| File name: | 68WAntiLagApp.exe |
| Full analysis: | https://app.any.run/tasks/c711b9d3-38b0-4ed2-a20f-880d0dd5acc8 |
| Verdict: | Malicious activity |
| Analysis date: | July 12, 2024, 13:41:07 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows |
| MD5: | 4D93355DA73959AD7FD2DE1FBFD452D3 |
| SHA1: | B02460AF636A8950A287E8DFF3975C74AA33D685 |
| SHA256: | 4C793877ABD7AD2A0A4CC0FBEB45970F2104A766EC42F82892FCD5D863BAC8AA |
| SSDEEP: | 6144:MK1EF9bw7q+eQWeQfeQI92dddddddddddddEkSOsOvZ11tcX6k:91KWVZ2dddddddddddddEazZfmKk |
MALICIOUS
Drops the executable file immediately after the start
- 68WAntiLagApp.exe (PID: 3972)
Changes the autorun value in the registry
- 68WAntiLagApp.exe (PID: 3972)
SUSPICIOUS
Checks Windows Trust Settings
- 68WAntiLagApp.exe (PID: 3972)
- 68WAntiLagApp.exe (PID: 5864)
Reads security settings of Internet Explorer
- 68WAntiLagApp.exe (PID: 3972)
- 68WAntiLagApp.exe (PID: 5864)
Reads the date of Windows installation
- 68WAntiLagApp.exe (PID: 3972)
Starts CMD.EXE for commands execution
- 68WAntiLagApp.exe (PID: 3972)
- cmd.exe (PID: 3660)
The system shut down or reboot
- 68WAntiLagApp.exe (PID: 3972)
The process executes via Task Scheduler
- PLUGScheduler.exe (PID: 3716)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 1068)
Uses powercfg.exe to modify the power settings
- cmd.exe (PID: 1120)
- cmd.exe (PID: 2064)
- cmd.exe (PID: 5912)
- cmd.exe (PID: 3660)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 1120)
Application launched itself
- cmd.exe (PID: 3660)
INFO
Creates files or folders in the user directory
- 68WAntiLagApp.exe (PID: 3972)
Reads the machine GUID from the registry
- 68WAntiLagApp.exe (PID: 3972)
- 68WAntiLagApp.exe (PID: 5864)
Reads the computer name
- 68WAntiLagApp.exe (PID: 3972)
- PLUGScheduler.exe (PID: 3716)
- 68WAntiLagApp.exe (PID: 5864)
Checks supported languages
- 68WAntiLagApp.exe (PID: 3972)
- PLUGScheduler.exe (PID: 3716)
- 68WAntiLagApp.exe (PID: 5864)
Reads the software policy settings
- 68WAntiLagApp.exe (PID: 3972)
- 68WAntiLagApp.exe (PID: 5864)
Process checks computer location settings
- 68WAntiLagApp.exe (PID: 3972)
Creates files in the program directory
- PLUGScheduler.exe (PID: 3716)
Manual execution by a user
- 68WAntiLagApp.exe (PID: 5864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2044:09:29 06:28:06+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 48 |
| CodeSize: | 496128 |
| InitializedDataSize: | 111616 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x0000 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.3.0 |
| ProductVersionNumber: | 0.0.3.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | AntiLag makes your system run as smooth as possible. |
| CompanyName: | *68Whiskey |
| FileDescription: | AntiLag |
| FileVersion: | 0.0.3.0 |
| InternalName: | 68WAntiLagApp.exe |
| LegalCopyright: | Copyright © *68Whiskey 2021 |
| LegalTrademarks: | - |
| OriginalFileName: | 68WAntiLagApp.exe |
| ProductName: | 68WAntiLagApp |
| ProductVersion: | 0.0.3.0 |
| AssemblyVersion: | 0.0.3.0 |
Total processes
307
Monitored processes
72
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 240 | powercfg /SETDCVALUEINDEX SCHEME_CURRENT SUB_PROCESSOR PROCTHROTTLEMIN 100 | C:\Windows\System32\powercfg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Power Settings Command-Line Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 368 | powercfg /SETACVALUEINDEX SCHEME_CURRENT 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 12bbebe6-58d6-4636-95bb-3217ef867c1a 0 | C:\Windows\System32\powercfg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Power Settings Command-Line Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 776 | powercfg /SETACVALUEINDEX SCHEME_CURRENT SUB_PROCESSOR CPMINCORES1 100 | C:\Windows\System32\powercfg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Power Settings Command-Line Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1068 | "C:\Windows\System32\cmd.exe" /C bcdedit /set useplatformtick yes&bcdedit /set disabledynamictick yes&bcdedit /deletevalue useplatformclock® add HKLM\SYSTEM\ControlSet001\Control\PriorityControl /t REG_DWORD /v Win32PrioritySeparation /d 42 /f® add HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers /t REG_DWORD /v HwSchMode /d 2 /f® add HKCU\Software\Microsoft\GameBar /t REG_DWORD /v AllowAutoGameMode /d 0 /f® add HKCU\Software\Microsoft\GameBar /t REG_DWORD /v AutoGameModeEnabled /d 0 /f® add HKCU\System\GameConfigStore /t REG_DWORD /v GameDVR_Enabled /d 0 /f® add HKCU\System\GameConfigStore /t REG_DWORD /v GameDVR_FSEBehaviorMode /d 2 /f® add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR /t REG_DWORD /v AppCaptureEnabled /d 0 /f® add HKLM\SOFTWARE\Microsoft\PolicyManager\default\ApplicationManagement\AllowGameDVR /t REG_DWORD /v value /d 0 /f® add HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\ApplicationManagement /t REG_DWORD /v AllowGameDVR /d 0 /f&exit | C:\Windows\System32\cmd.exe | 68WAntiLagApp.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1120 | C:\WINDOWS\system32\cmd.exe /c powercfg -list | findstr /C:"AntiLag Supreme Performance" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1200 | reg add HKLM\SYSTEM\ControlSet001\Control\PriorityControl /t REG_DWORD /v Win32PrioritySeparation /d 42 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1200 | powercfg /SETDCVALUEINDEX SCHEME_CURRENT SUB_DISK DISKIDLE 0 | C:\Windows\System32\powercfg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Power Settings Command-Line Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1204 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1220 | powercfg -duplicatescheme 381b4222-f694-41f0-9685-ff5bb260df2e | C:\Windows\System32\powercfg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Power Settings Command-Line Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1236 | reg add HKCU\System\GameConfigStore /t REG_DWORD /v GameDVR_FSEBehaviorMode /d 2 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
9 908
Read events
9 877
Write events
31
Delete events
0
Modification events
| (PID) Process: | (3972) 68WAntiLagApp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3972) 68WAntiLagApp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3972) 68WAntiLagApp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3972) 68WAntiLagApp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (1296) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{7bcdbaa8-85a9-11eb-90a8-9a9b76358421}\Elements\260000a4 |
| Operation: | write | Name: | Element |
Value: 01 | |||
| (PID) Process: | (1672) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{7bcdbaa8-85a9-11eb-90a8-9a9b76358421}\Elements\260000a5 |
| Operation: | write | Name: | Element |
Value: 01 | |||
| (PID) Process: | (1200) reg.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PriorityControl |
| Operation: | write | Name: | Win32PrioritySeparation |
Value: 42 | |||
| (PID) Process: | (1824) reg.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\GraphicsDrivers |
| Operation: | write | Name: | HwSchMode |
Value: 2 | |||
| (PID) Process: | (4020) reg.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar |
| Operation: | write | Name: | AllowAutoGameMode |
Value: 0 | |||
| (PID) Process: | (1512) reg.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar |
| Operation: | write | Name: | AutoGameModeEnabled |
Value: 0 | |||
Executable files
0
Suspicious files
12
Text files
1
Unknown types
12
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3716 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.024.etl | etl | |
MD5:868E79A00A8204448B2FFC4F4D5C08EA | SHA256:148FE324431CB4C826BCF0436147D946AC389A877732612CF40629048B8517DC | |||
| 3716 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.023.etl | etl | |
MD5:44A0E917AD0C126931B1BCD959285A9A | SHA256:DDFBE47E7DFD6D8B7517F2F6FF9808ECF3C0A25F588A9F96D04F4E2B4A578573 | |||
| 3716 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.020.etl | etl | |
MD5:5EA68411BF8E9EAF4621BAF73F61449E | SHA256:9D4CA5A1D871F819C139A498BB910A63576C2FE6367853544F8D172D8B6EBFF7 | |||
| 3972 | 68WAntiLagApp.exe | C:\Users\admin\AppData\Local\68WAntiLagApp\settings.config | xml | |
MD5:C741E80AFB1F4960AD10AAF4C2B0CED4 | SHA256:84B09B723070FCCEE860F6F1C2193FF8C0CA6F5E232752AFDD8222DEB39327B7 | |||
| 3716 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.027.etl | etl | |
MD5:673727AF7C6805E869C9F8BE1E468F4A | SHA256:6B16B7DE97F397BCEC36EB3F18C7B64CD3DB6D2974DDF319A251CE27B80D837B | |||
| 3716 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.029.etl | etl | |
MD5:FA358BFEE9B4E1FFB7394D13CBBC4898 | SHA256:6FF97BBF8A56286A4C71623829514CC14B7F8CBBCF09748D939F733968478A22 | |||
| 3716 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.019.etl | etl | |
MD5:A23907B6FDD47DCABFDFD7CF2FCD7671 | SHA256:0C9C33FE9E984A2E5A70EBA51F36B9929A86199E424AF2F8080E1267B87DC970 | |||
| 3716 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.025.etl | etl | |
MD5:2F36C598EBFF5B5CDD898C9691D6BCCB | SHA256:8900C5931ED8E0D1B68082B45CF2F4E8C1025D36825508E0804C916D781B9F50 | |||
| 3716 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.012.etl | etl | |
MD5:09359EE89B0634478ADFF73CDA7BFB12 | SHA256:4D800AC7C55960B107C9D3E40F63130407835E69DF4F5C558C500FC0BD20D8ED | |||
| 3716 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.018.etl | binary | |
MD5:FED961067F664B5381B65A534B7AB728 | SHA256:652F31A8284AE812D1D9D24192BC800976BF74C240591C6AC443A28C4709FB7C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
55
DNS requests
12
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1888 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1888 | svchost.exe | GET | — | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1776 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2140 | RUXIMICS.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1776 | MoUsoCoreWorker.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 104.126.37.139:443 | https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w | unknown | text | 21.3 Kb | unknown |
— | — | GET | 200 | 52.109.28.46:443 | https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.16026&crev=3 | unknown | xml | 170 Kb | unknown |
— | — | POST | 200 | 20.44.10.123:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | unknown |
— | — | GET | 200 | 104.126.37.129:443 | https://r.bing.com/rb/3E/ortl,cc,nc/4-xJy3tX6bM2BGl5zKioiEcQ1TU.css?bu=A4gCjAKPAg&or=w | unknown | text | 15.5 Kb | unknown |
— | — | POST | 204 | 104.126.37.139:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1888 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2140 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1776 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 104.126.37.186:443 | www.bing.com | Akamai International B.V. | DE | unknown |
— | — | 239.255.255.250:1900 | — | — | — | whitelisted |
4656 | SearchApp.exe | 104.126.37.186:443 | www.bing.com | Akamai International B.V. | DE | unknown |
1888 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
1776 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
1888 | svchost.exe | 23.218.209.163:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |
ecs.office.com |
| whitelisted |
r.bing.com |
| whitelisted |