File name:

fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exe

Full analysis: https://app.any.run/tasks/c981e3fa-74a4-4ce9-a49b-e5ead6dbb8ba
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: February 02, 2025, 17:17:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
johnnie
backdoor
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

B70AA6E991B42E78A1D733F79BE471C5

SHA1:

AFDD255AF75EBC2F8F2FEDF62A3488EC170C72C0

SHA256:

FE7243DC134D131DEC74C5DD59F6C62E506F2BC5161E75430F9E14F64D8FD8AD

SSDEEP:

6144:lXqVs6VCP7VhRtCPoHDARle+RLl+Up5j+axib7j:lXMszVhaPG0leQLl+Up5j1ib7j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 5308)

    • JOHNNIE mutex has been found

      • winupdt.exe (PID: 1804)

  • SUSPICIOUS

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2928)
      • cmd.exe (PID: 5872)
      • cmd.exe (PID: 4672)
      • cmd.exe (PID: 4052)
      • cmd.exe (PID: 5788)

    • Reads security settings of Internet Explorer

      • fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exe (PID: 4740)

    • Executing commands from a ".bat" file

      • fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exe (PID: 4740)

    • Starts CMD.EXE for commands execution

      • fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exe (PID: 4740)
      • winupdt.exe (PID: 1804)

    • Probably fake Windows Update

      • reg.exe (PID: 5308)
      • winupdt.exe (PID: 4592)
      • winupdt.exe (PID: 1804)
      • reg.exe (PID: 5920)
      • reg.exe (PID: 5432)
      • cmd.exe (PID: 4672)
      • cmd.exe (PID: 5788)

    • Probably fake Windows Update file has been dropped

      • fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exe (PID: 4740)
      • winupdt.exe (PID: 1804)

    • Executable content was dropped or overwritten

      • fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exe (PID: 4740)
      • winupdt.exe (PID: 1804)

    • Starts itself from another location

      • fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exe (PID: 4740)

    • Application launched itself

      • winupdt.exe (PID: 4592)

    • There is functionality for taking screenshot (YARA)

      • winupdt.exe (PID: 1804)

  • INFO

    • Checks supported languages

      • fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exe (PID: 4740)
      • winupdt.exe (PID: 4592)
      • winupdt.exe (PID: 1804)

    • Reads the computer name

      • fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exe (PID: 4740)
      • winupdt.exe (PID: 4592)
      • winupdt.exe (PID: 1804)

    • The sample compiled with english language support

      • fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exe (PID: 4740)
      • winupdt.exe (PID: 1804)

    • Create files in a temporary directory

      • fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exe (PID: 4740)

    • Process checks computer location settings

      • fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exe (PID: 4740)

    • Creates files or folders in the user directory

      • fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exe (PID: 4740)
      • winupdt.exe (PID: 1804)

    • UPX packer has been detected

      • winupdt.exe (PID: 1804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (47.7)
.exe | Win64 Executable (generic) (16)
.exe | UPX compressed Win32 Executable (15.7)
.exe | Win32 EXE Yoda's Crypter (15.4)
.exe | Win32 Executable (generic) (2.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:02:26 02:03:02+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 315392
InitializedDataSize: 4096
UninitializedDataSize: 1318912
EntryPoint: 0x10c4
OSVersion: 4
ImageVersion: 31.9
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 31.9.0.7
ProductVersionNumber: 31.9.0.7
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: NYWZLFQEC
CompanyName: CITIUPIBA
FileDescription: VWTLUHEKD
ProductName: ROMSBFGEA
FileVersion: 31.09.0007
ProductVersion: 31.09.0007
InternalName: hyaogec
OriginalFileName: hyaogec.exe
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
19
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exe cmd.exe no specs conhost.exe no specs reg.exe winupdt.exe no specs #JOHNNIE winupdt.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1020\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1476REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /fC:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1744\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1804"C:\Users\admin\AppData\Roaming\Windows Update\winupdt.exe"C:\Users\admin\AppData\Roaming\Windows Update\winupdt.exe
winupdt.exe
User:
admin
Company:
CITIUPIBA
Integrity Level:
MEDIUM
Description:
VWTLUHEKD
Version:
31.09.0007
Modules
Images
c:\users\admin\appdata\roaming\windows update\winupdt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2928C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\reXVQ.bat" "C:\Windows\SysWOW64\cmd.exefe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3032REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /fC:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4052cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /fC:\Windows\SysWOW64\cmd.exewinupdt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4592"C:\Users\admin\AppData\Roaming\Windows Update\winupdt.exe" C:\Users\admin\AppData\Roaming\Windows Update\winupdt.exefe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exe
User:
admin
Company:
CITIUPIBA
Integrity Level:
MEDIUM
Description:
VWTLUHEKD
Exit code:
0
Version:
31.09.0007
Modules
Images
c:\users\admin\appdata\roaming\windows update\winupdt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
4672cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /fC:\Windows\SysWOW64\cmd.exewinupdt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
1 023
Read events
1 020
Write events
3
Delete events
0

Modification events

(PID) Process:(5308) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Window Updates
Value:
C:\Users\admin\AppData\Roaming\Windows Update\winupdt.exe
(PID) Process:(1804) winupdt.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\SrvID\ID
Operation:writeName:DZ85WJDHN3
Value:
Dark Eye
(PID) Process:(1804) winupdt.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\INSTALL\DATE
Operation:writeName:DZ85WJDHN3
Value:
February 2, 2025
Executable files
3
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
4740fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exeC:\Users\admin\AppData\Local\Temp\reXVQ.txttext
MD5:7C0DA86D75FAC7AAA6A8B6739493B7BD
SHA256:3930401762D7F33C0170FC296A6AE3BAE549239FDDF048042E24A31C8987B2A4
1804winupdt.exeC:\Users\admin\AppData\Roaming\data.dattext
MD5:ED20C2DD10F6C8B4C00B81A673BA9998
SHA256:F417AF7B97644BB5626DAF2123EEAAD8EF066064F3220B20300E5346A60E6DC5
1804winupdt.exeC:\Users\admin\AppData\Roaming\Windows Updater.exeexecutable
MD5:8446D7C191E2F97AE4A440AA57F5D2CB
SHA256:90BEAD742C95D3D15BF79FFF5893F2432A0AA878D4C70FD981E37D9A9398F93B
4740fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exeC:\Users\admin\AppData\Roaming\Windows Update\winupdt.exeexecutable
MD5:8446D7C191E2F97AE4A440AA57F5D2CB
SHA256:90BEAD742C95D3D15BF79FFF5893F2432A0AA878D4C70FD981E37D9A9398F93B
4740fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exeC:\Users\admin\AppData\Local\Temp\reXVQ.battext
MD5:7C0DA86D75FAC7AAA6A8B6739493B7BD
SHA256:3930401762D7F33C0170FC296A6AE3BAE549239FDDF048042E24A31C8987B2A4
4740fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exeC:\Users\admin\AppData\Roaming\Windows Update\winupdt.txtexecutable
MD5:B70AA6E991B42E78A1D733F79BE471C5
SHA256:FE7243DC134D131DEC74C5DD59F6C62E506F2BC5161E75430F9E14F64D8FD8AD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
22
DNS requests
19
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
95.101.78.32:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2736
svchost.exe
GET
200
95.101.78.32:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2736
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
2736
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
92.123.104.28:443
www.bing.com
Akamai International B.V.
DE
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
95.101.78.32:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2736
svchost.exe
95.101.78.32:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2736
svchost.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
www.bing.com
  • 92.123.104.28
  • 92.123.104.41
  • 92.123.104.35
  • 92.123.104.40
  • 92.123.104.32
  • 92.123.104.37
  • 92.123.104.38
  • 92.123.104.27
  • 92.123.104.34
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 95.101.78.32
  • 95.101.78.42
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
havefunnuke.servequake.com
unknown
self.events.data.microsoft.com
  • 20.189.173.12
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DNS Query to DynDNS Domain *.servequake .com
2192
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DNS Query to DynDNS Domain *.servequake .com
2192
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DNS Query to DynDNS Domain *.servequake .com
2192
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DNS Query to DynDNS Domain *.servequake .com
2192
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DNS Query to DynDNS Domain *.servequake .com
2192
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DNS Query to DynDNS Domain *.servequake .com
2192
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DNS Query to DynDNS Domain *.servequake .com
2192
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DNS Query to DynDNS Domain *.servequake .com
2192
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DNS Query to DynDNS Domain *.servequake .com
2192
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DNS Query to DynDNS Domain *.servequake .com
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
fe7243dc134d131dec74c5dd59f6c62e506f2bc5161e75430f9e14f64d8fd8ad.exe