Malware analysis Scooby launcher.exe Malicious activity

Add for printing

File name:	Scooby launcher.exe
Full analysis:	https://app.any.run/tasks/f9c97862-505d-4b62-be72-d31b104d7397
Verdict:	Malicious activity
Analysis date:	December 13, 2025, 15:23:56
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	themida
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 12 sections
MD5:	BC87C56157F338381B734742980E1292
SHA1:	057CADD428AEE51ADF391A7F80D2425FF7FCEBAF
SHA256:	48E171B71EAD1599D56B0EBF85CBE88BA1268FFE4E7AF89AE6F53BFED693FBBD
SSDEEP:	98304:gsqr22qgbFw9T08f6xvmLNVHMBvQdk52f/l+2jwLPHm3OAkLywifAKx+t59morhn:HpEfQQqTUB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Scooby launcher.exe (PID: 7532)
  - Scooby launcher.exe (PID: 7728)
- Reads the date of Windows installation
  - Scooby launcher.exe (PID: 7532)
  - Scooby launcher.exe (PID: 7728)
- Application launched itself
  - Scooby launcher.exe (PID: 7532)
- Reads the BIOS version
  - Scooby launcher.exe (PID: 7728)
  - Scooby launcher.exe (PID: 7532)
- Starts SC.EXE for service management
  - cmd.exe (PID: 7360)
- Starts CMD.EXE for commands execution
  - Scooby launcher.exe (PID: 7728)
- Windows service management via SC.EXE
  - sc.exe (PID: 6900)
INFO
- Checks supported languages
  - Scooby launcher.exe (PID: 7532)
  - Scooby launcher.exe (PID: 7728)
- Process checks computer location settings
  - Scooby launcher.exe (PID: 7532)
  - Scooby launcher.exe (PID: 7728)
- Reads the computer name
  - Scooby launcher.exe (PID: 7532)
  - Scooby launcher.exe (PID: 7728)
- Process checks whether UAC notifications are on
  - Scooby launcher.exe (PID: 7728)
- Creates files or folders in the user directory
  - Scooby launcher.exe (PID: 7728)
- Checks proxy server information
  - Scooby launcher.exe (PID: 7728)
- Reads the machine GUID from the registry
  - Scooby launcher.exe (PID: 7728)
- Gets the hash of the file via CERTUTIL.EXE
  - certutil.exe (PID: 7884)
- Create files in a temporary directory
  - Scooby launcher.exe (PID: 7728)
- Themida protector has been detected
  - Scooby launcher.exe (PID: 7728)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2025:12:07 17:18:58+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.44
CodeSize:	1040384
InitializedDataSize:	1576448
UninitializedDataSize:	-
EntryPoint:	0x8620b0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

148

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2292

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

6900

sc delete BEService

C:\Windows\System32\sc.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

1060

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

7272

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

7360

"C:\Windows\System32\cmd.exe" /c sc delete BEService

C:\Windows\System32\cmd.exe

—

Scooby launcher.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

1060

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

7408

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

7532

"C:\Users\admin\AppData\Local\Temp\Scooby launcher.exe"

C:\Users\admin\AppData\Local\Temp\Scooby launcher.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

4294967295

Modules

Images
c:\users\admin\appdata\local\temp\scooby launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\d3d11.dll

7728

"C:\Users\admin\AppData\Local\Temp\Scooby launcher.exe"

C:\Users\admin\AppData\Local\Temp\Scooby launcher.exe

Scooby launcher.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\scooby launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\gdi32full.dll

7824

C:\WINDOWS\system32\cmd.exe /c certutil -hashfile "C:\Users\admin\AppData\Local\Temp\Scooby launcher.exe" MD5

C:\Windows\System32\cmd.exe

—

Scooby launcher.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

7832

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

7884

certutil -hashfile "C:\Users\admin\AppData\Local\Temp\Scooby launcher.exe" MD5

C:\Windows\System32\certutil.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

CertUtil.exe

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

1 750

Read events

1 744

Write events

Delete events

Modification events


(PID) Process:	(7728) Scooby launcher.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7728) Scooby launcher.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7728) Scooby launcher.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7884) certutil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7
Operation:	write	Name:	Name
Value: szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION
(PID) Process:	(7884) certutil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7
Operation:	write	Name:	Name
Value: szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION
(PID) Process:	(7884) certutil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7
Operation:	write	Name:	Name
Value: szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7728	Scooby launcher.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84E9C41C2BA57C13343EE3A180E06388		binary
		MD5:71C1149E279CCC94D67475A7168C505F	SHA256:F3EAF78B5FBBD9F1439475F4C91D16709D0532158F55E6EBF3F691EE4727DFC1
7728	Scooby launcher.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\fonAwsm[1].ttf		binary
		MD5:45DF513B56B07E3A644A2FA362FD078B	SHA256:D247DD2E4FB1D4B48C8B9AF075037227F5441238E20320E0F222C093A107611C
7728	Scooby launcher.exe	C:\scooby\launcher\settings.json		binary
		MD5:B93B64F49C124DC4A0E3D05E765F8124	SHA256:66BFBC02560138BFB39FEC4374BADD745FA847F7E759C60DA3B460C910AE393B
7728	Scooby launcher.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84E9C41C2BA57C13343EE3A180E06388		binary
		MD5:5C5C9A2C198F75808611D92EB169E067	SHA256:5D317FCB7B61C63FAAD752B7AE8A0DCF2248A8A6756F050A6BB7173588F3360B
7728	Scooby launcher.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751		binary
		MD5:7F924EAEA21BB91214FF7B4525F3BD29	SHA256:E718475014C8F51A8F2746FBE90A7BFF516B65BEF36EE6340A5FC746BC5DFC32
7728	Scooby launcher.exe	C:\Users\admin\AppData\Local\Temp\imgui.ini		text
		MD5:9958E00437FA026DCC7E29E3E5F85BA4	SHA256:752F06DE73D490333C0FA181CC41FA28B897EDCA1FDC7AB3E9B786104F7B0984
7728	Scooby launcher.exe	C:\scooby\launcher\fonAwsm.ttf		binary
		MD5:45DF513B56B07E3A644A2FA362FD078B	SHA256:D247DD2E4FB1D4B48C8B9AF075037227F5441238E20320E0F222C093A107611C
7728	Scooby launcher.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\fonAwsm[1].htm		html
		MD5:4F8E702CC244EC5D4DE32740C0ECBD97	SHA256:9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6768	MoUsoCoreWorker.exe	GET	304	40.127.240.158:443	https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop	US	—	—	whitelisted
6768	MoUsoCoreWorker.exe	GET	304	40.127.240.158:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted
7728	Scooby launcher.exe	GET	200	104.18.21.213:80	http://r12.c.lencr.org/50.crl	US	binary	229 Kb	whitelisted
7728	Scooby launcher.exe	POST	200	104.26.0.5:443	https://keyauth.win/api/1.3/	US	binary	452 b	whitelisted
4708	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
2432	SIHClient.exe	GET	200	20.3.187.198:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	US	—	—	whitelisted
4708	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
2432	SIHClient.exe	GET	200	135.233.95.144:443	https://slscr.update.microsoft.com/sls/ping	US	—	—	whitelisted
2432	SIHClient.exe	GET	304	135.233.95.144:443	https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
2308	svchost.exe	POST	200	40.126.32.138:443	https://login.live.com/RST2.srf	US	xml	11.1 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
4708	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
872	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
7728	Scooby launcher.exe	185.199.110.153:80	whatwhatboy.com	FASTLY	US	whitelisted
7728	Scooby launcher.exe	185.199.110.153:443	whatwhatboy.com	FASTLY	US	whitelisted
7728	Scooby launcher.exe	104.18.21.213:80	r12.c.lencr.org	CLOUDFLARENET	US	whitelisted
7728	Scooby launcher.exe	104.26.0.5:443	keyauth.win	CLOUDFLARENET	US	malicious
4708	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
google.com	142.251.208.14	whitelisted
whatwhatboy.com	185.199.110.153 185.199.111.153 185.199.108.153 185.199.109.153	unknown
r12.c.lencr.org	104.18.21.213 104.18.20.213	whitelisted
keyauth.win	104.26.0.5 104.26.1.5 172.67.72.57	malicious
crl.microsoft.com	23.216.77.28 23.216.77.6	whitelisted
www.microsoft.com	23.52.181.212	whitelisted
login.live.com	40.126.32.138 40.126.32.74 20.190.160.22 40.126.32.140 20.190.160.4 40.126.32.72 20.190.160.20 20.190.160.3	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted

Threats

PID	Process	Class	Message
7728	Scooby launcher.exe	Misc activity	ET INFO Observed UA-CPU Header
2292	svchost.exe	Potentially Bad Traffic	ET INFO KeyAuth Open-source Authentication System Domain in DNS Lookup (keyauth .win)
7728	Scooby launcher.exe	Potentially Bad Traffic	ET INFO KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

Add for printing

No debug info

General Info

Scooby launcher.exe

BC87C56157F338381B734742980E1292

057CADD428AEE51ADF391A7F80D2425FF7FCEBAF

48E171B71EAD1599D56B0EBF85CBE88BA1268FFE4E7AF89AE6F53BFED693FBBD

98304:gsqr22qgbFw9T08f6xvmLNVHMBvQdk52f/l+2jwLPHm3OAkLywifAKx+t59morhn:HpEfQQqTUB

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Application launched itself

Reads the BIOS version

Starts SC.EXE for service management

Starts CMD.EXE for commands execution

Windows service management via SC.EXE

INFO

Checks supported languages

Process checks computer location settings

Reads the computer name

Process checks whether UAC notifications are on

Creates files or folders in the user directory

Checks proxy server information

Reads the machine GUID from the registry

Gets the hash of the file via CERTUTIL.EXE

Create files in a temporary directory

Themida protector has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings