File name:	19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe
Full analysis:	https://app.any.run/tasks/366c8ab5-cba9-40d8-a004-2150dead4f3c
Verdict:	Malicious activity
Analysis date:	December 22, 2024, 16:24:04
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:	5CA954C3CED923B9D6FDAFB1DF72C7E4
SHA1:	23F1B3C9654012785C6E4147E776C18C3B471EA0
SHA256:	19ABAF55340FF70009D0E622D28844A6159EAF0E449EDA55269CB8B5917B5634
SSDEEP:	1536:ukKRJOd/kibf2bR7m+vbODE7hZegUzNVDtXPGCgtIKlW:u/Cdcibf2bRdvSrzlPGtRlW

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2003:08:06 18:34:23+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	7.1
CodeSize:	61440
InitializedDataSize:	20480
UninitializedDataSize:	-
EntryPoint:	0x11d0
OSVersion:	4
ImageVersion:	10
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config\command
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	Shell
Value: Explorer.exe "C:\recycled\SVCHOST.exe"
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Operation:	write	Name:	UncheckedValue
Value: 1
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Operation:	write	Name:	CheckedValue
Value: 1
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Operation:	write	Name:	CheckedValue
Value: 0
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Operation:	write	Name:	UncheckedValue
Value: 0
(PID) Process:	(6408) 19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:	write	Name:	{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
Value: 01000000000000001D377EF28D54DB01

PID	Process	Filename		Type
6408	19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	C:\Recycled\desktop.ini		text
		MD5:AD0B0B4416F06AF436328A3C12DC491B	SHA256:23521DE51CA1DB2BC7B18E41DE7693542235284667BF85F6C31902547A947416
6408	19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	C:\Recycled\SPOOLSV.EXE		executable
		MD5:2CCBA2CF3EFF0BC3B98B9F1F59D27942	SHA256:CCFD03FD8E7F906155AB0072AEDEC870579ED372608F2622A89BEE52C2E9A681
6656	SPOOLSV.EXE	C:\Users\admin\AppData\Local\Temp\~DFAC5DE9C1A6288C81.TMP		binary
		MD5:45638515285B284998E3256870EFED0A	SHA256:F1DEC64C759D94C12FC3ECC6237C7402EFCE00370058AF86BFBBBBC3859167B1
6408	19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	C:\Recycled\CTFMON.EXE		executable
		MD5:79F62D3097399A7312ADB8DDF9208061	SHA256:52A3534FB732E4B66F408B93639E84EC719814D3A4F457E9D638F932C130A6D5
6464	SVCHOST.EXE	C:\Users\admin\AppData\Local\Temp\~DF34EA2716A82E70D8.TMP		binary
		MD5:E71B95C80B2C12FB45260852FF807560	SHA256:73988D9C8B422111F74664272F16398ED92E46A41A45F3AC54875D5DE7B5D0CD
6408	19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	C:\Recycled\SVCHOST.EXE		executable
		MD5:48048D48F0B9970C86A38B6AA56BD013	SHA256:912AFD56E8EA6E28BE7477226AA61C7A267DC30F4D75117E44B4E405BE69DD67
6408	19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	C:\Recycled\SMSS.EXE		executable
		MD5:0788179D173422CC09F53DDCF8ED7013	SHA256:04F9B9223F30120EB7F929230D673DBC91286591D51E1166CCDFF55AF0125337
6636	SVCHOST.EXE	C:\Users\admin\AppData\Local\Temp\~DF7737781ED5F17AE8.TMP		binary
		MD5:BE9F6D0A43BEF1CDE6D4123EBB6E0208	SHA256:D40795BE4607B2B59272BDBE4940E28973EA21B5B936A8986B398245F0D04B32
6408	19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe	C:\Users\admin\AppData\Local\Temp\~DFAFA84DAF6A3EBCBB.TMP		binary
		MD5:BFA4FEDB7FF4072B842161FFCCC7F762	SHA256:6A7C05FC01F0E159CBE3E537C5685EFC8E06DA84F5B4EDAC2AE78C4CAE51397C
6560	CTFMON.EXE	C:\Users\admin\AppData\Local\Temp\~DF6693C41BD67CA11D.TMP		binary
		MD5:103F7362C9C427FA801CBFCFDD9EBC82	SHA256:1CC081862B13F4B6A921816FFE724A2FCBFEC289E6057FD6259D5F80C6B22886

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.48.23.30:443	https://omex.cdn.office.net/addinclassifier/officesharedentities	unknown	text	314 Kb	whitelisted
—	—	GET	200	52.109.89.18:443	https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3	unknown	xml	178 Kb	whitelisted
—	—	GET	200	52.111.231.13:443	https://messaging.lifecycle.office.com/getcustommessage16?app=0&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B58307C81-E4CC-4926-A470-B0EAD361F0AD%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofjhlwlmoc1pz531%22%7D	unknown	text	542 b	whitelisted
—	—	GET	200	52.113.194.132:443	https://ecs.office.com/config/v2/Office/word/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=word&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=winword.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b58307C81-E4CC-4926-A470-B0EAD361F0AD%7d&LabMachine=false	unknown	binary	398 Kb	whitelisted
—	—	GET	200	184.24.77.20:443	https://binaries.templates.cdn.office.net/support/templates/en-us/tp02835233.cab	unknown	compressed	45.3 Kb	whitelisted
—	—	POST	200	20.189.173.5:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
440	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.23.209.149:443	www.bing.com	Akamai International B.V.	GB	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6880	WINWORD.EXE	52.109.76.240:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2	whitelisted
www.bing.com	2.23.209.149 2.23.209.150 2.23.209.189 2.23.209.161 2.23.209.176 2.23.209.133 2.23.209.148 2.23.209.140 2.23.209.130	whitelisted
google.com	172.217.23.110	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.120	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
officeclient.microsoft.com	52.109.76.240	whitelisted
omex.cdn.office.net	2.22.242.130 2.22.242.90	whitelisted
ecs.office.com	52.113.194.132	whitelisted
messaging.lifecycle.office.com	52.111.231.13	whitelisted
self.events.data.microsoft.com	104.46.162.224 52.168.117.175	whitelisted

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

19abaf55340ff70009d0e622d28844a6159eaf0e449eda55269cb8b5917b5634.exe

5CA954C3CED923B9D6FDAFB1DF72C7E4

23F1B3C9654012785C6E4147E776C18C3B471EA0

19ABAF55340FF70009D0E622D28844A6159EAF0E449EDA55269CB8B5917B5634

1536:ukKRJOd/kibf2bR7m+vbODE7hZegUzNVDtXPGCgtIKlW:u/Cdcibf2bRdvSrzlPGtRlW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the login/logoff helper path in the registry

SUSPICIOUS

Starts a Microsoft application from unusual location

Write to the desktop.ini file (may be used to cloak folders)

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Starts itself from another location

Application launched itself

Reads security settings of Internet Explorer

Reads the Windows owner or organization settings

INFO

Checks supported languages

Create files in a temporary directory

Failed to create an executable file in Windows directory

Reads the computer name

The process uses the downloaded file

Process checks computer location settings

Drops encrypted VBS script (Microsoft Script Encoder)

Sends debugging messages

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings