File name:

BN2FDA.tmp.exe

Full analysis: https://app.any.run/tasks/0ef23fd2-bad3-4c46-9ed0-ea5fcf6f9b98
Verdict: Malicious activity
Analysis date: April 29, 2025, 10:37:19
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

E2C221A343F316B43E50A802F5DFA067

SHA1:

5D05A6AA89287B245E50BD279AA3F307E9F91DD3

SHA256:

220C3EA724B1EC9CA2095B67F359035512FCEBB7B8C32EA8298BE030A82E97B1

SSDEEP:

3072:6FuKUGW1g5ljGUvHHZK6TXLmHO/FkYStbWSMj9jiPsIBIAJLUULRg0j4kWR3kUBe:6FuKEgXyqgEKFYdS29ePsIVhruR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connects to the CnC server

      • explorer.exe (PID: 5376)

  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • explorer.exe (PID: 5376)

    • Contacting a server suspected of hosting an CnC

      • explorer.exe (PID: 5376)

  • INFO

    • The sample compiled with english language support

      • BN2FDA.tmp.exe (PID: 496)

    • Checks supported languages

      • BN2FDA.tmp.exe (PID: 496)

    • Checks proxy server information

      • explorer.exe (PID: 5376)
      • slui.exe (PID: 6740)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5376)

    • Reads the software policy settings

      • slui.exe (PID: 1764)
      • slui.exe (PID: 6740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.6)
.exe | Clipper DOS Executable (19.1)
.exe | Generic Win/DOS Executable (18.9)
.exe | DOS Executable Generic (18.9)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:11:30 21:54:56+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 1.228
CodeSize: 128000
InitializedDataSize: 22016
UninitializedDataSize: -
EntryPoint: 0x1902b
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.0.5.0
ProductVersionNumber: 4.0.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Waves Audio Ltd.
FileVersion: 4.0.5.0
InternalName: MaxxAudioMeters.exe
LegalCopyright: (c) Waves Audio Ltd. All rights reserved.
OriginalFileName: MaxxAudioMeters.exe
ProductName: MaxxAudioMeters
ProductVersion: 4.0.5.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start bn2fda.tmp.exe no specs explorer.exe sppextcomobj.exe no specs slui.exe slui.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
496"C:\Users\admin\AppData\Local\Temp\BN2FDA.tmp.exe" C:\Users\admin\AppData\Local\Temp\BN2FDA.tmp.exeexplorer.exe
User:
admin
Company:
Waves Audio Ltd.
Integrity Level:
MEDIUM
Exit code:
0
Version:
4.0.5.0
Modules
Images
c:\users\admin\appdata\local\temp\bn2fda.tmp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1764"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
5376explorer.exeC:\Windows\SysWOW64\explorer.exe
BN2FDA.tmp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcp_win.dll
6668C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
6740C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
7 428
Read events
7 425
Write events
3
Delete events
0

Modification events

(PID) Process:(5376) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5376) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5376) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
72
TCP/UDP connections
118
DNS requests
18
Threats
174

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5376
explorer.exe
POST
404
49.13.77.253:80
http://withuldsinspar.com/bdk/gate.php
unknown
malicious
5376
explorer.exe
POST
404
49.13.77.253:80
http://withuldsinspar.com/bdk/gate.php
unknown
malicious
5376
explorer.exe
POST
404
49.13.77.253:80
http://withuldsinspar.com/bdk/gate.php
unknown
malicious
5376
explorer.exe
POST
404
49.13.77.253:80
http://withuldsinspar.com/bdk/gate.php
unknown
malicious
5376
explorer.exe
POST
404
49.13.77.253:80
http://withuldsinspar.com/bdk/gate.php
unknown
malicious
5376
explorer.exe
POST
404
49.13.77.253:80
http://withuldsinspar.com/bdk/gate.php
unknown
malicious
5376
explorer.exe
POST
404
49.13.77.253:80
http://withuldsinspar.com/bdk/gate.php
unknown
malicious
5376
explorer.exe
POST
404
49.13.77.253:80
http://withuldsinspar.com/bdk/gate.php
unknown
malicious
5376
explorer.exe
POST
404
49.13.77.253:80
http://withuldsinspar.com/bdk/gate.php
unknown
malicious
5376
explorer.exe
POST
404
49.13.77.253:80
http://withuldsinspar.com/bdk/gate.php
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5376
explorer.exe
49.13.77.253:80
withuldsinspar.com
Hetzner Online GmbH
DE
malicious
5496
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2112
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.142
whitelisted
withuldsinspar.com
  • 49.13.77.253
malicious
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.73
  • 20.190.159.4
  • 40.126.31.71
  • 20.190.159.130
  • 20.190.159.68
  • 20.190.159.64
  • 40.126.31.0
  • 40.126.31.69
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
  • 2a01:111:f100:9001::1761:914d
whitelisted
18.31.95.13.in-addr.arpa
unknown
d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
5376
explorer.exe
A Network Trojan was detected
ET MALWARE Trojan Generic - POST To gate.php with no referer
5376
explorer.exe
A Network Trojan was detected
ET MALWARE Trojan Generic - POST To gate.php with no referer
5376
explorer.exe
Malware Command and Control Activity Detected
ET MALWARE Zbot POST Request to C2
5376
explorer.exe
Malware Command and Control Activity Detected
ET MALWARE Zbot POST Request to C2
5376
explorer.exe
A Network Trojan was detected
ET MALWARE Trojan Generic - POST To gate.php with no referer
5376
explorer.exe
Malware Command and Control Activity Detected
ET MALWARE Zbot POST Request to C2
5376
explorer.exe
A Network Trojan was detected
ET MALWARE Trojan Generic - POST To gate.php with no referer
5376
explorer.exe
Malware Command and Control Activity Detected
ET MALWARE Zbot POST Request to C2
5376
explorer.exe
A Network Trojan was detected
ET MALWARE Trojan Generic - POST To gate.php with no referer
5376
explorer.exe
A Network Trojan was detected
ET MALWARE Trojan Generic - POST To gate.php with no referer
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
BN2FDA.tmp.exe