File name:	4e97a2e80de2c1b4f3e228d97e0875ee3a8c806aa8578201559466aa5708b0de.exe
Full analysis:	https://app.any.run/tasks/255d6285-99af-47fa-aeea-dc8ee2c0a979
Verdict:	Malicious activity
Analysis date:	February 15, 2025, 23:43:59
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	AE6330D29B5B2B867AEB2FB6B1F1605B
SHA1:	689651BBCF762EB25624F2D71389724C69C4FB5E
SHA256:	4E97A2E80DE2C1B4F3E228D97E0875EE3A8C806AA8578201559466AA5708B0DE
SSDEEP:	768:vXvEV9LcQm/JQe7laODTbiasD6h5Nz5/8cLcxb5YCgEGInKR2S/:v0kiepdDSasufb0cIGCgtIKl/

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2003:08:06 18:34:23+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	7.1
CodeSize:	61440
InitializedDataSize:	20480
UninitializedDataSize:	-
EntryPoint:	0x15001
OSVersion:	4
ImageVersion:	10
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(6436) CTFMON.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config\command
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6436) CTFMON.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6436) CTFMON.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6436) CTFMON.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6356) SPOOLSV.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	Shell
Value: Explorer.exe "C:\recycled\SVCHOST.exe"
(PID) Process:	(6356) SPOOLSV.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Operation:	write	Name:	UncheckedValue
Value: 1
(PID) Process:	(6356) SPOOLSV.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Operation:	write	Name:	CheckedValue
Value: 1
(PID) Process:	(6356) SPOOLSV.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Operation:	write	Name:	CheckedValue
Value: 0
(PID) Process:	(6356) SPOOLSV.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Operation:	write	Name:	UncheckedValue
Value: 0
(PID) Process:	(6304) SVCHOST.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	Shell
Value: Explorer.exe "C:\recycled\SVCHOST.exe"

PID	Process	Filename		Type
6276	4e97a2e80de2c1b4f3e228d97e0875ee3a8c806aa8578201559466aa5708b0de.exe	C:\Recycled\desktop.ini		text
		MD5:AD0B0B4416F06AF436328A3C12DC491B	SHA256:23521DE51CA1DB2BC7B18E41DE7693542235284667BF85F6C31902547A947416
6276	4e97a2e80de2c1b4f3e228d97e0875ee3a8c806aa8578201559466aa5708b0de.exe	C:\Recycled\SVCHOST.EXE		executable
		MD5:D8F668463C4A4918F412F395DEE88A96	SHA256:565F1E1FE25FE8B1A8DA959312EECFD4468F5E0E21D68CAA3EBA389683F3151A
6276	4e97a2e80de2c1b4f3e228d97e0875ee3a8c806aa8578201559466aa5708b0de.exe	C:\Recycled\SPOOLSV.EXE		executable
		MD5:69F8BB5936656D59FE359AED4256E7BF	SHA256:44326CB1367D4EDDF01CD48EFA0F6E211D06A083AFA66A91EA99D699D91E41D0
6276	4e97a2e80de2c1b4f3e228d97e0875ee3a8c806aa8578201559466aa5708b0de.exe	C:\Recycled\CTFMON.EXE		executable
		MD5:A1856756C6EBDE806933D8DB14C39C70	SHA256:A881B37E3AD13730E2EFFA51BFA18869E82C4602051BB41DCD2DDAC3C0C585DC
6412	SPOOLSV.EXE	C:\Users\admin\AppData\Local\Temp\~DF62FACBBE3B380F12.TMP		binary
		MD5:0FEC9D9A6C0BC24C2075585B1EFBD08C	SHA256:DF3A5F8922CCBD9AF75F703B7A6861FE849CBAC4A8B609E35EBEAD67D03E98AB
6276	4e97a2e80de2c1b4f3e228d97e0875ee3a8c806aa8578201559466aa5708b0de.exe	C:\Users\admin\AppData\Local\Temp\Flu Burung.txt		text
		MD5:1A1DCE35D60D2C70CA8894954FD5D384	SHA256:2661C05273F33EFA4B7FAA6ED8A6F7E69A13AD86077F69EE285ECE9CBA57E44C
6276	4e97a2e80de2c1b4f3e228d97e0875ee3a8c806aa8578201559466aa5708b0de.exe	C:\Recycled\SMSS.EXE		executable
		MD5:457D5DE82B8AC41671BF3628BD8DA00A	SHA256:3D3701B5753FB4B0ADE47DFAFA6FA693DA2027F560BB5DE47180EE598EC07309
6336	SVCHOST.EXE	C:\Users\admin\AppData\Local\Temp\~DF9A18FEE80799C81C.TMP		binary
		MD5:743D846801D9EF57A70A8E21A2C574B8	SHA256:465572809EF3D0DA833FDBBC9DB5EE5747E3331EE732F6839973F5DA802B5BE4
6392	SVCHOST.EXE	C:\Users\admin\AppData\Local\Temp\~DF307F592468E5AAED.TMP		binary
		MD5:E5B40DCFF3DD7B181E580C8F5A5A9301	SHA256:8A112D1A93AD143B143AC30D0AC76568C21D3558650A665781EDE8C67014CF6C
6304	SVCHOST.EXE	C:\Users\admin\AppData\Local\Temp\~DFF57CA1D5AB55B596.TMP		binary
		MD5:5C3D36C13D75F8D6120774C43D45EC8D	SHA256:2D197469942404A0E4E3B565DDAD4E5A8F2C25F16EED40150C0FD437BDB8893C

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2164	svchost.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1344	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1344	RUXIMICS.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2164	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.50.131.87:443	https://omex.cdn.office.net/addinclassifier/officesharedentities	unknown	text	314 Kb	whitelisted
—	—	GET	200	184.24.77.4:443	https://binaries.templates.cdn.office.net/support/templates/en-us/tp0309043001.cab	unknown	compressed	300 Kb	whitelisted
—	—	GET	200	184.24.77.20:443	https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851221.cab	unknown	compressed	30.8 Kb	whitelisted
—	—	GET	200	184.24.77.20:443	https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851218.cab	unknown	compressed	31.0 Kb	whitelisted
—	—	GET	200	2.17.100.210:443	https://metadata.templates.cdn.office.net/client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.16026&gtype=0%2C1%2C2%2C5%2C	unknown	xml	10.7 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2164	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	104.126.37.129:443	www.bing.com	Akamai International B.V.	DE	whitelisted
1344	RUXIMICS.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2164	svchost.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6712	WINWORD.EXE	52.109.32.97:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted
1344	RUXIMICS.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2164	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
www.bing.com	104.126.37.129 104.126.37.136 104.126.37.176	whitelisted
google.com	142.250.185.238	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143 23.48.23.173 23.48.23.164 2.16.164.72 2.16.164.120	whitelisted
officeclient.microsoft.com	52.109.32.97	whitelisted
www.microsoft.com	184.30.21.171 23.219.150.101	whitelisted
ecs.office.com	52.123.128.14 52.123.129.14	whitelisted
omex.cdn.office.net	23.50.131.86 23.50.131.87	whitelisted
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
messaging.lifecycle.office.com	52.111.243.12	whitelisted
self.events.data.microsoft.com	20.189.173.4 20.189.173.15	whitelisted

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

4e97a2e80de2c1b4f3e228d97e0875ee3a8c806aa8578201559466aa5708b0de.exe

AE6330D29B5B2B867AEB2FB6B1F1605B

689651BBCF762EB25624F2D71389724C69C4FB5E

4E97A2E80DE2C1B4F3E228D97E0875EE3A8C806AA8578201559466AA5708B0DE

768:vXvEV9LcQm/JQe7laODTbiasD6h5Nz5/8cLcxb5YCgEGInKR2S/:v0kiepdDSasufb0cIGCgtIKl/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the login/logoff helper path in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Starts a Microsoft application from unusual location

Application launched itself

The process creates files with name similar to system file names

Write to the desktop.ini file (may be used to cloak folders)

Starts itself from another location

Reads security settings of Internet Explorer

Reads the Windows owner or organization settings

INFO

Failed to create an executable file in Windows directory

Checks supported languages

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings