Malware analysis 1.exe Malicious activity | ANY.RUN

Add for printing

File name:	1.exe
Full analysis:	https://app.any.run/tasks/5ec3b6b4-f06b-4dfb-a190-00d187e20d7f
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	July 19, 2024, 13:21:32
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer vmprotect
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	1D64EB8C45F5F9635F5F7DAA37DDDF3F
SHA1:	86F0F1BB9109DF900003B93309455C2688475F28
SHA256:	E6FF895BCFA8F0A2C857471B807B6FC9BE9AE12D5C017BA18C139814041CD4BA
SSDEEP:	98304:6hSe5XRSKxgOO/ku6V1Th19DmawfHPgTyJxDUo/ERbrIi/UvXSXFrxFaOhS8n7Dp:9FXQyO88WeFnXg5pE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 1.exe (PID: 2116)
  - 1.tmp (PID: 2768)
  - CSIIPowerService_Setup.exe (PID: 7060)
  - CSIIPowerService_Setup.tmp (PID: 6216)
- Creates a writable file in the system directory
  - 1.tmp (PID: 2768)
  - regsvr32.exe (PID: 7088)
- Registers / Runs the DLL via REGSVR32.EXE
  - 1.tmp (PID: 2768)
  - cmd.exe (PID: 6320)
- Actions looks like stealing of personal data
  - SvcEnvConfig.exe (PID: 6616)
- Steals credentials from Web Browsers
  - SvcEnvConfig.exe (PID: 6616)
- Modifies hosts file to block updates
  - SvcEnvConfig.exe (PID: 6616)
- Changes the autorun value in the registry
  - CSIIPowerService_Setup.tmp (PID: 6216)
- Uses Task Scheduler to autorun other applications
  - cmd.exe (PID: 6560)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 7656)
SUSPICIOUS
- Executable content was dropped or overwritten
  - 1.exe (PID: 2116)
  - 1.tmp (PID: 2768)
  - regsvr32.exe (PID: 7088)
  - CSIIPowerService_Setup.exe (PID: 7060)
  - CSIIPowerService_Setup.tmp (PID: 6216)
- Process drops legitimate windows executable
  - 1.tmp (PID: 2768)
  - CSIIPowerService_Setup.tmp (PID: 6216)
- Reads the Windows owner or organization settings
  - 1.tmp (PID: 2768)
  - CSIIPowerService_Setup.tmp (PID: 6216)
- Drops a system driver (possible attempt to evade defenses)
  - regsvr32.exe (PID: 7088)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 7088)
  - regsvr32.exe (PID: 2860)
  - regsvr32.exe (PID: 7912)
  - regsvr32.exe (PID: 3540)
- Starts CMD.EXE for commands execution
  - 1.tmp (PID: 2768)
  - CSIIPowerService_Setup.tmp (PID: 6216)
  - SvcEnvConfig.exe (PID: 6616)
  - TaskTool.exe (PID: 5728)
- Executing commands from a ".bat" file
  - 1.tmp (PID: 2768)
  - TaskTool.exe (PID: 5728)
- The process drops C-runtime libraries
  - CSIIPowerService_Setup.tmp (PID: 6216)
- Searches for installed software
  - CSIIPowerService_Setup.tmp (PID: 6216)
- Reads security settings of Internet Explorer
  - SvcEnvConfig.exe (PID: 6616)
  - TaskTool.exe (PID: 5728)
  - CSIIPowerService.exe (PID: 5892)
- Reads the date of Windows installation
  - SvcEnvConfig.exe (PID: 6616)
  - TaskTool.exe (PID: 5728)
- Process uses IPCONFIG to clear DNS cache
  - cmd.exe (PID: 7196)
- Adds/modifies Windows certificates
  - SvcEnvConfig.exe (PID: 6616)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - cmd.exe (PID: 3500)
- Starts application with an unusual extension
  - cmd.exe (PID: 4228)
- Lists all scheduled tasks
  - schtasks.exe (PID: 6992)
- Checks Windows Trust Settings
  - CSIIPowerService.exe (PID: 5892)
INFO
- Checks supported languages
  - 1.tmp (PID: 2768)
  - 1.exe (PID: 2116)
  - CSIIPowerService_Setup.exe (PID: 7060)
  - CSIIPowerService_Setup.tmp (PID: 6216)
  - TerminateSvc.exe (PID: 7964)
  - SvcEnvConfig.exe (PID: 6616)
  - TaskTool.exe (PID: 5728)
  - chcp.com (PID: 7876)
  - CSIIPowerService.exe (PID: 5892)
  - PowerServiceProtect.exe (PID: 4372)
- Create files in a temporary directory
  - 1.exe (PID: 2116)
  - 1.tmp (PID: 2768)
  - CSIIPowerService_Setup.exe (PID: 7060)
  - CSIIPowerService_Setup.tmp (PID: 6216)
  - SvcEnvConfig.exe (PID: 6616)
- Reads the computer name
  - 1.tmp (PID: 2768)
  - CSIIPowerService_Setup.tmp (PID: 6216)
  - SvcEnvConfig.exe (PID: 6616)
  - TaskTool.exe (PID: 5728)
  - CSIIPowerService.exe (PID: 5892)
- Creates files in the program directory
  - 1.tmp (PID: 2768)
  - SvcEnvConfig.exe (PID: 6616)
  - CSIIPowerService_Setup.tmp (PID: 6216)
  - TaskTool.exe (PID: 5728)
  - CSIIPowerService.exe (PID: 5892)
- Drops the executable file immediately after the start
  - regsvr32.exe (PID: 7088)
  - firefox.exe (PID: 6260)
- Creates files in the driver directory
  - regsvr32.exe (PID: 7088)
- Creates a software uninstall entry
  - 1.tmp (PID: 2768)
  - CSIIPowerService_Setup.tmp (PID: 6216)
- Checks proxy server information
  - SvcEnvConfig.exe (PID: 6616)
  - CSIIPowerService.exe (PID: 5892)
  - slui.exe (PID: 6776)
- Reads Environment values
  - SvcEnvConfig.exe (PID: 6616)
  - TaskTool.exe (PID: 5728)
- Process checks computer location settings
  - SvcEnvConfig.exe (PID: 6616)
  - TaskTool.exe (PID: 5728)
- Creates files or folders in the user directory
  - TaskTool.exe (PID: 5728)
  - CSIIPowerService.exe (PID: 5892)
- Reads the machine GUID from the registry
  - CSIIPowerService.exe (PID: 5892)
- Reads the software policy settings
  - CSIIPowerService.exe (PID: 5892)
  - slui.exe (PID: 6776)
- VMProtect protector has been detected
  - CSIIPowerService.exe (PID: 5892)
- Application launched itself
  - firefox.exe (PID: 6032)
  - firefox.exe (PID: 6260)
- Manual execution by a user
  - firefox.exe (PID: 6032)
- Reads Microsoft Office registry keys
  - firefox.exe (PID: 6260)
- Executable content was dropped or overwritten
  - firefox.exe (PID: 6260)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Inno Setup installer (77.7)
.exe	\|	Win32 Executable Delphi generic (10)
.dll	\|	Win32 Dynamic Link Library (generic) (4.6)
.exe	\|	Win32 Executable (generic) (3.1)
.exe	\|	Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2011:12:20 14:16:50+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	86016
InitializedDataSize:	53760
UninitializedDataSize:	-
EntryPoint:	0x16478
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	2.3.9.21
ProductVersionNumber:	2.3.9.21
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:	CSII
FileDescription:
FileVersion:	2.3.9.21
LegalCopyright:	CSII
ProductName:
ProductVersion:	2.3.9.21

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

185

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

116

schtasks /create /tn CSIIPowerService /xml C:\Users\admin\AppData\Local\etSvcLog\TaskTool.xml /f

C:\Windows\SysWOW64\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

116

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2940 -childID 1 -isForBrowser -prefsHandle 2932 -prefMapHandle 2928 -prefsLen 30953 -prefMapSize 244343 -jsInitHandle 1384 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b1c89d6-70db-4721-b3ad-ca3d226c84f4} 6260 "\\.\pipe\gecko-crash-server-pipe.6260" 24a31d39850 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

2116

"C:\Users\admin\AppData\Local\Temp\1.exe"

C:\Users\admin\AppData\Local\Temp\1.exe

explorer.exe

User:

admin

Company:

CSII

Integrity Level:

HIGH

Description:

Exit code:

Version:

2.3.9.21

Modules

Images
c:\users\admin\appdata\local\temp\1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

2768

"C:\Users\admin\AppData\Local\Temp\is-ART17.tmp\1.tmp" /SL5="$8027A,8881741,140800,C:\Users\admin\AppData\Local\Temp\1.exe"

C:\Users\admin\AppData\Local\Temp\is-ART17.tmp\1.tmp

1.exe

User:

admin

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-art17.tmp\1.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

2768

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 5324 -prefMapHandle 5320 -prefsLen 34713 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dd9ce6e-371d-41af-ac1a-eb97a609ee7d} 6260 "\\.\pipe\gecko-crash-server-pipe.6260" 24a345c7910 utility

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

2860

"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\VTB IBS Security Suite\PowerSignVTB.dll"

C:\Windows\SysWOW64\regsvr32.exe

—

1.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

3020

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 3 -isForBrowser -prefsHandle 5504 -prefMapHandle 4584 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1384 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7193c955-9a65-4e2f-bf75-1c74d3140b8b} 6260 "\\.\pipe\gecko-crash-server-pipe.6260" 24a37008a10 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

3104

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4572 -childID 2 -isForBrowser -prefsHandle 4588 -prefMapHandle 2792 -prefsLen 36263 -prefMapSize 244343 -jsInitHandle 1384 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07016760-7b54-4b2d-b5c6-d6089ab15e80} 6260 "\\.\pipe\gecko-crash-server-pipe.6260" 24a33586bd0 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

3108

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3500

"C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="AllowCSIIPowerService" dir=in program="C:\Program Files (x86)\CSIIPowerService\CSIIPowerService.exe" security=authenticate action=allow

C:\Windows\SysWOW64\cmd.exe

—

TaskTool.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

21 722

Read events

21 565

Write events

154

Delete events

Modification events


(PID) Process:	(2768) 1.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SharedDlls
Operation:	write	Name:	C:\WINDOWS\system32\PECSP.dll
Value: 1
(PID) Process:	(2768) 1.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vtbbank.cn
Operation:	write	Name:	https
Value: 2
(PID) Process:	(2768) 1.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\MozillaPlugins\@csii.com.cn/powerenter-vtb,version=2.3.9.21
Operation:	write	Name:	Path
Value: C:\Program Files (x86)\VTB IBS Security Suite\nppowerenter-vtb.dll
(PID) Process:	(2768) 1.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\MozillaPlugins\@csii.com.cn/powerenter-vtb,version=2.3.9.21
Operation:	write	Name:	ProductName
Value: powerenter-vtb
(PID) Process:	(2768) 1.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\MozillaPlugins\@csii.com.cn/powerenter-vtb,version=2.3.9.21
Operation:	write	Name:	Version
Value: 2.3.9.21
(PID) Process:	(2768) 1.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\MozillaPlugins\@csii.com.cn/powerenter-vtb,version=2.3.9.21
Operation:	write	Name:	Description
Value: PowerEnter Plug-in for VTB
(PID) Process:	(2768) 1.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\MozillaPlugins\@csii.com.cn/powerenter-vtb,version=2.3.9.21
Operation:	write	Name:	Vendor
Value: CSII
(PID) Process:	(2768) 1.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\MozillaPlugins\@csii.com.cn/powerenter-vtb,version=2.3.9.21
Operation:	write	Name:	GeckoVersion
Value: 1.9.1
(PID) Process:	(2768) 1.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\MozillaPlugins\@csii.com.cn/powerenter-vtb,version=2.3.9.21\MimeTypes\application/x-vnd-csii-powerenter-vtb
Operation:	write	Name:	Description
Value: nppowerenter
(PID) Process:	(2768) 1.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@csii.com.cn/powerenter-vtb,version=2.3.9.21
Operation:	write	Name:	Path
Value: C:\Program Files (x86)\VTB IBS Security Suite\nppowerenter-vtb_x64.dll

Add for printing

Executable files

Suspicious files

143

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2116	1.exe	C:\Users\admin\AppData\Local\Temp\is-ART17.tmp\1.tmp		executable
		MD5:167ECCD168DF9494921120A18A596361	SHA256:A18DC577B59F80DEB4495F927B602C0219261C8A1D10C3B38D3ECA5F45F9ACBD
2768	1.tmp	C:\Program Files (x86)\VTB IBS Security Suite\is-U56LF.tmp		executable
		MD5:167ECCD168DF9494921120A18A596361	SHA256:A18DC577B59F80DEB4495F927B602C0219261C8A1D10C3B38D3ECA5F45F9ACBD
2768	1.tmp	C:\Program Files (x86)\VTB IBS Security Suite\is-G2H4O.tmp		executable
		MD5:F2ED9A7A7E26C71EDB6C7CCBB4FA4B4F	SHA256:84967C2DADC948D294810D918586C3C5B406431FC1EFB26C8703858BB2C3F09D
2768	1.tmp	C:\Program Files (x86)\VTB IBS Security Suite\PowerEnterVTB_x64.ocx		executable
		MD5:0706E8B39D80BE188F10FF4EDE81D335	SHA256:52886E9A70826DD251CE6BCB2BADF1BA03EFEF05CB42F79EE6A0859B0029F32D
2768	1.tmp	C:\Program Files (x86)\VTB IBS Security Suite\is-H0OVE.tmp		executable
		MD5:0706E8B39D80BE188F10FF4EDE81D335	SHA256:52886E9A70826DD251CE6BCB2BADF1BA03EFEF05CB42F79EE6A0859B0029F32D
2768	1.tmp	C:\Users\admin\AppData\Local\Temp\is-7M512.tmp\DriverInstall.dll		executable
		MD5:25E001512557556B553C3354DAA819EC	SHA256:D8625914C00789E13AF0D18DF7618C7FF4DE2A09BA42D9899FA7AAE85F054DCD
2768	1.tmp	C:\Program Files (x86)\VTB IBS Security Suite\unins000.exe		executable
		MD5:167ECCD168DF9494921120A18A596361	SHA256:A18DC577B59F80DEB4495F927B602C0219261C8A1D10C3B38D3ECA5F45F9ACBD
2768	1.tmp	C:\Users\admin\AppData\Local\Temp\is-7M512.tmp\_isetup\_shfoldr.dll		executable
		MD5:92DC6EF532FBB4A5C3201469A5B5EB63	SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
2768	1.tmp	C:\Users\admin\AppData\Local\Temp\is-7M512.tmp\_isetup\_setup64.tmp		executable
		MD5:4FF75F505FDDCC6A9AE62216446205D9	SHA256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
2768	1.tmp	C:\Program Files (x86)\VTB IBS Security Suite\is-5EHFP.tmp		executable
		MD5:BAFFAADD46B5DAD2C25B4663D20F0C30	SHA256:CF60DC7FA8AF69FC1DDB752CC1157F39F7A9DDF282741FAB2985DE707C5D04EB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

126

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6260	firefox.exe	POST	200	23.53.40.154:80	http://r10.o.lencr.org/	unknown	—	—	unknown
6260	firefox.exe	POST	200	23.53.40.161:80	http://r3.o.lencr.org/	unknown	—	—	unknown
6260	firefox.exe	POST	200	23.53.40.154:80	http://r11.o.lencr.org/	unknown	—	—	unknown
6260	firefox.exe	POST	200	23.53.40.154:80	http://r10.o.lencr.org/	unknown	—	—	unknown
6260	firefox.exe	POST	200	23.53.40.154:80	http://r11.o.lencr.org/	unknown	—	—	unknown
6260	firefox.exe	POST	200	142.250.185.67:80	http://o.pki.goog/wr2	unknown	—	—	unknown
6260	firefox.exe	POST	200	23.53.40.154:80	http://r10.o.lencr.org/	unknown	—	—	unknown
6260	firefox.exe	POST	200	23.53.40.154:80	http://r10.o.lencr.org/	unknown	—	—	unknown
6260	firefox.exe	POST	200	23.53.40.154:80	http://r10.o.lencr.org/	unknown	—	—	unknown
6260	firefox.exe	POST	200	192.229.221.95:80	http://ocsp.digicert.com/	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4716	svchost.exe	20.190.159.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.208.221.206:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	40.113.103.199:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.190.159.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5620	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5620	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
7972	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
login.live.com	20.190.159.2 20.190.159.75 20.190.159.0 20.190.159.71 20.190.159.73 40.126.31.71 20.190.159.64 40.126.31.67	whitelisted
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158 51.124.78.146	whitelisted
google.com	142.250.186.46	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
www.baidu.com	103.235.46.96 103.235.47.188	whitelisted
arc.msn.com	20.223.35.26	whitelisted
www.bing.com	2.16.110.168 2.16.110.161 2.16.110.179 2.16.110.171 2.16.110.163 2.16.110.184 2.16.110.160 2.16.110.162 2.16.110.170 2.16.110.192 2.16.110.121 2.16.110.130 2.16.110.200 2.16.110.120 2.16.110.129 2.16.110.202 2.16.110.195 2.16.110.123	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted
ocsp.globalsign.com	151.101.2.133 151.101.194.133 151.101.130.133 151.101.66.133	whitelisted
ocsp2.globalsign.com	151.101.66.133 151.101.194.133 151.101.130.133 151.101.2.133	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

1.exe

1D64EB8C45F5F9635F5F7DAA37DDDF3F

86F0F1BB9109DF900003B93309455C2688475F28

E6FF895BCFA8F0A2C857471B807B6FC9BE9AE12D5C017BA18C139814041CD4BA

98304:6hSe5XRSKxgOO/ku6V1Th19DmawfHPgTyJxDUo/ERbrIi/UvXSXFrxFaOhS8n7Dp:9FXQyO88WeFnXg5pE

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Creates a writable file in the system directory

Registers / Runs the DLL via REGSVR32.EXE

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Modifies hosts file to block updates

Changes the autorun value in the registry

Uses Task Scheduler to autorun other applications

Uses Task Scheduler to run other applications

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

Reads the Windows owner or organization settings

Drops a system driver (possible attempt to evade defenses)

Creates/Modifies COM task schedule object

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

The process drops C-runtime libraries

Searches for installed software

Reads security settings of Internet Explorer

Reads the date of Windows installation

Process uses IPCONFIG to clear DNS cache

Adds/modifies Windows certificates

Uses NETSH.EXE to add a firewall rule or allowed programs

Starts application with an unusual extension

Lists all scheduled tasks

Checks Windows Trust Settings

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Creates files in the program directory

Drops the executable file immediately after the start

Creates files in the driver directory

Creates a software uninstall entry

Checks proxy server information

Reads Environment values

Process checks computer location settings

Creates files or folders in the user directory

Reads the machine GUID from the registry

Reads the software policy settings

VMProtect protector has been detected

Application launched itself

Manual execution by a user

Reads Microsoft Office registry keys

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules