File name:	Underware.exe
Full analysis:	https://app.any.run/tasks/02abdcd0-c538-4b6c-90dc-68f00b60242a
Verdict:	Malicious activity
Analysis date:	January 30, 2026, 23:57:17
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	evasion auto-reg auto-startup
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	533B899EFB97EA137CDCD54981B0BEF8
SHA1:	6A4C235BD6679DD62C9059DD7148ECAEAB497F17
SHA256:	0614F7DBEF0DA1EA74A00283446C20E64318B75C114BBCA8F65BD2F6B1DF0CD6
SSDEEP:	6144:yi/5EIg4NFp0tkbDMXO4Qd7sROBki1nfwqt+BLEZIk77AE8ISUEm92oBF8OPvFYL:ZCIg4xGOBk6fTTIk7gjUEm92EF6qW

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2026:01:30 23:55:54+00:00
ImageFileCharacteristics:	Executable
PEType:	PE32
LinkerVersion:	8
CodeSize:	484864
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x7850e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	1.0.0.0
InternalName:	Underware.exe
LegalCopyright:
OriginalFileName:	Underware.exe
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(1368) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(1368) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(1368) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(1368) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(1368) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(1368) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(1368) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(1368) cmstp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Network Connections
Operation:	write	Name:	DesktopShortcut
Value: 0
(PID) Process:	(5440) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5440) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

PID	Process	Filename		Type
2092	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_epfsctp3.ovf.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1876	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ahfhxpgg.tgc.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1876	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_e0bwcg35.2ex.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1876	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:E0782DE94B61C72B3EE3447CBDF846E7	SHA256:A1D79E26DE165BFD2966071E3BA6C5FD5E0911FC48ACD51E8B9D22AAB7CB6B39
7672	Underware.exe	C:\Windows\Temp\neq04z3e.inf		text
		MD5:356FD40431C972DD2F2FFDAAEFF0F16C	SHA256:FCE684EF93AE99FA068FC3F72613D9FCB6C986C37709C3DCAB5DE1A8D6754932
476	Underware.exe	C:\Windows\AggregatorHost.exe		executable
		MD5:533B899EFB97EA137CDCD54981B0BEF8	SHA256:0614F7DBEF0DA1EA74A00283446C20E64318B75C114BBCA8F65BD2F6B1DF0CD6
2092	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gu3200sf.aoe.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2092	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_snbigm5z.k4o.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1876	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hoypkajb.lbg.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5164	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1ta1fpuv.vix.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7244	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6768	MoUsoCoreWorker.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7208	RUXIMICS.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1856	AggregatorHost.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	unknown
—	—	POST	204	92.123.104.49:443	https://www.bing.com/threshold/xls.aspx?t=5&dl=1&wsbc=1	unknown	—	—	unknown
5568	SearchApp.exe	POST	204	2.16.241.201:443	https://www.bing.com/threshold/xls.aspx?t=5&dl=1&wsbc=1	unknown	—	—	whitelisted
8276	slui.exe	POST	500	128.24.231.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	48.192.1.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	unknown
3292	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl	unknown	—	—	whitelisted
3292	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
7244	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7208	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
7244	svchost.exe	23.216.77.28:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6768	MoUsoCoreWorker.exe	23.216.77.28:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
7208	RUXIMICS.exe	23.216.77.28:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
7244	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
self.events.data.microsoft.com	52.182.143.211 20.189.173.10	whitelisted
google.com	216.58.206.46	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6	whitelisted
ip-api.com	208.95.112.1	whitelisted
www.bing.com	2.16.241.201 2.16.241.218	whitelisted
Jari25u777-33269.portmap.host	193.161.193.99	unknown
activation-v2.sls.microsoft.com	128.24.231.64 48.192.1.64	whitelisted
www.microsoft.com	23.52.181.212	whitelisted

PID	Process	Class	Message
2292	svchost.exe	Misc activity	INFO [ANY.RUN] External IP Check (ip-api .com)
2292	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
1856	AggregatorHost.exe	A Network Trojan was detected	ET MALWARE Common Stealer Behavior - Source IP Associated with Hosting Provider Check via ip.api .com
1856	AggregatorHost.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
2292	svchost.exe	Misc activity	ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)
2292	svchost.exe	Potential Corporate Privacy Violation	ET INFO DNS Query to a Reverse Proxy Service Observed

General Info

Underware.exe

533B899EFB97EA137CDCD54981B0BEF8

6A4C235BD6679DD62C9059DD7148ECAEAB497F17

0614F7DBEF0DA1EA74A00283446C20E64318B75C114BBCA8F65BD2F6B1DF0CD6

6144:yi/5EIg4NFp0tkbDMXO4Qd7sROBki1nfwqt+BLEZIk77AE8ISUEm92oBF8OPvFYL:ZCIg4xGOBk6fTTIk7gjUEm92EF6qW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Changes Windows Defender settings

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

Adds process to the Windows Defender exclusion list

Uses Task Scheduler to run other applications

Changes the autorun value in the registry

Create files in the Startup directory

Known privilege escalation attack

SUSPICIOUS

Reads the date of Windows installation

Runs shell command (SCRIPT)

Uses TASKKILL.EXE to kill process

Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

Used cmstp for execute code hidden within an inf file

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

Script adds exclusion process to Windows Defender

Executable content was dropped or overwritten

The process creates files with name similar to system file names

The process executes via Task Scheduler

Checks for external IP

Executes as Windows Service

Potential Corporate Privacy Violation

INFO

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Checks supported languages

Reads Internet Explorer settings

Process checks computer location settings

Reads the computer name

Disables trace logs

Checks if a key exists in the options dictionary (POWERSHELL)

Drops script file

Script raised an exception (POWERSHELL)

Creates files in the program directory

Reads Environment values

Checks proxy server information

Launching a file from a Registry key

Creates files or folders in the user directory

Checks transactions between databases Windows and Oracle

Launching a file from the Startup directory

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules