File name:

file

Full analysis: https://app.any.run/tasks/697245e8-f0cd-4603-a0cd-abc7b247b54f
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: October 25, 2023, 12:15:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
loader
smoke
miner
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

984A2C26647728678666B8308C8E3753

SHA1:

4468AB04DA59B497796DB5D70A99DDC37575639F

SHA256:

C99FE181F72E4484C5DE24D3EDD0E51641DCB8CD6F24FC2B2B05CE1EF2B4220D

SSDEEP:

393216:neKmPtm6NWb8dhJzKxtT0nKwLf9WytZiM2QFCUl2NQ2Jb8kQRzLC3Bmf9S/lJcOl:n/mPtub8kNiKwLvZiM2QIUsNQMb/6MmY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • toolspub2.exe (PID: 2688)
      • toolspub2.exe (PID: 944)
      • e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 2560)
      • setup.exe (PID: 1476)
      • Install.exe (PID: 2272)
      • setup.exe (PID: 2744)
      • kos3.exe (PID: 2944)
      • kos.exe (PID: 2228)
      • latestX.exe (PID: 2464)
      • tuc19.exe (PID: 2764)
      • tuc19.exe (PID: 2728)
      • latestX.exe (PID: 2956)
      • Install.exe (PID: 2896)
      • wDVDTools.exe (PID: 2320)
      • updater.exe (PID: 3000)
      • jsANlYK.exe (PID: 2388)
      • xozXlyY.exe (PID: 2284)
      • wDVDTools.exe (PID: 2988)
    • Drops the executable file immediately after the start

      • file.exe (PID: 2536)
      • setup.exe (PID: 1476)
      • kos3.exe (PID: 2944)
      • tuc19.exe (PID: 2764)
      • tuc19.exe (PID: 2728)
      • Install.exe (PID: 2272)
      • tuc19.tmp (PID: 2152)
      • wDVDTools.exe (PID: 2988)
      • Install.exe (PID: 2896)
      • latestX.exe (PID: 2956)
      • updater.exe (PID: 3000)
      • jsANlYK.exe (PID: 2388)
      • xozXlyY.exe (PID: 2284)
    • Loads dropped or rewritten executable

      • tuc19.tmp (PID: 2152)
      • rundll32.exe (PID: 796)
    • Application was injected by another process

      • explorer.exe (PID: 1944)
    • Runs injected code in another process

      • toolspub2.exe (PID: 2688)
    • Uses Task Scheduler to run other applications

      • tuc19.tmp (PID: 2152)
      • Install.exe (PID: 2896)
      • explorer.exe (PID: 1944)
      • jsANlYK.exe (PID: 2388)
      • xozXlyY.exe (PID: 2284)
      • rundll32.exe (PID: 796)
    • Run PowerShell with an invisible window

      • powershell.EXE (PID: 600)
      • powershell.EXE (PID: 2932)
      • powershell.EXE (PID: 2156)
      • powershell.EXE (PID: 1360)
    • SMOKE was detected

      • explorer.exe (PID: 1944)
    • Connects to the CnC server

      • explorer.exe (PID: 1944)
    • Adds path to the Windows Defender exclusion list

      • explorer.exe (PID: 1944)
    • Uses Task Scheduler to autorun other applications

      • powershell.exe (PID: 2164)
      • powershell.exe (PID: 1212)
      • xozXlyY.exe (PID: 2284)
    • Actions look like stealing of personal data

      • jsANlYK.exe (PID: 2388)
      • xozXlyY.exe (PID: 2284)
    • Modifies hosts file to block updates

      • latestX.exe (PID: 2956)
    • Creates a writable file in the system directory

      • jsANlYK.exe (PID: 2388)
      • powershell.exe (PID: 1912)
      • xozXlyY.exe (PID: 2284)
    • Modifies exclusions in Windows Defender

      • reg.exe (PID: 2852)
    • Modifies files in the Chrome extension folder

      • xozXlyY.exe (PID: 2284)
    • Unusual connection from system programs

      • rundll32.exe (PID: 796)
    • Steals credentials from Web Browsers

      • xozXlyY.exe (PID: 2284)
  • SUSPICIOUS

    • Reads the Internet Settings

      • file.exe (PID: 2536)
      • kos3.exe (PID: 2944)
      • kos.exe (PID: 2228)
      • Install.exe (PID: 2896)
      • powershell.EXE (PID: 600)
      • powershell.exe (PID: 2540)
      • powershell.EXE (PID: 2932)
      • powershell.EXE (PID: 2156)
      • powershell.EXE (PID: 1360)
    • Application launched itself

      • toolspub2.exe (PID: 944)
      • explorer.exe (PID: 1944)
    • Drops 7-zip archiver for unpacking

      • file.exe (PID: 2536)
      • setup.exe (PID: 1476)
    • Starts itself from another location

      • setup.exe (PID: 1476)
    • Reads settings of System Certificates

      • kos.exe (PID: 2228)
    • Reads the Windows owner or organization settings

      • tuc19.tmp (PID: 2152)
    • Process drops legitimate windows executable

      • tuc19.tmp (PID: 2152)
    • Reads the BIOS version

      • Install.exe (PID: 2896)
    • Starts CMD.EXE for command execution

      • forfiles.exe (PID: 2660)
      • forfiles.exe (PID: 792)
      • explorer.exe (PID: 1944)
      • jsANlYK.exe (PID: 2388)
      • xozXlyY.exe (PID: 2284)
    • Found strings related to reading or modifying Windows Defender settings

      • forfiles.exe (PID: 792)
      • forfiles.exe (PID: 2660)
      • jsANlYK.exe (PID: 2388)
      • xozXlyY.exe (PID: 2284)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1628)
      • cmd.exe (PID: 2240)
      • cmd.exe (PID: 936)
      • cmd.exe (PID: 2556)
      • cmd.exe (PID: 2988)
      • cmd.exe (PID: 2344)
      • cmd.exe (PID: 796)
      • cmd.exe (PID: 1788)
      • cmd.exe (PID: 2340)
      • cmd.exe (PID: 2748)
      • cmd.exe (PID: 1764)
      • cmd.exe (PID: 2100)
      • cmd.exe (PID: 2868)
      • cmd.exe (PID: 920)
      • wscript.exe (PID: 2216)
    • The process executes via Task Scheduler

      • powershell.EXE (PID: 600)
      • updater.exe (PID: 3000)
      • jsANlYK.exe (PID: 2388)
      • powershell.EXE (PID: 2932)
      • powershell.EXE (PID: 2156)
      • powershell.EXE (PID: 1360)
      • xozXlyY.exe (PID: 2284)
      • rundll32.exe (PID: 2080)
    • Executes as Windows Service

      • raserver.exe (PID: 1764)
      • raserver.exe (PID: 2348)
      • raserver.exe (PID: 2560)
      • raserver.exe (PID: 2576)
    • Script adds exclusion path to Windows Defender

      • explorer.exe (PID: 1944)
    • Uses powercfg.exe to modify the power settings

      • cmd.exe (PID: 2640)
      • cmd.exe (PID: 1392)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 2420)
      • cmd.exe (PID: 1436)
    • Unusual connection from system programs

      • powershell.exe (PID: 1912)
    • Drops a system driver (possible attempt to evade defenses)

      • updater.exe (PID: 3000)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 1912)
    • Connects to unusual port

      • explorer.exe (PID: 1040)
    • Checks Windows Trust Settings

      • xozXlyY.exe (PID: 2284)
    • Starts POWERSHELL.EXE for command execution

      • explorer.exe (PID: 1944)
  • INFO

    • Create files in a temporary directory

      • file.exe (PID: 2536)
      • setup.exe (PID: 1476)
      • Install.exe (PID: 2272)
      • kos3.exe (PID: 2944)
      • tuc19.exe (PID: 2764)
      • tuc19.exe (PID: 2728)
      • kos.exe (PID: 2228)
      • tuc19.tmp (PID: 2152)
      • wDVDTools.exe (PID: 2988)
      • Install.exe (PID: 2896)
    • Checks supported languages

      • file.exe (PID: 2536)
      • toolspub2.exe (PID: 2688)
      • toolspub2.exe (PID: 944)
      • e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 2560)
      • setup.exe (PID: 1476)
      • kos3.exe (PID: 2944)
      • Install.exe (PID: 2272)
      • tuc19.exe (PID: 2764)
      • tuc19.tmp (PID: 2160)
      • kos.exe (PID: 2228)
      • latestX.exe (PID: 2956)
      • tuc19.exe (PID: 2728)
      • tuc19.tmp (PID: 2152)
      • Install.exe (PID: 2896)
      • wDVDTools.exe (PID: 2988)
      • updater.exe (PID: 3000)
      • jsANlYK.exe (PID: 2388)
      • wDVDTools.exe (PID: 2320)
      • xozXlyY.exe (PID: 2284)
    • Reads the computer name

      • file.exe (PID: 2536)
      • kos3.exe (PID: 2944)
      • e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 2560)
      • kos.exe (PID: 2228)
      • tuc19.tmp (PID: 2160)
      • tuc19.tmp (PID: 2152)
      • Install.exe (PID: 2896)
      • wDVDTools.exe (PID: 2988)
      • xozXlyY.exe (PID: 2284)
    • Reads the machine GUID from the registry

      • e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 2560)
      • kos.exe (PID: 2228)
      • Install.exe (PID: 2896)
      • xozXlyY.exe (PID: 2284)
    • Reads Environment values

      • kos.exe (PID: 2228)
    • Creates files in the program directory

      • tuc19.tmp (PID: 2152)
      • wDVDTools.exe (PID: 2988)
      • latestX.exe (PID: 2956)
      • updater.exe (PID: 3000)
      • wDVDTools.exe (PID: 2320)
      • xozXlyY.exe (PID: 2284)
    • Application was dropped or rewritten from another process

      • tuc19.tmp (PID: 2152)
      • tuc19.tmp (PID: 2160)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 1944)
      • xozXlyY.exe (PID: 2284)
    • Drops the executable file immediately after the start

      • explorer.exe (PID: 1944)
    • Process checks computer location settings

      • xozXlyY.exe (PID: 2284)
    • Reads the Internet Settings

      • explorer.exe (PID: 1944)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 1.0.0.0
OriginalFileName: newumma.exe
LegalCopyright:
InternalName: newumma.exe
FileVersion: 1.0.0.0
FileDescription:
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x175849e
UninitializedDataSize: -
InitializedDataSize: 2048
CodeSize: 24471040
LinkerVersion: 11
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2023:10:25 09:50:21+00:00
MachineType: Intel 386 or later, and compatibles
All screenshots are available in the full report
Total processes
313
Monitored processes
171
Malicious processes
25
Suspicious processes
6

Behavior graph

(Interactive graph; rendered in the full report.) Its node labels, in the order the graph lists them, cover the drop-and-start chain of file.exe, toolspub2.exe, e0cbefcb1af40c7d4aff4aca26621a98.exe, setup.exe, kos3.exe, Install.exe, latestX.exe, tuc19.exe, kos.exe, tuc19.tmp, wDVDTools.exe, updater.exe, jsANlYK.exe and xozXlyY.exe; the injection into explorer.exe, which the graph tags #SMOKE; and the long runs of reg.exe, schtasks.exe, sc.exe, powercfg.exe, powershell.exe, gpupdate.exe, raserver.exe, wscript.exe and rundll32.exe children that the installers spawn (most marked "no specs", i.e. without their own process details in this extract).

Process information

PID
CMD
Path
Indicators
Parent process
PID:
244
CMD:
schtasks /END /TN "ztlTbPYifermRZH"
Path:
C:\Windows\SysWOW64\schtasks.exe
Parent process:
xozXlyY.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID:
276
CMD:
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
wscript.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID:
280
CMD:
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
wscript.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID:
364
CMD:
"C:\Windows\system32\schtasks.exe" /Query
Path:
C:\Windows\SysWOW64\schtasks.exe
Parent process:
tuc19.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernelbase.dll
PID:
364
CMD:
schtasks /run /I /tn "gaInVTyON"
Path:
C:\Windows\SysWOW64\schtasks.exe
Parent process:
jsANlYK.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID:
364
CMD:
sc stop bits
Path:
C:\Windows\System32\sc.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
1062 (ERROR_SERVICE_NOT_ACTIVE: the BITS service was not running when the stop was attempted)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
364
CMD:
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
wscript.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID:
460
CMD:
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID:
568
CMD:
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
wscript.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID:
572
CMD:
schtasks /CREATE /TN "lYRFoiYPtWPCfC" /F /xml "C:\Program Files (x86)\DlbZONUGhjVU2\qQUVJhS.xml" /RU "SYSTEM"
Path:
C:\Windows\SysWOW64\schtasks.exe
Parent process:
xozXlyY.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\syswow64\schtasks.exe
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
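The command lines above are the part of this report a SOC can turn directly into detections. As an added example (not part of the ANY.RUN report), the Python below classifies Windows process-creation command lines the way an EDR or Sysmon Event ID 1 rule would: it tokenizes them without mangling backslashes, flags reg.exe writes under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions, schtasks /CREATE (recording the /RU account and the /xml source) and schtasks /run, and sc stop/config/delete of update or defence services. SAMPLE_EVENTS is constructed from the process entries above (PID, parent, command line); the Finding class, the helper names, the UPDATE_SERVICES set and the ATT&CK IDs chosen for each class are this example's own assumptions.

```python
"""Added example: classify Windows process-creation command lines for the
defence-evasion and persistence tricks shown in this report."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Double-quoted runs or bare whitespace-delimited words. Backslashes stay
# literal, which Windows paths need (shlex in POSIX mode would eat them).
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Exclusions written under the Policies hive are the GPO-backed ones; the
# report shows them being written with reg.exe rather than Set-MpPreference.
DEFENDER_POLICY_EXCLUSIONS = r"software\policies\microsoft\windows defender\exclusions"
# Assumption: services a miner/loader commonly stops to keep updates and
# Defender from interfering.
UPDATE_SERVICES = {"bits", "wuauserv", "usosvc", "dosvc", "windefend"}


@dataclass(frozen=True)
class Finding:
    technique: str  # MITRE ATT&CK technique ID (mapping chosen for this example)
    detail: str


def tokenize(cmdline: str) -> list[str]:
    """Split a command line on whitespace, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmdline)]


def _switch_value(tokens: list[str], switch: str) -> str | None:
    """Argument following a case-insensitive switch such as /v or /TN."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == switch:
            return tokens[i + 1]
    return None


def classify(cmdline: str) -> list[Finding]:
    tokens = tokenize(cmdline)
    if not tokens:
        return []
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    exe = exe[:-4] if exe.endswith(".exe") else exe   # "REG" and reg.exe alike
    low = [t.lower() for t in tokens]
    findings: list[Finding] = []

    if exe == "reg" and len(tokens) > 2 and low[1] == "add":
        key = tokens[2]
        if DEFENDER_POLICY_EXCLUSIONS in key.lower():
            kind = key.rsplit("\\", 1)[-1]          # Paths / Extensions / Processes
            value = _switch_value(tokens, "/v")
            view = next((t for t in low if t.startswith("/reg:")), "default view")
            findings.append(Finding(
                "T1562.001",
                f"Defender exclusion ({kind}) written to the policy key: {value} [{view}]"))

    elif exe == "schtasks":
        name = _switch_value(tokens, "/tn")
        if "/create" in low:
            xml = _switch_value(tokens, "/xml")
            run_as = _switch_value(tokens, "/ru") or "(caller)"
            findings.append(Finding(
                "T1053.005", f"task {name!r} created from {xml} running as {run_as}"))
        elif "/run" in low:
            findings.append(Finding("T1053.005", f"task {name!r} started on demand"))

    elif exe == "sc" and len(tokens) > 2 and low[1] in ("stop", "delete", "config"):
        svc = low[2]
        note = " (update/defence service)" if svc in UPDATE_SERVICES else ""
        findings.append(Finding("T1489", f"service {svc!r} {low[1]}{note}"))

    return findings


# Constructed from the report's Process information entries: (PID, parent, CMD).
SAMPLE_EVENTS = [
    (276, "wscript.exe", r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32'),
    (460, "cmd.exe", r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32'),
    (572, "xozXlyY.exe", r'schtasks /CREATE /TN "lYRFoiYPtWPCfC" /F /xml "C:\Program Files (x86)\DlbZONUGhjVU2\qQUVJhS.xml" /RU "SYSTEM"'),
    (364, "jsANlYK.exe", r'schtasks /run /I /tn "gaInVTyON"'),
    (364, "cmd.exe", r'sc stop bits'),
    (364, "tuc19.tmp", r'"C:\Windows\system32\schtasks.exe" /Query'),
]


def triage(events) -> dict[tuple[int, str], list[Finding]]:
    """Group findings by (PID, parent); the sandbox reuses PID 364, so PID alone is ambiguous."""
    out: dict[tuple[int, str], list[Finding]] = {}
    for pid, parent, cmd in events:
        hits = classify(cmd)
        if hits:
            out.setdefault((pid, parent), []).extend(hits)
    return out


def attack_coverage(events) -> list[str]:
    """Sorted ATT&CK technique IDs observed across the events."""
    return sorted({f.technique for hits in triage(events).values() for f in hits})


if __name__ == "__main__":
    for (pid, parent), hits in triage(SAMPLE_EVENTS).items():
        for f in hits:
            print(f"{pid:>5} <- {parent:<12} {f.technique}  {f.detail}")
```

The benign `schtasks /Query` from the Inno Setup stub (tuc19.tmp) produces no finding, which is the point of keying on the verb rather than on the binary name; the `/reg:32` and `/reg:64` switches are kept in the detail because the sample writes the same exclusion into both registry views and a cleanup has to remove both.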
Total events
19 896
Read events
19 402
Write events
492
Delete events
2

Modification events

(PID) Process: (1944) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100
Operation: write
Name: CheckSetting
Value: (not shown)

(PID) Process: (1944) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value: (not shown)

(PID) Process: (2536) file.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2536) file.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2536) file.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2536) file.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2944) kos3.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2944) kos3.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2944) kos3.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2944) kos3.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files
70
Suspicious files
102
Text files
149
Unknown types
0

Dropped files

PID | Process | Filename | Type

1476 | setup.exe | C:\Users\admin\AppData\Local\Temp\7zSD2EB.tmp\Install.exe | executable
MD5: 6A77181784BC9E5A81ED1479BCEE7483
SHA256: 38BAB577CF37ED54D75C3C16CFA5C0C76391B3C27E9E9C86EE547F156679F2A7

2536 | file.exe | C:\Users\admin\AppData\Local\Temp\kos3.exe | executable
MD5: 0A0BBDD67AB1D3BEF2A839C05F274589
SHA256: BC9A89DA24B211F79EFDD6CBDE5D462BD0B90D1A84A74EF02F07C2F700777F30

1476 | setup.exe | C:\Users\admin\AppData\Local\Temp\7zSD2EB.tmp\__data__\config.txt | binary
MD5: E1CFF5A9F9148F806FF3404AD4DC049D
SHA256: 312A8266794FC52DB6D015D65323EAC6FDE356E25263531F52A2E185CB028AF1

2228 | kos.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed
MD5: F3441B8572AAE8801C04F3060B550443
SHA256: 6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF

2536 | file.exe | C:\Users\admin\AppData\Local\Temp\latestX.exe | executable
MD5: BAE29E49E8190BFBBF0D77FFAB8DE59D
SHA256: F91E4FF7811A5848561463D970C51870C9299A80117A89FB86A698B9F727DE87

2944 | kos3.exe | C:\Users\admin\AppData\Local\Temp\kos.exe | executable
MD5: AD91996E84FF27B44EF222822ACDB82E
SHA256: 6E1853522AF7AE5B61A5E022619D901751073E8CC57908FEAAB72C69F536782D

2944 | kos3.exe | C:\Users\admin\AppData\Local\Temp\tuc19.exe | executable
MD5: 891328887EA54C27B7C658C9C54D5100
SHA256: 31E9F10A0FBEDBA52510F2F9DE19E20ED7DB93FD47B015F0AF50ACD73F133740

2152 | tuc19.tmp | C:\Users\admin\AppData\Local\Temp\is-7U3VK.tmp\_isetup\_RegDLL.tmp | executable
MD5: 0EE914C6F0BB93996C75941E1AD629C6
SHA256: 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2

2152 | tuc19.tmp | C:\Users\admin\AppData\Local\Temp\is-7U3VK.tmp\_isetup\_shfoldr.dll | executable
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87

2152 | tuc19.tmp | C:\Users\admin\AppData\Local\Temp\is-7U3VK.tmp\_isetup\_setup64.tmp | executable
MD5: 4FF75F505FDDCC6A9AE62216446205D9
SHA256: A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
26
DNS requests
17
Threats
10

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
2228 | kos.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0031c1358027126c | unknown | compressed | 61.6 Kb | unknown
2284 | xozXlyY.exe | GET | 200 | 172.217.16.195:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | unknown | binary | 724 b | unknown
1912 | powershell.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?231238660aacad68 | unknown | compressed | 4.66 Kb | unknown
2284 | xozXlyY.exe | GET | 200 | 23.212.210.158:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown
2284 | xozXlyY.exe | GET | 200 | 172.217.16.195:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | binary | 1.41 Kb | unknown
2284 | xozXlyY.exe | GET | 200 | 195.138.255.24:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgNr2eTXy%2BQSW0hFkl6dJQdtxg%3D%3D | unknown | der | 503 b | unknown
1944 | explorer.exe | POST | 404 | 95.214.26.34:80 | http://host-host-file8.com/ | unknown | binary | 7 b | unknown
2284 | xozXlyY.exe | GET | 200 | 172.217.16.195:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEDiqPgG5QpuyCQrl9PBuZos%3D | unknown | binary | 471 b | unknown
796 | rundll32.exe | POST | 200 | 35.81.204.150:80 | http://api4.check-data.xyz/api2/google_api_ifi | unknown | unknown | - | -
2284 | xozXlyY.exe | GET | 200 | 172.217.16.195:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEGAy%2Fdiu84vFCW7%2FIayIdNI%3D | unknown | binary | 471 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1956 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
324 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2228 | kos.exe | 148.251.234.93:443 | iplogger.com | Hetzner Online GmbH | DE | unknown
2228 | kos.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted
1944 | explorer.exe | 95.214.26.34:80 | host-host-file8.com | Enes Koken | US | unknown
1912 | powershell.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted
1040 | explorer.exe | 51.15.65.182:14433 | xmr-eu1.nanopool.org | Online S.a.s. | NL | malicious
1040 | explorer.exe | 172.67.34.170:443 | pastebin.com | CLOUDFLARENET | US | unknown

DNS requests

Domain
IP
Reputation
iplogger.com
  • 148.251.234.93
shared
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
host-file-host6.com
unknown
host-host-file8.com
  • 95.214.26.34
unknown
teredo.ipv6.microsoft.com
unknown
xmr-eu1.nanopool.org
  • 51.15.65.182
  • 51.68.143.81
  • 135.125.238.108
  • 51.15.193.130
  • 51.15.58.224
  • 163.172.154.142
  • 51.255.34.118
  • 212.47.253.124
  • 51.68.190.80
unknown
pastebin.com
  • 172.67.34.170
  • 104.20.67.143
  • 104.20.68.143
shared
service-domain.xyz
  • 3.80.150.121
unknown
x1.c.lencr.org
  • 23.212.210.158
whitelisted
r3.o.lencr.org
  • 195.138.255.24
  • 195.138.255.9
shared

Threats

PID | Process | Class | Message
324 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
2228 | kos.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
1944 | explorer.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 8
1944 | explorer.exe | A Network Trojan was detected | ET MALWARE Suspected Smokeloader Activity (POST)
324 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
324 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP DNS Query to Neoreklami (service-domain .xyz)
2284 | xozXlyY.exe | Potentially Bad Traffic | ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
796 | rundll32.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
796 | rundll32.exe | Misc activity | ET HUNTING Chrome/0 in User-Agent
1 ETPRO signature is available in the full report
No debug info