File name:	19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe
Full analysis:	https://app.any.run/tasks/366c8ab5-cba9-40d8-a004-2150dead4f3c
Verdict:	Malicious activity
Analysis date:	December 22, 2024, 16:24:04
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:	5CA954C3CED923B9D6FDAFB1DF72C7E4
SHA1:	23F1B3C9654012785C6E4147E776C18C3B471EA0
SHA256:	19ABAF55340FF70009D0E622D28844A6159EAF0E449EDA55269CB8B5917B5634
SSDEEP:	1536:ukKRJOd/kibf2bR7m+vbODE7hZegUzNVDtXPGCgtIKlW:u/Cdcibf2bRdvSrzlPGtRlW

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2003:08:06 18:34:23+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	7.1
CodeSize:	61440
InitializedDataSize:	20480
UninitializedDataSize:	-
EntryPoint:	0x11d0
OSVersion:	4
ImageVersion:	10
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config\command
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	Shell
Value: Explorer.exe "C:\recycled\SVCHOST.exe"
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Operation:	write	Name:	UncheckedValue
Value: 1
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Operation:	write	Name:	CheckedValue
Value: 1
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Operation:	write	Name:	CheckedValue
Value: 0
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Operation:	write	Name:	UncheckedValue
Value: 0
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:	write	Name:	{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
Value: 01000000000000001D377EF28D54DB01

PID	Process	Filename		Type
6464	SVCHOST.EXE	C:\Users\admin\AppData\Local\Temp\~DF34EA2716A82E70D8.TMP		binary
		MD5:E71B95C80B2C12FB45260852FF807560	SHA256:73988D9C8B422111F74664272F16398ED92E46A41A45F3AC54875D5DE7B5D0CD
6484	SPOOLSV.EXE	C:\Users\admin\AppData\Local\Temp\~DF1920F7B9B4BC56EB.TMP		binary
		MD5:12A1686DA396B00DD1C7B14AA3ECBAD8	SHA256:578CA66002DF984D48471E90957F7198341ED1FF15B13524C1A988E43A7183F9
6408	19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	C:\Recycled\SMSS.EXE		executable
		MD5:0788179D173422CC09F53DDCF8ED7013	SHA256:04F9B9223F30120EB7F929230D673DBC91286591D51E1166CCDFF55AF0125337
6408	19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	C:\Recycled\SPOOLSV.EXE		executable
		MD5:2CCBA2CF3EFF0BC3B98B9F1F59D27942	SHA256:CCFD03FD8E7F906155AB0072AEDEC870579ED372608F2622A89BEE52C2E9A681
6560	CTFMON.EXE	C:\Users\admin\AppData\Local\Temp\~DF6693C41BD67CA11D.TMP		binary
		MD5:103F7362C9C427FA801CBFCFDD9EBC82	SHA256:1CC081862B13F4B6A921816FFE724A2FCBFEC289E6057FD6259D5F80C6B22886
6436	SVCHOST.EXE	C:\Users\admin\AppData\Local\Temp\~DF03783C5CDA91DF74.TMP		binary
		MD5:8EA0FDE237E7F470E5EC8FA5ED284C77	SHA256:6EF8BAAAE3B8CADE539DCC9415FB9B58EB22ADF71FA8825092A3AB64A4E07C14
6880	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		binary
		MD5:B7983CF69CDDF1C2E4C458B16FD8A76A	SHA256:3DE7FA708B38DDC8B3A55E377180A4076CA54F935625596689678FA958703F4F
6408	19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	C:\Users\admin\Desktop\19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.doc		text
		MD5:EC46F4C503E1400C6B495C6C8727F3BB	SHA256:9285E8C74C035B665E089C205513F8AF2F55560F3A3CCB7793CE3CC2A6F1325A
6636	SVCHOST.EXE	C:\Users\admin\AppData\Local\Temp\~DF7737781ED5F17AE8.TMP		binary
		MD5:BE9F6D0A43BEF1CDE6D4123EBB6E0208	SHA256:D40795BE4607B2B59272BDBE4940E28973EA21B5B936A8986B398245F0D04B32
6680	CTFMON.EXE	C:\Users\admin\AppData\Local\Temp\~DFA74C9D5D1187C296.TMP		binary
		MD5:B1E3767886165D9DB0D1E634850F37B2	SHA256:FCEAE3031D6D1580E9B2BEDC10DE157073E6F5E893A556BE1D00071858588487

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.48.23.30:443	https://omex.cdn.office.net/addinclassifier/officesharedentities	unknown	text	314 Kb	whitelisted
—	—	GET	200	184.24.77.4:443	https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851226.cab	unknown	compressed	34.6 Kb	whitelisted
—	—	POST	200	20.189.173.24:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	binary	9 b	whitelisted
—	—	POST	200	20.189.173.5:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	—	—	whitelisted
—	—	GET	200	184.24.77.20:443	https://binaries.templates.cdn.office.net/support/templates/en-us/tp02835233.cab	unknown	compressed	45.3 Kb	whitelisted
—	—	GET	200	184.24.77.4:443	https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851218.cab	unknown	compressed	31.0 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
440	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.23.209.149:443	www.bing.com	Akamai International B.V.	GB	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6880	WINWORD.EXE	52.109.76.240:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2	whitelisted
www.bing.com	2.23.209.149 2.23.209.150 2.23.209.189 2.23.209.161 2.23.209.176 2.23.209.133 2.23.209.148 2.23.209.140 2.23.209.130	whitelisted
google.com	172.217.23.110	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.120	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
officeclient.microsoft.com	52.109.76.240	whitelisted
omex.cdn.office.net	2.22.242.130 2.22.242.90	whitelisted
ecs.office.com	52.113.194.132	whitelisted
messaging.lifecycle.office.com	52.111.231.13	whitelisted
self.events.data.microsoft.com	104.46.162.224 52.168.117.175	whitelisted

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe

5CA954C3CED923B9D6FDAFB1DF72C7E4

23F1B3C9654012785C6E4147E776C18C3B471EA0

19ABAF55340FF70009D0E622D28844A6159EAF0E449EDA55269CB8B5917B5634

1536:ukKRJOd/kibf2bR7m+vbODE7hZegUzNVDtXPGCgtIKlW:u/Cdcibf2bRdvSrzlPGtRlW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the login/logoff helper path in the registry

SUSPICIOUS

Starts a Microsoft application from unusual location

Executable content was dropped or overwritten

Starts itself from another location

Write to the desktop.ini file (may be used to cloak folders)

The process creates files with name similar to system file names

Application launched itself

Reads security settings of Internet Explorer

Reads the Windows owner or organization settings

INFO

Checks supported languages

Create files in a temporary directory

Failed to create an executable file in Windows directory

The process uses the downloaded file

Reads the computer name

Process checks computer location settings

Sends debugging messages

Drops encrypted VBS script (Microsoft Script Encoder)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings