File name: ë.exe

Full analysis: https://app.any.run/tasks/4dd00d70-75c0-49c6-8a7e-375eb2576ede
Verdict: Malicious activity
Analysis date: April 20, 2024, 21:19:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: FA1FBE391E1D35CC0860D5D04720FA95
SHA1: FE4FB440BCDAFFAEAA8A55CEA25AEC6A1CED6223
SHA256: 6035B7BA4A66BDA87BFDDB22E6F182C0D2F3479CAD5A36DD37ABC55EC3833D6C
SSDEEP: 24576:pryvLA0c21FJnBfkw+ZclYnmPoRc9QmwQ9RvfVY7:p2vLzVh+ZclYnmPoK9ZVvO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ë.exe (PID: 548)
    • Disables Windows Defender

      • reg.exe (PID: 452)
    • Changes the autorun value in the registry

      • MBRDestroy.exe (PID: 3244)
    • UAC/LUA settings modification

      • reg.exe (PID: 3808)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ë.exe (PID: 548)
    • Reads security settings of Internet Explorer

      • ë.exe (PID: 548)
    • The executable file from the user directory is run by the CMD process

      • MBRDestroy.exe (PID: 3244)
      • eeee.exe (PID: 2856)
      • melter.exe (PID: 2036)
      • INV.exe (PID: 3072)
      • lines.exe (PID: 1576)
      • glitch.exe (PID: 2432)
    • Executing commands from a ".bat" file

      • ë.exe (PID: 548)
      • cmd.exe (PID: 2416)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2416)
    • Reads the Internet Settings

      • ë.exe (PID: 548)
      • cmd.exe (PID: 2416)
      • cmd.exe (PID: 3080)
    • Starts CMD.EXE for commands execution

      • ë.exe (PID: 548)
      • cmd.exe (PID: 2416)
    • The process executes VB scripts

      • cmd.exe (PID: 2416)
      • cmd.exe (PID: 3080)
    • Application launched itself

      • cmd.exe (PID: 2416)
    • Probably fake Windows Update

      • schtasks.exe (PID: 3084)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 2416)
      • cmd.exe (PID: 2784)
      • cmd.exe (PID: 3080)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2416)
  • INFO

    • Reads the computer name

      • ë.exe (PID: 548)
      • vlc.exe (PID: 2156)
    • Checks supported languages

      • ë.exe (PID: 548)
      • MBRDestroy.exe (PID: 3244)
      • eeee.exe (PID: 2856)
      • lines.exe (PID: 1576)
      • vlc.exe (PID: 2156)
      • INV.exe (PID: 3072)
      • melter.exe (PID: 2036)
      • vlc.exe (PID: 2908)
      • glitch.exe (PID: 2432)
    • Create files in a temporary directory

      • ë.exe (PID: 548)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:11:08 13:12:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 823296
InitializedDataSize: 4096
UninitializedDataSize: 393216
EntryPoint: 0x1292a0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug, Pre-release, Private build
FileOS: Windows 16-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: ë
FileDescription: ë
FileVersion: 1,0,0,0
ProductName: ë
InternalName: ë
ProductVersion: 1,0,0,0
LegalCopyright: 2021
No data.
All screenshots are available in the full report
Total processes: 97
Monitored processes: 46
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Process chain, in start order (entries marked "no specs" in the graph are unmarked here): ë.exe, cmd.exe, reg.exe, reg.exe, reg.exe, mbrdestroy.exe, bcdedit.exe, schtasks.exe, wscript.exe, cmd.exe, timeout.exe, vlc.exe, timeout.exe, cmd.exe, eeee.exe, timeout.exe, timeout.exe, inv.exe, glitch.exe, timeout.exe, wscript.exe, timeout.exe, lines.exe, timeout.exe, wscript.exe, timeout.exe, wscript.exe, timeout.exe, melter.exe, taskkill.exe, taskkill.exe, wscript.exe, timeout.exe, vlc.exe, timeout.exe, wscript.exe, timeout.exe, wscript.exe, timeout.exe, wscript.exe, timeout.exe, wscript.exe, timeout.exe, wscript.exe, timeout.exe, ë.exe

Process information

Each entry lists PID, command line (CMD), image path, indicators and parent process.

PID: 452
CMD: Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 548
CMD: "C:\Users\admin\AppData\Local\Temp\ë.exe"
Path: C:\Users\admin\AppData\Local\Temp\ë.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ë.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 924
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\D790.tmp\m.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1028
CMD: bcdedit /delete {current}
Path: C:\Windows\System32\bcdedit.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1172
CMD: timeout 5 /nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
PID: 1576
CMD: lines.exe
Path: C:\Users\admin\AppData\Local\Temp\D790.tmp\lines.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\d790.tmp\lines.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
PID: 1584
CMD: timeout 6 /nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
PID: 1796
CMD: timeout 6 /nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
PID: 1852
CMD: timeout 6 /nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
PID: 2036
CMD: melter.exe
Path: C:\Users\admin\AppData\Local\Temp\D790.tmp\melter.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\d790.tmp\melter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
Total events: 24 319
Read events: 24 197
Write events: 92
Delete events: 30

Modification events

Process: ë.exe (PID 548)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: ë.exe (PID 548)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: ë.exe (PID 548)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: ë.exe (PID 548)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: reg.exe (PID 3988)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: DisableTaskMgr
Value: 1

Process: reg.exe (PID 3808)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

Process: reg.exe (PID 452)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation: write
Name: DisableAntiSpyware
Value: 1

Process: MBRDestroy.exe (PID 3244)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Windows Update
Value:

Process: MBRDestroy.exe (PID 3244)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Windows Update
Value: C:\Users\admin\AppData\Local\Temp\D790.tmp\MBRDestroy.exe

Process: MBRDestroy.exe (PID 3244)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Windows Update
Value: C:\Users\admin\AppData\Local\Temp\D790.tmp\MBRDestroy.exe
Executable files: 6
Suspicious files: 1
Text files: 8
Unknown types: 0

Dropped files

Each entry lists PID, process, filename and type, with MD5 and SHA256 where the report recorded them.

PID: 3244
Process: MBRDestroy.exe
Filename: \Device\Harddisk0\DR0
MD5:
SHA256:

PID: 2156
Process: vlc.exe
Filename: C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini
MD5:
SHA256:

PID: 2156
Process: vlc.exe
Filename: C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.gq2156
MD5:
SHA256:

PID: 548
Process: ë.exe
Filename: C:\Users\admin\AppData\Local\Temp\D790.tmp\glitch.exe
Type: executable
MD5: 47801F0CF73D320054676A56D0264EDB
SHA256: F25853B17EE25C1DF537CD39BA15A338B92B0812833E3A523AA2F90EFBF766E8

PID: 548
Process: ë.exe
Filename: C:\Users\admin\AppData\Local\Temp\D790.tmp\e.bat
Type: text
MD5: 236707EF3C046A0867770F0522504CC0
SHA256: 7EFD9B5B48715D79A30A5EC783CC111FA794C92FDE8365F34CEEA5759FB4C5CF

PID: 2156
Process: vlc.exe
Filename: C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.Hp2156
Type: ini
MD5: 81E8396F21B806BC804A3696627AF7E1
SHA256: 283A3DA5D46F06802D70BC49437BFEFD5BF608CB867788CA5E08323C683F8133

PID: 548
Process: ë.exe
Filename: C:\Users\admin\AppData\Local\Temp\D790.tmp\glitchsound.mp3
Type: mp3
MD5: 488B6E1536B1C43CBE9C9EA911D5A7DF
SHA256: B14A16F7A4B36525390F5471B250B130A22DE50032792D43E84A792BA516F828

PID: 2416
Process: cmd.exe
Filename: C:\Users\admin\AppData\Local\Temp\D790.tmp\note.vbs
Type: text
MD5: A481693A2E4C670B6436AA07B557703E
SHA256: AF9A7717841CF75AE7BFD5E67FA958FA4D9663E2B50F0B43D26F6F814507D8DB

PID: 548
Process: ë.exe
Filename: C:\Users\admin\AppData\Local\Temp\D790.tmp\lines.exe
Type: executable
MD5: 50CAEEE44DC92A147CF95FD82EB6E299
SHA256: 81B9A2E3E9EE39F05B585AD871696A946837FCF784D3D4ECD4B9CAEA16560A1E

PID: 548
Process: ë.exe
Filename: C:\Users\admin\AppData\Local\Temp\D790.tmp\INV.exe
Type: executable
MD5: E079C468C9CAED494623DBF95E9CE5E8
SHA256: 8E217CE5670AC1021FDB6101372F9322F7FF82481ECD9BADC104FF542E46128C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

Columns: PID, process, IP, domain, ASN, CN, reputation. The domain, ASN and CN columns are empty for every connection in the report.

PID 4, System, 192.168.100.255:138, reputation: whitelisted
PID 4, System, 192.168.100.255:137, reputation: whitelisted
(no PID or process recorded), 224.0.0.252:5355, reputation: unknown
PID 1080, svchost.exe, 224.0.0.252:5355, reputation: unknown

DNS requests

No data

Threats

No threats detected
Debug output (process: message)

vlc.exe: main libvlc debug: revision 3.0.11-0-gdc0c5ced72
vlc.exe: main libvlc debug: configured with ../extras/package/win32/../../../configure '--enable-update-check' '--enable-lua' '--enable-faad' '--enable-flac' '--enable-theora' '--enable-avcodec' '--enable-merge-ffmpeg' '--enable-dca' '--enable-mpc' '--enable-libass' '--enable-schroedinger' '--enable-realrtsp' '--enable-live555' '--enable-dvdread' '--enable-shout' '--enable-goom' '--enable-caca' '--enable-qt' '--enable-skins2' '--enable-sse' '--enable-mmx' '--enable-libcddb' '--enable-zvbi' '--disable-telx' '--enable-nls' '--host=i686-w64-mingw32' '--with-breakpad=https://win.crashes.videolan.org' 'host_alias=i686-w64-mingw32' 'PKG_CONFIG_LIBDIR=/home/jenkins/workspace/vlc-release/windows/vlc-release-win32-x86/contrib/i686-w64-mingw32/lib/pkgconfig'
vlc.exe: main libvlc debug: searching plug-in modules
vlc.exe: main libvlc debug: using multimedia timers as clock source
vlc.exe: main libvlc debug: min period: 1 ms, max period: 1000000 ms
vlc.exe: main libvlc debug: Copyright © 1996-2020 the VideoLAN team
vlc.exe: main libvlc debug: loading plugins cache file C:\Program Files\VideoLAN\VLC\plugins\plugins.dat
vlc.exe: main libvlc debug: VLC media player - 3.0.11 Vetinari
vlc.exe: main libvlc debug: recursively browsing `C:\Program Files\VideoLAN\VLC\plugins'
vlc.exe: main libvlc error: stale plugins cache: modified C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_imem_plugin.dll