Malware analysis USDT FLASHER.exe Malicious activity | ANY.RUN

Add for printing

File name:	USDT FLASHER.exe
Full analysis:	https://app.any.run/tasks/2296c79b-a1bb-4f42-b543-ece52d241372
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	July 22, 2024, 20:21:35
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	8BD7FBBED69D36D4EBC9EBBAA1CCD16B
SHA1:	FAF32AEEFA835D0580DC32B15DECCDAE76FD0EFD
SHA256:	8DFB60AA2756AB2856BFC3BBEC3258E27A5127E11B26065357B861909EA9361F
SSDEEP:	98304:tpv6ghyyJjTc2gTYCyy7r4vbNwyW7GeaGy8ewPb3ZvZ6xxvvZry8ewPb3Iyy7r44:6g3WIR2v1iX81KJZ3ZwCV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - USDT FLASHER.exe (PID: 6680)
  - c.exe (PID: 3484)
  - c.exe (PID: 1068)
  - Service_Adobe.exe (PID: 5516)
- Changes the autorun value in the registry
  - c.exe (PID: 3484)
  - relog.exe (PID: 3560)
  - c.exe (PID: 1068)
  - Service_com.adobe.dunamis.exe (PID: 2748)
  - Service_Adobe.exe (PID: 5516)
  - Service_Microsoft.exe (PID: 2476)
  - Service_Mozilla.exe (PID: 2756)
  - Service_FileZilla.exe (PID: 520)
  - Service_Macromedia.exe (PID: 4036)
  - Service_NuGet.exe (PID: 2476)
  - Service_Opera.exe (PID: 2756)
  - Service_Skype.exe (PID: 5516)
  - Service_Notepad++.exe (PID: 2732)
  - Service_Sun.exe (PID: 2748)
  - Service_vlc.exe (PID: 1980)
  - Service_WinRAR.exe (PID: 5516)
  - Service_{2F33566DA0B91573532102}.exe (PID: 5544)
  - psvhost.exe (PID: 6024)
  - Service_Adobe.exe (PID: 5516)
  - Service_com.adobe.dunamis.exe (PID: 4036)
  - Service_Macromedia.exe (PID: 2732)
  - Service_Microsoft.exe (PID: 1048)
  - Service_FileZilla.exe (PID: 6096)
  - Service_Notepad++.exe (PID: 520)
  - Service_NuGet.exe (PID: 1980)
  - Service_Mozilla.exe (PID: 6092)
  - Service_Sun.exe (PID: 5500)
  - Service_Skype.exe (PID: 1828)
  - Service_vlc.exe (PID: 6104)
  - Service_WinRAR.exe (PID: 6112)
  - Service_Opera.exe (PID: 1008)
  - Service_{2F33566DA0B91573532102}.exe (PID: 6096)
- Create files in the Startup directory
  - c.exe (PID: 3484)
  - relog.exe (PID: 3560)
  - c.exe (PID: 1068)
  - psvhost.exe (PID: 6024)
- Application was injected by another process
  - explorer.exe (PID: 5016)
  - explorer.exe (PID: 4708)
- Actions looks like stealing of personal data
  - relog.exe (PID: 3560)
  - relog.exe (PID: 468)
  - Service_Skype.exe (PID: 5516)
  - Service_Skype.exe (PID: 1828)
- Runs injected code in another process
  - relog.exe (PID: 3560)
  - relog.exe (PID: 468)
SUSPICIOUS
- Executable content was dropped or overwritten
  - USDT FLASHER.exe (PID: 6680)
  - c.exe (PID: 3484)
  - relog.exe (PID: 3560)
  - c.exe (PID: 1068)
  - Service_Adobe.exe (PID: 5516)
  - relog.exe (PID: 468)
- The process creates files with name similar to system file names
  - c.exe (PID: 3484)
- Potential Corporate Privacy Violation
  - relog.exe (PID: 3560)
  - relog.exe (PID: 468)
- There is functionality for taking screenshot (YARA)
  - USDT FLASHER.exe (PID: 6680)
- The process executes via Task Scheduler
  - PLUGScheduler.exe (PID: 4252)
INFO
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 5016)
  - relog.exe (PID: 3560)
  - explorer.exe (PID: 4708)
  - relog.exe (PID: 468)
- Creates files or folders in the user directory
  - USDT FLASHER.exe (PID: 6680)
  - c.exe (PID: 3484)
  - relog.exe (PID: 3560)
  - explorer.exe (PID: 5016)
  - explorer.exe (PID: 4708)
  - psvhost.exe (PID: 6024)
- Checks supported languages
  - USDT FLASHER.exe (PID: 6680)
  - c.exe (PID: 3484)
  - usdtflash.exe (PID: 5540)
  - TextInputHost.exe (PID: 5740)
  - c.exe (PID: 1068)
  - Service_Adobe.exe (PID: 5516)
  - PLUGScheduler.exe (PID: 4252)
  - Service_FileZilla.exe (PID: 520)
  - Service_Mozilla.exe (PID: 2756)
  - Service_Notepad++.exe (PID: 2732)
  - Service_Macromedia.exe (PID: 4036)
  - Service_com.adobe.dunamis.exe (PID: 2748)
  - Service_Microsoft.exe (PID: 2476)
  - Service_NuGet.exe (PID: 2476)
  - Service_Opera.exe (PID: 2756)
  - Service_Skype.exe (PID: 5516)
  - Service_Sun.exe (PID: 2748)
  - Service_vlc.exe (PID: 1980)
  - Service_WinRAR.exe (PID: 5516)
  - Service_{2F33566DA0B91573532102}.exe (PID: 5544)
  - psvhost.exe (PID: 6024)
  - Service_Adobe.exe (PID: 5516)
  - Service_com.adobe.dunamis.exe (PID: 4036)
  - Service_Macromedia.exe (PID: 2732)
  - Service_Microsoft.exe (PID: 1048)
  - Service_FileZilla.exe (PID: 6096)
  - Service_Notepad++.exe (PID: 520)
  - Service_NuGet.exe (PID: 1980)
  - Service_Opera.exe (PID: 1008)
  - Service_Mozilla.exe (PID: 6092)
  - Service_Sun.exe (PID: 5500)
  - Service_vlc.exe (PID: 6104)
  - Service_WinRAR.exe (PID: 6112)
  - Service_Skype.exe (PID: 1828)
  - Service_{2F33566DA0B91573532102}.exe (PID: 6096)
- Reads the computer name
  - c.exe (PID: 3484)
  - usdtflash.exe (PID: 5540)
  - TextInputHost.exe (PID: 5740)
  - c.exe (PID: 1068)
  - Service_Adobe.exe (PID: 5516)
  - PLUGScheduler.exe (PID: 4252)
  - Service_com.adobe.dunamis.exe (PID: 2748)
  - Service_Microsoft.exe (PID: 2476)
  - Service_Mozilla.exe (PID: 2756)
  - Service_FileZilla.exe (PID: 520)
  - Service_Macromedia.exe (PID: 4036)
  - Service_Opera.exe (PID: 2756)
  - Service_Notepad++.exe (PID: 2732)
  - Service_NuGet.exe (PID: 2476)
  - Service_Skype.exe (PID: 5516)
  - Service_Sun.exe (PID: 2748)
  - Service_vlc.exe (PID: 1980)
  - Service_WinRAR.exe (PID: 5516)
  - Service_{2F33566DA0B91573532102}.exe (PID: 5544)
  - psvhost.exe (PID: 6024)
  - Service_Adobe.exe (PID: 5516)
  - Service_com.adobe.dunamis.exe (PID: 4036)
  - Service_Microsoft.exe (PID: 1048)
  - Service_FileZilla.exe (PID: 6096)
  - Service_Macromedia.exe (PID: 2732)
  - Service_Mozilla.exe (PID: 6092)
  - Service_Notepad++.exe (PID: 520)
  - Service_NuGet.exe (PID: 1980)
  - Service_Opera.exe (PID: 1008)
  - Service_Skype.exe (PID: 1828)
  - Service_WinRAR.exe (PID: 6112)
  - Service_Sun.exe (PID: 5500)
  - Service_vlc.exe (PID: 6104)
  - Service_{2F33566DA0B91573532102}.exe (PID: 6096)
- Checks proxy server information
  - relog.exe (PID: 3560)
  - explorer.exe (PID: 4708)
  - relog.exe (PID: 468)
- Reads the software policy settings
  - relog.exe (PID: 3560)
- Reads the machine GUID from the registry
  - usdtflash.exe (PID: 5540)
- Create files in a temporary directory
  - relog.exe (PID: 3560)
  - relog.exe (PID: 468)
- Drops the executable file immediately after the start
  - relog.exe (PID: 3560)
  - relog.exe (PID: 468)
- Reads Microsoft Office registry keys
  - explorer.exe (PID: 4708)
- Manual execution by a user
  - c.exe (PID: 1068)
  - Service_Adobe.exe (PID: 5516)
  - Service_com.adobe.dunamis.exe (PID: 2748)
  - Service_Mozilla.exe (PID: 2756)
  - Service_Notepad++.exe (PID: 2732)
  - Service_FileZilla.exe (PID: 520)
  - Service_Microsoft.exe (PID: 2476)
  - Service_Macromedia.exe (PID: 4036)
  - Service_NuGet.exe (PID: 2476)
  - Service_Skype.exe (PID: 5516)
  - Service_Opera.exe (PID: 2756)
  - Service_Sun.exe (PID: 2748)
  - Service_vlc.exe (PID: 1980)
  - Service_WinRAR.exe (PID: 5516)
  - Service_{2F33566DA0B91573532102}.exe (PID: 5544)
  - psvhost.exe (PID: 6024)
  - Service_Adobe.exe (PID: 5516)
  - Service_FileZilla.exe (PID: 6096)
  - Service_Macromedia.exe (PID: 2732)
  - Service_Microsoft.exe (PID: 1048)
  - Service_com.adobe.dunamis.exe (PID: 4036)
  - Service_Notepad++.exe (PID: 520)
  - Service_NuGet.exe (PID: 1980)
  - Service_Opera.exe (PID: 1008)
  - Service_Mozilla.exe (PID: 6092)
  - Service_Skype.exe (PID: 1828)
  - Service_Sun.exe (PID: 5500)
  - Service_vlc.exe (PID: 6104)
  - Service_WinRAR.exe (PID: 6112)
  - Service_{2F33566DA0B91573532102}.exe (PID: 6096)
- Creates files in the program directory
  - PLUGScheduler.exe (PID: 4252)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:07:12 15:09:45+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.4
CodeSize:	116224
InitializedDataSize:	13163520
UninitializedDataSize:	-
EntryPoint:	0x7415
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.4.0.0
ProductVersionNumber:	1.4.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Unknown (2000)
CharacterSet:	Unicode
CompanyName:	ChatGpt
FileDescription:	ChatGpt
FileVersion:	1.4.0.0
InternalName:	ChatGpt.exe
LegalCopyright:	Copyright (C) 2024
OriginalFileName:	ChatGpt.exe
ProductName:	ChatGpt Software
ProductVersion:	1.4.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

318

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

468

C:\WINDOWS\system32\relog.exe

C:\Windows\System32\relog.exe

c.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Performance Relogging Utility

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\thc7b5.tmp
c:\windows\system32\relog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

520

"C:\Users\admin\AppData\Roaming\FileZilla\Service_FileZilla.exe"

C:\Users\admin\AppData\Roaming\FileZilla\Service_FileZilla.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\roaming\filezilla\service_filezilla.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

520

C:\WINDOWS\system32\relog.exe

C:\Windows\System32\relog.exe

—

Service_Microsoft.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Performance Relogging Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\thcdbf.tmp
c:\windows\system32\relog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

520

C:\WINDOWS\system32\relog.exe

C:\Windows\System32\relog.exe

—

Service_FileZilla.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Performance Relogging Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\thdc75.tmp
c:\windows\system32\relog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

520

"C:\Users\admin\AppData\Roaming\Notepad++\Service_Notepad++.exe"

C:\Users\admin\AppData\Roaming\Notepad++\Service_Notepad++.exe

explorer.exe

User:

admin

Company:

Microsoft

Integrity Level:

MEDIUM

Description:

Services.exe

Exit code:

Version:

1.0.0.1

Modules

Images
c:\users\admin\appdata\roaming\notepad++\service_notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1008

C:\WINDOWS\system32\relog.exe

C:\Windows\System32\relog.exe

—

psvhost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Performance Relogging Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\thd88d.tmp
c:\windows\system32\relog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1008

"C:\Users\admin\AppData\Roaming\Opera\Service_Opera.exe"

C:\Users\admin\AppData\Roaming\Opera\Service_Opera.exe

explorer.exe

User:

admin

Company:

Microsoft

Integrity Level:

MEDIUM

Description:

Services.exe

Exit code:

Version:

1.0.0.1

Modules

Images
c:\users\admin\appdata\roaming\opera\service_opera.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1036

C:\WINDOWS\system32\relog.exe

C:\Windows\System32\relog.exe

—

Service_NuGet.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Performance Relogging Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\thd0dc.tmp
c:\windows\system32\relog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1048

C:\WINDOWS\system32\relog.exe

C:\Windows\System32\relog.exe

—

Service_Adobe.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Performance Relogging Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\thda43.tmp
c:\windows\system32\relog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1048

"C:\Users\admin\AppData\Roaming\Microsoft\Service_Microsoft.exe"

C:\Users\admin\AppData\Roaming\Microsoft\Service_Microsoft.exe

explorer.exe

User:

admin

Company:

Microsoft

Integrity Level:

MEDIUM

Description:

Services.exe

Exit code:

Version:

1.0.0.1

Modules

Images
c:\users\admin\appdata\roaming\microsoft\service_microsoft.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

135 379

Read events

135 132

Write events

234

Delete events

Modification events


(PID) Process:	(5016) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:	write	Name:	IconLayouts
Value: 00000000000000000000000000000000030001000100010010000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C000000120000000000000065006C00730065007400680072006500610064002E0070006E0067003E002000200000001000000000000000660061007300740076006500720079002E007200740066003E0020002000000011000000000000006D00610072007000720069006300650073002E006A00700067003E002000200000000E000000000000006E00790063006100720074002E007200740066003E00200020000000120000000000000070006100720074006D006900640064006C0065002E0070006E0067003E0020002000000011000000000000007000720065006500750072006F00700065002E007200740066003E002000200000001D00000000000000720065006C006100740069006F006E007300680069007000730070006F006E0073006F007200650064002E007200740066003E0020002000000014000000000000005500530044005400200046004C00410053004800450052002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001000000000000000000000000000000000000000803F0000004008000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E00000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000000040000040400F00
(PID) Process:	(5016) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:	write	Name:	IconNameVersion
Value: 1
(PID) Process:	(5016) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:	write	Name:	LastUpdate
Value: 56BF9E6600000000
(PID) Process:	(5016) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 23004100430042006C006F00620000000000000000000000010000004000000000000000
(PID) Process:	(3484) c.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	WpnUserService
Value: C:\Users\admin\AppData\Roaming\c.exe
(PID) Process:	(3560) relog.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3560) relog.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3560) relog.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3560) relog.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(5016) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation:	write	Name:	InstalledWin32AppsRevision
Value: {E9B29DEB-F4B1-4E72-B0B7-BF4848B44DAD}

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3484	c.exe	C:\Users\admin\AppData\Local\Temp\TH342B.tmp		binary
		MD5:9516763B23679C4A0EA3A0AAF5735072	SHA256:AD1B9FE22199F95094A31D8B68FFFAD6B39151A7953129C689AD837C8122F5AC
3560	relog.exe	C:\Users\admin\AppData\Roaming\com.adobe.dunamis\Service_com.adobe.dunamis.exe		executable
		MD5:65D4FA69A651E309EA75B701059C3360	SHA256:273997CDA9E5D6C8A33DCFC1DC0579653ECDB3203F4B1C5BB15A3986B9451219
3484	c.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk		binary
		MD5:356A3111264556716198F17048307AFA	SHA256:8198F8BBF1A77870C11AB94F2F7518093B19B4187166F4E7C656200C6B40F5F7
3560	relog.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk		binary
		MD5:EBCE8C70F784BC5BACCD8038AA1DE3D9	SHA256:79585E8ACFC317668FF371A61907F45ACAFE90B60633FC504E9E54D69D6EA095
3560	relog.exe	C:\Users\admin\AppData\Roaming\FileZilla\Service_FileZilla.exe		executable
		MD5:65D4FA69A651E309EA75B701059C3360	SHA256:273997CDA9E5D6C8A33DCFC1DC0579653ECDB3203F4B1C5BB15A3986B9451219
3560	relog.exe	C:\Users\admin\AppData\Local\Temp\SystemUpdate.exe		executable
		MD5:65D4FA69A651E309EA75B701059C3360	SHA256:273997CDA9E5D6C8A33DCFC1DC0579653ECDB3203F4B1C5BB15A3986B9451219
3560	relog.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61		binary
		MD5:3F2DC5215485252BDD9F7316EDCAF990	SHA256:8A46E2A86F4E26E34CBBD921B1D4D0C18B297D56006AA1571D62E6C547FB5EE1
3560	relog.exe	C:\Users\admin\AppData\Roaming\Adobe\Service_Adobe.exe		executable
		MD5:65D4FA69A651E309EA75B701059C3360	SHA256:273997CDA9E5D6C8A33DCFC1DC0579653ECDB3203F4B1C5BB15A3986B9451219
3560	relog.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_FileZilla.exe.lnk		binary
		MD5:6A761730B0A14FC355A3F69B083F302F	SHA256:6D8FA4E9BD6117A0FEA0C3E0B9C196CE1D3AA006C0D35B55B35ABBBCEDFC5672
3560	relog.exe	C:\Users\admin\AppData\Roaming\Microsoft\Service_Microsoft.exe		executable
		MD5:65D4FA69A651E309EA75B701059C3360	SHA256:273997CDA9E5D6C8A33DCFC1DC0579653ECDB3203F4B1C5BB15A3986B9451219

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3560	relog.exe	GET	200	72.246.169.163:80	http://x2.c.lencr.org/	unknown	—	—	whitelisted
3560	relog.exe	GET	200	188.114.96.3:80	http://auth.xn--conbase-sfb.xyz/api/update2.pack	unknown	—	—	whitelisted
3560	relog.exe	GET	200	188.114.96.3:80	http://auth.xn--conbase-sfb.xyz/api/update.pack	unknown	—	—	whitelisted
5016	explorer.exe	POST	—	188.114.96.3:80	http://orders.coinbasse.xyz/api.php?{2F33566DA0B91573532102}	unknown	—	—	unknown
5016	explorer.exe	POST	200	188.114.96.3:80	http://orders.coinbasse.xyz/api.php?{2F33566DA0B91573532102}	unknown	—	—	whitelisted
468	relog.exe	GET	200	188.114.97.3:80	http://auth.xn--conbase-sfb.xyz/api/update.pack	unknown	—	—	whitelisted
4708	explorer.exe	POST	200	188.114.96.3:80	http://orders.coinbasse.xyz/api.php?{2F33566DA0B91573532102}	unknown	—	—	unknown
468	relog.exe	GET	200	188.114.97.3:80	http://auth.xn--conbase-sfb.xyz/api/update2.pack	unknown	—	—	whitelisted
4708	explorer.exe	POST	200	188.114.96.3:80	http://orders.coinbasse.xyz/api.php?{2F33566DA0B91573532102}	unknown	—	—	unknown
4708	explorer.exe	POST	200	188.114.96.3:80	http://orders.coinbasse.xyz/api.php?{2F33566DA0B91573532102}	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
5368	SearchApp.exe	2.20.142.4:443	www.bing.com	Akamai International B.V.	DE	unknown
916	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5272	svchost.exe	40.126.31.69:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
4204	svchost.exe	4.209.32.198:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
3296	svchost.exe	40.113.110.67:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1044	svchost.exe	23.213.166.81:443	go.microsoft.com	AKAMAI-AS	DE	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	216.58.206.78	whitelisted
www.bing.com	2.20.142.4 2.20.142.160 2.20.142.162 2.20.142.180 2.20.142.184 2.20.142.179 2.20.142.178 2.20.142.2 2.20.142.182 2.20.142.138 2.20.142.129 2.20.142.139 2.20.142.145 92.122.215.99 2.20.142.154 2.20.142.146 92.122.215.75 2.20.142.153	whitelisted
login.live.com	40.126.31.69 20.190.159.0 40.126.31.67 20.190.159.68 40.126.31.73 20.190.159.23 20.190.159.71 20.190.159.4 40.126.32.138 20.190.160.14 40.126.32.72 20.190.160.20 40.126.32.133 40.126.32.76 40.126.32.68 40.126.32.136	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
go.microsoft.com	23.213.166.81 184.28.89.167	whitelisted
auth.xn--conbase-sfb.xyz	188.114.96.3 188.114.97.3	unknown
x2.c.lencr.org	72.246.169.163	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
orders.coinbasse.xyz	188.114.96.3 188.114.97.3	unknown

Threats

PID	Process	Class	Message
3560	relog.exe	Potentially Bad Traffic	ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
3560	relog.exe	A Network Trojan was detected	ET MALWARE Possible Sniffthem/Tnaket User-Agent Observed M2
3560	relog.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3560	relog.exe	A Network Trojan was detected	ET MALWARE Possible Sniffthem/Tnaket User-Agent Observed M2
3560	relog.exe	Misc activity	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
468	relog.exe	Potentially Bad Traffic	ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
468	relog.exe	A Network Trojan was detected	ET MALWARE Possible Sniffthem/Tnaket User-Agent Observed M2
468	relog.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
468	relog.exe	A Network Trojan was detected	ET MALWARE Possible Sniffthem/Tnaket User-Agent Observed M2
468	relog.exe	Misc activity	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

Add for printing

No debug info

General Info

USDT FLASHER.exe

8BD7FBBED69D36D4EBC9EBBAA1CCD16B

FAF32AEEFA835D0580DC32B15DECCDAE76FD0EFD

8DFB60AA2756AB2856BFC3BBEC3258E27A5127E11B26065357B861909EA9361F

98304:tpv6ghyyJjTc2gTYCyy7r4vbNwyW7GeaGy8ewPb3ZvZ6xxvvZry8ewPb3Iyy7r44:6g3WIR2v1iX81KJZ3ZwCV

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

Create files in the Startup directory

Application was injected by another process

Actions looks like stealing of personal data

Runs injected code in another process

SUSPICIOUS

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Potential Corporate Privacy Violation

There is functionality for taking screenshot (YARA)

The process executes via Task Scheduler

INFO

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Checks supported languages

Reads the computer name

Checks proxy server information

Reads the software policy settings

Reads the machine GUID from the registry

Create files in a temporary directory

Drops the executable file immediately after the start

Reads Microsoft Office registry keys

Manual execution by a user

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings