File name: ConsoleAct_3.0.exe
Full analysis: https://app.any.run/tasks/c4799fcb-7ef4-4104-9556-67b8622f2020
Verdict: Malicious activity
Analysis date: July 30, 2024, 06:38:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: BAA4274E11B6EEE268D0F6F80D517CB4
SHA1: B81EF15BFEFC1D7A823CD0F97BA4BE916F04A31B
SHA256: 7E55D8AEA1ACDD0DADA0E9CA17F8CD9E8399C2E3B95742A4D7DC788F2F684C52
SSDEEP: 49152:2RSmQfZch2d77ABcM5w9heoxSiVHGSMbW3Y0GoHXFI0uiIfUyMB97wFKE7e+FygA:2RTAd7cBUh5XVHZY0d2hYBZwqWygxiUG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ConsoleAct_3.0.exe (PID: 6776)
    • Uses WMIC.EXE to add exclusions to the Windows Defender

      • cmd.exe (PID: 4128)
      • cmd.exe (PID: 2188)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 4276)
      • net.exe (PID: 1256)
    • Accesses name of the domain to which a computer belongs via WMI (SCRIPT)

      • cscript.exe (PID: 6812)
      • cscript.exe (PID: 7080)
      • cscript.exe (PID: 4632)
  • SUSPICIOUS

    • Found strings related to reading or modifying Windows Defender settings

      • ConsoleAct_3.0.exe (PID: 6776)
    • Starts CMD.EXE for commands execution

      • ConsoleAct_3.0.exe (PID: 6776)
    • Hides command output

      • cmd.exe (PID: 6224)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 6224)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 6964)
      • cmd.exe (PID: 5340)
      • cmd.exe (PID: 5240)
      • cmd.exe (PID: 3384)
      • cmd.exe (PID: 6084)
      • cmd.exe (PID: 6708)
      • cmd.exe (PID: 1136)
      • cmd.exe (PID: 4988)
      • cmd.exe (PID: 5692)
      • cmd.exe (PID: 6388)
      • cmd.exe (PID: 2116)
      • ConsoleAct_3.0.exe (PID: 6776)
      • cmd.exe (PID: 3980)
      • cmd.exe (PID: 3656)
      • cmd.exe (PID: 6632)
      • cmd.exe (PID: 6044)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 6432)
    • Executable content was dropped or overwritten

      • ConsoleAct_3.0.exe (PID: 6776)
    • The process executes VB scripts

      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 3588)
      • cmd.exe (PID: 4432)
      • cmd.exe (PID: 2976)
      • cmd.exe (PID: 6044)
      • cmd.exe (PID: 1780)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 6224)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • cscript.exe (PID: 1388)
      • cscript.exe (PID: 3384)
      • cscript.exe (PID: 4632)
      • cscript.exe (PID: 6812)
      • cscript.exe (PID: 7080)
      • cscript.exe (PID: 1712)
    • Reads data from a binary Stream object (SCRIPT)

      • cscript.exe (PID: 1388)
      • cscript.exe (PID: 3384)
      • cscript.exe (PID: 4632)
      • cscript.exe (PID: 6812)
      • cscript.exe (PID: 7080)
      • cscript.exe (PID: 1712)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 1388)
      • cscript.exe (PID: 3384)
      • cscript.exe (PID: 4632)
      • cscript.exe (PID: 6812)
      • cscript.exe (PID: 7080)
      • cscript.exe (PID: 1712)
    • The process downloads a VBScript from the remote host

      • cmd.exe (PID: 6044)
  • INFO

    • Reads Environment values

      • ConsoleAct_3.0.exe (PID: 6776)
    • Reads product name

      • ConsoleAct_3.0.exe (PID: 6776)
    • Checks supported languages

      • ConsoleAct_3.0.exe (PID: 6776)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 2368)
      • WMIC.exe (PID: 7004)
      • cscript.exe (PID: 1388)
      • cscript.exe (PID: 3384)
      • cscript.exe (PID: 4632)
      • cscript.exe (PID: 6812)
      • cscript.exe (PID: 7080)
      • cscript.exe (PID: 1712)
    • Checks proxy server information

      • slui.exe (PID: 6788)
    • UPX packer has been detected

      • ConsoleAct_3.0.exe (PID: 6776)
    • Reads Microsoft Office registry keys

      • reg.exe (PID: 5084)
      • reg.exe (PID: 4580)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (87)
.exe | Generic Win/DOS Executable (6.4)
.exe | DOS Executable Generic (6.4)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2020:12:25 02:25:27+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware
PEType: PE32+
LinkerVersion: 2.5
CodeSize: 1032192
InitializedDataSize: 73728
UninitializedDataSize: 1286144
EntryPoint: 0x2362d0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 3.0.0.0
ProductVersionNumber: 3.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
OriginalFileName: ConsoleAct_x64.exe
LegalCopyright: MSFree Inc., Ratiborus
No data.
Total processes: 209
Monitored processes: 69
Malicious processes: 7
Suspicious processes: 7

Behavior graph

Processes in order of appearance (THREAT marks the node the sandbox flagged as malicious):
consoleact_3.0.exe (THREAT), conhost.exe, cmd.exe, conhost.exe, wmic.exe, cmd.exe, cmd.exe, conhost.exe, wmic.exe, cmd.exe, slui.exe, cmd.exe, sc.exe, cmd.exe, net.exe, net1.exe, cmd.exe, reg.exe, cmd.exe, schtasks.exe, then the pair cmd.exe, reg.exe repeated 15 times, then cmd.exe, netsh.exe, reg.exe, conhost.exe, cmd.exe, cscript.exe, cmd.exe, cscript.exe, cmd.exe, cscript.exe, cmd.exe, cscript.exe, reg.exe, conhost.exe, cmd.exe, cscript.exe, cmd.exe, cscript.exe, consoleact_3.0.exe

Process information

Each entry lists PID, command line (CMD), image path, indicators and parent process, followed by the process details and loaded modules.

PID: 1136
CMD: "C:\WINDOWS\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1 2>&1
Path: C:\Windows\System32\cmd.exe
Parent process: ConsoleAct_3.0.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 1256
CMD: net.exe stop sppsvc /y
Path: C:\Windows\System32\net.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\mpr.dll
c:\windows\system32\rpcrt4.dll

PID: 1296
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1328
CMD: reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 1388
CMD: cscript.exe C:\WINDOWS\System32\slmgr.vbs //NoLogo /sdns
Path: C:\Windows\System32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images):
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

PID: 1544
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1712
CMD: cscript.exe C:\WINDOWS\System32\slmgr.vbs //NoLogo /ato
Path: C:\Windows\System32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Console Based Script Host
Version: 5.812.10240.16384
Modules (images):
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

PID: 1780
CMD: "C:\WINDOWS\System32\cmd.exe" /c cscript.exe C:\WINDOWS\System32\slmgr.vbs //NoLogo /ato 2>&1
Path: C:\Windows\System32\cmd.exe
Parent process: ConsoleAct_3.0.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 1884
CMD: reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 2116
CMD: "C:\WINDOWS\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1 2>&1
Path: C:\Windows\System32\cmd.exe
Parent process: ConsoleAct_3.0.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events: 5 483
Read events: 5 465
Write events: 18
Delete events: 0

Modification events

(PID) Process: (6776) ConsoleAct_3.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
Operation: write
Name: Enabled
Value: 1

(PID) Process: (6056) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe
Operation: write
Name: KMS_Emulation
Value: 1

(PID) Process: (5128) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe
Operation: write
Name: GlobalFlag
Value: 256

(PID) Process: (6652) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe
Operation: write
Name: KMS_ActivationInterval
Value: 120

(PID) Process: (5272) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe
Operation: write
Name: KMS_RenewalInterval
Value: 10080

(PID) Process: (4016) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe
Operation: write
Name: VerifierDlls
Value: SppExtComObjHook.dll

(PID) Process: (5296) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe
Operation: write
Name: KMS_HWID
Value: 7000B60096041C9B

(PID) Process: (6716) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe
Operation: write
Name: KMS_Emulation
Value: 1

(PID) Process: (6704) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe
Operation: write
Name: GlobalFlag
Value: 256

(PID) Process: (1884) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe
Operation: write
Name: KMS_ActivationInterval
Value: 120
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 6776
Process: ConsoleAct_3.0.exe
Filename: C:\Windows\System32\SppExtComObjHook.dll
Type: executable
MD5: 95F143EC661A5DA85C3C8199D9FE06E7
SHA256: F239C27B50CEF792FEA5B34378FBAC83BCC06B8442D508BD9ADD7DDF8CA5C632
HTTP(S) requests: 0
TCP/UDP connections: 44
DNS requests: 26
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6700 | slui.exe | 40.91.76.224:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
752 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6012 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6220 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5368 | SearchApp.exe | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
5368 | SearchApp.exe | 2.23.209.167:443 | www.bing.com | Akamai International B.V. | GB | unknown
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1620 | slui.exe | 40.91.76.224:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain (reputation), followed by the resolved IPs:

a-ring-fallback.msedge.net (unknown)
  • 131.253.33.254
www.bing.com (whitelisted)
  • 2.23.209.167
  • 2.23.209.155
  • 2.23.209.157
  • 2.23.209.160
  • 2.23.209.163
  • 2.23.209.162
  • 2.23.209.154
  • 2.23.209.166
  • 2.23.209.156
t-ring-fdv2.msedge.net (unknown)
  • 13.107.237.254
settings-win.data.microsoft.com (whitelisted)
  • 51.124.78.146
  • 40.127.240.158
  • 4.231.128.59
  • 51.104.136.2
google.com (whitelisted)
  • 142.250.186.46
login.live.com (whitelisted)
  • 40.126.31.67
  • 20.190.159.75
  • 20.190.159.68
  • 20.190.159.64
  • 40.126.31.71
  • 20.190.159.71
  • 40.126.31.69
  • 20.190.159.23
client.wns.windows.com (whitelisted)
  • 40.113.103.199
fp-afd-nocache-ccp.azureedge.net (whitelisted)
  • 13.107.246.45
self.events.data.microsoft.com (whitelisted)
  • 20.50.201.195
slscr.update.microsoft.com (whitelisted)
  • 13.85.23.86

Threats

No threats detected
No debug info