Malware analysis c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455 Malicious activity

Add for printing

File name:	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455
Full analysis:	https://app.any.run/tasks/27bbfe36-aab9-4d96-ac61-39ea31939a8f
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	May 10, 2025, 06:06:32
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	autoit winring0x64-sys vuln-driver themida telegram evasion miner
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 12 sections
MD5:	608E6BC28C8DC492A1BBE983962B78FD
SHA1:	79DD9D133A4257E03127D31888E9E085ED8CBF59
SHA256:	C65EA1C461F9189510633DDD67C93CE23E84D4D81B56C8CA78553D0DEC861455
SSDEEP:	196608:51/kEaK0GvltOA7/g40GerP2o6w55IKsyLPuvfkSqlf1jm:5dkEaK0GjOAz9LWenw5hTykSef1jm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Vulnerable driver has been detected
  - Packs.exe (PID: 5964)
- MINER has been detected (SURICATA)
  - MicrosoftHost.exe (PID: 4004)
- Connects to the CnC server
  - MicrosoftHost.exe (PID: 4004)
SUSPICIOUS
- Process drops legitimate windows executable
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
  - Packs.exe (PID: 5964)
- Reads the BIOS version
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
  - audiodg.exe (PID: 1228)
- Detected use of alternative data streams (AltDS)
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
- Starts a Microsoft application from unusual location
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
- Process uses IPCONFIG to clear DNS cache
  - cmd.exe (PID: 4228)
- Potential Corporate Privacy Violation
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
  - svchost.exe (PID: 2196)
  - MicrosoftHost.exe (PID: 4004)
  - audiodg.exe (PID: 1228)
- Executable content was dropped or overwritten
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
  - Packs.exe (PID: 5964)
- Reads security settings of Internet Explorer
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
  - audiodg.exe (PID: 1228)
- Starts CMD.EXE for commands execution
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
  - AppHost.exe (PID: 4152)
- The process creates files with name similar to system file names
  - Packs.exe (PID: 5964)
- Drops a system driver (possible attempt to evade defenses)
  - Packs.exe (PID: 5964)
- Uses ICACLS.EXE to modify access control lists
  - cmd.exe (PID: 6872)
  - cmd.exe (PID: 5376)
  - cmd.exe (PID: 6148)
  - cmd.exe (PID: 2392)
  - cmd.exe (PID: 4188)
  - cmd.exe (PID: 2108)
  - cmd.exe (PID: 3888)
  - cmd.exe (PID: 4688)
  - cmd.exe (PID: 1224)
  - cmd.exe (PID: 1108)
  - cmd.exe (PID: 968)
  - cmd.exe (PID: 2316)
  - cmd.exe (PID: 2088)
  - cmd.exe (PID: 968)
  - cmd.exe (PID: 6136)
  - cmd.exe (PID: 5800)
  - cmd.exe (PID: 5960)
  - cmd.exe (PID: 864)
  - cmd.exe (PID: 7020)
  - cmd.exe (PID: 1280)
  - cmd.exe (PID: 5744)
  - cmd.exe (PID: 4004)
  - cmd.exe (PID: 6048)
  - cmd.exe (PID: 6668)
  - cmd.exe (PID: 1132)
  - cmd.exe (PID: 5124)
  - cmd.exe (PID: 4980)
  - cmd.exe (PID: 1108)
  - cmd.exe (PID: 4180)
  - cmd.exe (PID: 4620)
  - cmd.exe (PID: 2980)
  - cmd.exe (PID: 5112)
  - cmd.exe (PID: 1240)
  - cmd.exe (PID: 6344)
  - cmd.exe (PID: 1312)
  - cmd.exe (PID: 5376)
  - cmd.exe (PID: 3768)
  - cmd.exe (PID: 6004)
  - cmd.exe (PID: 6388)
  - cmd.exe (PID: 5744)
  - cmd.exe (PID: 2108)
  - cmd.exe (PID: 3140)
  - cmd.exe (PID: 6620)
  - cmd.exe (PID: 5936)
  - cmd.exe (PID: 4408)
  - cmd.exe (PID: 1628)
  - cmd.exe (PID: 2644)
  - cmd.exe (PID: 7012)
  - cmd.exe (PID: 4996)
  - cmd.exe (PID: 1012)
  - cmd.exe (PID: 1244)
  - cmd.exe (PID: 6372)
  - cmd.exe (PID: 1240)
  - cmd.exe (PID: 6344)
  - cmd.exe (PID: 4180)
  - cmd.exe (PID: 5200)
  - cmd.exe (PID: 5744)
  - cmd.exe (PID: 1348)
  - cmd.exe (PID: 2108)
  - cmd.exe (PID: 5608)
  - cmd.exe (PID: 7020)
  - cmd.exe (PID: 4688)
  - cmd.exe (PID: 6344)
  - cmd.exe (PID: 1180)
  - cmd.exe (PID: 5384)
  - cmd.exe (PID: 920)
  - cmd.exe (PID: 2084)
  - cmd.exe (PID: 1628)
  - cmd.exe (PID: 3140)
  - cmd.exe (PID: 5064)
  - cmd.exe (PID: 5744)
  - cmd.exe (PID: 6768)
  - cmd.exe (PID: 2552)
  - cmd.exe (PID: 1324)
  - cmd.exe (PID: 2236)
  - cmd.exe (PID: 4212)
  - cmd.exe (PID: 6488)
  - cmd.exe (PID: 7020)
  - cmd.exe (PID: 208)
  - cmd.exe (PID: 2108)
  - cmd.exe (PID: 2432)
- The process verifies whether the antivirus software is installed
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
  - icacls.exe (PID: 1280)
  - icacls.exe (PID: 6388)
  - icacls.exe (PID: 5680)
  - icacls.exe (PID: 1240)
  - icacls.exe (PID: 1328)
  - icacls.exe (PID: 5668)
  - icacls.exe (PID: 5936)
  - icacls.exe (PID: 664)
  - icacls.exe (PID: 5576)
  - icacls.exe (PID: 5728)
  - icacls.exe (PID: 1300)
  - icacls.exe (PID: 2984)
  - icacls.exe (PID: 6372)
  - icacls.exe (PID: 7156)
  - icacls.exe (PID: 736)
  - icacls.exe (PID: 5736)
  - icacls.exe (PID: 5112)
  - icacls.exe (PID: 744)
  - icacls.exe (PID: 1244)
- Found strings related to reading or modifying Windows Defender settings
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
- Checks for external IP
  - svchost.exe (PID: 2196)
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
- Connects to unusual port
  - MicrosoftHost.exe (PID: 4004)
INFO
- Reads mouse settings
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
  - audiodg.exe (PID: 1228)
- The sample compiled with english language support
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
  - Packs.exe (PID: 5964)
- Checks supported languages
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
  - Packs.exe (PID: 5964)
  - AppHost.exe (PID: 4152)
  - audiodg.exe (PID: 1228)
  - MicrosoftHost.exe (PID: 4004)
- Creates files in the program directory
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
  - Packs.exe (PID: 5964)
- Reads the computer name
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
  - Packs.exe (PID: 5964)
  - audiodg.exe (PID: 1228)
  - MicrosoftHost.exe (PID: 4004)
- Checks proxy server information
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
  - audiodg.exe (PID: 1228)
- Create files in a temporary directory
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
- The sample compiled with japanese language support
  - Packs.exe (PID: 5964)
- Creates files or folders in the user directory
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
  - audiodg.exe (PID: 1228)
- Reads the machine GUID from the registry
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
  - audiodg.exe (PID: 1228)
- The process uses AutoIt
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
- Reads product name
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
- Themida protector has been detected
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
- Reads Environment values
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
- Reads the software policy settings
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
- Attempting to use instant messaging service
  - svchost.exe (PID: 2196)
- Reads CPU info
  - c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe (PID: 2140)
  - audiodg.exe (PID: 1228)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2025:04:28 07:28:21+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.16
CodeSize:	734208
InitializedDataSize:	16238080
UninitializedDataSize:	-
EntryPoint:	0x17e5478
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	25.0.0.2025
ProductVersionNumber:	25.0.0.2025
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	COM Surrogate
FileVersion:	25.0.0.2025
InternalName:	dllhost.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	dllhost.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	25.0.0.2025

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

400

Monitored processes

268

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

208

C:\WINDOWS\system32\cmd.exe /c icacls "C:\Program Files\EnigmaSoft" /deny "%username%":(OI)(CI)(F)

C:\Windows\System32\cmd.exe

—

c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

300

icacls "c:\Program Files\Transmission" /deny "admin":(OI)(CI)(F)

C:\Windows\System32\icacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

664

icacls "C:\Program Files (x86)\AVG" /deny "admin":(OI)(CI)(F)

C:\Windows\System32\icacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

668

C:\WINDOWS\system32\cmd.exe " /c " & "icacls "C:\KVRT2020_Data" /deny "%username%":(OI)(CI)(F)

C:\Windows\System32\cmd.exe

—

c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

680

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

680

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

680

icacls "C:\Program Files\Process Hacker 2" /deny "admin":(OI)(CI)(F)

C:\Windows\System32\icacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

736

icacls "C:\Program Files\Bitdefender Agent" /deny "admin":(OI)(CI)(F)

C:\Windows\System32\icacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

744

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

744

icacls "C:\Program Files (x86)\Panda Security" /deny "admin":(OI)(CI)(F)

C:\Windows\System32\icacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

6 224

Read events

6 218

Write events

Delete events

Modification events


(PID) Process:	(2140) c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2140) c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2140) c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1228) audiodg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1228) audiodg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1228) audiodg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	C:\Users\admin\AppData\Local\Temp\autFFED.tmp		executable
		MD5:EB03DB9CC7EC1E30171823523C5859B3	SHA256:3061ED1FF6063B4E82D2D835C6DEC87C755225995726DB0B812F9C613DB25020
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	C:\ProgramData\Setup\Packs.exe		executable
		MD5:EB03DB9CC7EC1E30171823523C5859B3	SHA256:3061ED1FF6063B4E82D2D835C6DEC87C755225995726DB0B812F9C613DB25020
5964	Packs.exe	C:\ProgramData\WindowsTask\audiodg.exe		executable
		MD5:0415EA19154DAF968C4080B9954C29E3	SHA256:5A497DB8CBF707BA0C5EAE9D92327AF234421FFF7A8075115F140D4DA1D6B8A7
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8		binary
		MD5:1FBB37F79B317A9A248E7C4CE4F5BAC5	SHA256:9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F
5964	Packs.exe	C:\ProgramData\WindowsTask\MicrosoftHost.exe		executable
		MD5:7C4884F067E34D59C685665A7A8EB8DD	SHA256:12A209356DB82DC1FC47DA0A9A146096F6A9E7CD99E2EC71D513F394B57FC5F8
5964	Packs.exe	C:\ProgramData\WindowsTask\WinRing0x64.sys		executable
		MD5:0C0195C48B6B8582FA6F6373032118DA	SHA256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12		binary
		MD5:4A90329071AE30B759D279CCA342B0A6	SHA256:4F544379EDA8E2653F71472AB968AEFD6B5D1F4B3CE28A5EDB14196184ED3B60
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\durum[1].htm		text
		MD5:98B3551BF4C678ADAC8CC65F4B892D1A	SHA256:19E284911F4377A5A64B40A4F5CD3D7D6F06358562C1322269C9424AFE8ACF9D
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	C:\Users\admin\AppData\Local\Temp\autB9C8.tmp		binary
		MD5:52B38C5025C2ECFA9A101E97CC48BFDF	SHA256:D35F48DF7A4B20E7213B9530A9401F52D8EEEF833EFD0836583A841835BAFDC1
1228	audiodg.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\list[2].txt		text
		MD5:F69C54FC9E97F4CC76749B0C0E077A16	SHA256:103D023B4235018CC1FD9D67FBE7BD77FF9F5B8D89A2958DF9B5D1E82C31463B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	GET	302	162.255.119.99:80	http://ftpsystem.xyz/magicx.html	unknown	—	—	malicious
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	GET	436	91.195.240.19:80	http://www.ftpsystem.xyz/magicx.html	unknown	—	—	malicious
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	GET	200	172.67.137.115:80	http://magicam.xyz/magicx/durum.html	unknown	—	—	unknown
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	GET	200	172.67.137.115:80	http://magicam.xyz/list.txt	unknown	—	—	unknown
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
856	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	GET	200	172.67.137.115:80	http://magicam.xyz/magicx/CX1.html	unknown	—	—	unknown
856	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1196	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.160.130:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	216.58.212.174	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
login.live.com	20.190.160.130 40.126.32.68 20.190.160.131 20.190.160.22 20.190.160.66 40.126.32.74 20.190.160.67 40.126.32.138 40.126.31.1 20.190.159.131 40.126.31.130 40.126.31.129 20.190.159.0 40.126.31.3 40.126.31.67 20.190.159.73	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
ftpsystem.xyz	162.255.119.99	malicious
www.ftpsystem.xyz	91.195.240.19	malicious
magicam.xyz	172.67.137.115 104.21.78.204	unknown

Threats

PID	Process	Class	Message
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	Potential Corporate Privacy Violation	ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	Potential Corporate Privacy Violation	ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	Potential Corporate Privacy Violation	ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	Potential Corporate Privacy Violation	ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	Potential Corporate Privacy Violation	ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	Misc activity	ET INFO Namecheap URL Forward
2196	svchost.exe	Potential Corporate Privacy Violation	POLICY [ANY.RUN] IP Checker (iplogger .co)
2140	c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455.exe	A Network Trojan was detected	ET MALWARE System Information Being Sent in User-Agent
2196	svchost.exe	Misc activity	SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2196	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup

Add for printing

No debug info

General Info

c65ea1c461f9189510633ddd67c93ce23e84d4d81b56c8ca78553d0dec861455

608E6BC28C8DC492A1BBE983962B78FD

79DD9D133A4257E03127D31888E9E085ED8CBF59

C65EA1C461F9189510633DDD67C93CE23E84D4D81B56C8CA78553D0DEC861455

196608:51/kEaK0GvltOA7/g40GerP2o6w55IKsyLPuvfkSqlf1jm:5dkEaK0GjOAz9LWenw5hTykSef1jm

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Vulnerable driver has been detected

MINER has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Process drops legitimate windows executable

Reads the BIOS version

Detected use of alternative data streams (AltDS)

Starts a Microsoft application from unusual location

Process uses IPCONFIG to clear DNS cache

Potential Corporate Privacy Violation

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

The process creates files with name similar to system file names

Drops a system driver (possible attempt to evade defenses)

Uses ICACLS.EXE to modify access control lists

The process verifies whether the antivirus software is installed

Found strings related to reading or modifying Windows Defender settings

Checks for external IP

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Connects to unusual port

INFO

Reads mouse settings

The sample compiled with english language support

Checks supported languages

Creates files in the program directory

Reads the computer name

Checks proxy server information

Create files in a temporary directory

The sample compiled with japanese language support

Creates files or folders in the user directory

Reads the machine GUID from the registry

The process uses AutoIt

Reads product name

Themida protector has been detected

Reads Environment values

Reads the software policy settings

Attempting to use instant messaging service

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information