File name:

Init.exe

Full analysis: https://app.any.run/tasks/caf76339-2bc0-4723-9f31-b840c68a92c8
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: December 16, 2024, 21:12:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
stealer
arch-doc
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (DLL) (GUI) x86-64, for MS Windows, 6 sections
MD5:

B06AC7307D9317F49EC409DC2BBE5EB2

SHA1:

13D6D272AF20BE819BE7666B2F11E391F2C16C66

SHA256:

0D722A7D5453A919BC699736A13177DEBBA514FEAA96FF6F464E8D3EEF571131

SSDEEP:

49152:bd0ph3yQV3Xrnxh1cjg/fkLh06KH4DQl8colaAZTqLktzo/42Suw2Gk4PH:bd0ph3yQVrbOjgf6qlt472Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • rundll32.exe (PID: 6208)
    • Actions looks like stealing of personal data

      • rundll32.exe (PID: 6208)
  • SUSPICIOUS

    • Uses WMIC.EXE to obtain Windows Installer data

      • rundll32.exe (PID: 6208)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 6268)
    • Uses WMIC.EXE to obtain computer system information

      • rundll32.exe (PID: 6208)
    • Uses WMIC.EXE to obtain a list of video controllers

      • rundll32.exe (PID: 6208)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 6632)
    • Uses WMIC.EXE to obtain CPU information

      • rundll32.exe (PID: 6208)
    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 6804)
    • Uses WMIC.EXE to obtain operating system information

      • rundll32.exe (PID: 6208)
    • Checks for external IP

      • rundll32.exe (PID: 6208)
    • Potential Corporate Privacy Violation

      • rundll32.exe (PID: 6208)
    • Connects to unusual port

      • rundll32.exe (PID: 6208)
  • INFO

    • The sample compiled with polish language support

      • rundll32.exe (PID: 6208)
    • Reads the software policy settings

      • rundll32.exe (PID: 6208)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6268)
      • WMIC.exe (PID: 6516)
      • WMIC.exe (PID: 6632)
      • WMIC.exe (PID: 6712)
      • WMIC.exe (PID: 6804)
      • notepad.exe (PID: 7104)
    • Create files in a temporary directory

      • rundll32.exe (PID: 6208)
    • Manual execution by a user

      • notepad.exe (PID: 7104)
    • Creates files or folders in the user directory

      • rundll32.exe (PID: 6208)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:11:26 20:49:23+00:00
ImageFileCharacteristics: Executable, Large address aware, DLL
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 1291264
InitializedDataSize: 260096
UninitializedDataSize: -
EntryPoint: 0x12cb84
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.3.3.7
ProductVersionNumber: 1.3.3.7
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: Polish
CharacterSet: Unicode
CompanyName: Golb Company
FileDescription: Golb Company
FileVersion: 1.3.3.7
InternalName: Golb Company
LegalCopyright: Copyright (C) 2024
OriginalFileName: w nosie pustka słychać szmery.dll
ProductName: Internal Ghost Client
ProductVersion: 1.3.3.7
No data.
All screenshots are available in the full report
Total processes
140
Monitored processes
13
Malicious processes
1
Suspicious processes
0

Behavior graph

Processes in the graph, in launch order ("no specs" is the graph's label for a node with no indicators attached):
start
rundll32.exe
wmic.exe (no specs) -> conhost.exe (no specs), repeated five times
rundll32.exe (no specs)
notepad.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
3640
CMD:
C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path:
C:\Windows\System32\rundll32.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID:
6208
CMD:
"C:\WINDOWS\System32\rundll32.exe" C:\Users\admin\Desktop\Init.exe.dll, #1
Path:
C:\Windows\System32\rundll32.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
4294964242
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID:
6268
CMD:
wmic csproduct get uuid
Path:
C:\Windows\System32\wbem\WMIC.exe
Parent process:
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
6276
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6516
CMD:
wmic computersystem get totalphysicalmemory
Path:
C:\Windows\System32\wbem\WMIC.exe
Parent process:
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
6528
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6632
CMD:
wmic path win32_VideoController get name
Path:
C:\Windows\System32\wbem\WMIC.exe
Parent process:
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
6640
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6712
CMD:
wmic cpu get Name
Path:
C:\Windows\System32\wbem\WMIC.exe
Parent process:
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
6720
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
1 641
Read events
1 641
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
15
Text files
4
Unknown types
0

Dropped files

PID | Process | Filename | Type
6208 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\History\Firefox History.txt | text
MD5: 02E065C167CD2076553C1FE55F7E6327
SHA256: CAFC8175FE68BD27C36EEA9B0579C94DC396B6239503E1265D3412F26C7C7431
6208 | rundll32.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm | binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6208 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\dqw01dad.png | image
MD5: D2A67FB7B10779C29FFA82102919ED0B
SHA256: C29CF84D3FD44C2307D3376FFC791382F7F5E350AA2DB38B48CB9119142E5C4C
6208 | rundll32.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\places.sqlite-shm | binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6208 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\XbkmYijY.json | text
MD5: B0A543427AD72DFF0C047E92F3F132E1
SHA256: A8BE03E83C947FC1249BB14AC2CDC8BE4838C0912175CD761E9954C8268DA11D
6208 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\admin-Follow.ghost | compressed
MD5: 3DC294FC8CCC02CF61F803B5BE70CC0E
SHA256: 64ACE1417FB646FF3FC8897C50818A4B724FC7060935D104672DC00A03A1A3DD
6208 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\History\Edge History.txt | text
MD5: 57DE30B8AF3C17709D22B6C9733A377A
SHA256: 9A988CF01516FA2AC19C99D5D153D0BF00209EB33D946A5B05B4A884ABF57C36
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
47
DNS requests
21
Threats
4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(the Type and Size columns carry no values in this extract; "-" marks a field the report left empty)
- | - | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6208 | rundll32.exe | GET | 200 | 87.98.150.247:40053 | http://87.98.150.247:40053/dqw3udn9uwhfu?xaowdo0adm=b0e1689eec6d82651289a0bd37c9af150f23e3256bc61a1eec330e36ad5c7de2.json | unknown | unknown
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2744 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
2744 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6208 | rundll32.exe | POST | 200 | 87.98.150.247:40053 | http://87.98.150.247:40053/001 | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
("-" marks a field the report left empty)
- | - | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 92.123.104.7:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4536 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.143
  • 23.48.23.176
  • 23.48.23.164
  • 23.48.23.166
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 23.52.120.96
whitelisted
google.com
  • 216.58.206.46
whitelisted
www.bing.com
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
api64.ipify.org
  • 104.237.62.213
  • 173.231.16.77
unknown
login.live.com
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
6208 | rundll32.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2 ETPRO signatures available at the full report
No debug info