Malware analysis setup.exe Malicious activity | ANY.RUN

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Add for printing

File name:	setup.exe
Full analysis:	https://app.any.run/tasks/ede70688-f57a-4bcf-bd23-54a08ba57a47
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	April 01, 2023, 01:29:11
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	loader smoke trojan amadey miner
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	3B9C6A8C6DD4A1B0DD359AD37EEE5EE1
SHA1:	B0F89579235F8CFBE3614B972BC73971146A7996
SHA256:	FCBB0A893857EF1A65ED50F65D9D21505AEEC595AAB6695B417BB3665E1797ED
SSDEEP:	3072:GDpyyC9KAnpNhz6Qcba2Hv9U5wTOF/9Oej5gFFch:vJKYhzQlP956Doa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
Mozilla Maintenance Service (67.0.4)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Application was injected by another process
  - explorer.exe (PID: 1960)
- Runs injected code in another process
  - setup.exe (PID: 2484)
- SMOKE was detected
  - explorer.exe (PID: 1960)
- Connects to the CnC server
  - explorer.exe (PID: 1960)
  - nbveek.exe (PID: 2068)
  - ss31.exe (PID: 1672)
- Changes the autorun value in the registry
  - nbveek.exe (PID: 2068)
- Application was dropped or rewritten from another process
  - 5F96.exe (PID: 2088)
  - nbveek.exe (PID: 2068)
  - ss31.exe (PID: 1672)
  - Player3.exe (PID: 2664)
  - XandETC.exe (PID: 1928)
  - XandETC.exe (PID: 2480)
  - updater.exe (PID: 2568)
  - nbveek.exe (PID: 936)
- Uses Task Scheduler to run other applications
  - nbveek.exe (PID: 2068)
  - powershell.exe (PID: 2924)
- Actions looks like stealing of personal data
  - ss31.exe (PID: 1672)
  - rundll32.exe (PID: 2276)
- AMADEY detected by memory dumps
  - nbveek.exe (PID: 2068)
- AMADEY was detected
  - nbveek.exe (PID: 2068)
- Adds path to the Windows Defender exclusion list
  - explorer.exe (PID: 1960)
- Uses Task Scheduler to autorun other applications
  - powershell.exe (PID: 2468)
  - powershell.exe (PID: 2056)
- Creates a writable file the system directory
  - powershell.exe (PID: 2780)
SUSPICIOUS
- Reads the Internet Settings
  - explorer.exe (PID: 1960)
  - 5F96.exe (PID: 2088)
  - ss31.exe (PID: 1672)
  - Player3.exe (PID: 2664)
  - nbveek.exe (PID: 2068)
  - powershell.exe (PID: 2900)
- Executable content was dropped or overwritten
  - explorer.exe (PID: 1960)
  - 5F96.exe (PID: 2088)
  - Player3.exe (PID: 2664)
  - XandETC.exe (PID: 1928)
  - nbveek.exe (PID: 2068)
  - updater.exe (PID: 2568)
- Starts itself from another location
  - Player3.exe (PID: 2664)
- Starts CMD.EXE for commands execution
  - nbveek.exe (PID: 2068)
  - cmd.exe (PID: 2320)
  - explorer.exe (PID: 1960)
  - updater.exe (PID: 2568)
- Application launched itself
  - cmd.exe (PID: 2320)
- Uses ICACLS.EXE to modify access control lists
  - cmd.exe (PID: 2320)
- Reads settings of System Certificates
  - ss31.exe (PID: 1672)
  - conhost.exe (PID: 2972)
- Connects to the server without a host name
  - nbveek.exe (PID: 2068)
- Starts POWERSHELL.EXE for commands execution
  - explorer.exe (PID: 1960)
  - XandETC.exe (PID: 1928)
- The process checks if current user has admin rights
  - XandETC.exe (PID: 1928)
  - explorer.exe (PID: 1960)
- Uses powercfg.exe to modify the power settings
  - cmd.exe (PID: 2604)
  - cmd.exe (PID: 1764)
- Starts SC.EXE for service management
  - cmd.exe (PID: 2572)
  - cmd.exe (PID: 2364)
- The process executes via Task Scheduler
  - updater.exe (PID: 2568)
  - nbveek.exe (PID: 936)
- Uses REG/REGEDIT.EXE to modify register
  - cmd.exe (PID: 2572)
  - cmd.exe (PID: 2364)
- Process requests binary or script from the Internet
  - nbveek.exe (PID: 2068)
- Loads DLL from Mozilla Firefox
  - rundll32.exe (PID: 2276)
- Uses RUNDLL32.EXE to load library
  - rundll32.exe (PID: 2216)
- Connects to unusual port
  - conhost.exe (PID: 2972)
- Unusual connection from system programs
  - powershell.exe (PID: 2780)
- Uses WMIC.EXE to obtain a list of video controllers
  - cmd.exe (PID: 548)
- Drops a system driver (possible attempt to evade defenses)
  - updater.exe (PID: 2568)
INFO
- Checks supported languages
  - setup.exe (PID: 2484)
  - 5F96.exe (PID: 2088)
  - Player3.exe (PID: 2664)
  - ss31.exe (PID: 1672)
  - nbveek.exe (PID: 2068)
  - XandETC.exe (PID: 1928)
  - updater.exe (PID: 2568)
  - nbveek.exe (PID: 936)
- The process checks LSA protection
  - explorer.exe (PID: 1960)
  - 5F96.exe (PID: 2088)
  - Player3.exe (PID: 2664)
  - ss31.exe (PID: 1672)
  - nbveek.exe (PID: 2068)
  - powershell.exe (PID: 2900)
  - powershell.exe (PID: 2468)
  - powershell.exe (PID: 2924)
  - powershell.exe (PID: 2780)
  - WMIC.exe (PID: 3056)
  - conhost.exe (PID: 2972)
  - powershell.exe (PID: 2056)
- Creates files or folders in the user directory
  - explorer.exe (PID: 1960)
  - ss31.exe (PID: 1672)
  - nbveek.exe (PID: 2068)
- Reads the computer name
  - 5F96.exe (PID: 2088)
  - ss31.exe (PID: 1672)
  - Player3.exe (PID: 2664)
  - nbveek.exe (PID: 2068)
- Create files in a temporary directory
  - 5F96.exe (PID: 2088)
  - explorer.exe (PID: 1960)
  - Player3.exe (PID: 2664)
  - nbveek.exe (PID: 2068)
  - powershell.exe (PID: 2900)
  - powershell.exe (PID: 2468)
  - powershell.exe (PID: 2924)
- Checks proxy server information
  - ss31.exe (PID: 1672)
  - nbveek.exe (PID: 2068)
- Reads the machine GUID from the registry
  - ss31.exe (PID: 1672)
  - nbveek.exe (PID: 2068)
- Reads settings of System Certificates
  - powershell.exe (PID: 2900)
  - powershell.exe (PID: 2780)
- Reads security settings of Internet Explorer
  - powershell.exe (PID: 2900)
  - powershell.exe (PID: 2468)
  - powershell.exe (PID: 2924)
- Creates files in the program directory
  - XandETC.exe (PID: 1928)
  - updater.exe (PID: 2568)
  - cmd.exe (PID: 548)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Amadey

(PID) Process(2068) nbveek.exe

Strings (116)SCHTASKS

/Create /SC MINUTE /MO 1 /TN

/TR "

" /F

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Startup

Rem

cmd /C RMDIR /s/q

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

rundll32

/Delete /TN "

Programs

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%USERPROFILE%

\App

POST

GET

id=

&vs=

&sd=

&os=

&bi=

&ar=

&pc=

&un=

&dm=

&av=

&lv=

&og=

cred.dll|clip.dll|

Main

http://

https://

exe

dll

cmd

ps1

<c>

<d>

Plugins/

+++

&unit=

shell32.dll

kernel32.dll

GetNativeSystemInfo

ProgramData\

AVAST Software

Avira

Kaspersky Lab

ESET

Panda Security

Doctor Web

AVG

360TotalSecurity

Bitdefender

Norton

Sophos

Comodo

WinDefender

0123456789

Content-Type: multipart/form-data; boundary=----

------

Content-Disposition: form-data; name="data"; filename="

" Content-Type: application/octet-stream

------

?scr=1

.jpg

Content-Type: application/x-www-form-urlencoded

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

ComputerName

abcdefghijklmnopqrstuvwxyz0123456789-_

-unicode-

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

SYSTEM\ControlSet001\Services\BasicDisplay\Video

VideoID

\0000

DefaultSettings.XResolution

DefaultSettings.YResolution

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductName

2019

2022

2016

CurrentBuild

echo Y|CACLS "

" /P "

:N"

CACLS "

" /P "

:R" /E

:F" /E

&&Exit

..\

:::

rundll32.exe

"taskkill /f /im "

" && timeout 1 && del

&& Exit"

" && ren

Powershell.exe

-executionpolicy remotesigned -File "

Options

Drop namenbveek.exe

Drop directory16de06bfb4

Version3.65

C2 (1)http://77.73.134.27

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductName:	Imba
LegalCopyright:	Copyright (C) 2023, shmaer
InternalName:	GodGuest
FilesVersion:	19.62.99
CharacterSet:	Unknown (01F2)
LanguageCode:	Manipuri
FileSubtype:	-
ObjectFileType:	Unknown
FileOS:	Unknown (0x20461)
FileFlags:	(none)
FileFlagsMask:	0x121a
ProductVersionNumber:	26.0.0.0
FileVersionNumber:	2.0.0.0
Subsystem:	Windows GUI
SubsystemVersion:	5
ImageVersion:	-
OSVersion:	5
EntryPoint:	0x6160
UninitializedDataSize:	-
InitializedDataSize:	494592
CodeSize:	172032
LinkerVersion:	9
PEType:	PE32
ImageFileCharacteristics:	Executable, 32-bit
TimeStamp:	2022:03:06 15:54:45+00:00
MachineType:	Intel 386 or later, and compatibles

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	06-Mar-2022 15:54:45
Detected languages:	Spanish - Mexico
Debug artifacts:	C:\cebaz-yonuzuyiy.pdb
FilesVersion:	19.62.99
InternalName:	GodGuest
LegalCopyright:	Copyright (C) 2023, shmaer
ProductName:	Imba

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x000000F0

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	4
Time date stamp:	06-Mar-2022 15:54:45
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x00029EA2	0x0002A000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	7.53761
.data	0x0002B000	0x0006F69C	0x00003000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	2.22325
.rsrc	0x0009B000	0x000070C8	0x00007200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.63378
.reloc	0x000A3000	0x00002158	0x00002200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	3.89961

Resources

Title	Entropy	Size	Codepage	Language	Type
1	3.34304	460	UNKNOWN	UNKNOWN	RT_VERSION
2	4.89752	2216	UNKNOWN	Spanish - Mexico	RT_ICON
3	4.72258	1736	UNKNOWN	Spanish - Mexico	RT_ICON
4	4.26743	1384	UNKNOWN	Spanish - Mexico	RT_ICON
5	3.67549	9640	UNKNOWN	Spanish - Mexico	RT_ICON
6	3.7424	4264	UNKNOWN	Spanish - Mexico	RT_ICON
7	3.79506	2440	UNKNOWN	Spanish - Mexico	RT_ICON
8	3.88036	1128	UNKNOWN	Spanish - Mexico	RT_ICON
22	3.13936	412	UNKNOWN	UNKNOWN	RT_STRING
23	3.22078	620	UNKNOWN	UNKNOWN	RT_STRING

Imports


ADVAPI32.dll
GDI32.dll
KERNEL32.dll
USER32.dll
ole32.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

123

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1252

"C:\Users\admin\AppData\Local\Temp\setup.exe"

C:\Users\admin\AppData\Local\Temp\setup.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll

2484

"C:\Users\admin\AppData\Local\Temp\setup.exe"

C:\Users\admin\AppData\Local\Temp\setup.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll

1960

C:\Windows\Explorer.EXE

C:\Windows\explorer.exe

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

2088

C:\Users\admin\AppData\Local\Temp\5F96.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\5f96.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\advapi32.dll

2664

"C:\Users\admin\AppData\Local\Temp\Player3.exe"

C:\Users\admin\AppData\Local\Temp\Player3.exe

5F96.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\player3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\user32.dll

1672

"C:\Users\admin\AppData\Local\Temp\ss31.exe"

C:\Users\admin\AppData\Local\Temp\ss31.exe

5F96.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\ss31.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll

2068

"C:\Users\admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"

C:\Users\admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Player3.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\16de06bfb4\nbveek.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\kernelbase.dll

Amadey

(PID) Process(2068) nbveek.exe

Strings (116)SCHTASKS

/Create /SC MINUTE /MO 1 /TN

/TR "

" /F

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Startup

Rem

cmd /C RMDIR /s/q

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

rundll32

/Delete /TN "

Programs

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%USERPROFILE%

\App

POST

GET

id=

&vs=

&sd=

&os=

&bi=

&ar=

&pc=

&un=

&dm=

&av=

&lv=

&og=

cred.dll|clip.dll|

Main

http://

https://

exe

dll

cmd

ps1

<c>

<d>

Plugins/

+++

&unit=

shell32.dll

kernel32.dll

GetNativeSystemInfo

ProgramData\

AVAST Software

Avira

Kaspersky Lab

ESET

Panda Security

Doctor Web

AVG

360TotalSecurity

Bitdefender

Norton

Sophos

Comodo

WinDefender

0123456789

Content-Type: multipart/form-data; boundary=----

------

Content-Disposition: form-data; name="data"; filename="

" Content-Type: application/octet-stream

------

?scr=1

.jpg

Content-Type: application/x-www-form-urlencoded

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

ComputerName

abcdefghijklmnopqrstuvwxyz0123456789-_

-unicode-

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

SYSTEM\ControlSet001\Services\BasicDisplay\Video

VideoID

\0000

DefaultSettings.XResolution

DefaultSettings.YResolution

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductName

2019

2022

2016

CurrentBuild

echo Y|CACLS "

" /P "

:N"

CACLS "

" /P "

:R" /E

:F" /E

&&Exit

..\

:::

rundll32.exe

"taskkill /f /im "

" && timeout 1 && del

&& Exit"

" && ren

Powershell.exe

-executionpolicy remotesigned -File "

Options

Drop namenbveek.exe

Drop directory16de06bfb4

Version3.65

C2 (1)http://77.73.134.27

2480

"C:\Users\admin\AppData\Local\Temp\XandETC.exe"

C:\Users\admin\AppData\Local\Temp\XandETC.exe

—

5F96.exe

User:

admin

Company:

Google Inc.

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

3221226540

Version:

90,1,32,10

Modules

Images
c:\users\admin\appdata\local\temp\xandetc.exe
c:\windows\system32\ntdll.dll

700

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F

C:\Windows\SysWOW64\schtasks.exe

—

nbveek.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1928

"C:\Users\admin\AppData\Local\Temp\XandETC.exe"

C:\Users\admin\AppData\Local\Temp\XandETC.exe

5F96.exe

User:

admin

Company:

Google Inc.

Integrity Level:

HIGH

Description:

Google Chrome

Exit code:

Version:

90,1,32,10

Modules

Images
c:\users\admin\appdata\local\temp\xandetc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll

Add for printing

Total events

15 966

Read events

15 720

Write events

232

Delete events

Modification events


(PID) Process:	(1960) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB0100000040131FD0E0B45449B5325CF35709B45A0000000002000000000010660000000100002000000097BA847E5D0827CAFBC4D33F7B8AFE8834428DFEF065FA018D8CAB90C5710B0A000000000E8000000002000020000000703BDF28CF4D9DFCAB7DDC229F11B838657F02A563D675B7BA5A582848A73F4F300000008091631BBFD318C1A67DDE62193EF5F65F823DF6F3FB12C344A857963FC714699639A04F9F66927C69CA8E9AC61E02154000000007CED62AF9113E09870DE72EB5744E2CBFDC316C2CF8607885EA5CBB68D61BE0CFB49EE1C4CAF8F2769692B62252F8AB0F88C1F92875F93F72FE70BCC896EFE4
(PID) Process:	(2088) 5F96.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2088) 5F96.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2088) 5F96.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2088) 5F96.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1672) ss31.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(1672) ss31.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 460000008B000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1672) ss31.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1672) ss31.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1672) ss31.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2088	5F96.exe	C:\Users\admin\AppData\Local\Temp\Player3.exe		executable
		MD5:43A3E1C9723E124A9B495CD474A05DCB	SHA256:619BBBC9E9DDD1F6B7961CACB33D99C8F558499A33751B28D91085AAB8CB95AB
1960	explorer.exe	C:\Users\admin\AppData\Local\Temp\5F96.exe		executable
		MD5:326665E5F77114EA09307E4CD002B82F	SHA256:4244ACB6F883E56BAEBF36785CE5B2C1AFFC38B46472CD2795DF3405D98D2AC0
2664	Player3.exe	C:\Users\admin\AppData\Local\Temp\16de06bfb4\nbveek.exe		executable
		MD5:43A3E1C9723E124A9B495CD474A05DCB	SHA256:619BBBC9E9DDD1F6B7961CACB33D99C8F558499A33751B28D91085AAB8CB95AB
1960	explorer.exe	C:\Users\admin\AppData\Roaming\jbhtujv		executable
		MD5:3B9C6A8C6DD4A1B0DD359AD37EEE5EE1	SHA256:FCBB0A893857EF1A65ED50F65D9D21505AEEC595AAB6695B417BB3665E1797ED
2068	nbveek.exe	C:\Users\admin\AppData\Local\Temp\896776584425		image
		MD5:3C809C9B81CA815C9528EEBCA18365EF	SHA256:D8375A317DE583217FF1CF8F16837F53421457454BDF99C648F7704915477397
2088	5F96.exe	C:\Users\admin\AppData\Local\Temp\ss31.exe		executable
		MD5:34FF8AF4A01C1DD79149160C41DBCF7C	SHA256:CB822AB02A16A3E9925643830C692F67CB5CFE127D58E0448D9E925F27F58BA3
2900	powershell.exe	C:\Users\admin\AppData\Local\Temp\j4plwoxi.4j2.ps1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
2068	nbveek.exe	C:\Users\admin\AppData\Roaming\07c6bc37dc5087\clip64.dll		executable
		MD5:D3074D3A19629C3C6A533C86733E044E	SHA256:B1F486289739BADF85C2266B7C2BBBC6C620B05A6084081D09D0911C51F7C401
2068	nbveek.exe	C:\Users\admin\AppData\Roaming\07c6bc37dc5087\cred64.dll		executable
		MD5:2C4E958144BD089AA93A564721ED28BB	SHA256:B597B1C638AE81F03EC4BAAFA68DDA316D57E6398FE095A58ECC89E8BCC61855
2924	powershell.exe	C:\Users\admin\AppData\Local\Temp\usiii0ir.aok.psm1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2780	powershell.exe	GET	304	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?dd6850b0ae03608c	US	—	—	whitelisted
1960	explorer.exe	POST	404	188.114.97.3:80	http://potunulit.org/	US	binary	4.37 Mb	malicious
2068	nbveek.exe	POST	200	77.73.134.27:80	http://77.73.134.27/8bmdh3Slb2/index.php?scr=1	KZ	—	—	malicious
1960	explorer.exe	POST	404	188.114.97.3:80	http://potunulit.org/	US	html	401 b	malicious
2068	nbveek.exe	GET	200	77.73.134.27:80	http://77.73.134.27/8bmdh3Slb2/Plugins/clip64.dll	KZ	executable	89.0 Kb	malicious
2068	nbveek.exe	GET	200	77.73.134.27:80	http://77.73.134.27/8bmdh3Slb2/Plugins/cred64.dll	KZ	executable	1.02 Mb	malicious
—	—	GET	200	154.221.31.191:80	http://count.iiagjaggg.com/check/safe	HK	text	96 b	malicious
1672	ss31.exe	GET	200	45.66.158.126:80	http://bz.bbbeioaag.com/sts/bimage.jpg	US	image	1.45 Mb	malicious
1960	explorer.exe	POST	404	188.114.97.3:80	http://potunulit.org/	US	binary	7 b	malicious
2068	nbveek.exe	POST	200	77.73.134.27:80	http://77.73.134.27/8bmdh3Slb2/index.php	KZ	text	6 b	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1960	explorer.exe	188.114.97.3:80	potunulit.org	CLOUDFLARENET	NL	malicious
2780	powershell.exe	93.184.221.240:80	ctldl.windowsupdate.com	EDGECAST	GB	whitelisted
1672	ss31.exe	157.240.20.35:443	www.facebook.com	FACEBOOK	DE	whitelisted
2068	nbveek.exe	77.73.134.27:80	—	Partner LLC	KZ	malicious
1672	ss31.exe	45.66.158.126:80	bz.bbbeioaag.com	ENZUINC	US	suspicious
1672	ss31.exe	154.221.31.191:80	count.iiagjaggg.com	YISU CLOUD LTD	HK	malicious
2972	conhost.exe	152.228.216.245:14433	xmr-eu2.nanopool.org	OVH SAS	FR	unknown
2972	conhost.exe	51.15.69.136:14433	xmr-eu1.nanopool.org	Online S.a.s.	NL	malicious
2972	conhost.exe	172.67.34.170:443	pastebin.com	CLOUDFLARENET	US	malicious

DNS requests

Domain	IP	Reputation
potunulit.org	188.114.97.3 188.114.96.3	malicious
bz.bbbeioaag.com	45.66.158.126	malicious
www.facebook.com	157.240.20.35	whitelisted
count.iiagjaggg.com	154.221.31.191	malicious
ctldl.windowsupdate.com	93.184.221.240	whitelisted
xmr-eu2.nanopool.org	51.15.67.17 51.15.55.100 51.15.55.162 152.228.216.245 92.222.217.165 51.255.34.80	unknown
pastebin.com	172.67.34.170 104.20.68.143 104.20.67.143	shared
xmr-eu1.nanopool.org	135.125.238.108 51.15.54.102 51.15.69.136 51.255.34.118 51.68.143.81 51.15.65.182 51.15.58.224 51.15.78.68 51.68.190.80	suspicious

Threats

PID	Process	Class	Message
1960	explorer.exe	A Network Trojan was detected	ET MALWARE Suspected Smokeloader Activity (POST)
1960	explorer.exe	A Network Trojan was detected	ET MALWARE Suspected Smokeloader Activity (POST)
1960	explorer.exe	A Network Trojan was detected	ET MALWARE Suspected Smokeloader Activity (POST)
1672	ss31.exe	A Network Trojan was detected	AV INFO Suspicious UA HTTPREAD
2068	nbveek.exe	A Network Trojan was detected	AV TROJAN Agent.DHOA System Info Exfiltration
2068	nbveek.exe	Unknown Classtype	ET MALWARE Amadey CnC Check-In
2068	nbveek.exe	A Network Trojan was detected	ET MALWARE Amadey Bot Activity (POST)
1672	ss31.exe	Potentially Bad Traffic	ET HUNTING Double User-Agent (User-Agent User-Agent)
2068	nbveek.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host DLL Request
2068	nbveek.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .dll file with no User-Agent

3 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

setup.exe

3B9C6A8C6DD4A1B0DD359AD37EEE5EE1

B0F89579235F8CFBE3614B972BC73971146A7996

FCBB0A893857EF1A65ED50F65D9D21505AEEC595AAB6695B417BB3665E1797ED

3072:GDpyyC9KAnpNhz6Qcba2Hv9U5wTOF/9Oej5gFFch:vJKYhzQlP956Doa

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Application was injected by another process

Runs injected code in another process

SMOKE was detected

Connects to the CnC server

Changes the autorun value in the registry

Application was dropped or rewritten from another process

Uses Task Scheduler to run other applications

Actions looks like stealing of personal data

AMADEY detected by memory dumps

AMADEY was detected

Adds path to the Windows Defender exclusion list

Uses Task Scheduler to autorun other applications

Creates a writable file the system directory

SUSPICIOUS

Reads the Internet Settings

Executable content was dropped or overwritten

Starts itself from another location

Starts CMD.EXE for commands execution

Application launched itself

Uses ICACLS.EXE to modify access control lists

Reads settings of System Certificates

Connects to the server without a host name

Starts POWERSHELL.EXE for commands execution

The process checks if current user has admin rights

Uses powercfg.exe to modify the power settings

Starts SC.EXE for service management

The process executes via Task Scheduler

Uses REG/REGEDIT.EXE to modify register

Process requests binary or script from the Internet

Loads DLL from Mozilla Firefox

Uses RUNDLL32.EXE to load library

Connects to unusual port

Unusual connection from system programs

Uses WMIC.EXE to obtain a list of video controllers

Drops a system driver (possible attempt to evade defenses)

INFO

Checks supported languages

The process checks LSA protection

Creates files or folders in the user directory

Reads the computer name

Create files in a temporary directory

Checks proxy server information

Reads the machine GUID from the registry

Reads settings of System Certificates

Reads security settings of Internet Explorer

Creates files in the program directory

Malware configuration

Amadey

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules