Malware analysis splwow64.exe Malicious activity | ANY.RUN

Add for printing

File name:	splwow64.exe
Full analysis:	https://app.any.run/tasks/264bda92-63de-45bd-9dbf-405326e5b3d7
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 23, 2024, 20:10:44
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	amadey botnet stealer loader metastealer redline
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	2B01C9B0C69F13DA5EE7889A4B17C45E
SHA1:	27F0C1AE0DDEDDC9EFAC38BC473476B103FEF043
SHA256:	D5526528363CEEB718D30BC669038759C4CD80A1D3E9C8C661B12B261DCC9E29
SSDEEP:	49152:xbJ5NYRgPOau6akedLowwEoE62lde2gje64fzvlTgR/LLiWaBWoKpl7mXLLiA6+0:xbJ5MgdZakcA1E6Gc7jgfcZaLM7mHiTh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- AMADEY has been detected (SURICATA)
  - Waters.pif (PID: 6184)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 736)
- Connects to the CnC server
  - Waters.pif (PID: 6184)
  - ZusYB3MdCO.exe (PID: 6384)
- REDLINE has been detected (SURICATA)
  - ZusYB3MdCO.exe (PID: 6384)
- Stealers network behavior
  - Aw9ir134T1.exe (PID: 5160)
  - ZusYB3MdCO.exe (PID: 6384)
- METASTEALER has been detected (SURICATA)
  - ZusYB3MdCO.exe (PID: 6384)
  - Aw9ir134T1.exe (PID: 5160)
- REDLINE has been detected (YARA)
  - ZusYB3MdCO.exe (PID: 6384)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - splwow64.exe (PID: 4476)
- Starts CMD.EXE for commands execution
  - cmd.exe (PID: 2892)
  - splwow64.exe (PID: 4476)
- Executable content was dropped or overwritten
  - cmd.exe (PID: 2892)
  - Waters.pif (PID: 6184)
  - RegAsm.exe (PID: 6352)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 2892)
- Application launched itself
  - cmd.exe (PID: 2892)
- Starts application with an unusual extension
  - cmd.exe (PID: 2892)
  - wscript.exe (PID: 4520)
- Executing commands from a ".bat" file
  - splwow64.exe (PID: 4476)
- Get information on the list of running processes
  - cmd.exe (PID: 2892)
- The executable file from the user directory is run by the CMD process
  - Waters.pif (PID: 6184)
- Drops a file with a rarely used extension (PIF)
  - cmd.exe (PID: 2892)
- Contacting a server suspected of hosting an CnC
  - Waters.pif (PID: 6184)
  - Aw9ir134T1.exe (PID: 5160)
- Connects to unusual port
  - ZusYB3MdCO.exe (PID: 6384)
  - Aw9ir134T1.exe (PID: 5160)
- Potential Corporate Privacy Violation
  - Waters.pif (PID: 6184)
- The process executes via Task Scheduler
  - wscript.exe (PID: 4520)
INFO
- The process uses the downloaded file
  - splwow64.exe (PID: 4476)
- Create files in a temporary directory
  - splwow64.exe (PID: 4476)
- Checks supported languages
  - splwow64.exe (PID: 4476)
- Reads the computer name
  - splwow64.exe (PID: 4476)
- Process checks computer location settings
  - splwow64.exe (PID: 4476)
- Manual execution by a user
  - cmd.exe (PID: 736)
  - cmd.exe (PID: 6680)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

RedLine

(PID) Process(6384) ZusYB3MdCO.exe

C2 (1)65.21.18.51:45580

Botnet@LOGSCLOUDYT_BOT

Options

ErrorMessage

Keys

XorBackswords

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:02:24 19:19:43+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	28672
InitializedDataSize:	4120064
UninitializedDataSize:	16896
EntryPoint:	0x3899
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	10.0.22621.3672
ProductVersionNumber:	10.0.22621.3672
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Print driver host for applications
FileVersion:	10.0.22621.3672 (WinBuild.160101.0800)
InternalName:	splwow64.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	splwow64.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.22621.3672

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

154

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

376

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

736

cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\cmd.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

740

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1048

schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1076

cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2472

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

Aw9ir134T1.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2892

"C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat

C:\Windows\SysWOW64\cmd.exe

splwow64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3140

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3324

"C:\Users\admin\AppData\Local\Temp\1000434001\12dsvc.exe"

C:\Users\admin\AppData\Local\Temp\1000434001\12dsvc.exe

—

Waters.pif

User:

admin

Company:

Production subsumption

Integrity Level:

MEDIUM

Description:

protestations wonk separationist

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\1000434001\12dsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

4280

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

12dsvc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

10 550

Read events

10 546

Write events

Delete events

Modification events


(PID) Process:	(6184) Waters.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6184) Waters.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6184) Waters.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(4520) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation:	write	Name:	JScriptSetScriptStateStarted
Value: 6F88230000000000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4476	splwow64.exe	C:\Users\admin\AppData\Local\Temp\Streaming		binary
		MD5:1501DE696D22F872DB44B548CBA0E4FA	SHA256:DCF4784EA71A3E1A42318C09183D4B5981009D296814D3679CA68EB0A7C9E2EF
2892	cmd.exe	C:\Users\admin\AppData\Local\Temp\Emotions.bat		text
		MD5:B98D78C3ABE777A5474A60E970A674AD	SHA256:2BC28AFB291ECE550A7CD2D0C5C060730EB1981D1CF122558D6971526C637EB4
4476	splwow64.exe	C:\Users\admin\AppData\Local\Temp\Emotions		text
		MD5:B98D78C3ABE777A5474A60E970A674AD	SHA256:2BC28AFB291ECE550A7CD2D0C5C060730EB1981D1CF122558D6971526C637EB4
4476	splwow64.exe	C:\Users\admin\AppData\Local\Temp\Language		binary
		MD5:5DE7106DF85E2F96F46F642D98433AD1	SHA256:9201319C9C07E4312717845E59C9FE3A987F70575CD63E4C042DB778EBE4D5E9
4476	splwow64.exe	C:\Users\admin\AppData\Local\Temp\Bet		binary
		MD5:0F3F07B667E947C4DA38813D6D651E2A	SHA256:32B3D9D5BC58659EA524AA2CABD9CFC81B73E679E3D2CC899DFB00439612F5FF
1076	cmd.exe	C:\Users\admin\AppData\Local\Temp\607698\Q		binary
		MD5:7B5632DCD418BCBAE2A9009DBAF85F37	SHA256:361E9C3B62719B79BC280420B5F710E160FD55F2250BF605911DED7162483DB4
6184	Waters.pif	C:\Users\admin\AppData\Local\QuantumDynamics Lab\W		binary
		MD5:7B5632DCD418BCBAE2A9009DBAF85F37	SHA256:361E9C3B62719B79BC280420B5F710E160FD55F2250BF605911DED7162483DB4
6184	Waters.pif	C:\Users\admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js		text
		MD5:CA21689FE68A876F068F8A87A906FE9A	SHA256:E0DD98EA1A93E08F544D822A56336CBD422564AF81A5759C4759430E2B055A12
2892	cmd.exe	C:\Users\admin\AppData\Local\Temp\607698\Waters.pif		executable
		MD5:71E28D40E99E3136459D1A310748A687	SHA256:141E3E9EDF7943E768B146BA6AB8B4A6A79F162B5054EF9AFA0D11E236DB07E1
4476	splwow64.exe	C:\Users\admin\AppData\Local\Temp\Ensures		binary
		MD5:C6FA82D60CFBF9E83B4CF3CBD1F01552	SHA256:2686B284D1C21D06AB10829C16657334E13428210CCDA89F68BFB8ACBFC72B42

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
936	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2120	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2340	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
2340	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6184	Waters.pif	POST	200	185.215.113.19:80	http://185.215.113.19/CoreOPT/index.php	unknown	—	—	unknown
6184	Waters.pif	POST	200	185.215.113.19:80	http://185.215.113.19/CoreOPT/index.php	unknown	—	—	unknown
6184	Waters.pif	GET	200	194.116.215.195:80	http://194.116.215.195/12dsvc.exe	unknown	—	—	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	52.167.17.97:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
2120	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
936	svchost.exe	40.126.32.74:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
936	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5336	SearchApp.exe	20.189.173.7:443	browser.pipe.aria.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5336	SearchApp.exe	2.23.209.143:443	www.bing.com	Akamai International B.V.	GB	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	52.167.17.97 4.231.128.59	whitelisted
google.com	142.250.185.238	whitelisted
www.microsoft.com	95.101.149.131 88.221.169.152	whitelisted
login.live.com	40.126.32.74 40.126.32.140 40.126.32.76 20.190.160.22 40.126.32.133 40.126.32.72 20.190.160.14 40.126.32.138	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
HAYtAoQHDCIZfrnmkrkib.HAYtAoQHDCIZfrnmkrkib	—	unknown
browser.pipe.aria.microsoft.com	20.189.173.7	whitelisted
www.bing.com	2.23.209.143 2.23.209.150 2.23.209.130 2.23.209.187 2.23.209.183 2.23.209.135 2.23.209.154 2.23.209.189 2.23.209.133	whitelisted
slscr.update.microsoft.com	52.165.165.26	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted

Threats

PID	Process	Class	Message
6184	Waters.pif	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
6184	Waters.pif	A Network Trojan was detected	ET MALWARE Amadey Bot Activity (POST) M1
6184	Waters.pif	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
6184	Waters.pif	A Network Trojan was detected	ET MALWARE Amadey Bot Activity (POST)
6184	Waters.pif	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
6184	Waters.pif	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
6184	Waters.pif	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
6184	Waters.pif	A Network Trojan was detected	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
5160	Aw9ir134T1.exe	Malware Command and Control Activity Detected	ET MALWARE [ANY.RUN] MetaStealer v.5 (MC-NMF TLS Server Certificate)
5160	Aw9ir134T1.exe	Malware Command and Control Activity Detected	STEALER [ANY.RUN] MetaStealer v.5 TLS Certificate

2 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

splwow64.exe

2B01C9B0C69F13DA5EE7889A4B17C45E

27F0C1AE0DDEDDC9EFAC38BC473476B103FEF043

D5526528363CEEB718D30BC669038759C4CD80A1D3E9C8C661B12B261DCC9E29

49152:xbJ5NYRgPOau6akedLowwEoE62lde2gje64fzvlTgR/LLiWaBWoKpl7mXLLiA6+0:xbJ5MgdZakcA1E6Gc7jgfcZaLM7mHiTh

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

AMADEY has been detected (SURICATA)

Uses Task Scheduler to run other applications

Connects to the CnC server

REDLINE has been detected (SURICATA)

Stealers network behavior

METASTEALER has been detected (SURICATA)

REDLINE has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Using 'findstr.exe' to search for text patterns in files and output

Application launched itself

Starts application with an unusual extension

Executing commands from a ".bat" file

Get information on the list of running processes

The executable file from the user directory is run by the CMD process

Drops a file with a rarely used extension (PIF)

Contacting a server suspected of hosting an CnC

Connects to unusual port

Potential Corporate Privacy Violation

The process executes via Task Scheduler

INFO

The process uses the downloaded file

Create files in a temporary directory

Checks supported languages

Reads the computer name

Process checks computer location settings

Manual execution by a user

Malware configuration

RedLine

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests