File name: VeryFun.exe
Full analysis: https://app.any.run/tasks/97e1db2f-0eae-4eda-94f2-f5268df5cec2
Verdict: Malicious activity
Analysis date: November 22, 2024, 20:34:25
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: EF7B3C31BC127E64627EDD8B89B2AE54
SHA1: 310D606EC2F130013CC9D2F38A9CC13A2A34794A
SHA256: 8B04FDA4BEE1806587657DA6C6147D3E949AA7D11BE1EEFB8CD6EF0DBA76D387
SSDEEP: 49152:wshda+bFz6dmTTfO0JBhybeUXzELz/RkxI6Zxkxur4E5IReTD5GKHmDVJPY8t:Js/4ibecELz/RkO6LF4hRq5GKHmBBYC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • VeryFun.exe (PID: 4528)
    • Application launched itself

      • ie4uinit.exe (PID: 4160)
      • setup.exe (PID: 6812)
      • setup.exe (PID: 5336)
      • setup.exe (PID: 6976)
    • Uses RUNDLL32.EXE to load library

      • ie4uinit.exe (PID: 4328)
  • INFO

    • Manual execution by a user

      • WerFault.exe (PID: 6796)
      • setup.exe (PID: 6812)
      • ie4uinit.exe (PID: 4160)
      • chrmstp.exe (PID: 6068)
      • unregmp2.exe (PID: 6292)
    • UPX packer has been detected

      • VeryFun.exe (PID: 4528)
      • cmd.exe (PID: 1616)
      • cmd.exe (PID: 1448)
    • The process uses AutoIt

      • VeryFun.exe (PID: 4528)
      • cmd.exe (PID: 1616)
      • cmd.exe (PID: 1448)
    • Application launched itself

      • chrmstp.exe (PID: 6068)
      • chrmstp.exe (PID: 5564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (28.6)
.exe | UPX compressed Win32 Executable (28)
.exe | Win32 EXE Yoda's Crypter (27.5)
.dll | Win32 Dynamic Link Library (generic) (6.8)
.exe | Win32 Executable (generic) (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:09:22 22:25:28+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 356352
InitializedDataSize: 2826240
UninitializedDataSize: 3354624
EntryPoint: 0x389de0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
No data.
All screenshots are available in the full report
Total processes: 151
Monitored processes: 24
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes in the graph, in report order ("no specs" marks a process without specific indicators): start, veryfun.exe, cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), werfault.exe (no specs), cmd.exe (no specs), ie4uinit.exe (no specs), ie4uinit.exe (no specs), unregmp2.exe (no specs), chrmstp.exe (no specs), chrmstp.exe (no specs), chrmstp.exe (no specs), chrmstp.exe (no specs), setup.exe (no specs), setup.exe (no specs), setup.exe (no specs), setup.exe (no specs), setup.exe (no specs), setup.exe (no specs), cmd.exe (no specs), rundll32.exe (no specs), veryfun.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1448
CMD: "C:\WINDOWS\system32\cmd.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: VeryFun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1616
CMD: "C:\WINDOWS\system32\cmd.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: VeryFun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 3260
CMD: "C:\Users\admin\Desktop\VeryFun.exe"
Path: C:\Users\admin\Desktop\VeryFun.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\veryfun.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 4160
CMD: "C:\Windows\System32\ie4uinit.exe" -UserConfig
Path: C:\Windows\System32\ie4uinit.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IE Per-User Initialization Utility
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
PID: 4328
CMD: C:\Windows\System32\ie4uinit.exe -ClearIconCache
Path: C:\Windows\System32\ie4uinit.exe
Parent process: ie4uinit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IE Per-User Initialization Utility
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
PID: 4528
CMD: "C:\Users\admin\Desktop\VeryFun.exe"
Path: C:\Users\admin\Desktop\VeryFun.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\veryfun.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 4736
CMD: C:\WINDOWS\system32\RunDll32.exe C:\WINDOWS\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Path: C:\Windows\System32\rundll32.exe
Parent process: ie4uinit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 4832
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\WINDOWS\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x288,0x28c,0x290,0x1a4,0x140,0x7ff6ac3469a8,0x7ff6ac3469b4,0x7ff6ac3469c0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\Installer\setup.exe
Parent process: setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Exit code:
0
Version:
122.0.2365.59
PID: 5036
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\WINDOWS\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff6ac3469a8,0x7ff6ac3469b4,0x7ff6ac3469c0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\Installer\setup.exe
Parent process: setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Exit code:
0
Version:
122.0.2365.59
PID: 5336
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\Installer\setup.exe" --msedge --channel=stable --launch-msedge-after-unlock --verbose-logging --system-level
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\Installer\setup.exe
Parent process: setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Exit code:
0
Version:
122.0.2365.59
Total events: 179 625
Read events: 160 574
Write events: 19 051
Delete events: 0

Modification events

(PID) Process: (4528) VeryFun.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Memory Management
Operation: write
Name: LargePageMinimum
Value:
1
(PID) Process: (1448) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\AppPatch\v2.0.50727.00000\BTSNTSvc.exe\{CA109828-7CE7-40F4-AD73-C7575455A7D5}
Operation: write
Name: Company
Value:
è,àLkõ[à-»üR’0&à ­¤à-ÞB‚²÷
(PID) Process: (1448) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\AppPatch\v2.0.50727.00000\BTSNTSvc.exe\{CA109828-7CE7-40F4-AD73-C7575455A7D5}
Operation: write
Name: Internal Name
Value:
eDº„ìFgf&²¥_8ÏLÝð!¬÷{̶S,˜
(PID) Process: (1448) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\AppPatch\v2.0.50727.00000\BTSNTSvc.exe\{CA109828-7CE7-40F4-AD73-C7575455A7D5}
Operation: write
Name: Maximum File Version
Value:
îíEÏ] 'ª­Z׸TؾÕÚÀF–õÁT’
(PID) Process: (1448) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\AppPatch\v2.0.50727.00000\BTSNTSvc.exe\{CA109828-7CE7-40F4-AD73-C7575455A7D5}
Operation: write
Name: Minimum File Version
Value:
lµ) NÂíZŒ2%‹¡ÅØQ޼é/§3gãqÒ
(PID) Process: (1448) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\AppPatch\v2.0.50727.00000\BTSNTSvc.exe\{CA109828-7CE7-40F4-AD73-C7575455A7D5}
Operation: write
Name: Product Name
Value:
'ŠYÚ«øWƒõ“›zS‡tûió¢˜ßR&
(PID) Process: (1448) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\AppPatch\v2.0.50727.00000\BTSNTSvc.exe\{CA109828-7CE7-40F4-AD73-C7575455A7D5}
Operation: write
Name: Target Version
Value:
¶úÛñWÕãÄùƒ¸›%ׄþ¸ï’óñ°¢±
(PID) Process: (1448) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\AppPatch\v2.0.50727.00000\compeif.exe\{6AA1435F-1473-4A6D-B82A-1DD4E3A20E34}
Operation: write
Name: Company
Value:
ZvÆŠå8v$ÉohFo}úÑåWD"”:­Î{
(PID) Process: (1448) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\AppPatch\v2.0.50727.00000\compeif.exe\{6AA1435F-1473-4A6D-B82A-1DD4E3A20E34}
Operation: write
Name: Internal Name
Value:
>ïØÅOòð\jßžOf©¶Zϯì
(PID) Process: (1448) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\AppPatch\v2.0.50727.00000\compeif.exe\{6AA1435F-1473-4A6D-B82A-1DD4E3A20E34}
Operation: write
Name: Maximum File Version
Value:
„¯‰{ÕZÕž•0A¦ûÐ/è6?üŸä£ˆª
Executable files: 2
Suspicious files: 3
Text files: 7
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID 4160 | ie4uinit.exe | C:\Users\admin\AppData\Local\Temp\RGIB589.tmp | ini
MD5:0D6E3B5966C8910612CBB86683829EFD
SHA256:6B5C97558FDF8CC87169CAD942F04A633BF2B9931D50BF22D91E632C0EA596AF
PID 4160 | ie4uinit.exe | C:\Users\admin\AppData\Local\Temp\RGIB58A.tmp | ini
MD5:0D6E3B5966C8910612CBB86683829EFD
SHA256:6B5C97558FDF8CC87169CAD942F04A633BF2B9931D50BF22D91E632C0EA596AF
PID 6796 | setup.exe | C:\Windows\Temp\MsEdgeCrashpad\throttle_store.dat | text
MD5:9E4E94633B73F4A7680240A0FFD6CD2C
SHA256:41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
PID 4160 | ie4uinit.exe | C:\Users\admin\AppData\Local\Temp\RGIB578.tmp | text
MD5:0D6E3B5966C8910612CBB86683829EFD
SHA256:6B5C97558FDF8CC87169CAD942F04A633BF2B9931D50BF22D91E632C0EA596AF
PID 4160 | ie4uinit.exe | C:\Users\admin\AppData\Local\Temp\RGIB5BB.tmp | text
MD5:87BA1D52A05A8D4343356EB0C6279DE2
SHA256:564A351DB0AB9249751ECF3F5D03049A43BEB0F8F3B95A5B8AAE9A9F7D0C17FB
PID 4160 | ie4uinit.exe | C:\Users\admin\AppData\Local\Temp\RGIB59A.tmp | ini
MD5:0D6E3B5966C8910612CBB86683829EFD
SHA256:6B5C97558FDF8CC87169CAD942F04A633BF2B9931D50BF22D91E632C0EA596AF
PID 4528 | VeryFun.exe | C:\Windows\system.ini | binary
MD5:AD7A3B5B654841E098EBCD82C6BF6AE9
SHA256:7237D29C49C1F1AAAD85D1EFC7EBE8F46D0B8BA42BEE7C2C8559B733614B1757
PID 6976 | setup.exe | C:\Users\admin\AppData\Local\Temp\msedge_installer.log | text
MD5:F6889112F2A8881B24645437EC20E114
SHA256:9FE3DD5071363A6E1F35B27DEB05CE85F0E2FDBC1F641CFD90A16171BC30CAC3
PID 6068 | chrmstp.exe | C:\Windows\Temp\Crashpad\settings.dat | binary
MD5:15A1DB1A694E07613BAFC4DA7D0E2E9A
SHA256:B10B453EDADCABC06F13D5CEC9CC35670D494DD7A32EDF6BB701D3249206EBA7
PID 6292 | unregmp2.exe | C:\Users\admin\AppData\Local\Temp\wmsetup.log | text
MD5:D58AF95C4B2C95CBA031353690C39C0C
SHA256:B848B5B0DA7135A69F0B84C7127BC98F7947423AADC5B9DFB01891795C1F25B5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 18
TCP/UDP connections: 36
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
– | – | GET | 200 | 2.16.164.43:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | – | – | whitelisted
– | – | GET | 200 | 2.16.164.43:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | – | – | whitelisted
– | – | GET | 200 | 2.16.164.43:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | – | – | whitelisted
– | – | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | – | – | whitelisted
– | – | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | – | – | whitelisted
– | – | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | – | – | whitelisted
– | – | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | – | – | whitelisted
– | – | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | – | – | whitelisted
– | – | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | – | – | whitelisted
– | – | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | – | – | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
– | – | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
– | – | 192.168.100.255:137 | – | – | – | whitelisted
– | – | 2.16.164.43:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
– | – | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | – | – | – | whitelisted
– | – | 2.19.96.41:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
– | – | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
– | – | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
– | – | 2.19.246.123:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
– | – | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 2.16.164.43
  • 2.16.164.114
  • 2.16.164.9
  • 2.16.164.24
  • 2.16.164.49
  • 2.16.164.81
  • 2.16.164.51
  • 23.32.238.34
  • 23.32.238.43
  • 23.32.238.51
  • 23.32.238.50
  • 23.32.238.48
  • 23.32.238.26
  • 23.32.238.27
  • 2.19.198.194
  • 23.32.238.33
whitelisted
www.microsoft.com
  • 88.221.125.143
  • 184.30.21.171
whitelisted
www.bing.com
  • 2.19.96.41
  • 2.19.96.40
  • 2.19.96.27
  • 2.19.96.58
  • 2.19.96.26
  • 2.19.96.19
  • 2.19.96.24
  • 2.19.96.64
  • 2.19.96.34
whitelisted
login.live.com
  • 20.190.159.75
  • 40.126.31.73
  • 20.190.159.68
  • 20.190.159.23
  • 20.190.159.73
  • 40.126.31.69
  • 20.190.159.0
  • 20.190.159.4
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 2.19.246.123
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted

Threats

No threats detected
No debug info