File name: put.exe
Full analysis: https://app.any.run/tasks/09ae8b2f-fa56-4eac-82c6-d8a87f7fa333
Verdict: Malicious activity
Analysis date: July 26, 2025, 13:55:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-reg
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 2E98AEC22A48EDC913491B6E86358726
SHA1: 707B9D26006B2790C02B90FC87EF3A06C05FB04C
SHA256: 45436CC79A1D4416FEE06EDF2A4CA0B7550DB6C5A3C5F91E9D4A19A5C73BD07D
SSDEEP: 98304:4tB7lsKu9tCrBYbZ9NjIbsPyrgFAl16Ek6F3KGPMOvJDNbMCGeVX0Q3/4Zm5oOzV:x4It/IffkOrKTvPdYL80

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • put.exe (PID: 6256)
      • NPHrIfiP.exe (PID: 1236)
  • SUSPICIOUS
    • There is functionality for taking screenshot (YARA)
      • put.exe (PID: 6256)
    • Executes application which crashes
      • put.exe (PID: 6256)
      • NPHrIfiP.exe (PID: 1236)
    • Executable content was dropped or overwritten
      • put.exe (PID: 6256)
    • Connects to unusual port
      • explorer.exe (PID: 3488)
  • INFO
    • Checks supported languages
      • put.exe (PID: 6256)
      • NPHrIfiP.exe (PID: 1236)
    • Creates files or folders in the user directory
      • put.exe (PID: 6256)
      • WerFault.exe (PID: 2696)
      • WerFault.exe (PID: 4708)
    • Checks proxy server information
      • WerFault.exe (PID: 2696)
      • WerFault.exe (PID: 4708)
      • slui.exe (PID: 5744)
    • Launching a file from a Registry key
      • put.exe (PID: 6256)
      • NPHrIfiP.exe (PID: 1236)
    • Reads the software policy settings
      • WerFault.exe (PID: 2696)
      • slui.exe (PID: 5744)
      • WerFault.exe (PID: 4708)
    • Manual execution by a user
      • NPHrIfiP.exe (PID: 1236)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:04:28 11:38:20+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 82944
InitializedDataSize: 3525632
UninitializedDataSize: -
EntryPoint: 0x121cf
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.3.30
ProductVersionNumber: 0.0.3.30
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: printerdriverforwindows.com
FileDescription: created by https://www.printerdriverforwindows.com
LegalCopyright: Copyright (c) 2006-2018
ProductName: canon lbp2900b
ProductVersion: R1.50 Ver.3.30
FileVersion: R1.50 Ver.3.30
CompiledBy: Compiled by SFXMaker
No data.
Total processes: 140
Monitored processes: 7
Malicious processes: 0
Suspicious processes: 2

Behavior graph (processes shown): start, put.exe, explorer.exe, werfault.exe, nphrifip.exe, slui.exe, explorer.exe (no specs), werfault.exe

Process information (each entry: PID, CMD, Path, Parent process, then process details and the first loaded modules)

PID: 1236
CMD: C:\Users\admin\AppData\Roaming\2tFyKqgaha\NPHrIfiP.exe
Path: C:\Users\admin\AppData\Roaming\2tFyKqgaha\NPHrIfiP.exe
Parent process: explorer.exe
User: admin
Company: printerdriverforwindows.com
Integrity Level: MEDIUM
Description: created by https://www.printerdriverforwindows.com
Exit code: 3221225501
Version: R1.50 Ver.3.30
Modules (images):
c:\users\admin\appdata\roaming\2tfykqgaha\nphrifip.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

PID: 2696
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6256 -s 704
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: put.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID: 3488
CMD: explorer.exe
Path: C:\Windows\SysWOW64\explorer.exe
Parent process: put.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcp_win.dll

PID: 4708
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1236 -s 608
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: NPHrIfiP.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID: 4944
CMD: explorer.exe
Path: C:\Windows\SysWOW64\explorer.exe
Parent process: NPHrIfiP.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 2
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcp_win.dll
c:\windows\syswow64\ucrtbase.dll

PID: 5744
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 6256
CMD: "C:\Users\admin\Desktop\put.exe"
Path: C:\Users\admin\Desktop\put.exe
Parent process: explorer.exe
User: admin
Company: printerdriverforwindows.com
Integrity Level: MEDIUM
Description: created by https://www.printerdriverforwindows.com
Exit code: 3221225501
Version: R1.50 Ver.3.30
Modules (images):
c:\users\admin\desktop\put.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

Total events: 16 081
Read events: 16 079
Write events: 2
Delete events: 0

Modification events

PID 6256 (put.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: C:\Users\admin\AppData\Roaming\2tFyKqgaha\NPHrIfiP.exe
Value: C:\Users\admin\AppData\Roaming\2tFyKqgaha\NPHrIfiP.exe

PID 1236 (NPHrIfiP.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: C:\Users\admin\AppData\Roaming\2tFyKqgaha\NPHrIfiP.exe
Value: C:\Users\admin\AppData\Roaming\2tFyKqgaha\NPHrIfiP.exe

Executable files: 1
Suspicious files: 4
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2696 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_put.exe_1a1bacbf4a6850823851ccd95f55d894d32dc4e_67c1016e_880b9fe7-598f-4198-b007-50df0c53c647\Report.wer | -
MD5: -
SHA256: -
4708 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NPHrIfiP.exe_abfc594953d94fcf69e37119f8274cb779852c_dd7bb0ef_bd209960-4b8d-4e24-9218-4e09a7abba4e\Report.wer | -
MD5: -
SHA256: -
2696 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER44B1.tmp.WERInternalMetadata.xml | xml
MD5: E7DC761432872F390C899881C1EF7263
SHA256: 2209C05244F35869636AC388DCF4996C5A302A5FA319ACEEB0CD63584748F952
4708 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0C9.tmp.WERInternalMetadata.xml | xml
MD5: 36C60BA90FDE973D3B56FBEBD13269BF
SHA256: 7EB2CD3854B4566DD743E9827D71E19899B0F2FC04F3881F9563B7224AA5D97D
2696 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER44F0.tmp.xml | xml
MD5: 03105011B53FA70300C428A8E3C0FA89
SHA256: 1418BB7EC371C68B071E63AFD7A96087D0B9678A352306D52FC5E5D471B4B5C4
2696 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\put.exe.6256.dmp | binary
MD5: F56FCC64E55BB3AA34D1751C177B120E
SHA256: 91F77639558011DB3DA08911848EAF93BD6FE95A42B1FD2F16DAD7BCAC6E75BD
2696 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER4462.tmp.dmp | binary
MD5: 6CA40938D12985AAD18A4B00714F9FD4
SHA256: F3460B96CBA325C9222B897B6380C4A5B7314FBAC1B7F3F8453E90B9045EAB1E
4708 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\NPHrIfiP.exe.1236.dmp | binary
MD5: 581B959D3267D0AA0A9A789E460A0DD9
SHA256: C81619C51BC3AE79A4D478D92FF335B15C95BD3E67B64010C313F921B9254762
4708 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0D9.tmp.xml | xml
MD5: ADAACF81BF5CC835022466B8EBDABD0B
SHA256: 0783A99976FBC11ADA980585F5B9D53E513ECF0A38DA78505F9E36A275D1D0EC
4708 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERB07A.tmp.dmp | binary
MD5: 568FF8145F01F3118088260B34E8B9D1
SHA256: B0A9FDBB4C7475F6584DF100EA4ACB6A5FCA1E852E36D1D00FD2B9D3F21BE4E5
HTTP(S) requests: 9
TCP/UDP connections: 27
DNS requests: 13
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.110.193:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.55.110.193:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3944 | RUXIMICS.exe | GET | 200 | 23.55.110.193:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3944 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2940 | svchost.exe | GET | 200 | 2.16.252.233:80 | http://x1.c.lencr.org/ | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3944 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.110.193:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.55.110.193:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3944 | RUXIMICS.exe | 23.55.110.193:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 40.127.240.158 | whitelisted
google.com | 142.250.184.206 | whitelisted
crl.microsoft.com | 23.55.110.193, 23.55.110.211 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
watson.events.data.microsoft.com | 135.234.160.246, 135.233.45.222 | whitelisted
vpn-vds22.eleos.pro | 10.37.13.22 | unknown
self.events.data.microsoft.com | 104.208.16.88 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98, 40.91.76.224 | whitelisted
dns.msftncsi.com | 131.107.255.255 | whitelisted
x1.c.lencr.org | 2.16.252.233 | whitelisted

Threats

PID | Process | Class | Message
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info