download:

/legendary99999/dfbadfbadfbfda/releases/download/vzsdfcasD/LatelyStated.exe

Full analysis: https://app.any.run/tasks/cacd9fde-056a-4931-b604-2dad9c179d89
Verdict: Malicious activity
Analysis date: May 17, 2025, 01:49:35
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
telegram
autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

BBB2FADD18B94C71DABDCF9ABE2F60A2

SHA1:

670E9C5EA1A94ED71F91908CB4EB76C8F80EA15A

SHA256:

52C976140A7B016BCC8978BE4D5A887A86E6B454AAE7DCE95ED15628D3326EB3

SSDEEP:

49152:rQhd5vsLJDH2a0zVy4nfKw+OQGQjYXCShNxvIeKPAVsoAP9jjH4yXCT0iag2Aofa:sKFD4zE4nfKLGQjyC4vw7PA2oAP9/Cgo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • AutoIt loader has been detected (YARA)

      • Sugar.com (PID: 4120)

  • SUSPICIOUS

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 1088)

    • Starts CMD.EXE for commands execution

      • LatelyStated.exe (PID: 5868)
      • cmd.exe (PID: 1088)

    • Reads security settings of Internet Explorer

      • LatelyStated.exe (PID: 5868)

    • Starts application with an unusual extension

      • cmd.exe (PID: 1088)

    • Application launched itself

      • cmd.exe (PID: 1088)

    • Executing commands from a ".bat" file

      • LatelyStated.exe (PID: 5868)

    • Get information on the list of running processes

      • cmd.exe (PID: 1088)

    • The executable file from the user directory is run by the CMD process

      • Sugar.com (PID: 4120)

    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 1088)

    • There is functionality for taking screenshot (YARA)

      • Sugar.com (PID: 4120)
      • LatelyStated.exe (PID: 5868)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Sugar.com (PID: 4120)

  • INFO

    • Checks supported languages

      • Sugar.com (PID: 4120)
      • LatelyStated.exe (PID: 5868)
      • extrac32.exe (PID: 668)

    • Reads mouse settings

      • Sugar.com (PID: 4120)

    • Reads the computer name

      • extrac32.exe (PID: 668)
      • LatelyStated.exe (PID: 5868)
      • Sugar.com (PID: 4120)

    • Create files in a temporary directory

      • extrac32.exe (PID: 668)
      • LatelyStated.exe (PID: 5868)

    • Process checks computer location settings

      • LatelyStated.exe (PID: 5868)

    • Creates a new folder

      • cmd.exe (PID: 6476)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:23+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 25600
InitializedDataSize: 431104
UninitializedDataSize: 16896
EntryPoint: 0x33e9
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
153
Monitored processes
17
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start latelystated.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs sppextcomobj.exe no specs slui.exe cmd.exe no specs extrac32.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs sugar.com choice.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
668extrac32 /Y /E Theoretical.ppamC:\Windows\SysWOW64\extrac32.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® CAB File Extract Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
976findstr /I "opssvc wrsa" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1088"C:\WINDOWS\System32\cmd.exe" /c copy Loan.ppam Loan.ppam.bat & Loan.ppam.batC:\Windows\SysWOW64\cmd.exeLatelyStated.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1628tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2420C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2516\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2616cmd /c copy /b 829811\Sugar.com + Jose + Trials + Ideal + Advertiser + Report + Bumper + Container + Widespread + Likely 829811\Sugar.comC:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3300tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4040"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4120Sugar.com T C:\Users\admin\AppData\Local\Temp\829811\Sugar.com
cmd.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script (Beta)
Version:
3, 3, 15, 5
Modules
Images
c:\users\admin\appdata\local\temp\829811\sugar.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
Total events
1 966
Read events
1 966
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
19
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
668extrac32.exeC:\Users\admin\AppData\Local\Temp\Containerbinary
MD5:7265041104ADC240DD7D3FF825E06CDB
SHA256:51B16AAA5079ACBD66099314F4C7C2DE53D076E035CA712F4B3FD28AD9E262F5
5868LatelyStated.exeC:\Users\admin\AppData\Local\Temp\Warnings.ppambinary
MD5:042540C134F3F9A7A557D3C2A6E75B28
SHA256:A91C6EF6AFA7C3D8789A891765A5811354B645D04F0484F1688590AD8CCB90E9
5868LatelyStated.exeC:\Users\admin\AppData\Local\Temp\Heat.ppambinary
MD5:7EBBCEB6811F536B0DE6B437334B895F
SHA256:66E8203389E62D2C615C26DB6DACEA5A8488A9603709FA7A37EBA7BFE72881CC
5868LatelyStated.exeC:\Users\admin\AppData\Local\Temp\Smith.ppambinary
MD5:B030A73FB93754D1F240F663D2F6E3FF
SHA256:A33417D5BC3DBCCB5E1D1A03910069D9C2ECAFB677D4223AF9E4615416FD666D
5868LatelyStated.exeC:\Users\admin\AppData\Local\Temp\Loan.ppamtext
MD5:2E093DA83603089EE51291BA69DD863B
SHA256:12268F9DF45FC10DAA58CF6BCCCD0847ED4F5A9285C33EFA95DB9BB758F0E541
668extrac32.exeC:\Users\admin\AppData\Local\Temp\Idealbinary
MD5:14BF68D6EB3BBD0AD817FB55B9362F9A
SHA256:096E01EC7AB22C45BFC21690C6E3E08B0623771EA534C70687C8C3C776D563C6
668extrac32.exeC:\Users\admin\AppData\Local\Temp\Bumperbinary
MD5:1CCA2949B68376922E1A304D9508444F
SHA256:79CD97E2E56A911937F8F1BF45945142AC86C48A8BAE1F13A1C432AB6F340AFF
668extrac32.exeC:\Users\admin\AppData\Local\Temp\Josebinary
MD5:5EDC0349146AC52892758D9A1CE8779D
SHA256:27F8D06BCC4FBEC8668AF41B9977E3380D254667345CEAC371BEB431722B3E66
1088cmd.exeC:\Users\admin\AppData\Local\Temp\Loan.ppam.battext
MD5:2E093DA83603089EE51291BA69DD863B
SHA256:12268F9DF45FC10DAA58CF6BCCCD0847ED4F5A9285C33EFA95DB9BB758F0E541
668extrac32.exeC:\Users\admin\AppData\Local\Temp\Trialsbinary
MD5:70CE46FACEF468DDCF2CA5DBDB0E6C54
SHA256:1C0A0E5F0C9AC141F58B6B09EC90A992A7931F9F727A8D11ECE9F262E89051B6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
34
DNS requests
17
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
86.124.128.145:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
976
RUXIMICS.exe
GET
200
86.124.128.145:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
86.124.128.145:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
92.122.17.157:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
976
RUXIMICS.exe
GET
200
92.122.17.157:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6388
SIHClient.exe
GET
200
92.122.17.157:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
92.122.17.157:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
104.81.99.218:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6388
SIHClient.exe
GET
200
92.122.17.157:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
976
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
86.124.128.145:80
crl.microsoft.com
RCS & RDS
RO
whitelisted
976
RUXIMICS.exe
86.124.128.145:80
crl.microsoft.com
RCS & RDS
RO
whitelisted
2104
svchost.exe
86.124.128.145:80
crl.microsoft.com
RCS & RDS
RO
whitelisted
2104
svchost.exe
92.122.17.157:80
www.microsoft.com
AKAMAI-AS
RO
whitelisted
5496
MoUsoCoreWorker.exe
92.122.17.157:80
www.microsoft.com
AKAMAI-AS
RO
whitelisted
976
RUXIMICS.exe
92.122.17.157:80
www.microsoft.com
AKAMAI-AS
RO
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.180.238
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 86.124.128.145
whitelisted
www.microsoft.com
  • 92.122.17.157
whitelisted
client.wns.windows.com
  • 20.199.120.182
whitelisted
login.live.com
  • 20.190.177.82
whitelisted
ocsp.digicert.com
  • 104.81.99.218
whitelisted
goItfCRIeuAaUkQLpI.goItfCRIeuAaUkQLpI
unknown
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID
Process
Class
Message
4120
Sugar.com
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/legendary99999/dfbadfbadfbfda/releases/download/vzsdfcasD/LatelyStated.exe