File name:

STFC_installer.exe

Full analysis: https://app.any.run/tasks/f194d38b-6f4c-4b30-9bdb-323d092758f6
Verdict: Malicious activity
Analysis date: June 21, 2024, 14:32:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

2A9D8511F98E1E91756813EC92081733

SHA1:

D8C8A9351D34D31B0B57E7DAEC74B9D56811A9C7

SHA256:

56667379189728A6D026F928BA67417BAEB0AE3ED6627E726EC62FA719DDF551

SSDEEP:

6144:8VGdx6xqsMbmJuOnhAImphVgWt9svIZzORQHKcS4rzmAEwKcC6icRQglsV:wwMnhAzphVgksvIZzOR9XARKcCwQj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • STFC_installer.exe (PID: 3196)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • STFC_installer.exe (PID: 3196)
    • Reads the Internet Settings

      • STFC_installer.exe (PID: 3196)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • STFC_installer.exe (PID: 3196)
    • Reads security settings of Internet Explorer

      • STFC_installer.exe (PID: 3196)
    • The process creates files with name similar to system file names

      • STFC_installer.exe (PID: 3196)
  • INFO

    • Reads the computer name

      • wmpnscfg.exe (PID: 3256)
      • STFC_installer.exe (PID: 3196)
      • wmpnscfg.exe (PID: 2080)
    • Checks supported languages

      • STFC_installer.exe (PID: 3196)
      • wmpnscfg.exe (PID: 3256)
      • wmpnscfg.exe (PID: 2080)
    • Checks proxy server information

      • STFC_installer.exe (PID: 3196)
    • Reads the machine GUID from the registry

      • STFC_installer.exe (PID: 3196)
    • Create files in a temporary directory

      • STFC_installer.exe (PID: 3196)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2080)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:01:30 03:57:48+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 186368
UninitializedDataSize: 2048
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
46
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Processes shown in the graph: stfc_installer.exe, wmpnscfg.exe (no specs), wmpnscfg.exe (no specs), stfc_installer.exe (no specs). The interactive graph is available in the full report.

Process information

PID: 2080
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 3196
CMD: "C:\Users\admin\AppData\Local\Temp\STFC_installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\STFC_installer.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Modules (images):
c:\users\admin\appdata\local\temp\stfc_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 3256
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 3416
CMD: "C:\Users\admin\AppData\Local\Temp\STFC_installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\STFC_installer.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity launch was refused because the executable requires elevation, whether by manifest or by UAC installer detection on the "installer" file name; only the image and ntdll.dll were ever mapped. PID 3196, the HIGH-integrity instance with the same command line, is consistent with the subsequent elevated launch.)
Modules (images):
c:\users\admin\appdata\local\temp\stfc_installer.exe
c:\windows\system32\ntdll.dll
Total events
2 904
Read events
2 861
Write events
34
Delete events
9

Modification events

(PID) Process: (3196) STFC_installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (3196) STFC_installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyServer

(PID) Process: (3196) STFC_installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyOverride

(PID) Process: (3196) STFC_installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoConfigURL

(PID) Process: (3196) STFC_installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoDetect

(PID) Process: (3196) STFC_installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3196) STFC_installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3196) STFC_installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3196) STFC_installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3196) STFC_installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
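The SavedLegacySettings value written above is the binary form of the per-user WinINet connection settings, the same structure Internet Explorer's "LAN settings" dialog edits. Rewriting it is what an installer does when it resets the proxy, but it is also exactly what a proxy hijacker does, and the two are told apart only by decoding the value. The following Python is an added example for this report, not ANY.RUN code: it decodes the well-known prefix of the blob (a header DWORD, a change counter, the INTERNET_PER_CONN_FLAGS bitmask from wininet.h and three length-prefixed ANSI strings for proxy server, bypass list and auto-config URL) and leaves the undocumented trailing bytes raw. It also builds a constructed blob with a static proxy so the hijack case can be compared against the one on the page.

```python
"""Decode the WinINet connection-settings blob (the SavedLegacySettings /
DefaultConnectionSettings registry value) written by PID 3196 above.

Added example for this report, not ANY.RUN code.  Only the prefix whose
layout is well known is interpreted (header, change counter, flags and
three length-prefixed ANSI strings); everything after is returned raw.
"""
import struct
from dataclasses import dataclass

# INTERNET_PER_CONN_FLAGS bits from wininet.h
PROXY_TYPE_DIRECT = 0x01          # direct connection permitted
PROXY_TYPE_PROXY = 0x02           # use the static proxy server string
PROXY_TYPE_AUTO_PROXY_URL = 0x04  # use the PAC / auto-config URL
PROXY_TYPE_AUTO_DETECT = 0x08     # WPAD auto-detection

FLAG_NAMES = {
    PROXY_TYPE_DIRECT: "PROXY_TYPE_DIRECT",
    PROXY_TYPE_PROXY: "PROXY_TYPE_PROXY",
    PROXY_TYPE_AUTO_PROXY_URL: "PROXY_TYPE_AUTO_PROXY_URL",
    PROXY_TYPE_AUTO_DETECT: "PROXY_TYPE_AUTO_DETECT",
}

# Copied verbatim from the "Modification events" list in the report above.
SAVED_LEGACY_SETTINGS_HEX = "460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"


@dataclass
class ConnectionSettings:
    header: int          # 0x46 on Windows 7 (0x3C on XP-era builds)
    version: int         # counter incremented on every change
    flags: int           # INTERNET_PER_CONN_FLAGS bitmask
    proxy_server: str
    proxy_bypass: str
    autoconfig_url: str
    trailing: bytes      # auto-detect state and other undocumented fields, left raw

    def flag_names(self):
        return [name for bit, name in FLAG_NAMES.items() if self.flags & bit]

    def proxy_disabled(self):
        """True when neither a static proxy nor a PAC URL is in effect."""
        uses_proxy = self.flags & (PROXY_TYPE_PROXY | PROXY_TYPE_AUTO_PROXY_URL)
        return not uses_proxy and not self.proxy_server and not self.autoconfig_url


def _read_lpstr(buf, off):
    """Read a little-endian DWORD length followed by that many ANSI bytes."""
    if off + 4 > len(buf):
        raise ValueError(f"truncated length field at offset {off}")
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError(f"string of {n} bytes at offset {off} overruns the blob")
    return buf[off:off + n].decode("latin-1"), off + n


def parse_connection_settings(blob):
    if len(blob) < 12:
        raise ValueError("blob shorter than the 12-byte fixed header")
    header, version, flags = struct.unpack_from("<III", blob, 0)
    off = 12
    proxy, off = _read_lpstr(blob, off)
    bypass, off = _read_lpstr(blob, off)
    url, off = _read_lpstr(blob, off)
    return ConnectionSettings(header, version, flags, proxy, bypass, url, blob[off:])


def build_connection_settings(flags, proxy="", bypass="", url="", version=1):
    """Encode the same prefix; used here to construct a hijack-style blob for comparison."""
    out = struct.pack("<III", 0x46, version, flags)
    for s in (proxy, bypass, url):
        b = s.encode("latin-1")
        out += struct.pack("<I", len(b)) + b
    return out + bytes(32)  # zero padding where Windows keeps its trailing fields


def summarize(hex_value):
    """One-line statement of what the written value actually configures."""
    cs = parse_connection_settings(bytes.fromhex(hex_value))
    if cs.proxy_disabled():
        state = "no proxy (direct / auto-detect only)"
    else:
        state = f"proxy={cs.proxy_server!r} pac={cs.autoconfig_url!r} bypass={cs.proxy_bypass!r}"
    return f"flags=0x{cs.flags:02X} [{', '.join(cs.flag_names())}] version={cs.version} -> {state}"


if __name__ == "__main__":
    print(summarize(SAVED_LEGACY_SETTINGS_HEX))
    hijack = build_connection_settings(PROXY_TYPE_DIRECT | PROXY_TYPE_PROXY, proxy="127.0.0.1:8080")
    print(summarize(hijack.hex()))
```

For the value on this page the decoder reports flags 0x09 (PROXY_TYPE_DIRECT | PROXY_TYPE_AUTO_DETECT) with empty proxy, bypass and PAC strings, i.e. Windows' default "automatically detect settings" with no proxy, which agrees with the ProxyEnable=0 write and the deletion of ProxyServer, ProxyOverride and AutoConfigURL in the same burst. A blob that sets PROXY_TYPE_PROXY or PROXY_TYPE_AUTO_PROXY_URL with a non-empty server or URL is the case that warrants escalation.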
Executable files
5
Suspicious files
0
Text files
4
Unknown types
0

Dropped files

PID 3196, STFC_installer.exe: C:\Users\admin\AppData\Local\Temp\nsvEB28.tmp\LangDLL.dll (executable)
MD5: 3DD80DFF583544514EEB3A5ED851A519
SHA256: 86CFF5EACA76C49F924CB123D242FDCFD45AB99C4B638D3B8F4A8CFB1970AB5B

PID 3196, STFC_installer.exe: C:\Users\admin\AppData\Local\Temp\nsvEB28.tmp\modern-header.bmp (image)
MD5: 940C56737BF9BB69CE7A31C623D4E87A
SHA256: 766A893FE962AEFD27C574CB05F25CF895D3FC70A00DB5A6FA73D573F571AEFC

PID 3196, STFC_installer.exe: C:\Users\admin\AppData\Local\Temp\nsvEB28.tmp\INetC.dll (executable)
MD5: 40D7ECA32B2F4D29DB98715DD45BFAC5
SHA256: 85E03805F90F72257DD41BFDAA186237218BBB0EC410AD3B6576A88EA11DCCB9

PID 3196, STFC_installer.exe: C:\Users\admin\AppData\Local\Temp\nsvEB28.tmp\nsisFile.dll (executable)
MD5: B7D0D765C151D235165823B48554E442
SHA256: A820A32E5CE89E3E336AFC71AA1BF42A357EC542C2BC6E50C6255C1333812587

PID 3196, STFC_installer.exe: C:\Users\admin\AppData\Local\Temp\nsvEB28.tmp\System.dll (executable)
MD5: 75ED96254FBF894E42058062B4B4F0D1
SHA256: A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7

PID 3196, STFC_installer.exe: C:\Users\admin\AppData\Local\Temp\nsvEB28.tmp\nsJSON.dll (executable)
MD5: F4D89D9A2A3E2F164AEA3E93864905C9
SHA256: 64B3EFDF3DE54E338D4DB96B549A7BDB7237BB88A82A0A63AEF570327A78A6FB

PID 3196, STFC_installer.exe: C:\Users\admin\AppData\Local\Temp\nsvEB28.tmp\modern-wizard.bmp (image)
MD5: CBE40FD2B1EC96DAEDC65DA172D90022
SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2

PID 3196, STFC_installer.exe: C:\Users\admin\AppData\Local\Temp\nsiAEB9.tmp (image)
MD5: 986C177D3D8EF9C2C9EA5D73DD417E23
SHA256: 7FAFD0A5A6E160EEF02E09AF5A47C01CB0D5125094EE45DD3C5ED7995A931AB5

PID 3196, STFC_installer.exe: C:\Users\admin\AppData\Local\Temp\nsy7DD4.tmp (image; same MD5/SHA256 as nsiAEB9.tmp)
MD5: 986C177D3D8EF9C2C9EA5D73DD417E23
SHA256: 7FAFD0A5A6E160EEF02E09AF5A47C01CB0D5125094EE45DD3C5ED7995A931AB5

Note on these files: nsvEB28.tmp is the plug-in directory ($PLUGINSDIR) that an NSIS (Nullsoft Scriptable Install System) installer creates under %TEMP%, and System.dll, LangDLL.dll, INetC.dll, nsJSON.dll and nsisFile.dll are NSIS plug-ins; modern-header.bmp and modern-wizard.bmp are the NSIS Modern UI bitmaps. The "Malware-specific behavior (creating System.dll in Temp)" indicator above therefore fires for any NSIS installer that uses the System plug-in and is not, on its own, evidence of malicious intent; what matters is whether the plug-in DLLs match the copies in a clean NSIS distribution and what the installer does with them. INetC is the NSIS HTTP/FTP download plug-in, yet the report records no DNS, TCP or HTTP activity, so no download took place in this run, and nothing outside the installer's own scaffolding was dropped.
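Separating an NSIS installer's scaffolding from files that still need attention is a routine triage step when reading a dropped-file list like the one above. The Python below is an added example for this report, not ANY.RUN code: it takes the rows from the Dropped files table (copied in as constructed input), recognises the ns?XXXX.tmp naming NSIS uses for its plug-in directory and scratch files, classifies known plug-in DLLs and UI bitmaps, groups files that share a SHA256, and returns whatever is left unexplained. The plug-in name list is a non-exhaustive set of well-known NSIS plug-ins and is the example's own assumption, not something the report states.

```python
"""Triage of the dropped-file list from the ANY.RUN report above.

Added example, not ANY.RUN code.  Separates NSIS installer plumbing
(the ns?XXXX.tmp extraction directory, plug-in DLLs, Modern UI bitmaps)
from anything a responder would still need to examine, and groups
files that share a SHA256.
"""
import re
from collections import defaultdict

# NSIS creates %TEMP%\ns<1 char><4 hex>.tmp\ as $PLUGINSDIR and also writes
# scratch files named the same way directly in %TEMP%.
NSIS_TMP_NAME = re.compile(r"^ns[a-z0-9]{5}\.tmp$", re.I)

# Well-known NSIS plug-ins, bundled or popular third-party (non-exhaustive;
# this list is the example's assumption).  Names are compared case-insensitively.
KNOWN_NSIS_PLUGINS = {
    "system.dll", "inetc.dll", "langdll.dll", "nsjson.dll", "nsisfile.dll",
    "nsexec.dll", "nsdialogs.dll", "stdutils.dll", "userinfo.dll",
    "nsprocess.dll", "startmenu.dll", "splash.dll", "banner.dll",
    "installoptions.dll", "nsisdl.dll", "typelib.dll", "math.dll",
}

TEMP = r"C:\Users\admin\AppData\Local\Temp"
# (pid, process, path, type, sha256): constructed from the Dropped files table above.
DROPPED = [
    (3196, "STFC_installer.exe", TEMP + r"\nsvEB28.tmp\LangDLL.dll", "executable",
     "86CFF5EACA76C49F924CB123D242FDCFD45AB99C4B638D3B8F4A8CFB1970AB5B"),
    (3196, "STFC_installer.exe", TEMP + r"\nsvEB28.tmp\modern-header.bmp", "image",
     "766A893FE962AEFD27C574CB05F25CF895D3FC70A00DB5A6FA73D573F571AEFC"),
    (3196, "STFC_installer.exe", TEMP + r"\nsvEB28.tmp\INetC.dll", "executable",
     "85E03805F90F72257DD41BFDAA186237218BBB0EC410AD3B6576A88EA11DCCB9"),
    (3196, "STFC_installer.exe", TEMP + r"\nsvEB28.tmp\nsisFile.dll", "executable",
     "A820A32E5CE89E3E336AFC71AA1BF42A357EC542C2BC6E50C6255C1333812587"),
    (3196, "STFC_installer.exe", TEMP + r"\nsvEB28.tmp\System.dll", "executable",
     "A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7"),
    (3196, "STFC_installer.exe", TEMP + r"\nsvEB28.tmp\nsJSON.dll", "executable",
     "64B3EFDF3DE54E338D4DB96B549A7BDB7237BB88A82A0A63AEF570327A78A6FB"),
    (3196, "STFC_installer.exe", TEMP + r"\nsvEB28.tmp\modern-wizard.bmp", "image",
     "3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2"),
    (3196, "STFC_installer.exe", TEMP + r"\nsiAEB9.tmp", "image",
     "7FAFD0A5A6E160EEF02E09AF5A47C01CB0D5125094EE45DD3C5ED7995A931AB5"),
    (3196, "STFC_installer.exe", TEMP + r"\nsy7DD4.tmp", "image",
     "7FAFD0A5A6E160EEF02E09AF5A47C01CB0D5125094EE45DD3C5ED7995A931AB5"),
]


def triage_dropped_files(rows):
    """Classify each dropped file and report what is not explained by NSIS itself."""
    temp_dirs, plugins, resources, scratch, unexplained = set(), [], [], [], []
    by_hash = defaultdict(list)
    for _pid, _proc, path, ftype, sha256 in rows:
        segments = path.split("\\")
        parent, name = segments[-2], segments[-1]
        by_hash[sha256.upper()].append(path)
        if NSIS_TMP_NAME.match(parent):          # inside $PLUGINSDIR
            temp_dirs.add(parent)
            if name.lower() in KNOWN_NSIS_PLUGINS:
                plugins.append(name)
            elif ftype == "image":
                resources.append(name)
            else:                                 # unknown DLL/EXE or data file: look at it
                unexplained.append(path)
        elif NSIS_TMP_NAME.match(name):          # NSIS scratch file in %TEMP%
            scratch.append(name)
        else:                                     # dropped somewhere NSIS would not by itself
            unexplained.append(path)
    return {
        "nsis_temp_dirs": sorted(temp_dirs),
        "plugins": plugins,
        "resources": resources,
        "scratch": scratch,
        "unexplained": unexplained,
        "duplicate_hashes": {h: p for h, p in by_hash.items() if len(p) > 1},
        "is_nsis_footprint": bool(temp_dirs) and bool(plugins),
    }


if __name__ == "__main__":
    for key, value in triage_dropped_files(DROPPED).items():
        print(f"{key}: {value}")
```

For this report the result is an NSIS footprint with five plug-ins, two UI bitmaps, two scratch files that are one image written twice, and an empty "unexplained" list, which is the point of the exercise: everything captured is the installer's own plumbing, and the files to compare against a clean NSIS distribution are the plug-in DLLs. A non-empty "unexplained" list (for example an unknown DLL in the plug-in directory, or anything dropped outside %TEMP%) is where analysis time should go.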
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info