| Field | Value |
|---|---|
| File name | 2.png |
| Full analysis | https://app.any.run/tasks/e57b87df-c3fd-4e46-b3ef-582383511d2b |
| Verdict | Malicious activity |
| Analysis date | April 15, 2024, 12:48:07 |
| OS | Windows 10 Professional (build: 19045, 32 bit) |
| Indicators | |
| MIME | image/png |
| File info | PNG image data, 1920 x 1080, 8-bit/color RGBA, non-interlaced |
| MD5 | 635B5134EE98789357540F7E1587940A |
| SHA1 | C25B1CF60A32C76C277925A80F3684781C07AA38 |
| SHA256 | AE0B93762CF191C465CBE0F105A194C0C6D1DC61E273EDFAA144873B65EBA6A3 |
| SSDEEP | 12288:v/ii4HEgZt3I3f+jarVfXwhhCsPj4IMb9jtzwSe:v/ii4kgZt3I3f+jaRfXFsPj4IMb9jtz8 |

| Metadata field | Value |
|---|---|
| Extension | .png |
| File type | Portable Network Graphics (100) |
| ImageWidth | 1920 |
| ImageHeight | 1080 |
| BitDepth | 8 |
| ColorType | RGB with Alpha |
| Compression | Deflate/Inflate |
| Filter | Adaptive |
| Interlace | Noninterlaced |
| SignificantBits | 8 8 8 8 |
| Software | gnome-screenshot |
| CreationTime | Пт 22 дек 2023 09:38:09 |
| ImageSize | 1920x1080 |
| Megapixels | 2.1 |

| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3404 | "C:\Program Files\Microsoft Update Health Tools\uhssvc.exe" | C:\Program Files\Microsoft Update Health Tools\uhssvc.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft Update Health Service; Version: 10.0.19041.3626 (WinBuild.160101.0800) |
| 4064 | wmiadap.exe /F /T /R | C:\Windows\System32\wbem\WMIADAP.exe | — | svchost.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: WMI Reverse Performance Adapter Maintenance Utility; Exit code: 0; Version: 10.0.19041.3996 (WinBuild.160101.0800) |
| 4744 | C:\WINDOWS\system32\SecurityHealthService.exe | C:\Windows\System32\SecurityHealthService.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows Security Health Service; Version: 4.18.1907.16384 (WinBuild.160101.0800) |
| 6064 | "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\2.png | C:\Windows\System32\rundll32.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Version: 10.0.19041.1 (WinBuild.160101.0800) |

| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 3404 | uhssvc.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Remediation\LocalState\TelemetryUpdateHealthTools | write | GlobalEventCounter | 1100000000000000 |
| 3404 | uhssvc.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Remediation\LocalState\TelemetryUpdateHealthTools | write | GlobalEventCounter | 1200000000000000 |
| 6064 | rundll32.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithProgids | write | PhotoViewer.FileAssoc.Tiff | |
| 6064 | rundll32.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | write | C:\Program Files\Windows Photo Viewer\PhotoViewer.dll.FriendlyAppName | Windows Photo Viewer |
| 6064 | rundll32.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | write | C:\Program Files\Windows Photo Viewer\PhotoViewer.dll.ApplicationCompany | Microsoft Corporation |
| 6064 | rundll32.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | write | C:\WINDOWS\system32\mspaint.exe.FriendlyAppName | Paint |
| 6064 | rundll32.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | write | C:\WINDOWS\system32\mspaint.exe.ApplicationCompany | Microsoft Corporation |
| 6064 | rundll32.exe | HKEY_CLASSES_ROOT\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ScreenSketch_10.1907.2471.0_x86__8wekyb3d8bbwe%5Cmicrosoft.system.package.metadata%5CS-1-5-21-3775154099-3075979740-599700546-1001-MergedResources-0.pri\1d5aca39d46a865\55e3c056 | write | @{microsoft.screensketch_10.1907.2471.0_x86__8wekyb3d8bbwe?ms-resource://microsoft.screensketch/files/assets/screensketchsquare44x44logo.png} | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x86__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-16_contrast-black.png |
| 4064 | WMIADAP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib | write | Updating | WmiApRpl |
| 4064 | WMIADAP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib | write | Last Counter | 7882 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3404 | uhssvc.exe | C:\Program Files\Microsoft Update Health Tools\Logs\UpdateHealthTools.006.etl | etl | — | — |
| 3404 | uhssvc.exe | C:\Program Files\Microsoft Update Health Tools\Logs\UpdateHealthTools.005.etl | etl | — | — |
| 3404 | uhssvc.exe | C:\Program Files\Microsoft Update Health Tools\Logs\UpdateHealthTools.004.etl | etl | — | — |
| 3404 | uhssvc.exe | C:\Program Files\Microsoft Update Health Tools\Logs\UpdateHealthTools.003.etl | etl | — | — |
| 3404 | uhssvc.exe | C:\Program Files\Microsoft Update Health Tools\Logs\UpdateHealthTools.002.etl | etl | — | — |
| 4064 | WMIADAP.exe | C:\WINDOWS\system32\wbem\Performance\WmiApRpl_new.h | text | — | — |
| 4064 | WMIADAP.exe | C:\Windows\System32\wbem\Performance\WmiApRpl.h | text | — | — |
| 4064 | WMIADAP.exe | C:\WINDOWS\system32\wbem\Performance\WmiApRpl_new.ini | text | — | — |
| 4064 | WMIADAP.exe | C:\Windows\System32\wbem\Performance\WmiApRpl.ini | text | — | — |
| 4064 | WMIADAP.exe | C:\WINDOWS\system32\perfc009.dat | binary | — | — |