Malware analysis WindowsXP-KB4012598-x86-Custom-ENU.exe Malicious activity

Add for printing

File name:	WindowsXP-KB4012598-x86-Custom-ENU.exe
Full analysis:	https://app.any.run/tasks/bdc60608-ae01-4a80-b8bc-7c0835c5c59f
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 08, 2025, 10:05:52
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	sinkhole m0yv stealer malware
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:	84CF83362C4729AE0F569BD4758A7DC3
SHA1:	5653F917451D62672A99AB6F0B321FBFBA44CB0F
SHA256:	43AD467A60C0B8FEC4DED4701E11D04D8141B147A7DC5B7062ABFB1A0127C8B2
SSDEEP:	49152:NbciWUizg4NHrM55VX3/IbYqtTke/7SKzCFkmXElc5TnyhUJCbf/WR0zX2irPr6H:mxDEiQ5jXPIbY6ky7SlGm55LyekTqgXo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- M0YV mutex has been found
  - WindowsXP-KB4012598-x86-Custom-ENU.exe (PID: 7408)
  - FlashPlayerUpdateService.exe (PID: 7476)
  - alg.exe (PID: 7520)
  - AppVClient.exe (PID: 7616)
  - DiagnosticsHub.StandardCollector.Service.exe (PID: 7676)
  - FXSSVC.exe (PID: 7908)
  - elevation_service.exe (PID: 8104)
  - maintenanceservice.exe (PID: 5988)
  - msdtc.exe (PID: 4408)
  - PerceptionSimulationService.exe (PID: 2152)
  - elevation_service.exe (PID: 7312)
  - PSEXESVC.exe (PID: 6132)
  - Locator.exe (PID: 8004)
  - SensorDataService.exe (PID: 7956)
  - Spectrum.exe (PID: 2516)
  - snmptrap.exe (PID: 7792)
  - ssh-agent.exe (PID: 4756)
  - vds.exe (PID: 4488)
  - TieringEngineService.exe (PID: 1020)
  - AgentService.exe (PID: 4040)
  - WmiApSrv.exe (PID: 2268)
  - SearchIndexer.exe (PID: 1096)
  - VSSVC.exe (PID: 7404)
  - wbengine.exe (PID: 8028)
- Executing a file with an untrusted certificate
  - update.exe (PID: 7636)
- Request for a sinkholed resource
  - WindowsXP-KB4012598-x86-Custom-ENU.exe (PID: 7408)
- M0YV has been detected (YARA)
  - armsvc.exe (PID: 7448)
  - alg.exe (PID: 7520)
  - WindowsXP-KB4012598-x86-Custom-ENU.exe (PID: 7408)
- Actions looks like stealing of personal data
  - WindowsXP-KB4012598-x86-Custom-ENU.exe (PID: 7408)
SUSPICIOUS
- Process drops legitimate windows executable
  - WindowsXP-KB4012598-x86-Custom-ENU.exe (PID: 7408)
- Starts a Microsoft application from unusual location
  - WindowsXP-KB4012598-x86-Custom-ENU.exe (PID: 7296)
  - WindowsXP-KB4012598-x86-Custom-ENU.exe (PID: 7408)
- Executes as Windows Service
  - armsvc.exe (PID: 7448)
  - FlashPlayerUpdateService.exe (PID: 7476)
  - alg.exe (PID: 7520)
  - AppVClient.exe (PID: 7616)
  - MicrosoftEdgeUpdate.exe (PID: 7728)
  - DiagnosticsHub.StandardCollector.Service.exe (PID: 7676)
  - GameInputSvc.exe (PID: 8052)
  - FXSSVC.exe (PID: 7908)
  - GoogleUpdate.exe (PID: 7208)
  - maintenanceservice.exe (PID: 5988)
  - msdtc.exe (PID: 4408)
  - perfhost.exe (PID: 7656)
  - PSEXESVC.exe (PID: 6132)
  - Locator.exe (PID: 8004)
  - PerceptionSimulationService.exe (PID: 2152)
  - snmptrap.exe (PID: 7792)
  - Spectrum.exe (PID: 2516)
  - SensorDataService.exe (PID: 7956)
  - ssh-agent.exe (PID: 4756)
  - TieringEngineService.exe (PID: 1020)
  - AgentService.exe (PID: 4040)
  - vds.exe (PID: 4488)
  - VSSVC.exe (PID: 7404)
  - wbengine.exe (PID: 8028)
  - WmiApSrv.exe (PID: 2268)
  - MicrosoftEdgeUpdate.exe (PID: 7148)
  - GoogleUpdate.exe (PID: 7536)
- Drops a system driver (possible attempt to evade defenses)
  - WindowsXP-KB4012598-x86-Custom-ENU.exe (PID: 7408)
- Executable content was dropped or overwritten
  - WindowsXP-KB4012598-x86-Custom-ENU.exe (PID: 7408)
- Application launched itself
  - MicrosoftEdgeUpdate.exe (PID: 7728)
  - MicrosoftEdgeUpdate.exe (PID: 7772)
  - GameInputSvc.exe (PID: 8052)
  - GoogleUpdate.exe (PID: 7208)
  - GoogleUpdate.exe (PID: 7264)
  - MicrosoftEdgeUpdate.exe (PID: 7148)
- Creates/Modifies COM task schedule object
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7844)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8184)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7184)
  - MicrosoftEdgeUpdate.exe (PID: 7804)
- Process requests binary or script from the Internet
  - svchost.exe (PID: 5556)
- Potential Corporate Privacy Violation
  - svchost.exe (PID: 5556)
INFO
- The sample compiled with english language support
  - WindowsXP-KB4012598-x86-Custom-ENU.exe (PID: 7408)
- Checks supported languages
  - WindowsXP-KB4012598-x86-Custom-ENU.exe (PID: 7408)
  - armsvc.exe (PID: 7448)
  - FlashPlayerUpdateService.exe (PID: 7476)
  - MicrosoftEdgeUpdate.exe (PID: 7728)
  - update.exe (PID: 7636)
  - MicrosoftEdgeUpdate.exe (PID: 7772)
  - MicrosoftEdgeUpdate.exe (PID: 7804)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7844)
  - elevation_service.exe (PID: 8104)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8184)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7184)
  - MicrosoftEdgeUpdate.exe (PID: 1072)
  - GoogleUpdate.exe (PID: 7208)
  - GoogleUpdate.exe (PID: 7264)
  - elevation_service.exe (PID: 7312)
  - GoogleUpdate.exe (PID: 7052)
  - GoogleCrashHandler.exe (PID: 7288)
  - maintenanceservice.exe (PID: 5988)
  - GoogleCrashHandler64.exe (PID: 1280)
  - GoogleUpdate.exe (PID: 7384)
  - PSEXESVC.exe (PID: 6132)
  - ssh-agent.exe (PID: 4756)
  - MicrosoftEdgeUpdate.exe (PID: 7148)
  - MicrosoftEdgeUpdate.exe (PID: 684)
  - GoogleUpdate.exe (PID: 7536)
- Creates files or folders in the user directory
  - WindowsXP-KB4012598-x86-Custom-ENU.exe (PID: 7408)
  - GoogleUpdate.exe (PID: 7384)
- Reads the computer name
  - WindowsXP-KB4012598-x86-Custom-ENU.exe (PID: 7408)
  - armsvc.exe (PID: 7448)
  - FlashPlayerUpdateService.exe (PID: 7476)
  - MicrosoftEdgeUpdate.exe (PID: 7728)
  - MicrosoftEdgeUpdate.exe (PID: 7772)
  - MicrosoftEdgeUpdate.exe (PID: 7804)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7844)
  - elevation_service.exe (PID: 8104)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8184)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7184)
  - GoogleUpdate.exe (PID: 7208)
  - MicrosoftEdgeUpdate.exe (PID: 1072)
  - GoogleUpdate.exe (PID: 7384)
  - GoogleUpdate.exe (PID: 7264)
  - elevation_service.exe (PID: 7312)
  - GoogleCrashHandler.exe (PID: 7288)
  - maintenanceservice.exe (PID: 5988)
  - GoogleUpdate.exe (PID: 7052)
  - GoogleCrashHandler64.exe (PID: 1280)
  - PSEXESVC.exe (PID: 6132)
  - ssh-agent.exe (PID: 4756)
  - update.exe (PID: 7636)
  - MicrosoftEdgeUpdate.exe (PID: 7148)
  - MicrosoftEdgeUpdate.exe (PID: 684)
  - GoogleUpdate.exe (PID: 7536)
- Reads the machine GUID from the registry
  - WindowsXP-KB4012598-x86-Custom-ENU.exe (PID: 7408)
  - update.exe (PID: 7636)
- Creates files in the program directory
  - FXSSVC.exe (PID: 7908)
  - GoogleUpdate.exe (PID: 7208)
  - GoogleUpdate.exe (PID: 7264)
  - GoogleUpdate.exe (PID: 7384)
  - maintenanceservice.exe (PID: 5988)
  - GoogleUpdate.exe (PID: 7052)
  - SearchIndexer.exe (PID: 1096)
  - GoogleUpdate.exe (PID: 7536)
- Reads the software policy settings
  - GameInputSvc.exe (PID: 8076)
  - GoogleUpdate.exe (PID: 7384)
  - MicrosoftEdgeUpdate.exe (PID: 684)
  - MicrosoftEdgeUpdate.exe (PID: 7148)
  - GoogleUpdate.exe (PID: 7536)
- Executes as Windows Service
  - elevation_service.exe (PID: 8104)
  - elevation_service.exe (PID: 7312)
  - SearchIndexer.exe (PID: 1096)
- Checks proxy server information
  - WindowsXP-KB4012598-x86-Custom-ENU.exe (PID: 7408)
- Checks transactions between databases Windows and Oracle
  - msdtc.exe (PID: 4408)
- Reads the time zone
  - TieringEngineService.exe (PID: 1020)
- Reads Environment values
  - MicrosoftEdgeUpdate.exe (PID: 684)
- The sample compiled with bulgarian language support
  - WindowsXP-KB4012598-x86-Custom-ENU.exe (PID: 7408)
- Create files in a temporary directory
  - svchost.exe (PID: 5556)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2009:03:13 06:51:25+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, Removable run from swap, Net run from swap
PEType:	PE32
LinkerVersion:	7.1
CodeSize:	35840
InitializedDataSize:	4096
UninitializedDataSize:	-
EntryPoint:	0x6b23
OSVersion:	5.2
ImageVersion:	5.2
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	6.3.18.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Security Update
FileVersion:	1
InternalName:	SFXCAB.EXE
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	SFXCAB.EXE
ProductName:	Windows XP Family
ProductVersion:	6.3.0018.0
BuildDate:	2017/02/11
Appliesto:	Windows XP Service Pack 3
InstallationType:	Full
InstallerVersion:	6.3.13.0
InstallerEngine:	update.exe
KBArticleNumber:	4012598
SupportLink:	http://support.microsoft.com?kbid=4012598
PackageType:	Security Update
ProcArchitecture:	x86
Self-ExtractorVersion:	SFXCAB v6.3.18.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

182

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

684

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODUuMTciIHNoZWxsX3ZlcnNpb249IjEuMy4xNDcuMzciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0UyM0E4RTMtQUMxQy00QzFBLUFERDItRkZENEY5RjU5QTUwfSIgdXNlcmlkPSJ7RkQ5ODQ3MzktQTEyMi00REIwLUJFNUItNDZFM0UwOUQ4NEU0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MzREQjE1OEMtMjBDQS00OERDLUI0MzUtNzU0MENCMUNDNkREfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjQiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NS40MDQ2IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRFTEwiIHByb2R1Y3RfbmFtZT0iREVMTCIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIyLjAuNjI2MS43MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iR0NFQiIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEzNjEiIGluc3RhbGxkYXRlPSI2MjY1IiBpbnN0YWxsZGF0ZXRpbWU9IjE2MjY0NDE1MTYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzMwNTg0MTM4NDU1MjgyNjUiIGZpcnN0X2ZyZV9zZWVuX3RpbWU9IjEzMzA1ODI1NDkyOTk3MjAxMCIgZmlyc3RfZnJlX3NlZW5fdmVyc2lvbj0iMTA0LjAuMTI5My42MyI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjEwNjU0OTAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwMDg3NDEzNjE1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

MicrosoftEdgeUpdate.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Edge Update

Exit code:

Version:

1.3.147.37

Modules

Images
c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll

1020

C:\WINDOWS\system32\TieringEngineService.exe

C:\Windows\System32\TieringEngineService.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Storage Tiers Management

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\tieringengineservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1072

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

—

MicrosoftEdgeUpdate.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Edge Update

Version:

1.3.147.37

Modules

Images
c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll

1096

C:\WINDOWS\system32\SearchIndexer.exe /Embedding

C:\Windows\System32\SearchIndexer.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Windows Search Indexer

Version:

7.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\searchindexer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll

1280

"C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler64.exe"

C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler64.exe

—

GoogleUpdate.exe

User:

SYSTEM

Company:

Google LLC

Integrity Level:

SYSTEM

Description:

Google Crash Handler

Exit code:

Version:

1.3.36.371

Modules

Images
c:\program files (x86)\google\update\1.3.36.372\googlecrashhandler64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2152

C:\WINDOWS\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Perception Simulation Service

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2196

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2268

C:\WINDOWS\system32\wbem\WmiApSrv.exe

C:\Windows\System32\wbem\WmiApSrv.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

WMI Performance Reverse Adapter

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll

2516

C:\WINDOWS\system32\spectrum.exe

C:\Windows\System32\Spectrum.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Perception Service

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\spectrum.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

4040

C:\WINDOWS\system32\AgentService.exe

C:\Windows\System32\AgentService.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

AgentService EXE

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\agentservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll

Add for printing

Total events

14 490

Read events

13 781

Write events

653

Delete events

Modification events


(PID) Process:	(7728) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Integers
Operation:	write	Name:	omaha_version
Value: 1100B90003000100
(PID) Process:	(7728) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Booleans
Operation:	write	Name:	is_system_install
Value: 01000000
(PID) Process:	(7728) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts
Operation:	write	Name:	goopdate_main
Value: 1500000000000000
(PID) Process:	(7728) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts
Operation:	write	Name:	goopdate_constructor
Value: 1500000000000000
(PID) Process:	(7728) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Integers
Operation:	write	Name:	windows_major_version
Value: 0A00000000000000
(PID) Process:	(7448) armsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe ARM\1.0\ARM
Operation:	write	Name:	iLastSvcSuccess
Value: 1097921
(PID) Process:	(7772) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}
Operation:	write	Name:	InstallTime
Value:
(PID) Process:	(7844) MicrosoftEdgeUpdateComRegisterShell64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32
Operation:	write	Name:	ThreadingModel
Value: Both
(PID) Process:	(7844) MicrosoftEdgeUpdateComRegisterShell64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32
Operation:	write	Name:	ThreadingModel
Value: Both
(PID) Process:	(7844) MicrosoftEdgeUpdateComRegisterShell64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25D72A6A-8A84-4E25-886B-02FD23A7A104}\InprocHandler32
Operation:	write	Name:	ThreadingModel
Value: Both

Add for printing

Executable files

155

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin		binary
		MD5:D8BE94A360080194062ACF2C0D6BE8BA	SHA256:B5780809D0C52CD7A3826156C74D8FFCBB7602C80A9F90EB839F8DC862000AAB
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	C:\fd9bdb2740126f640a92e39e9f91\_sfx_0009._p		binary
		MD5:889829B6ACA06BF1D538DD773A0505A8	SHA256:209246EB08EE47759155CBFC6A0B0649EE50B3AD42DDE84BCA54B29F0360539D
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	C:\fd9bdb2740126f640a92e39e9f91\_sfx_.dll		executable
		MD5:EE207E35AEA4D5DF41D90221E1B66EFA	SHA256:CF64C95E9A2D02967EFC22B00EFB3736156B913A95231EB63C1DF45D43475E64
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	C:\fd9bdb2740126f640a92e39e9f91\update\update.ver		text
		MD5:635C1B9842500E566C43DAA2767C1BCB	SHA256:AFD52E731FD27964AA848C1D2F188C886EDB62B2CF9BF1BC47F8736392B161B3
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	C:\Windows\System32\alg.exe		executable
		MD5:9FA497E7A1F4F8A3A98D9E8408A240A3	SHA256:3FBE6D9AC5D8EA67CD70AD11360601031884D3CA134720D01DC1CF98C7B8F68E
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	C:\fd9bdb2740126f640a92e39e9f91\_sfx_0008._p		binary
		MD5:998C6C3957DE8FA93801C56BDEB2022B	SHA256:E71180C118B4E22FDE90A8A0E6F57016106CDDFF0E8A8DEDD8F8905062B3DC82
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	C:\fd9bdb2740126f640a92e39e9f91\_sfx_0003._p		binary
		MD5:4DCE7E3750EBC4E47CE0B1320673F72A	SHA256:A4402A5247E521BD42AF08493D36CDE18148956934E19AF37CA2AE8AC58741EB
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	C:\fd9bdb2740126f640a92e39e9f91\_sfx_0001._p		binary
		MD5:5E375FAFC35FB08B7524442652DB61C5	SHA256:A4C59CEFD5F39650585F6AC882AADF1A45CA1C3A39C744794129A4DE2C7F7125
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	C:\fd9bdb2740126f640a92e39e9f91\_sfx_0007._p		binary
		MD5:90FE98682E2FC58CD51ACA591FD4E054	SHA256:D0A0902B4F88EF2C942FF7310A3CB53DD04E582518E8795A6CDA518DBF7A1CDB
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	C:\fd9bdb2740126f640a92e39e9f91\_sfx_0006._p		binary
		MD5:48E093B220ABEA0606CC16F09AA30913	SHA256:668C7976ADF7CEE06C0128C6792B4516CD039CADB6F131837A1E5F4D8EBDD777

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

102

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7520	alg.exe	POST	200	52.11.240.239:80	http://cvgrf.biz/q	unknown	—	—	malicious
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	POST	200	52.11.240.239:80	http://cvgrf.biz/lxwig	unknown	—	—	malicious
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	POST	302	72.52.178.23:80	http://przvgke.biz/iqsbkframvym	unknown	—	—	unknown
7520	alg.exe	POST	302	72.52.178.23:80	http://przvgke.biz/vqlyy	unknown	—	—	unknown
7520	alg.exe	POST	200	3.229.117.57:80	http://npukfztj.biz/qesynvoldp	unknown	—	—	malicious
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	GET	410	76.223.26.96:80	http://ww12.przvgke.biz/iqsbkframvym?usid=24&utid=11557816035	unknown	—	—	malicious
7520	alg.exe	GET	410	76.223.26.96:80	http://ww12.przvgke.biz/vqlyy?usid=24&utid=11557816109	unknown	—	—	malicious
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	POST	200	13.213.51.196:80	http://knjghuig.biz/jilpmqqnynqrs	unknown	—	—	malicious
7520	alg.exe	POST	200	13.213.51.196:80	http://knjghuig.biz/jilpmqqnynqrs	unknown	—	—	malicious
7520	alg.exe	POST	302	192.64.119.165:80	http://anpmnmxo.biz/hiun	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5496	MoUsoCoreWorker.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	52.11.240.239:80	pywolwnvd.biz	AMAZON-02	US	malicious
7520	alg.exe	52.11.240.239:80	pywolwnvd.biz	AMAZON-02	US	malicious
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	13.213.51.196:80	ssbzmoy.biz	AMAZON-02	SG	malicious
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
7520	alg.exe	13.213.51.196:80	ssbzmoy.biz	AMAZON-02	SG	malicious
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	3.229.117.57:80	npukfztj.biz	AMAZON-AES	US	malicious

DNS requests

Domain	IP	Reputation
google.com	172.217.18.110	whitelisted
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6 23.216.77.36	whitelisted
pywolwnvd.biz	52.11.240.239	malicious
ssbzmoy.biz	13.213.51.196	malicious
client.wns.windows.com	172.211.123.250	whitelisted
cvgrf.biz	52.11.240.239	malicious
npukfztj.biz	3.229.117.57	malicious
przvgke.biz	72.52.178.23	unknown
ww12.przvgke.biz	76.223.26.96 13.248.148.254	malicious

Threats

PID	Process	Class	Message
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
2196	svchost.exe	A Network Trojan was detected	ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
2196	svchost.exe	A Network Trojan was detected	ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
7408	WindowsXP-KB4012598-x86-Custom-ENU.exe	Misc activity	ET INFO Namecheap URL Forward
7520	alg.exe	Misc activity	ET INFO Namecheap URL Forward

Add for printing

No debug info

General Info

WindowsXP-KB4012598-x86-Custom-ENU.exe

84CF83362C4729AE0F569BD4758A7DC3

5653F917451D62672A99AB6F0B321FBFBA44CB0F

43AD467A60C0B8FEC4DED4701E11D04D8141B147A7DC5B7062ABFB1A0127C8B2

49152:NbciWUizg4NHrM55VX3/IbYqtTke/7SKzCFkmXElc5TnyhUJCbf/WR0zX2irPr6H:mxDEiQ5jXPIbY6ky7SlGm55LyekTqgXo

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

M0YV mutex has been found

Executing a file with an untrusted certificate

Request for a sinkholed resource

M0YV has been detected (YARA)

Actions looks like stealing of personal data

SUSPICIOUS

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Executes as Windows Service

Drops a system driver (possible attempt to evade defenses)

Executable content was dropped or overwritten

Application launched itself

Creates/Modifies COM task schedule object

Process requests binary or script from the Internet

Potential Corporate Privacy Violation

INFO

The sample compiled with english language support

Checks supported languages

Creates files or folders in the user directory

Reads the computer name

Reads the machine GUID from the registry

Creates files in the program directory

Reads the software policy settings

Executes as Windows Service

Checks proxy server information

Checks transactions between databases Windows and Oracle

Reads the time zone

Reads Environment values

The sample compiled with bulgarian language support

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests