Malware analysis winserv.exe Malicious activity | ANY.RUN

Add for printing

File name:	winserv.exe
Full analysis:	https://app.any.run/tasks/4de861c7-fcc3-472c-8e5e-d27eb77d9f69
Verdict:	Malicious activity
Threats:	Metamorfo is a trojan malware family that has been active since 2018. It remains a top threat, focusing on stealing victims’ financial information, including banking credentials and other data. The malware is known for targeting users in Brazil. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	November 18, 2023, 14:39:10
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	rat rms metamorfo evasion autoit
Indicators:
MIME:	application/x-dosexec
File info:	MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
MD5:	3F4F5A6CB95047FEA6102BD7D2226AA9
SHA1:	FC09DD898B6E7FF546E4A7517A715928FBAFC297
SHA256:	99FD9E75E6241EFF30E01C5B59DF9E901FB24D12BEE89C069CC6158F78B3CC98
SSDEEP:	196608:iz+UZcWP4jBrfWgEgIV8Rzy7Vj4FZvEoo:i6UZcWWeVj4FZ8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- RMS is detected
  - winserv.exe (PID: 988)
- METAMORFO has been detected (YARA)
  - winserv.exe (PID: 988)
- Uses Task Scheduler to run other applications
  - smss.exe (PID: 2308)
- Uses Task Scheduler to autorun other applications
  - smss.exe (PID: 2308)
- Creates a writable file the system directory
  - IP.exe (PID: 648)
- Disables Windows Defender
  - Crack.exe (PID: 2820)
- Drops the executable file immediately after the start
  - IP.exe (PID: 648)
  - smss.exe (PID: 2308)
  - RDPWinst.exe (PID: 2668)
- Starts NET.EXE to view/change users localgroup
  - net.exe (PID: 2896)
  - cmd.exe (PID: 2272)
  - cmd.exe (PID: 2292)
  - net.exe (PID: 1580)
  - cmd.exe (PID: 1672)
  - net.exe (PID: 2084)
  - net.exe (PID: 3056)
  - cmd.exe (PID: 192)
  - net.exe (PID: 1204)
  - cmd.exe (PID: 2264)
  - net.exe (PID: 2796)
  - cmd.exe (PID: 284)
- Starts NET.EXE to view/add/change user profiles
  - net.exe (PID: 2548)
  - cmd.exe (PID: 2432)
- Creates or modifies Windows services
  - RDPWinst.exe (PID: 2668)
SUSPICIOUS
- Connects to unusual port
  - winserv.exe (PID: 988)
- Reads the BIOS version
  - IP.exe (PID: 648)
  - Crack.exe (PID: 2820)
- Reads the Internet Settings
  - smss.exe (PID: 2308)
  - IP.exe (PID: 648)
- Detected use of alternative data streams (AltDS)
  - IP.exe (PID: 648)
  - smss.exe (PID: 2308)
- Checks Windows Trust Settings
  - IP.exe (PID: 648)
- Reads security settings of Internet Explorer
  - IP.exe (PID: 648)
- Reads settings of System Certificates
  - IP.exe (PID: 648)
  - smss.exe (PID: 2308)
- Process drops legitimate windows executable
  - IP.exe (PID: 648)
- Starts CMD.EXE for commands execution
  - Crack.exe (PID: 2820)
  - smss.exe (PID: 2308)
- Starts SC.EXE for service management
  - cmd.exe (PID: 936)
  - cmd.exe (PID: 2940)
  - cmd.exe (PID: 2912)
  - cmd.exe (PID: 1724)
  - cmd.exe (PID: 460)
  - cmd.exe (PID: 1416)
- Uses NETSH.EXE to change the status of the firewall
  - cmd.exe (PID: 1176)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - cmd.exe (PID: 392)
  - cmd.exe (PID: 2660)
  - cmd.exe (PID: 2896)
  - cmd.exe (PID: 2956)
  - cmd.exe (PID: 2924)
  - cmd.exe (PID: 1480)
  - RDPWinst.exe (PID: 2668)
- Executing commands from a ".bat" file
  - Crack.exe (PID: 2820)
  - smss.exe (PID: 2308)
- The process verifies whether the antivirus software is installed
  - smss.exe (PID: 2308)
- Checks for external IP
  - smss.exe (PID: 2308)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 2944)
  - cmd.exe (PID: 2724)
- The process executes via Task Scheduler
  - winserv.exe (PID: 2564)
  - winserv.exe (PID: 984)
  - winserv.exe (PID: 1828)
  - winserv.exe (PID: 2592)
INFO
- Reads Windows Product ID
  - winserv.exe (PID: 988)
  - winserv.exe (PID: 1716)
  - winserv.exe (PID: 2564)
  - winserv.exe (PID: 984)
  - winserv.exe (PID: 2592)
  - winserv.exe (PID: 1828)
- Checks supported languages
  - winserv.exe (PID: 988)
  - IP.exe (PID: 648)
  - Crack.exe (PID: 2820)
  - smss.exe (PID: 2308)
  - winserv.exe (PID: 1716)
  - RDPWinst.exe (PID: 2668)
  - winserv.exe (PID: 2564)
  - winserv.exe (PID: 984)
  - winserv.exe (PID: 1828)
  - winserv.exe (PID: 2592)
- Process checks computer location settings
  - winserv.exe (PID: 988)
  - winserv.exe (PID: 1716)
  - winserv.exe (PID: 2564)
  - winserv.exe (PID: 984)
  - winserv.exe (PID: 2592)
  - winserv.exe (PID: 1828)
- Reads the computer name
  - winserv.exe (PID: 988)
  - smss.exe (PID: 2308)
  - IP.exe (PID: 648)
  - Crack.exe (PID: 2820)
  - winserv.exe (PID: 1716)
  - RDPWinst.exe (PID: 2668)
  - winserv.exe (PID: 2564)
  - winserv.exe (PID: 984)
  - winserv.exe (PID: 2592)
  - winserv.exe (PID: 1828)
- Reads Environment values
  - winserv.exe (PID: 988)
  - IP.exe (PID: 648)
  - winserv.exe (PID: 1716)
  - smss.exe (PID: 2308)
  - winserv.exe (PID: 2564)
  - winserv.exe (PID: 2592)
  - winserv.exe (PID: 984)
  - winserv.exe (PID: 1828)
- Reads the machine GUID from the registry
  - winserv.exe (PID: 988)
  - IP.exe (PID: 648)
  - smss.exe (PID: 2308)
  - winserv.exe (PID: 1716)
  - winserv.exe (PID: 2564)
  - winserv.exe (PID: 2592)
  - winserv.exe (PID: 984)
  - winserv.exe (PID: 1828)
- Creates files or folders in the user directory
  - winserv.exe (PID: 988)
  - IP.exe (PID: 648)
  - smss.exe (PID: 2308)
- Reads product name
  - winserv.exe (PID: 988)
  - IP.exe (PID: 648)
  - winserv.exe (PID: 1716)
  - smss.exe (PID: 2308)
  - winserv.exe (PID: 2564)
  - winserv.exe (PID: 2592)
  - winserv.exe (PID: 984)
  - winserv.exe (PID: 1828)
- Manual execution by a user
  - IP.exe (PID: 2968)
  - IP.exe (PID: 648)
  - Crack.exe (PID: 2160)
  - Crack.exe (PID: 2820)
  - smss.exe (PID: 2868)
  - smss.exe (PID: 2308)
  - chrome.exe (PID: 1672)
- Process checks are UAC notifies on
  - IP.exe (PID: 648)
  - Crack.exe (PID: 2820)
- Reads mouse settings
  - smss.exe (PID: 2308)
  - IP.exe (PID: 648)
  - Crack.exe (PID: 2820)
  - unsecapp.exe (PID: 1924)
- Create files in a temporary directory
  - smss.exe (PID: 2308)
  - IP.exe (PID: 648)
  - Crack.exe (PID: 2820)
- Creates files in the program directory
  - smss.exe (PID: 2308)
  - RDPWinst.exe (PID: 2668)
  - Crack.exe (PID: 2820)
- Checks proxy server information
  - smss.exe (PID: 2308)
  - IP.exe (PID: 648)
- Reads CPU info
  - smss.exe (PID: 2308)
- The process uses the downloaded file
  - chrome.exe (PID: 2240)
  - chrome.exe (PID: 2724)
  - chrome.exe (PID: 2556)
- Application launched itself
  - chrome.exe (PID: 1672)
- Drops the executable file immediately after the start
  - chrome.exe (PID: 2200)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, No debug, Bytes reversed hi
PEType:	PE32
LinkerVersion:	7
CodeSize:	10563584
InitializedDataSize:	118784
UninitializedDataSize:	-
EntryPoint:	0x77b96c
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	6.7.0.2
ProductVersionNumber:	6.7.0.2
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	tox
FileDescription:	System
FileVersion:	6.7.0.2
LegalCopyright:	Copyright © 2017 tektonit. All rights reserved.
LegalTrademarks:	System
ProductName:	System
ProductVersion:	6.7.0.2
PROGRAMID:	PROGRAM

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

164

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

116

sc stop mbamservice

C:\Windows\System32\sc.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

1060

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

192

C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add

C:\Windows\System32\cmd.exe

—

smss.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

284

C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add

C:\Windows\System32\cmd.exe

—

smss.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

284

timeout 5

C:\Windows\System32\timeout.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

timeout - pauses command processing

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll

392

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AppModule" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

C:\Windows\System32\cmd.exe

—

Crack.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

396

timeout 10

C:\Windows\System32\timeout.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

timeout - pauses command processing

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll

460

C:\Windows\system32\cmd.exe /c sc delete crmsvc

C:\Windows\System32\cmd.exe

—

Crack.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

1060

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

648

"C:\Users\admin\Desktop\IP.exe"

C:\Users\admin\Desktop\IP.exe

explorer.exe

User:

admin

Company:

Microsoft Update

Integrity Level:

HIGH

Description:

NT Kernel & System

Exit code:

Version:

16.8.0.0

Modules

Images
c:\users\admin\desktop\ip.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll

776

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4168 --field-trial-handle=1220,i,3381762155809958362,15199651847538420811,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

844

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 --field-trial-handle=1220,i,3381762155809958362,15199651847538420811,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

28 609

Read events

28 044

Write events

565

Delete events

Modification events


(PID) Process:	(988) winserv.exe	Key:	HKEY_CURRENT_USER\Software\tektonit\Remote MANIPULATOR System\Host\Parameters
Operation:	write	Name:	Options
Value: 545046301154524F4D5365727665724F7074696F6E7300095573654E5441757468080D53656375726974794C6576656C020304506F727403121614456E61626C654F7665726C617943617074757265080C53686F775472617949636F6E0915486964655472617949636F6E506F7075704D656E75080642696E644950060D416E7920696E746572666163651343616C6C6261636B4175746F436F6E6E656374091743616C6C6261636B436F6E6E656374496E74657276616C023C084869646553746F70080C497046696C746572547970650202105573654C656761637943617074757265081750726F7465637443616C6C6261636B53657474696E6773081550726F74656374496E6574496453657474696E6773080F446F4E6F7443617074757265524450080755736549507636091141736B557365725065726D697373696F6E0816557365725065726D697373696F6E496E74657276616C031027134175746F416C6C6F775065726D697373696F6E08134E656564417574686F72697479536572766572081F41736B5065726D697373696F6E4F6E6C794966557365724C6F676765644F6E0811557365496E6574436F6E6E656374696F6E0813557365437573746F6D496E6574536572766572080A496E65744964506F727402000D557365496E6574496449507636081444697361626C6552656D6F7465436F6E74726F6C081344697361626C6552656D6F746553637265656E081344697361626C6546696C655472616E73666572080F44697361626C655265646972656374080D44697361626C6554656C6E6574081444697361626C6552656D6F746545786563757465081244697361626C655461736B4D616E61676572080E44697361626C654F7665726C6179080F44697361626C6553687574646F776E081444697361626C6552656D6F746555706772616465081544697361626C655072657669657743617074757265081444697361626C654465766963654D616E61676572080B44697361626C6543686174081344697361626C6553637265656E5265636F7264081044697361626C65415643617074757265081244697361626C6553656E644D657373616765080F44697361626C655265676973747279080D44697361626C65415643686174081544697361626C6552656D6F746553657474696E6773081544697361626C6552656D6F74655072696E74696E67080A44697361626C65526470080F4E6F7469667953686F7750616E656C09144E6F746966794368616E67655472617949636F6E09104E6F7469667942616C6C6F6E48696E74080F4E6F74696679506C6179536F756E64080C4E6F7469667950616E656C5802FF0C4E6F7469667950616E656C5902FF064C6F6755736509055369644964061034353234382E363130363331373437371144697361626C65496E7465726E65744964080B536166654D6F6465536574080F53796E6341757468456E61626C6564081253686F7749644E6F74696669636174696F6E081953686F7749644E6F74696669636174696F6E52657175657374081A496E746567726174654669726577616C6C417453747572747570080000
(PID) Process:	(988) winserv.exe	Key:	HKEY_CURRENT_USER\Software\tektonit\Remote MANIPULATOR System\Host\Parameters
Operation:	write	Name:	InternetId
Value: EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D38223F3E0D0A3C726D735F696E7465726E65745F69645F73657474696E67732076657273696F6E3D223637303032223E3C696E7465726E65745F69643E3C2F696E7465726E65745F69643E3C7573655F696E65745F636F6E6E656374696F6E3E66616C73653C2F7573655F696E65745F636F6E6E656374696F6E3E3C696E65745F7365727665723E3C2F696E65745F7365727665723E3C7573655F637573746F6D5F696E65745F7365727665723E66616C73653C2F7573655F637573746F6D5F696E65745F7365727665723E3C696E65745F69645F706F72743E353635353C2F696E65745F69645F706F72743E3C7573655F696E65745F69645F697076363E66616C73653C2F7573655F696E65745F69645F697076363E3C2F726D735F696E7465726E65745F69645F73657474696E67733E0D0A
(PID) Process:	(988) winserv.exe	Key:	HKEY_CURRENT_USER\Software\tektonit\Remote MANIPULATOR System\Host\Parameters
Operation:	write	Name:	InternetId
Value: EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D38223F3E0D0A3C726D735F696E7465726E65745F69645F73657474696E67732076657273696F6E3D223637303032223E3C696E7465726E65745F69643E3534352D3834342D3731372D3738383C2F696E7465726E65745F69643E3C7573655F696E65745F636F6E6E656374696F6E3E747275653C2F7573655F696E65745F636F6E6E656374696F6E3E3C696E65745F7365727665723E3C2F696E65745F7365727665723E3C7573655F637573746F6D5F696E65745F7365727665723E66616C73653C2F7573655F637573746F6D5F696E65745F7365727665723E3C696E65745F69645F706F72743E353635353C2F696E65745F69645F706F72743E3C7573655F696E65745F69645F697076363E66616C73653C2F7573655F696E65745F69645F697076363E3C2F726D735F696E7465726E65745F69645F73657474696E67733E0D0A
(PID) Process:	(2820) Crack.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions
Operation:	write	Name:	Exclusions_Paths
Value: 1
(PID) Process:	(2820) Crack.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
Operation:	write	Name:	C:\ProgramData
Value: System
(PID) Process:	(2820) Crack.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
Operation:	write	Name:	C:\ProgramData\Windows Tasks Service\winserv.exe
Value: SystemService
(PID) Process:	(2820) Crack.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
Operation:	write	Name:	C:\ProgramData\ReaItekHD\taskhost.exe
Value: TaskHostSystem
(PID) Process:	(2820) Crack.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
Operation:	write	Name:	C:\ProgramData\WindowsTask\MicrosoftHost.exe
Value: MicrosoftHostSystem
(PID) Process:	(2820) Crack.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
Operation:	write	Name:	C:\ProgramData\WindowsTask\AppModule.exe
Value: AppModuleSystem
(PID) Process:	(2820) Crack.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
Operation:	write	Name:	C:\ProgramData\WindowsTask\audiodg.exe
Value: AudioHDSystem

Add for printing

Executable files

Suspicious files

115

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2308	smss.exe	C:\Users\admin\AppData\Local\Temp\aut545B.tmp		—
		MD5:—	SHA256:—
988	winserv.exe	C:\Users\admin\AppData\Roaming\RMS_settings\Logs\rms_log_2023-11.html		html
		MD5:18421C76BAD7CC9925B6A0154917107E	SHA256:B96DD5DE34CC9C7D099D770F1FC8030658514F46D9B5146A24E7F5995CA89571
648	IP.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\CPLP6PCT.txt		text
		MD5:2B1C8BCDDC0A8057181940CA10EC8935	SHA256:AFC1EA1FE8A0BD942C553C6C54D00698B6B702111B77319F02756E781D001FFD
2308	smss.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\STATUS[1].htm		text
		MD5:86D1DEBF3F3AA9B77C0D976A4FA33862	SHA256:AC7E24813998D31D5E116002BCD241061B59884F2DB9167C1B976E9C151B8E1E
2308	smss.exe	C:\ProgramData\Windows Tasks Service\winserv.exe		executable
		MD5:3F4F5A6CB95047FEA6102BD7D2226AA9	SHA256:99FD9E75E6241EFF30E01C5B59DF9E901FB24D12BEE89C069CC6158F78B3CC98
1672	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
2668	RDPWinst.exe	C:\Program Files\RDP Wrapper\rdpwrap.dll		executable
		MD5:461ADE40B800AE80A40985594E1AC236	SHA256:798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
1672	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\History-journal		—
		MD5:—	SHA256:—
2308	smss.exe	C:\Users\admin\Desktop\rdpwrap.ini		binary
		MD5:5ADFD081ACEB76F5166EE70921997E5E	SHA256:9048F665F8D4D3B1692C2B9089D0343F3DF787F64D32F554314C947B3BCD6271
2308	smss.exe	C:\Users\admin\AppData\Local\Temp\aut6832.tmp		binary
		MD5:C7576E21622AC3E025680BA86E0AD15C	SHA256:32BF0265F01EF7951A84F12BE56F25C70284A2140BFEA7C0653653676688B3D1

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
884	svchost.exe	HEAD	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567854667.14/obedbbhbpmojnkanicioggnmelmoomoc_20230916.567854667.14_all_ENUS500000_lr7434qyx46lykosg2elaepqdi.crx3	unknown	—	—	unknown
2308	smss.exe	GET	200	45.95.203.83:80	http://idserver.xyz/settings.dat	unknown	binary	2.85 Kb	unknown
2308	smss.exe	GET	200	45.95.203.83:80	http://idserver.xyz/STATUS.html	unknown	text	6 b	unknown
2308	smss.exe	GET	200	45.95.203.83:80	http://idserver.xyz/rdpwrap.ini	unknown	binary	367 Kb	unknown
648	IP.exe	GET	302	162.255.119.152:80	http://ftpsoftware.xyz/KA.html	unknown	html	57 b	unknown
884	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567854667.14/obedbbhbpmojnkanicioggnmelmoomoc_20230916.567854667.14_all_ENUS500000_lr7434qyx46lykosg2elaepqdi.crx3	unknown	binary	6.10 Kb	unknown
2308	smss.exe	GET	200	208.95.112.1:80	http://ip-api.com/json	unknown	binary	293 b	unknown
648	IP.exe	GET	200	91.195.240.19:80	http://www.ftpsoftware.xyz/KA.html	unknown	html	22.6 Kb	unknown
884	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567854667.14/obedbbhbpmojnkanicioggnmelmoomoc_20230916.567854667.14_all_ENUS500000_lr7434qyx46lykosg2elaepqdi.crx3	unknown	binary	9.90 Kb	unknown
884	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567854667.14/obedbbhbpmojnkanicioggnmelmoomoc_20230916.567854667.14_all_ENUS500000_lr7434qyx46lykosg2elaepqdi.crx3	unknown	binary	363 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
324	svchost.exe	224.0.0.252:5355	—	—	—	unknown
988	winserv.exe	95.213.205.83:5655	rms-server.tektonit.ru	OOO Network of data-centers Selectel	RU	unknown
2308	smss.exe	45.95.203.83:80	idserver.xyz	Network Management Ltd	RU	unknown
648	IP.exe	172.67.194.188:443	iplogger.com	CLOUDFLARENET	US	unknown
648	IP.exe	162.255.119.152:80	ftpsoftware.xyz	NAMECHEAP-NET	US	unknown
2448	svchost.exe	224.0.0.252:5355	—	—	—	unknown
648	IP.exe	91.195.240.19:80	www.ftpsoftware.xyz	SEDO GmbH	DE	unknown

DNS requests

Domain	IP	Reputation
rms-server.tektonit.ru	95.213.205.83	unknown
idserver.xyz	45.95.203.83	malicious
iplogger.com	172.67.194.188 104.21.12.138	shared
ftpsoftware.xyz	162.255.119.152	unknown
teredo.ipv6.microsoft.com	—	unknown
www.ftpsoftware.xyz	91.195.240.19	unknown
ip-api.com	208.95.112.1	shared
freemail.freehost.com.ua	194.0.200.251	unknown
clientservices.googleapis.com	142.250.185.227	whitelisted
accounts.google.com	172.217.16.205	shared

Threats

PID	Process	Class	Message
324	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
648	IP.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
2308	smss.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2308	smss.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
2308	smss.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2308	smss.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
2308	smss.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2308	smss.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
2308	smss.exe	Potentially Bad Traffic	ET POLICY RDP Wrapper Download (ini)
648	IP.exe	A Network Trojan was detected	ET MALWARE System Information Being Sent in User-Agent

5 ETPRO signatures available at the full report

Add for printing

Process	Message
winserv.exe	Error WTSQueryUserToken #1314
winserv.exe	18-11-2023_14:39:18:583#T:Error #20 @2
winserv.exe	MSG_KEEP_ALIVE
winserv.exe	18-11-2023_14:39:48:505#T:Msg Size: 104
winserv.exe	18-11-2023_14:39:48:505#T:Msg code: 3
winserv.exe	18-11-2023_14:39:48:505#T:MSG_KEEP_ALIVE
winserv.exe	18-11-2023_14:40:20:458#T:Msg Size: 104
winserv.exe	18-11-2023_14:40:20:458#T:Msg code: 3
winserv.exe	18-11-2023_14:40:20:458#T:MSG_KEEP_ALIVE
winserv.exe	MSG_KEEP_ALIVE

General Info

winserv.exe

3F4F5A6CB95047FEA6102BD7D2226AA9

FC09DD898B6E7FF546E4A7517A715928FBAFC297

99FD9E75E6241EFF30E01C5B59DF9E901FB24D12BEE89C069CC6158F78B3CC98

196608:iz+UZcWP4jBrfWgEgIV8Rzy7Vj4FZvEoo:i6UZcWWeVj4FZ8

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

RMS is detected

METAMORFO has been detected (YARA)

Uses Task Scheduler to run other applications

Uses Task Scheduler to autorun other applications

Creates a writable file the system directory

Disables Windows Defender

Drops the executable file immediately after the start

Starts NET.EXE to view/change users localgroup

Starts NET.EXE to view/add/change user profiles

Creates or modifies Windows services

SUSPICIOUS

Connects to unusual port

Reads the BIOS version

Reads the Internet Settings

Detected use of alternative data streams (AltDS)

Checks Windows Trust Settings

Reads security settings of Internet Explorer

Reads settings of System Certificates

Process drops legitimate windows executable

Starts CMD.EXE for commands execution

Starts SC.EXE for service management

Uses NETSH.EXE to change the status of the firewall

Uses NETSH.EXE to add a firewall rule or allowed programs

Executing commands from a ".bat" file

The process verifies whether the antivirus software is installed

Checks for external IP

Uses TIMEOUT.EXE to delay execution

The process executes via Task Scheduler

INFO

Reads Windows Product ID

Checks supported languages

Process checks computer location settings

Reads the computer name

Reads Environment values

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads product name

Manual execution by a user

Process checks are UAC notifies on

Reads mouse settings

Create files in a temporary directory

Creates files in the program directory

Checks proxy server information

Reads CPU info

The process uses the downloaded file

Application launched itself

Drops the executable file immediately after the start

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules