File name: i-BMTMDMv1.4.exe

Full analysis: https://app.any.run/tasks/b67aee19-f62f-4000-a999-a581636b6c12
Verdict: Malicious activity
Analysis date: March 17, 2025, 02:07:25
OS: Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 7203C703FF0E363665678A8B48CE6BC1
SHA1: BB7EDC979670C64531EF44CA68000763E2EFFB2E
SHA256: 2A58FD33F333FD7E161D3B475032C19EA3BAA6D87F1B016869F8F91A6EF48A7A
SSDEEP: 393216:gJmL4ZSW68mbpoHP9cZGmcvcm2uW+xhxb12TYEr7rv:om8ZBrDmcvJdjhxx2Nr7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • i-BMTMDMv1.4.exe (PID: 4480)
    • Executable content was dropped or overwritten

      • i-BMTMDMv1.4.exe (PID: 4480)
    • Process drops legitimate windows executable

      • i-BMTMDMv1.4.exe (PID: 4480)
    • Reads security settings of Internet Explorer

      • i-BMTMDMv1.4.exe (PID: 4480)
      • i-BMT MDM.exe (PID: 5948)
    • Reads the Internet Settings

      • i-BMTMDMv1.4.exe (PID: 4480)
      • i-BMT MDM.exe (PID: 5948)
    • Reads settings of System Certificates

      • i-BMT MDM.exe (PID: 5948)
    • There is functionality for taking screenshot (YARA)

      • i-BMT MDM.exe (PID: 5948)
  • INFO

    • Creates files in the program directory

      • i-BMTMDMv1.4.exe (PID: 4480)
    • Reads the computer name

      • i-BMTMDMv1.4.exe (PID: 4480)
      • i-BMT MDM.exe (PID: 5948)
    • The sample was compiled with English language support

      • i-BMTMDMv1.4.exe (PID: 4480)
    • Checks supported languages

      • i-BMTMDMv1.4.exe (PID: 4480)
      • i-BMT MDM.exe (PID: 5948)
      • ideviceinfo.exe (PID: 5928)
    • Reads the machine GUID from the registry

      • i-BMT MDM.exe (PID: 5948)
    • Disables trace logs

      • i-BMT MDM.exe (PID: 5948)
    • Checks proxy server information

      • i-BMT MDM.exe (PID: 5948)
    • Reads the software policy settings

      • i-BMT MDM.exe (PID: 5948)
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (57.2)
.exe | Win32 Executable (generic) (18.2)
.exe | Win16/32 Executable Delphi generic (8.3)
.exe | Generic Win/DOS Executable (8)
.exe | DOS Executable Generic (8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 107520
InitializedDataSize: 285184
UninitializedDataSize: -
EntryPoint: 0x1a238
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.4.0.0
ProductVersionNumber: 1.4.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: bmtmdm
FileVersion: 1.4.0.0
InternalName: i-BMT MDM.exe
LegalCopyright: Copyright © 2024
LegalTrademarks: -
OriginalFileName: i-BMT MDM.exe
ProductName: bmtmdm
ProductVersion: 1.4.0.0
AssemblyVersion: 1.4.0.0
All screenshots are available in the full report
Total processes: 104
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Graph nodes (interactive process graph not reproduced here): start, i-bmtmdmv1.4.exe, i-bmt mdm.exe, ideviceinfo.exe (no specs), conhost.exe (no specs), i-bmtmdmv1.4.exe (no specs)

Process information

PID: 444
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Indicators: -
Parent process: ideviceinfo.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

PID: 1076
CMD: "C:\Users\admin\Desktop\i-BMTMDMv1.4.exe"
Path: C:\Users\admin\Desktop\i-BMTMDMv1.4.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: bmtmdm
Exit code: 3221226540
Version: 1.4.0.0
Modules (Images):
c:\users\admin\desktop\i-bmtmdmv1.4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 4480
CMD: "C:\Users\admin\Desktop\i-BMTMDMv1.4.exe"
Path: C:\Users\admin\Desktop\i-BMTMDMv1.4.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: bmtmdm
Version: 1.4.0.0
Modules (Images):
c:\users\admin\desktop\i-bmtmdmv1.4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll

PID: 5928
CMD: "C:\ProgramData\43f7cc1d/files/ideviceinfo.exe"
Path: C:\ProgramData\43f7cc1d\files\ideviceinfo.exe
Indicators: -
Parent process: i-BMT MDM.exe
User: admin
Integrity Level: HIGH
Exit code: 4294967295
Modules (Images):
c:\programdata\43f7cc1d\files\ideviceinfo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\programdata\43f7cc1d\files\imobiledevice.dll
c:\programdata\43f7cc1d\files\getopt.dll
c:\programdata\43f7cc1d\files\plist.dll
c:\programdata\43f7cc1d\files\vcruntime140.dll

PID: 5948
CMD: "C:\ProgramData\43f7cc1d\i-BMT MDM.exe"
Path: C:\ProgramData\43f7cc1d\i-BMT MDM.exe
Indicators: -
Parent process: i-BMTMDMv1.4.exe
User: admin
Integrity Level: HIGH
Description: bmtmdm
Version: 1.4.0.0
Modules (Images):
c:\programdata\43f7cc1d\i-bmt mdm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
Total events: 4 104
Read events: 4 074
Write events: 30
Delete events: 0

Modification events

(PID) Process: (4480) i-BMTMDMv1.4.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (4480) i-BMTMDMv1.4.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (4480) i-BMTMDMv1.4.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (4480) i-BMTMDMv1.4.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (5948) i-BMT MDM.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\i-BMT MDM_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (5948) i-BMT MDM.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\i-BMT MDM_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (5948) i-BMT MDM.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\i-BMT MDM_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (5948) i-BMT MDM.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\i-BMT MDM_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (5948) i-BMT MDM.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\i-BMT MDM_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (5948) i-BMT MDM.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\i-BMT MDM_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576
Executable files: 136
Suspicious files: 11
Text files: 7
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4480 | i-BMTMDMv1.4.exe | C:\ProgramData\43f7cc1d\EasyHttp.dll | executable | B9565595F5CFA8252113045EE58C6C23 | 8B58D6316D584CAAC75A6E42D8FE10EDD487BE65660BE3EC5AD052AC466D0264
4480 | i-BMTMDMv1.4.exe | C:\ProgramData\43f7cc1d\files\bz2.dll | executable | 4811FFA767191513A35B889E3B162241 | 65EA387636C06133B02E3F6B9C776FEB2DA851C89D6796CFA172C79BC43DF319
4480 | i-BMTMDMv1.4.exe | C:\ProgramData\43f7cc1d\files\com.apple.purplebuddy.plist | binary | 1EBD827269728E15CAEA34A2BCE762EA | C43157470B15963125473A5F2A3F17972332320A7912EBF6C0664EB732E4B8AD
4480 | i-BMTMDMv1.4.exe | C:\ProgramData\43f7cc1d\files\bash.exe | executable | 32275787C7C51D2310B8FE2FACF2A935 | 744343E01351BA92E365B7E24EEDD4ED18ED3EBE26E68C69D9B5E324FE64A1B5
4480 | i-BMTMDMv1.4.exe | C:\ProgramData\43f7cc1d\files\awk.exe | executable | 850A4DEE8799BC92FC454AA7EB75B926 | 6DAD72258006DC40A68C8C4B3841387198071CB833E843E01BCFA7FED72A0766
4480 | i-BMTMDMv1.4.exe | C:\ProgramData\43f7cc1d\files\cat.exe | executable | B3B5C6023C35EFBC288C13C125DD6ADA | 3BAE261D556F4B89C4883B07F9F9632A6495FBFDFFA507C1326007E77C20D9BB
4480 | i-BMTMDMv1.4.exe | C:\ProgramData\43f7cc1d\files\getopt.dll | executable | F37A855C8608F79C192A11FAC7BB1683 | 77191BF2E4640204FCC363896220B2EF81BFF27D15DDCCE39C54B65392382FCE
4480 | i-BMTMDMv1.4.exe | C:\ProgramData\43f7cc1d\files\BMT | binary | 334A76C2015BDFD3952D68800C95C790 | F0B9690E24FA67BBC3888EAA75E43E5EC30B540DAC30E986BC36F7CA0586D4BC
4480 | i-BMTMDMv1.4.exe | C:\ProgramData\43f7cc1d\files\grep.exe | executable | F24BC2D00BF6E890DEC9F601C54A3852 | 85FBE3AB7224873AA4C96021E64DA95960D84747601D97CBC56C68ECA18E9F82
4480 | i-BMTMDMv1.4.exe | C:\ProgramData\43f7cc1d\files\ideviceactivation.exe | executable | AD1A92967E35AA1FB65FAC73F7FC0C7E | 7F2B6A2302F6EC1397F1DB78EBDDF3767B56C78096BB9971B4B5E896BF7A210A
HTTP(S) requests: 17
TCP/UDP connections: 18
DNS requests: 13
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2412 | MoUsoCoreWorker.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?09a568330712e269 | unknown | - | - | whitelisted
- | - | GET | 200 | 88.221.110.147:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | - | - | whitelisted
- | - | HEAD | 200 | 23.212.222.21:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | - | - | -
2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?2efe063e74f19306 | unknown | - | - | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?95ffe5009287b7a1 | unknown | - | - | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?15028c5fe99424fd | unknown | - | - | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?c3dcf37796d7e1e6 | unknown | - | - | whitelisted
- | - | GET | 200 | 23.212.222.21:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | binary | 55 b | whitelisted
- | - | POST | 200 | 40.126.31.71:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | GET | 200 | 88.223.84.190:443 | https://reseller.bmt-pro.com/api/update_mdm.php?versi=2202 | unknown | text | 10 b | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 52.109.32.97:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
- | - | 88.221.110.147:80 | - | Akamai International B.V. | DE | unknown
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2412 | MoUsoCoreWorker.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted
3640 | svchost.exe | 20.190.160.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2864 | smartscreen.exe | 4.175.223.124:443 | checkappexec.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1696 | svchost.exe | 23.60.203.209:443 | fs.microsoft.com | AKAMAI-AS | DE | whitelisted
5948 | i-BMT MDM.exe | 88.223.84.190:443 | reseller.bmt-pro.com | UAB INIT | LT | unknown
5948 | i-BMT MDM.exe | 184.31.84.172:443 | statici.icloud.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
officeclient.microsoft.com
  • 52.109.32.97
whitelisted
google.com
  • 142.250.185.78
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
login.live.com
whitelisted
checkappexec.microsoft.com
  • 4.175.223.124
whitelisted
fs.microsoft.com
  • 23.60.203.209
whitelisted
reseller.bmt-pro.com
  • 88.223.84.190
unknown
statici.icloud.com
  • 184.31.84.172
whitelisted
www.apple.com
  • 23.192.152.196
whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Microsoft Connection Test
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method