File name: orange.exe
Full analysis: https://app.any.run/tasks/a75e141f-3d8c-4651-a182-6a411411731a
Verdict: Malicious activity
Analysis date: October 22, 2023, 00:18:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: FB1569B5A3266444D676E5F82D6BAC85
SHA1: F0D76B3806E58AE5363A78DCC62B5E27A90A7ECF
SHA256: 5B7228947B256F36BD98DDE1622799CDA8F7A7AA0F3196ABA08200FE8439DFEE
SSDEEP: 768:OIVlbMb8fL1YwirvVmcWXhi+I661D/wlzPDruLDTB:OsiADEtLWxSHh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start: orange.exe (PID: 1824)
    • Creates a writable file in the system directory: orange.exe (PID: 1824)
  • SUSPICIOUS
    • Reads the Internet Settings: orange.exe (PID: 1824)
    • Connects to unusual port: orange.exe (PID: 1824)
  • INFO
    • Creates files in a temporary directory: orange.exe (PID: 1824)
    • Creates files or folders in the user directory: orange.exe (PID: 1824)
    • Checks supported languages: orange.exe (PID: 1824)
    • Checks proxy server information: orange.exe (PID: 1824)
    • Reads the computer name: orange.exe (PID: 1824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

TRiD's generic PE definitions score "Win64" highest here, but the PE header below (PEType PE32, MachineType Intel 386, 32-bit image characteristics) is authoritative: this is a 32-bit executable.

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0xac09
UninitializedDataSize: -
InitializedDataSize: 512
CodeSize: 41472
LinkerVersion: 7
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2004:01:27 11:22:58+00:00
MachineType: Intel 386 or later, and compatibles
No data.
Screenshots: all screenshots are available in the full report
Total processes: 36
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> orange.exe (PID 1824), launched from explorer.exe; it is the only monitored process and spawns no children.

Process information

PID: 1824
CMD: "C:\Users\admin\AppData\Local\Temp\orange.exe"
Path: C:\Users\admin\AppData\Local\Temp\orange.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\orange.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 249
Read events: 247
Write events: 2
Delete events: 0

Modification events

(PID 1824) orange.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Operation: write
  Name: ProxyEnable
  Value: 0

(PID 1824) orange.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Operation: write
  Name: SavedLegacySettings
  Value: 4600000056010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

These are the only two write events in the session. ProxyEnable=0 leaves the WinINet proxy disabled, and the flags dword of the SavedLegacySettings blob (0x09 = direct + WPAD auto-detect, with empty proxy-server, bypass-list and PAC-URL strings) says the same. Read together with the "Checks proxy server information" signature, the process picked up the system proxy configuration before its HTTP traffic rather than altering it.
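The SavedLegacySettings value above is a WinINet connection-settings blob, and its meaning is easier to confirm by decoding it than by eyeballing the hex. The following parser is an added example written for this page, not ANY.RUN's code or anything the sample contains. It decodes the documented prefix of the blob (version, change counter, flags, and the three length-prefixed strings); the bytes after that are undocumented and are returned raw, and the constructed blob built by build_connection_settings is only there to show the manual-proxy branch, it is not from the report.

```python
import struct
from dataclasses import dataclass

# WinINet per-connection flag bits (INTERNET_PER_CONN_FLAGS); the flags dword of
# SavedLegacySettings / DefaultConnectionSettings uses the same values.
PROXY_TYPE_DIRECT = 0x1          # always set
PROXY_TYPE_PROXY = 0x2           # manual proxy server configured
PROXY_TYPE_AUTO_PROXY_URL = 0x4  # PAC script configured
PROXY_TYPE_AUTO_DETECT = 0x8     # WPAD auto-detection enabled

# Leading 64 bytes of the SavedLegacySettings value written by orange.exe (PID 1824),
# copied from the report above. The rest of that value is zero padding and is
# dropped here because the parser never reads it.
SAVED_LEGACY_SETTINGS_HEX = (
    "4600000056010000090000000000000000000000000000000400000000000000"
    "C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B"
)


@dataclass
class ConnectionSettings:
    version: int
    counter: int
    flags: int
    proxy_server: str
    bypass_list: str
    autoconfig_url: str
    trailing: bytes  # undocumented tail of the blob, left undecoded

    @property
    def manual_proxy(self) -> bool:
        return bool(self.flags & PROXY_TYPE_PROXY)

    @property
    def autoconfig_script(self) -> bool:
        return bool(self.flags & PROXY_TYPE_AUTO_PROXY_URL)

    @property
    def auto_detect(self) -> bool:
        return bool(self.flags & PROXY_TYPE_AUTO_DETECT)


def parse_connection_settings(blob: bytes) -> ConnectionSettings:
    """Decode the documented prefix of a SavedLegacySettings / DefaultConnectionSettings value.

    Layout: DWORD version (0x46 on Vista and later), DWORD change counter, DWORD flags,
    then three DWORD-length-prefixed ANSI strings: proxy server, bypass list, PAC URL.
    """
    if len(blob) < 12:
        raise ValueError("blob too short for the 12-byte header")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    if not flags & PROXY_TYPE_DIRECT:
        raise ValueError(f"flags {flags:#x} lack PROXY_TYPE_DIRECT; not a connection-settings blob")
    off = 12
    strings = []
    for _ in range(3):
        if off + 4 > len(blob):
            raise ValueError("blob truncated inside the string table")
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("string length runs past the end of the blob")
        strings.append(blob[off:off + n].decode("ascii", errors="replace"))
        off += n
    return ConnectionSettings(version, counter, flags, *strings, blob[off:])


def build_connection_settings(flags, proxy_server="", bypass_list="", autoconfig_url="",
                              counter=1, version=0x46) -> bytes:
    """Inverse of parse_connection_settings for the documented prefix (helper for constructed test blobs)."""
    out = struct.pack("<III", version, counter, flags | PROXY_TYPE_DIRECT)
    for s in (proxy_server, bypass_list, autoconfig_url):
        raw = s.encode("ascii")
        out += struct.pack("<I", len(raw)) + raw
    return out + bytes(32)  # stand-in for the undocumented tail


def describe(settings: ConnectionSettings) -> str:
    modes = ["direct"]
    if settings.manual_proxy:
        modes.append(f"proxy={settings.proxy_server!r} bypass={settings.bypass_list!r}")
    if settings.autoconfig_script:
        modes.append(f"pac={settings.autoconfig_url!r}")
    if settings.auto_detect:
        modes.append("wpad-auto-detect")
    return (f"v{settings.version:#x} counter={settings.counter} "
            f"flags={settings.flags:#x}: " + ", ".join(modes))


if __name__ == "__main__":
    blob = bytes.fromhex(SAVED_LEGACY_SETTINGS_HEX)
    print(describe(parse_connection_settings(blob)))
```

Run against the report's value this prints "v0x46 counter=342 flags=0x9: direct, wpad-auto-detect", which agrees with ProxyEnable=0 above. The same function will show the proxy host when a sample does plant one, which is the case worth alerting on.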
Executable files: 1
Suspicious files: 5
Text files: 0
Unknown types: 0

Dropped files

PID 1824, orange.exe: C:\Users\admin\AppData\Local\VirtualStore\sync-src-1.00.tbz (compressed)
  MD5: 32D24E642E87AFFC9EB692EF4BF97772
  SHA256: 6CD0666EE68849E57E054C6A009366868494C4EC73723F607473375518591496
PID 1824, orange.exe: C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\sync-src-1.00.tbz (compressed)
  MD5: 32D24E642E87AFFC9EB692EF4BF97772
  SHA256: 6CD0666EE68849E57E054C6A009366868494C4EC73723F607473375518591496
PID 1824, orange.exe: C:\Users\admin\AppData\Local\Temp\sync-src-1.00.tbz (compressed)
  MD5: 32D24E642E87AFFC9EB692EF4BF97772
  SHA256: 6CD0666EE68849E57E054C6A009366868494C4EC73723F607473375518591496
PID 1824, orange.exe: C:\Users\admin\AppData\Local\Temp\intrenat.exe (executable)
  MD5: FB1569B5A3266444D676E5F82D6BAC85
  SHA256: 5B7228947B256F36BD98DDE1622799CDA8F7A7AA0F3196ABA08200FE8439DFEE
PID 1824, orange.exe: C:\Users\admin\AppData\Local\VirtualStore\Windows\sync-src-1.00.tbz (compressed)
  MD5: 32D24E642E87AFFC9EB692EF4BF97772
  SHA256: 6CD0666EE68849E57E054C6A009366868494C4EC73723F607473375518591496
PID 1824, orange.exe: C:\Users\admin\sync-src-1.00.tbz (compressed)
  MD5: 32D24E642E87AFFC9EB692EF4BF97772
  SHA256: 6CD0666EE68849E57E054C6A009366868494C4EC73723F607473375518591496

Two points a reader should take from this list. First, the five sync-src-1.00.tbz entries are one file (identical MD5/SHA256) written to five places. Three of them sit under %LOCALAPPDATA%\VirtualStore, which is where UAC file virtualization redirects a medium-integrity legacy process's denied writes to protected locations, mirroring the intended path: the sample tried to write C:\sync-src-1.00.tbz, C:\Windows\sync-src-1.00.tbz and C:\Windows\System32\sync-src-1.00.tbz. That redirection is what the "Creates a writable file in the system directory" signature reports; nothing actually landed in System32. Second, intrenat.exe in %TEMP% carries exactly the hashes of orange.exe: the sample copies itself under a new name.
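Undoing the VirtualStore redirection and matching dropped-file hashes against the sample are routine steps when turning a list like the one above into indicators, so here is an added example that does both over the report's own records. It is written for this page and is not ANY.RUN code; the records are transcribed from the table above, and the VirtualStore path mapping assumes the standard %LOCALAPPDATA%\VirtualStore\<drive-relative path> layout.

```python
from __future__ import annotations

import re
from collections import defaultdict

# SHA256 of the submitted sample, from the report header.
SAMPLE_SHA256 = "5B7228947B256F36BD98DDE1622799CDA8F7A7AA0F3196ABA08200FE8439DFEE"
# SHA256 shared by every sync-src-1.00.tbz copy in the report.
TBZ_SHA256 = "6CD0666EE68849E57E054C6A009366868494C4EC73723F607473375518591496"

# (path, type, sha256) for each file the report lists as dropped by PID 1824.
DROPPED_FILES = [
    (r"C:\Users\admin\AppData\Local\VirtualStore\sync-src-1.00.tbz", "compressed", TBZ_SHA256),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\sync-src-1.00.tbz", "compressed", TBZ_SHA256),
    (r"C:\Users\admin\AppData\Local\Temp\sync-src-1.00.tbz", "compressed", TBZ_SHA256),
    (r"C:\Users\admin\AppData\Local\Temp\intrenat.exe", "executable", SAMPLE_SHA256),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Windows\sync-src-1.00.tbz", "compressed", TBZ_SHA256),
    (r"C:\Users\admin\sync-src-1.00.tbz", "compressed", TBZ_SHA256),
]

# UAC file virtualization stores a redirected write at
# <drive>:\Users\<user>\AppData\Local\VirtualStore\<path relative to the drive root>,
# so stripping that prefix recovers the location the process actually asked for.
_VIRTUALSTORE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\Users\\[^\\]+\\AppData\\Local\\VirtualStore\\(?P<rest>.+)$",
    re.IGNORECASE,
)


def devirtualize(path: str) -> tuple[str, bool]:
    """Return (intended path, was_virtualized) for a dropped-file path."""
    m = _VIRTUALSTORE.match(path)
    if not m:
        return path, False
    return f"{m.group('drive').upper()}:\\{m.group('rest')}", True


def summarize_drops(records, sample_sha256: str) -> dict:
    """Group drops by content hash, undo VirtualStore redirection and flag copies of the sample itself."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    virtualized = 0
    for path, _ftype, sha256 in records:
        intended, redirected = devirtualize(path)
        virtualized += redirected
        by_hash[sha256.upper()].append(intended)
    return {
        "distinct_payloads": len(by_hash),
        "virtualized_writes": virtualized,
        "self_copies": sorted(by_hash.get(sample_sha256.upper(), [])),
        "intended_paths": {h: sorted(paths) for h, paths in by_hash.items()},
    }


if __name__ == "__main__":
    summary = summarize_drops(DROPPED_FILES, SAMPLE_SHA256)
    for digest, paths in summary["intended_paths"].items():
        print(digest[:12], *paths, sep="\n  ")
    print("self-copies:", summary["self_copies"])
    print("writes redirected by UAC virtualization:", summary["virtualized_writes"])
```

The intended paths are the ones to put in a host-based indicator list; the VirtualStore paths are where the forensic copies will actually be found on a medium-integrity host.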
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6,889
TCP/UDP connections: 8,555
DNS requests: 1
Threats: 1,918

HTTP requests

PID  | Process    | Method | HTTP Code | IP               | URL                          | CN | Type | Size   | Reputation
1824 | orange.exe | GET    | 200       | 184.30.21.171:80 | http://www.microsoft.com:80/ | DE | html | 1020 b | unknown

The report lists 10 requests, every one identical to the row above. The session made 6,889 HTTP requests with a single DNS lookup (www.microsoft.com) and a single port-80 peer, so the remainder are repeats of this request: a GET / flood against www.microsoft.com, not a download or a check-in.

Connections

PID  | Process     | IP                  | Domain            | ASN                            | CN | Reputation
1824 | orange.exe  | 184.30.21.171:80    | www.microsoft.com | AKAMAI-AS                      | DE | unknown
4    | System      | 192.168.100.255:137 | -                 | -                              | -  | whitelisted
1824 | orange.exe  | 181.217.155.1:3127  | -                 | Claro NXT Telecomunicacoes Ltda | BR | unknown
1824 | orange.exe  | 44.134.148.1:3127   | -                 | UCSD                           | US | unknown
1824 | orange.exe  | 209.182.150.1:3127  | -                 | -                              | US | unknown
1824 | orange.exe  | 214.108.126.1:3127  | -                 | DNIC-ASBLK-00721-00726         | US | unknown
1824 | orange.exe  | 18.77.243.1:3127    | -                 | -                              | US | unknown
2656 | svchost.exe | 239.255.255.250:1900 | -                | -                              | -  | whitelisted
1824 | orange.exe  | 6.47.2.1:3127       | -                 | DNIC-AS-00749                  | US | unknown
1824 | orange.exe  | 175.229.70.1:3127   | -                 | Korea Telecom                  | KR | unknown

Every orange.exe connection apart from www.microsoft.com goes to the .1 host of an unrelated /24 on TCP 3127, across networks in BR, US and KR, and the session total is 8,555 connections of which the table is a sample: this is a scan of random networks on one fixed port, not command-and-control to a known host. TCP 3127 was the listening port of the MyDoom.A backdoor in early 2004, the same window as the sample's link timestamp (2004-01-27); taken together with the sync-src-1.00.tbz drops and the GET / flood against www.microsoft.com, the behaviour matches what was published for the Doomjuice worm, which spread through that backdoor. That is an inference from the behaviour recorded here, not a verdict the report makes (it records no malware configuration).
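The scanning pattern above is easy to miss in a flat connection list, because each row on its own looks like one ordinary outbound TCP connection. The detector below is an added example written for this page, not ANY.RUN's code: it folds connection records per (pid, process, destination port), counts how many distinct /24 networks each tuple touches, ignores broadcast, multicast and private destinations so LAN chatter such as the NetBIOS and SSDP rows does not count, and reports whether the last octet is fixed, which is the signature of a scanner walking network prefixes. The records are transcribed from the Connections table; the threshold of five networks is an assumption chosen for the example.

```python
import ipaddress
from collections import defaultdict

# (pid, process, destination ip, destination port) transcribed from the Connections
# table above. The report counts 8,555 connections in total, so this is only the
# listed sample.
CONNECTIONS = [
    (1824, "orange.exe", "184.30.21.171", 80),
    (4, "System", "192.168.100.255", 137),
    (1824, "orange.exe", "181.217.155.1", 3127),
    (1824, "orange.exe", "44.134.148.1", 3127),
    (1824, "orange.exe", "209.182.150.1", 3127),
    (1824, "orange.exe", "214.108.126.1", 3127),
    (1824, "orange.exe", "18.77.243.1", 3127),
    (2656, "svchost.exe", "239.255.255.250", 1900),
    (1824, "orange.exe", "6.47.2.1", 3127),
    (1824, "orange.exe", "175.229.70.1", 3127),
]


def find_port_scanners(flows, min_networks: int = 5) -> list:
    """Flag (pid, process, port) tuples that reach many unrelated /24 networks on one port.

    Destinations that are multicast, private or otherwise non-global are skipped so
    local discovery traffic (NetBIOS name service on UDP 137, SSDP on UDP 1900)
    never contributes to the count.
    """
    networks = defaultdict(set)     # key -> set of /24 networks touched
    last_octets = defaultdict(set)  # key -> set of host octets seen
    for pid, process, ip, port in flows:
        addr = ipaddress.ip_address(ip)
        if addr.is_multicast or addr.is_private or not addr.is_global:
            continue
        key = (pid, process, port)
        networks[key].add(ipaddress.ip_network(f"{ip}/24", strict=False))
        last_octets[key].add(int(addr) & 0xFF)

    findings = []
    for key, nets in networks.items():
        if len(nets) < min_networks:
            continue
        octets = last_octets[key]
        findings.append({
            "pid": key[0],
            "process": key[1],
            "port": key[2],
            "distinct_networks": len(nets),
            # A scanner that probes one address per prefix keeps the host part fixed.
            "fixed_last_octet": next(iter(octets)) if len(octets) == 1 else None,
        })
    return sorted(findings, key=lambda f: -f["distinct_networks"])


if __name__ == "__main__":
    for finding in find_port_scanners(CONNECTIONS):
        print(f"pid {finding['pid']} {finding['process']} -> port {finding['port']}: "
              f"{finding['distinct_networks']} distinct /24s, "
              f"fixed last octet {finding['fixed_last_octet']}")
```

On the sample rows this yields one finding, orange.exe to port 3127 across 7 networks with the last octet fixed at 1, while the port-80 traffic to www.microsoft.com, which is many connections to one host, is not flagged. The same per-port, per-prefix counting is what to run over the full PCAP or the endpoint's network telemetry, where the 8,555-connection total will make the pattern far starker.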

DNS requests

Domain
IP
Reputation
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

PID  | Process    | Class         | Message
1824 | orange.exe | Misc activity | ET POLICY Microsoft user-agent automated process response to automated request

The report lists 10 of the 1,918 alerts and all of them are this one ET POLICY rule, which fires on www.microsoft.com's response to a request from an automated client. It is a side effect of the GET / flood, so the threat count measures the volume of that flood; it is not 1,918 distinct detections and it says nothing about the TCP 3127 scanning, which appears only in the connection list.
No debug info