File name: 20240726@j.exe

Full analysis: https://app.any.run/tasks/f062fc3a-8b25-4f8d-93d8-8ab6d3383efb
Verdict: Malicious activity
Analysis date: July 27, 2024, 17:53:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
websocket
vmprotect
upx
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: F5E1F0602042C8357905C474019A1889
SHA1: 45BCE2BFF3D905235BCD3B158A6761320D72A2C2
SHA256: 6A6AC7D5693B7016F07B60646C5DE9C503D4EE7F0676F0927742DF2E340A4E83
SSDEEP: 98304:fi2z1YmXJBwxiu33cseut7IizbYjB4kpMc8tX2sqmsTT4f0Yj5DSTfXE7qYjt7zx:K9Znc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 20240726@j.exe (PID: 7480)
      • cmd.exe (PID: 3188)
      • Client.exe (PID: 4808)
    • UAC/LUA settings modification

      • reg.exe (PID: 8144)
  • SUSPICIOUS

    • Mutex name with non-standard characters

      • 20240726@j.exe (PID: 7480)
      • Client.exe (PID: 4808)
    • Reads security settings of Internet Explorer

      • 20240726@j.exe (PID: 7480)
      • ShellExperienceHost.exe (PID: 7208)
    • Reads the date of Windows installation

      • 20240726@j.exe (PID: 7480)
    • Starts CMD.EXE for commands execution

      • 20240726@j.exe (PID: 7480)
      • Client.exe (PID: 4808)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 3188)
      • 20240726@j.exe (PID: 7480)
      • Client.exe (PID: 4808)
    • Suspicious use of NETSH.EXE

      • 20240726@j.exe (PID: 7480)
    • Executing commands from a ".bat" file

      • 20240726@j.exe (PID: 7480)
    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 7748)
      • cmd.exe (PID: 7268)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 8064)
    • Connects to unusual port

      • Client.exe (PID: 4808)
    • There is functionality for communication over UDP network (YARA)

      • Client.exe (PID: 4808)
  • INFO

    • Creates files in the program directory

      • 20240726@j.exe (PID: 7480)
      • cmd.exe (PID: 3188)
      • Client.exe (PID: 4808)
    • Checks supported languages

      • 20240726@j.exe (PID: 7480)
      • ShellExperienceHost.exe (PID: 7208)
      • Client.exe (PID: 4808)
    • Process checks computer location settings

      • 20240726@j.exe (PID: 7480)
    • Reads the computer name

      • 20240726@j.exe (PID: 7480)
      • ShellExperienceHost.exe (PID: 7208)
      • Client.exe (PID: 4808)
    • Creates files or folders in the user directory

      • 20240726@j.exe (PID: 7480)
    • Reads CPU info

      • Client.exe (PID: 4808)
    • Attempting to connect via WebSocket

      • Client.exe (PID: 4808)
    • Reads security settings of Internet Explorer

      • mmc.exe (PID: 7192)
    • Checks proxy server information

      • slui.exe (PID: 5532)
    • Reads the software policy settings

      • slui.exe (PID: 5532)
    • VMProtect protector has been detected

      • Client.exe (PID: 4808)
    • UPX packer has been detected

      • Client.exe (PID: 4808)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (46.3)
.exe | Win64 Executable (generic) (41)
.exe | Win32 Executable (generic) (6.6)
.exe | Generic Win/DOS Executable (2.9)
.exe | DOS Executable Generic (2.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:07:26 13:29:22+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 9
CodeSize: 255488
InitializedDataSize: 5700608
UninitializedDataSize: -
EntryPoint: 0x2a718
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
No data.
All screenshots are available in the full report
Total processes: 154
Monitored processes: 21
Malicious processes: 2
Suspicious processes: 2

Behavior graph

start 20240726@j.exe cmd.exe no specs conhost.exe no specs ipconfig.exe no specs netsh.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs shellexperiencehost.exe no specs cmd.exe conhost.exe no specs mmc.exe no specs THREAT client.exe cmd.exe no specs conhost.exe no specs ipconfig.exe no specs slui.exe 20240726@j.exe no specs

Process information

PID | CMD | Path | Indicators | Parent process
PID 208 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 2432 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 3188 | CMD: "C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\ricka\v2E9L@j\v + C:\ProgramData\ricka\v2E9L@j\b C:\ProgramData\ricka\v2E9L@j\ClientModule.dll | Path: C:\Windows\System32\cmd.exe | Parent process: 20240726@j.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID 4808 | CMD: "C:\ProgramData\ricka\v2E9L@j\Client.exe" | Path: C:\ProgramData\ricka\v2E9L@j\Client.exe | Parent process: mmc.exe
User: admin
Company: 深圳市恒酷科技有限公司
Integrity Level: HIGH
Description: 天舞吧视频聊天平台 (Tianwuba video chat platform)
Version: 5.0.1.1
Modules (Images):
c:\programdata\ricka\v2e9l@j\client.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID 5532 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID 7192 | CMD: C:\WINDOWS\system32\mmc.exe -Embedding | Path: C:\Windows\System32\mmc.exe | Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Management Console
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID 7208 | CMD: "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca | Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Shell Experience Host
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (Images):
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
PID 7268 | CMD: C:\WINDOWS\system32\cmd.exe /c ipconfig /all | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: Client.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 7388 | CMD: "C:\Users\admin\AppData\Local\Temp\20240726@j.exe" | Path: C:\Users\admin\AppData\Local\Temp\20240726@j.exe | Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (Images):
c:\users\admin\appdata\local\temp\20240726@j.exe
c:\windows\system32\ntdll.dll
PID 7396 | CMD: ipconfig /all | Path: C:\Windows\SysWOW64\ipconfig.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: IP Configuration Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 10 198
Read events: 10 175
Write events: 23
Delete events: 0

Modification events

Process: (7480) 20240726@j.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
Process: (7480) 20240726@j.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
Process: (7480) 20240726@j.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
Process: (7480) 20240726@j.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
Process: (7480) 20240726@j.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | Operation: write | Name: C:\WINDOWS\System32\cmd.exe.FriendlyAppName | Value: Windows Command Processor
Process: (7480) 20240726@j.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | Operation: write | Name: C:\WINDOWS\System32\cmd.exe.ApplicationCompany | Value: Microsoft Corporation
Process: (8124) reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Operation: write | Name: ConsentPromptBehaviorAdmin | Value: 0
Process: (8144) reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Operation: write | Name: EnableLUA | Value: 0
Process: (8168) reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Operation: write | Name: PromptOnSecureDesktop | Value: 0
Process: (7208) ShellExperienceHost.exe | Key: \REGISTRY\A\{be528cfd-612d-511a-fe51-5be4db2468e1}\LocalState | Operation: write | Name: PeekBadges | Value: 5B005D000000F12217DD4DE0DA01
Executable files: 7
Suspicious files: 3
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7480 | 20240726@j.exe | C:\ProgramData\ricka\v2E9L@j\PX.TXT | binary
MD5: 3005E88FB7D55D32DA7C6F3C2A18498E
SHA256: FC30C532756489B3CCC5E2B0F61FF143AA4AB5E88F3869450618AD1A3D05B2A5
7480 | 20240726@j.exe | C:\ProgramData\ricka\v2E9L@j\VMProtectSDK32.dll | executable
MD5: 460839680454DAA5DD1B8E83924D7A1E
SHA256: 097FFB217EC1E2C305456BBB5822EB4F4C9DD19A6EF09816ED8AC7F19DA08C89
3188 | cmd.exe | C:\ProgramData\ricka\v2E9L@j\ClientModule.dll | executable
MD5: F5BA22F3EB817FD5C23DC5F114DCF79C
SHA256: 40D913C97E44E647AE101A71651EDD16A13200B81E2ADC4D06213F15F334365E
7480 | 20240726@j.exe | C:\ProgramData\ricka\v2E9L@j\v | executable
MD5: 8561FC9E2B037DA751152490A40A3CC7
SHA256: CCD67B5ABD5916BA66C2669AB443CCC1D9B583566C9786CB988BBBF06B3D5A44
7480 | 20240726@j.exe | C:\ProgramData\ricka\v2E9L@j\b | binary
MD5: 9D293F0C66F851D1A602F50DF683CD99
SHA256: 3B22ECA15E2D63A8CB6F7950EA43F3DAEA2A07CEE67BA2AC1B71342B915154EA
7480 | 20240726@j.exe | C:\Users\admin\AppData\Roaming\fcg4h.bat | text
MD5: 30D6EB22D6AEEC10347239B17B023BF4
SHA256: 659DF6B190A0B92FC34E3A4457B4A8D11A26A4CAF55DE64DFE79EB1276181F08
7480 | 20240726@j.exe | C:\ProgramData\ricka\v2E9L@j\Client.exe | executable
MD5: A13C4AFD2B44544D8950F167FE6E766A
SHA256: 0A2E1C6A3D6DE252454795BD766E8040FC055A197539836686C71B8D2D320C2F
4808 | Client.exe | C:\Users\admin\Videos\E652BE8@j\ClientModule.dll | executable
MD5: F5BA22F3EB817FD5C23DC5F114DCF79C
SHA256: 40D913C97E44E647AE101A71651EDD16A13200B81E2ADC4D06213F15F334365E
4808 | Client.exe | C:\Users\admin\Videos\E652BE8@j\VMProtectSDK32.dll | executable
MD5: 460839680454DAA5DD1B8E83924D7A1E
SHA256: 097FFB217EC1E2C305456BBB5822EB4F4C9DD19A6EF09816ED8AC7F19DA08C89
4808 | Client.exe | C:\Users\admin\Videos\E652BE8@j\PX.TXT | binary
MD5: 3005E88FB7D55D32DA7C6F3C2A18498E
SHA256: FC30C532756489B3CCC5E2B0F61FF143AA4AB5E88F3869450618AD1A3D05B2A5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 43
DNS requests: 25
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4424 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
3676 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
5864 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
4808 | Client.exe | GET | 101 | 143.92.61.34:15628 | http://143.92.61.34:15628/\ | unknown | unknown
4132 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 92.123.104.6:443 | www.bing.com | Akamai International B.V. | DE | unknown
3992 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
| | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4424 | svchost.exe | 40.126.31.69:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4424 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
t-ring-fdv2.msedge.net
  • 13.107.237.254
unknown
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
www.bing.com
  • 92.123.104.6
  • 92.123.104.31
  • 92.123.104.21
  • 92.123.104.34
  • 92.123.104.40
  • 92.123.104.11
  • 92.123.104.33
  • 92.123.104.19
  • 92.123.104.7
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted
google.com
  • 142.251.140.14
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.0
  • 20.190.159.68
  • 20.190.159.75
  • 20.190.159.64
  • 20.190.159.73
  • 20.190.159.4
  • 40.126.31.71
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.103.199
whitelisted
fp-afd-nocache-ccp.azureedge.net
  • 13.107.246.45
whitelisted

Threats

PID | Process | Class | Message
4808 | Client.exe | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
4808 | Client.exe | Generic Protocol Command Decode | SURICATA HTTP Request line incomplete
No debug info