File name: Flex.3.17.3.exe

Full analysis: https://app.any.run/tasks/5a77c292-0bc4-4711-b50e-6ea97b7f1a67
Verdict: Malicious activity
Analysis date: October 27, 2023, 10:52:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 20B4AFA85F600B18B07AB2DD264F79C3
SHA1: 8C304CAE4AC7554591007452FB302B7F374C9917
SHA256: 58C7F69DD8FB68BA0F98831CB4D39C683FA9E04FDF7B38F21BDB5C631053CAAE
SSDEEP: 49152:E61ghHeUxhpTgIm/OcDv9n6utD3YVR89644o4HCN7cwwK/sZtDs8ZByR+bH4g1LB:E61iHt8IMOcDd68rYmYCN7D/0JrByS5V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • Flex.3.17.3.exe (PID: 2752)
      • Flex.Client.exe (PID: 3400)
    • Drops the executable file immediately after the start

      • Flex.3.17.3.exe (PID: 2752)
    • Application was dropped or rewritten from another process

      • Flex.Client.exe (PID: 3400)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Flex.3.17.3.exe (PID: 2752)
    • The process creates files with name similar to system file names

      • Flex.3.17.3.exe (PID: 2752)
    • Process drops legitimate windows executable

      • Flex.3.17.3.exe (PID: 2752)
    • Reads the Internet Settings

      • Flex.3.17.3.exe (PID: 2752)
      • Flex.Client.exe (PID: 3400)
    • Reads settings of System Certificates

      • Flex.Client.exe (PID: 3400)
  • INFO

    • Checks supported languages

      • Flex.3.17.3.exe (PID: 2752)
      • Flex.Client.exe (PID: 3400)
    • Reads the computer name

      • Flex.3.17.3.exe (PID: 2752)
      • Flex.Client.exe (PID: 3400)
    • Create files in a temporary directory

      • Flex.3.17.3.exe (PID: 2752)
      • Flex.Client.exe (PID: 3400)
    • Creates files or folders in the user directory

      • Flex.3.17.3.exe (PID: 2752)
      • Flex.Client.exe (PID: 3400)
    • Reads Environment values

      • Flex.Client.exe (PID: 3400)
    • Reads the machine GUID from the registry

      • Flex.Client.exe (PID: 3400)
    • Manual execution by a user

      • taskmgr.exe (PID: 3424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:01:30 04:57:45+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 25600
InitializedDataSize: 162816
UninitializedDataSize: 1024
EntryPoint: 0x320c
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

[Interactive graph not reproduced; see the full report. Nodes: flex.3.17.3.exe, flex.client.exe, wisptis.exe, wisptis.exe, taskmgr.exe; edge labels: "drop and start", "start".]

Process information

PID:
2752
CMD:
"C:\Users\admin\AppData\Local\Temp\Flex.3.17.3.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Flex.3.17.3.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\flex.3.17.3.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID:
3304
CMD:
"C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path:
C:\Windows\System32\wisptis.exe
Parent process:
Flex.Client.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Pen and Touch Input Component
Exit code:
24
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wisptis.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID:
3400
CMD:
"C:\Users\admin\AppData\Local\Arcanic\ITX Flex\Flex.Client.exe"
Path:
C:\Users\admin\AppData\Local\Arcanic\ITX Flex\Flex.Client.exe
Parent process:
Flex.3.17.3.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Flex
Exit code:
0
Version:
3.17.3.0
Modules
Images
c:\users\admin\appdata\local\arcanic\itx flex\flex.client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
3424
CMD:
"C:\Windows\system32\taskmgr.exe" /4
Path:
C:\Windows\System32\taskmgr.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
PID:
3504
CMD:
"C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path:
C:\Windows\System32\wisptis.exe
Parent process:
Flex.Client.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Pen and Touch Input Component
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wisptis.exe
c:\windows\system32\ntdll.dll
Total events: 5 700
Read events: 5 670
Write events: 30
Delete events: 0

Modification events

(PID) Process: (2752) Flex.3.17.3.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2752) Flex.3.17.3.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2752) Flex.3.17.3.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2752) Flex.3.17.3.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3400) Flex.Client.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: Explorer.EXE

(PID) Process: (3400) Flex.Client.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3400) Flex.Client.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3400) Flex.Client.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3400) Flex.Client.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3304) wisptis.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: Flex.Client.exe
Executable files: 23
Suspicious files: 8
Text files: 9
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2752 | Flex.3.17.3.exe | C:\Users\admin\AppData\Local\Temp\nsjAFE6.tmp\modern-wizard.bmp | image
  MD5: 6412E234568653B252AD7E4F5C85447D
  SHA256: 8A8A570EDE642B185280E8E3E27E92A5AF200038597ED39F9DB5C59A41E84142
2752 | Flex.3.17.3.exe | C:\Users\admin\AppData\Local\Temp\nsjAFE6.tmp\System.dll | executable
  MD5: B0C77267F13B2F87C084FD86EF51CCFC
  SHA256: A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77
2752 | Flex.3.17.3.exe | C:\Users\admin\AppData\Local\Temp\nsjAFE6.tmp\nsDialogs.dll | executable
  MD5: EAC1C3707970FE7C71B2D760C34763FA
  SHA256: 062C75AD650548750564FFD7AEF8CD553773B5C26CAE7F25A5749B13165194E3
2752 | Flex.3.17.3.exe | C:\Users\admin\AppData\Local\Arcanic\ITX Flex\Castle.Core.dll | executable
  MD5: 29E9BE2F8BEA5D7923CD906C1F2B9464
  SHA256: 27D72253A5F37D971D7BC7341ABEEFACEC2CCDC3A305B297248C9791C678FAA9
2752 | Flex.3.17.3.exe | C:\Users\admin\AppData\Local\Arcanic\ITX Flex\Arcanic.ITX.Flex.WebserviceClient.dll | executable
  MD5: D648C6EB9F0582D52320C90F5A75D900
  SHA256: 7F0CA23C11029AAC5745B4C8017E6F91BD8CFD65C5E4E141CAD47F4426208B70
2752 | Flex.3.17.3.exe | C:\Users\admin\AppData\Local\Arcanic\ITX Flex\GalaSoft.MvvmLight.dll | executable
  MD5: B349A5C9165CBB8663F82C31F9402D35
  SHA256: 60FFBD8A891ACBE1ADBE79D320806A32AE826575F5218A51379FFC83F03F62A7
2752 | Flex.3.17.3.exe | C:\Users\admin\AppData\Local\Arcanic\ITX Flex\Castle.Windsor.dll | executable
  MD5: 70CBF64FCF7F6E94CA94969FD405735E
  SHA256: EDF88D8A5D154700F53243547F9503E3F67F40EF324FEF2B96DA99D91339A069
2752 | Flex.3.17.3.exe | C:\Users\admin\AppData\Local\Arcanic\ITX Flex\Flex.Client.HtmlXamlConverter.dll | executable
  MD5: 40B8B11190D90C97AC6137FCD1EF48DD
  SHA256: 70908A690C93EA91F1B441B405DCA4084136F84FA9184CA187BDC19F57566EB0
2752 | Flex.3.17.3.exe | C:\Users\admin\AppData\Local\Arcanic\ITX Flex\GalaSoft.MvvmLight.Extras.dll | executable
  MD5: 43312122AF66A3E99CF2F9C597012C22
  SHA256: 8E248E95E6DC65317AF9CAAF6A43091D5CB75FD1302BAE0A49DEA821FA21DC8E
2752 | Flex.3.17.3.exe | C:\Users\admin\AppData\Local\Arcanic\ITX Flex\Grabber.Core.dll | executable
  MD5: AEDF6D80F823A02CB693DBB4B3B7273D
  SHA256: BAE6C7C109E40642DC6CD82EEA557EA05EDBC072AC88E7ED0B67057CCBCAAE8B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 6
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3400 | Flex.Client.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?cea11e295b0381a5 | unknown | compressed | 61.6 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2656 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | | | | unknown
3400 | Flex.Client.exe | 130.225.88.180:443 | itxflex.arcanic.dk | Danish network for Research and Education | DK | unknown
3400 | Flex.Client.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted

DNS requests

Domain | IP | Reputation
itxflex.arcanic.dk | 130.225.88.180 | unknown
ctldl.windowsupdate.com | 209.197.3.8 | whitelisted

Threats

No threats detected
No debug info