Malware analysis Extract[1].exe Malicious activity | ANY.RUN

Add for printing

File name:	Extract[1].exe
Full analysis:	https://app.any.run/tasks/9aedf38c-b426-4e28-a293-88c9fba47bb8
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Glupteba is a loader with information-stealing and traffic routing functionality. It is designed primarily to install other viruses on infected PCs but can do much more than that. In addition, it is being constantly updated, making this virus one to watch out for. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	January 18, 2020, 11:39:26
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	trojan miner qwertminer adware oxypumper evasion loader pup linkury glupteba
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	4872F6282C5881A74F6D18F0A89F0EE8
SHA1:	8937E3EF6D25A9E1EA59DB9E2EB36F49A8CF7025
SHA256:	A90A646476ABE504646082B8451616E5E0794A193A3A6329A03C4D53801607FB
SSDEEP:	6144:gcs6IrDlNg2oYfzUSyhD4OthcCPtAOHnQV3m0lnA:gcnINg2rzTyF4OHlW0GnA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads the Task Scheduler COM API
  - Extract[1].exe (PID: 2684)
  - 7065.tmp.exe (PID: 2472)
  - schtasks.exe (PID: 3604)
  - schtasks.exe (PID: 3804)
  - schtasks.exe (PID: 3812)
  - schtasks.exe (PID: 2248)
  - schtasks.exe (PID: 2116)
  - schtasks.exe (PID: 4084)
  - schtasks.exe (PID: 2264)
  - schtasks.exe (PID: 2420)
  - schtasks.exe (PID: 3516)
  - schtasks.exe (PID: 3484)
  - schtasks.exe (PID: 3236)
  - schtasks.exe (PID: 2212)
  - schtasks.exe (PID: 1160)
  - schtasks.exe (PID: 1936)
  - schtasks.exe (PID: 3180)
  - schtasks.exe (PID: 3284)
  - schtasks.exe (PID: 3192)
  - schtasks.exe (PID: 2880)
  - schtasks.exe (PID: 3904)
  - schtasks.exe (PID: 3788)
  - schtasks.exe (PID: 3492)
  - schtasks.exe (PID: 2496)
  - schtasks.exe (PID: 4056)
  - schtasks.exe (PID: 2676)
  - schtasks.exe (PID: 584)
  - schtasks.exe (PID: 1636)
  - schtasks.exe (PID: 1932)
  - schtasks.exe (PID: 2820)
  - schtasks.exe (PID: 3232)
  - schtasks.exe (PID: 2552)
  - schtasks.exe (PID: 3288)
  - schtasks.exe (PID: 4044)
  - schtasks.exe (PID: 1880)
  - schtasks.exe (PID: 2176)
  - schtasks.exe (PID: 776)
  - schtasks.exe (PID: 3728)
  - schtasks.exe (PID: 3984)
  - schtasks.exe (PID: 496)
- Changes settings of System certificates
  - Extract[1].exe (PID: 2684)
- QWERTMINER was detected
  - Extract[1].exe (PID: 2684)
  - CBE6.tmp.exe (PID: 4052)
- Connects to CnC server
  - Extract[1].exe (PID: 2684)
  - fish.exe (PID: 3376)
  - K-Lab.exe (PID: 2584)
  - Phys-Tough.exe (PID: 3532)
  - set.exe (PID: 4088)
  - app.exe (PID: 3796)
  - csrss.exe (PID: 3356)
  - Pangoc.exe (PID: 3100)
- Downloads executable files from the Internet
  - CBE6.tmp.exe (PID: 4052)
  - fish.exe (PID: 3376)
  - Extract[1].exe (PID: 2684)
- Application was dropped or rewritten from another process
  - CBE6.tmp.exe (PID: 4052)
  - K-Lab.exe (PID: 2584)
  - fish.exe (PID: 3376)
  - Phys-Tough.exe (PID: 3532)
  - CloudPrinter.exe (PID: 1248)
  - Salttech.bin (PID: 1412)
  - LogicHandler.exe (PID: 3964)
  - Pangoc.exe (PID: 3100)
  - LogicHandler.exe (PID: 992)
  - set.exe (PID: 4088)
  - app.exe (PID: 3796)
  - app.exe (PID: 4092)
  - 7065.tmp.exe (PID: 2472)
  - csrss.exe (PID: 3356)
  - setup.exe (PID: 2412)
  - 654410859.exe (PID: 4008)
  - 5yalxuiepvw.exe (PID: 3500)
  - 654410859.exe (PID: 272)
  - 654410859.exe (PID: 2284)
  - WebCompanionInstaller.exe (PID: 252)
  - WCInstaller.exe (PID: 3048)
  - windefender.exe (PID: 2544)
  - windefender.exe (PID: 2892)
  - Pangoc.exe (PID: 3060)
  - Pangoc.exe (PID: 1516)
  - Pangoc.exe (PID: 2448)
  - Pangoc.exe (PID: 2924)
  - WebCompanion.exe (PID: 2208)
  - Lavasoft.WCAssistant.WinService.exe (PID: 1972)
  - Ad-Aware Web Companion.exe (PID: 2696)
  - WebCompanion.exe (PID: 2256)
- LINKURY was detected
  - fish.exe (PID: 3376)
  - K-Lab.exe (PID: 2584)
  - CloudPrinter.exe (PID: 1248)
  - Phys-Tough.exe (PID: 3532)
  - Pangoc.exe (PID: 3100)
  - LogicHandler.exe (PID: 3964)
  - set.exe (PID: 4088)
- GLUPTEBA was detected
  - app.exe (PID: 3796)
  - app.exe (PID: 4092)
  - csrss.exe (PID: 3356)
  - windefender.exe (PID: 2892)
- Loads dropped or rewritten executable
  - set.exe (PID: 4088)
  - Pangoc.exe (PID: 3100)
  - schtasks.exe (PID: 4084)
  - schtasks.exe (PID: 2264)
  - conhost.exe (PID: 1504)
  - cmd.exe (PID: 2652)
  - schtasks.exe (PID: 2420)
  - conhost.exe (PID: 1268)
  - conhost.exe (PID: 2136)
  - cmd.exe (PID: 1596)
  - cmd.exe (PID: 3972)
  - regedit.exe (PID: 2836)
  - schtasks.exe (PID: 3516)
  - schtasks.exe (PID: 3484)
  - conhost.exe (PID: 2492)
  - cmd.exe (PID: 1416)
  - schtasks.exe (PID: 3236)
  - conhost.exe (PID: 1948)
  - cmd.exe (PID: 3700)
  - schtasks.exe (PID: 2212)
  - taskeng.exe (PID: 3540)
  - cmd.exe (PID: 1904)
  - cmd.exe (PID: 564)
  - schtasks.exe (PID: 1160)
  - Pangoc.exe (PID: 3060)
  - conhost.exe (PID: 2872)
  - cmd.exe (PID: 2856)
  - schtasks.exe (PID: 1936)
  - cmd.exe (PID: 2660)
  - conhost.exe (PID: 3440)
  - conhost.exe (PID: 2132)
  - conhost.exe (PID: 3592)
  - schtasks.exe (PID: 3180)
  - schtasks.exe (PID: 3284)
  - Pangoc.exe (PID: 1516)
  - cmd.exe (PID: 3612)
  - conhost.exe (PID: 2352)
  - conhost.exe (PID: 3544)
  - cmd.exe (PID: 3908)
  - schtasks.exe (PID: 3192)
  - schtasks.exe (PID: 2880)
  - conhost.exe (PID: 2788)
  - conhost.exe (PID: 784)
  - cmd.exe (PID: 1876)
  - SearchProtocolHost.exe (PID: 3960)
  - schtasks.exe (PID: 3904)
  - regedit.exe (PID: 2240)
  - schtasks.exe (PID: 3788)
  - DllHost.exe (PID: 2556)
  - conhost.exe (PID: 3268)
  - cmd.exe (PID: 2068)
  - schtasks.exe (PID: 3492)
  - conhost.exe (PID: 592)
  - cmd.exe (PID: 3508)
  - cmd.exe (PID: 2384)
  - schtasks.exe (PID: 2496)
  - conhost.exe (PID: 3308)
  - conhost.exe (PID: 324)
  - cmd.exe (PID: 1728)
  - schtasks.exe (PID: 4056)
  - cmd.exe (PID: 2708)
  - regedit.exe (PID: 3460)
  - conhost.exe (PID: 720)
  - schtasks.exe (PID: 2676)
  - cmd.exe (PID: 4016)
  - schtasks.exe (PID: 584)
  - conhost.exe (PID: 3580)
  - schtasks.exe (PID: 1636)
  - cmd.exe (PID: 3424)
  - conhost.exe (PID: 2336)
  - schtasks.exe (PID: 1932)
  - cmd.exe (PID: 2772)
  - conhost.exe (PID: 2028)
  - cmd.exe (PID: 1800)
  - schtasks.exe (PID: 2820)
  - WebCompanionInstaller.exe (PID: 252)
  - werfault.exe (PID: 3880)
  - schtasks.exe (PID: 3232)
  - conhost.exe (PID: 3256)
  - conhost.exe (PID: 3132)
  - cmd.exe (PID: 976)
  - cmd.exe (PID: 3228)
  - regedit.exe (PID: 1940)
  - schtasks.exe (PID: 2552)
  - conhost.exe (PID: 3780)
  - cmd.exe (PID: 600)
  - werfault.exe (PID: 2564)
  - conhost.exe (PID: 1784)
  - schtasks.exe (PID: 4044)
  - conhost.exe (PID: 3164)
  - Pangoc.exe (PID: 2448)
  - cmd.exe (PID: 2800)
  - schtasks.exe (PID: 1880)
  - conhost.exe (PID: 1448)
  - cmd.exe (PID: 2040)
  - schtasks.exe (PID: 2176)
  - schtasks.exe (PID: 3288)
  - cmd.exe (PID: 3420)
  - cmd.exe (PID: 3660)
  - Pangoc.exe (PID: 2924)
  - conhost.exe (PID: 3372)
  - cmd.exe (PID: 2920)
  - schtasks.exe (PID: 3728)
  - conhost.exe (PID: 3112)
  - conhost.exe (PID: 1944)
  - conhost.exe (PID: 2056)
  - DllHost.exe (PID: 2196)
  - conhost.exe (PID: 3432)
  - schtasks.exe (PID: 776)
  - cmd.exe (PID: 3768)
  - schtasks.exe (PID: 3984)
  - cmd.exe (PID: 2984)
  - werfault.exe (PID: 2896)
  - netsh.exe (PID: 3452)
  - conhost.exe (PID: 2712)
  - schtasks.exe (PID: 496)
  - cmd.exe (PID: 1712)
  - conhost.exe (PID: 2988)
  - conhost.exe (PID: 1532)
  - werfault.exe (PID: 2764)
  - WebCompanion.exe (PID: 2208)
  - Lavasoft.WCAssistant.WinService.exe (PID: 1972)
  - cmd.exe (PID: 2740)
  - conhost.exe (PID: 3832)
  - conhost.exe (PID: 2760)
  - netsh.exe (PID: 3316)
  - csc.exe (PID: 2736)
  - cvtres.exe (PID: 2608)
  - Ad-Aware Web Companion.exe (PID: 2696)
  - WebCompanion.exe (PID: 2256)
  - PresentationFontCache.exe (PID: 2112)
  - iexplore.exe (PID: 3404)
  - SearchProtocolHost.exe (PID: 952)
  - SearchFilterHost.exe (PID: 2060)
- Modifies exclusions in Windows Defender
  - app.exe (PID: 4092)
- Changes the autorun value in the registry
  - app.exe (PID: 4092)
  - Blowkit.tmp (PID: 1096)
  - 5yalxuiepvw.tmp (PID: 2916)
  - 654410859.exe (PID: 272)
  - regedit.exe (PID: 1816)
  - regedit.exe (PID: 2836)
  - regedit.exe (PID: 2240)
  - regedit.exe (PID: 3460)
  - regedit.exe (PID: 1940)
  - WebCompanion.exe (PID: 2208)
- Uses Task Scheduler to autorun other applications
  - csrss.exe (PID: 3356)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 2776)
  - cmd.exe (PID: 1520)
  - cmd.exe (PID: 284)
  - cmd.exe (PID: 1556)
  - cmd.exe (PID: 3280)
  - cmd.exe (PID: 2652)
  - cmd.exe (PID: 3972)
  - cmd.exe (PID: 1596)
  - cmd.exe (PID: 1416)
  - cmd.exe (PID: 3700)
  - cmd.exe (PID: 564)
  - cmd.exe (PID: 1904)
  - cmd.exe (PID: 2660)
  - cmd.exe (PID: 2856)
  - cmd.exe (PID: 3612)
  - cmd.exe (PID: 3908)
  - cmd.exe (PID: 2384)
  - cmd.exe (PID: 1876)
  - cmd.exe (PID: 2068)
  - cmd.exe (PID: 3508)
  - cmd.exe (PID: 2708)
  - cmd.exe (PID: 1728)
  - cmd.exe (PID: 4016)
  - cmd.exe (PID: 3424)
  - cmd.exe (PID: 2772)
  - cmd.exe (PID: 1800)
  - cmd.exe (PID: 976)
  - cmd.exe (PID: 3228)
  - cmd.exe (PID: 600)
  - cmd.exe (PID: 3420)
  - cmd.exe (PID: 2800)
  - cmd.exe (PID: 2040)
  - cmd.exe (PID: 3660)
  - cmd.exe (PID: 2920)
  - cmd.exe (PID: 3768)
  - cmd.exe (PID: 1712)
- Changes AppInit_DLLs value (autorun option)
  - regedit.exe (PID: 1816)
  - regedit.exe (PID: 2836)
  - regedit.exe (PID: 2240)
  - regedit.exe (PID: 3460)
  - regedit.exe (PID: 1940)
- Changes internet zones settings
  - WebCompanionInstaller.exe (PID: 252)
- Starts Visual C# compiler
  - WebCompanion.exe (PID: 2208)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Extract[1].exe (PID: 2684)
  - CBE6.tmp.exe (PID: 4052)
  - fish.exe (PID: 3376)
  - K-Lab.exe (PID: 2584)
  - Phys-Tough.exe (PID: 3532)
  - Salttech.bin (PID: 1412)
  - LogicHandler.exe (PID: 992)
  - 7065.tmp.exe (PID: 2472)
  - app.exe (PID: 4092)
  - setup.tmp (PID: 2748)
  - setup.exe (PID: 2412)
  - Blowkit.exe (PID: 1888)
  - Blowkit.tmp (PID: 1096)
  - 654410859.exe (PID: 4008)
  - 5yalxuiepvw.exe (PID: 3500)
  - csrss.exe (PID: 3356)
  - 5yalxuiepvw.tmp (PID: 2916)
  - WCInstaller.exe (PID: 3048)
  - Pangoc.exe (PID: 3100)
  - WebCompanionInstaller.exe (PID: 252)
- Creates files in the user directory
  - Extract[1].exe (PID: 2684)
  - 7065.tmp.exe (PID: 2472)
  - Pangoc.exe (PID: 3100)
  - WebCompanionInstaller.exe (PID: 252)
  - WebCompanion.exe (PID: 2208)
- Checks for external IP
  - Extract[1].exe (PID: 2684)
- Creates files in the program directory
  - K-Lab.exe (PID: 2584)
  - Phys-Tough.exe (PID: 3532)
  - LogicHandler.exe (PID: 3964)
  - LogicHandler.exe (PID: 992)
  - fish.exe (PID: 3376)
  - Pangoc.exe (PID: 3100)
  - WebCompanionInstaller.exe (PID: 252)
  - WebCompanion.exe (PID: 2208)
  - Lavasoft.WCAssistant.WinService.exe (PID: 1972)
  - WebCompanion.exe (PID: 2256)
- Adds / modifies Windows certificates
  - Extract[1].exe (PID: 2684)
- Starts itself from another location
  - fish.exe (PID: 3376)
  - app.exe (PID: 4092)
- Starts SC.EXE for service management
  - K-Lab.exe (PID: 2584)
  - Phys-Tough.exe (PID: 3532)
  - cmd.exe (PID: 1852)
  - LogicHandler.exe (PID: 992)
  - cmd.exe (PID: 1848)
  - cmd.exe (PID: 3104)
  - cmd.exe (PID: 1416)
  - cmd.exe (PID: 3204)
  - WebCompanionInstaller.exe (PID: 252)
- Creates files in the Windows directory
  - CloudPrinter.exe (PID: 1248)
  - set.exe (PID: 4088)
  - app.exe (PID: 4092)
  - csrss.exe (PID: 3356)
  - 654410859.exe (PID: 4008)
  - Pangoc.exe (PID: 3100)
  - Lavasoft.WCAssistant.WinService.exe (PID: 1972)
  - WebCompanion.exe (PID: 2208)
  - WebCompanionInstaller.exe (PID: 252)
- Executed as Windows Service
  - CloudPrinter.exe (PID: 1248)
  - Pangoc.exe (PID: 3100)
  - set.exe (PID: 4088)
  - windefender.exe (PID: 2544)
  - Lavasoft.WCAssistant.WinService.exe (PID: 1972)
  - PresentationFontCache.exe (PID: 2112)
- Starts application with an unusual extension
  - fish.exe (PID: 3376)
- Application launched itself
  - LogicHandler.exe (PID: 3964)
  - app.exe (PID: 3796)
  - 654410859.exe (PID: 4008)
  - 654410859.exe (PID: 272)
- Starts CMD.EXE for commands execution
  - LogicHandler.exe (PID: 992)
  - app.exe (PID: 4092)
  - csrss.exe (PID: 3356)
  - windefender.exe (PID: 2892)
  - Pangoc.exe (PID: 3100)
  - Pangoc.exe (PID: 3060)
  - Pangoc.exe (PID: 1516)
  - Pangoc.exe (PID: 2448)
  - WebCompanionInstaller.exe (PID: 252)
  - Pangoc.exe (PID: 2924)
  - Lavasoft.WCAssistant.WinService.exe (PID: 1972)
- Creates a software uninstall entry
  - fish.exe (PID: 3376)
  - WebCompanionInstaller.exe (PID: 252)
- Reads the machine GUID from the registry
  - app.exe (PID: 3796)
  - csrss.exe (PID: 3356)
- Removes files from Windows directory
  - set.exe (PID: 4088)
  - Pangoc.exe (PID: 3100)
  - Lavasoft.WCAssistant.WinService.exe (PID: 1972)
  - WebCompanion.exe (PID: 2208)
  - WebCompanionInstaller.exe (PID: 252)
- Uses NETSH.EXE for network configuration
  - cmd.exe (PID: 2876)
  - cmd.exe (PID: 1528)
  - cmd.exe (PID: 2984)
  - cmd.exe (PID: 2740)
- Starts Internet Explorer
  - 7065.tmp.exe (PID: 2472)
- Creates files in the driver directory
  - csrss.exe (PID: 3356)
- Searches for installed software
  - csrss.exe (PID: 3356)
  - Pangoc.exe (PID: 3100)
- Executed via Task Scheduler
  - cmd.exe (PID: 3280)
  - cmd.exe (PID: 1596)
  - Pangoc.exe (PID: 3060)
  - cmd.exe (PID: 1876)
  - cmd.exe (PID: 1728)
  - cmd.exe (PID: 3228)
- Changes the started page of IE
  - Pangoc.exe (PID: 3100)
  - WebCompanion.exe (PID: 2208)
INFO
- Application launched itself
  - iexplore.exe (PID: 2744)
- Changes internet zones settings
  - iexplore.exe (PID: 2744)
- Creates files in the user directory
  - iexplore.exe (PID: 3400)
  - iexplore.exe (PID: 3404)
- Reads settings of System Certificates
  - iexplore.exe (PID: 3400)
  - 654410859.exe (PID: 2284)
- Adds / modifies Windows certificates
  - iexplore.exe (PID: 3400)
- Reads internet explorer settings
  - iexplore.exe (PID: 3400)
  - iexplore.exe (PID: 3404)
- Creates files in the program directory
  - setup.tmp (PID: 2748)
  - 5yalxuiepvw.tmp (PID: 2916)
- Application was dropped or rewritten from another process
  - setup.tmp (PID: 2748)
  - Blowkit.exe (PID: 1888)
  - Blowkit.tmp (PID: 1096)
  - 5yalxuiepvw.tmp (PID: 2916)
- Changes settings of System certificates
  - iexplore.exe (PID: 3400)
- Loads dropped or rewritten executable
  - setup.tmp (PID: 2748)
  - Blowkit.tmp (PID: 1096)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 2744)
  - iexplore.exe (PID: 3404)
- Creates a software uninstall entry
  - 5yalxuiepvw.tmp (PID: 2916)
- Dropped object may contain Bitcoin addresses
  - WebCompanionInstaller.exe (PID: 252)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:01:17 06:27:38+01:00
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	254976
InitializedDataSize:	147968
UninitializedDataSize:	-
EntryPoint:	0x2019e
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	17-Jan-2020 05:27:38
Detected languages:	English - United States

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000110

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	5
Time date stamp:	17-Jan-2020 05:27:38
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x0003E3EC	0x0003E400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.41325
.rdata	0x00040000	0x0001EF0A	0x0001F000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.64962
.data	0x0005F000	0x00001E80	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	3.50791
.rsrc	0x00061000	0x000001E8	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.77204
.reloc	0x00062000	0x00002F28	0x00003000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	6.54773

Resources

Title	Entropy	Size	Codepage	Language	Type
1	4.89623	392	UNKNOWN	English - United States	RT_MANIFEST

Imports


ADVAPI32.dll
KERNEL32.dll
OLEAUT32.dll
RPCRT4.dll
SHELL32.dll
USER32.dll
WININET.dll
ole32.dll
urlmon.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

253

Monitored processes

194

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

252

.\WebCompanionInstaller.exe --partner=AE190201 --campaign=292 --version=4.9.2159.4024 --prod --silent --partner=AE190201 --homepage=1 --search=1 --campaign=292

C:\Users\admin\AppData\Local\Temp\7zSAADC.tmp\WebCompanionInstaller.exe

WCInstaller.exe

User:

admin

Company:

Lavasoft

Integrity Level:

HIGH

Description:

Web Companion

Exit code:

Version:

4.9.2159.4024

Modules

Images
c:\users\admin\appdata\local\temp\7zsaadc.tmp\webcompanioninstaller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

272

"C:\Program Files\lyghoi\654410859.exe" 1 3.1579347645.5e22eebd045b0

C:\Program Files\lyghoi\654410859.exe

654410859.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Version:

4.8.9.6

Modules

Images
c:\program files\lyghoi\654410859.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

284

"C:\Windows\System32\cmd.exe" /c SCHTASKS /Delete /TN "psv_Doublezap" /F

C:\Windows\System32\cmd.exe

—

Pangoc.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

324

\??\C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

—

csrss.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

496

SCHTASKS /Delete /TN "snf" /F

C:\Windows\system32\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

564

"cmd" /c SCHTASKS /Query /TN "snp"

C:\Windows\system32\cmd.exe

—

Pangoc.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

584

SCHTASKS /Delete /TN "snp" /F

C:\Windows\system32\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

592

\??\C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

—

csrss.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

600

"C:\Windows\System32\cmd.exe" /c SCHTASKS /Delete /TN "snp" /F

C:\Windows\System32\cmd.exe

—

Pangoc.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

720

\??\C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

—

csrss.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

Add for printing

Total events

5 728

Read events

4 819

Write events

891

Delete events

Modification events


(PID) Process:	(2684) Extract[1].exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\WindowsUpdater
Operation:	write	Name:	installed
Value: /click.php?cnv_id=5cdeegxrnntuo3yc54
(PID) Process:	(2684) Extract[1].exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extract[1]_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2684) Extract[1].exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extract[1]_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2684) Extract[1].exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extract[1]_RASAPI32
Operation:	write	Name:	FileTracingMask
Value: 4294901760
(PID) Process:	(2684) Extract[1].exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extract[1]_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value: 4294901760
(PID) Process:	(2684) Extract[1].exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extract[1]_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(2684) Extract[1].exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extract[1]_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(2684) Extract[1].exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extract[1]_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2684) Extract[1].exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extract[1]_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2684) Extract[1].exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extract[1]_RASMANCS
Operation:	write	Name:	FileTracingMask
Value: 4294901760

Add for printing

Executable files

130

Suspicious files

Text files

345

Unknown types

Dropped files

PID	Process	Filename		Type
2684	Extract[1].exe	C:\Users\admin\AppData\Local\Temp\CBE6.tmp.exe		executable
		MD5:—	SHA256:—
2684	Extract[1].exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\xml[1].xml		xml
		MD5:—	SHA256:—
3376	fish.exe	C:\Users\admin\AppData\Local\agent.dat		—
		MD5:—	SHA256:—
2684	Extract[1].exe	C:\Users\admin\AppData\Roaming\Microsoft\Launcher.exe		executable
		MD5:—	SHA256:—
3376	fish.exe	C:\Users\admin\AppData\Local\lobby.dat		binary
		MD5:—	SHA256:—
2684	Extract[1].exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\safefinder[1].exe		executable
		MD5:—	SHA256:—
2684	Extract[1].exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\things[1].xml		text
		MD5:—	SHA256:—
3376	fish.exe	C:\Users\admin\AppData\Local\InstallationConfiguration.xml		text
		MD5:—	SHA256:—
3532	Phys-Tough.exe	C:\ProgramData\Pangoc\Pangoc.d.dat		—
		MD5:—	SHA256:—
2584	K-Lab.exe	C:\ProgramData\CloudPrinter\Config.xml		text
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

203

TCP/UDP connections

102

DNS requests

Threats

406

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2684	Extract[1].exe	GET	200	52.168.94.225:80	http://hostas5.ml/click.php?cnv_id=5cdeegxrnntuo3yc54	US	—	—	malicious
2684	Extract[1].exe	GET	200	208.95.112.1:80	http://ip-api.com/xml	unknown	xml	493 b	malicious
3376	fish.exe	GET	200	65.52.153.196:80	http://madmax.utyuytjn.com/MaxMind.asmx/GetGeoInfo	NL	xml	185 b	whitelisted
3376	fish.exe	GET	200	52.166.114.5:80	http://svc-stats.linkury.com/StateStatisticsService.svc/V1/JSON/GetDistributorIdFromNameHttpGet?distributorName=APSFPango	NL	text	13 b	shared
4052	CBE6.tmp.exe	GET	302	52.174.148.190:80	http://install.portmdfmoon.com/download/APSFPango	NL	html	182 b	whitelisted
3376	fish.exe	POST	200	52.166.114.5:80	http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee	NL	text	10 b	whitelisted
3376	fish.exe	GET	200	205.185.208.154:80	http://m4y2d5k4.ssl.hwcdn.net/installer/installers-config/safefinder-ap/apsfpango/ic090120.xml	US	text	15.8 Kb	malicious
3376	fish.exe	POST	200	52.166.114.5:80	http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee	NL	text	10 b	whitelisted
3376	fish.exe	POST	200	52.166.114.5:80	http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee	NL	text	10 b	whitelisted
3376	fish.exe	GET	200	52.174.148.190:80	http://updates.utyuytjn.com/Update/CheckInstallConfig?deviceid=a6985883-ace4-b706-fafa-0ee4efb037e4&distributer=APSFPango&channelid=3&barcodeid=54565003&country=NL&encrypt=True	NL	text	263 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2684	Extract[1].exe	52.168.94.225:80	hostas5.ml	Microsoft Corporation	US	malicious
2684	Extract[1].exe	208.95.112.1:80	ip-api.com	IBURST	—	malicious
2684	Extract[1].exe	172.217.16.132:80	google-analytics.com	Google Inc.	US	whitelisted
2684	Extract[1].exe	137.117.47.68:80	osdsoft.com	Microsoft Corporation	US	malicious
2684	Extract[1].exe	52.218.192.145:443	linkury.s3-us-west-2.amazonaws.com	Amazon.com, Inc.	US	unknown
4052	CBE6.tmp.exe	172.217.16.132:80	google-analytics.com	Google Inc.	US	whitelisted
4052	CBE6.tmp.exe	52.174.148.190:80	install.portmdfmoon.com	Microsoft Corporation	NL	whitelisted
4052	CBE6.tmp.exe	205.185.208.154:80	h8y9u9b2.ssl.hwcdn.net	Highwinds Network Group, Inc.	US	malicious
3376	fish.exe	52.166.114.5:80	svc-stats.linkury.com	Microsoft Corporation	NL	whitelisted
3376	fish.exe	65.52.153.196:80	madmax.utyuytjn.com	Microsoft Corporation	NL	whitelisted

DNS requests

Domain	IP	Reputation
hostas5.ml	52.168.94.225	malicious
ip-api.com	208.95.112.1	malicious
google-analytics.com	172.217.16.132	whitelisted
osdsoft.com	137.117.47.68	whitelisted
linkury.s3-us-west-2.amazonaws.com	52.218.192.145	shared
install.portmdfmoon.com	52.174.148.190	unknown
h8y9u9b2.ssl.hwcdn.net	205.185.208.154	malicious
svc-stats.linkury.com	52.166.114.5	shared
madmax.utyuytjn.com	65.52.153.196	unknown
updates.utyuytjn.com	52.174.148.190	unknown

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET INFO DNS Query for Suspicious .ml Domain
—	—	A Network Trojan was detected	MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
—	—	A Network Trojan was detected	MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
—	—	Potential Corporate Privacy Violation	ET POLICY External IP Lookup ip-api.com
—	—	Potential Corporate Privacy Violation	AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
—	—	A Network Trojan was detected	MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
—	—	A Network Trojan was detected	MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
—	—	A Network Trojan was detected	MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
—	—	A Network Trojan was detected	MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

254 ETPRO signatures available at the full report

Add for printing

Process	Message
Extract[1].exe	[18/01/2020 11:39:49:0602] CommandLine: i
Extract[1].exe	[18/01/2020 11:39:49:0602] 4.0
Extract[1].exe	[18/01/2020 11:39:49:0774] Country: NL
Extract[1].exe	[18/01/2020 11:39:49:0774] Start count: 0
Extract[1].exe	[18/01/2020 11:39:49:0774] Start count: 0
Extract[1].exe	[18/01/2020 11:39:53:0149] SF,XtexK,multishare,MultiTimerE,XtexEU,CloudExtender,WebCompanionEU,WebCompanion,ShutdownTime,pushbot
Extract[1].exe	[18/01/2020 11:39:53:0165] SF
Extract[1].exe	[18/01/2020 11:39:53:0165] Didn't installed
Extract[1].exe	[18/01/2020 11:39:53:0165]
Extract[1].exe	[18/01/2020 11:39:54:0727]

General Info

Extract[1].exe

4872F6282C5881A74F6D18F0A89F0EE8

8937E3EF6D25A9E1EA59DB9E2EB36F49A8CF7025

A90A646476ABE504646082B8451616E5E0794A193A3A6329A03C4D53801607FB

6144:gcs6IrDlNg2oYfzUSyhD4OthcCPtAOHnQV3m0lnA:gcnINg2rzTyF4OHlW0GnA

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads the Task Scheduler COM API

Changes settings of System certificates

QWERTMINER was detected

Connects to CnC server

Downloads executable files from the Internet

Application was dropped or rewritten from another process

LINKURY was detected

GLUPTEBA was detected

Loads dropped or rewritten executable

Modifies exclusions in Windows Defender

Changes the autorun value in the registry

Uses Task Scheduler to autorun other applications

Uses Task Scheduler to run other applications

Changes AppInit_DLLs value (autorun option)

Changes internet zones settings

Starts Visual C# compiler

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the user directory

Checks for external IP

Creates files in the program directory

Adds / modifies Windows certificates

Starts itself from another location

Starts SC.EXE for service management

Creates files in the Windows directory

Executed as Windows Service

Starts application with an unusual extension

Application launched itself

Starts CMD.EXE for commands execution

Creates a software uninstall entry

Reads the machine GUID from the registry

Removes files from Windows directory

Uses NETSH.EXE for network configuration

Starts Internet Explorer

Creates files in the driver directory

Searches for installed software

Executed via Task Scheduler

Changes the started page of IE

INFO

Application launched itself

Changes internet zones settings

Creates files in the user directory

Reads settings of System Certificates

Adds / modifies Windows certificates

Reads internet explorer settings

Creates files in the program directory

Application was dropped or rewritten from another process

Changes settings of System certificates

Loads dropped or rewritten executable

Reads Internet Cache Settings

Creates a software uninstall entry

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information