File name:	Client-built.exe
Full analysis:	https://app.any.run/tasks/9fa3f640-5602-4a0c-9b1e-e31163cb4b04
Verdict:	Malicious activity
Analysis date:	June 21, 2025, 18:11:14
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	crypto-regex
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	94CB0D9A2CA2D98BDC5BAA05546AB5F5
SHA1:	4040574E14C09F677F5A71E2E1839B6818A456D7
SHA256:	143EE58625E20C5A2CEB7ED937566F49A4FEE53B0594AC9C2529A948127A2BAB
SSDEEP:	98304:pwT4OP19cyFbLn40bMkdLDIW2gFyJ8K7SWYaoVJ3p3SAFLRuQfZqzaSdf+Z0KB8B:l

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2053:05:20 22:10:12+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	48
CodeSize:	1939968
InitializedDataSize:	3584
UninitializedDataSize:	-
EntryPoint:	0x1db81e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.6.4.0
ProductVersionNumber:	1.6.4.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	-
FileVersion:	1.6.4
InternalName:	Client.exe
LegalCopyright:	-
LegalTrademarks:	-
OriginalFileName:	Client.exe
ProductName:	-
ProductVersion:	1.6.4
AssemblyVersion:	1.6.4.0

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.55.104.190:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.55.104.190:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
420	RUXIMICS.exe	GET	200	23.55.104.190:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.160.20:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	200	20.190.159.131:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted
420	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	40.126.31.128:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	16.7 Kb	whitelisted
—	—	POST	200	20.190.159.128:443	https://login.live.com/RST2.srf	unknown	xml	11.0 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
420	RUXIMICS.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.55.104.190:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
5944	MoUsoCoreWorker.exe	23.55.104.190:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
420	RUXIMICS.exe	23.55.104.190:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4224	Client-built.exe	193.161.193.99:24753	Slotmode1234567-24753.portmap.io	OOO Bitree Networks	RU	malicious

Domain	IP	Reputation
google.com	142.250.186.174	whitelisted
crl.microsoft.com	23.55.104.190 23.55.104.172 184.24.77.30 184.24.77.14 184.24.77.12 184.24.77.27 184.24.77.23 184.24.77.22 184.24.77.15 184.24.77.17 184.24.77.28	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
Slotmode1234567-24753.portmap.io	193.161.193.99	malicious
login.live.com	40.126.32.133 20.190.160.64 20.190.160.131 40.126.32.68 20.190.160.65 40.126.32.72 20.190.160.5 20.190.160.14	whitelisted
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	whitelisted
client.wns.windows.com	172.211.123.248 172.211.123.249	whitelisted
nexusrules.officeapps.live.com	52.111.229.48	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted

PID	Process	Class	Message
2200	svchost.exe	Potential Corporate Privacy Violation	ET INFO DNS Query to a Reverse Proxy Service Observed
2200	svchost.exe	Misc activity	ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .io)

General Info

Client-built.exe

94CB0D9A2CA2D98BDC5BAA05546AB5F5

4040574E14C09F677F5A71E2E1839B6818A456D7

143EE58625E20C5A2CEB7ED937566F49A4FEE53B0594AC9C2529A948127A2BAB

98304:pwT4OP19cyFbLn40bMkdLDIW2gFyJ8K7SWYaoVJ3p3SAFLRuQfZqzaSdf+Z0KB8B:l

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Potential Corporate Privacy Violation

Found regular expressions for crypto-addresses (YARA)

Connects to unusual port

There is functionality for taking screenshot (YARA)

INFO

Reads the computer name

Reads the machine GUID from the registry

Creates files in the program directory

Checks supported languages

Reads Environment values

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings