File name: BNE80.tmp.exe

Full analysis: https://app.any.run/tasks/2a4a8c9d-dccc-4a11-9716-f984855224f9
Verdict: Malicious activity
Analysis date: April 29, 2025, 10:42:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 6DC3D05CA2705275032578FE5D71A1AF
SHA1: 722B32DEA2F6C59633F5E2D6EC24CF0FF4416B56
SHA256: 2798928B07527108872BDE33079BE1F6A712FDFCD73316798B6725F922A91169
SSDEEP: 3072:Zz1C5NyqIfucwPNqk8jeM/FgQtMy56JirRWzmQM1RjSUtT6:R1YNyqIfucwP7MJ+/JOWzmL1V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Connects to the CnC server

      • explorer.exe (PID: 7472)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • explorer.exe (PID: 7472)
    • Contacting a server suspected of hosting a CnC

      • explorer.exe (PID: 7472)
  • INFO

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 7472)
    • The sample was compiled with English language support

      • BNE80.tmp.exe (PID: 7452)
    • Checks supported languages

      • BNE80.tmp.exe (PID: 7452)
    • Checks proxy server information

      • explorer.exe (PID: 7472)
      • slui.exe (PID: 7268)
    • Reads the software policy settings

      • slui.exe (PID: 7592)
      • slui.exe (PID: 7268)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD (file type identification, confidence in %)

.exe | Win32 Executable (generic) (42.6)
.exe | Clipper DOS Executable (19.1)
.exe | Generic Win/DOS Executable (18.9)
.exe | DOS Executable Generic (18.9)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:12:31 01:25:48+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 111616
InitializedDataSize: 62976
UninitializedDataSize: -
EntryPoint: 0x93fa
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.0.5.0
ProductVersionNumber: 4.0.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Waves Audio Ltd.
FileVersion: 4.0.5.0
InternalName: MaxxAudioMeters.exe
LegalCopyright: (c) Waves Audio Ltd. All rights reserved.
OriginalFileName: MaxxAudioMeters.exe
ProductName: MaxxAudioMeters
ProductVersion: 4.0.5.0
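The version resource above (CompanyName "Waves Audio Ltd.", OriginalFileName MaxxAudioMeters.exe) is a string table that any binary can carry, so the header fields in this block are the more useful part of it. The parser below is an added example, not part of the ANY.RUN report: it reads the same COFF and optional-header fields (timestamp, characteristics, linker version, sizes, entry point, OS and subsystem versions, section count) from a PE32 file using only the Python standard library. Because the sample itself is not on this page, `build_sample_header()` constructs a minimal header carrying the report's values; that constructed blob and the flag names are the assumptions here. Note that the link timestamp is written by the linker and is attacker-controlled, so the 2016 value is a data point, not proof of a build date.

```python
"""Minimal PE32 header parser (added example; not part of the ANY.RUN report).

Reads the COFF and optional-header fields that the report's EXIF block lists,
using only the standard library. build_sample_header() returns a constructed
header that carries the report's values; it is not data from BNE80.tmp.exe.
"""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* characteristic bits, named the way exiftool prints them.
CHARACTERISTICS = {
    0x0001: "No relocs",
    0x0002: "Executable",
    0x0004: "No line numbers",
    0x0008: "No symbols",
    0x0020: "Large address aware",
    0x0100: "32-bit",
    0x2000: "DLL",
}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD64"}


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> PE32 optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     _opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic, link_major, link_minor, code_size, init_size, uninit_size,
     entry_point, _base_of_code) = struct.unpack_from("<HBBIIIII", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here; PE32+ shifts the offsets")
    # PE32: BaseOfData, ImageBase, SectionAlignment, FileAlignment occupy
    # offsets 24..39 of the optional header; the version words start at 40.
    os_major, os_minor, img_major, img_minor, ss_major, ss_minor = \
        struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    flags = [name for bit, name in sorted(CHARACTERISTICS.items()) if characteristics & bit]
    return {
        "MachineType": MACHINES.get(machine, hex(machine)),
        "Sections": nsections,
        "TimeStamp": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "ImageFileCharacteristics": ", ".join(flags),
        "LinkerVersion": f"{link_major}.{link_minor}",
        "CodeSize": code_size,
        "InitializedDataSize": init_size,
        "UninitializedDataSize": uninit_size,
        "EntryPoint": hex(entry_point),
        "OSVersion": f"{os_major}.{os_minor}",
        "ImageVersion": f"{img_major}.{img_minor}",
        "SubsystemVersion": f"{ss_major}.{ss_minor}",
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def build_sample_header() -> bytes:
    """Constructed PE32 header with the values shown in the report's EXIF block."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE header follows the DOS header
    # Machine i386, 5 sections, 2016-12-31 01:25:48 UTC, opt header 224 bytes, flags 0x010F
    coff = struct.pack("<HHIIIHH", 0x14C, 5, 1483147548, 0, 0, 224, 0x010F)
    opt = bytearray(224)                             # PE32 optional header size
    struct.pack_into("<HBBIIIII", opt, 0, 0x10B, 6, 0, 111616, 62976, 0, 0x93FA, 0x1000)
    struct.pack_into("<HHHHHH", opt, 40, 4, 0, 0, 0, 4, 0)   # OS 4.0, Image 0.0, Subsystem 4.0
    struct.pack_into("<H", opt, 68, 2)               # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    for key, value in parse_pe(blob).items():
        print(f"{key}: {value}")
```

Run it with a file path to parse a real PE32; with no argument it parses the constructed header and prints the same values the EXIF block shows. The parser deliberately stops at PE32: a PE32+ (64-bit) image has a 0x20B magic and a wider ImageBase, which moves every offset after it.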
No data.
Screenshots: all screenshots are available in the full report
Total processes: 145
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph ("no specs" marks a process with no indicators of its own): bne80.tmp.exe (no specs), explorer.exe, sppextcomobj.exe (no specs), slui.exe, slui.exe, ucpdmgr.exe (no specs), conhost.exe (no specs), ucpdmgr.exe (no specs), conhost.exe (no specs), svchost.exe

Process information

Each process entry lists PID, CMD, Path and Parent process (the report's Indicators column is empty for every row), followed by the process details and loaded modules.

PID: 1188
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: UCPDMgr.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 6112
CMD: "C:\WINDOWS\system32\UCPDMgr.exe"
Path: C:\Windows\System32\UCPDMgr.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
User Choice Protection Manager
Exit code:
0
Version:
1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6148
CMD: "C:\WINDOWS\system32\UCPDMgr.exe"
Path: C:\Windows\System32\UCPDMgr.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
User Choice Protection Manager
Exit code:
0
Version:
1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6540
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: UCPDMgr.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7268
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7452
CMD: "C:\Users\admin\AppData\Local\Temp\BNE80.tmp.exe"
Path: C:\Users\admin\AppData\Local\Temp\BNE80.tmp.exe
Parent process: explorer.exe
User:
admin
Company:
Waves Audio Ltd.
Integrity Level:
MEDIUM
Exit code:
0
Version:
4.0.5.0
Modules
Images
c:\users\admin\appdata\local\temp\bne80.tmp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7472
CMD: explorer.exe
Path: C:\Windows\SysWOW64\explorer.exe
Parent process: BNE80.tmp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcp_win.dll
PID: 7560
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 7592
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
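The process table shows the chain that matters: BNE80.tmp.exe (PID 7452, running from the user's Temp directory) starts C:\Windows\SysWOW64\explorer.exe (PID 7472), and that explorer.exe, not the dropper, is the process carrying the CnC indicators and the network traffic further down. A 32-bit explorer.exe whose parent is a Temp-directory binary is a simple parent/child anomaly to hunt for. The check below is an added example, not ANY.RUN code: it runs three such rules over constructed process-creation records that use Sysmon Event ID 1 field names (ProcessId, Image, ParentImage) and reproduce the report's PIDs and paths. The full path C:\Windows\explorer.exe for the parent of PID 7452 is an assumption; the report names only explorer.exe.

```python
"""Parent/child anomaly check for the process chain in the report (added example, not ANY.RUN code)."""
from pathlib import PureWindowsPath

# Parents from which the desktop shell explorer.exe is normally started.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}


def _name(path):
    return PureWindowsPath(path).name.lower()


def _dirs(path):
    """Lower-cased directory components, e.g. ['c:\\', 'users', 'admin', 'appdata', ...]."""
    return [p.lower() for p in PureWindowsPath(path).parts[:-1]]


def triage_process_events(events):
    """Return (pid, rule, detail) for each rule that fires on a process-creation record.

    Records use Sysmon Event ID 1 field names: ProcessId, Image, ParentImage.
    """
    findings = []
    for ev in events:
        image, parent = _name(ev["Image"]), _name(ev["ParentImage"])
        image_dirs, parent_dirs = _dirs(ev["Image"]), _dirs(ev["ParentImage"])
        # Rule 1: explorer.exe started by something other than the logon chain or itself.
        if image == "explorer.exe" and parent not in EXPECTED_EXPLORER_PARENTS:
            findings.append((ev["ProcessId"], "explorer_unexpected_parent", ev["ParentImage"]))
        # Rule 2: 32-bit explorer.exe from SysWOW64 on a 64-bit host (the real shell is the 64-bit one).
        if image == "explorer.exe" and "syswow64" in image_dirs:
            findings.append((ev["ProcessId"], "explorer_from_syswow64", ev["Image"]))
        # Rule 3: the parent executes from a user Temp directory (AppData\Local\Temp).
        if "appdata" in parent_dirs and "temp" in parent_dirs:
            findings.append((ev["ProcessId"], "parent_in_user_temp", ev["ParentImage"]))
    return findings


# Constructed records mirroring the report's process table (PIDs 7452, 7472, 7268)
# plus one normal shell start. The parent path of PID 7452 is assumed; the report
# names only "explorer.exe".
SAMPLE_EVENTS = [
    {"ProcessId": 1000, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"ProcessId": 7452, "Image": r"C:\Users\admin\AppData\Local\Temp\BNE80.tmp.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 7472, "Image": r"C:\Windows\SysWOW64\explorer.exe",
     "ParentImage": r"C:\Users\admin\AppData\Local\Temp\BNE80.tmp.exe"},
    {"ProcessId": 7268, "Image": r"C:\Windows\System32\slui.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]


def flagged_pids(events=SAMPLE_EVENTS):
    """PIDs with at least one finding, mapped to the rules that fired, in rule order."""
    out = {}
    for pid, rule, _detail in triage_process_events(events):
        out.setdefault(pid, []).append(rule)
    return out


if __name__ == "__main__":
    for pid, rule, detail in triage_process_events(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule} ({detail})")
```

Only PID 7472 fires, on all three rules; the dropper itself (PID 7452) is clean by these rules because a user double-clicking a file in Temp from the real shell looks identical. Rule 3 will also fire on legitimate installers that unpack to Temp and spawn helpers, so treat it as a triage signal that raises the priority of the other two rather than a block-worthy alert on its own.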
Total events: 7 502
Read events: 7 499
Write events: 3
Delete events: 0

Modification events

(PID) Process: (7472) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (7472) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7472) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 72
TCP/UDP connections: 136
DNS requests: 20
Threats: 162

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN / Type / Size | Reputation
7472 | explorer.exe | POST | 404 | 49.13.77.253:80 | http://taltorsletfor.com/bdk/gate.php | unknown | malicious

The report lists this same request 10 times; every POST to gate.php was answered with a 404. The report shows a single value, "unknown", across the CN, Type and Size columns, so those are kept together here.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7472 | explorer.exe | 49.13.77.253:80 | taltorsletfor.com | Hetzner Online GmbH | DE | malicious
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2112 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
8084 | SIHClient.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

(A "-" marks a cell the report leaves empty.)

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
google.com | 142.250.185.78 | whitelisted
taltorsletfor.com | 49.13.77.253 | malicious
client.wns.windows.com | 172.211.123.249 | whitelisted
login.live.com | 20.190.159.64, 20.190.159.75, 20.190.159.4, 40.126.31.2, 20.190.159.71, 40.126.31.131, 20.190.159.0, 20.190.159.130 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15, 2603:1030:800:5::bfee:a08d | whitelisted
15.164.165.52.in-addr.arpa | (no answer listed) | unknown
d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | (no answer listed) | unknown
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

The two "unknown" entries are reverse (PTR) lookups of the two fe3cr.delivery.mp.microsoft.com addresses above them, not additional contacted hosts.

Threats

The PID and Process columns are empty for every row in the report; the rows are listed in the report's order.

Class | Message
A Network Trojan was detected | ET MALWARE Trojan Generic - POST To gate.php with no referer
A Network Trojan was detected | ET MALWARE Trojan Generic - POST To gate.php with no referer
Malware Command and Control Activity Detected | ET MALWARE Zbot POST Request to C2
Malware Command and Control Activity Detected | ET MALWARE Zbot POST Request to C2
A Network Trojan was detected | ET MALWARE Trojan Generic - POST To gate.php with no referer
Malware Command and Control Activity Detected | ET MALWARE Zbot POST Request to C2
A Network Trojan was detected | ET MALWARE Trojan Generic - POST To gate.php with no referer
Malware Command and Control Activity Detected | ET MALWARE Zbot POST Request to C2
A Network Trojan was detected | ET MALWARE Trojan Generic - POST To gate.php with no referer
A Network Trojan was detected | ET MALWARE Trojan Generic - POST To gate.php with no referer
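Both alert messages describe the same traffic: explorer.exe (PID 7472) POSTing to http://taltorsletfor.com/bdk/gate.php without a Referer header. The function below is an added example, not ANY.RUN's or Emerging Threats' code and not the text of those rules: it re-implements the condition the first alert names (POST to a gate.php path with no Referer) over raw HTTP requests, and separately matches the domain and IP taken from the HTTP, Connections and DNS tables, so the same logic can be run over a PCAP export or a proxy log. The three requests in SAMPLE_REQUESTS are constructed for the demo (the report does not show the POST bodies); the second and third are there to show what does not fire: a plain GET, and a gate.php POST that carries a Referer to a host outside the indicator set.

```python
"""Detection check for the HTTP C2 pattern in the report (added example, not ANY.RUN code).

Re-implements in plain Python the condition named by the alert above: a POST to a
path ending in /gate.php that carries no Referer header, plus a match against the
C2 indicators from the report's network section. The requests in SAMPLE_REQUESTS
are constructed for the demo; the real POST bodies are not shown in the report.
"""
from urllib.parse import urlsplit

# Indicators taken from the report's HTTP / Connections / DNS tables.
C2_IOCS = {"taltorsletfor.com", "49.13.77.253"}


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return method, target, headers, body


def inspect_request(raw: bytes, dst_ip: str):
    """Return the rule ids that fire for one request sent to dst_ip."""
    method, target, headers, _body = parse_http_request(raw)
    host = headers.get("host", "").split(":")[0].lower()
    # Accept both origin-form ("/bdk/gate.php") and absolute-form (proxy-style) targets.
    path = urlsplit(target).path if target.lower().startswith("http") else target.split("?", 1)[0]
    hits = []
    if method == "POST" and path.lower().endswith("/gate.php") and "referer" not in headers:
        hits.append("gate_php_post_no_referer")
    if host in C2_IOCS or dst_ip in C2_IOCS:
        hits.append("c2_ioc_match")
    return hits


# Constructed (dst_ip, raw request) pairs. The first mirrors the report's check-in;
# its 4-byte body is a placeholder, not captured data.
SAMPLE_REQUESTS = [
    ("49.13.77.253",
     b"POST /bdk/gate.php HTTP/1.1\r\nHost: taltorsletfor.com\r\n"
     b"Content-Type: application/octet-stream\r\nContent-Length: 4\r\n\r\n\x01\x02\x03\x04"),
    ("142.250.185.78",
     b"GET / HTTP/1.1\r\nHost: google.com\r\n\r\n"),
    ("203.0.113.10",
     b"POST /shop/gate.php HTTP/1.1\r\nHost: example.org\r\n"
     b"Referer: http://example.org/shop/\r\nContent-Length: 0\r\n\r\n"),
]


def scan(requests=SAMPLE_REQUESTS):
    """Return {index: rule ids} for every request that triggered at least one rule."""
    results = {}
    for i, (dst_ip, raw) in enumerate(requests):
        hits = inspect_request(raw, dst_ip)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for i, hits in scan().items():
        print(f"request {i}: {', '.join(hits)}")
```

The generic gate.php rule is a heuristic: the path and the missing Referer are cheap for an operator to change, which is why the indicator match is kept as a separate rule that survives a renamed gateway, and why a real deployment would pair both with the Zbot POST-body checks this script does not attempt. The 404 responses in the HTTP table do not affect these checks, which look only at the request.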
No debug info