File name:

41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e

Full analysis: https://app.any.run/tasks/29b06d4a-0e9e-4121-bffc-2df978c701c3
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various types of programs, each focused on its own kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: December 14, 2024, 11:18:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

AE4480B56F9D73EB8C56869426E7683B

SHA1:

BAF1B253DE7F436E4606A5BA2179C8EDC212177D

SHA256:

41DE8EF61C5A21D20A5482C02FBC2F531EEC0B22D306CC7EBFA1411F0A7ECF1E

SSDEEP:

6144:Iwvwawr6rcnYS/EUboJ1iZhfJ0QhL/QCNd1w:BAI4G

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

• Disables the Log Off option in the Start menu

      • 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe (PID: 716)
    • Disables the Shutdown option in the Start menu

      • 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe (PID: 716)
    • Disables the Find option in the Start menu

      • 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe (PID: 716)
    • Disables the Run option in the Start menu

      • 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe (PID: 716)
    • Actions look like stealing of personal data

      • 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe (PID: 716)
    • Steals credentials from Web Browsers

      • 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe (PID: 716)
    • Changes image file execution options

      • 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe (PID: 716)
  • SUSPICIOUS

    • Creates a file in the system drive root

      • 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe (PID: 716)
    • Changes the desktop background image

      • 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe (PID: 716)
    • Creates or modifies Windows services

      • 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe (PID: 716)
    • Deletes system .NET executable

      • 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe (PID: 716)
  • INFO

    • Reads the computer name

      • 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe (PID: 716)
    • Reads the machine GUID from the registry

      • 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe (PID: 716)
    • Checks supported languages

      • 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe (PID: 716)
    • The sample is compiled with English language support

      • 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe (PID: 716)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe (PID: 716)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:12:14 09:09:12+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.41
CodeSize: 99840
InitializedDataSize: 107008
UninitializedDataSize: -
EntryPoint: 0x17f05
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 114.514.1919.810
ProductVersionNumber: 114.514.1919.810
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: 水龙危险运营 Zoey
FileDescription: I'm a Destructive GDI Malware called Pentoxide. Open me if you want to destroy your pc.
FileVersion: 114.514.1919.810
InternalName: Pentoxide.exe
LegalCopyright: Copyright (C) 2024 水龙危险运营 Zoey, All rights reserved.
OriginalFileName: Pentoxide.exe
ProductName: PentoxideDestructive
ProductVersion: Release1.0
No data.
All screenshots are available in the full report
Total processes
120
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

start -> 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe (no specs) -> 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe

Process information

PID
CMD
Path
Indicators
Parent process
4576
"C:\Users\admin\Desktop\41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe"
C:\Users\admin\Desktop\41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
explorer.exe
User:
admin
Company:
水龙危险运营 Zoey
Integrity Level:
MEDIUM
Description:
I'm a Destructive GDI Malware called Pentoxide. Open me if you want to destroy your pc.
Exit code:
3221226540
Version:
114.514.1919.810
Modules
Images
c:\users\admin\desktop\41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
716
"C:\Users\admin\Desktop\41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe"
C:\Users\admin\Desktop\41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
explorer.exe
User:
admin
Company:
水龙危险运营 Zoey
Integrity Level:
HIGH
Description:
I'm a Destructive GDI Malware called Pentoxide. Open me if you want to destroy your pc.
Version:
114.514.1919.810
Modules
Images
c:\users\admin\desktop\41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
467
Read events
257
Write events
210
Delete events
0

Modification events

(PID) Process: (716) 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}
Operation: write
Name: UpperFilters
Value:
Pentoxide
(PID) Process: (716) 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}
Operation: write
Name: UpperFilters
Value:
Pentoxide
(PID) Process: (716) 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}
Operation: write
Name: UpperFilters
Value:
Pentoxide
(PID) Process: (716) 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}
Operation: write
Name: UpperFilters
Value:
Pentoxide
(PID) Process: (716) 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{53487c23-680f-4585-acc3-1f10d6777e82}
Operation: write
Name: UpperFilters
Value:
Pentoxide
(PID) Process: (716) 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk
Operation: write
Name: ImagePath
Value:
Pentoxide
(PID) Process: (716) 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbdclass
Operation: write
Name: ImagePath
Value:
Pentoxide
(PID) Process: (716) 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mouclass
Operation: write
Name: ImagePath
Value:
Pentoxide
(PID) Process: (716) 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr
Operation: write
Name: ImagePath
Value:
Pentoxide
(PID) Process: (716) 41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
Key: HKEY_CURRENT_USER\Control Panel\Desktop
Operation: write
Name: LogPixels
Value:
21000
Executable files
0
Suspicious files
1
Text files
1 274
Unknown types
0

Dropped files

PID
Process
Filename
Type
716
41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
C:\210NHf8Hk4UXih2nwqwDDGqaBlU68nPU9991ELt8bUrm7OVxbT
text
MD5: AD7AE03F4E15AD13FE26D2CCAB73AD6E
SHA256: 877C573A1FEE1AFBF65DC0D834598C2EB256720DF962468D96292525B2F52D23
716
41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
C:\8KF6z1A7niYZ5k1XOs32v664VyH8B581kXVNd414E09E2V00S8
text
MD5: AD7AE03F4E15AD13FE26D2CCAB73AD6E
SHA256: 877C573A1FEE1AFBF65DC0D834598C2EB256720DF962468D96292525B2F52D23
716
41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
C:\ubhf0cN8uwPhESvBXjmKuesN865eFVsUFqXkOEO46eTpS56WEL
text
MD5: AD7AE03F4E15AD13FE26D2CCAB73AD6E
SHA256: 877C573A1FEE1AFBF65DC0D834598C2EB256720DF962468D96292525B2F52D23
716
41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
C:\8X5c3dxZ8lj5Gabj0Y438A2JdPtM3FS9fpb8C2vV6FHzgQZ250
text
MD5: AD7AE03F4E15AD13FE26D2CCAB73AD6E
SHA256: 877C573A1FEE1AFBF65DC0D834598C2EB256720DF962468D96292525B2F52D23
716
41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
C:\96MIwd31kB7GyUS178s7ke3He3q7cm4dLSL9p12MfycAq6FNpF
text
MD5: AD7AE03F4E15AD13FE26D2CCAB73AD6E
SHA256: 877C573A1FEE1AFBF65DC0D834598C2EB256720DF962468D96292525B2F52D23
716
41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
C:\GsVNjXmVr9yd9I8st45Fman8Z6Vm56SG362Kt74zh6i7u982G0
text
MD5: AD7AE03F4E15AD13FE26D2CCAB73AD6E
SHA256: 877C573A1FEE1AFBF65DC0D834598C2EB256720DF962468D96292525B2F52D23
716
41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
C:\qX2s2QBzDBtY93j5VpWSZw395sdOenpp0E3Kqal400CnuGFO3Z
text
MD5: AD7AE03F4E15AD13FE26D2CCAB73AD6E
SHA256: 877C573A1FEE1AFBF65DC0D834598C2EB256720DF962468D96292525B2F52D23
716
41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
C:\YwuSR2bWSzo4X7tLKfw6Tz762wo7f0C3K07Zw9Vu5Xxvjc5O02
text
MD5: AD7AE03F4E15AD13FE26D2CCAB73AD6E
SHA256: 877C573A1FEE1AFBF65DC0D834598C2EB256720DF962468D96292525B2F52D23
716
41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
C:\9362JYn976G4n93D5vLd0gQEb4XsuQ2YdafN33rlw6gds1ZOXG
text
MD5: AD7AE03F4E15AD13FE26D2CCAB73AD6E
SHA256: 877C573A1FEE1AFBF65DC0D834598C2EB256720DF962468D96292525B2F52D23
716
41de8ef61c5a21d20a5482c02fbc2f531eec0b22d306cc7ebfa1411f0a7ecf1e.exe
C:\3ZxVRmv5W7qGF702622yxxn0e1v2AH5tt8sBSZgmUnb0f7i364
text
MD5: AD7AE03F4E15AD13FE26D2CCAB73AD6E
SHA256: 877C573A1FEE1AFBF65DC0D834598C2EB256720DF962468D96292525B2F52D23
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
15
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
524
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
524
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
204
104.126.37.160:443
https://www.bing.com/threshold/xls.aspx
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
524
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
524
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
524
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
2.23.209.179:443
www.bing.com
Akamai International B.V.
GB
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.bing.com
  • 2.23.209.179
  • 2.23.209.182
  • 2.23.209.187
  • 2.23.209.189
  • 2.23.209.185
  • 2.23.209.160
  • 2.23.209.181
  • 2.23.209.177
  • 2.23.209.176
whitelisted
self.events.data.microsoft.com
  • 104.208.16.89
whitelisted

Threats

No threats detected
No debug info