File name:

Monoxidex86.harmless.exe

Full analysis: https://app.any.run/tasks/d84ff5b0-0b6c-4b84-aadb-816075dbeff1
Verdict: Malicious activity
Analysis date: November 23, 2024, 19:04:48
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
dyndns
monoxide
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

189957C510F529FC2021B84AE99F5757

SHA1:

29F73B40E866F0DDEA48E2744A0F9287C30FCE02

SHA256:

753A3EECEE5EE27EAF31051BFAE24F8C16C91AC83AE128190EF2E13CF2D69C01

SSDEEP:

24576:13HzLnqOaNMCFJ6kPvOxrcg0i7uFdEUETfoDsE:13HzLnqOaNMCFJ6kPvO1cg0i7VUETfoT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • Monoxidex86.harmless.exe (PID: 3364)

    • Monoxide mutex has been found

      • ._cache_Monoxidex86.harmless.exe (PID: 2984)

    • Connects to the CnC server

      • Synaptics.exe (PID: 2796)

  • SUSPICIOUS

    • Reads the Internet Settings

      • Monoxidex86.harmless.exe (PID: 3364)
      • Synaptics.exe (PID: 2796)

    • Reads security settings of Internet Explorer

      • Monoxidex86.harmless.exe (PID: 3364)
      • Synaptics.exe (PID: 2796)

    • Executable content was dropped or overwritten

      • Monoxidex86.harmless.exe (PID: 3364)

    • Contacting a server suspected of hosting an CnC

      • Synaptics.exe (PID: 2796)

    • There is functionality for communication dyndns network (YARA)

      • Synaptics.exe (PID: 2796)

    • There is functionality for communication over UDP network (YARA)

      • Synaptics.exe (PID: 2796)

    • There is functionality for taking screenshot (YARA)

      • Synaptics.exe (PID: 2796)

  • INFO

    • Checks supported languages

      • Monoxidex86.harmless.exe (PID: 3364)
      • ._cache_Monoxidex86.harmless.exe (PID: 2984)
      • Synaptics.exe (PID: 2796)

    • Reads the computer name

      • Monoxidex86.harmless.exe (PID: 3364)
      • Synaptics.exe (PID: 2796)
      • ._cache_Monoxidex86.harmless.exe (PID: 2984)

    • The process uses the downloaded file

      • Monoxidex86.harmless.exe (PID: 3364)

    • Creates files in the program directory

      • Monoxidex86.harmless.exe (PID: 3364)
      • Synaptics.exe (PID: 2796)

    • Checks proxy server information

      • Synaptics.exe (PID: 2796)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (96.4)
.exe | Win32 Executable Delphi generic (2)
.exe | Win32 Executable (generic) (0.6)
.exe | Win16/32 Executable Delphi generic (0.3)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 629760
InitializedDataSize: 274944
UninitializedDataSize: -
EntryPoint: 0x9ab80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.4
ProductVersionNumber: 1.0.0.4
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Turkish
CharacterSet: Windows, Turkish
CompanyName: Synaptics
FileDescription: Synaptics Pointing Device Driver
FileVersion: 1.0.0.4
InternalName: -
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: -
ProductName: Synaptics Pointing Device Driver
ProductVersion: 1.0.0.0
Comments: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
115
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start monoxidex86.harmless.exe ._cache_monoxidex86.harmless.exe no specs synaptics.exe

Process information

PID
CMD
Path
Indicators
Parent process
2796"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdateC:\ProgramData\Synaptics\Synaptics.exe
Monoxidex86.harmless.exe
User:
admin
Company:
Synaptics
Integrity Level:
HIGH
Description:
Synaptics Pointing Device Driver
Version:
1.0.0.4
Modules
Images
c:\programdata\synaptics\synaptics.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
2984"C:\Users\admin\Desktop\._cache_Monoxidex86.harmless.exe" C:\Users\admin\Desktop\._cache_Monoxidex86.harmless.exeMonoxidex86.harmless.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\._cache_monoxidex86.harmless.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
3364"C:\Users\admin\Desktop\Monoxidex86.harmless.exe" C:\Users\admin\Desktop\Monoxidex86.harmless.exe
explorer.exe
User:
admin
Company:
Synaptics
Integrity Level:
MEDIUM
Description:
Synaptics Pointing Device Driver
Exit code:
0
Version:
1.0.0.4
Modules
Images
c:\users\admin\desktop\monoxidex86.harmless.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
Total events
4 854
Read events
4 832
Write events
22
Delete events
0

Modification events

(PID) Process:(3364) Monoxidex86.harmless.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D28010000BD0E0C47735D584D9CEDE91E22E23282290100006078A409B011A54DAFA526D86198A7801302000060B81DB4E464D2119906E49FADC173CAD40100000114020000000000C000000000000046BF020000
(PID) Process:(3364) Monoxidex86.harmless.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3364) Monoxidex86.harmless.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3364) Monoxidex86.harmless.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3364) Monoxidex86.harmless.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3364) Monoxidex86.harmless.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Synaptics Pointing Device Driver
Value:
C:\ProgramData\Synaptics\Synaptics.exe
(PID) Process:(3364) Monoxidex86.harmless.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{B41DB860-8EE4-11D2-9906-E49FADC173CA} {000214E4-0000-0000-C000-000000000046} 0xFFFF
Value:
0100000000000000E926A996DA3DDB01
(PID) Process:(2796) Synaptics.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2796) Synaptics.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2796) Synaptics.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
Executable files
4
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3364Monoxidex86.harmless.exeC:\Users\admin\Desktop\._cache_Monoxidex86.harmless.exeexecutable
MD5:BD65D387482DEF1FE00B50406F731763
SHA256:1AB7375550516D7445C47FD9B551ED864F227401A14FF3F1FF0D70CACA3BD997
2796Synaptics.exeC:\Users\admin\AppData\Local\Temp\Cu8cct4.inihtml
MD5:7F9277F46CC371D290C71C17B442C6BF
SHA256:C97537D059D7EC3E04F8CFE8159A7A4463E3229EFC2774600B15E2C30C24C188
3364Monoxidex86.harmless.exeC:\ProgramData\Synaptics\Synaptics.exeexecutable
MD5:189957C510F529FC2021B84AE99F5757
SHA256:753A3EECEE5EE27EAF31051BFAE24F8C16C91AC83AE128190EF2E13CF2D69C01
3364Monoxidex86.harmless.exeC:\ProgramData\Synaptics\RCXF52D.tmpexecutable
MD5:C84EEC31EF88A4F342D1283B8EB852E1
SHA256:7B8489F453223B9B232581677BA106ED2EB3C5B1D1153A11288940440B0FCA4D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
32
DNS requests
39
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1776
firefox.exe
POST
200
192.229.221.95:80
http://ocsp.digicert.com/
unknown
whitelisted
HEAD
200
23.213.164.137:443
https://fs.microsoft.com/fs/windows/config.json
unknown
1296
svchost.exe
GET
200
23.55.161.191:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
1776
firefox.exe
POST
200
23.53.40.161:80
http://r10.o.lencr.org/
unknown
whitelisted
1776
firefox.exe
POST
200
23.53.40.154:80
http://r10.o.lencr.org/
unknown
whitelisted
1776
firefox.exe
POST
200
192.229.221.95:80
http://ocsp.digicert.com/
unknown
whitelisted
1776
firefox.exe
POST
200
23.53.40.161:80
http://r10.o.lencr.org/
unknown
whitelisted
2860
svchost.exe
GET
304
88.221.110.91:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a32176130b135011
unknown
whitelisted
GET
303
74.125.206.84:443
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
unknown
2860
svchost.exe
GET
200
88.221.110.91:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?34b29c7dc8be1260
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3484
rundll32.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
6848
OfficeC2RClient.exe
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
1296
svchost.exe
23.55.161.191:80
Akamai International B.V.
DE
unknown
1776
firefox.exe
34.120.208.123:443
incoming.telemetry.mozilla.org
GOOGLE-CLOUD-PLATFORM
US
whitelisted
1776
firefox.exe
34.149.100.209:443
firefox.settings.services.mozilla.com
GOOGLE
US
whitelisted
5552
svchost.exe
239.255.255.250:1900
whitelisted
1776
firefox.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1776
firefox.exe
23.53.40.154:80
r10.o.lencr.org
Akamai International B.V.
DE
whitelisted
1776
firefox.exe
23.53.40.161:80
r10.o.lencr.org
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
incoming.telemetry.mozilla.org
  • 34.120.208.123
whitelisted
firefox.settings.services.mozilla.com
  • 34.149.100.209
whitelisted
telemetry-incoming.r53-2.services.mozilla.com
  • 34.120.208.123
whitelisted
prod.remote-settings.prod.webservices.mozgcp.net
  • 34.149.100.209
whitelisted
google.com
  • 142.250.185.174
whitelisted
r10.o.lencr.org
  • 23.53.40.154
  • 23.53.40.161
  • 23.53.40.144
  • 23.53.40.123
  • 23.53.40.122
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
fp2e7a.wpc.phicdn.net
  • 192.229.221.95
  • 2606:2800:233:fa02:67b:9ff6:6107:833
whitelisted

Threats

PID
Process
Class
Message
1656
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
1296
svchost.exe
Misc activity
ET INFO Microsoft Connection Test
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Monoxidex86.harmless.exe