Malware analysis splwow64.exe Malicious activity | ANY.RUN

Add for printing

File name:	splwow64.exe
Full analysis:	https://app.any.run/tasks/264bda92-63de-45bd-9dbf-405326e5b3d7
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 23, 2024, 20:10:44
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	amadey botnet stealer loader metastealer redline
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	2B01C9B0C69F13DA5EE7889A4B17C45E
SHA1:	27F0C1AE0DDEDDC9EFAC38BC473476B103FEF043
SHA256:	D5526528363CEEB718D30BC669038759C4CD80A1D3E9C8C661B12B261DCC9E29
SSDEEP:	49152:xbJ5NYRgPOau6akedLowwEoE62lde2gje64fzvlTgR/LLiWaBWoKpl7mXLLiA6+0:xbJ5MgdZakcA1E6Gc7jgfcZaLM7mHiTh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 736)
- AMADEY has been detected (SURICATA)
  - Waters.pif (PID: 6184)
- Connects to the CnC server
  - Waters.pif (PID: 6184)
  - ZusYB3MdCO.exe (PID: 6384)
- REDLINE has been detected (YARA)
  - ZusYB3MdCO.exe (PID: 6384)
- REDLINE has been detected (SURICATA)
  - ZusYB3MdCO.exe (PID: 6384)
- METASTEALER has been detected (SURICATA)
  - ZusYB3MdCO.exe (PID: 6384)
  - Aw9ir134T1.exe (PID: 5160)
- Stealers network behavior
  - ZusYB3MdCO.exe (PID: 6384)
  - Aw9ir134T1.exe (PID: 5160)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - splwow64.exe (PID: 4476)
- Starts CMD.EXE for commands execution
  - splwow64.exe (PID: 4476)
  - cmd.exe (PID: 2892)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 2892)
- Get information on the list of running processes
  - cmd.exe (PID: 2892)
- Executing commands from a ".bat" file
  - splwow64.exe (PID: 4476)
- Application launched itself
  - cmd.exe (PID: 2892)
- Executable content was dropped or overwritten
  - cmd.exe (PID: 2892)
  - Waters.pif (PID: 6184)
  - RegAsm.exe (PID: 6352)
- Starts application with an unusual extension
  - cmd.exe (PID: 2892)
  - wscript.exe (PID: 4520)
- Drops a file with a rarely used extension (PIF)
  - cmd.exe (PID: 2892)
- The executable file from the user directory is run by the CMD process
  - Waters.pif (PID: 6184)
- Connects to unusual port
  - ZusYB3MdCO.exe (PID: 6384)
  - Aw9ir134T1.exe (PID: 5160)
- Contacting a server suspected of hosting an CnC
  - Waters.pif (PID: 6184)
  - Aw9ir134T1.exe (PID: 5160)
- Potential Corporate Privacy Violation
  - Waters.pif (PID: 6184)
- The process executes via Task Scheduler
  - wscript.exe (PID: 4520)
INFO
- Checks supported languages
  - splwow64.exe (PID: 4476)
- The process uses the downloaded file
  - splwow64.exe (PID: 4476)
- Create files in a temporary directory
  - splwow64.exe (PID: 4476)
- Reads the computer name
  - splwow64.exe (PID: 4476)
- Process checks computer location settings
  - splwow64.exe (PID: 4476)
- Manual execution by a user
  - cmd.exe (PID: 736)
  - cmd.exe (PID: 6680)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

RedLine

(PID) Process(6384) ZusYB3MdCO.exe

C2 (1)65.21.18.51:45580

Botnet@LOGSCLOUDYT_BOT

Options

ErrorMessage

Keys

XorBackswords

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:02:24 19:19:43+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	28672
InitializedDataSize:	4120064
UninitializedDataSize:	16896
EntryPoint:	0x3899
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	10.0.22621.3672
ProductVersionNumber:	10.0.22621.3672
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Print driver host for applications
FileVersion:	10.0.22621.3672 (WinBuild.160101.0800)
InternalName:	splwow64.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	splwow64.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.22621.3672

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

154

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

376

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

736

cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\cmd.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

740

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1048

schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1076

cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2472

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

Aw9ir134T1.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2892

"C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat

C:\Windows\SysWOW64\cmd.exe

splwow64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3140

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3324

"C:\Users\admin\AppData\Local\Temp\1000434001\12dsvc.exe"

C:\Users\admin\AppData\Local\Temp\1000434001\12dsvc.exe

—

Waters.pif

User:

admin

Company:

Production subsumption

Integrity Level:

MEDIUM

Description:

protestations wonk separationist

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\1000434001\12dsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

4280

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

12dsvc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

10 550

Read events

10 546

Write events

Delete events

Modification events


(PID) Process:	(6184) Waters.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6184) Waters.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6184) Waters.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(4520) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation:	write	Name:	JScriptSetScriptStateStarted
Value: 6F88230000000000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4476	splwow64.exe	C:\Users\admin\AppData\Local\Temp\Temperature		binary
		MD5:249D56CBE275C2258CCD964F0C6241D9	SHA256:7C16E21E29D442BF0B459D083198B22EE9C6D9926E3AA61F43DC3A1EE3ECB731
2892	cmd.exe	C:\Users\admin\AppData\Local\Temp\607698\Waters.pif		executable
		MD5:71E28D40E99E3136459D1A310748A687	SHA256:141E3E9EDF7943E768B146BA6AB8B4A6A79F162B5054EF9AFA0D11E236DB07E1
4476	splwow64.exe	C:\Users\admin\AppData\Local\Temp\Language		binary
		MD5:5DE7106DF85E2F96F46F642D98433AD1	SHA256:9201319C9C07E4312717845E59C9FE3A987F70575CD63E4C042DB778EBE4D5E9
4476	splwow64.exe	C:\Users\admin\AppData\Local\Temp\Viruses		binary
		MD5:7C9DD6F9FA719321B72805DF762A82DA	SHA256:98232A6528BEB079D8FA9D77751722159D4974E6859DF867EFB3BA7A3EEC4BEC
4476	splwow64.exe	C:\Users\admin\AppData\Local\Temp\Ashley		binary
		MD5:E522956891659C41BD8550B8D5E16231	SHA256:DDB7F60AB5F8957955DD20F2DC270E3EF833D3727F374A8C4C444634BD05609D
4476	splwow64.exe	C:\Users\admin\AppData\Local\Temp\Fla		binary
		MD5:E139E52F93AE3E19AB47F437CBE8B3DE	SHA256:E0C1C46FA4582A3826F7AED2F7FB454D3EE42A425F214321910C25CC1D8879D5
4476	splwow64.exe	C:\Users\admin\AppData\Local\Temp\Navy		binary
		MD5:D4EB107CFD9FC38ED7E7B253562E155A	SHA256:68E9A8D57BA2A484DD28A1AFED5262A86AFF4D81467B93B4072F329FAB984F4C
4476	splwow64.exe	C:\Users\admin\AppData\Local\Temp\Width		binary
		MD5:12D9AD507C856D833101C9E367466555	SHA256:8E7415ED2D0D5C6E69D6A02BC3928C9ADF685A43932E4543084B917946361974
6184	Waters.pif	C:\Users\admin\AppData\Local\QuantumDynamics Lab\W		binary
		MD5:7B5632DCD418BCBAE2A9009DBAF85F37	SHA256:361E9C3B62719B79BC280420B5F710E160FD55F2250BF605911DED7162483DB4
4476	splwow64.exe	C:\Users\admin\AppData\Local\Temp\Participants		binary
		MD5:F0E725ADDF4EC15A56AA0BDE5BD8B2A7	SHA256:7CBD6810CB4DD516EEB75DF79D1DB55F74471C11594333AC225F24BFC0FCA7CA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6184	Waters.pif	POST	200	185.215.113.19:80	http://185.215.113.19/CoreOPT/index.php	unknown	—	—	unknown
6184	Waters.pif	GET	200	194.116.215.195:80	http://194.116.215.195/12dsvc.exe	unknown	—	—	suspicious
6184	Waters.pif	POST	200	185.215.113.19:80	http://185.215.113.19/CoreOPT/index.php	unknown	—	—	unknown
936	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2340	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
2120	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6184	Waters.pif	POST	200	185.215.113.19:80	http://185.215.113.19/CoreOPT/index.php?scr=1	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	52.167.17.97:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
2120	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
936	svchost.exe	40.126.32.74:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
936	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5336	SearchApp.exe	20.189.173.7:443	browser.pipe.aria.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5336	SearchApp.exe	2.23.209.143:443	www.bing.com	Akamai International B.V.	GB	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	52.167.17.97 4.231.128.59	whitelisted
google.com	142.250.185.238	whitelisted
www.microsoft.com	95.101.149.131 88.221.169.152	whitelisted
login.live.com	40.126.32.74 40.126.32.140 40.126.32.76 20.190.160.22 40.126.32.133 40.126.32.72 20.190.160.14 40.126.32.138	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
HAYtAoQHDCIZfrnmkrkib.HAYtAoQHDCIZfrnmkrkib	—	unknown
browser.pipe.aria.microsoft.com	20.189.173.7	whitelisted
www.bing.com	2.23.209.143 2.23.209.150 2.23.209.130 2.23.209.187 2.23.209.183 2.23.209.135 2.23.209.154 2.23.209.189 2.23.209.133	whitelisted
slscr.update.microsoft.com	52.165.165.26	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted

Threats

PID	Process	Class	Message
6184	Waters.pif	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
6184	Waters.pif	A Network Trojan was detected	ET MALWARE Amadey Bot Activity (POST) M1
6184	Waters.pif	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
6184	Waters.pif	A Network Trojan was detected	ET MALWARE Amadey Bot Activity (POST)
6184	Waters.pif	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
6184	Waters.pif	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
6184	Waters.pif	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
6184	Waters.pif	A Network Trojan was detected	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
5160	Aw9ir134T1.exe	Malware Command and Control Activity Detected	ET MALWARE [ANY.RUN] MetaStealer v.5 (MC-NMF TLS Server Certificate)
5160	Aw9ir134T1.exe	Malware Command and Control Activity Detected	STEALER [ANY.RUN] MetaStealer v.5 TLS Certificate

2 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

splwow64.exe

2B01C9B0C69F13DA5EE7889A4B17C45E

27F0C1AE0DDEDDC9EFAC38BC473476B103FEF043

D5526528363CEEB718D30BC669038759C4CD80A1D3E9C8C661B12B261DCC9E29

49152:xbJ5NYRgPOau6akedLowwEoE62lde2gje64fzvlTgR/LLiWaBWoKpl7mXLLiA6+0:xbJ5MgdZakcA1E6Gc7jgfcZaLM7mHiTh

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses Task Scheduler to run other applications

AMADEY has been detected (SURICATA)

Connects to the CnC server

REDLINE has been detected (YARA)

REDLINE has been detected (SURICATA)

METASTEALER has been detected (SURICATA)

Stealers network behavior

SUSPICIOUS

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Using 'findstr.exe' to search for text patterns in files and output

Get information on the list of running processes

Executing commands from a ".bat" file

Application launched itself

Executable content was dropped or overwritten

Starts application with an unusual extension

Drops a file with a rarely used extension (PIF)

The executable file from the user directory is run by the CMD process

Connects to unusual port

Contacting a server suspected of hosting an CnC

Potential Corporate Privacy Violation

The process executes via Task Scheduler

INFO

Checks supported languages

The process uses the downloaded file

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

Manual execution by a user

Malware configuration

RedLine

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests