Malware analysis 32dd776765476810f31febf445dcd096 Malicious activity

Add for printing

File name:	32dd776765476810f31febf445dcd096
Full analysis:	https://app.any.run/tasks/6d8c46ad-00b4-4960-984d-a212abcb43c2
Verdict:	Malicious activity
Analysis date:	December 19, 2023, 04:38:32
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5:	32DD776765476810F31FEBF445DCD096
SHA1:	ABE06E8B87C47BD667A33F48F435275633FF10FE
SHA256:	0EBD2A7571FCC8CCD6A521263D56B4ED710EBC9A137303C735BCF17843B4B832
SSDEEP:	196608:BfgDDfLMYXqEev3cob+R4bg3W7U/YsSI3OZnAAYFYNyUT0A6dRfK:uPVFev3Pb+IsWNsSI2aaNy6sdRfK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 2180)
  - mscorsvw.exe (PID: 1852)
  - mscorsvw.exe (PID: 2532)
  - mscorsvw.exe (PID: 1776)
  - mscorsvw.exe (PID: 1368)
- Creates a writable file in the system directory
  - taskhost.exe (PID: 2096)
SUSPICIOUS
- Process drops legitimate windows executable
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 2180)
  - mscorsvw.exe (PID: 1852)
  - mscorsvw.exe (PID: 2532)
  - mscorsvw.exe (PID: 1776)
  - mscorsvw.exe (PID: 1368)
- Starts CMD.EXE for commands execution
  - 32dd776765476810f31febf445dcd096.exe (PID: 2760)
- Connects to unusual port
  - 32dd776765476810f31febf445dcd096.exe (PID: 2760)
- Reads the Internet Settings
  - 32dd776765476810f31febf445dcd096.exe (PID: 2760)
- Reads Microsoft Outlook installation path
  - 32dd776765476810f31febf445dcd096.exe (PID: 2760)
- Reads Internet Explorer settings
  - 32dd776765476810f31febf445dcd096.exe (PID: 2760)
- Executes as Windows Service
  - taskhost.exe (PID: 2096)
INFO
- Reads the machine GUID from the registry
  - mscorsvw.exe (PID: 1564)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 2740)
  - mscorsvw.exe (PID: 2980)
  - mscorsvw.exe (PID: 1360)
  - mscorsvw.exe (PID: 2180)
  - mscorsvw.exe (PID: 1456)
  - mscorsvw.exe (PID: 1852)
  - mscorsvw.exe (PID: 2988)
  - mscorsvw.exe (PID: 3044)
  - mscorsvw.exe (PID: 608)
  - mscorsvw.exe (PID: 2532)
  - mscorsvw.exe (PID: 1928)
  - mscorsvw.exe (PID: 2164)
  - mscorsvw.exe (PID: 2252)
  - mscorsvw.exe (PID: 1776)
  - mscorsvw.exe (PID: 1884)
  - mscorsvw.exe (PID: 1120)
  - mscorsvw.exe (PID: 1368)
  - 32dd776765476810f31febf445dcd096.exe (PID: 2760)
- Manual execution by a user
  - mscorsvw.exe (PID: 1564)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 2740)
  - mscorsvw.exe (PID: 2980)
  - mscorsvw.exe (PID: 2180)
  - mscorsvw.exe (PID: 1456)
  - mscorsvw.exe (PID: 1360)
  - mscorsvw.exe (PID: 3044)
  - mscorsvw.exe (PID: 2988)
  - mscorsvw.exe (PID: 2532)
  - mscorsvw.exe (PID: 608)
  - mscorsvw.exe (PID: 1852)
  - mscorsvw.exe (PID: 1928)
  - mscorsvw.exe (PID: 2164)
  - mscorsvw.exe (PID: 2252)
  - mscorsvw.exe (PID: 1776)
  - mscorsvw.exe (PID: 1884)
  - mscorsvw.exe (PID: 1368)
  - mscorsvw.exe (PID: 1120)
  - 32dd776765476810f31febf445dcd096.exe (PID: 2460)
- Checks supported languages
  - mscorsvw.exe (PID: 1564)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 2740)
  - mscorsvw.exe (PID: 2980)
  - mscorsvw.exe (PID: 1360)
  - mscorsvw.exe (PID: 2180)
  - mscorsvw.exe (PID: 1456)
  - mscorsvw.exe (PID: 1852)
  - mscorsvw.exe (PID: 2988)
  - mscorsvw.exe (PID: 3044)
  - mscorsvw.exe (PID: 608)
  - mscorsvw.exe (PID: 1928)
  - mscorsvw.exe (PID: 2164)
  - mscorsvw.exe (PID: 1776)
  - mscorsvw.exe (PID: 2532)
  - mscorsvw.exe (PID: 1884)
  - mscorsvw.exe (PID: 1120)
  - mscorsvw.exe (PID: 1368)
  - mscorsvw.exe (PID: 2252)
  - 32dd776765476810f31febf445dcd096.exe (PID: 2760)
- Reads the computer name
  - mscorsvw.exe (PID: 1564)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 2740)
  - mscorsvw.exe (PID: 2980)
  - mscorsvw.exe (PID: 1360)
  - mscorsvw.exe (PID: 2180)
  - mscorsvw.exe (PID: 1456)
  - mscorsvw.exe (PID: 1852)
  - mscorsvw.exe (PID: 2988)
  - mscorsvw.exe (PID: 3044)
  - mscorsvw.exe (PID: 608)
  - mscorsvw.exe (PID: 1928)
  - mscorsvw.exe (PID: 2164)
  - mscorsvw.exe (PID: 2532)
  - mscorsvw.exe (PID: 1120)
  - mscorsvw.exe (PID: 1776)
  - mscorsvw.exe (PID: 2252)
  - mscorsvw.exe (PID: 1884)
  - mscorsvw.exe (PID: 1368)
  - 32dd776765476810f31febf445dcd096.exe (PID: 2760)
- Create files in a temporary directory
  - 32dd776765476810f31febf445dcd096.exe (PID: 2760)
- Checks proxy server information
  - 32dd776765476810f31febf445dcd096.exe (PID: 2760)
- Creates files or folders in the user directory
  - 32dd776765476810f31febf445dcd096.exe (PID: 2760)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:11:26 16:43:32+01:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	1257472
InitializedDataSize:	25063424
UninitializedDataSize:	-
EntryPoint:	0x1000
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

273

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 280 -NGENProcess 23c -Pipe 314 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

—

mscorsvw.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.8.3761.0 built by: NET48REL1

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll

608

cmd /c del "C:\Users\admin\AppData\Local\Temp\*.dll"

C:\Windows\SysWOW64\cmd.exe

—

32dd776765476810f31febf445dcd096.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1120

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 194 -NGENProcess 278 -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

—

mscorsvw.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.8.3761.0 built by: NET48REL1

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll

1304

cmd /c del "C:\Users\admin\AppData\Local\Temp\*d776765476810f31febf445dcd096.exe"

C:\Windows\SysWOW64\cmd.exe

—

32dd776765476810f31febf445dcd096.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 268 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

—

mscorsvw.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.8.3761.0 built by: NET48REL1

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll

1368

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 194 -InterruptEvent 28c -NGENProcess 2a0 -Pipe 2cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

—

mscorsvw.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.8.3761.0 built by: NET48REL1

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll

1456

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 258 -NGENProcess 288 -Pipe 2e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

—

mscorsvw.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.8.3761.0 built by: NET48REL1

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll

1564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

—

mscorsvw.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.8.3761.0 built by: NET48REL1

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll

1776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 27c -NGENProcess 23c -Pipe 2bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

—

mscorsvw.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.8.3761.0 built by: NET48REL1

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll

1852

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 270 -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

—

mscorsvw.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.8.3761.0 built by: NET48REL1

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll

Add for printing

Total events

2 805

Read events

2 793

Write events

Delete events

Modification events


(PID) Process:	(2760) 32dd776765476810f31febf445dcd096.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2760) 32dd776765476810f31febf445dcd096.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2760) 32dd776765476810f31febf445dcd096.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2760) 32dd776765476810f31febf445dcd096.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2760) 32dd776765476810f31febf445dcd096.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2760) 32dd776765476810f31febf445dcd096.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 46000000C5000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2760) 32dd776765476810f31febf445dcd096.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2760) 32dd776765476810f31febf445dcd096.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2532	mscorsvw.exe	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.Routing\57f2eb187fbbfe1f1ab405edafb08a29\System.Web.Routing.ni.dll		executable
		MD5:9EB6FD95BFDAD59B8C779EEE7B9710EB	SHA256:D92E7E731834A9F9C00FC66496BE3689413E24A8A28CEE1ACAAA5300B19E6930
2840	mscorsvw.exe	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.4961ff77#\7fb3a26ab21674e1e682d3f633a524c1\System.Web.Entity.Design.ni.dll		executable
		MD5:488150E5451B971B7AD192877706D1AD	SHA256:621EA82FBF7F4989854434D8E588B6CB24589646CE7D3C0C44FE54B4A0B7C348
2532	mscorsvw.exe	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.Routing\57f2eb187fbbfe1f1ab405edafb08a29\System.Web.Routing.ni.dll.aux.tmp		binary
		MD5:E9B4F3678C7D4F9D6D9624666F66F160	SHA256:7594DD39B7F2585E5E33589BA73E36E684749BF46174BB29306CA3FEEBFCC3AC
2180	mscorsvw.exe	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.dc83ace6#\1e6861aeb297c08ccefa17d23416d1b3\System.Web.Extensions.Design.ni.dll		executable
		MD5:8670930B956311B6D4C9777D005047E4	SHA256:DFB677C0ED423DEF3FCA660A44AA8149AA9D3675FE2942061EC975D03DE6F9F6
2180	mscorsvw.exe	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.dc83ace6#\1e6861aeb297c08ccefa17d23416d1b3\System.Web.Extensions.Design.ni.dll.aux		binary
		MD5:BECD4EFC5391D24CB2F5ED7C3E9B3157	SHA256:BB29AEF3828B505E4CEF64319A5D5A0CCBA7E1E4A901D0FE8FE5280EBF766578
1852	mscorsvw.exe	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.Mobile\bba235befc5106f3f07e0930960d5a71\System.Web.Mobile.ni.dll.aux		binary
		MD5:F01E86CC073989C35C338E9AB628EE0B	SHA256:4D6D0E59AB2C2C35658F567B1D71AFE423A66BC7F14BF7B93D744BE32F397A2A
1852	mscorsvw.exe	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.Mobile\bba235befc5106f3f07e0930960d5a71\System.Web.Mobile.ni.dll.aux.tmp		binary
		MD5:F01E86CC073989C35C338E9AB628EE0B	SHA256:4D6D0E59AB2C2C35658F567B1D71AFE423A66BC7F14BF7B93D744BE32F397A2A
2532	mscorsvw.exe	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.Routing\57f2eb187fbbfe1f1ab405edafb08a29\System.Web.Routing.ni.dll.aux		binary
		MD5:E9B4F3678C7D4F9D6D9624666F66F160	SHA256:7594DD39B7F2585E5E33589BA73E36E684749BF46174BB29306CA3FEEBFCC3AC
2840	mscorsvw.exe	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.4961ff77#\7fb3a26ab21674e1e682d3f633a524c1\System.Web.Entity.Design.ni.dll.aux		binary
		MD5:1FB6610FD1C92607720887D56C6BB630	SHA256:9460A4DE874DCF7EA7CBBAA45D20A956C2947F12EA86E6B3835F10EA2BDDD12C
2180	mscorsvw.exe	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.dc83ace6#\1e6861aeb297c08ccefa17d23416d1b3\System.Web.Extensions.Design.ni.dll.aux.tmp		pgc
		MD5:BECD4EFC5391D24CB2F5ED7C3E9B3157	SHA256:BB29AEF3828B505E4CEF64319A5D5A0CCBA7E1E4A901D0FE8FE5280EBF766578

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2760	32dd776765476810f31febf445dcd096.exe	GET	200	188.114.96.3:80	http://www.htdlq.com/bmd.txt	unknown	text	1.22 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
1220	svchost.exe	239.255.255.250:3702	—	—	—	whitelisted
352	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2760	32dd776765476810f31febf445dcd096.exe	188.114.96.3:80	www.htdlq.com	CLOUDFLARENET	NL	unknown
2760	32dd776765476810f31febf445dcd096.exe	154.222.224.99:7000	a.0qsf.com	STARCLOUD GLOBAL PTE., LTD.	SC	unknown
2760	32dd776765476810f31febf445dcd096.exe	140.210.19.174:2699	—	CHINATELECOM JiangSu YangZhou IDC networkdescr: YangZhouJiangsu Province, P.R.China.	CN	unknown

DNS requests

Domain	IP	Reputation
www.htdlq.com	188.114.96.3 188.114.97.3	unknown
a.0qsf.com	154.222.224.99	unknown

Threats

No threats detected

Add for printing

No debug info

General Info

32dd776765476810f31febf445dcd096

32DD776765476810F31FEBF445DCD096

ABE06E8B87C47BD667A33F48F435275633FF10FE

0EBD2A7571FCC8CCD6A521263D56B4ED710EBC9A137303C735BCF17843B4B832

196608:BfgDDfLMYXqEev3cob+R4bg3W7U/YsSI3OZnAAYFYNyUT0A6dRfK:uPVFev3Pb+IsWNsSI2aaNy6sdRfK

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Creates a writable file in the system directory

SUSPICIOUS

Process drops legitimate windows executable

Starts CMD.EXE for commands execution

Connects to unusual port

Reads the Internet Settings

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

Executes as Windows Service

INFO

Reads the machine GUID from the registry

Manual execution by a user

Checks supported languages

Reads the computer name

Create files in a temporary directory

Checks proxy server information

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings