File name:	2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe
Full analysis:	https://app.any.run/tasks/9e57a5e0-caa4-4f6c-a4ab-9355f78c94b7
Verdict:	Malicious activity
Analysis date:	May 19, 2024, 21:09:54
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	00992FD8D299EE5026503F4AEE06E340
SHA1:	90D3547CFCF202C24644D437FEF9B81E071867E2
SHA256:	2575493220598C4387F938B4254B58E356B13DA101C1F1B7BA98EAD9965E8646
SSDEEP:	1536:okKRJOd/kibf2bR7m+vbODE7hZegUzNVDtXLGCgtIKlL:o/Cdcibf2bRdvSrzlLGtRlL

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

Subsystem:	Windows GUI
SubsystemVersion:	4
ImageVersion:	10
OSVersion:	4
EntryPoint:	0x11d0
UninitializedDataSize:	-
InitializedDataSize:	20480
CodeSize:	61440
LinkerVersion:	7.1
PEType:	PE32
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp:	2003:08:06 18:34:23+00:00
MachineType:	Intel 386 or later, and compatibles


(PID) Process:	(6476) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6476) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6476) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6476) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config\command
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe	Key:	HKEY_CLASSES_ROOT\*
Operation:	write	Name:	QuickTip
Value: prop:Type;Size
(PID) Process:	(6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe	Key:	HKEY_CLASSES_ROOT\*
Operation:	write	Name:	TileInfo
Value: prop:Type;Size

PID	Process	Filename		Type
6476	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V5XQQQ1DZGH2FPHO222U.temp		—
		MD5:—	SHA256:—
7144	CTFMON.EXE	C:\Users\admin\AppData\Local\Temp\~DF295B2BC617E3E2D0.TMP		—
		MD5:—	SHA256:—
6476	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1139d9.TMP		binary
		MD5:D040F64E9E7A2BB91ABCA5613424598E	SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
6892	2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe	C:\Recycled\CTFMON.EXE		executable
		MD5:BB048DE2416F8C8BA00FB585FBA06073	SHA256:A7B88801128426E15ACB2D7BC787301B647E69C14D5CEFF2B7C40ED1B6BEA71F
7048	SVCHOST.EXE	C:\Users\admin\AppData\Local\Temp\~DFE68FAE5F2D44B9AF.TMP		binary
		MD5:E7358D3B3B250A87328EC947A411071D	SHA256:B1E087173C329CABEF353EF74EC9EE71A7C4DC499BA533500CD03113505E847C
6476	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:0803563FB8DAC27D61BDF00031CD6D09	SHA256:C9A1D1E6F6E5CF733029CD4D66772E8C51F73B4E167E4E1C4F850A6F1FBC0581
6892	2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe	C:\Recycled\SVCHOST.EXE		executable
		MD5:2BC3A51D81D651C8716F105CAEC8CB91	SHA256:306B83B65E5808AF1E398E0E78FFD8D007AAB29F46E0CBEE5223A61F8F144D0A
6892	2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe	C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe		executable
		MD5:1E0D349A570E5F0CB9403B2DB3398D10	SHA256:3FAC9EFB91A11063403C05D8A9ED83DB3686C598952D58D8B1BFEE13ED60A3C8
6892	2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe	C:\Recycled\desktop.ini		ini
		MD5:AD0B0B4416F06AF436328A3C12DC491B	SHA256:23521DE51CA1DB2BC7B18E41DE7693542235284667BF85F6C31902547A947416
6476	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lt5o41yu.11o.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4264	svchost.exe	GET	200	23.214.95.215:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
1324	RUXIMICS.exe	GET	200	23.48.10.36:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
5140	MoUsoCoreWorker.exe	GET	200	23.214.95.215:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
5140	MoUsoCoreWorker.exe	GET	200	23.48.10.36:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
1324	RUXIMICS.exe	GET	200	23.214.95.215:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
4264	svchost.exe	GET	200	23.48.10.36:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
4704	WINWORD.EXE	GET	200	52.113.194.132:443	https://ecs.office.com/config/v2/Office/word/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=word&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=winword.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bB9479A2B-457E-4C95-AF00-B26CE521D60E%7d&LabMachine=false	unknown	tss	375 Kb	—
4704	WINWORD.EXE	GET	200	52.111.236.4:443	https://messaging.lifecycle.office.com/getcustommessage16?app=0&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7BB9479A2B-457E-4C95-AF00-B26CE521D60E%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofjhlwlmoc1pz531%22%7D	unknown	text	542 b	—
4704	WINWORD.EXE	GET	200	23.214.95.207:443	https://binaries.templates.cdn.office.net/support/templates/en-us/tp01840907.cab	unknown	compressed	42.6 Kb	—
4704	WINWORD.EXE	GET	200	23.214.95.207:443	https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851217.cab	unknown	compressed	32.8 Kb	—

PID	Process	IP	Domain	ASN	CN	Reputation
4364	svchost.exe	239.255.255.250:1900	—	—	—	unknown
4264	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1324	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5140	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4264	svchost.exe	23.214.95.215:80	crl.microsoft.com	AKAMAI-AS	BR	unknown
1324	RUXIMICS.exe	23.214.95.215:80	crl.microsoft.com	AKAMAI-AS	BR	unknown
5140	MoUsoCoreWorker.exe	23.214.95.215:80	crl.microsoft.com	AKAMAI-AS	BR	unknown
4264	svchost.exe	23.48.10.36:80	www.microsoft.com	Akamai International B.V.	US	unknown
1324	RUXIMICS.exe	23.48.10.36:80	www.microsoft.com	Akamai International B.V.	US	unknown
5140	MoUsoCoreWorker.exe	23.48.10.36:80	www.microsoft.com	Akamai International B.V.	US	unknown

Domain	IP	Reputation
crl.microsoft.com	23.214.95.215 23.214.95.196	whitelisted
www.microsoft.com	23.48.10.36	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
officeclient.microsoft.com	52.109.32.97	whitelisted
omex.cdn.office.net	23.214.95.215 23.214.95.213	whitelisted
ecs.office.com	52.113.194.132	whitelisted
messaging.lifecycle.office.com	52.111.236.4	whitelisted
self.events.data.microsoft.com	20.189.173.1 52.168.117.168	whitelisted
metadata.templates.cdn.office.net	23.212.62.219 23.212.62.204	unknown
binaries.templates.cdn.office.net	23.214.95.207 23.214.95.200	whitelisted

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe

00992FD8D299EE5026503F4AEE06E340

90D3547CFCF202C24644D437FEF9B81E071867E2

2575493220598C4387F938B4254B58E356B13DA101C1F1B7BA98EAD9965E8646

1536:okKRJOd/kibf2bR7m+vbODE7hZegUzNVDtXLGCgtIKlL:o/Cdcibf2bRdvSrzlLGtRlL

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes appearance of the Explorer extensions

Changes the login/logoff helper path in the registry

SUSPICIOUS

Starts a Microsoft application from unusual location

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Write to the desktop.ini file (may be used to cloak folders)

Starts itself from another location

Application launched itself

Reads the date of Windows installation

Process requests binary or script from the Internet

Reads security settings of Internet Explorer

INFO

Checks supported languages

Create files in a temporary directory

Creates files in the program directory

Reads the computer name

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings