File name: SysInternals[1].exe
Full analysis: https://app.any.run/tasks/be63d445-97b6-40fd-ae05-9816c1e404dd
Verdict: Malicious activity
Analysis date: January 04, 2024, 07:29:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5: D1A27B871A86C5371215F71885862CFF
SHA1: FA1002B02FC5551E075EC44BB4FF9CC13D563DCF
SHA256: 72E6D1728A546C2F3EE32C063ED09FA6BA8C46AC33B0DD2E354087C1AD26EF48
SSDEEP: 384:2N8wZM3bOjP2p7INtIBPEyEr/urrrDp7VbbFaDrrrfOqvspSDwGmU/IQGFETP:2N8wZMG2p7INwDo9wGd/S6TP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the Internet Settings

      • SysInternals[1].exe (PID: 2040)
    • Checks Windows Trust Settings

      • SysInternals[1].exe (PID: 2040)
    • Reads settings of System Certificates

      • SysInternals[1].exe (PID: 2040)
    • Starts CMD.EXE for commands execution

      • SysInternals[1].exe (PID: 2040)
    • Reads security settings of Internet Explorer

      • SysInternals[1].exe (PID: 2040)
  • INFO

    • Reads the computer name

      • SysInternals[1].exe (PID: 2040)
    • Checks supported languages

      • SysInternals[1].exe (PID: 2040)
    • Checks proxy server information

      • SysInternals[1].exe (PID: 2040)
    • Reads the machine GUID from the registry

      • SysInternals[1].exe (PID: 2040)
    • Drops the executable file immediately after the start

      • SysInternals[1].exe (PID: 2040)
    • Creates files or folders in the user directory

      • SysInternals[1].exe (PID: 2040)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:11:18 20:09:04+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.24
CodeSize: 4096
InitializedDataSize: 53248
UninitializedDataSize: -
EntryPoint: 0x1483
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 2.0.0.1
ProductVersionNumber: 2.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: SysInternals, Inc.
FileDescription: SysInternals Suite Downloader
FileVersion: 2.0.0.1
InternalName: SysInternals.exe
LegalCopyright: Copyright (C) 2020
OriginalFileName: SysInternals.exe
ProductName: SysInternals Suite Downloader
ProductVersion: 2.0.0.1
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> sysinternals[1].exe -> cmd.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
1608 | "C:\Windows\System32\cmd.exe" /C c:\Windows\vmtoolsIO.exe -install && net start VMwareIOHelperService && sc config VMwareIOHelperService start= auto | C:\Windows\System32\cmd.exe | | SysInternals[1].exe

User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID | CMD | Path | Indicators | Parent process
2040 | "C:\Users\admin\AppData\Local\Temp\SysInternals[1].exe" | C:\Users\admin\AppData\Local\Temp\SysInternals[1].exe | | explorer.exe

User: admin
Company: SysInternals, Inc.
Integrity Level: MEDIUM
Description: SysInternals Suite Downloader
Exit code: 0
Version: 2.0.0.1

Modules / Images:
c:\users\admin\appdata\local\temp\sysinternals[1].exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events: 3 641
Read events: 3 602
Write events: 39
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(2040) SysInternals[1].exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | write | ProxyEnable | 0
(2040) SysInternals[1].exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | write | SavedLegacySettings | 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(2040) SysInternals[1].exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
(2040) SysInternals[1].exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
(2040) SysInternals[1].exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
(2040) SysInternals[1].exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
(2040) SysInternals[1].exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
(2040) SysInternals[1].exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
(2040) SysInternals[1].exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
(2040) SysInternals[1].exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff | write | WpadDecisionReason | 1
Executable files: 0
Suspicious files: 10
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2040 | SysInternals[1].exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\Hex2Dec[1].zip | compressed
MD5: A8EA74C54DE2A885530A4BFFDEE761B7
SHA256: 88B4D4DC34855C0171A53B12A626F349E3F72FB4F07EDB4FEA906AD02D42DAB8
2040 | SysInternals[1].exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\LSC94546.txt | text
MD5: 5894618B838A071F2C7F2993500DDD6D
SHA256: 862FE776B99E4BCF54872E53BCFDEEDAC84D83FD54053B2FBD7BD9851369D5A1
2040 | SysInternals[1].exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\SNVS0BVC.txt | text
MD5: 9BCADF2A16218C588C3241AF61A50AEB
SHA256: B6D29456341BB6E0ED8DA68FD194F1F8172103AB7EC5A66F61BFD994554A71E5
2040 | SysInternals[1].exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed
MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
2040 | SysInternals[1].exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | binary
MD5: 0D087361FC8ACF6D56F533377106E0A7
SHA256: 3A28348110311D1DBE0D5B8608DC66151E09B7E49BBB4D0A703773D731C83685
2040 | SysInternals[1].exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\16280E6FC79D9D4E1842E666383C9869_A65A852766F529558A3A0E882FB2B3A9 | binary
MD5: 795953A2504C3085CA52C56119970D7A
SHA256: C3D4EF8E45E1B91B5880257BB8EA1A9B4BA8683E3BBF3A1675F9C011DD40ADD6
2040 | SysInternals[1].exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\16280E6FC79D9D4E1842E666383C9869_A65A852766F529558A3A0E882FB2B3A9 | binary
MD5: 46ADE4DD8CEB8FA0A6EBA73CA60E75FE
SHA256: B3A4152A3C0A57FDD5E706BFBBBF852598FDA34509EB315FB0BFEEBF0B5B331A
2040 | SysInternals[1].exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
MD5: 946F14962ABF388761E22C3E8999000E
SHA256: D84341823DFE8A6455DDF0449872D0366EAE8EE5FABDAB91FB4A7EFC36BD7639
2040 | SysInternals[1].exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | der
MD5: 59E29215514B5EFADC81D661C7E7D656
SHA256: F6B7453209CEA3B161E9143B225F857FF72C1CB53B648A69D122BAF52870B0B7
2040 | SysInternals[1].exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_D84AA834FA79E192D6B55D4ECAAD497F | binary
MD5: 7684C4BACCE7CF6802B20094298695DC
SHA256: 05BC29BADD3A1A42A8AF90F61011E67B647F831EAA3716DE110642F960BAD9EB
HTTP(S) requests: 7
TCP/UDP connections: 15
DNS requests: 9
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2040 | SysInternals[1].exe | GET | 302 | 142.250.185.68:80 | http://www.google.com/ | unknown | html | 396 b | unknown
2040 | SysInternals[1].exe | GET | 429 | 142.250.185.68:80 | http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS11q0kGMi82awGIjDvJiAlUvBZv2pcerep3ks36GhPQtb2CfXhYo7imnBYTLR3DlAvvshFR3Rz1mwFpiYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM | unknown | html | 2.98 Kb | unknown
2040 | SysInternals[1].exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?65c6d7bded09c2b4 | unknown | compressed | 4.66 Kb | unknown
2040 | SysInternals[1].exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAFSnug2jwtdcrpDPi2Opi0%3D | unknown | binary | 314 b | unknown
2040 | SysInternals[1].exe | GET | 200 | 204.79.197.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRlkT5W%2BtMH%2Bxv1CiAFsstRTacrLwQUcuCWoVHqMAxYtfUZq5p8zZdVEC4CEzMAAAIuWwG3GJku0kUAAAAAAi4%3D | unknown | binary | 973 b | unknown
2040 | SysInternals[1].exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown
1080 | svchost.exe | GET | 304 | 23.216.77.72:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1b8fee253118cbef | unknown | | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
2040 | SysInternals[1].exe | 142.250.185.68:80 | www.google.com | GOOGLE | US | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
2040 | SysInternals[1].exe | 23.212.219.86:443 | docs.microsoft.com | AKAMAI-AS | AU | unknown
2040 | SysInternals[1].exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
2040 | SysInternals[1].exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
2040 | SysInternals[1].exe | 204.79.197.203:80 | oneocsp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2040 | SysInternals[1].exe | 23.52.121.26:443 | learn.microsoft.com | AKAMAI-AS | DE | unknown
2040 | SysInternals[1].exe | 152.199.19.160:443 | download.sysinternals.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
www.google.com | 142.250.185.68 | whitelisted
docs.microsoft.com | 23.212.219.86 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240, 23.216.77.72, 23.216.77.66 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
oneocsp.microsoft.com | 204.79.197.203 | whitelisted
learn.microsoft.com | 23.52.121.26 | whitelisted
www.malware430.com | | unknown
download.sysinternals.com | 152.199.19.160 | whitelisted

Threats

PID | Process | Class | Message
2040 | SysInternals[1].exe | A Network Trojan was detected | ET HUNTING Suspicious UA (^IE[ds])
2040 | SysInternals[1].exe | A Network Trojan was detected | ET HUNTING Suspicious UA (^IE[ds])
No debug info