File name: din.exe
Full analysis: https://app.any.run/tasks/5ad91303-17a1-413a-b8ba-bf41509ee4b8
Verdict: Malicious activity
Threats:

Stealers are malware built to gain unauthorized access to a user's information and exfiltrate it to the attacker. The category covers programs that each target a particular kind of data, such as files, saved credentials and cryptocurrency wallets. Stealers can also spy on their victims by logging keystrokes and taking screenshots. This type of malware is distributed mainly through phishing campaigns.

Analysis date: December 27, 2024, 06:11:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
telegram
phishing
stealer
autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: CE76B7CDA29A7EA80917E5844A7FCA42
SHA1: C9A7EEB65056F6743B3A43CA0A7010743003191F
SHA256: 88BCED6D92559B9EA1974FD4329868E68C104EB58A976D65B9DF8AF32BBD2400
SSDEEP: 49152:YJQdT6LdMACVy6hULHf/4Y2UsSoFsu2jw9B3aFtaUtd3z2BJowi0oo05O3mOu7zw:YJXCRUru75FQxt7d3Kzi0oTA3mT7zH6R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • din.exe (PID: 5532)
    • AutoIt loader has been detected (YARA)

      • Centered.com (PID: 6160)
    • PHISHING has been detected (SURICATA)

      • svchost.exe (PID: 2192)
    • Actions looks like stealing of personal data

      • Centered.com (PID: 6160)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • din.exe (PID: 5532)
      • Centered.com (PID: 6160)
    • Get information on the list of running processes

      • cmd.exe (PID: 4548)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 4548)
    • Executing commands from ".cmd" file

      • din.exe (PID: 5532)
    • Application launched itself

      • cmd.exe (PID: 4548)
    • Starts CMD.EXE for commands execution

      • din.exe (PID: 5532)
      • cmd.exe (PID: 4548)
    • The executable file from the user directory is run by the CMD process

      • Centered.com (PID: 6160)
    • Starts application with an unusual extension

      • cmd.exe (PID: 4548)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 4548)
    • Checks Windows Trust Settings

      • Centered.com (PID: 6160)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Centered.com (PID: 6160)
  • INFO

    • Reads the computer name

      • din.exe (PID: 5532)
      • Centered.com (PID: 6160)
    • The process uses the downloaded file

      • din.exe (PID: 5532)
    • Checks supported languages

      • din.exe (PID: 5532)
      • Centered.com (PID: 6160)
    • Process checks computer location settings

      • din.exe (PID: 5532)
    • Create files in a temporary directory

      • din.exe (PID: 5532)
    • Creates a new folder

      • cmd.exe (PID: 5472)
    • Reads mouse settings

      • Centered.com (PID: 6160)
    • Checks proxy server information

      • Centered.com (PID: 6160)
    • Reads the software policy settings

      • Centered.com (PID: 6160)
    • Reads the machine GUID from the registry

      • Centered.com (PID: 6160)
    • Creates files in the program directory

      • Centered.com (PID: 6160)
    • Creates files or folders in the user directory

      • Centered.com (PID: 6160)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:20:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 29696
InitializedDataSize: 857088
UninitializedDataSize: 16896
EntryPoint: 0x38af
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
Screenshots

All screenshots are available in the full report
Total processes
139
Monitored processes
13
Malicious processes
4
Suspicious processes
0

Behavior graph

Processes in the graph, in the order shown (ANY.RUN marks a process that has no signature details of its own as "no specs"):
din.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), findstr.exe (no specs), tasklist.exe (no specs), findstr.exe (no specs), cmd.exe (no specs), findstr.exe (no specs), cmd.exe (no specs), centered.com, choice.exe (no specs), svchost.exe (#PHISHING)

choice.exe appears in the graph but has no row in the process list below.

Process information

PID
CMD
Path
Indicators
Parent process
PID:
556
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1328
CMD:
tasklist
Path:
C:\Windows\SysWOW64\tasklist.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
2192
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
3188
CMD:
cmd /c copy /b ..\Gc + ..\Large + ..\Rights + ..\Becomes I
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
3544
CMD:
findstr /V "cache" Bulgaria
Path:
C:\Windows\SysWOW64\findstr.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
4076
CMD:
findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Path:
C:\Windows\SysWOW64\findstr.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
4548
CMD:
"C:\Windows\System32\cmd.exe" /c copy Appreciated Appreciated.cmd & Appreciated.cmd
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
din.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
5392
CMD:
findstr /I "opssvc wrsa"
Path:
C:\Windows\SysWOW64\findstr.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
5472
CMD:
cmd /c md 322891
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
5532
CMD:
"C:\Users\admin\AppData\Local\Temp\din.exe"
Path:
C:\Users\admin\AppData\Local\Temp\din.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\din.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
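The command lines in these rows form a recognisable chain: din.exe copies a dropped file to a .cmd name and runs it in the same command; the script runs tasklist and findstr with a list of security-product process names (exit code 1 on both findstr calls means no match, i.e. none of those products were running); a second cmd.exe rebuilds a payload with copy /b; and a .com binary is started out of the user's Temp directory. As an added example that is not part of the ANY.RUN report, the Python below turns those four observations into detection rules, runs them over constructed process-creation events modelled on the rows above, and then scores the whole process tree so that an alert fires only when several stages are seen under one root. The event schema, the parent PIDs, and the path and command line of Centered.com (which the report shows only by name and PID) are assumptions; map the fields to your EDR or Sysmon Event ID 1 schema.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    parent_pid: int
    image: str          # full path of the created process
    parent_image: str
    cmdline: str


# Constructed process-creation events modelled on the rows in the report above.
# Parent PIDs and the Centered.com path/command line are assumptions; the report
# shows only the PIDs, images and command lines quoted earlier.
TEMP = r"C:\Users\admin\AppData\Local\Temp"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    ProcEvent(5532, 1234, TEMP + r"\din.exe", r"C:\Windows\explorer.exe", '"' + TEMP + r'\din.exe"'),
    ProcEvent(4548, 5532, CMD, TEMP + r"\din.exe",
              r'"C:\Windows\System32\cmd.exe" /c copy Appreciated Appreciated.cmd & Appreciated.cmd'),
    ProcEvent(1328, 4548, r"C:\Windows\SysWOW64\tasklist.exe", CMD, "tasklist"),
    ProcEvent(3544, 4548, r"C:\Windows\SysWOW64\findstr.exe", CMD, 'findstr /V "cache" Bulgaria'),
    ProcEvent(4076, 4548, r"C:\Windows\SysWOW64\findstr.exe", CMD,
              'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'),
    ProcEvent(5392, 4548, r"C:\Windows\SysWOW64\findstr.exe", CMD, 'findstr /I "opssvc wrsa"'),
    ProcEvent(3188, 4548, CMD, CMD, r"cmd /c copy /b ..\Gc + ..\Large + ..\Rights + ..\Becomes I"),
    ProcEvent(5472, 4548, CMD, CMD, "cmd /c md 322891"),
    ProcEvent(6160, 4548, TEMP + r"\322891\Centered.com", CMD, "Centered.com I"),  # assumed path/cmdline
    # Benign control: an administrator grepping a log must not trip the AV-probe rule.
    ProcEvent(7001, 7000, r"C:\Windows\System32\findstr.exe", r"C:\Windows\System32\cmd.exe",
              r'findstr /I "error" C:\logs\app.log'),
]

# Process names the loader greps for (taken from the findstr command lines above).
AV_PROCESS_NAMES = {"avastui", "avgui", "bdservicehost", "nswscsvc", "ekrn",
                    "sophoshealth", "opssvc", "wrsa"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_findstr_av_probe(ev: ProcEvent) -> bool:
    """findstr.exe invoked with two or more known security-product process names."""
    if image_name(ev.image) != "findstr.exe":
        return False
    tokens = {t.strip('"').lower() for t in ev.cmdline.split()}
    return len(tokens & AV_PROCESS_NAMES) >= 2


def rule_copy_b_reassembly(ev: ProcEvent) -> bool:
    """cmd.exe concatenating three or more fragments with 'copy /b a + b + c out'."""
    return image_name(ev.image) == "cmd.exe" and \
        re.search(r"copy\s+/b\s+\S+(?:\s*\+\s*\S+){2,}", ev.cmdline, re.I) is not None


def rule_cmd_rename_and_run(ev: ProcEvent) -> bool:
    """'copy X X.cmd & X.cmd': an extension-less dropped file turned into a script and run."""
    return image_name(ev.image) == "cmd.exe" and \
        re.search(r"copy\s+(\S+)\s+\1\.cmd\s*&\s*\1\.cmd", ev.cmdline, re.I) is not None


def rule_unusual_ext_from_user_dir(ev: ProcEvent) -> bool:
    """cmd.exe launching a .com/.pif/.scr binary out of a user-writable directory."""
    return ev.image.lower().endswith((".com", ".pif", ".scr")) \
        and USER_WRITABLE.search(ev.image) is not None \
        and image_name(ev.parent_image) == "cmd.exe"


RULES = {
    "findstr_av_probe": rule_findstr_av_probe,
    "copy_b_reassembly": rule_copy_b_reassembly,
    "cmd_rename_and_run": rule_cmd_rename_and_run,
    "unusual_ext_from_user_dir": rule_unusual_ext_from_user_dir,
}


def evaluate(events):
    """(pid, rule_name) for every event that matches a rule."""
    return [(ev.pid, name) for ev in events for name, rule in RULES.items() if rule(ev)]


def chain_rules(events, root_pid):
    """Distinct rules that fired anywhere in the process tree rooted at root_pid."""
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev.parent_pid, []).append(ev)
    subtree = [ev for ev in events if ev.pid == root_pid]
    stack = [root_pid]
    while stack:
        pid = stack.pop()
        for child in by_parent.get(pid, []):
            subtree.append(child)
            stack.append(child.pid)
    return {name for ev in subtree for name, rule in RULES.items() if rule(ev)}


def is_autoit_loader_chain(events, root_pid, threshold=3):
    """Alert only when several independent stages are seen under one root process."""
    return len(chain_rules(events, root_pid)) >= threshold


if __name__ == "__main__":
    for pid, name in evaluate(EVENTS):
        print(f"PID {pid}: {name}")
    print("chain verdict for din.exe (5532):", is_autoit_loader_chain(EVENTS, 5532))
```

Each rule on its own is noisy (copy /b and .com files have legitimate uses); the tree-level threshold is what makes the verdict usable, and it is also what survives the random file names, which change between samples while the stage structure does not.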
Total events
1 378
Read events
1 375
Write events
3
Delete events
0

Modification events

(PID) Process: (6160) Centered.com
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty string)

(PID) Process: (6160) Centered.com
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6160) Centered.com
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

These three values ("", "Cookie:" and "Visited:") are the standard WinINet cache-container prefixes that the library writes when a process first initialises it, so they indicate that Centered.com performs its network activity through WinINet rather than being evidence of tampering with Internet Explorer settings.
Executable files
0
Suspicious files
19
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
5532 din.exe
Filename: C:\Users\admin\AppData\Local\Temp\Becomes
Type: binary
MD5: 6D7407741F7BC4D14B1A165CAE065EAE
SHA256: 5AF440AFD27D24086571B7F38985B3F3B53B1EBF9C726F247A498AB59AC0EB52

5532 din.exe
Filename: C:\Users\admin\AppData\Local\Temp\Changing
Type: binary
MD5: 20B321CDCBBDDE96DBA00A2FBD8D5E19
SHA256: 8A2872987492498E61CFD5AED3C742340D0952FF7F059496F068D1CB834EE085

5532 din.exe
Filename: C:\Users\admin\AppData\Local\Temp\Gc
Type: binary
MD5: 3D808EB22EF8125F2977E8C9DEE7CBF4
SHA256: D30DF2A6AF6CF7E41C9BDEDAA5F2EF26D8A5B60E083084BD346552B5FF9C8B67

5532 din.exe
Filename: C:\Users\admin\AppData\Local\Temp\Bulgaria
Type: binary
MD5: 1D5C9309802807FDA7F567C0EB99C511
SHA256: B3D39CC1EBF070F3EAC4C6922A64E4B689D527FDC98D4D8B005BB1E54636ACD0

5532 din.exe
Filename: C:\Users\admin\AppData\Local\Temp\Prizes
Type: binary
MD5: 3E942AAC4A2AE891334E575E5C56AF2D
SHA256: AE3AB1F2DA012D59FF620AF33313879A0F1A2EBB2E6E4CA2B0FDE7E2D8917CAA

5532 din.exe
Filename: C:\Users\admin\AppData\Local\Temp\Durable
Type: binary
MD5: BAFBC57F3FCA9279969C3A70BA3D398F
SHA256: FFBD3D0228613665949DA7051EDF3ADFEB9E603C10FE071C26FF42D3A95D1F98

5532 din.exe
Filename: C:\Users\admin\AppData\Local\Temp\Activated
Type: binary
MD5: 87BB88EBBC24DD6F13DE197D0F6A7862
SHA256: 06A470E2DAD7EADF779865990F9AC593D396CED7103FBB8BF81EB52FAC2A94EB

5532 din.exe
Filename: C:\Users\admin\AppData\Local\Temp\Large
Type: binary
MD5: 53303EE3BA975E2C0410A9FBD20C9021
SHA256: 6BA931FF62297ADEC1C996CC673572B10B908F617E4ECD9125AC83B9D8D68ACF

5532 din.exe
Filename: C:\Users\admin\AppData\Local\Temp\Dumb
Type: gmc
MD5: C2A985269513E29FDF2CBBDA266EDAD2
SHA256: 966D083F627920AB66704DE4EBF30D86F97DAB9E39376D2FFD52B2526531BEE3

5532 din.exe
Filename: C:\Users\admin\AppData\Local\Temp\Appreciated
Type: text
MD5: 9B1C1B91D5DD7CD249DFC18C83265CAD
SHA256: 256DAB2DE8F31FD3B6DDEC1D1CA49A79BBD8DE0EC9997256169E35C22BFCB477
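The command `copy /b ..\Gc + ..\Large + ..\Rights + ..\Becomes I` from the process list rebuilds one payload from fragments dropped under separate names, so that no single dropped file is the payload a scanner would recognise; the `..\` prefixes show the script running from a subdirectory (plausibly the `322891` folder it has just created) and reading fragments from Temp. The report does not say what the reassembled file `I` contains, and `Rights` is not among the dropped files listed here (ten of the 19 suspicious files are shown). The AutoIt YARA hit on Centered.com suggests an AutoIt3 interpreter plus a compiled script, but that is inference. As an added analyst helper that is not part of the report, the Python below emulates `copy /b` in the order the command line gives, records the SHA-256 of the result, and labels it as a PE (MZ header), as a compiled AutoIt script (the 16-byte magic and `AU3!EA06` tag that open an .a3x file and the script resource of compiled AutoIt executables), or as unknown. The fragment bytes are constructed for the demonstration and are not the real dropped files.

```python
import hashlib
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Marker that opens an AutoIt .a3x file and the script resource of a compiled
# AutoIt3 executable: 16 magic bytes followed by "AU3!EA06" ("EA05" in older builds).
AU3_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
AU3_TAG = re.compile(rb"AU3!EA0[56]")


def parse_copy_b(cmdline: str):
    """Return (fragment names in order, output name) from 'copy /b a + b + c out'."""
    m = re.search(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", cmdline, re.I)
    if not m:
        raise ValueError("not a copy /b concatenation: " + cmdline)
    return [p.strip() for p in m.group(1).split("+")], m.group(2)


def reassemble(fragment_dir: Path, fragments, out_name: str) -> Path:
    """Emulate 'copy /b': byte-exact concatenation in command-line order.

    The /b switch matters: in ASCII mode cmd stops reading each source at the
    first 0x1A (Ctrl-Z) byte and appends one to the output, which would corrupt
    a binary payload.
    """
    out = fragment_dir / out_name
    with out.open("wb") as fh:
        for name in fragments:
            # The loader uses ..\Name paths; only the file name is meaningful here.
            fh.write((fragment_dir / PureWindowsPath(name).name).read_bytes())
    return out


def classify(blob: bytes) -> str:
    """Coarse label for the rebuilt file."""
    if blob[:2] == b"MZ":
        return "pe"
    if blob.startswith(AU3_MAGIC) or AU3_TAG.search(blob):
        return "autoit-compiled-script"
    return "unknown"


def analyse(fragment_dir: Path, cmdline: str) -> dict:
    fragments, out_name = parse_copy_b(cmdline)
    blob = reassemble(fragment_dir, fragments, out_name).read_bytes()
    return {
        "output": out_name,
        "order": fragments,
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "kind": classify(blob),
    }


def demo() -> dict:
    """Constructed input: a fake .a3x blob split into four files named as in the report."""
    payload = AU3_MAGIC + b"AU3!EA06" + bytes(range(256)) * 4
    names = ["Gc", "Large", "Rights", "Becomes"]
    workdir = Path(tempfile.mkdtemp())
    step = len(payload) // len(names)
    for i, name in enumerate(names):
        end = len(payload) if i == len(names) - 1 else (i + 1) * step
        (workdir / name).write_bytes(payload[i * step:end])
    result = analyse(workdir, r"cmd /c copy /b ..\Gc + ..\Large + ..\Rights + ..\Becomes I")
    result["matches_original"] = result["sha256"] == hashlib.sha256(payload).hexdigest()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real case, point `analyse()` at the directory of extracted dropped files and pass the command line from the report; the SHA-256 of the rebuilt file is the indicator worth sharing, since the individual fragment hashes change with every packing run.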
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
42
DNS requests
22
Threats
3

HTTP requests

Columns: PID, Process, Method, HTTP code, IP, URL, CN, Reputation (the Type and Size columns are empty in every row).

GET 200 from 23.10.249.17:80 (PID/process not recorded)
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown; Reputation: whitelisted

GET 200 from 95.101.149.131:80 (PID/process not recorded)
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN: unknown; Reputation: whitelisted

5064 SearchApp.exe, GET 200 from 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
CN: unknown; Reputation: whitelisted

1176 svchost.exe, GET 200 from 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: unknown; Reputation: whitelisted

6676 SIHClient.exe, GET 200 from 95.101.149.131:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
CN: unknown; Reputation: whitelisted

5548 backgroundTaskHost.exe, GET 200 from 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
CN: unknown; Reputation: whitelisted

6160 Centered.com, GET 200 from 2.16.202.121:80
URL: http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D
CN: unknown; Reputation: whitelisted

6676 SIHClient.exe, GET 200 from 95.101.149.131:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
CN: unknown; Reputation: whitelisted

2892 svchost.exe, GET 200 from 2.23.197.184:80
URL: http://x1.c.lencr.org/
CN: unknown; Reputation: whitelisted

Only the row for PID 6160 (Centered.com) belongs to the sample: an OCSP query to Let's Encrypt's responder (e5.o.lencr.org), the revocation check CryptoAPI performs inside a process when it validates the server certificate of its own TLS connection. The other rows are Windows CRL and OCSP background traffic. The payload's own TLS traffic (see the Telegram alert under Threats) is not an HTTP request and therefore does not appear in this table.

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation.

5564 svchost.exe: 4.231.128.59:443, ASN MICROSOFT-CORP-MSN-AS-BLOCK, CN IE, whitelisted
(PID/process not recorded): 192.168.100.255:137, whitelisted
(PID/process not recorded): 4.231.128.59:443, ASN MICROSOFT-CORP-MSN-AS-BLOCK, CN IE, whitelisted
(PID/process not recorded): 23.10.249.17:80, crl.microsoft.com, ASN Akamai International B.V., CN CH, whitelisted
(PID/process not recorded): 95.101.149.131:80, www.microsoft.com, ASN Akamai International B.V., CN NL, whitelisted
4 System: 192.168.100.255:138, unknown
4712 MoUsoCoreWorker.exe: 4.231.128.59:443, ASN MICROSOFT-CORP-MSN-AS-BLOCK, CN IE, whitelisted
5064 SearchApp.exe: 2.23.209.179:443, www.bing.com, ASN Akamai International B.V., CN GB, whitelisted
1176 svchost.exe: 20.190.159.73:443, login.live.com, ASN MICROSOFT-CORP-MSN-AS-BLOCK, CN IE, whitelisted
5064 SearchApp.exe: 192.229.221.95:80, ocsp.digicert.com, ASN EDGECAST, CN US, whitelisted

Every connection shown here is Windows background traffic (update, sign-in, search and certificate-status services) or a local NetBIOS broadcast. Of the 42 connections recorded, the Telegram session attributed to Centered.com appears only in the Threats section below and in the full report.

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 23.10.249.17
  • 23.10.249.24
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
www.bing.com
  • 2.23.209.179
  • 2.23.209.140
  • 2.23.209.182
  • 2.23.209.149
  • 2.23.209.133
  • 2.23.209.185
  • 2.23.209.130
  • 2.23.209.189
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.73
  • 40.126.31.67
  • 40.126.31.69
  • 20.190.159.23
  • 40.126.31.71
  • 20.190.159.68
  • 40.126.31.73
  • 20.190.159.75
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
jCkYzqqYDalcEKzOzlTGtPWyRfbt.jCkYzqqYDalcEKzOzlTGtPWyRfbt
unknown
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted

Threats

Columns: PID, Process, Class, Message. Domains are shown defanged.

6160 Centered.com, Misc activity: ET INFO Observed Telegram Domain (t .me in TLS SNI)
2192 svchost.exe, Possible Social Engineering Attempted: PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain (bijutr .shop)

The second alert is attributed to svchost.exe only because PID 2192 hosts the DNS Client service (Dnscache; see its command line in the process list), which resolves names on behalf of every process on the machine. The process that actually requested the lookup is not identified in this excerpt.

1 ETPRO signature is available in the full report
No debug info