Malware analysis file Malicious activity | ANY.RUN

Add for printing

File name:	file
Full analysis:	https://app.any.run/tasks/697245e8-f0cd-4603-a0cd-abc7b247b54f
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Malware Trends Tracker >>>
Analysis date:	October 25, 2023, 12:15:48
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	loader smoke miner
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	984A2C26647728678666B8308C8E3753
SHA1:	4468AB04DA59B497796DB5D70A99DDC37575639F
SHA256:	C99FE181F72E4484C5DE24D3EDD0E51641DCB8CD6F24FC2B2B05CE1EF2B4220D
SSDEEP:	393216:neKmPtm6NWb8dhJzKxtT0nKwLf9WytZiM2QFCUl2NQ2Jb8kQRzLC3Bmf9S/lJcOl:n/mPtub8kNiKwLvZiM2QIUsNQMb/6MmY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - file.exe (PID: 2536)
  - tuc19.exe (PID: 2764)
  - kos3.exe (PID: 2944)
  - tuc19.exe (PID: 2728)
  - Install.exe (PID: 2272)
  - tuc19.tmp (PID: 2152)
  - wDVDTools.exe (PID: 2988)
  - Install.exe (PID: 2896)
  - setup.exe (PID: 1476)
  - latestX.exe (PID: 2956)
  - updater.exe (PID: 3000)
  - jsANlYK.exe (PID: 2388)
  - xozXlyY.exe (PID: 2284)
- Application was dropped or rewritten from another process
  - toolspub2.exe (PID: 2688)
  - toolspub2.exe (PID: 944)
  - e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 2560)
  - setup.exe (PID: 1476)
  - setup.exe (PID: 2744)
  - Install.exe (PID: 2272)
  - kos3.exe (PID: 2944)
  - kos.exe (PID: 2228)
  - tuc19.exe (PID: 2764)
  - latestX.exe (PID: 2464)
  - tuc19.exe (PID: 2728)
  - latestX.exe (PID: 2956)
  - Install.exe (PID: 2896)
  - wDVDTools.exe (PID: 2320)
  - wDVDTools.exe (PID: 2988)
  - jsANlYK.exe (PID: 2388)
  - updater.exe (PID: 3000)
  - xozXlyY.exe (PID: 2284)
- Loads dropped or rewritten executable
  - tuc19.tmp (PID: 2152)
  - rundll32.exe (PID: 796)
- Uses Task Scheduler to run other applications
  - tuc19.tmp (PID: 2152)
  - Install.exe (PID: 2896)
  - jsANlYK.exe (PID: 2388)
  - explorer.exe (PID: 1944)
  - xozXlyY.exe (PID: 2284)
  - rundll32.exe (PID: 796)
- Runs injected code in another process
  - toolspub2.exe (PID: 2688)
- Application was injected by another process
  - explorer.exe (PID: 1944)
- Run PowerShell with an invisible window
  - powershell.EXE (PID: 600)
  - powershell.EXE (PID: 2932)
  - powershell.EXE (PID: 2156)
  - powershell.EXE (PID: 1360)
- Connects to the CnC server
  - explorer.exe (PID: 1944)
- SMOKE was detected
  - explorer.exe (PID: 1944)
- Adds path to the Windows Defender exclusion list
  - explorer.exe (PID: 1944)
- Uses Task Scheduler to autorun other applications
  - powershell.exe (PID: 2164)
  - powershell.exe (PID: 1212)
  - xozXlyY.exe (PID: 2284)
- Creates a writable file the system directory
  - jsANlYK.exe (PID: 2388)
  - powershell.exe (PID: 1912)
  - xozXlyY.exe (PID: 2284)
- Modifies hosts file to block updates
  - latestX.exe (PID: 2956)
- Modifies exclusions in Windows Defender
  - reg.exe (PID: 2852)
- Steals credentials from Web Browsers
  - xozXlyY.exe (PID: 2284)
- Modifies files in the Chrome extension folder
  - xozXlyY.exe (PID: 2284)
- Unusual connection from system programs
  - rundll32.exe (PID: 796)
- Actions looks like stealing of personal data
  - jsANlYK.exe (PID: 2388)
  - xozXlyY.exe (PID: 2284)
SUSPICIOUS
- Reads the Internet Settings
  - file.exe (PID: 2536)
  - kos3.exe (PID: 2944)
  - kos.exe (PID: 2228)
  - Install.exe (PID: 2896)
  - powershell.EXE (PID: 600)
  - powershell.exe (PID: 2540)
  - powershell.EXE (PID: 2932)
  - powershell.EXE (PID: 2156)
  - powershell.EXE (PID: 1360)
- Application launched itself
  - toolspub2.exe (PID: 944)
  - explorer.exe (PID: 1944)
- Drops 7-zip archiver for unpacking
  - file.exe (PID: 2536)
  - setup.exe (PID: 1476)
- Starts itself from another location
  - setup.exe (PID: 1476)
- Reads the Windows owner or organization settings
  - tuc19.tmp (PID: 2152)
- Reads settings of System Certificates
  - kos.exe (PID: 2228)
- Process drops legitimate windows executable
  - tuc19.tmp (PID: 2152)
- Reads the BIOS version
  - Install.exe (PID: 2896)
- Starts CMD.EXE for commands execution
  - forfiles.exe (PID: 2660)
  - forfiles.exe (PID: 792)
  - explorer.exe (PID: 1944)
  - jsANlYK.exe (PID: 2388)
  - xozXlyY.exe (PID: 2284)
- Found strings related to reading or modifying Windows Defender settings
  - forfiles.exe (PID: 2660)
  - forfiles.exe (PID: 792)
  - jsANlYK.exe (PID: 2388)
  - xozXlyY.exe (PID: 2284)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 2240)
  - cmd.exe (PID: 1628)
  - cmd.exe (PID: 936)
  - cmd.exe (PID: 2556)
  - cmd.exe (PID: 2344)
  - cmd.exe (PID: 2748)
  - cmd.exe (PID: 796)
  - wscript.exe (PID: 2216)
  - cmd.exe (PID: 2340)
  - cmd.exe (PID: 1788)
  - cmd.exe (PID: 2988)
  - cmd.exe (PID: 1764)
  - cmd.exe (PID: 2100)
  - cmd.exe (PID: 920)
  - cmd.exe (PID: 2868)
- The process executes via Task Scheduler
  - powershell.EXE (PID: 600)
  - jsANlYK.exe (PID: 2388)
  - updater.exe (PID: 3000)
  - powershell.EXE (PID: 2932)
  - powershell.EXE (PID: 2156)
  - powershell.EXE (PID: 1360)
  - xozXlyY.exe (PID: 2284)
  - rundll32.exe (PID: 2080)
- Script adds exclusion path to Windows Defender
  - explorer.exe (PID: 1944)
- Executes as Windows Service
  - raserver.exe (PID: 1764)
  - raserver.exe (PID: 2348)
  - raserver.exe (PID: 2560)
  - raserver.exe (PID: 2576)
- Starts POWERSHELL.EXE for commands execution
  - explorer.exe (PID: 1944)
- Starts SC.EXE for service management
  - cmd.exe (PID: 2420)
  - cmd.exe (PID: 1436)
- Uses powercfg.exe to modify the power settings
  - cmd.exe (PID: 2640)
  - cmd.exe (PID: 1392)
- Drops a system driver (possible attempt to evade defenses)
  - updater.exe (PID: 3000)
- The Powershell connects to the Internet
  - powershell.exe (PID: 1912)
- Unusual connection from system programs
  - powershell.exe (PID: 1912)
- Connects to unusual port
  - explorer.exe (PID: 1040)
- Checks Windows Trust Settings
  - xozXlyY.exe (PID: 2284)
INFO
- Reads the computer name
  - file.exe (PID: 2536)
  - e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 2560)
  - kos3.exe (PID: 2944)
  - kos.exe (PID: 2228)
  - tuc19.tmp (PID: 2160)
  - tuc19.tmp (PID: 2152)
  - Install.exe (PID: 2896)
  - wDVDTools.exe (PID: 2988)
  - xozXlyY.exe (PID: 2284)
- Checks supported languages
  - file.exe (PID: 2536)
  - e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 2560)
  - toolspub2.exe (PID: 944)
  - toolspub2.exe (PID: 2688)
  - setup.exe (PID: 1476)
  - kos3.exe (PID: 2944)
  - Install.exe (PID: 2272)
  - tuc19.exe (PID: 2764)
  - tuc19.tmp (PID: 2160)
  - kos.exe (PID: 2228)
  - latestX.exe (PID: 2956)
  - tuc19.exe (PID: 2728)
  - tuc19.tmp (PID: 2152)
  - Install.exe (PID: 2896)
  - wDVDTools.exe (PID: 2988)
  - wDVDTools.exe (PID: 2320)
  - jsANlYK.exe (PID: 2388)
  - updater.exe (PID: 3000)
  - xozXlyY.exe (PID: 2284)
- Create files in a temporary directory
  - file.exe (PID: 2536)
  - setup.exe (PID: 1476)
  - kos3.exe (PID: 2944)
  - tuc19.exe (PID: 2764)
  - Install.exe (PID: 2272)
  - tuc19.exe (PID: 2728)
  - tuc19.tmp (PID: 2152)
  - kos.exe (PID: 2228)
  - wDVDTools.exe (PID: 2988)
  - Install.exe (PID: 2896)
- Reads Environment values
  - kos.exe (PID: 2228)
- Reads the machine GUID from the registry
  - kos.exe (PID: 2228)
  - Install.exe (PID: 2896)
  - e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 2560)
  - xozXlyY.exe (PID: 2284)
- Creates files in the program directory
  - tuc19.tmp (PID: 2152)
  - wDVDTools.exe (PID: 2988)
  - latestX.exe (PID: 2956)
  - updater.exe (PID: 3000)
  - wDVDTools.exe (PID: 2320)
  - xozXlyY.exe (PID: 2284)
- Application was dropped or rewritten from another process
  - tuc19.tmp (PID: 2152)
  - tuc19.tmp (PID: 2160)
- Creates files or folders in the user directory
  - explorer.exe (PID: 1944)
  - xozXlyY.exe (PID: 2284)
- Drops the executable file immediately after the start
  - explorer.exe (PID: 1944)
- Reads the Internet Settings
  - explorer.exe (PID: 1944)
- Process checks computer location settings
  - xozXlyY.exe (PID: 2284)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

AssemblyVersion:	1.0.0.0
ProductVersion:	1.0.0.0
OriginalFileName:	newumma.exe
LegalCopyright:
InternalName:	newumma.exe
FileVersion:	1.0.0.0
FileDescription:
CharacterSet:	Unicode
LanguageCode:	Neutral
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	1.0.0.0
FileVersionNumber:	1.0.0.0
Subsystem:	Windows GUI
SubsystemVersion:	4
ImageVersion:	-
OSVersion:	4
EntryPoint:	0x175849e
UninitializedDataSize:	-
InitializedDataSize:	2048
CodeSize:	24471040
LinkerVersion:	11
PEType:	PE32
ImageFileCharacteristics:	Executable, 32-bit
TimeStamp:	2023:10:25 09:50:21+00:00
MachineType:	Intel 386 or later, and compatibles

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

313

Monitored processes

171

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

244

schtasks /END /TN "ztlTbPYifermRZH"

C:\Windows\SysWOW64\schtasks.exe

—

xozXlyY.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

276

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

—

wscript.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

280

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

—

wscript.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

364

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\schtasks.exe

—

tuc19.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernelbase.dll

364

schtasks /run /I /tn "gaInVTyON"

C:\Windows\SysWOW64\schtasks.exe

—

jsANlYK.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

364

sc stop bits

C:\Windows\System32\sc.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

A tool to aid in developing services for WindowsNT

Exit code:

1062

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

364

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

—

wscript.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

460

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

568

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

—

wscript.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

572

schtasks /CREATE /TN "lYRFoiYPtWPCfC" /F /xml "C:\Program Files (x86)\DlbZONUGhjVU2\qQUVJhS.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

—

xozXlyY.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\ntdll.dll
c:\windows\syswow64\schtasks.exe
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Add for printing

Total events

19 896

Read events

19 402

Write events

492

Delete events

Modification events


(PID) Process:	(1944) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000088AF72B0747534094337F63DE35C94A00000000020000000000106600000001000020000000AED9F7A034803824C8B1E828E6ACF7A63C03C62037EFED43278AD26DABE640A1000000000E8000000002000020000000AB5403F7CEBF10DFE341ABEBBEE1A84444EBC55972843D61F9FD20F3F0EABE92B0000000FC067D59D0357C58872FB611AE92F67CAF2B1FDF280A6E076A7077808FDF9D6902A616185711F2BC394A2B6D44B08968CB658980494D87797413D932F0415C59BCEE2F408C91017ECA1A09CFF46B78A1DDEB7B1A1E3900CE68E46CBA92E3449C11FF6689058BD2FEA4CC617DA5D154EC67F4E85B3C7D41EDD704426CE486FED6952A1CDA27E0F58502A85DA834FC59F375E4A11757B352567CADFEF8F2BB497E437086EEA56B957D31DAA98C7F678CCB4000000048300250278A78A5D4898CA43F5197F9B50DF81CBC35B6CAA716E6F42642EECD0299AF2C0B69703D12B9CACBDB5AD7A7001D20D662BA32D05CD6D99A1234653A
(PID) Process:	(1944) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000088AF72B0747534094337F63DE35C94A000000000200000000001066000000010000200000003A7AE26404D75DF41C31FF40C5EA8CE90BAF74FA9E9BD7A9ACA34C7048350C1E000000000E8000000002000020000000BD2D56D46506C12C41A6A70B10E79EE53CB79EF36FD2BA8CDD2460CB8F4BE86A300000009B5D1418CBF2EB49F3C4BD4C21D58CA55B82FA3D3ED08AF0EF59D6C7ECAFC1055FA323A80FF7C154B1C9B60253392B6640000000DED9FDCC168073324C3013F1BB125E066EB1A2F09FD2C8E7CC7A793AA992E21EF1C942BF7294D04E036428704009B863B1CB981B97312E2530E3E816780CF7C9
(PID) Process:	(2536) file.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2536) file.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2536) file.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2536) file.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2944) kos3.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2944) kos3.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2944) kos3.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2944) kos3.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

Add for printing

Executable files

Suspicious files

102

Text files

149

Unknown types

Dropped files

PID	Process	Filename		Type
2536	file.exe	C:\Users\admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe		executable
		MD5:C7C7E44C612D5FC9E64FB6A970D39B2E	SHA256:B902FC4E86DC3A11173F35442E1756D7A01367057175B6E171461A4B50103423
2536	file.exe	C:\Users\admin\AppData\Local\Temp\kos3.exe		executable
		MD5:0A0BBDD67AB1D3BEF2A839C05F274589	SHA256:BC9A89DA24B211F79EFDD6CBDE5D462BD0B90D1A84A74EF02F07C2F700777F30
1476	setup.exe	C:\Users\admin\AppData\Local\Temp\7zSD2EB.tmp\Install.exe		executable
		MD5:6A77181784BC9E5A81ED1479BCEE7483	SHA256:38BAB577CF37ED54D75C3C16CFA5C0C76391B3C27E9E9C86EE547F156679F2A7
2944	kos3.exe	C:\Users\admin\AppData\Local\Temp\tuc19.exe		executable
		MD5:891328887EA54C27B7C658C9C54D5100	SHA256:31E9F10A0FBEDBA52510F2F9DE19E20ED7DB93FD47B015F0AF50ACD73F133740
2536	file.exe	C:\Users\admin\AppData\Local\Temp\latestX.exe		executable
		MD5:BAE29E49E8190BFBBF0D77FFAB8DE59D	SHA256:F91E4FF7811A5848561463D970C51870C9299A80117A89FB86A698B9F727DE87
2944	kos3.exe	C:\Users\admin\AppData\Local\Temp\kos.exe		executable
		MD5:AD91996E84FF27B44EF222822ACDB82E	SHA256:6E1853522AF7AE5B61A5E022619D901751073E8CC57908FEAAB72C69F536782D
2536	file.exe	C:\Users\admin\AppData\Local\Temp\toolspub2.exe		executable
		MD5:87AC1BE8D34235DBBABD2511FD756CEE	SHA256:285BC704D0816043E28BC96CA418BFBE012751294D12AE2E16C2252B9747046E
2536	file.exe	C:\Users\admin\AppData\Local\Temp\setup.exe		executable
		MD5:CAC360E5FB18E8F135B7008CB478E15A	SHA256:E8689F69DD3D0A3BD5F6E4B3A85251583C4B3B1DBF03E0C30C6CF0048E6532F8
2764	tuc19.exe	C:\Users\admin\AppData\Local\Temp\is-OK0BM.tmp\tuc19.tmp		executable
		MD5:E416B5593EF10377E8EDC748CA6F2527	SHA256:A7E400B62721851753EC6453E7EB3A5DF4797149CFA1D3B0BF9DB0A837863EB0
2728	tuc19.exe	C:\Users\admin\AppData\Local\Temp\is-VG95G.tmp\tuc19.tmp		executable
		MD5:E416B5593EF10377E8EDC748CA6F2527	SHA256:A7E400B62721851753EC6453E7EB3A5DF4797149CFA1D3B0BF9DB0A837863EB0

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2228	kos.exe	GET	200	209.197.3.8:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0031c1358027126c	unknown	compressed	61.6 Kb	unknown
2284	xozXlyY.exe	GET	200	195.138.255.24:80	http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgNr2eTXy%2BQSW0hFkl6dJQdtxg%3D%3D	unknown	der	503 b	unknown
2284	xozXlyY.exe	GET	200	23.212.210.158:80	http://x1.c.lencr.org/	unknown	binary	717 b	unknown
1912	powershell.exe	GET	200	209.197.3.8:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?231238660aacad68	unknown	compressed	4.66 Kb	unknown
2284	xozXlyY.exe	GET	200	172.217.16.195:80	http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEGAy%2Fdiu84vFCW7%2FIayIdNI%3D	unknown	binary	471 b	unknown
2284	xozXlyY.exe	GET	200	172.217.16.195:80	http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEDiqPgG5QpuyCQrl9PBuZos%3D	unknown	binary	471 b	unknown
796	rundll32.exe	POST	200	35.81.204.150:80	http://api4.check-data.xyz/api2/google_api_ifi	unknown	—	—	unknown
2284	xozXlyY.exe	GET	200	172.217.16.195:80	http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEEDR55jX3XXDCQ4aVQR1Q8Q%3D	unknown	binary	471 b	unknown
2284	xozXlyY.exe	GET	200	172.217.16.195:80	http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D	unknown	binary	724 b	unknown
2284	xozXlyY.exe	GET	200	172.217.16.195:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	unknown	binary	1.41 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
324	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
2228	kos.exe	148.251.234.93:443	iplogger.com	Hetzner Online GmbH	DE	unknown
2228	kos.exe	209.197.3.8:80	ctldl.windowsupdate.com	STACKPATH-CDN	US	whitelisted
1944	explorer.exe	95.214.26.34:80	host-host-file8.com	Enes Koken	US	unknown
1912	powershell.exe	209.197.3.8:80	ctldl.windowsupdate.com	STACKPATH-CDN	US	whitelisted
1040	explorer.exe	51.15.65.182:14433	xmr-eu1.nanopool.org	Online S.a.s.	NL	malicious
1040	explorer.exe	172.67.34.170:443	pastebin.com	CLOUDFLARENET	US	unknown

DNS requests

Domain	IP	Reputation
iplogger.com	148.251.234.93	shared
ctldl.windowsupdate.com	209.197.3.8	whitelisted
host-file-host6.com	—	unknown
host-host-file8.com	95.214.26.34	unknown
teredo.ipv6.microsoft.com	—	unknown
xmr-eu1.nanopool.org	51.15.65.182 51.68.143.81 135.125.238.108 51.15.193.130 51.15.58.224 163.172.154.142 51.255.34.118 212.47.253.124 51.68.190.80	unknown
pastebin.com	172.67.34.170 104.20.67.143 104.20.68.143	shared
service-domain.xyz	3.80.150.121	unknown
x1.c.lencr.org	23.212.210.158	whitelisted
r3.o.lencr.org	195.138.255.24 195.138.255.9	shared

Threats

PID	Process	Class	Message
324	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
2228	kos.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
1944	explorer.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 8
1944	explorer.exe	A Network Trojan was detected	ET MALWARE Suspected Smokeloader Activity (POST)
324	svchost.exe	Potential Corporate Privacy Violation	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
324	svchost.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP DNS Query to Neoreklami (service-domain .xyz)
2284	xozXlyY.exe	Potentially Bad Traffic	ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
796	rundll32.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
796	rundll32.exe	Misc activity	ET HUNTING Chrome/0 in User-Agent

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

file

984A2C26647728678666B8308C8E3753

4468AB04DA59B497796DB5D70A99DDC37575639F

C99FE181F72E4484C5DE24D3EDD0E51641DCB8CD6F24FC2B2B05CE1EF2B4220D

393216:neKmPtm6NWb8dhJzKxtT0nKwLf9WytZiM2QFCUl2NQ2Jb8kQRzLC3Bmf9S/lJcOl:n/mPtub8kNiKwLvZiM2QIUsNQMb/6MmY

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Uses Task Scheduler to run other applications

Runs injected code in another process

Application was injected by another process

Run PowerShell with an invisible window

Connects to the CnC server

SMOKE was detected

Adds path to the Windows Defender exclusion list

Uses Task Scheduler to autorun other applications

Creates a writable file the system directory

Modifies hosts file to block updates

Modifies exclusions in Windows Defender

Steals credentials from Web Browsers

Modifies files in the Chrome extension folder

Unusual connection from system programs

Actions looks like stealing of personal data

SUSPICIOUS

Reads the Internet Settings

Application launched itself

Drops 7-zip archiver for unpacking

Starts itself from another location

Reads the Windows owner or organization settings

Reads settings of System Certificates

Process drops legitimate windows executable

Reads the BIOS version

Starts CMD.EXE for commands execution

Found strings related to reading or modifying Windows Defender settings

Uses REG/REGEDIT.EXE to modify registry

The process executes via Task Scheduler

Script adds exclusion path to Windows Defender

Executes as Windows Service

Starts POWERSHELL.EXE for commands execution

Starts SC.EXE for service management

Uses powercfg.exe to modify the power settings

Drops a system driver (possible attempt to evade defenses)

The Powershell connects to the Internet

Unusual connection from system programs

Connects to unusual port

Checks Windows Trust Settings

INFO

Reads the computer name

Checks supported languages

Create files in a temporary directory

Reads Environment values

Reads the machine GUID from the registry

Creates files in the program directory

Application was dropped or rewritten from another process

Creates files or folders in the user directory

Drops the executable file immediately after the start

Reads the Internet Settings

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules