Malware analysis 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe Malicious activity

Add for printing

File name:	1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe
Full analysis:	https://app.any.run/tasks/fa284177-b737-44b4-b70b-0c01073a910e
Verdict:	Malicious activity
Analysis date:	March 06, 2024, 14:36:48
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	9BAE6D3AFB22E8F8C8ABA60F652D55EC
SHA1:	9D909C53191DAD75C84C75067594BD470CF34DAC
SHA256:	1E66433493D9AAD550A2FEBE2433BD117129E968B055841C7AE1997369AC0511
SSDEEP:	24576:veZ/rztJZi66lnBNl20zkjTgPwjZalalCvOKUKmH8XW1:vM/rztJZi66lnBNl20zkjTgPwjZalal7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.789.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (112.0.5615.50)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (111.0.1661.62)
Microsoft Edge Update (1.3.173.51)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (111.0.1)
Mozilla Maintenance Service (111.0.1)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.67.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe (PID: 5344)
SUSPICIOUS
- Executes application which crashes
  - 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe (PID: 5344)
- The process checks if it is being run in the virtual environment
  - 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe (PID: 5344)
INFO
- Checks supported languages
  - 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe (PID: 5344)
- Reads the computer name
  - 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe (PID: 5344)
- Checks proxy server information
  - WerFault.exe (PID: 5660)
  - 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe (PID: 5344)
- Reads the software policy settings
  - WerFault.exe (PID: 5660)
- Reads the machine GUID from the registry
  - 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe (PID: 5344)
- Creates files or folders in the user directory
  - WerFault.exe (PID: 5660)
- Reads Environment values
  - 1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe (PID: 5344)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (64.5)
.dll	\|	Win32 Dynamic Link Library (generic) (13.6)
.exe	\|	Win32 Executable (generic) (9.3)
.exe	\|	Win16/32 Executable Delphi generic (4.2)
.exe	\|	Generic Win/DOS Executable (4.1)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:02:23 16:20:28+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	441856
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0xb8860
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

138

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1504

"C:\Users\admin\AppData\Local\Temp\1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe"

C:\Users\admin\AppData\Local\Temp\1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Version:

0.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

2128

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

4620

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5344

"C:\Users\admin\AppData\Local\Temp\1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe"

C:\Users\admin\AppData\Local\Temp\1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Version:

0.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

5660

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5344 -s 1768

C:\Windows\SysWOW64\WerFault.exe

1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.1081 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

Add for printing

Total events

6 924

Read events

6 870

Write events

Delete events

Modification events


(PID) Process:	(5660) WerFault.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\{11517B7C-E79D-4e20-961B-75A811715ADD}
Operation:	write	Name:	CreatingCommand
Value: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5344 -s 1768
(PID) Process:	(5660) WerFault.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\{11517B7C-E79D-4e20-961B-75A811715ADD}
Operation:	write	Name:	CreatingModule
Value: C:\WINDOWS\SYSTEM32\aepic.dll
(PID) Process:	(5660) WerFault.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
Operation:	write	Name:	AmiHivePermissionsCorrect
Value: 1
(PID) Process:	(5660) WerFault.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
Operation:	write	Name:	AmiHiveOwnerCorrect
Value: 1
(PID) Process:	(5660) WerFault.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\{11517B7C-E79D-4e20-961B-75A811715ADD}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5660) WerFault.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:	write	Name:	PendingFileRenameOperations
Value: \??\C:\WINDOWS\AppCompat\Programs\Amcache.hve.tmp
(PID) Process:	(5660) WerFault.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
Operation:	write	Name:	AmiOverridePath
Value: C:\WINDOWS\AppCompat\Programs\Amcache.hve.tmp
(PID) Process:	(5660) WerFault.exe	Key:	\REGISTRY\A\{06e17f17-4859-d8ff-dbb3-32b3066dadde}\Root\InventoryApplicationFile
Operation:	write	Name:	WritePermissionsCheck
Value: 1
(PID) Process:	(5660) WerFault.exe	Key:	\REGISTRY\A\{06e17f17-4859-d8ff-dbb3-32b3066dadde}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5660) WerFault.exe	Key:	\REGISTRY\A\{06e17f17-4859-d8ff-dbb3-32b3066dadde}\Root\InventoryApplicationFile
Operation:	write	Name:	ProviderSyncId
Value: {7248a47a-2e3b-4058-a102-29bf178e2400}

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5660	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_BLDKKXZWX3CK2JDG_2a79d9ef4fd88c562998e466b6ef5b773649685_a03d2668_d13f7cbd-5f42-4bb8-b885-6c5c9144b7e9\Report.wer		—
		MD5:—	SHA256:—
5660	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe.5344.dmp		—
		MD5:—	SHA256:—
5660	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER471E.tmp.dmp		binary
		MD5:40660062A75F3F45A2AE25C645FE836A	SHA256:B2253B67DC0BCDCC7D6D57A78B66F09770DDA2D10DCC1CD4B7A19CCBB86A9661
5344	1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe.log		text
		MD5:8827795F95812BB921789902E8A16477	SHA256:84A3072F2C5F52C25E9A87539201B3201AD1CB061E4A9A3D943DEB85E47B6E99
5660	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER47EB.tmp.xml		xml
		MD5:1E40D87AF29D644C0637D10451F8A558	SHA256:C56AA7D72E76DB0E165D3F6E906A224C925D44D7556AAB3F3279391100206081
5344	1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	C:\Users\admin\AppData\Local\Temp\Running Processes 53.txt		text
		MD5:AEC131FAF399BB59A0E4EFCC627492A8	SHA256:7902F0FEF5A8161853BFB098D37CD3A4A0FDD9E1A8568FB3F848025FB23D5D30
5660	WerFault.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785		binary
		MD5:FE7C7BD6FB8E09B893382BCF7515E984	SHA256:375069944A918EB3FA6BF9B2732C7CFA90B66CCC7567DA3745A8BF9ACB6542CA
5344	1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	C:\Users\admin\AppData\Local\Temp\SPOILER_cb.png		image
		MD5:8DB3B15330D42119971E3019B4A4FD90	SHA256:F7547334C207E24AD5723ACB1F0C43ABA9569DBCB09EF5A2304D07C0E035FC01
5660	WerFault.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785		binary
		MD5:F9067921340874891DCA43F5AF84D883	SHA256:7A24E5F86878964A9BA59E4427A2669A921D51F8060A9B538D88F4A9FA45E551
5344	1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	C:\Users\admin\AppData\Local\Temp\System Components 0a.txt		text
		MD5:204F8525B15C9FB7B6B02706939CF9E3	SHA256:C1365FD3516ABBFA2C0B9E4AAEF514AD97D7DAEE9F9370C073CBE75EB7E0FD92

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5928	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	binary	471 b	—
5660	WerFault.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	binary	1.01 Kb	—
5660	WerFault.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	binary	814 b	—
6904	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	binary	1.01 Kb	—
5344	1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	POST	520	104.21.10.249:80	http://cauth.pythaxprivate.net/api/handler.php?type=init	unknown	text	15 b	—
1268	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D	unknown	binary	313 b	—
4492	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D	unknown	binary	471 b	—
—	—	GET	200	72.246.169.163:80	http://x1.c.lencr.org/	unknown	binary	717 b	—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	unknown
6904	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5928	svchost.exe	20.190.159.73:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
6896	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3848	svchost.exe	239.255.255.250:1900	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	unknown
5928	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	unknown
5660	WerFault.exe	52.168.117.173:443	umwatson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
5660	WerFault.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
5660	WerFault.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	unknown

DNS requests

Domain	IP	Reputation
ocsp.digicert.com	192.229.221.95	unknown
umwatson.events.data.microsoft.com	52.168.117.173	unknown
crl.microsoft.com	23.216.77.28 23.216.77.6	unknown
www.microsoft.com	88.221.169.152	unknown
settings-win.data.microsoft.com	51.104.136.2	unknown
cauth.pythaxprivate.net	104.21.10.249 172.67.164.216	unknown
www.bing.com	92.122.215.56 92.122.215.74 92.122.215.65 92.122.215.55 92.122.215.72 92.122.215.58 92.122.215.57 92.122.215.60 92.122.215.98	unknown
arc.msn.com	20.223.35.26	unknown
slscr.update.microsoft.com	20.12.23.50	unknown
fe3cr.delivery.mp.microsoft.com	20.3.187.198	unknown

Threats

PID	Process	Class	Message
—	—	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
—	—	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
—	—	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
—	—	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
—	—	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
—	—	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)

Add for printing

Process	Message
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

General Info

1e66433493d9aad550a2febe2433bd117129e968b055841c7ae1997369ac0511.exe

9BAE6D3AFB22E8F8C8ABA60F652D55EC

9D909C53191DAD75C84C75067594BD470CF34DAC

1E66433493D9AAD550A2FEBE2433BD117129E968B055841C7AE1997369AC0511

24576:veZ/rztJZi66lnBNl20zkjTgPwjZalalCvOKUKmH8XW1:vM/rztJZi66lnBNl20zkjTgPwjZalal7

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Executes application which crashes

The process checks if it is being run in the virtual environment

INFO

Checks supported languages

Reads the computer name

Checks proxy server information

Reads the software policy settings

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads Environment values

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings