File name:

74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a

Full analysis: https://app.any.run/tasks/3f09f3e7-ffdc-4bc3-9232-663283094a94
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: December 14, 2024, 07:14:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

81F96ED06409E02C9CB7D16B294F26FC

SHA1:

1BA30CE41CCCD352999BD2A69B5CE9085EB7FF66

SHA256:

74D179070D51372491F55E960D47DD01280D4361BF1CFB3EF74636F475F2A84A

SSDEEP:

98304:ozSli5peppp5DVV0e+Lq0SG/PvpoQMdQ3RHTkNMOatXS18wLkPrkVHSYcCtve0lj:/WIeISI4Jw0dFSnZaNyQIh0c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • wmcSystem7.exe (PID: 4628)
      • wmcSystem7.exe (PID: 1480)
      • wmcUpdater.exe (PID: 4536)
      • wmcUpdater.exe (PID: 5200)
      • wmcUpdater.exe (PID: 1704)
      • ScheduleTask.exe (PID: 556)
      • PCInfo7.exe (PID: 1864)
      • wmcUpdater.exe (PID: 4976)
      • wmcUpdater.exe (PID: 4672)
      • wmcSystem7.exe (PID: 2572)
      • wmcUser7.exe (PID: 716)
    • Changes the autorun value in the registry

      • rundll32.exe (PID: 4716)
    • Registers / Runs the DLL via REGSVR32.EXE

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 2012)
      • net.exe (PID: 6012)
    • Actions looks like stealing of personal data

      • wmcSystem7.exe (PID: 1480)
  • SUSPICIOUS

    • Application launched itself

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 4320)
    • Reads security settings of Internet Explorer

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 4320)
      • wmcUpdater.exe (PID: 4536)
      • PCInfo7.exe (PID: 1864)
      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • wmcSystem7.exe (PID: 1480)
    • The process exported the data from the registry

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
    • Likely accesses (executes) a file from the Public directory

      • reg.exe (PID: 3680)
      • wmcUpdater.exe (PID: 4536)
    • Executes as Windows Service

      • wmcSystem7.exe (PID: 1480)
      • wmcUpdater.exe (PID: 1704)
    • Executable content was dropped or overwritten

      • wmcSystem7.exe (PID: 2572)
      • rundll32.exe (PID: 4716)
      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
    • Creates files in the driver directory

      • wmcSystem7.exe (PID: 2572)
    • Adds/modifies Windows certificates

      • certutil.exe (PID: 5252)
      • wmcSystem7.exe (PID: 1480)
    • Uses RUNDLL32.EXE to load library

      • wmcSystem7.exe (PID: 2572)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 4596)
      • regsvr32.exe (PID: 396)
      • regsvr32.exe (PID: 6004)
    • Creates or modifies Windows services

      • wmcSystem7.exe (PID: 1480)
      • wmcSystem7.exe (PID: 2572)
      • wmcUpdater.exe (PID: 5200)
      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
    • Drops a system driver (possible attempt to evade defenses)

      • wmcSystem7.exe (PID: 2572)
    • Starts itself from another location

      • wmcUpdater.exe (PID: 4536)
    • Creates a software uninstall entry

      • wmcUpdater.exe (PID: 5200)
      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
    • Connects to unusual port

      • wmcSystem7.exe (PID: 1480)
    • Starts CMD.EXE for commands execution

      • PCInfo7.exe (PID: 1864)
      • wmcSystem7.exe (PID: 1480)
    • Reads the date of Windows installation

      • wmcSystem7.exe (PID: 1480)
    • Reads the Windows owner or organization settings

      • wmcSystem7.exe (PID: 1480)
    • Searches for installed software

      • wmcSystem7.exe (PID: 1480)
    • Checks Windows Trust Settings

      • wmcSystem7.exe (PID: 1480)
    • The process executes VB scripts

      • cmd.exe (PID: 3260)
      • cmd.exe (PID: 3928)
      • cmd.exe (PID: 3576)
      • cmd.exe (PID: 4804)
      • cmd.exe (PID: 5640)
      • cmd.exe (PID: 1304)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 4984)
      • cscript.exe (PID: 1796)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • cscript.exe (PID: 4984)
      • cscript.exe (PID: 1796)
    • Executes application which crashes

      • cscript.exe (PID: 4984)
      • cscript.exe (PID: 1796)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 1348)
      • WerFault.exe (PID: 6032)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 1796)
      • cscript.exe (PID: 4984)
    • Gets a collection of all available drive names (SCRIPT)

      • cscript.exe (PID: 4984)
      • cscript.exe (PID: 1796)
    • Gets the drive type (SCRIPT)

      • cscript.exe (PID: 4984)
      • cscript.exe (PID: 1796)
    • Accesses computer name via WMI (SCRIPT)

      • cscript.exe (PID: 4984)
      • cscript.exe (PID: 1796)
  • INFO

    • Checks supported languages

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 4320)
      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • wmcSystem7.exe (PID: 4628)
      • wmcSystem7.exe (PID: 2572)
      • wmcSystem7.exe (PID: 1480)
      • wmcUpdater.exe (PID: 4536)
      • wmcUpdater.exe (PID: 1704)
      • wmcUpdater.exe (PID: 5200)
      • ScheduleTask.exe (PID: 556)
      • PCInfo7.exe (PID: 1864)
      • wmcUpdater.exe (PID: 4976)
      • wmcUpdater.exe (PID: 4672)
      • wmcUser7.exe (PID: 716)
    • Reads the computer name

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 4320)
      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • wmcSystem7.exe (PID: 2572)
      • wmcSystem7.exe (PID: 4628)
      • wmcSystem7.exe (PID: 1480)
      • wmcUpdater.exe (PID: 4536)
      • wmcUpdater.exe (PID: 1704)
      • wmcUpdater.exe (PID: 5200)
      • ScheduleTask.exe (PID: 556)
      • PCInfo7.exe (PID: 1864)
      • wmcUpdater.exe (PID: 4672)
      • wmcUpdater.exe (PID: 4976)
    • The process uses the downloaded file

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 4320)
      • runonce.exe (PID: 4400)
      • wmcUpdater.exe (PID: 4536)
      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • PCInfo7.exe (PID: 1864)
    • Process checks computer location settings

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 4320)
      • wmcUpdater.exe (PID: 4536)
      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • PCInfo7.exe (PID: 1864)
      • wmcSystem7.exe (PID: 1480)
    • Sends debugging messages

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 4320)
      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • wmcUpdater.exe (PID: 5200)
      • wmcUpdater.exe (PID: 4536)
      • wmcUpdater.exe (PID: 1704)
      • ScheduleTask.exe (PID: 556)
      • wmcUpdater.exe (PID: 4976)
      • PCInfo7.exe (PID: 1864)
      • wmcUpdater.exe (PID: 4672)
    • The sample compiled with chinese language support

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 4320)
    • The sample compiled with german language support

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
    • Creates files in the program directory

      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
      • wmcSystem7.exe (PID: 2572)
      • wmcSystem7.exe (PID: 1480)
    • Reads the machine GUID from the registry

      • wmcSystem7.exe (PID: 4628)
      • wmcSystem7.exe (PID: 2572)
      • wmcSystem7.exe (PID: 1480)
      • wmcUser7.exe (PID: 716)
    • Create files in a temporary directory

      • reg.exe (PID: 3680)
      • PCInfo7.exe (PID: 1864)
    • The sample compiled with english language support

      • wmcSystem7.exe (PID: 2572)
      • rundll32.exe (PID: 4716)
      • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe (PID: 1580)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 4400)
    • Reads the time zone

      • runonce.exe (PID: 4400)
    • Reads Windows Product ID

      • wmcSystem7.exe (PID: 1480)
    • Reads Environment values

      • wmcSystem7.exe (PID: 1480)
    • Reads product name

      • wmcSystem7.exe (PID: 1480)
    • Reads the software policy settings

      • wmcSystem7.exe (PID: 1480)
      • WerFault.exe (PID: 1348)
      • cscript.exe (PID: 1796)
      • cscript.exe (PID: 4984)
      • WerFault.exe (PID: 6032)
    • Reads Microsoft Office registry keys

      • wmcSystem7.exe (PID: 1480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:18 09:30:40+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 212480
InitializedDataSize: 120832
UninitializedDataSize: -
EntryPoint: 0x24278
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 24.3.18.0
ProductVersionNumber: 24.3.18.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Traditional)
CharacterSet: Unicode
CompanyName: Sun & Moon Rise
FileDescription: SMR應用程式
FileVersion: 24.3.18.0
InternalName: SMR
LegalCopyright: Copyright (C) 2020 Sun & Moon Rise Co., Ltd.
ProductName: SMR應用程式
ProductVersion: 24.3.18.0
All screenshots are available in the full report
Total processes: 186
Monitored processes: 55
Malicious processes: 12
Suspicious processes: 9

Behavior graph

Process launch order (processes marked "no specs" carry no notable indicators):

  • start
  • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
  • 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
  • reg.exe (no specs)
  • conhost.exe (no specs)
  • wmcsystem7.exe
  • wmcsystem7.exe (no specs)
  • wmcsystem7.exe
  • rundll32.exe
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • runonce.exe (no specs)
  • certutil.exe (no specs)
  • conhost.exe (no specs)
  • grpconv.exe (no specs)
  • wmcupdater.exe
  • conhost.exe (no specs)
  • wmcupdater.exe
  • conhost.exe (no specs)
  • wmcupdater.exe
  • netsh.exe (no specs)
  • conhost.exe (no specs)
  • regsvr32.exe (no specs)
  • scheduletask.exe
  • pcinfo7.exe
  • wmcupdater.exe
  • conhost.exe (no specs)
  • wmcupdater.exe
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • net.exe (no specs)
  • net1.exe (no specs)
  • wmcuser7.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cscript.exe
  • werfault.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cscript.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cscript.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cscript.exe
  • werfault.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cscript.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cscript.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process

PID: 396
CMD: /s "C:\Program Files\WW2017CF\FoxSDKU32w.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: regsvr32.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 556
CMD: "C:\Program Files\WW2017CF\ScheduleTask.exe" -SetSchedule
Path: C:\Program Files\WW2017CF\ScheduleTask.exe
Parent process: 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.2.0.0
Modules
Images
c:\program files\ww2017cf\scheduletask.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 556
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 624
CMD: /i /s "C:\Program Files\WW2017CF\FoxSDKU32w.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: wmcSystem7.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 716
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: wmcUpdater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 716
CMD: "C:\Program Files\WW2017CF\wmcUser7.exe" -asset
Path: C:\Program Files\WW2017CF\wmcUser7.exe
Parent process: PCInfo7.exe
User:
admin
Company:
TODO: <公司名稱>
Integrity Level:
HIGH
Description:
wmcUser7
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\program files\ww2017cf\wmcuser7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1224
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1304
CMD: /c C:\Windows\System32\cscript.exe "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Path: C:\Windows\System32\cmd.exe
Parent process: wmcSystem7.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1348
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 4984 -s 1392
Path: C:\Windows\System32\WerFault.exe
Parent process: cscript.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
PID: 1448
CMD: "C:\Windows\System32\grpconv.exe" -o
Path: C:\Windows\System32\grpconv.exe
Parent process: runonce.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Progman Group Converter
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 41 174
Read events: 40 974
Write events: 153
Delete events: 47

Modification events

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win-Win7
Operation: delete key
Name: (default)
Value: -

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WiNet Client7
Operation: write
Name: Winet
Value: WiNet Client7

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WiNet Client7
Operation: write
Name: DisplayVersion
Value: 7.24.0415

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WiNet Client7
Operation: write
Name: UninstallString
Value: C:\Windows\explorer.exe

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\WinNetDaily
Operation: write
Name: EventMessageFile
Value: %SystemRoot%\System32\WinNetDaily.dll

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\WinNetDaily
Operation: write
Name: CategoryMessageFile
Value: %SystemRoot%\System32\WinNetDaily.dll

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\WinNetDaily
Operation: write
Name: TypesSupported
Value: 7

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\WinNetDaily
Operation: write
Name: CategoryCount
Value: 1

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win-Win
Operation: write
Name: TestValue
Value: 0

(PID) Process: (1580) 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win-Win
Operation: delete value
Name: TestValue
Value: -
Executable files: 23
Suspicious files: 30
Text files: 19
Unknown types: 1

Dropped files

PID | Process | Filename | Type
1580 | 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | C:\Users\Public\SMR7\WM7ClientPackage.cab | -
1580 | 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | C:\Users\Public\SMR7\WM7installTemp\BrowserRecordClient.exe | -
1580 | 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | C:\Users\Public\SMR7\WM7installTemp\GCBClient.exe | -
1580 | 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | C:\Users\Public\SMR7\WM7installTemp\LogClient.exe | -
1580 | 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | C:\Users\Public\SMR7\WM7installTemp\PCInfo7.exe | -
1580 | 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | C:\Users\Public\SMR7\WM7installTemp\Version.dat | -
1580 | 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | C:\Users\Public\SMR7\WM7installTemp\wmcDataBurner7.exe | -
1580 | 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | C:\Users\Public\SMR7\WM7installTemp\wmcEncryption7.exe | -
1580 | 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | C:\Users\Public\SMR7\WM7installTemp\wmcEnterprise.dat | -
1580 | 74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | C:\Users\Public\SMR7\WM7installTemp\wmcFTSlave7.exe | -
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 25
DNS requests: 11
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
2164 | RUXIMICS.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
440 | svchost.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
440 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2164 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1480 | wmcSystem7.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEA%2B4p0C5FY0DUUO8WdnwQCk%3D | unknown | whitelisted
1480 | wmcSystem7.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSE67Nbq3jfQQg8yXEpbmqLTNn7XwQUm1%2BwNrqdBq4ZJ73AoCLAi4s4d%2B0CEAfnW6G84YhaqAP3Lhp3OtY%3D | unknown | whitelisted
4984 | cscript.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
4984 | cscript.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2164 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
440 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.19.96.112:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
440 | svchost.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
2164 | RUXIMICS.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
440 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2164 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.19.96.112
  • 2.19.96.113
  • 2.19.96.106
  • 2.19.96.107
  • 2.19.96.122
  • 2.19.96.96
  • 2.19.96.114
  • 2.19.96.104
  • 2.19.96.97
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
watson.events.data.microsoft.com
  • 20.189.173.22
  • 20.42.73.29
whitelisted
self.events.data.microsoft.com
  • 52.182.143.214
whitelisted

Threats

No threats detected
Process | Message
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | [EmbedModule] ??????:11826757 byte
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | QlnrodWhvodMdphv
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | [EmbedModule] Client.cab [11508184] [1723617132] [11489373] [0]
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | QlnrodWhvodMdphv
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | [EmbedModule] Get PatternIndex??:334336 byte ????:0x026D3020
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | [EmbedModule] ???????:11826757 byte
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | [ManualUpdate] Read Install Dat(2)
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | [EmbedModule] [334336] [0x026D3020]
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | [EmbedModule] UnZipFileMeta [4090] [1724999651] [1417] [11489373]
74d179070d51372491f55e960d47dd01280d4361bf1cfb3ef74636f475f2a84a.exe | [ManualUpdate] Elevate(Dat size Error or Empty)