download:

/legendary99999/dfbadfbadfbfda/releases/download/vzsdfcasD/LatelyStated.exe

Full analysis: https://app.any.run/tasks/cacd9fde-056a-4931-b604-2dad9c179d89
Verdict: Malicious activity
Analysis date: May 17, 2025, 01:49:35
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
telegram
autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

BBB2FADD18B94C71DABDCF9ABE2F60A2

SHA1:

670E9C5EA1A94ED71F91908CB4EB76C8F80EA15A

SHA256:

52C976140A7B016BCC8978BE4D5A887A86E6B454AAE7DCE95ED15628D3326EB3

SSDEEP:

49152:rQhd5vsLJDH2a0zVy4nfKw+OQGQjYXCShNxvIeKPAVsoAP9jjH4yXCT0iag2Aofa:sKFD4zE4nfKLGQjyC4vw7PA2oAP9/Cgo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • AutoIt loader has been detected (YARA)

      • Sugar.com (PID: 4120)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • cmd.exe (PID: 1088)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 1088)
    • The executable file from the user directory is run by the CMD process

      • Sugar.com (PID: 4120)
    • Reads security settings of Internet Explorer

      • LatelyStated.exe (PID: 5868)
    • Starts CMD.EXE for commands execution

      • LatelyStated.exe (PID: 5868)
      • cmd.exe (PID: 1088)
    • Executing commands from a ".bat" file

      • LatelyStated.exe (PID: 5868)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 1088)
    • Get information on the list of running processes

      • cmd.exe (PID: 1088)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Sugar.com (PID: 4120)
    • There is functionality for taking screenshot (YARA)

      • Sugar.com (PID: 4120)
      • LatelyStated.exe (PID: 5868)
    • Application launched itself

      • cmd.exe (PID: 1088)
  • INFO

    • Reads the computer name

      • LatelyStated.exe (PID: 5868)
      • Sugar.com (PID: 4120)
      • extrac32.exe (PID: 668)
    • Reads mouse settings

      • Sugar.com (PID: 4120)
    • Checks supported languages

      • Sugar.com (PID: 4120)
      • LatelyStated.exe (PID: 5868)
      • extrac32.exe (PID: 668)
    • Process checks computer location settings

      • LatelyStated.exe (PID: 5868)
    • Create files in a temporary directory

      • LatelyStated.exe (PID: 5868)
      • extrac32.exe (PID: 668)
    • Creates a new folder

      • cmd.exe (PID: 6476)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:23+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 25600
InitializedDataSize: 431104
UninitializedDataSize: 16896
EntryPoint: 0x33e9
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 153
Monitored processes: 17
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in display order: latelystated.exe, cmd.exe, conhost.exe, tasklist.exe, findstr.exe, tasklist.exe, findstr.exe, sppextcomobj.exe, slui.exe, cmd.exe, extrac32.exe, findstr.exe, cmd.exe, cmd.exe, sugar.com, choice.exe, slui.exe

Process information

PID:
668
CMD:
extrac32 /Y /E Theoretical.ppam
Path:
C:\Windows\SysWOW64\extrac32.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® CAB File Extract Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
976
CMD:
findstr /I "opssvc wrsa"
Path:
C:\Windows\SysWOW64\findstr.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1088
CMD:
"C:\WINDOWS\System32\cmd.exe" /c copy Loan.ppam Loan.ppam.bat & Loan.ppam.bat
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
LatelyStated.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1628
CMD:
tasklist
Path:
C:\Windows\SysWOW64\tasklist.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
2420
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
2516
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2616
CMD:
cmd /c copy /b 829811\Sugar.com + Jose + Trials + Ideal + Advertiser + Report + Bumper + Container + Widespread + Likely 829811\Sugar.com
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
3300
CMD:
tasklist
Path:
C:\Windows\SysWOW64\tasklist.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
4040
CMD:
"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path:
C:\Windows\System32\slui.exe
Parent process:
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
4120
CMD:
Sugar.com T
Path:
C:\Users\admin\AppData\Local\Temp\829811\Sugar.com
Parent process:
cmd.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script (Beta)
Version:
3, 3, 15, 5
Modules
Images
c:\users\admin\appdata\local\temp\829811\sugar.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
Total events: 1 966
Read events: 1 966
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 19
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type

5868 | LatelyStated.exe | C:\Users\admin\AppData\Local\Temp\French.ppam | binary
MD5: 35908130B0B3DB18E0FCA426A8E0A4E7
SHA256: E0E0D91CBF4C1485FAFBA4364968F93FA5D3E5FE5EEB990A5215BEF0B2F88148

5868 | LatelyStated.exe | C:\Users\admin\AppData\Local\Temp\Floors.ppam | binary
MD5: F886E031682D2866DE3BCCEFE12AA590
SHA256: 94E5DA7A304E5947ABF9DD6FC5381CEF45DE807CB81EFB6088B93049B5B7A413

5868 | LatelyStated.exe | C:\Users\admin\AppData\Local\Temp\Collector.ppam | binary
MD5: DFDBD0A46FDB623B82CA8DB0ABDCEC47
SHA256: E31DC775DF0BCE89AD01558C3B7986F9C1AE1D3B5999A127F85E9ED52D2974E8

5868 | LatelyStated.exe | C:\Users\admin\AppData\Local\Temp\Soma.ppam | binary
MD5: DCDF7501CBF92B80BD32FD8719EB2969
SHA256: CF3E7EF6EEA430531EF4AF7DC18B32C5F6EEE266F9F017F3F336EDF85F8BFF07

5868 | LatelyStated.exe | C:\Users\admin\AppData\Local\Temp\Warnings.ppam | binary
MD5: 042540C134F3F9A7A557D3C2A6E75B28
SHA256: A91C6EF6AFA7C3D8789A891765A5811354B645D04F0484F1688590AD8CCB90E9

5868 | LatelyStated.exe | C:\Users\admin\AppData\Local\Temp\Smith.ppam | binary
MD5: B030A73FB93754D1F240F663D2F6E3FF
SHA256: A33417D5BC3DBCCB5E1D1A03910069D9C2ECAFB677D4223AF9E4615416FD666D

5868 | LatelyStated.exe | C:\Users\admin\AppData\Local\Temp\Theoretical.ppam | compressed
MD5: 29252E8CA05141BE2B7CB54091489902
SHA256: F39248657B16CAAAEAF1F4D21E3492AAD695A5372E92343EB1DDAFE20F716426

5868 | LatelyStated.exe | C:\Users\admin\AppData\Local\Temp\Loan.ppam | text
MD5: 2E093DA83603089EE51291BA69DD863B
SHA256: 12268F9DF45FC10DAA58CF6BCCCD0847ED4F5A9285C33EFA95DB9BB758F0E541

668 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Jose | binary
MD5: 5EDC0349146AC52892758D9A1CE8779D
SHA256: 27F8D06BCC4FBEC8668AF41B9977E3380D254667345CEAC371BEB431722B3E66

668 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Advertiser | binary
MD5: 51E7E932A8304A5CBADE19469AC65FEA
SHA256: A7E0354F4F85BDC992C4CB1D9AD82B2B9727D457FC7CB51A8AFF5886FF6F017C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 34
DNS requests: 17
Threats: 1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
86.124.128.145:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
976
RUXIMICS.exe
GET
200
86.124.128.145:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
86.124.128.145:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
92.122.17.157:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
92.122.17.157:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6388
SIHClient.exe
GET
200
92.122.17.157:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6388
SIHClient.exe
GET
200
92.122.17.157:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6544
svchost.exe
GET
200
104.81.99.218:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
976
RUXIMICS.exe
GET
200
92.122.17.157:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
5496 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
976 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 86.124.128.145:80 | crl.microsoft.com | RCS & RDS | RO | whitelisted
976 | RUXIMICS.exe | 86.124.128.145:80 | crl.microsoft.com | RCS & RDS | RO | whitelisted
2104 | svchost.exe | 86.124.128.145:80 | crl.microsoft.com | RCS & RDS | RO | whitelisted
2104 | svchost.exe | 92.122.17.157:80 | www.microsoft.com | AKAMAI-AS | RO | whitelisted
5496 | MoUsoCoreWorker.exe | 92.122.17.157:80 | www.microsoft.com | AKAMAI-AS | RO | whitelisted
976 | RUXIMICS.exe | 92.122.17.157:80 | www.microsoft.com | AKAMAI-AS | RO | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.180.238 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
crl.microsoft.com | 86.124.128.145 | whitelisted
www.microsoft.com | 92.122.17.157 | whitelisted
client.wns.windows.com | 20.199.120.182 | whitelisted
login.live.com | 20.190.177.82 | whitelisted
ocsp.digicert.com | 104.81.99.218 | whitelisted
goItfCRIeuAaUkQLpI.goItfCRIeuAaUkQLpI |  | unknown
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted

Threats

PID | Process | Class | Message
4120 | Sugar.com | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
No debug info