Malware analysis setup.exe Malicious activity | ANY.RUN

Add for printing

File name:	setup.exe
Full analysis:	https://app.any.run/tasks/ede70688-f57a-4bcf-bd23-54a08ba57a47
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	April 01, 2023, 01:29:11
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	loader smoke trojan amadey miner
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	3B9C6A8C6DD4A1B0DD359AD37EEE5EE1
SHA1:	B0F89579235F8CFBE3614B972BC73971146A7996
SHA256:	FCBB0A893857EF1A65ED50F65D9D21505AEEC595AAB6695B417BB3665E1797ED
SSDEEP:	3072:GDpyyC9KAnpNhz6Qcba2Hv9U5wTOF/9Oej5gFFch:vJKYhzQlP956Doa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
Mozilla Maintenance Service (67.0.4)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Application was injected by another process
  - explorer.exe (PID: 1960)
- Runs injected code in another process
  - setup.exe (PID: 2484)
- SMOKE was detected
  - explorer.exe (PID: 1960)
- Connects to the CnC server
  - explorer.exe (PID: 1960)
  - nbveek.exe (PID: 2068)
  - ss31.exe (PID: 1672)
- Application was dropped or rewritten from another process
  - nbveek.exe (PID: 2068)
  - 5F96.exe (PID: 2088)
  - Player3.exe (PID: 2664)
  - ss31.exe (PID: 1672)
  - XandETC.exe (PID: 2480)
  - XandETC.exe (PID: 1928)
  - nbveek.exe (PID: 936)
  - updater.exe (PID: 2568)
- Changes the autorun value in the registry
  - nbveek.exe (PID: 2068)
- Uses Task Scheduler to run other applications
  - nbveek.exe (PID: 2068)
  - powershell.exe (PID: 2924)
- AMADEY was detected
  - nbveek.exe (PID: 2068)
- Actions looks like stealing of personal data
  - ss31.exe (PID: 1672)
  - rundll32.exe (PID: 2276)
- AMADEY detected by memory dumps
  - nbveek.exe (PID: 2068)
- Adds path to the Windows Defender exclusion list
  - explorer.exe (PID: 1960)
- Uses Task Scheduler to autorun other applications
  - powershell.exe (PID: 2468)
  - powershell.exe (PID: 2056)
- Creates a writable file the system directory
  - powershell.exe (PID: 2780)
SUSPICIOUS
- Reads the Internet Settings
  - 5F96.exe (PID: 2088)
  - explorer.exe (PID: 1960)
  - Player3.exe (PID: 2664)
  - ss31.exe (PID: 1672)
  - nbveek.exe (PID: 2068)
  - powershell.exe (PID: 2900)
- Executable content was dropped or overwritten
  - explorer.exe (PID: 1960)
  - 5F96.exe (PID: 2088)
  - Player3.exe (PID: 2664)
  - XandETC.exe (PID: 1928)
  - nbveek.exe (PID: 2068)
  - updater.exe (PID: 2568)
- Starts itself from another location
  - Player3.exe (PID: 2664)
- Starts CMD.EXE for commands execution
  - nbveek.exe (PID: 2068)
  - cmd.exe (PID: 2320)
  - explorer.exe (PID: 1960)
  - updater.exe (PID: 2568)
- Application launched itself
  - cmd.exe (PID: 2320)
- Uses ICACLS.EXE to modify access control lists
  - cmd.exe (PID: 2320)
- Reads settings of System Certificates
  - ss31.exe (PID: 1672)
  - conhost.exe (PID: 2972)
- Connects to the server without a host name
  - nbveek.exe (PID: 2068)
- Starts POWERSHELL.EXE for commands execution
  - explorer.exe (PID: 1960)
  - XandETC.exe (PID: 1928)
- Uses REG/REGEDIT.EXE to modify register
  - cmd.exe (PID: 2572)
  - cmd.exe (PID: 2364)
- Uses powercfg.exe to modify the power settings
  - cmd.exe (PID: 2604)
  - cmd.exe (PID: 1764)
- Starts SC.EXE for service management
  - cmd.exe (PID: 2572)
  - cmd.exe (PID: 2364)
- The process checks if current user has admin rights
  - explorer.exe (PID: 1960)
  - XandETC.exe (PID: 1928)
- The process executes via Task Scheduler
  - updater.exe (PID: 2568)
  - nbveek.exe (PID: 936)
- Process requests binary or script from the Internet
  - nbveek.exe (PID: 2068)
- Uses RUNDLL32.EXE to load library
  - rundll32.exe (PID: 2216)
- Loads DLL from Mozilla Firefox
  - rundll32.exe (PID: 2276)
- Drops a system driver (possible attempt to evade defenses)
  - updater.exe (PID: 2568)
- Uses WMIC.EXE to obtain a list of video controllers
  - cmd.exe (PID: 548)
- Unusual connection from system programs
  - powershell.exe (PID: 2780)
- Connects to unusual port
  - conhost.exe (PID: 2972)
INFO
- Checks supported languages
  - setup.exe (PID: 2484)
  - 5F96.exe (PID: 2088)
  - ss31.exe (PID: 1672)
  - Player3.exe (PID: 2664)
  - nbveek.exe (PID: 2068)
  - XandETC.exe (PID: 1928)
  - updater.exe (PID: 2568)
  - nbveek.exe (PID: 936)
- Creates files or folders in the user directory
  - explorer.exe (PID: 1960)
  - ss31.exe (PID: 1672)
  - nbveek.exe (PID: 2068)
- The process checks LSA protection
  - explorer.exe (PID: 1960)
  - 5F96.exe (PID: 2088)
  - Player3.exe (PID: 2664)
  - ss31.exe (PID: 1672)
  - nbveek.exe (PID: 2068)
  - powershell.exe (PID: 2900)
  - powershell.exe (PID: 2468)
  - powershell.exe (PID: 2924)
  - powershell.exe (PID: 2780)
  - powershell.exe (PID: 2056)
  - WMIC.exe (PID: 3056)
  - conhost.exe (PID: 2972)
- Create files in a temporary directory
  - explorer.exe (PID: 1960)
  - Player3.exe (PID: 2664)
  - 5F96.exe (PID: 2088)
  - nbveek.exe (PID: 2068)
  - powershell.exe (PID: 2900)
  - powershell.exe (PID: 2468)
  - powershell.exe (PID: 2924)
- Reads the computer name
  - 5F96.exe (PID: 2088)
  - ss31.exe (PID: 1672)
  - Player3.exe (PID: 2664)
  - nbveek.exe (PID: 2068)
- Checks proxy server information
  - ss31.exe (PID: 1672)
  - nbveek.exe (PID: 2068)
- Reads the machine GUID from the registry
  - ss31.exe (PID: 1672)
  - nbveek.exe (PID: 2068)
- Reads settings of System Certificates
  - powershell.exe (PID: 2900)
  - powershell.exe (PID: 2780)
- Reads security settings of Internet Explorer
  - powershell.exe (PID: 2468)
  - powershell.exe (PID: 2924)
  - powershell.exe (PID: 2900)
- Creates files in the program directory
  - XandETC.exe (PID: 1928)
  - updater.exe (PID: 2568)
  - cmd.exe (PID: 548)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Amadey

(PID) Process(2068) nbveek.exe

C2 (1)http://77.73.134.27

Version3.65

Options

Drop directory16de06bfb4

Drop namenbveek.exe

Strings (116)SCHTASKS

/Create /SC MINUTE /MO 1 /TN

/TR "

" /F

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Startup

Rem

cmd /C RMDIR /s/q

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

rundll32

/Delete /TN "

Programs

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%USERPROFILE%

\App

POST

GET

id=

&vs=

&sd=

&os=

&bi=

&ar=

&pc=

&un=

&dm=

&av=

&lv=

&og=

cred.dll|clip.dll|

Main

http://

https://

exe

dll

cmd

ps1

<c>

<d>

Plugins/

+++

&unit=

shell32.dll

kernel32.dll

GetNativeSystemInfo

ProgramData\

AVAST Software

Avira

Kaspersky Lab

ESET

Panda Security

Doctor Web

AVG

360TotalSecurity

Bitdefender

Norton

Sophos

Comodo

WinDefender

0123456789

Content-Type: multipart/form-data; boundary=----

------

Content-Disposition: form-data; name="data"; filename="

" Content-Type: application/octet-stream

------

?scr=1

.jpg

Content-Type: application/x-www-form-urlencoded

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

ComputerName

abcdefghijklmnopqrstuvwxyz0123456789-_

-unicode-

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

SYSTEM\ControlSet001\Services\BasicDisplay\Video

VideoID

\0000

DefaultSettings.XResolution

DefaultSettings.YResolution

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductName

2019

2022

2016

CurrentBuild

echo Y|CACLS "

" /P "

:N"

CACLS "

" /P "

:R" /E

:F" /E

&&Exit

..\

:::

rundll32.exe

"taskkill /f /im "

" && timeout 1 && del

&& Exit"

" && ren

Powershell.exe

-executionpolicy remotesigned -File "

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductName:	Imba
LegalCopyright:	Copyright (C) 2023, shmaer
InternalName:	GodGuest
FilesVersion:	19.62.99
CharacterSet:	Unknown (01F2)
LanguageCode:	Manipuri
FileSubtype:	-
ObjectFileType:	Unknown
FileOS:	Unknown (0x20461)
FileFlags:	(none)
FileFlagsMask:	0x121a
ProductVersionNumber:	26.0.0.0
FileVersionNumber:	2.0.0.0
Subsystem:	Windows GUI
SubsystemVersion:	5
ImageVersion:	-
OSVersion:	5
EntryPoint:	0x6160
UninitializedDataSize:	-
InitializedDataSize:	494592
CodeSize:	172032
LinkerVersion:	9
PEType:	PE32
ImageFileCharacteristics:	Executable, 32-bit
TimeStamp:	2022:03:06 15:54:45+00:00
MachineType:	Intel 386 or later, and compatibles

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	06-Mar-2022 15:54:45
Detected languages:	Spanish - Mexico
Debug artifacts:	C:\cebaz-yonuzuyiy.pdb
FilesVersion:	19.62.99
InternalName:	GodGuest
LegalCopyright:	Copyright (C) 2023, shmaer
ProductName:	Imba

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x000000F0

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	4
Time date stamp:	06-Mar-2022 15:54:45
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x00029EA2	0x0002A000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	7.53761
.data	0x0002B000	0x0006F69C	0x00003000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	2.22325
.rsrc	0x0009B000	0x000070C8	0x00007200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.63378
.reloc	0x000A3000	0x00002158	0x00002200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	3.89961

Resources

Title	Entropy	Size	Codepage	Language	Type
1	3.34304	460	UNKNOWN	UNKNOWN	RT_VERSION
2	4.89752	2216	UNKNOWN	Spanish - Mexico	RT_ICON
3	4.72258	1736	UNKNOWN	Spanish - Mexico	RT_ICON
4	4.26743	1384	UNKNOWN	Spanish - Mexico	RT_ICON
5	3.67549	9640	UNKNOWN	Spanish - Mexico	RT_ICON
6	3.7424	4264	UNKNOWN	Spanish - Mexico	RT_ICON
7	3.79506	2440	UNKNOWN	Spanish - Mexico	RT_ICON
8	3.88036	1128	UNKNOWN	Spanish - Mexico	RT_ICON
22	3.13936	412	UNKNOWN	UNKNOWN	RT_STRING
23	3.22078	620	UNKNOWN	UNKNOWN	RT_STRING

Imports


ADVAPI32.dll
GDI32.dll
KERNEL32.dll
USER32.dll
ole32.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

123

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

308

CACLS "..\16de06bfb4" /P "admin:N"

C:\Windows\SysWOW64\cacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Control ACLs Program

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll

548

C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"

C:\Windows\System32\cmd.exe

explorer.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

564

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f

C:\Windows\System32\reg.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

600

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

C:\Windows\System32\reg.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

700

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F

C:\Windows\SysWOW64\schtasks.exe

—

nbveek.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

936

C:\Users\admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

—

taskeng.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\16de06bfb4\nbveek.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1032

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Power Settings Command-Line Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1252

"C:\Users\admin\AppData\Local\Temp\setup.exe"

C:\Users\admin\AppData\Local\Temp\setup.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll

1332

sc stop UsoSvc

C:\Windows\System32\sc.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

1060

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll

1356

sc stop dosvc

C:\Windows\System32\sc.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

1060

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

15 966

Read events

15 720

Write events

232

Delete events

Modification events


(PID) Process:	(1960) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB0100000040131FD0E0B45449B5325CF35709B45A0000000002000000000010660000000100002000000097BA847E5D0827CAFBC4D33F7B8AFE8834428DFEF065FA018D8CAB90C5710B0A000000000E8000000002000020000000703BDF28CF4D9DFCAB7DDC229F11B838657F02A563D675B7BA5A582848A73F4F300000008091631BBFD318C1A67DDE62193EF5F65F823DF6F3FB12C344A857963FC714699639A04F9F66927C69CA8E9AC61E02154000000007CED62AF9113E09870DE72EB5744E2CBFDC316C2CF8607885EA5CBB68D61BE0CFB49EE1C4CAF8F2769692B62252F8AB0F88C1F92875F93F72FE70BCC896EFE4
(PID) Process:	(2088) 5F96.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2088) 5F96.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2088) 5F96.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2088) 5F96.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1672) ss31.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(1672) ss31.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 460000008B000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1672) ss31.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1672) ss31.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1672) ss31.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2088	5F96.exe	C:\Users\admin\AppData\Local\Temp\Player3.exe		executable
		MD5:—	SHA256:—
1960	explorer.exe	C:\Users\admin\AppData\Roaming\jbhtujv		executable
		MD5:—	SHA256:—
2088	5F96.exe	C:\Users\admin\AppData\Local\Temp\ss31.exe		executable
		MD5:—	SHA256:—
1960	explorer.exe	C:\Users\admin\AppData\Local\Temp\5F96.exe		executable
		MD5:—	SHA256:—
2068	nbveek.exe	C:\Users\admin\AppData\Local\Temp\896776584425		image
		MD5:—	SHA256:—
2664	Player3.exe	C:\Users\admin\AppData\Local\Temp\16de06bfb4\nbveek.exe		executable
		MD5:—	SHA256:—
2068	nbveek.exe	C:\Users\admin\AppData\Roaming\07c6bc37dc5087\clip64.dll		executable
		MD5:—	SHA256:—
2088	5F96.exe	C:\Users\admin\AppData\Local\Temp\XandETC.exe		executable
		MD5:3006B49F3A30A80BB85074C279ACC7DF	SHA256:F283B4C0AD4A902E1CB64201742CA4C5118F275E7B911A7DAFDA1EF01B825280
2468	powershell.exe	C:\Users\admin\AppData\Local\Temp\4t5o1wug.5e2.psm1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
2900	powershell.exe	C:\Users\admin\AppData\Local\Temp\j4plwoxi.4j2.ps1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2780	powershell.exe	GET	304	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?dd6850b0ae03608c	US	—	—	whitelisted
1960	explorer.exe	POST	404	188.114.97.3:80	http://potunulit.org/	US	binary	4.37 Mb	malicious
2068	nbveek.exe	POST	200	77.73.134.27:80	http://77.73.134.27/8bmdh3Slb2/index.php?scr=1	KZ	—	—	malicious
2068	nbveek.exe	GET	200	77.73.134.27:80	http://77.73.134.27/8bmdh3Slb2/Plugins/cred64.dll	KZ	executable	1.02 Mb	malicious
—	—	GET	200	154.221.31.191:80	http://count.iiagjaggg.com/check/safe	HK	text	96 b	malicious
2068	nbveek.exe	GET	200	77.73.134.27:80	http://77.73.134.27/8bmdh3Slb2/Plugins/clip64.dll	KZ	executable	89.0 Kb	malicious
1672	ss31.exe	GET	200	45.66.158.126:80	http://bz.bbbeioaag.com/sts/bimage.jpg	US	image	1.45 Mb	malicious
2068	nbveek.exe	POST	200	77.73.134.27:80	http://77.73.134.27/8bmdh3Slb2/index.php	KZ	text	6 b	malicious
1960	explorer.exe	POST	404	188.114.97.3:80	http://potunulit.org/	US	binary	7 b	malicious
1960	explorer.exe	POST	404	188.114.97.3:80	http://potunulit.org/	US	html	401 b	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1960	explorer.exe	188.114.97.3:80	potunulit.org	CLOUDFLARENET	NL	malicious
1672	ss31.exe	45.66.158.126:80	bz.bbbeioaag.com	ENZUINC	US	suspicious
2068	nbveek.exe	77.73.134.27:80	—	Partner LLC	KZ	malicious
1672	ss31.exe	157.240.20.35:443	www.facebook.com	FACEBOOK	DE	whitelisted
1672	ss31.exe	154.221.31.191:80	count.iiagjaggg.com	YISU CLOUD LTD	HK	malicious
2972	conhost.exe	172.67.34.170:443	pastebin.com	CLOUDFLARENET	US	malicious
2972	conhost.exe	51.15.69.136:14433	xmr-eu1.nanopool.org	Online S.a.s.	NL	malicious
2780	powershell.exe	93.184.221.240:80	ctldl.windowsupdate.com	EDGECAST	GB	whitelisted
2972	conhost.exe	152.228.216.245:14433	xmr-eu2.nanopool.org	OVH SAS	FR	unknown

DNS requests

Domain	IP	Reputation
potunulit.org	188.114.97.3 188.114.96.3	malicious
bz.bbbeioaag.com	45.66.158.126	malicious
www.facebook.com	157.240.20.35	whitelisted
count.iiagjaggg.com	154.221.31.191	malicious
ctldl.windowsupdate.com	93.184.221.240	whitelisted
xmr-eu2.nanopool.org	51.15.67.17 51.15.55.100 51.15.55.162 152.228.216.245 92.222.217.165 51.255.34.80	unknown
pastebin.com	172.67.34.170 104.20.68.143 104.20.67.143	malicious
xmr-eu1.nanopool.org	135.125.238.108 51.15.54.102 51.15.69.136 51.255.34.118 51.68.143.81 51.15.65.182 51.15.58.224 51.15.78.68 51.68.190.80	suspicious

Threats

PID	Process	Class	Message
1960	explorer.exe	A Network Trojan was detected	ET MALWARE Suspected Smokeloader Activity (POST)
1960	explorer.exe	A Network Trojan was detected	ET MALWARE Suspected Smokeloader Activity (POST)
1960	explorer.exe	A Network Trojan was detected	ET MALWARE Suspected Smokeloader Activity (POST)
1672	ss31.exe	A Network Trojan was detected	AV INFO Suspicious UA HTTPREAD
2068	nbveek.exe	A Network Trojan was detected	AV TROJAN Agent.DHOA System Info Exfiltration
2068	nbveek.exe	Unknown Classtype	ET MALWARE Amadey CnC Check-In
2068	nbveek.exe	A Network Trojan was detected	ET MALWARE Amadey Bot Activity (POST)
1672	ss31.exe	Potentially Bad Traffic	ET HUNTING Double User-Agent (User-Agent User-Agent)
2068	nbveek.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host DLL Request
2068	nbveek.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .dll file with no User-Agent

3 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

setup.exe

3B9C6A8C6DD4A1B0DD359AD37EEE5EE1

B0F89579235F8CFBE3614B972BC73971146A7996

FCBB0A893857EF1A65ED50F65D9D21505AEEC595AAB6695B417BB3665E1797ED

3072:GDpyyC9KAnpNhz6Qcba2Hv9U5wTOF/9Oej5gFFch:vJKYhzQlP956Doa

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Application was injected by another process

Runs injected code in another process

SMOKE was detected

Connects to the CnC server

Application was dropped or rewritten from another process

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

AMADEY was detected

Actions looks like stealing of personal data

AMADEY detected by memory dumps

Adds path to the Windows Defender exclusion list

Uses Task Scheduler to autorun other applications

Creates a writable file the system directory

SUSPICIOUS

Reads the Internet Settings

Executable content was dropped or overwritten

Starts itself from another location

Starts CMD.EXE for commands execution

Application launched itself

Uses ICACLS.EXE to modify access control lists

Reads settings of System Certificates

Connects to the server without a host name

Starts POWERSHELL.EXE for commands execution

Uses REG/REGEDIT.EXE to modify register

Uses powercfg.exe to modify the power settings

Starts SC.EXE for service management

The process checks if current user has admin rights

The process executes via Task Scheduler

Process requests binary or script from the Internet

Uses RUNDLL32.EXE to load library

Loads DLL from Mozilla Firefox

Drops a system driver (possible attempt to evade defenses)

Uses WMIC.EXE to obtain a list of video controllers

Unusual connection from system programs

Connects to unusual port

INFO

Checks supported languages

Creates files or folders in the user directory

The process checks LSA protection

Create files in a temporary directory

Reads the computer name

Checks proxy server information

Reads the machine GUID from the registry

Reads settings of System Certificates

Reads security settings of Internet Explorer

Creates files in the program directory

Malware configuration

Amadey

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules