Malware analysis Extract[1].exe Malicious activity | ANY.RUN

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Add for printing

File name:	Extract[1].exe
Full analysis:	https://app.any.run/tasks/9aedf38c-b426-4e28-a293-88c9fba47bb8
Verdict:	Malicious activity
Threats:	Glupteba is a loader with information-stealing and traffic routing functionality. It is designed primarily to install other viruses on infected PCs but can do much more than that. In addition, it is being constantly updated, making this virus one to watch out for. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	January 18, 2020, 11:39:26
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	trojan miner qwertminer adware oxypumper evasion loader pup linkury glupteba
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	4872F6282C5881A74F6D18F0A89F0EE8
SHA1:	8937E3EF6D25A9E1EA59DB9E2EB36F49A8CF7025
SHA256:	A90A646476ABE504646082B8451616E5E0794A193A3A6329A03C4D53801607FB
SSDEEP:	6144:gcs6IrDlNg2oYfzUSyhD4OthcCPtAOHnQV3m0lnA:gcnINg2rzTyF4OHlW0GnA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads the Task Scheduler COM API
  - Extract[1].exe (PID: 2684)
  - 7065.tmp.exe (PID: 2472)
  - schtasks.exe (PID: 3804)
  - schtasks.exe (PID: 3604)
  - schtasks.exe (PID: 3812)
  - schtasks.exe (PID: 2248)
  - schtasks.exe (PID: 2116)
  - schtasks.exe (PID: 4084)
  - schtasks.exe (PID: 2264)
  - schtasks.exe (PID: 3516)
  - schtasks.exe (PID: 2420)
  - schtasks.exe (PID: 3484)
  - schtasks.exe (PID: 3236)
  - schtasks.exe (PID: 2212)
  - schtasks.exe (PID: 3180)
  - schtasks.exe (PID: 1160)
  - schtasks.exe (PID: 1936)
  - schtasks.exe (PID: 3284)
  - schtasks.exe (PID: 3192)
  - schtasks.exe (PID: 2880)
  - schtasks.exe (PID: 3788)
  - schtasks.exe (PID: 3904)
  - schtasks.exe (PID: 3492)
  - schtasks.exe (PID: 2496)
  - schtasks.exe (PID: 4056)
  - schtasks.exe (PID: 2676)
  - schtasks.exe (PID: 584)
  - schtasks.exe (PID: 1636)
  - schtasks.exe (PID: 1932)
  - schtasks.exe (PID: 2820)
  - schtasks.exe (PID: 3232)
  - schtasks.exe (PID: 2552)
  - schtasks.exe (PID: 3288)
  - schtasks.exe (PID: 4044)
  - schtasks.exe (PID: 1880)
  - schtasks.exe (PID: 2176)
  - schtasks.exe (PID: 776)
  - schtasks.exe (PID: 3728)
  - schtasks.exe (PID: 3984)
  - schtasks.exe (PID: 496)
- QWERTMINER was detected
  - Extract[1].exe (PID: 2684)
  - CBE6.tmp.exe (PID: 4052)
- Connects to CnC server
  - Extract[1].exe (PID: 2684)
  - fish.exe (PID: 3376)
  - K-Lab.exe (PID: 2584)
  - Phys-Tough.exe (PID: 3532)
  - set.exe (PID: 4088)
  - app.exe (PID: 3796)
  - csrss.exe (PID: 3356)
  - Pangoc.exe (PID: 3100)
- Changes settings of System certificates
  - Extract[1].exe (PID: 2684)
- Application was dropped or rewritten from another process
  - CBE6.tmp.exe (PID: 4052)
  - fish.exe (PID: 3376)
  - K-Lab.exe (PID: 2584)
  - CloudPrinter.exe (PID: 1248)
  - Phys-Tough.exe (PID: 3532)
  - Pangoc.exe (PID: 3100)
  - Salttech.bin (PID: 1412)
  - LogicHandler.exe (PID: 992)
  - LogicHandler.exe (PID: 3964)
  - set.exe (PID: 4088)
  - app.exe (PID: 3796)
  - app.exe (PID: 4092)
  - 7065.tmp.exe (PID: 2472)
  - setup.exe (PID: 2412)
  - csrss.exe (PID: 3356)
  - 654410859.exe (PID: 4008)
  - 5yalxuiepvw.exe (PID: 3500)
  - 654410859.exe (PID: 272)
  - WebCompanionInstaller.exe (PID: 252)
  - WCInstaller.exe (PID: 3048)
  - 654410859.exe (PID: 2284)
  - windefender.exe (PID: 2544)
  - windefender.exe (PID: 2892)
  - Pangoc.exe (PID: 3060)
  - Pangoc.exe (PID: 1516)
  - Pangoc.exe (PID: 2448)
  - Pangoc.exe (PID: 2924)
  - WebCompanion.exe (PID: 2208)
  - Lavasoft.WCAssistant.WinService.exe (PID: 1972)
  - Ad-Aware Web Companion.exe (PID: 2696)
  - WebCompanion.exe (PID: 2256)
- LINKURY was detected
  - fish.exe (PID: 3376)
  - K-Lab.exe (PID: 2584)
  - Phys-Tough.exe (PID: 3532)
  - CloudPrinter.exe (PID: 1248)
  - LogicHandler.exe (PID: 3964)
  - set.exe (PID: 4088)
  - Pangoc.exe (PID: 3100)
- Downloads executable files from the Internet
  - CBE6.tmp.exe (PID: 4052)
  - fish.exe (PID: 3376)
  - Extract[1].exe (PID: 2684)
- Loads dropped or rewritten executable
  - set.exe (PID: 4088)
  - Pangoc.exe (PID: 3100)
  - schtasks.exe (PID: 4084)
  - schtasks.exe (PID: 2264)
  - conhost.exe (PID: 1504)
  - schtasks.exe (PID: 3516)
  - schtasks.exe (PID: 2420)
  - conhost.exe (PID: 1268)
  - conhost.exe (PID: 2136)
  - regedit.exe (PID: 2836)
  - cmd.exe (PID: 3972)
  - cmd.exe (PID: 1596)
  - cmd.exe (PID: 2652)
  - schtasks.exe (PID: 3484)
  - cmd.exe (PID: 1416)
  - cmd.exe (PID: 3700)
  - conhost.exe (PID: 1948)
  - conhost.exe (PID: 3592)
  - taskeng.exe (PID: 3540)
  - schtasks.exe (PID: 3236)
  - conhost.exe (PID: 2492)
  - schtasks.exe (PID: 2212)
  - cmd.exe (PID: 564)
  - schtasks.exe (PID: 1160)
  - Pangoc.exe (PID: 3060)
  - conhost.exe (PID: 2132)
  - schtasks.exe (PID: 3180)
  - conhost.exe (PID: 2872)
  - cmd.exe (PID: 2856)
  - cmd.exe (PID: 2660)
  - schtasks.exe (PID: 1936)
  - cmd.exe (PID: 1904)
  - schtasks.exe (PID: 3284)
  - conhost.exe (PID: 3440)
  - conhost.exe (PID: 3544)
  - Pangoc.exe (PID: 1516)
  - cmd.exe (PID: 3908)
  - conhost.exe (PID: 2352)
  - cmd.exe (PID: 3612)
  - schtasks.exe (PID: 3192)
  - schtasks.exe (PID: 2880)
  - schtasks.exe (PID: 3904)
  - conhost.exe (PID: 784)
  - conhost.exe (PID: 2788)
  - cmd.exe (PID: 1876)
  - cmd.exe (PID: 2384)
  - SearchProtocolHost.exe (PID: 3960)
  - DllHost.exe (PID: 2556)
  - cmd.exe (PID: 2068)
  - schtasks.exe (PID: 3788)
  - regedit.exe (PID: 2240)
  - schtasks.exe (PID: 3492)
  - conhost.exe (PID: 3268)
  - conhost.exe (PID: 592)
  - cmd.exe (PID: 3508)
  - schtasks.exe (PID: 2496)
  - conhost.exe (PID: 3308)
  - regedit.exe (PID: 3460)
  - conhost.exe (PID: 324)
  - schtasks.exe (PID: 4056)
  - cmd.exe (PID: 2708)
  - cmd.exe (PID: 1728)
  - conhost.exe (PID: 720)
  - schtasks.exe (PID: 2676)
  - cmd.exe (PID: 4016)
  - cmd.exe (PID: 3424)
  - conhost.exe (PID: 3580)
  - schtasks.exe (PID: 584)
  - conhost.exe (PID: 2336)
  - schtasks.exe (PID: 1932)
  - cmd.exe (PID: 2772)
  - schtasks.exe (PID: 1636)
  - cmd.exe (PID: 1800)
  - conhost.exe (PID: 2028)
  - WebCompanionInstaller.exe (PID: 252)
  - werfault.exe (PID: 3880)
  - schtasks.exe (PID: 2820)
  - werfault.exe (PID: 2564)
  - conhost.exe (PID: 3132)
  - cmd.exe (PID: 976)
  - cmd.exe (PID: 3228)
  - conhost.exe (PID: 3256)
  - regedit.exe (PID: 1940)
  - schtasks.exe (PID: 2552)
  - cmd.exe (PID: 600)
  - conhost.exe (PID: 3780)
  - schtasks.exe (PID: 3232)
  - conhost.exe (PID: 1784)
  - schtasks.exe (PID: 4044)
  - cmd.exe (PID: 3420)
  - schtasks.exe (PID: 3288)
  - Pangoc.exe (PID: 2448)
  - cmd.exe (PID: 2800)
  - conhost.exe (PID: 3164)
  - cmd.exe (PID: 2040)
  - schtasks.exe (PID: 1880)
  - conhost.exe (PID: 1448)
  - schtasks.exe (PID: 2176)
  - cmd.exe (PID: 3660)
  - conhost.exe (PID: 3432)
  - schtasks.exe (PID: 776)
  - Pangoc.exe (PID: 2924)
  - conhost.exe (PID: 3372)
  - schtasks.exe (PID: 3728)
  - cmd.exe (PID: 2920)
  - conhost.exe (PID: 2056)
  - DllHost.exe (PID: 2196)
  - conhost.exe (PID: 1944)
  - conhost.exe (PID: 3112)
  - conhost.exe (PID: 2988)
  - conhost.exe (PID: 1532)
  - cmd.exe (PID: 3768)
  - schtasks.exe (PID: 3984)
  - netsh.exe (PID: 3452)
  - cmd.exe (PID: 2984)
  - werfault.exe (PID: 2896)
  - conhost.exe (PID: 2712)
  - cmd.exe (PID: 1712)
  - schtasks.exe (PID: 496)
  - werfault.exe (PID: 2764)
  - WebCompanion.exe (PID: 2208)
  - conhost.exe (PID: 3832)
  - Lavasoft.WCAssistant.WinService.exe (PID: 1972)
  - cmd.exe (PID: 2740)
  - conhost.exe (PID: 2760)
  - cvtres.exe (PID: 2608)
  - netsh.exe (PID: 3316)
  - csc.exe (PID: 2736)
  - Ad-Aware Web Companion.exe (PID: 2696)
  - SearchProtocolHost.exe (PID: 952)
  - WebCompanion.exe (PID: 2256)
  - iexplore.exe (PID: 3404)
  - PresentationFontCache.exe (PID: 2112)
  - SearchFilterHost.exe (PID: 2060)
- GLUPTEBA was detected
  - app.exe (PID: 3796)
  - app.exe (PID: 4092)
  - csrss.exe (PID: 3356)
  - windefender.exe (PID: 2892)
- Modifies exclusions in Windows Defender
  - app.exe (PID: 4092)
- Changes the autorun value in the registry
  - app.exe (PID: 4092)
  - Blowkit.tmp (PID: 1096)
  - 5yalxuiepvw.tmp (PID: 2916)
  - 654410859.exe (PID: 272)
  - regedit.exe (PID: 1816)
  - regedit.exe (PID: 2836)
  - regedit.exe (PID: 2240)
  - regedit.exe (PID: 3460)
  - regedit.exe (PID: 1940)
  - WebCompanion.exe (PID: 2208)
- Uses Task Scheduler to autorun other applications
  - csrss.exe (PID: 3356)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 2776)
  - cmd.exe (PID: 1556)
  - cmd.exe (PID: 1520)
  - cmd.exe (PID: 284)
  - cmd.exe (PID: 3280)
  - cmd.exe (PID: 2652)
  - cmd.exe (PID: 3972)
  - cmd.exe (PID: 1596)
  - cmd.exe (PID: 564)
  - cmd.exe (PID: 1416)
  - cmd.exe (PID: 3700)
  - cmd.exe (PID: 2856)
  - cmd.exe (PID: 2660)
  - cmd.exe (PID: 1904)
  - cmd.exe (PID: 3612)
  - cmd.exe (PID: 3908)
  - cmd.exe (PID: 2384)
  - cmd.exe (PID: 1876)
  - cmd.exe (PID: 2068)
  - cmd.exe (PID: 3508)
  - cmd.exe (PID: 1728)
  - cmd.exe (PID: 2708)
  - cmd.exe (PID: 4016)
  - cmd.exe (PID: 3424)
  - cmd.exe (PID: 2772)
  - cmd.exe (PID: 1800)
  - cmd.exe (PID: 3228)
  - cmd.exe (PID: 976)
  - cmd.exe (PID: 600)
  - cmd.exe (PID: 3420)
  - cmd.exe (PID: 2800)
  - cmd.exe (PID: 2040)
  - cmd.exe (PID: 3660)
  - cmd.exe (PID: 2920)
  - cmd.exe (PID: 3768)
  - cmd.exe (PID: 1712)
- Changes AppInit_DLLs value (autorun option)
  - regedit.exe (PID: 1816)
  - regedit.exe (PID: 2836)
  - regedit.exe (PID: 2240)
  - regedit.exe (PID: 3460)
  - regedit.exe (PID: 1940)
- Changes internet zones settings
  - WebCompanionInstaller.exe (PID: 252)
- Starts Visual C# compiler
  - WebCompanion.exe (PID: 2208)
SUSPICIOUS
- Creates files in the user directory
  - Extract[1].exe (PID: 2684)
  - 7065.tmp.exe (PID: 2472)
  - Pangoc.exe (PID: 3100)
  - WebCompanionInstaller.exe (PID: 252)
  - WebCompanion.exe (PID: 2208)
- Executable content was dropped or overwritten
  - Extract[1].exe (PID: 2684)
  - CBE6.tmp.exe (PID: 4052)
  - fish.exe (PID: 3376)
  - K-Lab.exe (PID: 2584)
  - Phys-Tough.exe (PID: 3532)
  - Salttech.bin (PID: 1412)
  - LogicHandler.exe (PID: 992)
  - 7065.tmp.exe (PID: 2472)
  - app.exe (PID: 4092)
  - setup.tmp (PID: 2748)
  - setup.exe (PID: 2412)
  - Blowkit.exe (PID: 1888)
  - Blowkit.tmp (PID: 1096)
  - csrss.exe (PID: 3356)
  - 654410859.exe (PID: 4008)
  - 5yalxuiepvw.tmp (PID: 2916)
  - 5yalxuiepvw.exe (PID: 3500)
  - Pangoc.exe (PID: 3100)
  - WCInstaller.exe (PID: 3048)
  - WebCompanionInstaller.exe (PID: 252)
- Adds / modifies Windows certificates
  - Extract[1].exe (PID: 2684)
- Checks for external IP
  - Extract[1].exe (PID: 2684)
- Starts itself from another location
  - fish.exe (PID: 3376)
  - app.exe (PID: 4092)
- Starts SC.EXE for service management
  - K-Lab.exe (PID: 2584)
  - Phys-Tough.exe (PID: 3532)
  - LogicHandler.exe (PID: 992)
  - cmd.exe (PID: 1852)
  - cmd.exe (PID: 1416)
  - cmd.exe (PID: 1848)
  - cmd.exe (PID: 3104)
  - cmd.exe (PID: 3204)
  - WebCompanionInstaller.exe (PID: 252)
- Executed as Windows Service
  - CloudPrinter.exe (PID: 1248)
  - Pangoc.exe (PID: 3100)
  - set.exe (PID: 4088)
  - windefender.exe (PID: 2544)
  - Lavasoft.WCAssistant.WinService.exe (PID: 1972)
  - PresentationFontCache.exe (PID: 2112)
- Creates files in the program directory
  - K-Lab.exe (PID: 2584)
  - Phys-Tough.exe (PID: 3532)
  - LogicHandler.exe (PID: 3964)
  - LogicHandler.exe (PID: 992)
  - fish.exe (PID: 3376)
  - Pangoc.exe (PID: 3100)
  - WebCompanionInstaller.exe (PID: 252)
  - WebCompanion.exe (PID: 2208)
  - Lavasoft.WCAssistant.WinService.exe (PID: 1972)
  - WebCompanion.exe (PID: 2256)
- Creates files in the Windows directory
  - CloudPrinter.exe (PID: 1248)
  - set.exe (PID: 4088)
  - app.exe (PID: 4092)
  - csrss.exe (PID: 3356)
  - 654410859.exe (PID: 4008)
  - Pangoc.exe (PID: 3100)
  - Lavasoft.WCAssistant.WinService.exe (PID: 1972)
  - WebCompanion.exe (PID: 2208)
  - WebCompanionInstaller.exe (PID: 252)
- Application launched itself
  - LogicHandler.exe (PID: 3964)
  - app.exe (PID: 3796)
  - 654410859.exe (PID: 4008)
  - 654410859.exe (PID: 272)
- Starts application with an unusual extension
  - fish.exe (PID: 3376)
- Creates a software uninstall entry
  - fish.exe (PID: 3376)
  - WebCompanionInstaller.exe (PID: 252)
- Starts CMD.EXE for commands execution
  - LogicHandler.exe (PID: 992)
  - app.exe (PID: 4092)
  - csrss.exe (PID: 3356)
  - windefender.exe (PID: 2892)
  - Pangoc.exe (PID: 3100)
  - Pangoc.exe (PID: 3060)
  - Pangoc.exe (PID: 1516)
  - Pangoc.exe (PID: 2448)
  - WebCompanionInstaller.exe (PID: 252)
  - Pangoc.exe (PID: 2924)
  - Lavasoft.WCAssistant.WinService.exe (PID: 1972)
- Starts Internet Explorer
  - 7065.tmp.exe (PID: 2472)
- Reads the machine GUID from the registry
  - app.exe (PID: 3796)
  - csrss.exe (PID: 3356)
- Uses NETSH.EXE for network configuration
  - cmd.exe (PID: 2876)
  - cmd.exe (PID: 1528)
  - cmd.exe (PID: 2984)
  - cmd.exe (PID: 2740)
- Removes files from Windows directory
  - set.exe (PID: 4088)
  - Pangoc.exe (PID: 3100)
  - Lavasoft.WCAssistant.WinService.exe (PID: 1972)
  - WebCompanion.exe (PID: 2208)
  - WebCompanionInstaller.exe (PID: 252)
- Creates files in the driver directory
  - csrss.exe (PID: 3356)
- Searches for installed software
  - csrss.exe (PID: 3356)
  - Pangoc.exe (PID: 3100)
- Executed via Task Scheduler
  - cmd.exe (PID: 3280)
  - cmd.exe (PID: 1596)
  - Pangoc.exe (PID: 3060)
  - cmd.exe (PID: 1876)
  - cmd.exe (PID: 1728)
  - cmd.exe (PID: 3228)
- Changes the started page of IE
  - Pangoc.exe (PID: 3100)
  - WebCompanion.exe (PID: 2208)
INFO
- Changes internet zones settings
  - iexplore.exe (PID: 2744)
- Application launched itself
  - iexplore.exe (PID: 2744)
- Reads settings of System Certificates
  - iexplore.exe (PID: 3400)
  - 654410859.exe (PID: 2284)
- Creates files in the user directory
  - iexplore.exe (PID: 3400)
  - iexplore.exe (PID: 3404)
- Changes settings of System certificates
  - iexplore.exe (PID: 3400)
- Adds / modifies Windows certificates
  - iexplore.exe (PID: 3400)
- Reads internet explorer settings
  - iexplore.exe (PID: 3400)
  - iexplore.exe (PID: 3404)
- Creates files in the program directory
  - setup.tmp (PID: 2748)
  - 5yalxuiepvw.tmp (PID: 2916)
- Application was dropped or rewritten from another process
  - setup.tmp (PID: 2748)
  - Blowkit.exe (PID: 1888)
  - Blowkit.tmp (PID: 1096)
  - 5yalxuiepvw.tmp (PID: 2916)
- Loads dropped or rewritten executable
  - setup.tmp (PID: 2748)
  - Blowkit.tmp (PID: 1096)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 2744)
  - iexplore.exe (PID: 3404)
- Creates a software uninstall entry
  - 5yalxuiepvw.tmp (PID: 2916)
- Dropped object may contain Bitcoin addresses
  - WebCompanionInstaller.exe (PID: 252)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

Subsystem:	Windows GUI
SubsystemVersion:	5.1
ImageVersion:	-
OSVersion:	5.1
EntryPoint:	0x2019e
UninitializedDataSize:	-
InitializedDataSize:	147968
CodeSize:	254976
LinkerVersion:	14.16
PEType:	PE32
TimeStamp:	2020:01:17 06:27:38+01:00
MachineType:	Intel 386 or later, and compatibles

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	17-Jan-2020 05:27:38
Detected languages:	English - United States

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000110

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	5
Time date stamp:	17-Jan-2020 05:27:38
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x0003E3EC	0x0003E400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.41325
.rdata	0x00040000	0x0001EF0A	0x0001F000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.64962
.data	0x0005F000	0x00001E80	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	3.50791
.rsrc	0x00061000	0x000001E8	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.77204
.reloc	0x00062000	0x00002F28	0x00003000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	6.54773

Resources

Title	Entropy	Size	Codepage	Language	Type
1	4.89623	392	UNKNOWN	English - United States	RT_MANIFEST

Imports


ADVAPI32.dll
KERNEL32.dll
OLEAUT32.dll
RPCRT4.dll
SHELL32.dll
USER32.dll
WININET.dll
ole32.dll
urlmon.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

253

Monitored processes

194

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1796

"C:\Users\admin\AppData\Local\Temp\Extract[1].exe"

C:\Users\admin\AppData\Local\Temp\Extract[1].exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\appdata\local\temp\extract[1].exe
c:\systemroot\system32\ntdll.dll

2684

"C:\Users\admin\AppData\Local\Temp\Extract[1].exe"

C:\Users\admin\AppData\Local\Temp\Extract[1].exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\extract[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

4052

C:\Users\admin\AppData\Local\Temp\CBE6.tmp.exe

Extract[1].exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\cbe6.tmp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

3376

C:\Users\admin\AppData\Local\Temp\fish.exe {"packer":{"DistributerName":"APSFPango","ChannelId":"3"},"Agent":{"SetAll":"true"}}

C:\Users\admin\AppData\Local\Temp\fish.exe

CBE6.tmp.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\fish.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

2584

"C:\Users\admin\AppData\Local\K-Lab.exe" shuz -f "lobby.dat" -l -a DeviceId=a6985883-ace4-b706-fafa-0ee4efb037e4 Distributer=APSFPango ChannelId=3 BarcodeId=54565003 ApName=Pangoc

C:\Users\admin\AppData\Local\K-Lab.exe

fish.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\k-lab.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

3284

"C:\Windows\system32\sc.exe" create CloudPrinter binpath= "C:\ProgramData\\CloudPrinter\\CloudPrinter.exe shuz -f \"C:\ProgramData\\CloudPrinter\\CloudPrinter.dat\" -l -a" DisplayName= CloudPrinter start= auto

C:\Windows\system32\sc.exe

—

K-Lab.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1248

C:\ProgramData\\CloudPrinter\\CloudPrinter.exe shuz -f "C:\ProgramData\\CloudPrinter\\CloudPrinter.dat" -l -a

C:\ProgramData\CloudPrinter\CloudPrinter.exe

services.exe

User:

SYSTEM

Integrity Level:

SYSTEM

Modules

Images
c:\programdata\cloudprinter\cloudprinter.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

3532

"C:\Users\admin\AppData\Local\Phys-Tough.exe" shuz -f "noah.dat" -l -a DeviceId=a6985883-ace4-b706-fafa-0ee4efb037e4 Distributer=APSFPango ChannelId=3 BarcodeId=54565003 DefaultSearchDomain=https://feed.sonic-search.com HomePageDomain=https://feed.helperbar.com NewTabDomain=https://feed.helperbar.com EncryptUrl=true AddRemove=false AgentName=Pangoc YBSearch=false ApName=Pangoc SetAll=true

C:\Users\admin\AppData\Local\Phys-Tough.exe

fish.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\phys-tough.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

4088

"C:\Windows\system32\sc.exe" create Pangoc binpath= "C:\ProgramData\\Pangoc\\Pangoc.exe shuz -f \"C:\ProgramData\\Pangoc\\Pangoc.dat\" -l -a" DisplayName= Pangoc start= auto

C:\Windows\system32\sc.exe

—

Phys-Tough.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

3100

C:\ProgramData\\Pangoc\\Pangoc.exe shuz -f "C:\ProgramData\\Pangoc\\Pangoc.dat" -l -a

C:\ProgramData\Pangoc\Pangoc.exe

services.exe

User:

SYSTEM

Integrity Level:

SYSTEM

Modules

Images
c:\programdata\pangoc\pangoc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

Add for printing

Total events

5 728

Read events

4 819

Write events

Delete events

Modification events

No data

Add for printing

Executable files

130

Suspicious files

Text files

345

Unknown types

Dropped files

PID	Process	Filename		Type
2684	Extract[1].exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\things[1].xml		text
		MD5:469447BA1F8378A13CBF6DFD6F7A7550	SHA256:8E9C87626DE4F9959905B6906B7F1EB60676F9919FB1D9AA8790885DD5FB44C4
4052	CBE6.tmp.exe	C:\Users\admin\AppData\Local\Temp\fish.exe		executable
		MD5:1F972207384DA52E3EAA7327E218281B	SHA256:8DA4B1756ED0DAAA4B90E8F00F243157B80E9BED17DFCB71906CA6800871E04F
3376	fish.exe	C:\Users\admin\AppData\Local\agent.dat		—
		MD5:—	SHA256:—
3376	fish.exe	C:\Users\admin\AppData\Local\lobby.dat		binary
		MD5:98805852F7BDBD8A014A0120F05C0D8F	SHA256:83F29BE82A2480FD936B1D2DC4A6A9B0558F1E00E273CEB6D2F93BC25FBA9D44
2584	K-Lab.exe	C:\ProgramData\CloudPrinter\Config.xml		text
		MD5:12E2D4C11224901674F7DE685D2FA8F4	SHA256:EF37BF3C9035B8BFCD2304AF61F06CA8C0501A1AAB64FA173A4CFDCF3473F1CE
2684	Extract[1].exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\xml[1].xml		xml
		MD5:62D951A84EA68E9C38818D621D3DD8FC	SHA256:A36DB17E0FCF705C1206D9B15359DBD3C67FE40B369D8DCE069B586B2CD023A7
2584	K-Lab.exe	C:\ProgramData\CloudPrinter\CloudPrinter.exe		executable
		MD5:1F972207384DA52E3EAA7327E218281B	SHA256:8DA4B1756ED0DAAA4B90E8F00F243157B80E9BED17DFCB71906CA6800871E04F
3376	fish.exe	C:\Users\admin\AppData\Local\installer.dat		binary
		MD5:A07ACE2DAE174E64B28C75FC38C010E0	SHA256:BE785C75E5147AF85C97C74367B100FB4C23E9429D7D719B663BA3B5C6F492E6
3376	fish.exe	C:\Users\admin\AppData\Local\InstallationConfiguration.xml		text
		MD5:43BCB3596F548E3D89A3F5B37E8CDC32	SHA256:BA508968F2C860295FE24ECA583619C329E3FFD464576D2B858077238251453F
2684	Extract[1].exe	C:\Users\admin\AppData\Roaming\Microsoft\Launcher.exe		executable
		MD5:4872F6282C5881A74F6D18F0A89F0EE8	SHA256:A90A646476ABE504646082B8451616E5E0794A193A3A6329A03C4D53801607FB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

203

TCP/UDP connections

102

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2684	Extract[1].exe	GET	200	52.168.94.225:80	http://hostas5.ml/click.php?cnv_id=5cdeegxrnntuo3yc54	US	—	—	malicious
2684	Extract[1].exe	GET	200	208.95.112.1:80	http://ip-api.com/xml	unknown	xml	493 b	shared
3376	fish.exe	GET	200	52.166.114.5:80	http://svc-stats.linkury.com/StateStatisticsService.svc/V1/JSON/GetDistributorIdFromNameHttpGet?distributorName=APSFPango	NL	text	13 b	shared
4052	CBE6.tmp.exe	GET	302	52.174.148.190:80	http://install.portmdfmoon.com/download/APSFPango	NL	html	182 b	whitelisted
4052	CBE6.tmp.exe	GET	200	205.185.208.154:80	http://h8y9u9b2.ssl.hwcdn.net/APSFPango/dynlink_1579267140397.exe	US	executable	1.69 Mb	malicious
3376	fish.exe	POST	200	52.166.114.5:80	http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee	NL	text	10 b	whitelisted
3376	fish.exe	POST	200	52.166.114.5:80	http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee	NL	text	10 b	whitelisted
3376	fish.exe	GET	200	52.174.148.190:80	http://updates.utyuytjn.com/Update/CheckInstallConfig?deviceid=a6985883-ace4-b706-fafa-0ee4efb037e4&distributer=APSFPango&channelid=3&barcodeid=54565003&country=NL&encrypt=True	NL	text	263 b	whitelisted
3376	fish.exe	POST	200	52.166.114.5:80	http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee	NL	text	10 b	whitelisted
3376	fish.exe	GET	200	205.185.208.154:80	http://m4y2d5k4.ssl.hwcdn.net/installer/installers-config/safefinder-ap/apsfpango/ic090120.xml	US	text	15.8 Kb	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2684	Extract[1].exe	172.217.16.132:80	google-analytics.com	Google Inc.	US	whitelisted
4052	CBE6.tmp.exe	172.217.16.132:80	google-analytics.com	Google Inc.	US	whitelisted
2684	Extract[1].exe	52.168.94.225:80	hostas5.ml	Microsoft Corporation	US	malicious
2684	Extract[1].exe	137.117.47.68:80	osdsoft.com	Microsoft Corporation	US	malicious
2684	Extract[1].exe	52.218.192.145:443	linkury.s3-us-west-2.amazonaws.com	Amazon.com, Inc.	US	unknown
2684	Extract[1].exe	208.95.112.1:80	ip-api.com	IBURST	—	malicious
3376	fish.exe	65.52.153.196:80	madmax.utyuytjn.com	Microsoft Corporation	NL	whitelisted
4052	CBE6.tmp.exe	205.185.208.154:80	h8y9u9b2.ssl.hwcdn.net	Highwinds Network Group, Inc.	US	malicious
2584	K-Lab.exe	65.52.153.196:80	madmax.utyuytjn.com	Microsoft Corporation	NL	whitelisted
3376	fish.exe	205.185.208.154:80	h8y9u9b2.ssl.hwcdn.net	Highwinds Network Group, Inc.	US	malicious

DNS requests

Domain	IP	Reputation
hostas5.ml	52.168.94.225	malicious
ip-api.com	208.95.112.1	shared
google-analytics.com	172.217.16.132	whitelisted
osdsoft.com	137.117.47.68	whitelisted
linkury.s3-us-west-2.amazonaws.com	52.218.192.145	shared
install.portmdfmoon.com	52.174.148.190	unknown
h8y9u9b2.ssl.hwcdn.net	205.185.208.154	malicious
svc-stats.linkury.com	52.166.114.5	shared
madmax.utyuytjn.com	65.52.153.196	unknown
updates.utyuytjn.com	52.174.148.190	unknown

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET INFO DNS Query for Suspicious .ml Domain
2684	Extract[1].exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
2684	Extract[1].exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
2684	Extract[1].exe	Potential Corporate Privacy Violation	ET POLICY External IP Lookup ip-api.com
2684	Extract[1].exe	Potential Corporate Privacy Violation	AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
2684	Extract[1].exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
2684	Extract[1].exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
2684	Extract[1].exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
4052	CBE6.tmp.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
4052	CBE6.tmp.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

254 ETPRO signatures available at the full report

Add for printing

Process	Message
Extract[1].exe	[18/01/2020 11:39:49:0602] 4.0
Extract[1].exe	[18/01/2020 11:39:49:0602] CommandLine: i
Extract[1].exe	[18/01/2020 11:39:49:0774] Country: NL
Extract[1].exe	[18/01/2020 11:39:49:0774] Start count: 0
Extract[1].exe	[18/01/2020 11:39:49:0774] Start count: 0
Extract[1].exe	[18/01/2020 11:39:53:0149] SF,XtexK,multishare,MultiTimerE,XtexEU,CloudExtender,WebCompanionEU,WebCompanion,ShutdownTime,pushbot
Extract[1].exe	[18/01/2020 11:39:53:0165]
Extract[1].exe	[18/01/2020 11:39:53:0165] SF
Extract[1].exe	[18/01/2020 11:39:53:0165] Didn't installed
Extract[1].exe	[18/01/2020 11:39:54:0727] Downloaded

General Info

Extract[1].exe

4872F6282C5881A74F6D18F0A89F0EE8

8937E3EF6D25A9E1EA59DB9E2EB36F49A8CF7025

A90A646476ABE504646082B8451616E5E0794A193A3A6329A03C4D53801607FB

6144:gcs6IrDlNg2oYfzUSyhD4OthcCPtAOHnQV3m0lnA:gcnINg2rzTyF4OHlW0GnA

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads the Task Scheduler COM API

QWERTMINER was detected

Connects to CnC server

Changes settings of System certificates

Application was dropped or rewritten from another process

LINKURY was detected

Downloads executable files from the Internet

Loads dropped or rewritten executable

GLUPTEBA was detected

Modifies exclusions in Windows Defender

Changes the autorun value in the registry

Uses Task Scheduler to autorun other applications

Uses Task Scheduler to run other applications

Changes AppInit_DLLs value (autorun option)

Changes internet zones settings

Starts Visual C# compiler

SUSPICIOUS

Creates files in the user directory

Executable content was dropped or overwritten

Adds / modifies Windows certificates

Checks for external IP

Starts itself from another location

Starts SC.EXE for service management

Executed as Windows Service

Creates files in the program directory

Creates files in the Windows directory

Application launched itself

Starts application with an unusual extension

Creates a software uninstall entry

Starts CMD.EXE for commands execution

Starts Internet Explorer

Reads the machine GUID from the registry

Uses NETSH.EXE for network configuration

Removes files from Windows directory

Creates files in the driver directory

Searches for installed software

Executed via Task Scheduler

Changes the started page of IE

INFO

Changes internet zones settings

Application launched itself

Reads settings of System Certificates

Creates files in the user directory

Changes settings of System certificates

Adds / modifies Windows certificates

Reads internet explorer settings

Creates files in the program directory

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Reads Internet Cache Settings

Creates a software uninstall entry

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information