File name:

Scriptware_protected.exe

Full analysis: https://app.any.run/tasks/43eb057c-30ce-4513-b9d1-1983cb4c0c06
Verdict: Malicious activity
Threats:

Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.

Analysis date: May 26, 2023, 22:02:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
orcus
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

82A10F282AD38DF97046EDF8717348FA

SHA1:

8831189C1FBCC8AC85C982F3FEE43032E1D03084

SHA256:

0FDC4E6CC88A99F2B0871C2720B06EAA6F64E2D0DF56E21F7C241D46DC3B993B

SSDEEP:

98304:xwafcOVwv4sMeNIJGnOLuvV51IHD8pKyrnX7i03DDHN:hcOVwA9w8VsH1eyXtDDHN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Orcus is detected

      • Scriptware_protected.exe (PID: 1840)
      • svchost.exe (PID: 2116)
      • svchost (1).exe (PID: 2236)
      • svchost.exe (PID: 924)
    • Starts Visual C# compiler

      • Scriptware_protected.exe (PID: 1840)
    • Creates a writable file the system directory

      • Scriptware_protected.exe (PID: 1840)
      • WindowsInput.exe (PID: 2100)
    • Application was dropped or rewritten from another process

      • WindowsInput.exe (PID: 2100)
      • WindowsInput.exe (PID: 3276)
      • svchost (1).exe (PID: 2724)
      • svchost (1).exe (PID: 2236)
    • ORCUS was detected

      • svchost.exe (PID: 2116)
    • ORCUS detected by memory dumps

      • svchost.exe (PID: 2116)
    • Loads dropped or rewritten executable

      • svchost.exe (PID: 2116)
  • SUSPICIOUS

    • Reads the BIOS version

      • Scriptware_protected.exe (PID: 1840)
      • svchost.exe (PID: 2116)
      • svchost.exe (PID: 924)
    • Uses .NET C# to load dll

      • Scriptware_protected.exe (PID: 1840)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 1004)
      • Scriptware_protected.exe (PID: 1840)
      • svchost.exe (PID: 2116)
    • Reads the Internet Settings

      • Scriptware_protected.exe (PID: 1840)
      • WindowsInput.exe (PID: 2100)
      • svchost.exe (PID: 2116)
      • svchost (1).exe (PID: 2236)
    • Executes as Windows Service

      • WindowsInput.exe (PID: 3276)
    • The process creates files with name similar to system file names

      • Scriptware_protected.exe (PID: 1840)
    • Creates executable files that already exist in Windows

      • Scriptware_protected.exe (PID: 1840)
    • Starts itself from another location

      • Scriptware_protected.exe (PID: 1840)
    • Application launched itself

      • svchost (1).exe (PID: 2236)
    • The process executes via Task Scheduler

      • svchost.exe (PID: 924)
    • Reads settings of System Certificates

      • svchost.exe (PID: 2116)
    • Connects to unusual port

      • svchost.exe (PID: 2116)
    • Searches for installed software

      • svchost.exe (PID: 2116)
  • INFO

    • Process checks are UAC notifies on

      • Scriptware_protected.exe (PID: 1840)
      • svchost.exe (PID: 2116)
      • svchost.exe (PID: 924)
    • Checks supported languages

      • Scriptware_protected.exe (PID: 1840)
      • csc.exe (PID: 1004)
      • cvtres.exe (PID: 2472)
      • WindowsInput.exe (PID: 2100)
      • WindowsInput.exe (PID: 3276)
      • svchost (1).exe (PID: 2236)
      • svchost.exe (PID: 2116)
      • svchost.exe (PID: 924)
      • svchost (1).exe (PID: 2724)
      • wmpnscfg.exe (PID: 596)
    • Reads the machine GUID from the registry

      • Scriptware_protected.exe (PID: 1840)
      • csc.exe (PID: 1004)
      • cvtres.exe (PID: 2472)
      • WindowsInput.exe (PID: 2100)
      • WindowsInput.exe (PID: 3276)
      • svchost.exe (PID: 2116)
      • svchost (1).exe (PID: 2236)
      • svchost (1).exe (PID: 2724)
      • svchost.exe (PID: 924)
      • wmpnscfg.exe (PID: 596)
    • The process checks LSA protection

      • Scriptware_protected.exe (PID: 1840)
      • csc.exe (PID: 1004)
      • cvtres.exe (PID: 2472)
      • WindowsInput.exe (PID: 2100)
      • WindowsInput.exe (PID: 3276)
      • svchost (1).exe (PID: 2236)
      • svchost.exe (PID: 2116)
      • svchost (1).exe (PID: 2724)
      • svchost.exe (PID: 924)
      • wmpnscfg.exe (PID: 596)
    • Create files in a temporary directory

      • Scriptware_protected.exe (PID: 1840)
      • csc.exe (PID: 1004)
      • cvtres.exe (PID: 2472)
      • svchost.exe (PID: 2116)
    • Reads the computer name

      • Scriptware_protected.exe (PID: 1840)
      • WindowsInput.exe (PID: 2100)
      • WindowsInput.exe (PID: 3276)
      • svchost.exe (PID: 2116)
      • svchost (1).exe (PID: 2236)
      • svchost.exe (PID: 924)
      • svchost (1).exe (PID: 2724)
      • wmpnscfg.exe (PID: 596)
    • Creates files in the program directory

      • Scriptware_protected.exe (PID: 1840)
    • Creates files or folders in the user directory

      • svchost.exe (PID: 2116)
    • Reads Environment values

      • svchost.exe (PID: 2116)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 596)
      • WINWORD.EXE (PID: 3200)
      • WINWORD.EXE (PID: 3172)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Orcus

(PID) Process(2116) svchost.exe
C2 (2)0.0.0.0:10134
194.26.192.209:1920
Keys
AES0dde8f777b4262089ee8bc480d9fe72c9b04dd11e8aef4044b7461350f1f9a7f
Salt
Options
AutostartBuilderProperty
AutostartMethodRegistry
TaskSchedulerTaskNamedllhost
TaskHighestPrivilegestrue
RegistryHiddenStarttrue
RegistryKeyNamesvchost
TryAllAutostartMethodsOnFailtrue
ChangeAssemblyInformationBuilderProperty
ChangeAssemblyInformationfalse
AssemblyTitlenull
AssemblyDescriptionnull
AssemblyCompanyNamenull
AssemblyProductNamenull
AssemblyCopyrightnull
AssemblyTrademarksnull
AssemblyProductVersion1.0.0.0
AssemblyFileVersion1.0.0.0
ChangeCreationDateBuilderProperty
IsEnabledtrue
NewCreationDate2019-03-23T18:02:02
ChangeIconBuilderProperty
ChangeIconfalse
IconPathnull
ClientTagBuilderProperty
ClientTagpacov
DataFolderBuilderProperty
Path%appdata%\EasyAntiCheat
DefaultPrivilegesBuilderProperty
RequireAdministratorRightstrue
DisableInstallationPromptBuilderProperty
IsDisabledtrue
FrameworkVersionBuilderProperty
FrameworkVersionNET35
HideFileBuilderProperty
HideFiletrue
InstallationLocationBuilderProperty
Path%programfiles%\Microsoft\svchost.exe
InstallBuilderProperty
Installtrue
KeyloggerBuilderProperty
IsEnabledtrue
MutexBuilderProperty
Mutexeb4259216d7440f19b9a508156fd6925
ProxyBuilderProperty
ProxyOptionNone
ProxyAddressnull
ProxyPort1080
ProxyType2
ReconnectDelayProperty
Delay10000
RequireAdministratorPrivilegesInstallerBuilderProperty
RequireAdministratorPrivilegestrue
RespawnTaskBuilderProperty
IsEnabledtrue
TaskNamesvchost
ServiceBuilderProperty
Installtrue
SetRunProgramAsAdminFlagBuilderProperty
SetFlagtrue
WatchdogBuilderProperty
IsEnabledtrue
Namesvchost.exe
WatchdogLocationAppData
PreventFileDeletiontrue
Plugins (0)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 1.0.0.0
ProductName: -
OriginalFileName: Scriptware.exe
LegalTrademarks: -
LegalCopyright: -
InternalName: Scriptware.exe
FileVersion: 1.0.0.0
FileDescription: -
CompanyName: -
Comments: -
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x63e058
UninitializedDataSize: -
InitializedDataSize: 128512
CodeSize: 933376
LinkerVersion: 8
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2023:05:26 21:27:54+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 26-May-2023 21:27:54
Detected languages:
  • English - United States
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.0
InternalName: Scriptware.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFilename: Scriptware.exe
ProductName: -
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 7
Time date stamp: 26-May-2023 21:27:54
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
0x00002000
0x000E4000
0x0009CA56
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.96304
K\xf3\x01
0x000E6000
0x0001F34B
0x0000A998
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.97169
\x0c
0x00106000
0x0000000C
0x0000000F
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
3.90689
.imports
0x00108000
0x00002000
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.14055
.rsrc
0x0010A000
0x0001F400
0x0001F400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.8964
.themida
0x0012A000
0x00514000
0x00000000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.boot
0x0063E000
0x002FD000
0x002FCF45
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.95928

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.28751
831
UNKNOWN
English - United States
RT_MANIFEST
2
1.9013
67624
UNKNOWN
UNKNOWN
RT_ICON
3
2.44053
16936
UNKNOWN
UNKNOWN
RT_ICON
4
2.86094
9640
UNKNOWN
UNKNOWN
RT_ICON
5
3.3069
4264
UNKNOWN
UNKNOWN
RT_ICON
6
3.91202
1128
UNKNOWN
UNKNOWN
RT_ICON
WHITE-SHADOW.503A8492-REMOVEBG-PREVIEW
2.79908
90
UNKNOWN
UNKNOWN
RT_GROUP_ICON

Imports

kernel32.dll
mscoree.dll
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
57
Monitored processes
13
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details

Process information

PID
CMD
Path
Indicators
Parent process
596"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
748"C:\Users\admin\AppData\Local\Temp\Scriptware_protected.exe" C:\Users\admin\AppData\Local\Temp\Scriptware_protected.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\scriptware_protected.exe
c:\windows\system32\ntdll.dll
924"C:\Program Files\Microsoft\svchost.exe" C:\Program Files\Microsoft\svchost.exe
taskeng.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\program files\microsoft\svchost.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
1004"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\hvly4nvo.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Scriptware_protected.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1840"C:\Users\admin\AppData\Local\Temp\Scriptware_protected.exe" C:\Users\admin\AppData\Local\Temp\Scriptware_protected.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\scriptware_protected.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
2100"C:\Windows\system32\WindowsInput.exe" --installC:\Windows\System32\WindowsInput.exeScriptware_protected.exe
User:
admin
Company:
Microsoft
Integrity Level:
HIGH
Description:
Windows Input
Exit code:
0
Version:
0.1.0
Modules
Images
c:\windows\system32\windowsinput.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2116"C:\Program Files\Microsoft\svchost.exe" C:\Program Files\Microsoft\svchost.exe
Scriptware_protected.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\program files\microsoft\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Orcus
(PID) Process(2116) svchost.exe
C2 (2)0.0.0.0:10134
194.26.192.209:1920
Keys
AES0dde8f777b4262089ee8bc480d9fe72c9b04dd11e8aef4044b7461350f1f9a7f
Salt
Options
AutostartBuilderProperty
AutostartMethodRegistry
TaskSchedulerTaskNamedllhost
TaskHighestPrivilegestrue
RegistryHiddenStarttrue
RegistryKeyNamesvchost
TryAllAutostartMethodsOnFailtrue
ChangeAssemblyInformationBuilderProperty
ChangeAssemblyInformationfalse
AssemblyTitlenull
AssemblyDescriptionnull
AssemblyCompanyNamenull
AssemblyProductNamenull
AssemblyCopyrightnull
AssemblyTrademarksnull
AssemblyProductVersion1.0.0.0
AssemblyFileVersion1.0.0.0
ChangeCreationDateBuilderProperty
IsEnabledtrue
NewCreationDate2019-03-23T18:02:02
ChangeIconBuilderProperty
ChangeIconfalse
IconPathnull
ClientTagBuilderProperty
ClientTagpacov
DataFolderBuilderProperty
Path%appdata%\EasyAntiCheat
DefaultPrivilegesBuilderProperty
RequireAdministratorRightstrue
DisableInstallationPromptBuilderProperty
IsDisabledtrue
FrameworkVersionBuilderProperty
FrameworkVersionNET35
HideFileBuilderProperty
HideFiletrue
InstallationLocationBuilderProperty
Path%programfiles%\Microsoft\svchost.exe
InstallBuilderProperty
Installtrue
KeyloggerBuilderProperty
IsEnabledtrue
MutexBuilderProperty
Mutexeb4259216d7440f19b9a508156fd6925
ProxyBuilderProperty
ProxyOptionNone
ProxyAddressnull
ProxyPort1080
ProxyType2
ReconnectDelayProperty
Delay10000
RequireAdministratorPrivilegesInstallerBuilderProperty
RequireAdministratorPrivilegestrue
RespawnTaskBuilderProperty
IsEnabledtrue
TaskNamesvchost
ServiceBuilderProperty
Installtrue
SetRunProgramAsAdminFlagBuilderProperty
SetFlagtrue
WatchdogBuilderProperty
IsEnabledtrue
Namesvchost.exe
WatchdogLocationAppData
PreventFileDeletiontrue
Plugins (0)
2236"C:\Users\admin\AppData\Roaming\svchost (1).exe" /launchSelfAndExit "C:\Program Files\Microsoft\svchost.exe" 2116 /protectFileC:\Users\admin\AppData\Roaming\svchost (1).exe
svchost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
2724
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\svchost (1).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\rpcrt4.dll
2472C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESE6C9.tmp" "c:\Users\admin\AppData\Local\Temp\CSCE6C8.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.5003 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
2724"C:\Users\admin\AppData\Roaming\svchost (1).exe" /watchProcess "C:\Program Files\Microsoft\svchost.exe" 2116 "/protectFile"C:\Users\admin\AppData\Roaming\svchost (1).exesvchost (1).exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\users\admin\appdata\roaming\svchost (1).exe
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\sechost.dll
Total events
11 127
Read events
10 886
Write events
97
Delete events
144

Modification events

(PID) Process:(1840) Scriptware_protected.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1840) Scriptware_protected.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1840) Scriptware_protected.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1840) Scriptware_protected.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2100) WindowsInput.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2100) WindowsInput.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2100) WindowsInput.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2100) WindowsInput.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2116) svchost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2116) svchost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
17
Suspicious files
12
Text files
7
Unknown types
0

Dropped files

PID
Process
Filename
Type
1840Scriptware_protected.exeC:\Users\admin\AppData\Local\Temp\hvly4nvo.0.cstext
MD5:0F972D116AAF9B5255352449037ED345
SHA256:CDCD271F738A4CDE9DDB3EC64F2C7439DFDB5F5661E36E632042DF86F33EA644
1840Scriptware_protected.exeC:\Users\admin\AppData\Local\Temp\hvly4nvo.cmdlinetext
MD5:1EF50015EFECD468D8B5AA04A55E262B
SHA256:7F16AA5066F75DC1CA1FBEECFAFA0AC9706A682C0A179326A2D867433BD8B77C
1004csc.exeC:\Users\admin\AppData\Local\Temp\CSCE6C8.tmpbinary
MD5:6F87B7162972D3B2C5B96715039A03A2
SHA256:486A9837D1635B210B195AEAEF00BD3ABA286B694B1DA093865AC55D28330DB0
1004csc.exeC:\Users\admin\AppData\Local\Temp\hvly4nvo.dllexecutable
MD5:679BA599C936E44AAB6DBCD62195C785
SHA256:08DDE2288EB1E0B0E680C3B36D9F3DD254761F1A118C4B314F3ED27BC0A2CDA5
3200WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA560.tmp.cvr
MD5:
SHA256:
1840Scriptware_protected.exeC:\Windows\system32\WindowsInput.exeexecutable
MD5:E6FCF516D8ED8D0D4427F86E08D0D435
SHA256:8DBE814359391ED6B0B5B182039008CF1D00964DA9FBC4747F46242A95C24337
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA7C1.tmp.cvr
MD5:
SHA256:
2100WindowsInput.exeC:\Windows\system32\WindowsInput.InstallStatexml
MD5:FFB29BD88BD23C639985F1D369DBD1CA
SHA256:1ADB4F9D1D152E018246A0A2762B473D910906340207F57D3F8CE1097E1DE09F
2116svchost.exeC:\Users\admin\AppData\Local\Temp\Cab1C4F.tmpcompressed
MD5:3AC860860707BAAF32469FA7CC7C0192
SHA256:D015145D551ECD14916270EFAD773BBC9FD57FAD2228D2C24559F696C961D904
2116svchost.exeC:\Users\admin\AppData\Roaming\svchost (1).exe.configxml
MD5:A2B76CEA3A59FA9AF5EA21FF68139C98
SHA256:F99EF5BF79A7C43701877F0BB0B890591885BB0A3D605762647CC8FFBF10C839
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
6
DNS requests
1
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2116
svchost.exe
GET
200
67.27.234.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?01c5ead56df16a6d
US
compressed
62.3 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1076
svchost.exe
224.0.0.252:5355
unknown
3704
svchost.exe
239.255.255.250:1900
whitelisted
2116
svchost.exe
67.27.234.126:80
ctldl.windowsupdate.com
LEVEL3
US
suspicious
2116
svchost.exe
194.26.192.209:1920
1337 Services GmbH
NL
malicious

DNS requests

Domain
IP
Reputation
ctldl.windowsupdate.com
  • 67.27.234.126
  • 67.27.235.254
  • 8.241.9.254
  • 67.27.235.126
  • 8.241.11.254
whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info