File name: SmoothWizard_SETUP_PL.exe

Full analysis: https://app.any.run/tasks/cd482911-afd3-4d8a-9474-3def45917069
Verdict: Malicious activity
Analysis date: December 29, 2024, 19:07:42
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: xor-url, generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: CC0634071F925A01990000C38FC52354
SHA1: 6D3E1961C7B34B3D4C4E71FFBA14AF514EDA94C5
SHA256: AC1FA094E05C44748C641DAD1809794EEE8617708D164CCB7D4E1BA46EAA6BE9
SSDEEP: 98304:XsHZNsWAMsdYosZ8mPOQqs4EEsuYyi1Tlb0svNsvaJAsBdaOvzVJ4/7Mxxc3/wKo:x7WSBk

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • XORed URL has been found (YARA)

      • smoothwizard.exe (PID: 4640)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • SmoothWizard_SETUP_PL.exe (PID: 6508)
    • Reads security settings of Internet Explorer

      • SmoothWizard_SETUP_PL.exe (PID: 6508)
      • smoothwizard.exe (PID: 4640)
    • Executable content was dropped or overwritten

      • SmoothWizard_SETUP_PL.exe (PID: 6508)
    • The process creates files with name similar to system file names

      • SmoothWizard_SETUP_PL.exe (PID: 6508)
    • Searches for installed software

      • SmoothWizard_SETUP_PL.exe (PID: 6508)
    • Creates a software uninstall entry

      • SmoothWizard_SETUP_PL.exe (PID: 6508)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 5256)
    • Starts CMD.EXE for commands execution

      • smoothwizard.exe (PID: 4640)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 6804)
    • Starts POWERSHELL.EXE for commands execution

      • smoothwizard.exe (PID: 4640)
      • powershell.exe (PID: 2424)
      • powershell.exe (PID: 5268)
      • powershell.exe (PID: 4056)
      • powershell.exe (PID: 3936)
      • powershell.exe (PID: 6668)
    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 5268)
      • powershell.exe (PID: 2424)
      • powershell.exe (PID: 4056)
      • powershell.exe (PID: 3936)
      • powershell.exe (PID: 6668)
    • Application launched itself

      • powershell.exe (PID: 5268)
      • powershell.exe (PID: 2424)
      • powershell.exe (PID: 3936)
      • powershell.exe (PID: 4056)
      • powershell.exe (PID: 6668)
    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 2424)
      • smoothwizard.exe (PID: 4640)
      • powershell.exe (PID: 3936)
      • powershell.exe (PID: 5268)
      • powershell.exe (PID: 6668)
      • powershell.exe (PID: 4056)
    • The process executes Powershell scripts

      • smoothwizard.exe (PID: 4640)
    • Reads binary file using Get-Content

      • powershell.exe (PID: 2424)
      • powershell.exe (PID: 5268)
      • powershell.exe (PID: 4056)
      • powershell.exe (PID: 3936)
      • powershell.exe (PID: 6668)
    • Uses powercfg.exe to modify the power settings

      • powershell.exe (PID: 6688)
      • powershell.exe (PID: 5920)
      • powershell.exe (PID: 3680)
      • powershell.exe (PID: 6856)
      • powershell.exe (PID: 2996)
      • powershell.exe (PID: 2292)
      • powershell.exe (PID: 6328)
  • INFO

    • Reads the computer name

      • SmoothWizard_SETUP_PL.exe (PID: 6508)
      • smoothwizard.exe (PID: 4640)
    • Checks supported languages

      • SmoothWizard_SETUP_PL.exe (PID: 6508)
      • smoothwizard.exe (PID: 4640)
    • Creates files in the program directory

      • SmoothWizard_SETUP_PL.exe (PID: 6508)
      • smoothwizard.exe (PID: 4640)
    • Reads the machine GUID from the registry

      • SmoothWizard_SETUP_PL.exe (PID: 6508)
      • smoothwizard.exe (PID: 4640)
    • Disables trace logs

      • SmoothWizard_SETUP_PL.exe (PID: 6508)
      • smoothwizard.exe (PID: 4640)
    • Checks proxy server information

      • SmoothWizard_SETUP_PL.exe (PID: 6508)
      • smoothwizard.exe (PID: 4640)
    • Reads the software policy settings

      • SmoothWizard_SETUP_PL.exe (PID: 6508)
      • smoothwizard.exe (PID: 4640)
    • Creates files or folders in the user directory

      • SmoothWizard_SETUP_PL.exe (PID: 6508)
      • smoothwizard.exe (PID: 4640)
    • The process uses the downloaded file

      • SmoothWizard_SETUP_PL.exe (PID: 6508)
      • powershell.exe (PID: 2144)
      • powershell.exe (PID: 2072)
      • powershell.exe (PID: 3692)
      • powershell.exe (PID: 1156)
      • powershell.exe (PID: 4036)
    • Process checks computer location settings

      • SmoothWizard_SETUP_PL.exe (PID: 6508)
    • Reads Environment values

      • smoothwizard.exe (PID: 4640)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6804)
    • Manual execution by a user

      • chrome.exe (PID: 6288)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6248)
      • powershell.exe (PID: 1304)
      • powershell.exe (PID: 2424)
      • powershell.exe (PID: 5268)
      • powershell.exe (PID: 3936)
      • powershell.exe (PID: 4056)
      • powershell.exe (PID: 6668)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • smoothwizard.exe (PID: 4640)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6704)
      • powershell.exe (PID: 6920)
      • powershell.exe (PID: 6660)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 3564)
    • The sample compiled with english language support

      • chrome.exe (PID: 3564)
    • Application launched itself

      • chrome.exe (PID: 6288)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (49.4)
.scr | Windows screen saver (23.4)
.dll | Win32 Dynamic Link Library (generic) (11.7)
.exe | Win32 Executable (generic) (8)
.exe | Generic Win/DOS Executable (3.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2038:06:21 21:44:28+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 5290496
InitializedDataSize: 17920
UninitializedDataSize: -
EntryPoint: 0x50d8ae
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: App that will boost fps in games and optimize pc performance
CompanyName: SkullMedia Artur Spychalski
FileDescription: SmoothWizard_SETUP
FileVersion: 1.0.0.0
InternalName: SmoothWizard_SETUP.exe
LegalCopyright: Copyright © SmoothWizard 2023
LegalTrademarks: SmoothWizard
OriginalFileName: SmoothWizard_SETUP.exe
ProductName: SmoothWizard_SETUP
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
All screenshots are available in the full report
Total processes: 227
Monitored processes: 90
Malicious processes: 2
Suspicious processes: 5

Behavior graph

Interactive graph available in the full report. Process chain shown: smoothwizard_setup_pl.exe (#XOR-URL) -> smoothwizard.exe -> cmd.exe, conhost.exe, wmic.exe, reg.exe, multiple powershell.exe and powercfg.exe instances, and chrome.exe (most marked "no specs").

Process information

PID
CMD
Path
Indicators
Parent process
PID: 768
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1156
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1200
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1976 --field-trial-handle=1980,i,15973381902351304814,15116586681090652283,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Version: 122.0.6261.70
Modules (Images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1304
CMD: "powershell.exe" -Command Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -Name 'PowerThrottling' | Select-Object -ExpandProperty PowerThrottling
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: smoothwizard.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
PID: 1304
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5648 --field-trial-handle=1980,i,15973381902351304814,15116586681090652283,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 122.0.6261.70
Modules (Images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1348
CMD: "powershell.exe" -Command Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching' -Name 'SearchOrderConfig' | Select-Object -ExpandProperty SearchOrderConfig
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: smoothwizard.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\ucrtbase.dll
PID: 1684
CMD: "C:\WINDOWS\system32\powercfg.exe" -list
Path: C:\Windows\System32\powercfg.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
PID: 1768
CMD: "C:\WINDOWS\system32\powercfg.exe" -setactive 381b4222-f694-41f0-9685-ff5bb260df2e
Path: C:\Windows\System32\powercfg.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
PID: 2072
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2128
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5480 --field-trial-handle=1980,i,15973381902351304814,15116586681090652283,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 122.0.6261.70
Modules (Images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events: 137 359
Read events: 137 288
Write events: 64
Delete events: 7

Modification events

(PID) Process: (6508) SmoothWizard_SETUP_PL.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SmoothWizard_SETUP_PL_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (6508) SmoothWizard_SETUP_PL.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SmoothWizard_SETUP_PL_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (6508) SmoothWizard_SETUP_PL.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SmoothWizard_SETUP_PL_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (6508) SmoothWizard_SETUP_PL.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SmoothWizard_SETUP_PL_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (6508) SmoothWizard_SETUP_PL.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SmoothWizard_SETUP_PL_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (6508) SmoothWizard_SETUP_PL.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SmoothWizard_SETUP_PL_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (6508) SmoothWizard_SETUP_PL.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SmoothWizard_SETUP_PL_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (6508) SmoothWizard_SETUP_PL.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SmoothWizard_SETUP_PL_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (6508) SmoothWizard_SETUP_PL.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SmoothWizard_SETUP_PL_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (6508) SmoothWizard_SETUP_PL.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SmoothWizard_SETUP_PL_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files: 52
Suspicious files: 192
Text files: 124
Unknown types: 0

Dropped files

PID
Process
Filename
Type
6508 | SmoothWizard_SETUP_PL.exe | C:\Program Files\SmoothWizard\installdata\Fleck.dll | executable
MD5:762C03BEAD3B7272A73DACEFE453E227
SHA256:CB7A00483B356751E4722471B770294BE03AEC809D4AF7A7A0B2DC1FCA289937
6508 | SmoothWizard_SETUP_PL.exe | C:\Program Files\SmoothWizard\installdata.zip | compressed
MD5:F2C211635ECE5BECCDBEEB966D46B7F4
SHA256:D8EEDEE5F59100D557930698809A284F8CE2374BF32AB1980AEA235DD66572D0
6508 | SmoothWizard_SETUP_PL.exe | C:\Program Files\SmoothWizard\installdata\BlurryControls.dll | executable
MD5:635E87C0BFCA0715EA5FA77D5D993A05
SHA256:269D5A890A1BFB4F7DD9AF355DD8DE07EE4A1666C3014789A25D1DF7AF496619
6508 | SmoothWizard_SETUP_PL.exe | C:\Program Files\SmoothWizard\installdata\HandyControl.dll | executable
MD5:DA1C043707E584D9ECD7193E128544A1
SHA256:85E89A1143FCE4057E0B35E5AF3FFD9E60889C86C807382ED8DA0EAFFF983B97
6508 | SmoothWizard_SETUP_PL.exe | C:\Program Files\SmoothWizard\installdata\de\Microsoft.Win32.TaskScheduler.resources.dll | executable
MD5:C9B4EAED07EF72E5ED0F9ECB3E9FFB66
SHA256:B2996E6B102FE829B5683936DD7197F26F375EA16499CC4E6AF88E78538B9FF1
6508 | SmoothWizard_SETUP_PL.exe | C:\Program Files\SmoothWizard\installdata\HandyControl.xml | xml
MD5:BE96CD8C310A4E9E76FC5B8255A384C7
SHA256:4663FE7A81DA2969F1814B7C9C28A6896C1EAEC99F0889549772E8EB5FE9311D
6508 | SmoothWizard_SETUP_PL.exe | C:\Program Files\SmoothWizard\installdata\Hardcodet.NotifyIcon.Wpf.xml | xml
MD5:9678A85F3BBBF57AA1975E83F0C9A0B9
SHA256:DE29A061FAA332089C080B2BB2E99FCDFD00D2D9AA9CB1A10B26B03078DDD644
6508 | SmoothWizard_SETUP_PL.exe | C:\Program Files\SmoothWizard\installdata\Hardcodet.NotifyIcon.Wpf.dll | executable
MD5:4428D7F25EC3B9EA766BE31D634B92F0
SHA256:C6F5A071A273706A834BFB0F499B4A76E5247297E94C0DF6CE8217BB074F3329
6508 | SmoothWizard_SETUP_PL.exe | C:\Program Files\SmoothWizard\installdata\ArmDot.Client.dll | executable
MD5:E813BF95F9541F86D7E4A60E8BE815A5
SHA256:9295CE42A570A43EB8CC5EEE418BCA98DE7258873FCB543E57CF9F4430967403
6508 | SmoothWizard_SETUP_PL.exe | C:\Program Files\SmoothWizard\installdata\Microsoft.Win32.TaskScheduler.xml | xml
MD5:BB2A97890DDC0672EFA28CA4B583A414
SHA256:EC763C1F4FD9A970EFEA78E4BD9998A31B3E987A88E8E6BB58074E12F40722CA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 33
TCP/UDP connections: 51
DNS requests: 39
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.21.20.133:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6592
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
624
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
624
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3992
svchost.exe
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3
unknown
whitelisted
3992
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3
unknown
whitelisted
3992
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.21.20.133:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6060
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
104.126.37.146:443
www.bing.com
Akamai International B.V.
DE
whitelisted
1176
svchost.exe
20.190.160.14:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain: IP addresses (Reputation)
crl.microsoft.com: 2.21.20.133, 2.21.20.137 (whitelisted)
www.microsoft.com: 184.30.21.171, 88.221.169.152 (whitelisted)
google.com: 216.58.206.46 (whitelisted)
www.bing.com: 104.126.37.146, 104.126.37.176, 104.126.37.137, 104.126.37.153, 104.126.37.169, 104.126.37.136, 104.126.37.139, 104.126.37.145, 104.126.37.152 (whitelisted)
login.live.com: 20.190.160.14, 40.126.32.72, 40.126.32.76, 40.126.32.134, 40.126.32.138, 40.126.32.140, 40.126.32.74, 20.190.160.20 (whitelisted)
ocsp.digicert.com: 192.229.221.95 (whitelisted)
go.microsoft.com: 23.35.238.131 (whitelisted)
api.smoothwizard.com: 147.79.113.74 (unknown)
app.smoothwizard.com: 104.26.13.129, 172.67.73.252, 104.26.12.129 (unknown)
settings-win.data.microsoft.com: 51.104.136.2 (whitelisted)

Threats

No threats detected
No debug info