File name: CXK-NMSL V3.3.15.exe

Full analysis: https://app.any.run/tasks/1124955f-e61c-49a4-b5bd-61ecdcbed307
Verdict: Malicious activity
Analysis date: November 10, 2024, 19:44:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: F88969F9AC259B022FC461DE66EB4229
SHA1: 6F352468FF647651EFA25F2762B278412EDA9239
SHA256: C819B0EDBC48C5CB6B1FD3A16B80549CEFB12AE333A250D59C3B25ED018008B8
SSDEEP: 98304:8lNZ/ToyuYH3fwnJPev0JXD4BnDKSrITHUZOtkkLtMcskDNTQtj3kOlsfHupIZh7:3UnZjDpAPDaB2pQe9T21m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • xls.exe (PID: 6324)
    • Renames files like ransomware

      • cmd.exe (PID: 6236)
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • cmd.exe (PID: 6236)
    • Reads security settings of Internet Explorer

      • CXK-NMSL V3.3.15.exe (PID: 5516)
    • Starts CMD.EXE for commands execution

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • xls.exe (PID: 6324)
      • mshta.exe (PID: 3952)
      • cmd.exe (PID: 4292)
    • Decoding a file from Base64 using CertUtil

      • cmd.exe (PID: 5084)
    • Executable content was dropped or overwritten

      • xls.exe (PID: 6324)
      • certutil.exe (PID: 6692)
      • cmd.exe (PID: 6236)
    • Executing commands from a ".bat" file

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • xls.exe (PID: 6324)
      • cmd.exe (PID: 4292)
      • mshta.exe (PID: 3952)
    • The executable file from the user directory is run by the CMD process

      • xls.exe (PID: 6324)
    • Application launched itself

      • cmd.exe (PID: 4292)
    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 3952)
  • INFO

    • Checks supported languages

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • xls.exe (PID: 6324)
    • Create files in a temporary directory

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • certutil.exe (PID: 6692)
      • xls.exe (PID: 6324)
    • Process checks computer location settings

      • CXK-NMSL V3.3.15.exe (PID: 5516)
    • Reads the computer name

      • CXK-NMSL V3.3.15.exe (PID: 5516)
    • The process uses the downloaded file

      • CXK-NMSL V3.3.15.exe (PID: 5516)
      • mshta.exe (PID: 3952)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 3952)
    • Checks proxy server information

      • mshta.exe (PID: 3952)
    • Creates files or folders in the user directory

      • xls.exe (PID: 6324)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:10:04 15:12:31+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 69632
InitializedDataSize: 4096
UninitializedDataSize: 69632
EntryPoint: 0x22140
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 16.4.0.0
ProductVersionNumber: 16.4.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Igor Pavlov
FileDescription: 7z Setup SFX
FileVersion: 16.04
InternalName: 7zS.sfx
LegalCopyright: Copyright (c) 1999-2016 Igor Pavlov
OriginalFileName: 7zS.sfx.exe
ProductName: 7-Zip
ProductVersion: 16.04
No data.
Total processes: 173
Monitored processes: 44
Malicious processes: 4
Suspicious processes: 3

Behavior graph

start cxk-nmsl v3.3.15.exe cmd.exe no specs conhost.exe no specs certutil.exe xls.exe conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs mshta.exe no specs cmd.exe conhost.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs sppextcomobj.exe no specs slui.exe no specs cxk-nmsl v3.3.15.exe no specs

Process information

PID: 1572
CMD: certutil -encode "melife.png.cxkdata" "melife.png.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CertUtil.exe
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\certutil.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\advapi32.dll
  c:\windows\syswow64\msvcrt.dll

PID: 1744
CMD: certutil -encode "Database1.accdb.cxkdata" "Database1.accdb.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CertUtil.exe
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\certutil.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\advapi32.dll
  c:\windows\syswow64\msvcrt.dll

PID: 1768
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: xls.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll

PID: 2376
CMD: certutil -encode "ujuly.png.cxkdata" "ujuly.png.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CertUtil.exe
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\certutil.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\advapi32.dll
  c:\windows\syswow64\msvcrt.dll

PID: 3028
CMD: certutil -encode "justposts.rtf.cxkdata" "justposts.rtf.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CertUtil.exe
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\certutil.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\advapi32.dll
  c:\windows\syswow64\msvcrt.dll

PID: 3104
CMD: certutil -encode "CXK-NMSL V3.3.15.exe.cxkdata" "CXK-NMSL V3.3.15.exe.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CertUtil.exe
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\certutil.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\advapi32.dll
  c:\windows\syswow64\msvcrt.dll

PID: 3600
CMD: certutil -encode "artistsshall.png.cxkdata" "artistsshall.png.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CertUtil.exe
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\certutil.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\advapi32.dll
  c:\windows\syswow64\msvcrt.dll

PID: 3620
CMD: certutil -encode "Desktop.lnk.cxkdata" "Desktop.lnk.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CertUtil.exe
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\certutil.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\advapi32.dll
  c:\windows\syswow64\msvcrt.dll

PID: 3700
CMD: certutil -encode "Bing.url.cxkdata" "Bing.url.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CertUtil.exe
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\certutil.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\advapi32.dll
  c:\windows\syswow64\msvcrt.dll

PID: 3764
CMD: certutil -encode "acceptedshe.rtf.cxkdata" "acceptedshe.rtf.cxk_nmsl"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CertUtil.exe
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\certutil.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\advapi32.dll
  c:\windows\syswow64\msvcrt.dll
Total events: 3,064
Read events: 3,056
Write events: 8
Delete events: 0

Modification events

(PID) Process: (6692) certutil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7
Operation: write
Name: Name
Value: szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION

(PID) Process: (6692) certutil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7
Operation: write
Name: Name
Value: szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION

(PID) Process: (6692) certutil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7
Operation: write
Name: Name
Value: szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL

(PID) Process: (3952) mshta.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value: Windows Command Processor

(PID) Process: (3952) mshta.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value: Microsoft Corporation

(PID) Process: (3952) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3952) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3952) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 3
Suspicious files: 4
Text files: 55
Unknown types: 0

Dropped files

PID: 5516
Process: CXK-NMSL V3.3.15.exe
Filename: C:\Users\admin\AppData\Local\Temp\7zSC8511AC8\xls.bat
Type: -
MD5:
SHA256:

PID: 6324
Process: xls.exe
Filename: C:\Users\admin\AppData\Roaming\CXK-NMSL\CXK-NMSL.bat
Type: -
MD5:
SHA256:

PID: 3104
Process: certutil.exe
Filename: C:\Users\admin\Desktop\CXK-NMSL V3.3.15.exe.cxk_nmsl
Type: -
MD5:
SHA256:

PID: 6324
Process: xls.exe
Filename: C:\Users\admin\AppData\Roaming\CXK-NMSL\fuze.bat
Type: text
MD5: 0B8842E301EB2249A2C842B336B99104
SHA256: 96C6A0418CA13678A789D651E32198BDF674D49BC02B8EDF821CFC7F752F1303

PID: 6236
Process: cmd.exe
Filename: C:\Users\admin\Desktop\systemsettings.rtf.cxkdata
Type: text
MD5: F32EA1B3BA6785B3C74B4A9EBE63FE87
SHA256: 7C8A09C83C0A1F03D5399AA790ED790FFC38EF2833A40E0D2F1AB62A23A3D1AC

PID: 6236
Process: cmd.exe
Filename: C:\Users\admin\Desktop\acceptedshe.rtf.cxkdata
Type: text
MD5: C1D4727AD2328CB2339EB204F0BC9363
SHA256: 01ADC09F410F922F06C4F7D328724BC0DDD5F7629C0B01099B5824768862722C

PID: 6236
Process: cmd.exe
Filename: C:\Users\admin\Desktop\horsenumber.rtf.cxkdata
Type: text
MD5: CF059700E4AC1DB0F4B97BA2C015BBE9
SHA256: 5B0AA44F9B88A583BC2837FA165C987340E2A63388E1DFD5F023B967C8A7C509

PID: 6236
Process: cmd.exe
Filename: C:\Users\admin\Desktop\justposts.rtf.cxkdata
Type: text
MD5: 4AA194810BBA65AF6AE1F8AFC4D5DE37
SHA256: 96DB512E3D42F17376A8A08C2019A52A8E35DEB3BEB86626A201C25BE5167624

PID: 4236
Process: certutil.exe
Filename: C:\Users\admin\Desktop\aboutproduct.jpg.cxk_nmsl
Type: text
MD5: 63CCD80F5AC3831AC1FF2B65BBE4CEFB
SHA256: 21B9FB26BBD73A796F3CAC1C4BB277E509C216B52715BBEBADFECBFD169F8102

PID: 6324
Process: xls.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartMBR.bat
Type: text
MD5: 4B6705078CC834AC06CF5BF14F325DB8
SHA256: 5D1E638A00005EEF0272D04E7A143926247696D576FF6A9DD2F08CBC6C0A4AEA
HTTP(S) requests: 7
TCP/UDP connections: 40
DNS requests: 21
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 2.16.110.146:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
- | - | 40.126.32.140:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.16.110.145:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 23.52.121.103:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.104.136.2, 4.231.128.59 | whitelisted
crl.microsoft.com | 23.53.40.178, 23.53.40.176 | whitelisted
www.microsoft.com | 23.52.120.96 | whitelisted
google.com | 142.250.184.238 | whitelisted
www.bing.com | 2.16.110.146, 2.16.110.145, 2.16.110.154, 2.16.110.155, 2.16.110.168, 2.16.110.153, 2.16.110.160, 2.16.110.162, 2.16.110.144 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 40.126.32.140, 40.126.32.68, 40.126.32.136, 40.126.32.133, 20.190.160.22, 40.126.32.138, 40.126.32.134, 40.126.32.74 | whitelisted
th.bing.com | 2.16.110.145, 2.16.110.136, 2.16.110.153, 2.16.110.130, 2.16.110.138, 2.16.110.146, 2.16.110.121, 2.16.110.144, 2.16.110.123 | whitelisted
go.microsoft.com | 23.52.121.103 | whitelisted
client.wns.windows.com | 40.115.3.253 | whitelisted

Threats

No threats detected
No debug info