File name:

vmtoolsd.exe

Full analysis: https://app.any.run/tasks/0dfe2b46-8e35-4a68-b63a-92e6e6dbff03
Verdict: Malicious activity
Analysis date: August 14, 2024, 01:17:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
dyndns
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

871B363207470C04AD381250F8523CEA

SHA1:

7AE4DFDF7BCC9233BBEAB58369D2C0E66E76A1BC

SHA256:

38EB0BDC6D722BCF1083C90B1FAD9B2D5A31B64D400C33D84750EFA41C18A76A

SSDEEP:

24576:43HzLnqOaNMCFJ6kPvOxrcg0i7uFNHgNvXym0ss:43HzLnqOaNMCFJ6kPvO1cg0i7sgNvXlG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connects to the CnC server

      • Synaptics.exe (PID: 6248)

    • Changes the autorun value in the registry

      • vmtoolsd.exe (PID: 6908)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • vmtoolsd.exe (PID: 6908)

    • Reads security settings of Internet Explorer

      • vmtoolsd.exe (PID: 6908)
      • Synaptics.exe (PID: 6248)

    • Executable content was dropped or overwritten

      • vmtoolsd.exe (PID: 6908)

    • Reads the date of Windows installation

      • vmtoolsd.exe (PID: 6908)

    • There is functionality for communication over UDP network (YARA)

      • vmtoolsd.exe (PID: 6908)
      • Synaptics.exe (PID: 6248)

    • There is functionality for taking screenshot (YARA)

      • vmtoolsd.exe (PID: 6908)
      • Synaptics.exe (PID: 6248)

    • There is functionality for communication dyndns network (YARA)

      • vmtoolsd.exe (PID: 6908)
      • Synaptics.exe (PID: 6248)

    • Checks Windows Trust Settings

      • Synaptics.exe (PID: 6248)

    • Contacting a server suspected of hosting an CnC

      • Synaptics.exe (PID: 6248)

  • INFO

    • Checks supported languages

      • vmtoolsd.exe (PID: 6908)
      • ._cache_vmtoolsd.exe (PID: 6964)
      • Synaptics.exe (PID: 6248)

    • Reads the computer name

      • vmtoolsd.exe (PID: 6908)
      • Synaptics.exe (PID: 6248)

    • Process checks computer location settings

      • vmtoolsd.exe (PID: 6908)

    • Creates files in the program directory

      • vmtoolsd.exe (PID: 6908)
      • Synaptics.exe (PID: 6248)

    • Checks proxy server information

      • Synaptics.exe (PID: 6248)

    • Reads the machine GUID from the registry

      • Synaptics.exe (PID: 6248)

    • Create files in a temporary directory

      • Synaptics.exe (PID: 6248)

    • Reads the software policy settings

      • Synaptics.exe (PID: 6248)

    • Creates files or folders in the user directory

      • Synaptics.exe (PID: 6248)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (96.4)
.exe | Win32 Executable Delphi generic (2)
.exe | Win32 Executable (generic) (0.6)
.exe | Win16/32 Executable Delphi generic (0.3)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 629760
InitializedDataSize: 205312
UninitializedDataSize: -
EntryPoint: 0x9ab80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.4
ProductVersionNumber: 1.0.0.4
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Turkish
CharacterSet: Windows, Turkish
CompanyName: Synaptics
FileDescription: Synaptics Pointing Device Driver
FileVersion: 1.0.0.4
InternalName: -
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: -
ProductName: Synaptics Pointing Device Driver
ProductVersion: 1.0.0.0
Comments: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start THREAT vmtoolsd.exe ._cache_vmtoolsd.exe no specs THREAT synaptics.exe

Process information

PID
CMD
Path
Indicators
Parent process
6248"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdateC:\ProgramData\Synaptics\Synaptics.exe
vmtoolsd.exe
User:
admin
Company:
Synaptics
Integrity Level:
HIGH
Description:
Synaptics Pointing Device Driver
Version:
1.0.0.4
Modules
Images
c:\programdata\synaptics\synaptics.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6908"C:\Users\admin\Desktop\vmtoolsd.exe" C:\Users\admin\Desktop\vmtoolsd.exe
explorer.exe
User:
admin
Company:
Synaptics
Integrity Level:
MEDIUM
Description:
Synaptics Pointing Device Driver
Exit code:
0
Version:
1.0.0.4
Modules
Images
c:\users\admin\desktop\vmtoolsd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6964"C:\Users\admin\Desktop\._cache_vmtoolsd.exe" C:\Users\admin\Desktop\._cache_vmtoolsd.exevmtoolsd.exe
User:
admin
Company:
VMware, Inc.
Integrity Level:
MEDIUM
Description:
VMware Tools Core Service
Exit code:
3221225781
Version:
10.0.12.325
Modules
Images
c:\users\admin\desktop\._cache_vmtoolsd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
3 576
Read events
3 554
Write events
22
Delete events
0

Modification events

(PID) Process:(6908) vmtoolsd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(6908) vmtoolsd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6908) vmtoolsd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6908) vmtoolsd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6908) vmtoolsd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(6908) vmtoolsd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Synaptics Pointing Device Driver
Value:
C:\ProgramData\Synaptics\Synaptics.exe
(PID) Process:(6908) vmtoolsd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000060B81DB4E48ED2119906E49FADC173CA7D000000
(PID) Process:(6248) Synaptics.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6248) Synaptics.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6248) Synaptics.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
Executable files
4
Suspicious files
8
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
6248Synaptics.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199binary
MD5:212A39F8532E6DF6856304100E0ED090
SHA256:461C43B8EA2A8FFE26D8B910F4C392F48C51A6B6E4201145E64511C029AFA3D5
6248Synaptics.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_68D058512F3515153DEB95A1F4E72552binary
MD5:B89424BB626B300FF7ADFA1161C6DE25
SHA256:C3A38C2962568975563281BB01BFAD14D2A3B2ED79CD6AD89CC37FA742F4B7C2
6908vmtoolsd.exeC:\ProgramData\Synaptics\RCX5B0C.tmpexecutable
MD5:A66204F4F25319A09BD8913A6D3457DF
SHA256:94DE8E56137E92418C6CC48F1FDCDB6E922FF830C969A1ED359EC10918429D5F
6248Synaptics.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_A58CEA7B0829C957B9B2C6786493EE99binary
MD5:141F7B01619217147062F14790673755
SHA256:E0DC5EB6AE3947E7AE850B5DCA08FB5D6007A09568234580D6BF810BF956572D
6908vmtoolsd.exeC:\ProgramData\Synaptics\Synaptics.exeexecutable
MD5:871B363207470C04AD381250F8523CEA
SHA256:38EB0BDC6D722BCF1083C90B1FAD9B2D5A31B64D400C33D84750EFA41C18A76A
6248Synaptics.exeC:\Users\admin\AppData\Local\Temp\ZOnZdKi.inihtml
MD5:EB1D1E56ACC7A5E7998988D23FEADBEF
SHA256:5BB018D981B0B3D51302A304B88E1F71314858F5AE7C835DC7C74B0D6BE1F994
6248Synaptics.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:FCFCA3A1DAFC7455C06CA4F61257264B
SHA256:078C647E915531B0D990625112B79E732FEFAF872291CB5ECB2ED7C930638C9D
6248Synaptics.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_A58CEA7B0829C957B9B2C6786493EE99binary
MD5:38BE5E9B582996E3077EF90CEF7B8669
SHA256:AC4FDEDD24130A5CCEE0FACA7C702EC9FACD7BB8678E9A4A0E45AC4107C73AE0
6248Synaptics.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAder
MD5:27CC9762BA0AA5F6DDD0326700B2CFE7
SHA256:EB0CADC23EF08F1D6E2E2506F3A4CB1BB50CB5D06E6ECA1528A7CF84A34CBFB7
6248Synaptics.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199der
MD5:E935BC5762068CAF3E24A2683B1B8A88
SHA256:A8ACCFCFEB51BD73DF23B91F4D89FF1A9EB7438EF5B12E8AFDA1A6FF1769E89D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
45
DNS requests
24
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5484
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6592
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6620
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6248
Synaptics.exe
GET
200
142.251.140.35:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted
6248
Synaptics.exe
GET
200
69.42.215.252:80
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
unknown
whitelisted
6248
Synaptics.exe
GET
200
142.251.140.35:80
http://c.pki.goog/r/r1.crl
unknown
whitelisted
6248
Synaptics.exe
GET
200
142.250.187.163:80
http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHGN%2BKTRSIp4CcztJxB9gYQ%3D
unknown
whitelisted
6248
Synaptics.exe
GET
200
142.250.187.163:80
http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCnNXjqMmu3chAgO%2BmpN88J
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4088
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
5244
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5336
SearchApp.exe
104.126.37.176:443
www.bing.com
Akamai International B.V.
DE
unknown
5336
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5484
svchost.exe
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5484
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.78
whitelisted
www.bing.com
  • 104.126.37.176
  • 104.126.37.144
  • 104.126.37.123
  • 104.126.37.145
  • 104.126.37.129
  • 104.126.37.163
  • 104.126.37.139
  • 104.126.37.131
  • 104.126.37.128
  • 104.126.37.136
  • 104.126.37.130
whitelisted
login.live.com
  • 20.190.159.68
  • 40.126.31.67
  • 20.190.159.71
  • 20.190.159.73
  • 20.190.159.64
  • 40.126.31.71
  • 40.126.31.69
  • 20.190.159.75
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted
th.bing.com
  • 104.126.37.130
  • 104.126.37.131
  • 104.126.37.176
  • 104.126.37.136
  • 104.126.37.145
  • 104.126.37.128
  • 104.126.37.139
  • 104.126.37.163
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
xred.mooo.com
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
vmtoolsd.exe