| Field | Value |
|---|---|
| File name: | pcF.exe |
| Full analysis: | https://app.any.run/tasks/b3d8fe76-3018-4d45-aaa7-d9fdee602f9f |
| Verdict: | Malicious activity |
| Analysis date: | May 21, 2024, 20:51:07 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5: | C936C44B913D54157CFBC730235EFC23 |
| SHA1: | 71C6F34AD6660FE036CEE51D543C8ABED032A0FD |
| SHA256: | E1B45BC86089789854CC5D2DD288412A1FEC939C5CBD6033492ED0F5A97C87AE |
| SSDEEP: | 98304:CZBpdruOW5JTJ8CJOXz3286fu5qf93lU3uozJbJchda6i+YlTy4Cnu7DTBzpSlrp:S2N |
| Extension | File type | Score |
|---|---|---|
| .scr | Windows screen saver | 60.5 |
| .exe | Win32 Executable (generic) | 20.8 |
| .exe | Generic Win/DOS Executable | 9.2 |
| .exe | DOS Executable Generic | 9.2 |
| .vxd | VXD Driver | 0.1 |
| Field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2023:11:19 17:51:17+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, 32-bit, No debug |
| PEType: | PE32 |
| LinkerVersion: | 5 |
| CodeSize: | 5222400 |
| InitializedDataSize: | 970752 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x28d4 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 4.8.1.0 |
| ProductVersionNumber: | 4.8.1.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | FBS |
| FileDescription: | Windows System Informer |
| FileVersion: | 4.8.1.0 |
| InternalName: | Windows System Informer |
| LegalCopyright: | Copyright (C) 2015-2023 - Fhinck Business Solutions |
| LegalTrademarks: | Fhinck Business Solutions |
| OriginalFileName: | pcF.exe |
| ProgramID: | com.fhinck.pcF |
| ProductName: | Push to Optimization - Agent - 22.0 |
| ProductVersion: | 4.8.1.0 |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 588 | "C:\Windows\System32\schtasks.exe" /delete /f /tn "WinMainF loader for ADMIN" | C:\Windows\System32\schtasks.exe | — | pcF.exe | admin | Microsoft Corporation | MEDIUM | Manages scheduled tasks | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 748 | "C:\Windows\System32\schtasks.exe" /delete /f /tn "wdF loader for ADMIN" | C:\Windows\System32\schtasks.exe | — | pcF.exe | admin | Microsoft Corporation | MEDIUM | Manages scheduled tasks | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 764 | "C:\Windows\System32\schtasks.exe" /delete /f /tn "NetSendF loader for ADMIN" | C:\Windows\System32\schtasks.exe | — | pcF.exe | admin | Microsoft Corporation | MEDIUM | Manages scheduled tasks | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1432 | "C:\Windows\System32\schtasks.exe" /delete /f /tn "pcF loader for ADMIN" | C:\Windows\System32\schtasks.exe | — | pcF.exe | admin | Microsoft Corporation | MEDIUM | Manages scheduled tasks | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1628 | "C:\Windows\System32\schtasks.exe" /delete /f /tn "syscommF loader for ADMIN" | C:\Windows\System32\schtasks.exe | — | pcF.exe | admin | Microsoft Corporation | MEDIUM | Manages scheduled tasks | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2024 | "C:\Windows\System32\schtasks.exe" /create /tn "wdF loader for ADMIN" /tr "'C:\Users\admin\AppData\Local\Temp\wdF.exe'" /sc minute /mo 5 | C:\Windows\System32\schtasks.exe | — | pcF.exe | admin | Microsoft Corporation | MEDIUM | Manages scheduled tasks | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2108 | "C:\Windows\System32\schtasks.exe" /delete /f /tn "WinMainF loader for ADMIN" | C:\Windows\System32\schtasks.exe | — | pcF.exe | admin | Microsoft Corporation | MEDIUM | Manages scheduled tasks | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3968 | "C:\Users\admin\AppData\Local\Temp\pcF.exe" | C:\Users\admin\AppData\Local\Temp\pcF.exe | | explorer.exe | admin | FBS | MEDIUM | Windows System Informer | | 4.8.1.0 |
| 4004 | "C:\Windows\System32\schtasks.exe" /delete /f /tn "pcF loader for ADMIN" | C:\Windows\System32\schtasks.exe | — | pcF.exe | admin | Microsoft Corporation | MEDIUM | Manages scheduled tasks | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 4044 | "C:\Windows\System32\schtasks.exe" /delete /f /tn "syscommF loader for ADMIN" | C:\Windows\System32\schtasks.exe | — | pcF.exe | admin | Microsoft Corporation | MEDIUM | Manages scheduled tasks | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| (PID) Process | Operation | Key | Name | Value |
|---|---|---|---|---|
| (3968) pcF.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1 |
| (3968) pcF.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1 |
| (3968) pcF.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1 |
| (3968) pcF.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0 |
| (3968) pcF.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | pcF | "C:\Users\admin\AppData\Local\Temp\pcF.exe" |
| (3968) pcF.exe | write | HKEY_CURRENT_USER\Software\Fnk\Config\784BFE15 | F57B491D | de6c5/iz3gbD6wnC5kZoIKzdLCKUgxyu2Ie1P5UuLBIulT/02HIWmw== |
| (3968) pcF.exe | write | HKEY_CURRENT_USER\Software\Fnk\Config\5453AAAA | D820938E | zhVI5u8D/5qfMvK7MXzbPQ== |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3968 | pcF.exe | C:\Users\admin\AppData\Local\Fnk\pcF\_temp_\request_ip_admin@user-pc.txt | text | B298224D8B0B609CD6B6FD6550899D1F | 143E84A39C4203704D3BC5EABBCAABAF2DED6605E9C1B2C7726BDE0B0355397D |
| 3968 | pcF.exe | C:\Users\admin\AppData\Local\Fnk\pcF\_temp_\request_config_admin@user-pc.txt | text | 3867F2BA830B8F7AB227F569AB8CF88C | 141F7FD66478E5E346D62AF0817FA040430933AC58BEC2F14BD77CB2DF2EC258 |
| 3968 | pcF.exe | C:\Users\admin\AppData\Local\Fnk\pcF\_log_\pcF[2024052121]{admin}(user-pc).lfnk | text | FF4D7595DC551698A588AE2288AF8905 | 62A38FBF6453D9F626A204E71ABA0151982235745BB2E6083D52DA354EB2FFAD |
| 3968 | pcF.exe | C:\Users\admin\AppData\Local\Fnk\pcF\_data_\#3(1)[0521215]admin@user-pc.ufnk | text | C96B1CA3C70CA42FA16C19F7DB8DEECF | 8495B91B93A4ADBE1406D073D02C6D17003FBD83150B36D0D0BFF19FED6AC5B6 |
| 3968 | pcF.exe | C:\Users\admin\AppData\Local\Fnk\pcF\_data_\_snd_\#3(1)[0521215]admin@user-pc.ufnk | text | 271532669556F62C9B7D628B1492E173 | 491139B3274FD3B9E85CD2B7D977AFB4113EAA77FE8CCFE0F8098F7544A3AA7F |
| 3968 | pcF.exe | C:\Users\admin\AppData\Local\Fnk\pcF\_temp_\request_tasklist_admin@user-pc.txt | text | 73BB32E35522047093B05E309422AD92 | 0AE327F0F95ADF95C4FEC625853F400238CE9D5C85EB2E5DD48A7493CE705907 |
| 3968 | pcF.exe | C:\Users\admin\AppData\Local\Fnk\pcF\_temp_\request_geo_admin@user-pc.txt | text | 4B8AF1111547A2EDA57CDBF6EDF9BC5A | 90883221BBC0F602321EC30F44F633464004AC88C8C96FADD5BBE9AFE29A1385 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 224.0.0.252:5355 | — | — | — | unknown |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | unknown |