Malware analysis Oden_PO2339.exe Malicious activity | ANY.RUN

Add for printing

File name:	Oden_PO2339.exe
Full analysis:	https://app.any.run/tasks/360448a1-5786-42b3-a8f8-d21c889eb05f
Verdict:	Malicious activity
Analysis date:	December 21, 2023, 07:49:18
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	warzone
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	7CE47DEE0EF61A16D0811FBE451E02F2
SHA1:	3C7271B7AB2E80EF40BE568D7CD4C36A2212EC64
SHA256:	D2D549D6DD5D017CE1B853932513EC389DE11E6443FE466487B2ED2E1528B857
SSDEEP:	49152:waeK3eJrsU//aUEORYXfXaIGoMT1QFt5NBcQMvyM88TJuHK8WMxeitSexEsat7OZ:waeKyN/aUEvXfXPt4ytPou8oHK8TIith

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - Oden_PO2339.exe (PID: 2544)
  - zxfvzxvr.exe (PID: 388)
  - drgsfszs.sfx.exe (PID: 2444)
  - drgsfszs.exe (PID: 2148)
  - zxfvzxvr.sfx.exe (PID: 1792)
- WARZONE has been detected (YARA)
  - mimages.exe (PID: 2044)
SUSPICIOUS
- Reads the Internet Settings
  - Oden_PO2339.exe (PID: 2544)
  - zxfvzxvr.exe (PID: 388)
  - drgsfszs.sfx.exe (PID: 2444)
  - zxfvzxvr.sfx.exe (PID: 1792)
- Executing commands from a ".bat" file
  - zxfvzxvr.exe (PID: 388)
- Starts CMD.EXE for commands execution
  - zxfvzxvr.exe (PID: 388)
  - Oden_PO2339.exe (PID: 2544)
- Connects to unusual port
  - mimages.exe (PID: 2044)
- Executing commands from ".cmd" file
  - Oden_PO2339.exe (PID: 2544)
INFO
- Checks supported languages
  - Oden_PO2339.exe (PID: 2544)
  - drgsfszs.sfx.exe (PID: 2444)
  - drgsfszs.exe (PID: 2148)
  - drgsfszs.exe (PID: 1504)
  - mimages.exe (PID: 2044)
  - mimages.exe (PID: 3000)
  - zxfvzxvr.sfx.exe (PID: 1792)
  - zxfvzxvr.exe (PID: 388)
- Reads the computer name
  - Oden_PO2339.exe (PID: 2544)
  - zxfvzxvr.sfx.exe (PID: 1792)
  - zxfvzxvr.exe (PID: 388)
  - drgsfszs.sfx.exe (PID: 2444)
  - drgsfszs.exe (PID: 1504)
  - drgsfszs.exe (PID: 2148)
  - mimages.exe (PID: 3000)
  - mimages.exe (PID: 2044)
- Creates files or folders in the user directory
  - Oden_PO2339.exe (PID: 2544)
  - zxfvzxvr.sfx.exe (PID: 1792)
  - drgsfszs.exe (PID: 2148)
- Application launched itself
  - chrome.exe (PID: 2996)
  - drgsfszs.exe (PID: 1504)
  - mimages.exe (PID: 3000)
- The executable file from the user directory is run by the CMD process
  - zxfvzxvr.sfx.exe (PID: 1792)
  - drgsfszs.sfx.exe (PID: 2444)
- Starts itself from another location
  - zxfvzxvr.sfx.exe (PID: 1792)
  - drgsfszs.exe (PID: 2148)
- Create files in a temporary directory
  - zxfvzxvr.exe (PID: 388)
  - drgsfszs.sfx.exe (PID: 2444)
- Reads the machine GUID from the registry
  - drgsfszs.exe (PID: 1504)
  - mimages.exe (PID: 3000)
- The process uses the downloaded file
  - chrome.exe (PID: 2484)
  - chrome.exe (PID: 2800)
  - chrome.exe (PID: 388)
- Drops the executable file immediately after the start
  - chrome.exe (PID: 2472)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

WarZone

(PID) Process(2044) mimages.exe

C2 (1)glotreobmoenry.sytes.net:5210

BuildIDT37PC1JH48

Options

Install FlagTrue

Install namemimages.exe

Startup FlagTrue

Startup nameMImages

Reverse Proxy local port5000

Offline logFalse

PersistanceFalse

UAC bypassFalse

Defender bypassFalse

Use ADSFalse

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:04:27 22:03:27+02:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	190976
InitializedDataSize:	71680
UninitializedDataSize:	-
EntryPoint:	0x1d759
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

388

"C:\Users\admin\AppData\Roaming\zxfvzxvr.exe"

C:\Users\admin\AppData\Roaming\zxfvzxvr.exe

—

zxfvzxvr.sfx.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\roaming\zxfvzxvr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

388

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=3624 --field-trial-handle=1248,i,1687315606856097483,14012608080577865884,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

756

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1328 --field-trial-handle=1248,i,1687315606856097483,14012608080577865884,131072 /prefetch:2

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1096

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1248,i,1687315606856097483,14012608080577865884,131072 /prefetch:2

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1100

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2136 --field-trial-handle=1248,i,1687315606856097483,14012608080577865884,131072 /prefetch:1

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1368

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=3512 --field-trial-handle=1248,i,1687315606856097483,14012608080577865884,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1488

"C:\Users\admin\AppData\Local\Google\Chrome\User Data\SwReporter\112.300.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=B2i5awYBScXxNpEhuXJb+MuwnTKPHuJgt0ttZqME --registry-suffix=ESET

C:\Users\admin\AppData\Local\Google\Chrome\User Data\SwReporter\112.300.200\software_reporter_tool.exe

—

chrome.exe

User:

admin

Company:

Google

Integrity Level:

MEDIUM

Description:

Software Reporter Tool

Exit code:

3221225785

Version:

112.300.200

Modules

Images
c:\users\admin\appdata\local\google\chrome\user data\swreporter\112.300.200\software_reporter_tool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1504

"C:\Users\admin\AppData\Local\Temp\drgsfszs.exe"

C:\Users\admin\AppData\Local\Temp\drgsfszs.exe

—

drgsfszs.sfx.exe

User:

admin

Company:

Vopth View Vitch

Integrity Level:

MEDIUM

Description:

Vopth View

Exit code:

Version:

9.8.8.8

Modules

Images
c:\users\admin\appdata\local\temp\drgsfszs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll

1644

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=3696 --field-trial-handle=1248,i,1687315606856097483,14012608080577865884,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1644

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3720 --field-trial-handle=1248,i,1687315606856097483,14012608080577865884,131072 /prefetch:1

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

6 756

Read events

6 628

Write events

127

Delete events

Modification events


(PID) Process:	(2544) Oden_PO2339.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2544) Oden_PO2339.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2544) Oden_PO2339.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2544) Oden_PO2339.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2996) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(2996) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(2996) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:	write	Name:	StatusCodes
Value: 01000000
(PID) Process:	(2996) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(1792) zxfvzxvr.sfx.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1792) zxfvzxvr.sfx.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

Add for printing

Executable files

Suspicious files

114

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2996	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF108280.TMP		—
		MD5:—	SHA256:—
2996	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
2996	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat		binary
		MD5:9C7925A6B262C5676D1C36638981A6EA	SHA256:07F6FB1E9CBCE4D15C00A9FBF9A95C1F31DE20C4C48B433198862E8759CD128D
2544	Oden_PO2339.exe	C:\Users\admin\AppData\Roaming\zxfvzxvr.sfx.exe		executable
		MD5:2ED7448479CC04EB63F750814199AE6F	SHA256:74BD13647CE1BC6B000510E88DC437403AD83483F9A12757F980B2D98170967F
2544	Oden_PO2339.exe	C:\Users\admin\AppData\Roaming\kubSample.webp		image
		MD5:550C8AD1E9FA820795B6087624C05BD4	SHA256:520F8F4599399887EAA61010D27F48036611F1D4410D199E929BB4B6D9ACB9AC
2996	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old~RF1083a9.TMP		text
		MD5:83DFA02A36C9307E698CB66E868BF1B6	SHA256:—
2996	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Version		text
		MD5:9F941EA08DBDCA2EB3CFA1DBBBA6F5DC	SHA256:127F71DF0D2AD895D4F293E62284D85971AE047CA15F90B87BF6335898B0B655
2544	Oden_PO2339.exe	C:\Users\admin\AppData\Roaming\hycxhxtr.cmd		text
		MD5:29E365C43A5C339CF02E30A520EDAC31	SHA256:347AE171E7BD0F8AAC406AD585C241FA76E54FEC61CD6DB92F5071108ECE58EB
388	zxfvzxvr.exe	C:\Users\admin\AppData\Local\Temp\hjbhsfhxtr.bat		text
		MD5:3F149C4F4A1996114DA1D147B7CD5989	SHA256:595DCFB1DF46752EA2F0BE4B75E2770397BFEF329D19E2D471871BDC6D5A74BC
1792	zxfvzxvr.sfx.exe	C:\Users\admin\AppData\Roaming\zxfvzxvr.exe		executable
		MD5:2A0C5B7AF46C1EA79907CD7957C4779C	SHA256:F1B234DA3066573E18CE57C1DEE3B4B4DFA3D152268FC5544D9F5CC0F52F17E2

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
864	svchost.exe	HEAD	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ncrr3jrkc3nerq4tdp7lehlppe_112.300.200/gkmgaooipdjhmangpemjhigmamcehddo_112.300.200_win64_nrpvirsu5aw3cszevrlqbmhv34.crx3	unknown	—	—	unknown
864	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ncrr3jrkc3nerq4tdp7lehlppe_112.300.200/gkmgaooipdjhmangpemjhigmamcehddo_112.300.200_win64_nrpvirsu5aw3cszevrlqbmhv34.crx3	unknown	binary	10.1 Kb	unknown
864	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ncrr3jrkc3nerq4tdp7lehlppe_112.300.200/gkmgaooipdjhmangpemjhigmamcehddo_112.300.200_win64_nrpvirsu5aw3cszevrlqbmhv34.crx3	unknown	binary	5.64 Kb	unknown
864	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ncrr3jrkc3nerq4tdp7lehlppe_112.300.200/gkmgaooipdjhmangpemjhigmamcehddo_112.300.200_win64_nrpvirsu5aw3cszevrlqbmhv34.crx3	unknown	binary	9.88 Kb	unknown
864	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ncrr3jrkc3nerq4tdp7lehlppe_112.300.200/gkmgaooipdjhmangpemjhigmamcehddo_112.300.200_win64_nrpvirsu5aw3cszevrlqbmhv34.crx3	unknown	binary	10.0 Kb	unknown
864	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ncrr3jrkc3nerq4tdp7lehlppe_112.300.200/gkmgaooipdjhmangpemjhigmamcehddo_112.300.200_win64_nrpvirsu5aw3cszevrlqbmhv34.crx3	unknown	binary	44.5 Kb	unknown
864	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ncrr3jrkc3nerq4tdp7lehlppe_112.300.200/gkmgaooipdjhmangpemjhigmamcehddo_112.300.200_win64_nrpvirsu5aw3cszevrlqbmhv34.crx3	unknown	binary	21.4 Kb	unknown
864	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ncrr3jrkc3nerq4tdp7lehlppe_112.300.200/gkmgaooipdjhmangpemjhigmamcehddo_112.300.200_win64_nrpvirsu5aw3cszevrlqbmhv34.crx3	unknown	binary	90.5 Kb	unknown
864	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ncrr3jrkc3nerq4tdp7lehlppe_112.300.200/gkmgaooipdjhmangpemjhigmamcehddo_112.300.200_win64_nrpvirsu5aw3cszevrlqbmhv34.crx3	unknown	binary	181 Kb	unknown
864	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ncrr3jrkc3nerq4tdp7lehlppe_112.300.200/gkmgaooipdjhmangpemjhigmamcehddo_112.300.200_win64_nrpvirsu5aw3cszevrlqbmhv34.crx3	unknown	binary	342 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1220	svchost.exe	239.255.255.250:3702	—	—	—	whitelisted
352	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2136	chrome.exe	172.217.23.99:443	clientservices.googleapis.com	GOOGLE	US	whitelisted
2996	chrome.exe	239.255.255.250:1900	—	—	—	whitelisted
2136	chrome.exe	173.194.76.84:443	accounts.google.com	GOOGLE	US	whitelisted
2996	chrome.exe	224.0.0.251:5353	—	—	—	unknown
2136	chrome.exe	142.250.186.67:443	update.googleapis.com	GOOGLE	US	whitelisted
2044	mimages.exe	91.92.252.239:5210	glotreobmoenry.sytes.net	—	BG	malicious
2136	chrome.exe	142.250.185.170:443	optimizationguide-pa.googleapis.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
clientservices.googleapis.com	172.217.23.99	whitelisted
accounts.google.com	173.194.76.84	shared
update.googleapis.com	142.250.186.67	whitelisted
glotreobmoenry.sytes.net	91.92.252.239	unknown
optimizationguide-pa.googleapis.com	142.250.185.170 142.250.185.202 142.250.185.234 142.250.186.74 142.250.186.106 142.250.181.234 172.217.16.138 142.250.184.202 142.250.184.234 142.250.186.138 142.250.186.42 172.217.18.10 172.217.16.202 142.250.186.170 216.58.206.42 172.217.18.106	whitelisted
www.googleapis.com	216.58.212.138 142.250.185.74 142.250.185.106 142.250.185.138 142.250.185.170 142.250.185.202 142.250.185.234 142.250.186.74 142.250.186.106 142.250.181.234 172.217.16.138 142.250.184.202 142.250.184.234 142.250.186.138 142.250.74.202 142.250.186.42	whitelisted
support.google.com	142.250.186.78	whitelisted
safebrowsing.googleapis.com	172.217.16.138	whitelisted
fonts.googleapis.com	142.250.186.170	whitelisted
www.google-analytics.com	142.250.184.206	whitelisted

Threats

PID	Process	Class	Message
352	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.sytes.net Domain
352	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.sytes.net Domain

Add for printing

No debug info

General Info

Oden_PO2339.exe

7CE47DEE0EF61A16D0811FBE451E02F2

3C7271B7AB2E80EF40BE568D7CD4C36A2212EC64

D2D549D6DD5D017CE1B853932513EC389DE11E6443FE466487B2ED2E1528B857

49152:waeK3eJrsU//aUEORYXfXaIGoMT1QFt5NBcQMvyM88TJuHK8WMxeitSexEsat7OZ:waeKyN/aUEvXfXPt4ytPou8oHK8TIith

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

WARZONE has been detected (YARA)

SUSPICIOUS

Reads the Internet Settings

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Connects to unusual port

Executing commands from ".cmd" file

INFO

Checks supported languages

Reads the computer name

Creates files or folders in the user directory

Application launched itself

The executable file from the user directory is run by the CMD process

Starts itself from another location

Create files in a temporary directory

Reads the machine GUID from the registry

The process uses the downloaded file

Drops the executable file immediately after the start

Malware configuration

WarZone

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings