Malware analysis 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe Malicious activity

Add for printing

File name:	1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe
Full analysis:	https://app.any.run/tasks/fa284177-b737-44b4-b70b-0c01073a910e
Verdict:	Malicious activity
Analysis date:	March 06, 2024, 14:36:48
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	9BAE6D3AFB22E8F8C8ABA60F652D55EC
SHA1:	9D909C53191DAD75C84C75067594BD470CF34DAC
SHA256:	1E66433493D9AAD550A2FEBE2433BD117129E968B055841C7AE1997369AC0511
SSDEEP:	24576:veZ/rztJZi66lnBNl20zkjTgPwjZalalCvOKUKmH8XW1:vM/rztJZi66lnBNl20zkjTgPwjZalal7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.789.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (112.0.5615.50)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (111.0.1661.62)
Microsoft Edge Update (1.3.173.51)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (111.0.1)
Mozilla Maintenance Service (111.0.1)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.67.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe (PID: 5344)
SUSPICIOUS
- Executes application which crashes
  - 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe (PID: 5344)
- The process checks if it is being run in the virtual environment
  - 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe (PID: 5344)
INFO
- Checks supported languages
  - 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe (PID: 5344)
- Checks proxy server information
  - 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe (PID: 5344)
  - WerFault.exe (PID: 5660)
- Creates files or folders in the user directory
  - WerFault.exe (PID: 5660)
- Reads the machine GUID from the registry
  - 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe (PID: 5344)
- Reads the computer name
  - 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe (PID: 5344)
- Reads Environment values
  - 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe (PID: 5344)
- Reads the software policy settings
  - WerFault.exe (PID: 5660)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (64.5)
.dll	\|	Win32 Dynamic Link Library (generic) (13.6)
.exe	\|	Win32 Executable (generic) (9.3)
.exe	\|	Win16/32 Executable Delphi generic (4.2)
.exe	\|	Generic Win/DOS Executable (4.1)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:02:23 16:20:28+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	441856
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0xb8860
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

138

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1504

"C:\Users\admin\AppData\Local\Temp\1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe"

C:\Users\admin\AppData\Local\Temp\1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Version:

0.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

2128

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

4620

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5344

"C:\Users\admin\AppData\Local\Temp\1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe"

C:\Users\admin\AppData\Local\Temp\1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Version:

0.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

5660

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5344 -s 1768

C:\Windows\SysWOW64\WerFault.exe

1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.1081 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

Add for printing

Total events

6 924

Read events

6 870

Write events

Delete events

Modification events


(PID) Process:	(5660) WerFault.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\{11517B7C-E79D-4e20-961B-75A811715ADD}
Operation:	write	Name:	CreatingCommand
Value: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5344 -s 1768
(PID) Process:	(5660) WerFault.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\{11517B7C-E79D-4e20-961B-75A811715ADD}
Operation:	write	Name:	CreatingModule
Value: C:\WINDOWS\SYSTEM32\aepic.dll
(PID) Process:	(5660) WerFault.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
Operation:	write	Name:	AmiHivePermissionsCorrect
Value: 1
(PID) Process:	(5660) WerFault.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
Operation:	write	Name:	AmiHiveOwnerCorrect
Value: 1
(PID) Process:	(5660) WerFault.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\{11517B7C-E79D-4e20-961B-75A811715ADD}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5660) WerFault.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:	write	Name:	PendingFileRenameOperations
Value: \??\C:\WINDOWS\AppCompat\Programs\Amcache.hve.tmp
(PID) Process:	(5660) WerFault.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
Operation:	write	Name:	AmiOverridePath
Value: C:\WINDOWS\AppCompat\Programs\Amcache.hve.tmp
(PID) Process:	(5660) WerFault.exe	Key:	\REGISTRY\A\{06e17f17-4859-d8ff-dbb3-32b3066dadde}\Root\InventoryApplicationFile
Operation:	write	Name:	WritePermissionsCheck
Value: 1
(PID) Process:	(5660) WerFault.exe	Key:	\REGISTRY\A\{06e17f17-4859-d8ff-dbb3-32b3066dadde}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5660) WerFault.exe	Key:	\REGISTRY\A\{06e17f17-4859-d8ff-dbb3-32b3066dadde}\Root\InventoryApplicationFile
Operation:	write	Name:	ProviderSyncId
Value: {7248a47a-2e3b-4058-a102-29bf178e2400}

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5660	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_BLDKKXZWX3CK2JDG_2a79d9ef4fd88c562998e466b6ef5b773649685_a03d2668_d13f7cbd-5f42-4bb8-b885-6c5c9144b7e9\Report.wer		—
		MD5:—	SHA256:—
5660	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe.5344.dmp		—
		MD5:—	SHA256:—
5660	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER47CB.tmp.WERInternalMetadata.xml		xml
		MD5:7E481A9D3B50A26CA93631D27C0C57E7	SHA256:D0CA18947309B7EEF7F8A4FE5EA57DDBD5B887624AD818214A86476743DF04EA
5660	WerFault.exe	C:\WINDOWS\AppCompat\Programs\Amcache.hve.tmp		hiv
		MD5:C1183B8065C2DD3FB2A4DB1CFA520B0D	SHA256:E463CE0690BF102D4702184187C0DB53FEFF97D1A8149ED0CFEF8DCE34BE3581
5660	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER471E.tmp.dmp		binary
		MD5:40660062A75F3F45A2AE25C645FE836A	SHA256:B2253B67DC0BCDCC7D6D57A78B66F09770DDA2D10DCC1CD4B7A19CCBB86A9661
5660	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER47EB.tmp.xml		xml
		MD5:1E40D87AF29D644C0637D10451F8A558	SHA256:C56AA7D72E76DB0E165D3F6E906A224C925D44D7556AAB3F3279391100206081
5660	WerFault.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE		binary
		MD5:76DAED5BA8474A1978C74FB7B00485E2	SHA256:F519CDFBB6C6D8C9E60054A79C7DA3422F2822C7687376A1CB5C2DBEC2F74968
5344	1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	C:\Users\admin\AppData\Local\Temp\System Components 0a.txt		text
		MD5:204F8525B15C9FB7B6B02706939CF9E3	SHA256:C1365FD3516ABBFA2C0B9E4AAEF514AD97D7DAEE9F9370C073CBE75EB7E0FD92
5344	1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	C:\Users\admin\AppData\Local\Temp\Running Services 5e.txt		text
		MD5:F45602DA80880331A970B9A174BA1E89	SHA256:C7063B77AD04C9518E7F8743E62683EDB74D0C0B381BA4CB9ECC5D93F327B918
5344	1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	C:\Users\admin\AppData\Local\Temp\Installed Programs fc.txt		text
		MD5:9FE3E9FBA5C9F39C7C244BD808A9777F	SHA256:6FD5F361A1FEAA428050DA60111432F85E03ED3D7571D5B86CEC3C77296C9D10

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5660	WerFault.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	binary	1.01 Kb	unknown
5344	1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	POST	520	104.21.10.249:80	http://cauth.pythaxprivate.net/api/handler.php?type=init	unknown	text	15 b	unknown
6904	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	binary	1.01 Kb	unknown
4492	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D	unknown	binary	471 b	unknown
1268	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D	unknown	binary	313 b	unknown
—	—	GET	200	72.246.169.163:80	http://x1.c.lencr.org/	unknown	binary	717 b	unknown
5928	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	binary	471 b	unknown
5660	WerFault.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	binary	814 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	unknown
6904	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5928	svchost.exe	20.190.159.73:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6896	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3848	svchost.exe	239.255.255.250:1900	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
5928	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5660	WerFault.exe	52.168.117.173:443	umwatson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
5660	WerFault.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
5660	WerFault.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
ocsp.digicert.com	192.229.221.95	whitelisted
umwatson.events.data.microsoft.com	52.168.117.173	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
cauth.pythaxprivate.net	104.21.10.249 172.67.164.216	malicious
www.bing.com	92.122.215.56 92.122.215.74 92.122.215.65 92.122.215.55 92.122.215.72 92.122.215.58 92.122.215.57 92.122.215.60 92.122.215.98	whitelisted
arc.msn.com	20.223.35.26	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted

Threats

PID	Process	Class	Message
—	—	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
—	—	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
—	—	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
—	—	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
—	—	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
—	—	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)

Add for printing

Process	Message
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

General Info

1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe

9BAE6D3AFB22E8F8C8ABA60F652D55EC

9D909C53191DAD75C84C75067594BD470CF34DAC

1E66433493D9AAD550A2FEBE2433BD117129E968B055841C7AE1997369AC0511

24576:veZ/rztJZi66lnBNl20zkjTgPwjZalalCvOKUKmH8XW1:vM/rztJZi66lnBNl20zkjTgPwjZalal7

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Executes application which crashes

The process checks if it is being run in the virtual environment

INFO

Checks supported languages

Checks proxy server information

Creates files or folders in the user directory

Reads the machine GUID from the registry

Reads the computer name

Reads Environment values

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings