File name:

105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4

Full analysis: https://app.any.run/tasks/4aebc021-ef93-4cd8-a2a3-8138a0250844
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: May 17, 2025, 14:04:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
netreactor
stealer
ultravnc
rmm-tool
smtp
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

EFB47EF635280EB370191212AE23453A

SHA1:

914A79437C08E3650AC1A03B24CEF60D5B0B9B9C

SHA256:

105723D9D7A4CEBAD5FDD0454435D7FF2776D8084FBC94795C5E9CD863DFF0D4

SSDEEP:

24576:Z5O2kXIHzemRH8hSOPi6V+Pfqud6jcWb/DXwZB342yYZixx3x6:Z5O2kUzemRHmSGi6V+Pfqud6jcWb/DXw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • 105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exe (PID: 5548)

    • Changes the autorun value in the registry

      • RegSvcs.exe (PID: 2040)

    • Actions looks like stealing of personal data

      • RegSvcs.exe (PID: 2040)

    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 2040)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exe (PID: 5548)
      • RegSvcs.exe (PID: 2040)

    • Reads security settings of Internet Explorer

      • 105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exe (PID: 5548)

    • Process drops legitimate windows executable

      • RegSvcs.exe (PID: 2040)

    • Connects to SMTP port

      • RegSvcs.exe (PID: 2040)

  • INFO

    • Process checks computer location settings

      • 105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exe (PID: 5548)

    • Creates files or folders in the user directory

      • 105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exe (PID: 5548)
      • RegSvcs.exe (PID: 2040)

    • .NET Reactor protector has been detected

      • 105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exe (PID: 5548)

    • Create files in a temporary directory

      • 105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exe (PID: 5548)

    • Reads the machine GUID from the registry

      • 105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exe (PID: 5548)
      • RegSvcs.exe (PID: 2040)

    • Reads the computer name

      • 105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exe (PID: 5548)
      • RegSvcs.exe (PID: 2040)

    • Checks supported languages

      • 105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exe (PID: 5548)
      • RegSvcs.exe (PID: 2040)

    • The sample compiled with english language support

      • RegSvcs.exe (PID: 2040)

    • ULTRAVNC has been detected

      • RegSvcs.exe (PID: 2040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:08 01:46:42+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 602112
InitializedDataSize: 6656
UninitializedDataSize: -
EntryPoint: 0x94f9a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 114.4.5.0
ProductVersionNumber: 114.4.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Little GameBox
CompanyName: Lord of 13
FileDescription: WF_Xtension
FileVersion: 114.4.5.0
InternalName: DZzPc.exe
LegalCopyright: Copyright © Lord of 13
LegalTrademarks: -
OriginalFileName: DZzPc.exe
ProductName: WF_Xtension
ProductVersion: 114.4.5.0
AssemblyVersion: 114.4.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exe sppextcomobj.exe no specs slui.exe no specs schtasks.exe no specs conhost.exe no specs regsvcs.exe

Process information

PID
CMD
Path
Indicators
Parent process
2040"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
2384C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
4188\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5548"C:\Users\admin\AppData\Local\Temp\105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exe" C:\Users\admin\AppData\Local\Temp\105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exe
explorer.exe
User:
admin
Company:
Lord of 13
Integrity Level:
MEDIUM
Description:
WF_Xtension
Exit code:
0
Version:
114.4.5.0
Modules
Images
c:\users\admin\appdata\local\temp\105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
5756"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uRuKbBB" /XML "C:\Users\admin\AppData\Local\Temp\tmp415B.tmp"C:\Windows\SysWOW64\schtasks.exe105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6048"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
1 373
Read events
1 371
Write events
2
Delete events
0

Modification events

(PID) Process:(2040) RegSvcs.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:LGJKTZa
Value:
C:\Users\admin\AppData\Roaming\LGJKTZa\LGJKTZa.exe
(PID) Process:(2040) RegSvcs.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Operation:writeName:LGJKTZa
Value:
020000000000000000000000
Executable files
2
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2040RegSvcs.exeC:\Users\admin\AppData\Roaming\LGJKTZa\LGJKTZa.exeexecutable
MD5:6279D136310C22894F605938B4CB93D8
SHA256:FB7D514B3322810463655473D2D7C704D3405C1C9DD81F0D4D423518EF416987
5548105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exeC:\Users\admin\AppData\Local\Temp\tmp415B.tmpxml
MD5:DDA98676079107D2D1ED07BBD7956B3C
SHA256:DCD15BEE2E08DC0CAD1CDA868309E563984CB82E7B13152A3E06DBD2002764BE
5548105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4.exeC:\Users\admin\AppData\Roaming\uRuKbBB.exeexecutable
MD5:EFB47EF635280EB370191212AE23453A
SHA256:105723D9D7A4CEBAD5FDD0454435D7FF2776D8084FBC94795C5E9CD863DFF0D4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
21
DNS requests
13
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.21:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5544
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5544
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.216.77.21:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.216.77.21
  • 23.216.77.30
  • 23.216.77.26
  • 23.216.77.13
  • 23.216.77.42
  • 23.216.77.20
  • 23.216.77.18
  • 23.216.77.15
  • 23.216.77.25
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.2
  • 20.190.159.73
  • 40.126.31.2
  • 40.126.31.69
  • 40.126.31.130
  • 40.126.31.67
  • 40.126.31.129
  • 20.190.159.129
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
mail.goldeneaglelog.com.my
  • 103.6.245.21
whitelisted

Threats

PID
Process
Class
Message
2040
RegSvcs.exe
Generic Protocol Command Decode
SURICATA SMTP invalid reply
2040
RegSvcs.exe
Misc activity
INFO [ANY.RUN] SMTP email client opens transfer with server (EHLO)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4