File name:

update_task.exe

Full analysis: https://app.any.run/tasks/8584c317-0490-427a-9024-4a1ee926b541
Verdict: Malicious activity
Analysis date: July 10, 2024, 17:42:59
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5:

624A9592ECF9DC33A8F837DC5256A2BC

SHA1:

4217D74F3DC4BAE644D3A847E1262C60F2AC90D5

SHA256:

A4B2439027F2F45D95D6C9DF9979B76AB6B3252886CDDE436BF5F9AE88D79B13

SSDEEP:

12288:KvGvpKBvEKw8rPR+ABwiLyN/CoYYdg5DUq19LS95KBNvDhfBB4p2:KvGvKvbw8VwGYC59LS7KHhfcp2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Creates a writable file in the system directory

      • WerFault.exe (PID: 2972)

    • Drops the executable file immediately after the start

      • update_task.exe (PID: 3848)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • LockApp.exe (PID: 6796)
      • update_task.exe (PID: 7076)

    • Reads the date of Windows installation

      • update_task.exe (PID: 7076)

    • Executes as Windows Service

      • wsc_proxy.exe (PID: 6612)

    • Executable content was dropped or overwritten

      • dllhost.exe (PID: 6980)

    • Executes application which crashes

      • wsc_proxy.exe (PID: 6612)

  • INFO

    • Reads the software policy settings

      • slui.exe (PID: 6744)
      • WerFault.exe (PID: 2972)
      • slui.exe (PID: 6956)

    • Manual execution by a user

      • update_task.exe (PID: 7076)
      • update_task.exe (PID: 6896)

    • Drops the executable file immediately after the start

      • dllhost.exe (PID: 6980)

    • Process checks computer location settings

      • update_task.exe (PID: 7076)

    • Checks supported languages

      • LockApp.exe (PID: 6796)
      • SkypeApp.exe (PID: 6444)
      • wsc_proxy.exe (PID: 6612)
      • update_task.exe (PID: 7076)

    • Reads the computer name

      • update_task.exe (PID: 7076)
      • LockApp.exe (PID: 6796)
      • SkypeApp.exe (PID: 6444)
      • wsc_proxy.exe (PID: 6612)

    • Reads the machine GUID from the registry

      • wsc_proxy.exe (PID: 6612)

    • Creates files in the program directory

      • wsc_proxy.exe (PID: 6612)

    • Reads CPU info

      • wsc_proxy.exe (PID: 6612)

    • Checks proxy server information

      • update_task.exe (PID: 7076)
      • slui.exe (PID: 6956)

    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 6980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:03:02 04:24:19+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.37
CodeSize: 338944
InitializedDataSize: 165376
UninitializedDataSize: -
EntryPoint: 0x22180
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 7.2.4.972
ProductVersionNumber: 7.2.4.972
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: -
CompanyName: Fortinet Inc.
FileDescription: FortiClient Virus Feedback Service
FileVersion: 7.2.4.0972
InternalName: submitv.exe
LegalCopyright: 2024 Fortinet Inc. All rights reserved.
LegalTrademarks: -
OriginalFileName: submitv.exe
PrivateBuild: -
ProductName: FortiClient virus submit daemon
ProductVersion: 7.2.4.0972
SpecialBuild: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
167
Monitored processes
16
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start update_task.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe rundll32.exe no specs Copy/Move/Rename/Delete/Link Object update_task.exe no specs update_task.exe conhost.exe no specs skypeapp.exe no specs conhost.exe no specs lockapp.exe no specs wsc_proxy.exe werfault.exe slui.exe update_task.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2972C:\WINDOWS\system32\WerFault.exe -u -p 6612 -s 1336C:\Windows\System32\WerFault.exe
wsc_proxy.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
3848"C:\Users\admin\AppData\Local\Temp\update_task.exe" C:\Users\admin\AppData\Local\Temp\update_task.exe
explorer.exe
User:
admin
Company:
Fortinet Inc.
Integrity Level:
HIGH
Description:
FortiClient Virus Feedback Service
Exit code:
3221225781
Version:
7.2.4.0972
Modules
Images
c:\users\admin\appdata\local\temp\update_task.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
4320"C:\Users\admin\AppData\Local\Temp\update_task.exe" C:\Users\admin\AppData\Local\Temp\update_task.exeexplorer.exe
User:
admin
Company:
Fortinet Inc.
Integrity Level:
MEDIUM
Description:
FortiClient Virus Feedback Service
Exit code:
3221226540
Version:
7.2.4.0972
Modules
Images
c:\users\admin\appdata\local\temp\update_task.exe
c:\windows\system32\ntdll.dll
5764\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeupdate_task.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6444"C:\Windows\en-US\SkypeApp.exe" C:\Windows\en-US\SkypeApp.exeupdate_task.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\windows\en-us\skypeapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6532\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSkypeApp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6612"C:\Windows\en-US\wsc_proxy.exe" /runassvc /rpcserver /wsc_name:" "C:\Windows\en-US\wsc_proxy.exe
services.exe
User:
SYSTEM
Company:
AVAST Software
Integrity Level:
SYSTEM
Description:
Avast remediation exe
Exit code:
3221226505
Version:
21.4.6162.0
Modules
Images
c:\windows\en-us\wsc_proxy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\en-us\wsc.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
6712C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
6744"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6796"C:\WINDOWS\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" -ServerName:WindowsDefaultLockScreen.AppX7y4nbzq37zn4ks9k7amqjywdat7d3j2z.mcaC:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
LockApp.exe
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.lockapp_cw5n1h2txyewy\lockapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
Total events
8 921
Read events
8 876
Write events
39
Delete events
6

Modification events

(PID) Process:(7076) update_task.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(7076) update_task.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(7076) update_task.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(7076) update_task.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(6444) SkypeApp.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast
Operation:writeName:ProgramFolder
Value:
C:\Windows\en-US
(PID) Process:(6612) wsc_proxy.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\properties
Operation:writeName:UseRegistry
Value:
1
(PID) Process:(6612) wsc_proxy.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\Wsc
Operation:writeName:IWscASStatus
Value:
(PID) Process:(6612) wsc_proxy.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\Wsc
Operation:writeName:IWscAVStatus4
Value:
(PID) Process:(2972) WerFault.exeKey:\REGISTRY\A\{1bd03abe-a23b-a81f-ffa3-2fa15df675ea}\Root\InventoryApplicationFile
Operation:writeName:WritePermissionsCheck
Value:
1
(PID) Process:(2972) WerFault.exeKey:\REGISTRY\A\{1bd03abe-a23b-a81f-ffa3-2fa15df675ea}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:delete keyName:(default)
Value:
Executable files
6
Suspicious files
5
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
2972WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_wsc_proxy.exe_8b25899f1fb3d5d2785872911ba1ea1fea2dfb1c_e2da83c0_9e393ef0-562e-41e5-a62e-b5985c08aedd\Report.wer
MD5:
SHA256:
6980dllhost.exeC:\Windows\en-US\powrprof.dllexecutable
MD5:E0B6BD1728237354A7FB60407ED098D0
SHA256:0B8B72E4C1EA80AF57EE638BC8E65BA48550E716C77EB88EA319CC007C7C3B57
6980dllhost.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-msbinary
MD5:7AFD23CCED1529B2BC33F11B103130ED
SHA256:98E59FFF2EBA8B6361559385740419A80115D403F43CFDD4E0593EA6FB921A63
2972WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERC3CB.tmp.dmpbinary
MD5:7470202D9340AC5536C2265C3749F517
SHA256:6D9A2E9C94310016E204A3AE92139D9C327D8B041BD1912870FE2B2E45F1A07B
6980dllhost.exeC:\Windows\en-US\utilsdll.dllexecutable
MD5:88118F697925A8DD74691B714AB8B4C9
SHA256:E0EDE21DCEE0D47825D7B869395C0805EA9AF2797D1E7CED8F296D55E15DA9A0
6980dllhost.exeC:\Windows\en-US\bootstat.datbinary
MD5:CD92E4F79851F17ACF0719F3C9C12B39
SHA256:7A510517252AA94DBD5E0C185F3B42C3AAA87292DA681ECF0B6B755B3C627754
6444SkypeApp.exeC:\Windows\en-US\ctx.binbinary
MD5:441077CC9E57554DD476BDFB8B8B8102
SHA256:B413F47D13EE2FE6C845B2EE141AF81DE858DF4EC549A58B7970BB96645BC8D2
6980dllhost.exeC:\Windows\en-US\wsc.dllexecutable
MD5:D60E8A632A3FF1F145F84C7231BAA6BD
SHA256:DE820B5E592CF456F6A4F8356195C4A335A51C6354CA7AC32CCD390E62D9BECC
2972WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERC469.tmp.xmlxml
MD5:C93B256D652F65D77EC3BACDBE8CE76E
SHA256:AEBA1C6A8D3667D26E58422C37537D69370F932B7B386339C2CD648B4C4789D8
6980dllhost.exeC:\Windows\en-US\wsc_proxy.exeexecutable
MD5:1B231B5C4D36DE4750A587F08338DEDE
SHA256:79E53D36A40951AB328E153BAC9C1E3ADF3330B45899345E645889B9046F06E0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
80
DNS requests
26
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
1436
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
1272
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
2032
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
740
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
6176
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
3040
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
2032
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
6176
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown
4032
svchost.exe
239.255.255.250:1900
unknown
2032
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
unknown
2052
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3676
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4656
SearchApp.exe
92.123.104.43:443
www.bing.com
Akamai International B.V.
DE
unknown
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
unknown
1436
svchost.exe
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1436
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 4.231.128.59
unknown
www.bing.com
  • 92.123.104.43
  • 92.123.104.64
  • 92.123.104.47
  • 92.123.104.63
  • 92.123.104.60
  • 92.123.104.46
  • 92.123.104.59
  • 92.123.104.51
  • 92.123.104.38
unknown
ocsp.digicert.com
  • 192.229.221.95
unknown
google.com
  • 142.250.186.174
unknown
login.live.com
  • 20.190.159.64
  • 40.126.31.71
  • 20.190.159.2
  • 20.190.159.71
  • 20.190.159.23
  • 20.190.159.73
  • 20.190.159.68
  • 20.190.159.0
unknown
go.microsoft.com
  • 23.35.238.131
unknown
nexusrules.officeapps.live.com
  • 52.111.227.13
unknown
client.wns.windows.com
  • 40.113.110.67
unknown
arc.msn.com
  • 20.74.47.205
  • 20.223.35.26
unknown
fd.api.iris.microsoft.com
  • 20.74.47.205
unknown

Threats

No threats detected
Process
Message
wsc_proxy.exe
[2024-07-10 17:45:04.721] [error ] [crashguard ] [ 6612: 4600] [E9669F: 103] Dump path 'C:\ProgramData\Avast Software\Avast\log' does not exist. Directory should be already created.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
update_task.exe