File name: ZZZZ.exe
Full analysis: https://app.any.run/tasks/28374412-ab08-482c-a5de-671294eb1b1e
Verdict: Malicious activity
Threats:

Stealers are a category of malware designed to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is distributed primarily through phishing campaigns.

Analysis date: November 11, 2023, 03:28:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 010855A8B5AB33998312B263A89B0277
SHA1: 12F1E6C574D51F9877F312BB51D3EA8B62033966
SHA256: 1FDF339ED3BEDA9B55BCA4BECF1CDB4305877ED4D97F4BD3DA6C815474D31DFC
SSDEEP: 98304:iuRUwHyLntPOpHs68L5Y8y+MTDJOTo8OUc4JHq+U4ZtaPAcV7F8/7oqGOmUPQMaK:fG/vuSz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • ZZZZ.exe (PID: 3428)
      • RtkBtManServ.exe (PID: 2896)
  • SUSPICIOUS
    • Reads the Internet Settings
      • ZZZZ.exe (PID: 3428)
  • INFO
    • Checks supported languages
      • ZZZZ.exe (PID: 3428)
      • RtkBtManServ.exe (PID: 2896)
      • wmpnscfg.exe (PID: 3516)
    • Reads the computer name
      • ZZZZ.exe (PID: 3428)
      • RtkBtManServ.exe (PID: 2896)
      • wmpnscfg.exe (PID: 3516)
    • Reads the machine GUID from the registry
      • ZZZZ.exe (PID: 3428)
      • RtkBtManServ.exe (PID: 2896)
      • wmpnscfg.exe (PID: 3516)
    • Creates files in a temporary directory
      • ZZZZ.exe (PID: 3428)
      • RtkBtManServ.exe (PID: 2896)
    • Reads environment values
      • RtkBtManServ.exe (PID: 2896)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 3516)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration extracted.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (32.4)
.exe | InstallShield setup (19)
.exe | Win64 Executable (generic) (12.2)
.exe | UPX compressed Win32 Executable (11.9)
.exe | Win32 EXE Yoda's Crypter (11.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:11 04:26:56+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 4680704
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x478a6e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: Obfuscated Name.exe
LegalCopyright:
OriginalFileName: Obfuscated Name.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
Screenshots: not reproduced here; all screenshots are available in the full report.
Total processes: 39
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (not reproduced here; see the full report): start → zzzz.exe → rtkbtmanserv.exe; wmpnscfg.exe

Process information

PID: 2896
CMD: "C:\Users\admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs6wQR8sZd8SczlbsJtYKrcu1rESJdyEDgdjhhFBrE3Esg5Ukr5/xJcUSgFlUr6Rh1TjELjxTyTceFWHj5UKWnOvsFQcK5hfD1CcNGAH09bYh7sUalwuexSOUKFvlB1l1cw=
Path: C:\Users\admin\AppData\Local\Temp\RtkBtManServ.exe
Parent process: ZZZZ.exe
User: admin
Integrity Level: MEDIUM
Description: RtkBtManServ
Exit code: 3762504530 (0xE0434352, the .NET CLR unhandled-exception code)
Version: 1.0.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\rtkbtmanserv.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3428
CMD: "C:\Users\admin\AppData\Local\Temp\ZZZZ.exe"
Path: C:\Users\admin\AppData\Local\Temp\ZZZZ.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: (none)
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\zzzz.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3516
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\sspicli.dll
  c:\windows\system32\ole32.dll
Total events: 830
Read events: 819
Write events: 8
Delete events: 3

Modification events

PID | Process | Key | Operation | Name | Value
3428 | ZZZZ.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
3428 | ZZZZ.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
3428 | ZZZZ.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
3428 | ZZZZ.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
3516 | wmpnscfg.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{6A8F3452-E663-4CC5-B608-CBAFEDEBC312}\{839FE3AB-018C-4ADE-8F20-23464A234C77} | delete key | (default) | -
3516 | wmpnscfg.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{6A8F3452-E663-4CC5-B608-CBAFEDEBC312} | delete key | (default) | -
3516 | wmpnscfg.exe | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{250BA96C-01F6-47F9-BA15-A830C0915FB0} | delete key | (default) | -

Executable files: 7
Suspicious files: 19
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2896 | RtkBtManServ.exe | C:\Users\admin\AppData\Local\Temp\bfsvc.cfg | text
  MD5: 51C9E864182413F35B76D42D435DF261
  SHA256: E6C5C674268A865DB840AFD3764CD498BDFD8FE677C5193D662ABBE64D68975B
2896 | RtkBtManServ.exe | C:\Users\admin\AppData\Local\Temp\xwizard.exe | executable
  MD5: DF991217F1CFADD9ACFA56F878DA5EE7
  SHA256: DEB1246347CE88E8CDD63A233A64BC2090B839F2D933A3097A2FD8FD913C4112
2896 | RtkBtManServ.exe | C:\Users\admin\AppData\Local\Temp\winhlp32.exe | executable
  MD5: A776E68F497C996788B406A3DC5089EB
  SHA256: 071E26DDF5323DD9ED6671BCDE89DF73D78BAC2336070E6CB9E3E4B93BDE78D1
3428 | ZZZZ.exe | C:\Users\admin\AppData\Local\Temp\RtkBtManServ.exe | executable
  MD5: 3405F654559010CA2AE38D786389F0F1
  SHA256: BC1364D8E68F515F9F35A6B41C11A649B1F514302EB01812C68C9A95A3198B30
2896 | RtkBtManServ.exe | C:\Users\admin\AppData\Local\Temp\bfsvc.exe | executable
  MD5: 899D3ED011EB58459B8A4FC2B81F0924
  SHA256: 5E3F311AE67F046B56435067BCDD39FBF836FA0421FBC8C8B0E43E8E47524954
2896 | RtkBtManServ.exe | C:\Users\admin\AppData\Local\Temp\xwizard.cfg | text
  MD5: AE8EED5A6B1470AEC0E7FECE8B0669EF
  SHA256: 3F6CA2BC068C8436044DAAB867F8FF8F75060048B29882CB2AC9FDEF1800DF9E
2896 | RtkBtManServ.exe | C:\Users\admin\AppData\Local\Temp\hh.exe | executable
  MD5: 4D4C98ECA32B14AEB074DB34CD0881E4
  SHA256: 4182172A01BDFC08C5CF7E8652F7D9D81858345A770E2B6B507840E4C1C7764F
2896 | RtkBtManServ.exe | C:\Users\admin\AppData\Local\Temp\costura.discord webhook.dll.compressed | binary
  MD5: F999480EC537EC2126251977CBF8F4E3
  SHA256: 84E5C3EAC27895AB23B9F827F9B259F5A1277D4A7F1930D04638FBF47AD4D2CE
2896 | RtkBtManServ.exe | C:\Users\admin\AppData\Local\Temp\costura.bouncycastle.crypto.dll.compressed | binary
  MD5: 891A7BA65F8AA91C477E29A2FBD3DF36
  SHA256: 7A5ECDDEFB79248179900E0F8A601FE7A5E41116B158450F21CA33695DFB492A
2896 | RtkBtManServ.exe | C:\Users\admin\AppData\Local\Temp\splwow64.exe | executable
  MD5: 0D8360781E488E250587A17FBEFA646C
  SHA256: EBFF7D07EFDA7245192CE6ECD7767578152B515B510C887CA2880A2566071F64
Download the PCAP and analyze network streams, HTTP content and more in the full report.
HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
3464 | WerFault.exe | 104.208.16.93:443 | watson.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation
watson.microsoft.com | 104.208.16.93 | whitelisted

Threats

No threats detected
No debug info