File name: USDT FLASHER.exe

Full analysis: https://app.any.run/tasks/47ce000a-e15b-40d3-a043-8c82b9d5a8cc
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 22, 2024, 20:14:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader, crypto-regex, telegram, evasion, python, stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 8BD7FBBED69D36D4EBC9EBBAA1CCD16B
SHA1: FAF32AEEFA835D0580DC32B15DECCDAE76FD0EFD
SHA256: 8DFB60AA2756AB2856BFC3BBEC3258E27A5127E11B26065357B861909EA9361F
SSDEEP: 98304:tpv6ghyyJjTc2gTYCyy7r4vbNwyW7GeaGy8ewPb3ZvZ6xxvvZry8ewPb3Iyy7r44:6g3WIR2v1iX81KJZ3ZwCV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • USDT FLASHER.exe (PID: 4704)
      • c.exe (PID: 5304)
      • 801B.tmp.svchac.exe (PID: 4036)
    • Creates files in the Startup directory

      • c.exe (PID: 5304)
      • relog.exe (PID: 2884)
      • psvhost.exe (PID: 6140)
    • Changes the autorun value in the registry

      • c.exe (PID: 5304)
      • relog.exe (PID: 2884)
      • c.exe (PID: 4572)
      • Service_com.adobe.dunamis.exe (PID: 1364)
      • Service_Adobe.exe (PID: 3008)
      • Service_FileZilla.exe (PID: 5668)
      • Service_Macromedia.exe (PID: 5664)
      • Service_Microsoft.exe (PID: 116)
      • Service_Mozilla.exe (PID: 820)
      • Service_Notepad++.exe (PID: 5456)
      • Service_NuGet.exe (PID: 3056)
      • Service_vlc.exe (PID: 5696)
      • Service_WinRAR.exe (PID: 5376)
      • Service_Sun.exe (PID: 7160)
      • psvhost.exe (PID: 6140)
      • Service_{2F33566DA0B91573532102}.exe (PID: 5248)
      • Service_Adobe.exe (PID: 4572)
      • Service_com.adobe.dunamis.exe (PID: 2072)
      • Service_Microsoft.exe (PID: 6424)
      • Service_Notepad++.exe (PID: 3112)
      • Service_NuGet.exe (PID: 5640)
      • Service_Mozilla.exe (PID: 588)
      • Service_Opera.exe (PID: 6804)
      • Service_Skype.exe (PID: 1388)
      • Service_Opera.exe (PID: 3824)
      • Service_Macromedia.exe (PID: 4152)
      • Service_FileZilla.exe (PID: 3376)
      • Service_WinRAR.exe (PID: 5484)
      • Service_{2F33566DA0B91573532102}.exe (PID: 5104)
      • Service_Sun.exe (PID: 996)
      • Service_Skype.exe (PID: 6592)
      • Service_vlc.exe (PID: 5684)
      • relog.exe (PID: 6136)
    • Actions look like stealing of personal data

      • relog.exe (PID: 2884)
      • relog.exe (PID: 6136)
      • Service_Skype.exe (PID: 1388)
      • Taskmgr.exe (PID: 7028)
      • Service_Skype.exe (PID: 6592)
      • 6B88.tmp.zbi.exe (PID: 6332)
    • Application was injected by another process

      • explorer.exe (PID: 5016)
      • explorer.exe (PID: 5656)
    • Runs injected code in another process

      • relog.exe (PID: 2884)
      • relog.exe (PID: 6136)
    • Steals credentials from Web Browsers

      • 6B88.tmp.zbi.exe (PID: 6332)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • USDT FLASHER.exe (PID: 4704)
      • c.exe (PID: 5304)
      • relog.exe (PID: 2884)
      • 801B.tmp.svchac.exe (PID: 4036)
    • The process creates files with names similar to system file names

      • c.exe (PID: 5304)
    • Potential Corporate Privacy Violation

      • relog.exe (PID: 2884)
      • relog.exe (PID: 6136)
      • explorer.exe (PID: 5656)
    • There is functionality for taking screenshots (YARA)

      • USDT FLASHER.exe (PID: 4704)
      • usdtflash.exe (PID: 6572)
      • explorer.exe (PID: 5656)
    • Found regular expressions for crypto-addresses (YARA)

      • relog.exe (PID: 2884)
      • explorer.exe (PID: 5656)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 5436)
    • Reads the date of Windows installation

      • StartMenuExperienceHost.exe (PID: 5372)
      • SearchApp.exe (PID: 6112)
    • Reads security settings of Internet Explorer

      • StartMenuExperienceHost.exe (PID: 5372)
    • Loads Python modules

      • 801B.tmp.svchac.exe (PID: 3404)
    • The process drops C-runtime libraries

      • 801B.tmp.svchac.exe (PID: 4036)
    • Process drops python dynamic module

      • 801B.tmp.svchac.exe (PID: 4036)
    • Process drops legitimate windows executable

      • 801B.tmp.svchac.exe (PID: 4036)
    • Application launched itself

      • 801B.tmp.svchac.exe (PID: 4036)
    • The process hides an interactive prompt from the user

      • 6B88.tmp.zbi.exe (PID: 6332)
    • The process hides Powershell's copyright startup banner

      • 6B88.tmp.zbi.exe (PID: 6332)
    • The process bypasses the loading of PowerShell profile settings

      • 6B88.tmp.zbi.exe (PID: 6332)
    • Starts POWERSHELL.EXE for command execution

      • 6B88.tmp.zbi.exe (PID: 6332)
    • Executes application which crashes

      • msedge.exe (PID: 2292)
      • msedge.exe (PID: 5248)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • 801B.tmp.svchac.exe (PID: 3404)
      • 6B88.tmp.zbi.exe (PID: 6332)
    • Starts CMD.EXE for command execution

      • 6B88.tmp.zbi.exe (PID: 6332)
  • INFO

    • Checks supported languages

      • USDT FLASHER.exe (PID: 4704)
      • c.exe (PID: 5304)
      • usdtflash.exe (PID: 6572)
      • PLUGScheduler.exe (PID: 5436)
      • SearchApp.exe (PID: 6112)
      • StartMenuExperienceHost.exe (PID: 5372)
      • Service_Adobe.exe (PID: 3008)
      • Service_com.adobe.dunamis.exe (PID: 1364)
      • Service_FileZilla.exe (PID: 5668)
      • Service_Macromedia.exe (PID: 5664)
      • Service_Microsoft.exe (PID: 116)
      • Service_Mozilla.exe (PID: 820)
      • Service_Notepad++.exe (PID: 5456)
      • Service_NuGet.exe (PID: 3056)
      • TextInputHost.exe (PID: 5072)
      • Service_Skype.exe (PID: 1388)
      • c.exe (PID: 4572)
      • Service_Opera.exe (PID: 3824)
      • Service_vlc.exe (PID: 5696)
      • Service_WinRAR.exe (PID: 5376)
      • Service_{2F33566DA0B91573532102}.exe (PID: 5248)
      • psvhost.exe (PID: 6140)
      • Service_com.adobe.dunamis.exe (PID: 2072)
      • Service_FileZilla.exe (PID: 3376)
      • Service_Microsoft.exe (PID: 6424)
      • Service_Macromedia.exe (PID: 4152)
      • Service_NuGet.exe (PID: 5640)
      • Service_Mozilla.exe (PID: 588)
      • Service_Notepad++.exe (PID: 3112)
      • Service_Opera.exe (PID: 6804)
      • Service_Sun.exe (PID: 7160)
      • Service_Skype.exe (PID: 6592)
      • Service_vlc.exe (PID: 5684)
      • Service_{2F33566DA0B91573532102}.exe (PID: 5104)
      • Service_Adobe.exe (PID: 4572)
      • Service_WinRAR.exe (PID: 5484)
      • 6B88.tmp.zbi.exe (PID: 6332)
      • 801B.tmp.svchac.exe (PID: 4036)
      • 801B.tmp.svchac.exe (PID: 3404)
      • identity_helper.exe (PID: 5644)
      • Service_Sun.exe (PID: 996)
    • Reads the computer name

      • c.exe (PID: 5304)
      • usdtflash.exe (PID: 6572)
      • TextInputHost.exe (PID: 5072)
      • PLUGScheduler.exe (PID: 5436)
      • StartMenuExperienceHost.exe (PID: 5372)
      • SearchApp.exe (PID: 6112)
      • c.exe (PID: 4572)
      • Service_Adobe.exe (PID: 3008)
      • Service_FileZilla.exe (PID: 5668)
      • Service_com.adobe.dunamis.exe (PID: 1364)
      • Service_Macromedia.exe (PID: 5664)
      • Service_Microsoft.exe (PID: 116)
      • Service_Mozilla.exe (PID: 820)
      • Service_Notepad++.exe (PID: 5456)
      • Service_NuGet.exe (PID: 3056)
      • Service_vlc.exe (PID: 5696)
      • Service_Opera.exe (PID: 3824)
      • Service_WinRAR.exe (PID: 5376)
      • Service_Sun.exe (PID: 7160)
      • Service_{2F33566DA0B91573532102}.exe (PID: 5248)
      • psvhost.exe (PID: 6140)
      • Service_Adobe.exe (PID: 4572)
      • Service_com.adobe.dunamis.exe (PID: 2072)
      • Service_FileZilla.exe (PID: 3376)
      • Service_Macromedia.exe (PID: 4152)
      • Service_NuGet.exe (PID: 5640)
      • Service_Microsoft.exe (PID: 6424)
      • Service_Notepad++.exe (PID: 3112)
      • Service_Opera.exe (PID: 6804)
      • Service_Skype.exe (PID: 1388)
      • Service_Skype.exe (PID: 6592)
      • Service_Sun.exe (PID: 996)
      • Service_Mozilla.exe (PID: 588)
      • Service_WinRAR.exe (PID: 5484)
      • Service_{2F33566DA0B91573532102}.exe (PID: 5104)
      • Service_vlc.exe (PID: 5684)
      • 6B88.tmp.zbi.exe (PID: 6332)
      • 801B.tmp.svchac.exe (PID: 4036)
      • 801B.tmp.svchac.exe (PID: 3404)
      • identity_helper.exe (PID: 5644)
    • Creates files or folders in the user directory

      • USDT FLASHER.exe (PID: 4704)
      • relog.exe (PID: 2884)
      • c.exe (PID: 5304)
      • explorer.exe (PID: 5016)
      • dllhost.exe (PID: 4736)
      • explorer.exe (PID: 5656)
      • psvhost.exe (PID: 6140)
      • 6B88.tmp.zbi.exe (PID: 6332)
      • WerFault.exe (PID: 3936)
      • WerFault.exe (PID: 4624)
    • Checks proxy server information

      • relog.exe (PID: 2884)
      • slui.exe (PID: 2116)
      • SearchApp.exe (PID: 6112)
      • explorer.exe (PID: 5656)
      • relog.exe (PID: 6136)
      • 6B88.tmp.zbi.exe (PID: 6332)
      • 801B.tmp.svchac.exe (PID: 3404)
      • slui.exe (PID: 6652)
      • WerFault.exe (PID: 4624)
      • WerFault.exe (PID: 3936)
    • Drops the executable file immediately after the start

      • relog.exe (PID: 2884)
      • explorer.exe (PID: 5656)
    • Creates files in a temporary directory

      • relog.exe (PID: 2884)
      • relog.exe (PID: 6136)
      • explorer.exe (PID: 5656)
      • 801B.tmp.svchac.exe (PID: 4036)
      • 6B88.tmp.zbi.exe (PID: 6332)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5016)
      • explorer.exe (PID: 5656)
      • dllhost.exe (PID: 4736)
      • Taskmgr.exe (PID: 7028)
      • relog.exe (PID: 2884)
      • relog.exe (PID: 6136)
    • Creates files in the program directory

      • PLUGScheduler.exe (PID: 5436)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 5656)
      • msedge.exe (PID: 2920)
    • Process checks computer location settings

      • StartMenuExperienceHost.exe (PID: 5372)
      • SearchApp.exe (PID: 6112)
    • Process checks Internet Explorer phishing filters

      • SearchApp.exe (PID: 6112)
    • Reads the machine GUID from the registry

      • SearchApp.exe (PID: 6112)
      • usdtflash.exe (PID: 6572)
    • Reads the software policy settings

      • relog.exe (PID: 2884)
      • SearchApp.exe (PID: 6112)
      • slui.exe (PID: 6652)
      • WerFault.exe (PID: 4624)
      • WerFault.exe (PID: 3936)
      • 6B88.tmp.zbi.exe (PID: 6332)
    • Manual execution by a user

      • Taskmgr.exe (PID: 7028)
      • Taskmgr.exe (PID: 6060)
      • c.exe (PID: 4572)
      • Service_Adobe.exe (PID: 3008)
      • Service_FileZilla.exe (PID: 5668)
      • Service_Macromedia.exe (PID: 5664)
      • Service_com.adobe.dunamis.exe (PID: 1364)
      • Service_Microsoft.exe (PID: 116)
      • Service_Mozilla.exe (PID: 820)
      • Service_Notepad++.exe (PID: 5456)
      • Service_NuGet.exe (PID: 3056)
      • Service_Sun.exe (PID: 7160)
      • Service_Opera.exe (PID: 3824)
      • Service_Skype.exe (PID: 1388)
      • Service_vlc.exe (PID: 5696)
      • Service_WinRAR.exe (PID: 5376)
      • Service_{2F33566DA0B91573532102}.exe (PID: 5248)
      • psvhost.exe (PID: 6140)
      • Service_Adobe.exe (PID: 4572)
      • Service_FileZilla.exe (PID: 3376)
      • Service_com.adobe.dunamis.exe (PID: 2072)
      • Service_Macromedia.exe (PID: 4152)
      • Service_Mozilla.exe (PID: 588)
      • Service_NuGet.exe (PID: 5640)
      • Service_Notepad++.exe (PID: 3112)
      • Service_Microsoft.exe (PID: 6424)
      • Service_Opera.exe (PID: 6804)
      • Service_Skype.exe (PID: 6592)
      • Service_{2F33566DA0B91573532102}.exe (PID: 5104)
      • Service_vlc.exe (PID: 5684)
      • Service_WinRAR.exe (PID: 5484)
      • 801B.tmp.svchac.exe (PID: 4036)
      • Service_Sun.exe (PID: 996)
      • 6B88.tmp.zbi.exe (PID: 6332)
    • Reads Environment values

      • SearchApp.exe (PID: 6112)
      • identity_helper.exe (PID: 5644)
    • Attempts to use an instant messaging service

      • 801B.tmp.svchac.exe (PID: 3404)
      • 6B88.tmp.zbi.exe (PID: 6332)
    • Application launched itself

      • msedge.exe (PID: 2920)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:12 15:09:45+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.4
CodeSize: 116224
InitializedDataSize: 13163520
UninitializedDataSize: -
EntryPoint: 0x7415
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.4.0.0
ProductVersionNumber: 1.4.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Unknown (2000)
CharacterSet: Unicode
CompanyName: ChatGpt
FileDescription: ChatGpt
FileVersion: 1.4.0.0
InternalName: ChatGpt.exe
LegalCopyright: Copyright (C) 2024
OriginalFileName: ChatGpt.exe
ProductName: ChatGpt Software
ProductVersion: 1.4.0.0
No data.
All screenshots are available in the full report
Total processes: 282
Monitored processes: 111
Malicious processes: 11
Suspicious processes: 28

Behavior graph

(Interactive process graph, not reproduced here. Processes shown in the graph: usdt flasher.exe, c.exe, relog.exe, explorer.exe, slui.exe, usdtflash.exe, textinputhost.exe, plugscheduler.exe, startmenuexperiencehost.exe, tiworker.exe, searchapp.exe, dllhost.exe, mobsync.exe, taskmgr.exe, the Service_*.exe copies each with a relog.exe child, psvhost.exe, 6b88.tmp.zbi.exe, 801b.tmp.svchac.exe, powershell.exe, cmd.exe, conhost.exe, werfault.exe, identity_helper.exe and msedge.exe.)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 116
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Service_Microsoft.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\Service_Microsoft.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Services.exe
Exit code: 0
Version: 1.0.0.1
Modules (images):
c:\users\admin\appdata\roaming\microsoft\service_microsoft.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 116
CMD: C:\WINDOWS\system32\relog.exe
Path: C:\Windows\System32\relog.exe
Parent process: Service_Microsoft.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Performance Relogging Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\appdata\local\temp\th436f.tmp
c:\windows\system32\relog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 484
CMD: C:\WINDOWS\system32\relog.exe
Path: C:\Windows\System32\relog.exe
Parent process: Service_FileZilla.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Performance Relogging Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\appdata\local\temp\th4226.tmp
c:\windows\system32\relog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 588
CMD: "C:\Users\admin\AppData\Roaming\Mozilla\Service_Mozilla.exe"
Path: C:\Users\admin\AppData\Roaming\Mozilla\Service_Mozilla.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Services.exe
Exit code: 0
Version: 1.0.0.1
Modules (images):
c:\users\admin\appdata\roaming\mozilla\service_mozilla.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 604
CMD: C:\WINDOWS\system32\relog.exe
Path: C:\Windows\System32\relog.exe
Parent process: Service_Mozilla.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Performance Relogging Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\appdata\local\temp\th3a18.tmp
c:\windows\system32\relog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 672
CMD: C:\WINDOWS\system32\relog.exe
Path: C:\Windows\System32\relog.exe
Parent process: Service_Microsoft.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Performance Relogging Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\appdata\local\temp\th395c.tmp
c:\windows\system32\relog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 676
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 684
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=1344 --field-trial-handle=2384,i,7836108600487865979,15325248804923359777,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 820
CMD: "C:\Users\admin\AppData\Roaming\Mozilla\Service_Mozilla.exe"
Path: C:\Users\admin\AppData\Roaming\Mozilla\Service_Mozilla.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Services.exe
Exit code: 0
Version: 1.0.0.1
Modules (images):
c:\users\admin\appdata\roaming\mozilla\service_mozilla.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 892
CMD: C:\WINDOWS\system32\relog.exe
Path: C:\Windows\System32\relog.exe
Parent process: Service_Sun.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Performance Relogging Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\appdata\local\temp\th3d44.tmp
c:\windows\system32\relog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

Total events: 307 973
Read events: 300 349
Write events: 7 606
Delete events: 18

Modification events

PID 5304, c.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: WpnUserService
Value: C:\Users\admin\AppData\Roaming\c.exe

PID 2884, relog.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

PID 2884, relog.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

PID 2884, relog.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

PID 2884, relog.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

PID 2884, relog.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Service_Adobe
Value: C:\Users\admin\AppData\Roaming\Adobe\Service_Adobe.exe

PID 2884, relog.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Service_com.adobe.dunamis
Value: C:\Users\admin\AppData\Roaming\com.adobe.dunamis\Service_com.adobe.dunamis.exe

PID 2884, relog.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Service_FileZilla
Value: C:\Users\admin\AppData\Roaming\FileZilla\Service_FileZilla.exe

PID 2884, relog.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Service_Macromedia
Value: C:\Users\admin\AppData\Roaming\Macromedia\Service_Macromedia.exe

PID 2884, relog.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Service_Microsoft
Value: C:\Users\admin\AppData\Roaming\Microsoft\Service_Microsoft.exe

Executable files: 76
Suspicious files: 149
Text files: 193
Unknown types: 23

Dropped files

Columns: PID | Process | Filename | Type
PID 2884, relog.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61 (binary)
MD5:25A1402AC5BD4C596335B5E0C6F96A08
SHA256:3DA2FF69A86AA00E5A4B227234A2A16076B68F6587BA0EE70FA3A85120E5EEBE
PID 4704, USDT FLASHER.exe: C:\Users\admin\AppData\Roaming\usdtflash.exe (executable)
MD5:4F3EE81C1B34416C87178FB8886BEDEF
SHA256:F234E44B92D29D84FB0C7A4209449A8EB21F2DB95B3F4F3473C103E0EB08D5D6
PID 2884, relog.exe: C:\Users\admin\AppData\Local\Temp\SystemUpdate.exe (executable)
MD5:65D4FA69A651E309EA75B701059C3360
SHA256:273997CDA9E5D6C8A33DCFC1DC0579653ECDB3203F4B1C5BB15A3986B9451219
PID 2884, relog.exe: C:\Users\admin\AppData\Roaming\Microsoft\Service_Microsoft.exe (executable)
MD5:65D4FA69A651E309EA75B701059C3360
SHA256:273997CDA9E5D6C8A33DCFC1DC0579653ECDB3203F4B1C5BB15A3986B9451219
PID 5304, c.exe: C:\Users\admin\AppData\Local\Temp\TH2D07.tmp (binary)
MD5:9516763B23679C4A0EA3A0AAF5735072
SHA256:AD1B9FE22199F95094A31D8B68FFFAD6B39151A7953129C689AD837C8122F5AC
PID 2884, relog.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_FileZilla.exe.lnk (lnk)
MD5:4928AA148B5DD75BA8A7DF674C28599A
SHA256:881B96AC124DBB7120F774B792159958490BEDC92D89801A37C17B41518F2A2B
PID 4704, USDT FLASHER.exe: C:\Users\admin\AppData\Roaming\MaterialSkin.dll (executable)
MD5:301D762A76B269E1FDF391D662ACC86D
SHA256:3F075552E29E58736FF96E00C828A9A4CB28C16337744B69C5114196AD78D59E
PID 2884, relog.exe: C:\Users\admin\AppData\Roaming\Adobe\Service_Adobe.exe (executable)
MD5:65D4FA69A651E309EA75B701059C3360
SHA256:273997CDA9E5D6C8A33DCFC1DC0579653ECDB3203F4B1C5BB15A3986B9451219
PID 2884, relog.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk (lnk)
MD5:008D4CD02E8F6BFF25B42C72C1B86955
SHA256:59AFC57854C2A7865E4640B1E61FD30BE33A27C51458E6C9DD9714EA249948A5
PID 2884, relog.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Macromedia.exe.lnk (binary)
MD5:0960C5B27A7012DC9986159AF93E9459
SHA256:8922A9A2A77C98366C8CCAECDE4C88036E8BDE4FA378D56448F98DC12DEF1D25
HTTP(S) requests: 14
TCP/UDP connections: 88
DNS requests: 57
Threats: 26

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
2884 | relog.exe | GET | 200 | 2.18.161.41:80 | http://x2.c.lencr.org/ | unknown | whitelisted
2884 | relog.exe | GET | 200 | 188.114.97.3:80 | http://auth.xn--conbase-sfb.xyz/api/update2.pack | unknown | whitelisted
5016 | explorer.exe | POST | - | 188.114.97.3:80 | http://orders.coinbasse.xyz/api.php?{2F33566DA0B91573532102} | unknown | whitelisted
3148 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
6136 | relog.exe | GET | 200 | 188.114.97.3:80 | http://auth.xn--conbase-sfb.xyz/api/update2.pack | unknown | whitelisted
5656 | explorer.exe | POST | 200 | 188.114.97.3:80 | http://orders.coinbasse.xyz/api.php?{2F33566DA0B91573532102} | unknown | whitelisted
5656 | explorer.exe | GET | - | 200.58.111.68:80 | http://cohpaflex.com/wp-content/uploads/2020/04/zbi.exe | unknown | malicious
6136 | relog.exe | GET | 200 | 188.114.97.3:80 | http://auth.xn--conbase-sfb.xyz/api/update.pack | unknown | whitelisted
5656 | explorer.exe | GET | 200 | 188.114.97.3:80 | http://orders.coinbasse.xyz/svchac.exe | unknown | whitelisted
5656 | explorer.exe | POST | 200 | 188.114.97.3:80 | http://orders.coinbasse.xyz/api.php?{2F33566DA0B91573532102} | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6012 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3572 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4404 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4204 | svchost.exe | 4.208.221.206:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4404 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2884 | relog.exe | 188.114.97.3:443 | auth.xn--conbase-sfb.xyz | CLOUDFLARENET | NL | unknown
2884 | relog.exe | 2.18.161.41:80 | x2.c.lencr.org | AKAMAI-AS | DE | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 142.250.186.174, 142.250.186.78 | whitelisted
auth.xn--conbase-sfb.xyz | 188.114.97.3, 188.114.96.3 | unknown
x2.c.lencr.org | 2.18.161.41 | whitelisted
www.bing.com | (21 resolved addresses, list omitted) | whitelisted
orders.coinbasse.xyz | 188.114.97.3, 188.114.96.3 | unknown
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
login.live.com | (16 resolved addresses, list omitted) | whitelisted
go.microsoft.com | 23.213.166.81 | whitelisted
client.wns.windows.com | 40.115.3.253 | whitelisted

Threats

PID | Process | Class | Message
2884 | relog.exe | Potentially Bad Traffic | ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
2884 | relog.exe | A Network Trojan was detected | ET MALWARE Possible Sniffthem/Tnaket User-Agent Observed M2
2884 | relog.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2884 | relog.exe | A Network Trojan was detected | ET MALWARE Possible Sniffthem/Tnaket User-Agent Observed M2
2884 | relog.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
2884 | relog.exe | Misc activity | ET HUNTING Suspicious Windows Executable WriteProcessMemory
6136 | relog.exe | Potentially Bad Traffic | ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
6136 | relog.exe | A Network Trojan was detected | ET MALWARE Possible Sniffthem/Tnaket User-Agent Observed M2
6136 | relog.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
6136 | relog.exe | A Network Trojan was detected | ET MALWARE Possible Sniffthem/Tnaket User-Agent Observed M2
4 ETPRO signatures available at the full report
No debug info