	unknown
net.geo.opera.com	185.26.182.112 185.26.182.111	unknown
globalsystemperu.com	179.61.12.110	unknown
yip.su	188.114.97.3 188.114.96.3	unknown
ctldl.windowsupdate.com	95.140.236.128 178.79.242.128 95.140.236.0	unknown

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
—	—	Potentially Bad Traffic	ET DNS Query for .su TLD (Soviet Union) Often Malware Related
—	—	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
—	—	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
—	—	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
—	—	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
—	—	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
—	—	Misc activity	ET INFO Packed Executable Download
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

13 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942

65ACBF192DDEF924085504F07E559AD7

991FFA6FAE12E521118BF1800FB9D534037C04FC

CCCC4690ACE16E44F44473C2DF179B5B17E27F863B33ABDA126199014CB224D8

6144:lWtuykMCEGs7e4IaLLWCfxMRhU+G36vzgymktD2FqJFCS7tQPD7f8u4GnfF5Kuwj:otuykbEGs7e4IWyCob6LHEB5rMT

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Create files in the Startup directory

Drops the executable file immediately after the start

STEALC has been detected (SURICATA)

GCLEANER has been detected (SURICATA)

Connects to the CnC server

Runs injected code in another process

Application was injected by another process

Steals credentials

RHADAMANTHYS has been detected (SURICATA)

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

AMADEY has been detected (SURICATA)

Starts CMD.EXE for self-deleting

Steals credentials from Web Browsers

ONLYLOGGER has been detected (YARA)

Run PowerShell with an invisible window

SMOKE has been detected (SURICATA)

Modifies hosts file to block updates

Unusual connection from system programs

Actions looks like stealing of personal data

Creates a writable file the system directory

Neoreklami has been detected

Modifies exclusions in Windows Defender

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Reads the Internet Settings

Script adds exclusion path to Windows Defender

Reads settings of System Certificates

Connects to the server without a host name

Application launched itself

Checks Windows Trust Settings

Reads security settings of Internet Explorer

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Process requests binary or script from the Internet

Connects to unusual port

The process checks if it is being run in the virtual environment

Searches for installed software

The process drops Mozilla's DLL files

Starts CMD.EXE for commands execution

Drops 7-zip archiver for unpacking

The process drops C-runtime libraries

Starts itself from another location

Process drops legitimate windows executable

Reads the BIOS version

Found strings related to reading or modifying Windows Defender settings

Uses REG/REGEDIT.EXE to modify registry

Uses TIMEOUT.EXE to delay execution

Reads browser cookies

Loads DLL from Mozilla Firefox

The process executes via Task Scheduler

Accesses Microsoft Outlook profiles

Starts SC.EXE for service management

Uses powercfg.exe to modify the power settings

Executes as Windows Service

Uses NETSH.EXE to obtain data on the network

Uses RUNDLL32.EXE to load library

Uses TASKKILL.EXE to kill process

Drops a system driver (possible attempt to evade defenses)

Unusual connection from system programs

The Powershell connects to the Internet

Runs shell command (SCRIPT)

INFO

Reads the machine GUID from the registry

Reads the computer name

Checks supported languages

Reads Environment values

Create files in a temporary directory

Creates files or folders in the user directory