File name: 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a

Full analysis: https://app.any.run/tasks/3f09f3e7-ffdc-4bc3-9232-663283094a94
Verdict: Malicious activity
Threats:

Stealers are a class of malicious software designed to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: December 14, 2024, 07:14:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 81F96ED06409E02C9CB7D16B294F26FC
SHA1: 1BA30CE41CCCD352999BD2A69B5CE9085EB7FF66
SHA256: 74D179070D51372491F55E960D47DD01280D4361BF1CFB3EF74636F475F2A84A
SSDEEP: 98304:ozSli5peppp5DVV0e+Lq0SG/PvpoQMdQ3RHTkNMOatXS18wLkPrkVHSYcCtve0lj:/WIeISI4Jw0dFSnZaNyQIh0c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • wmcSystem7.exe (PID: 1480)
      • wmcSystem7.exe (PID: 4628)
      • wmcSystem7.exe (PID: 2572)
      • wmcUpdater.exe (PID: 4536)
      • wmcUpdater.exe (PID: 5200)
      • wmcUpdater.exe (PID: 1704)
      • PCInfo7.exe (PID: 1864)
      • wmcUpdater.exe (PID: 4672)
      • wmcUpdater.exe (PID: 4976)
      • ScheduleTask.exe (PID: 556)
      • wmcUser7.exe (PID: 716)
    • Changes the autorun value in the registry

      • rundll32.exe (PID: 4716)
    • Registers / Runs the DLL via REGSVR32.EXE

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 2012)
      • net.exe (PID: 6012)
    • Actions looks like stealing of personal data

      • wmcSystem7.exe (PID: 1480)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 4320)
      • wmcUpdater.exe (PID: 4536)
      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • PCInfo7.exe (PID: 1864)
      • wmcSystem7.exe (PID: 1480)
    • Application launched itself

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 4320)
    • Creates a software uninstall entry

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • wmcUpdater.exe (PID: 5200)
    • The process exported the data from the registry

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
    • Executable content was dropped or overwritten

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • wmcSystem7.exe (PID: 2572)
      • rundll32.exe (PID: 4716)
    • Creates or modifies Windows services

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • wmcSystem7.exe (PID: 2572)
      • wmcSystem7.exe (PID: 1480)
      • wmcUpdater.exe (PID: 5200)
    • Likely accesses (executes) a file from the Public directory

      • reg.exe (PID: 3680)
      • wmcUpdater.exe (PID: 4536)
    • Executes as Windows Service

      • wmcSystem7.exe (PID: 1480)
      • wmcUpdater.exe (PID: 1704)
    • Creates files in the driver directory

      • wmcSystem7.exe (PID: 2572)
    • Uses RUNDLL32.EXE to load library

      • wmcSystem7.exe (PID: 2572)
    • Drops a system driver (possible attempt to evade defenses)

      • wmcSystem7.exe (PID: 2572)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 4596)
      • regsvr32.exe (PID: 396)
      • regsvr32.exe (PID: 6004)
    • Adds/modifies Windows certificates

      • certutil.exe (PID: 5252)
      • wmcSystem7.exe (PID: 1480)
    • Starts itself from another location

      • wmcUpdater.exe (PID: 4536)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
    • Connects to unusual port

      • wmcSystem7.exe (PID: 1480)
    • Starts CMD.EXE for commands execution

      • PCInfo7.exe (PID: 1864)
      • wmcSystem7.exe (PID: 1480)
    • Reads the Windows owner or organization settings

      • wmcSystem7.exe (PID: 1480)
    • Searches for installed software

      • wmcSystem7.exe (PID: 1480)
    • Gets a collection of all available drive names (SCRIPT)

      • cscript.exe (PID: 4984)
      • cscript.exe (PID: 1796)
    • Reads the date of Windows installation

      • wmcSystem7.exe (PID: 1480)
    • Accesses computer name via WMI (SCRIPT)

      • cscript.exe (PID: 4984)
      • cscript.exe (PID: 1796)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 4984)
      • cscript.exe (PID: 1796)
    • The process executes VB scripts

      • cmd.exe (PID: 3260)
      • cmd.exe (PID: 3928)
      • cmd.exe (PID: 3576)
      • cmd.exe (PID: 4804)
      • cmd.exe (PID: 1304)
      • cmd.exe (PID: 5640)
    • Gets the drive type (SCRIPT)

      • cscript.exe (PID: 4984)
      • cscript.exe (PID: 1796)
    • Checks Windows Trust Settings

      • wmcSystem7.exe (PID: 1480)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • cscript.exe (PID: 4984)
      • cscript.exe (PID: 1796)
    • Executes application which crashes

      • cscript.exe (PID: 4984)
      • cscript.exe (PID: 1796)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 1348)
      • WerFault.exe (PID: 6032)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 4984)
      • cscript.exe (PID: 1796)
  • INFO

    • Creates files in the program directory

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • wmcSystem7.exe (PID: 2572)
      • wmcSystem7.exe (PID: 1480)
    • The process uses the downloaded file

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 4320)
      • runonce.exe (PID: 4400)
      • wmcUpdater.exe (PID: 4536)
      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • PCInfo7.exe (PID: 1864)
    • The sample compiled with chinese language support

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 4320)
    • Process checks computer location settings

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 4320)
      • wmcUpdater.exe (PID: 4536)
      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • PCInfo7.exe (PID: 1864)
      • wmcSystem7.exe (PID: 1480)
    • Reads the computer name

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 4320)
      • wmcSystem7.exe (PID: 4628)
      • wmcSystem7.exe (PID: 2572)
      • wmcSystem7.exe (PID: 1480)
      • wmcUpdater.exe (PID: 4536)
      • wmcUpdater.exe (PID: 5200)
      • wmcUpdater.exe (PID: 1704)
      • ScheduleTask.exe (PID: 556)
      • PCInfo7.exe (PID: 1864)
      • wmcUpdater.exe (PID: 4976)
      • wmcUpdater.exe (PID: 4672)
    • Checks supported languages

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 4320)
      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • wmcSystem7.exe (PID: 4628)
      • wmcSystem7.exe (PID: 2572)
      • wmcSystem7.exe (PID: 1480)
      • wmcUpdater.exe (PID: 4536)
      • wmcUpdater.exe (PID: 5200)
      • wmcUpdater.exe (PID: 1704)
      • ScheduleTask.exe (PID: 556)
      • PCInfo7.exe (PID: 1864)
      • wmcUpdater.exe (PID: 4976)
      • wmcUpdater.exe (PID: 4672)
      • wmcUser7.exe (PID: 716)
    • The sample compiled with german language support

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
    • Sends debugging messages

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 4320)
      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • wmcUpdater.exe (PID: 4536)
      • wmcUpdater.exe (PID: 5200)
      • wmcUpdater.exe (PID: 1704)
      • ScheduleTask.exe (PID: 556)
      • wmcUpdater.exe (PID: 4976)
      • wmcUpdater.exe (PID: 4672)
      • PCInfo7.exe (PID: 1864)
    • The sample compiled with english language support

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • wmcSystem7.exe (PID: 2572)
      • rundll32.exe (PID: 4716)
    • Reads the machine GUID from the registry

      • wmcSystem7.exe (PID: 2572)
      • wmcSystem7.exe (PID: 4628)
      • wmcSystem7.exe (PID: 1480)
      • wmcUser7.exe (PID: 716)
    • Create files in a temporary directory

      • reg.exe (PID: 3680)
      • PCInfo7.exe (PID: 1864)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 4400)
    • Reads the time zone

      • runonce.exe (PID: 4400)
    • Reads Environment values

      • wmcSystem7.exe (PID: 1480)
    • Reads Microsoft Office registry keys

      • wmcSystem7.exe (PID: 1480)
    • Reads the software policy settings

      • wmcSystem7.exe (PID: 1480)
      • cscript.exe (PID: 4984)
      • WerFault.exe (PID: 1348)
      • cscript.exe (PID: 1796)
      • WerFault.exe (PID: 6032)
    • Reads product name

      • wmcSystem7.exe (PID: 1480)
    • Reads Windows Product ID

      • wmcSystem7.exe (PID: 1480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

ProductVersion: 24.3.18.0
ProductName: SMR應用程式
LegalCopyright: Copyright (C) 2020 Sun & Moon Rise Co., Ltd.
InternalName: SMR
FileVersion: 24.3.18.0
FileDescription: SMR應用程式
CompanyName: Sun & Moon Rise
CharacterSet: Unicode
LanguageCode: Chinese (Traditional)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 24.3.18.0
FileVersionNumber: 24.3.18.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x24278
UninitializedDataSize: -
InitializedDataSize: 120832
CodeSize: 212480
LinkerVersion: 10
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2024:03:18 09:30:40+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 186
Monitored processes: 55
Malicious processes: 12
Suspicious processes: 9

Behavior graph

Processes shown in the behavior graph, in the order the graph lists them (the graph's "no specs" label is kept in parentheses): start, 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe, 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe, reg.exe (no specs), conhost.exe (no specs), wmcsystem7.exe, wmcsystem7.exe (no specs), wmcsystem7.exe, rundll32.exe, regsvr32.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), runonce.exe (no specs), certutil.exe (no specs), conhost.exe (no specs), grpconv.exe (no specs), wmcupdater.exe, conhost.exe (no specs), wmcupdater.exe, conhost.exe (no specs), wmcupdater.exe, netsh.exe (no specs), conhost.exe (no specs), regsvr32.exe (no specs), scheduletask.exe, pcinfo7.exe, wmcupdater.exe, conhost.exe (no specs), wmcupdater.exe, conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), net.exe (no specs), net1.exe (no specs), wmcuser7.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cscript.exe, werfault.exe, cmd.exe (no specs), conhost.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cscript.exe, werfault.exe, cmd.exe (no specs), conhost.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cscript.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 4320
CMD: "C:\Users\admin\Desktop\74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe"
Path: C:\Users\admin\Desktop\74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Parent process: explorer.exe
User:
admin
Company:
Sun & Moon Rise
Integrity Level:
MEDIUM
Description:
SMR應用程式
Exit code:
1
Version:
24.3.18.0
Modules
Images
c:\users\admin\desktop\74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1580
CMD: "C:\Users\admin\Desktop\74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe"
Path: C:\Users\admin\Desktop\74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Parent process: 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
User:
admin
Company:
Sun & Moon Rise
Integrity Level:
HIGH
Description:
SMR應用程式
Exit code:
1
Version:
24.3.18.0
Modules
Images
c:\users\admin\desktop\74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 3680
CMD: C:\WINDOWS\system32\reg.exe export HKLM\SYSTEM\CurrentControlSet\Services\Win-Win7 "C:\Users\Public\SMR7\Debug\WinWin7.RegDebug.log"
Path: C:\Windows\SysWOW64\reg.exe
Parent process: 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3260
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2572
CMD: "C:\Program Files\WW2017CF\wmcSystem7.exe" -di
Path: C:\Program Files\WW2017CF\wmcSystem7.exe
Parent process: 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
User:
admin
Company:
TODO: <公司名稱>
Integrity Level:
HIGH
Description:
wmcSystem7
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\program files\ww2017cf\wmcsystem7.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 4628
CMD: "C:\Program Files\WW2017CF\wmcSystem7.exe" -ai
Path: C:\Program Files\WW2017CF\wmcSystem7.exe
Parent process: 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
User:
admin
Company:
TODO: <公司名稱>
Integrity Level:
HIGH
Description:
wmcSystem7
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\program files\ww2017cf\wmcsystem7.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1480
CMD: "C:\Program Files\WW2017CF\wmcSystem7.exe"
Path: C:\Program Files\WW2017CF\wmcSystem7.exe
Parent process: services.exe
User:
SYSTEM
Company:
TODO: <公司名稱>
Integrity Level:
SYSTEM
Description:
wmcSystem7
Version:
1.0.0.1
Modules
Images
c:\program files\ww2017cf\wmcsystem7.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4716
CMD: C:\WINDOWS\system32\rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\WINDOWS\System32\drivers\WM7F.inf
Path: C:\Windows\System32\rundll32.exe
Parent process: wmcSystem7.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
PID: 4264
CMD: /i /s "C:\Program Files\WW2017CF\XceedCry.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: wmcSystem7.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 624
CMD: /i /s "C:\Program Files\WW2017CF\FoxSDKU32w.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: wmcSystem7.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events: 41 174
Read events: 40 974
Write events: 153
Delete events: 47

Modification events

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win-Win7
Operation: delete key
Name: (default)
Value:

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win-Win
Operation: write
Name: TestValue
Value: 0

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win-Win
Operation: delete value
Name: TestValue
Value:

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win-Win
Operation: delete key
Name: (default)
Value:

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win-Win7
Operation: write
Name: License
Value: 180270007700003001900006400360000140337220455

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win-Win7
Operation: write
Name: Version
Value: 7.24.0415

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win-Win7
Operation: write
Name: SerialNumber
Value: 5501-1CTC-89MS

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win-Win7
Operation: write
Name: ConsolePublicKey
Value: 0602000000A40000525341310004000001000100B9CE27FF1CFF9D975F9CE473885E10EBA0F663CBA8036B08E839526191F52598F0F3ACA4A968D80FE9285D3D3DF5C37C53CDA654B49EBBB45C5E10CCA621556B11ACF2B0BEB00C7D99929A6356A19B02FD074524017575F0698022472EDB6CCC258E6E3D6FD142DC5C65AC80D4EB8BDFC19EE7064808F4B50D72B6E95B354DD2

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win-Win7
Operation: write
Name: SignedPublicKey
Value:
(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win-Win7
Operation: write
Name: ConsoleIdentify
Value: 236BCD63B7E7FFE5D6C0575F8D769776B6621CFFD3A129EDA83AC16E79FE620C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 23
Suspicious files: 30
Text files: 19
Unknown types: 1

Dropped files

PID
Process
Filename
Type
PID: 1580 | Process: 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | Filename: C:\Users\Public\SMR7\WM7ClientPackage.cab
MD5:
SHA256:
PID: 1580 | Process: 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | Filename: C:\Users\Public\SMR7\WM7installTemp\BrowserRecordClient.exe
MD5:
SHA256:
PID: 1580 | Process: 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | Filename: C:\Users\Public\SMR7\WM7installTemp\GCBClient.exe
MD5:
SHA256:
PID: 1580 | Process: 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | Filename: C:\Users\Public\SMR7\WM7installTemp\LogClient.exe
MD5:
SHA256:
PID: 1580 | Process: 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | Filename: C:\Users\Public\SMR7\WM7installTemp\PCInfo7.exe
MD5:
SHA256:
PID: 1580 | Process: 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | Filename: C:\Users\Public\SMR7\WM7installTemp\Version.dat
MD5:
SHA256:
PID: 1580 | Process: 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | Filename: C:\Users\Public\SMR7\WM7installTemp\wmcDataBurner7.exe
MD5:
SHA256:
PID: 1580 | Process: 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | Filename: C:\Users\Public\SMR7\WM7installTemp\wmcEncryption7.exe
MD5:
SHA256:
PID: 1580 | Process: 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | Filename: C:\Users\Public\SMR7\WM7installTemp\wmcEnterprise.dat
MD5:
SHA256:
PID: 1580 | Process: 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | Filename: C:\Users\Public\SMR7\WM7installTemp\wmcFTSlave7.exe
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 25
DNS requests: 11
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns carry no values in this extract)
1480 | wmcSystem7.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEA%2B4p0C5FY0DUUO8WdnwQCk%3D | unknown | whitelisted
2164 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
440 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1480 | wmcSystem7.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSE67Nbq3jfQQg8yXEpbmqLTNn7XwQUm1%2BwNrqdBq4ZJ73AoCLAi4s4d%2B0CEAfnW6G84YhaqAP3Lhp3OtY%3D | unknown | whitelisted
4984 | cscript.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl | unknown | whitelisted
440 | svchost.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2164 | RUXIMICS.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4984 | cscript.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation (fields left empty are empty in this extract)
2164 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
440 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 2.19.96.112:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
| | 192.168.100.255:138 | | | | whitelisted
440 | svchost.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
2164 | RUXIMICS.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
440 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2164 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.19.96.112
  • 2.19.96.113
  • 2.19.96.106
  • 2.19.96.107
  • 2.19.96.122
  • 2.19.96.96
  • 2.19.96.114
  • 2.19.96.104
  • 2.19.96.97
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
watson.events.data.microsoft.com
  • 20.189.173.22
  • 20.42.73.29
whitelisted
self.events.data.microsoft.com
  • 52.182.143.214
whitelisted

Threats

No threats detected
Process | Message
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | [EmbedModule] ??????:11826757 byte
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | QlnrodWhvodMdphv
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | QlnrodWhvodMdphv
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | [EmbedModule] Get PatternIndex??:334336 byte ????:0x026D3020
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | [EmbedModule] ???????:11826757 byte
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | [EmbedModule] Client.cab [11508184] [1723617132] [11489373] [0]
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | [ManualUpdate] Read Install Dat(2)
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | [EmbedModule] UnZipFileMeta [4090] [1724999651] [1417] [11489373]
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | [EmbedModule] [334336] [0x026D3020]
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | Elevate Run: C:\Users\admin\Desktop\74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe