File name: Netwrix_Account_Lockout_Examiner.exe
Full analysis: https://app.any.run/tasks/60e1008e-fcad-466d-b7b1-4aa8bcf2abcc
Verdict: Malicious activity
Analysis date: May 16, 2024, 17:14:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5: 9FC98474B06655DCB0A9A392C0D86537
SHA1: 7D8510018CE80B7C181B4A270ED558A9D510F9D1
SHA256: 51D7ACB2504C086B37390385106144F330A847A2685D894CD0F7BE88DB4EB06B
SSDEEP: 196608:JD/hDv/ZBwuaXrcTHSh41UvkZAc6Bug8u4jAhu3vVfDdPgBG:JTVX3T7THU06Bug8uKQu3JDAG
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • Netwrix_Account_Lockout_Examiner.exe (PID: 3968)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • Netwrix_Account_Lockout_Examiner.exe (PID: 3968)
    • The process creates files with name similar to system file names
      • Netwrix_Account_Lockout_Examiner.exe (PID: 3968)
    • Reads security settings of Internet Explorer
      • Netwrix_Account_Lockout_Examiner.exe (PID: 3968)
      • Netwrix.ALE.Launcher.exe (PID: 2104)
    • Reads the Internet Settings
      • Netwrix_Account_Lockout_Examiner.exe (PID: 3968)
      • Netwrix.ALE.Launcher.exe (PID: 2104)
    • Executable content was dropped or overwritten
      • Netwrix_Account_Lockout_Examiner.exe (PID: 3968)
    • Checks Windows Trust Settings
      • Netwrix.ALE.Launcher.exe (PID: 2104)
    • Reads settings of System Certificates
      • Netwrix.ALE.Launcher.exe (PID: 2104)
  • INFO
    • Reads the computer name
      • Netwrix_Account_Lockout_Examiner.exe (PID: 3968)
      • Netwrix.ALE.Launcher.exe (PID: 2104)
      • wmpnscfg.exe (PID: 312)
    • Creates files in the program directory
      • Netwrix_Account_Lockout_Examiner.exe (PID: 3968)
      • Netwrix.ALE.Launcher.exe (PID: 2104)
    • Checks supported languages
      • Netwrix_Account_Lockout_Examiner.exe (PID: 3968)
      • Netwrix.ALE.Launcher.exe (PID: 2104)
      • wmpnscfg.exe (PID: 312)
    • Reads the machine GUID from the registry
      • Netwrix.ALE.Launcher.exe (PID: 2104)
    • Reads the software policy settings
      • Netwrix.ALE.Launcher.exe (PID: 2104)
    • Disables trace logs
      • Netwrix.ALE.Launcher.exe (PID: 2104)
    • Reads Environment values
      • Netwrix.ALE.Launcher.exe (PID: 2104)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 312)

Note: every MALICIOUS and SUSPICIOUS hit above is a file-drop or settings-read signature of the kind a self-extracting installer (the file is identified as a RAR SFX) also produces. The verdict is the sandbox's automated rating, subject to the disclaimer above; no malware configuration was extracted and the Threats section below reports no network detections.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:02 07:40:24+00:00 (link time of the RAR self-extracting stub; the version resource below claims © 2020, so the PE header does not date the Netwrix payload inside the archive)
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 72192
InitializedDataSize: 55296
UninitializedDataSize: -
EntryPoint: 0xb4b5
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 5.2.217.0
ProductVersionNumber: 5.2.217.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Netwrix Account Lockout Examiner
InternalName: Netwrix Account Lockout Examiner.exe
OriginalFileName: Netwrix Account Lockout Examiner.exe
CompanyName: Netwrix Corporation
LegalCopyright: Copyright © 2020 Netwrix Corporation
ProductName: Netwrix Account Lockout Examiner
FileVersion: 5.2.217.0
ProductVersion: 5.2.217.0
Total processes: 39
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

explorer.exe
  ├─ Netwrix_Account_Lockout_Examiner.exe (PID 3968, MEDIUM integrity)
  │    ├─ Netwrix.ALE.Launcher.exe (PID 3992, MEDIUM integrity, exit code 3221226540 = 0xC000042C, STATUS_ELEVATION_REQUIRED)
  │    └─ Netwrix.ALE.Launcher.exe (PID 2104, HIGH integrity)
  └─ wmpnscfg.exe (PID 312, MEDIUM integrity, manual execution by a user)

Process information

PID 312
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll

PID 2104
CMD: "C:\ProgramData\Netwrix Account Lockout Examiner\Netwrix.ALE.Launcher.exe"
Path: C:\ProgramData\Netwrix Account Lockout Examiner\Netwrix.ALE.Launcher.exe
Parent process: Netwrix_Account_Lockout_Examiner.exe
User: admin
Company: Netwrix Corporation
Integrity Level: HIGH
Description: Netwrix Account Lockout Examiner
Exit code: not recorded
Version: 5.2.217.0
Modules (Images):
  c:\programdata\netwrix account lockout examiner\netwrix.ale.launcher.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\apppatch\aclayers.dll
  c:\windows\system32\sspicli.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  (mscoree.dll: the launcher is a managed .NET executable; apphelp.dll and aclayers.dll: an application-compatibility shim layer was applied to it)

PID 3968
CMD: "C:\Users\admin\Downloads\Netwrix_Account_Lockout_Examiner.exe"
Path: C:\Users\admin\Downloads\Netwrix_Account_Lockout_Examiner.exe
Parent process: explorer.exe
User: admin
Company: Netwrix Corporation
Integrity Level: MEDIUM
Description: Netwrix Account Lockout Examiner
Exit code: 0
Version: 5.2.217.0
Modules (Images):
  c:\users\admin\downloads\netwrix_account_lockout_examiner.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID 3992
CMD: "C:\ProgramData\Netwrix Account Lockout Examiner\Netwrix.ALE.Launcher.exe"
Path: C:\ProgramData\Netwrix Account Lockout Examiner\Netwrix.ALE.Launcher.exe
Parent process: Netwrix_Account_Lockout_Examiner.exe
User: admin
Company: Netwrix Corporation
Integrity Level: MEDIUM
Description: Netwrix Account Lockout Examiner
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the launcher cannot run at MEDIUM integrity; compare PID 2104, the same image running at HIGH integrity)
Version: 5.2.217.0
Modules (Images):
  c:\programdata\netwrix account lockout examiner\netwrix.ale.launcher.exe
  c:\windows\system32\ntdll.dll
Total events: 5 099
Read events: 5 050
Write events: 46
Delete events: 3

Modification events

(PID) Process | Operation | Key | Name = Value
(3968) Netwrix_Account_Lockout_Examiner.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass = 1
(3968) Netwrix_Account_Lockout_Examiner.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName = 1
(3968) Netwrix_Account_Lockout_Examiner.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet = 1
(3968) Netwrix_Account_Lockout_Examiner.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect = 0
(2104) Netwrix.ALE.Launcher.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass = 1
(2104) Netwrix.ALE.Launcher.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName = 1
(2104) Netwrix.ALE.Launcher.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet = 1
(2104) Netwrix.ALE.Launcher.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect = 0
(2104) Netwrix.ALE.Launcher.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList = en-US
(2104) Netwrix.ALE.Launcher.exe | delete value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates | 9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6 (no data)
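As an added triage example (this is not ANY.RUN's or Netwrix's code), the Python below parses registry modification events in the raw four-line layout the ANY.RUN export uses (process/key line, operation/name line, the literal "Value:" marker, then the data line, which is absent for a delete) and flags the two patterns a reviewer should look at here: the Internet Settings\ZoneMap writes and the value deleted under the enterprise Root certificate store. It also takes the rows of the HTTP requests table and flags the manifest fetch made over plaintext HTTP. The sample events and HTTP rows are constructed from this report; the severity labels and the rules are this example's own choices, not ANY.RUN signatures.

```python
"""Triage helpers for the flattened event lines of an ANY.RUN report (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed from this report, in the raw export layout (a subset of the events shown).
SAMPLE_EVENTS = r"""
(PID) Process:(3968) Netwrix_Account_Lockout_Examiner.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3968) Netwrix_Account_Lockout_Examiner.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2104) Netwrix.ALE.Launcher.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2104) Netwrix.ALE.Launcher.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2104) Netwrix.ALE.Launcher.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
Operation:delete valueName:9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Value:
"""

# Constructed from the HTTP requests table: (pid, process, method, status, url), three identical rows.
SAMPLE_HTTP = [(2104, "Netwrix.ALE.Launcher.exe", "GET", 301,
                "http://updates.netwrix.com/aleVersion.xml")] * 3


@dataclass(frozen=True)
class RegEvent:
    pid: int
    process: str
    key: str
    operation: str
    name: str
    value: str


EVENT_RE = re.compile(r"^\(PID\) Process:\((\d+)\) (.+?)Key:(.+)$")
OP_RE = re.compile(r"^Operation:(.+?)Name:(.+)$")


def parse_modification_events(text):
    """Turn the four-line export records into RegEvent objects."""
    lines = text.splitlines()
    events, i = [], 0
    while i < len(lines):
        head = EVENT_RE.match(lines[i])
        op = OP_RE.match(lines[i + 1]) if head and i + 1 < len(lines) else None
        if not (head and op):
            i += 1  # not the start of a record
            continue
        i += 2
        value = ""
        if i < len(lines) and lines[i] == "Value:":
            i += 1
            # deletes carry no data line; do not swallow the next record as the value
            if i < len(lines) and not EVENT_RE.match(lines[i]):
                value, i = lines[i], i + 1
        events.append(RegEvent(int(head.group(1)), head.group(2), head.group(3),
                               op.group(1), op.group(2), value))
    return events


ZONEMAP_SUFFIX = r"\Internet Settings\ZoneMap"
ENTERPRISE_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates"


def triage_registry(events):
    """Return (severity, pid, process, note) tuples for events worth a second look."""
    findings = []
    for ev in events:
        if ev.key.endswith(ZONEMAP_SUFFIX):
            findings.append(("info", ev.pid, ev.process,
                             f"ZoneMap {ev.name}={ev.value}: Intranet-zone detection setting, a routine "
                             "side effect of WinINet/urlmon use; not evidence of tampering by itself"))
        elif ev.key == ENTERPRISE_ROOT:
            findings.append(("review", ev.pid, ev.process,
                             f"{ev.operation} {ev.name} under the enterprise Root store: confirm whether "
                             "the value existed before the run and which certificate the 40-hex name identifies"))
    return findings


REDIRECTS = {301, 302, 307, 308}


def triage_http(requests):
    """Flag fetches made over plaintext HTTP, collapsing repeated identical requests."""
    grouped = {}
    for pid, process, method, status, url in requests:
        grouped.setdefault((pid, process, method, url), []).append(status)
    findings = []
    for (pid, process, method, url), statuses in grouped.items():
        if urlsplit(url).scheme != "http":
            continue
        note = f"{method} {url} over plaintext HTTP, {len(statuses)}x"
        if any(s in REDIRECTS for s in statuses):
            note += ("; answered with a redirect, so check the Location target in the PCAP and whether "
                     "the client authenticates the manifest it finally downloads")
        findings.append(("review", pid, process, note))
    return findings


def triage_report(events_text=SAMPLE_EVENTS, http_rows=SAMPLE_HTTP):
    return triage_registry(parse_modification_events(events_text)) + triage_http(http_rows)


if __name__ == "__main__":
    for sev, pid, proc, note in triage_report():
        print(f"[{sev:6}] {pid} {proc}: {note}")
```

Paste the full Modification events block of any report into `parse_modification_events` to get the complete list; the MuiCache write is deliberately not flagged, which is the kind of noise suppression a real rule set needs so the certificate-store delete does not drown in routine writes.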
Executable files: 39
Suspicious files: 1
Text files: 5
Unknown types: 0

Dropped files

All dropped by PID 3968, Netwrix_Account_Lockout_Examiner.exe (10 of the 39 executable files counted above are listed):

C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.AuditCore.Node.dll (executable)
  MD5: 82566C3F5E75E06ADBD5123DCCAFA46C
  SHA256: AFC2E74682EB57089A0934623E5BD8021593D6CF1B6187733900694D57054C8D
C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.ALE.UsageStatistics.dll (executable)
  MD5: 7E2DDD9FEA511F019735409E50640D3F
  SHA256: B423B63532B6861055DE0576AAA6C6FE935026202791D93FB04D5B5BA67306A0
C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.AuditCore.Common.dll (executable)
  MD5: 9EFCB223C3AD4CF1DE0B3B5132A29D74
  SHA256: 3B76B5B322679D663AA49915CAEA99C5EC6474DBD149B074D27F0E18A23EC3B6
C:\ProgramData\Netwrix Account Lockout Examiner\Common\System.Data.SQLite.EF6.dll (executable)
  MD5: 7D4DE390307B9FFBF4E73DC8B81BE9F9
  SHA256: C0FCB231810795D7540468D9C220A920F925284231DCE760185D9EAF9C12EA66
C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.AuditCore.UsageStatisticsSender.dll (executable)
  MD5: E88A75151A82C6970DD3A7CF3CEB883E
  SHA256: 352F3C563AE2307DA17E2F8F9CDFFF14AB15C987AB3E46B3B8F81C52F8D86AC5
C:\ProgramData\Netwrix Account Lockout Examiner\Common\x64\ComponentsLib.dll (executable)
  MD5: 992A720A53AB664FDA95072622BE5A26
  SHA256: 280897AE054753FB60608C65BFF78D1EF3CBC89A2922F20491F9853044D0BD61
C:\ProgramData\Netwrix Account Lockout Examiner\Common\UsageStatistics.db (sqlite)
  MD5: 53EB617D150F060B21FAD5DCA3BE7937
  SHA256: 1D216AE905B63B6FD36626E6F4C032717BE472C52B1F55F88725DFF96FF2E5D7
C:\ProgramData\Netwrix Account Lockout Examiner\Common\x64\SQLite.Interop.dll (executable)
  MD5: 880E747B69607B7215308A8E4D257C1D
  SHA256: F244A1AD9171B01B326064C8EBC1388F26D765060973A98D7D6BFFD701919E5E
C:\ProgramData\Netwrix Account Lockout Examiner\Common\x64\DataLayer.dll (executable)
  MD5: 2815D58BEAD055278A3323E9783FE3B1
  SHA256: 9C3C55631DD968F186089DEBF9C1EADE90322B2DBDA13C987E0BBEC28FC4B258
C:\ProgramData\Netwrix Account Lockout Examiner\Common\x64\UsageStatisticsServer.dll (executable)
  MD5: 9524AF2C2C88A82A9495D5FEA7FDD3F9
  SHA256: B4DC8F3F57346375BAD4F6E653DA9BA565C9A92485E33859BA616FA723EFFCB2
HTTP(S) requests: 3
TCP/UDP connections: 6
DNS requests: 1
Threats: 0

HTTP requests

PID   Process                   Method  HTTP Code  IP               URL
2104  Netwrix.ALE.Launcher.exe  GET     301        52.203.22.18:80  http://updates.netwrix.com/aleVersion.xml
2104  Netwrix.ALE.Launcher.exe  GET     301        52.203.22.18:80  http://updates.netwrix.com/aleVersion.xml
2104  Netwrix.ALE.Launcher.exe  GET     301        52.203.22.18:80  http://updates.netwrix.com/aleVersion.xml
(CN, Type, Size, Reputation: unknown / unknown for all three rows.)

The version manifest is requested over plaintext HTTP three times and answered with a 301 each time; the only other traffic from this process is to the same host on port 443 (see Connections). A plaintext first hop can be rewritten on path, so before treating the update channel as safe, pull the PCAP from the full report and check the redirect target and whether the launcher authenticates the manifest it finally downloads.

Connections

PID   Process                   IP                    Domain               ASN         CN  Reputation
4     System                    192.168.100.255:138                                        unknown
4     System                    192.168.100.255:137                                        whitelisted
      (not attributed)          224.0.0.252:5355                                           unknown
2104  Netwrix.ALE.Launcher.exe  52.203.22.18:80       updates.netwrix.com  AMAZON-AES  US  unknown
2104  Netwrix.ALE.Launcher.exe  52.203.22.18:443      updates.netwrix.com  AMAZON-AES  US  unknown

The first three rows are local name-resolution background traffic from the guest (NetBIOS datagram/name-service broadcasts on UDP 137/138 and LLMNR multicast on UDP 5355); only the two rows from PID 2104 are attributable to the sample.

DNS requests

Domain               IP             Reputation
updates.netwrix.com  52.203.22.18   unknown
                     54.88.91.231

Threats

No threats detected

Debug output

Process: Netwrix.ALE.Launcher.exe
Message: Native library pre-loader is trying to load native SQLite library "C:\ProgramData\Netwrix Account Lockout Examiner\Common\x86\SQLite.Interop.dll"...