File name: 3e23201e6c52470e73a92af2ded12e6a5d1ad39538f41e762ca1c4b8d93c6d8d

Full analysis: https://app.any.run/tasks/457a0f25-c495-4215-bc43-7adcbf989b7c
Verdict: Malicious activity
Analysis date: November 06, 2023, 13:14:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 23AE20329174D44EBC8DBFA9891C6260
SHA1: 49ACBA812894444C634B034962D46F986E0257CF
SHA256: 3E23201E6C52470E73A92AF2DED12E6A5D1AD39538F41E762CA1C4B8D93C6D8D
SSDEEP: 6144:NSQRZorUfMaWCTHEvvm3F38kvIJUk1OxeLpR6bBp/dY:NSQRZdfMadHEIy6ndY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 3e23201e6c52470e73a92af2ded12e6a5d1ad39538f41e762ca1c4b8d93c6d8d.exe (PID: 3212)
    • Runs injected code in another process

      • 3e23201e6c52470e73a92af2ded12e6a5d1ad39538f41e762ca1c4b8d93c6d8d.exe (PID: 3212)
    • Creates a writable file in the system directory

      • sysprep.exe (PID: 3668)
      • dllhost.exe (PID: 3496)
    • Application was injected by another process

      • explorer.exe (PID: 1388)
  • SUSPICIOUS

    • Starts CMD.EXE for command execution

      • explorer.exe (PID: 1388)
    • Drops a system driver (possible attempt to evade defenses)

      • 3e23201e6c52470e73a92af2ded12e6a5d1ad39538f41e762ca1c4b8d93c6d8d.exe (PID: 3212)
      • sysprep.exe (PID: 3668)
  • INFO

    • The executable file from the user directory is run by the CMD process

      • 3e23201e6c52470e73a92af2ded12e6a5d1ad39538f41e762ca1c4b8d93c6d8d.exe (PID: 3212)
    • Checks supported languages

      • 3e23201e6c52470e73a92af2ded12e6a5d1ad39538f41e762ca1c4b8d93c6d8d.exe (PID: 3212)
      • wmpnscfg.exe (PID: 3832)
    • Checks transactions between Windows and Oracle databases

      • explorer.exe (PID: 1388)
    • Creates files in a temporary directory

      • 3e23201e6c52470e73a92af2ded12e6a5d1ad39538f41e762ca1c4b8d93c6d8d.exe (PID: 3212)
    • Manual execution by a user

      • sysprep.exe (PID: 3612)
      • sysprep.exe (PID: 3668)
    • Drops the executable file immediately after the start

      • dllhost.exe (PID: 3496)
      • sysprep.exe (PID: 3668)
    • Reads the Internet Settings

      • explorer.exe (PID: 1388)
    • Creates files in the driver directory

      • sysprep.exe (PID: 3668)
    • Checks proxy server information

      • explorer.exe (PID: 1388)
    • Reads the computer name

      • wmpnscfg.exe (PID: 3832)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 3832)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:02:21 10:17:42+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 30208
InitializedDataSize: 20992
UninitializedDataSize: -
EntryPoint: 0x2a23
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Graph nodes: start, inject, cmd.exe (no specs), 3e23201e6c52470e73a92af2ded12e6a5d1ad39538f41e762ca1c4b8d93c6d8d.exe (no specs), Copy/Move/Rename/Delete/Link Object (no specs), sysprep.exe (no specs), sysprep.exe, explorer.exe, wmpnscfg.exe (no specs)

Process information

PID: 1388
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3212
CMD: C:\Users\admin\AppData\Local\Temp\3e23201e6c52470e73a92af2ded12e6a5d1ad39538f41e762ca1c4b8d93c6d8d.exe
Path: C:\Users\admin\AppData\Local\Temp\3e23201e6c52470e73a92af2ded12e6a5d1ad39538f41e762ca1c4b8d93c6d8d.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\users\admin\appdata\local\temp\3e23201e6c52470e73a92af2ded12e6a5d1ad39538f41e762ca1c4b8d93c6d8d.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
PID: 3416
CMD: "C:\Windows\System32\cmd.exe" /k C:\Users\admin\AppData\Local\Temp\3e23201e6c52470e73a92af2ded12e6a5d1ad39538f41e762ca1c4b8d93c6d8d.exe
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3496
CMD: C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3612
CMD: "C:\Windows\System32\sysprep\sysprep.exe" C:\Users\admin\AppData\Local\Temp\fsflt.sys C:\Users\admin\AppData\Local\Temp\dnscli1.dll
Path: C:\Windows\System32\sysprep\sysprep.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: System Preparation Tool
Exit code: 3221226540
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\sysprep\sysprep.exe
c:\windows\system32\ntdll.dll
PID: 3668
CMD: "C:\Windows\System32\sysprep\sysprep.exe" C:\Users\admin\AppData\Local\Temp\fsflt.sys C:\Users\admin\AppData\Local\Temp\dnscli1.dll
Path: C:\Windows\System32\sysprep\sysprep.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: System Preparation Tool
Exit code: 4294967227
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\sysprep\sysprep.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3832
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events: 305
Read events: 283
Write events: 19
Delete events: 3

Modification events

(PID) Process: (1388) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value:
(PID) Process: (1388) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1388) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1388) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (1388) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 4600000059010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1388) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write
Name: WpadDecisionReason
Value: 1

(PID) Process: (1388) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write
Name: WpadDecisionTime
Value: 926BB327B310DA01

(PID) Process: (1388) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write
Name: WpadDecision
Value: 0

(PID) Process: (1388) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write
Name: WpadNetworkName
Value: Network 3

(PID) Process: (1388) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
Operation: write
Name: WpadDecisionReason
Value: 1
Executable files: 6
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3212 | 3e23201e6c52470e73a92af2ded12e6a5d1ad39538f41e762ca1c4b8d93c6d8d.exe | C:\Users\admin\AppData\Local\Temp\dnscli1.dll | executable
MD5: D70F4E9D55698F69C5F63B1A2E1507EB
SHA256: 471FBDC52B501DFE6275A32F89A8A6B02A2AA9A0E70937F5DE610B4185334668

3212 | 3e23201e6c52470e73a92af2ded12e6a5d1ad39538f41e762ca1c4b8d93c6d8d.exe | C:\Users\admin\AppData\Local\Temp\fsflt.sys | executable
MD5: A0F212FD0F103CA8BEAF8362F74903A2
SHA256: A50CB9CE1F01EA335C95870484903734BA9CD732E7B3DB16CD962878BAC3A767

3668 | sysprep.exe | C:\Windows\System32\sysprep\Panther\diagerr.xml | text
MD5: D1E75542EC8D1B4851765A57AC63618E
SHA256: 6C06BF950D0FE3476E020CD363EC0C8C9D4EE0FC89A24C50780C44E6453995C6

3668 | sysprep.exe | C:\Windows\System32\sysprep\Panther\setupact.log | text
MD5: C7E8166F4E2BABD40E9EEAA07945213E
SHA256: 20C1D25C97DD32BA942BFB49D70CA5E81DE7078BD939A1C78267170460B04099

3668 | sysprep.exe | C:\Windows\system32\mypathcom\dnscli1.dll | executable
MD5: D70F4E9D55698F69C5F63B1A2E1507EB
SHA256: 471FBDC52B501DFE6275A32F89A8A6B02A2AA9A0E70937F5DE610B4185334668

3668 | sysprep.exe | C:\Windows\system32\drivers\FsFlt.sys | executable
MD5: A0F212FD0F103CA8BEAF8362F74903A2
SHA256: A50CB9CE1F01EA335C95870484903734BA9CD732E7B3DB16CD962878BAC3A767

3668 | sysprep.exe | C:\Windows\System32\sysprep\Panther\diagwrn.xml | text
MD5: D1E75542EC8D1B4851765A57AC63618E
SHA256: 6C06BF950D0FE3476E020CD363EC0C8C9D4EE0FC89A24C50780C44E6453995C6

3212 | 3e23201e6c52470e73a92af2ded12e6a5d1ad39538f41e762ca1c4b8d93c6d8d.exe | C:\Users\admin\AppData\Local\Temp\dnshlp.dll | executable
MD5: 47C8EE205967108053582560930AE65C
SHA256: 34BA2FD9C20C1A862E52F518FEFC13588466BA8651FA0A5867F0169F047A487A

3496 | dllhost.exe | C:\Windows\System32\sysprep\CRYPTBASE.dll | executable
MD5: 47C8EE205967108053582560930AE65C
SHA256: 34BA2FD9C20C1A862E52F518FEFC13588466BA8651FA0A5867F0169F047A487A
Download the PCAP and analyze network streams, HTTP content and more in the full report
HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2588 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1388 | explorer.exe | 52.45.178.122:80 | intelmeserver.com | AMAZON-AES | US | unknown

DNS requests

Domain | IP | Reputation
intelmeserver.com | 52.45.178.122 | unknown

Threats

No threats detected
No debug info