File name: StraightMls.exe

Full analysis: https://app.any.run/tasks/fba613ee-7fb4-46da-a5f7-dbc6498bee64
Verdict: Malicious activity
Analysis date: November 14, 2024, 10:31:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 52C7EA6862E0B1BCAE99044A17A96457
SHA1: 7EED8C35403D6F70F8F284359E436B163FD81392
SHA256: 903344B8CDBFC5C4B2F1625255EB99E3D8757B210D3C8664862FD780A5AF4835
SSDEEP: 98304:ZrKBfxfDH1IM/AnF//seAv0vklT7qk9S0qrsi6:k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • AutoIt loader has been detected (YARA)

      • Horses.pif (PID: 4348)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • StraightMls.exe (PID: 6568)
    • Executing commands from ".cmd" file

      • StraightMls.exe (PID: 6568)
    • Starts CMD.EXE for commands execution

      • StraightMls.exe (PID: 6568)
      • cmd.exe (PID: 6640)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6640)
    • Application launched itself

      • cmd.exe (PID: 6640)
    • Get information on the list of running processes

      • cmd.exe (PID: 6640)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 6640)
    • Starts application with an unusual extension

      • cmd.exe (PID: 6640)
    • The executable file from the user directory is run by the CMD process

      • Horses.pif (PID: 4348)
    • Drops a file with a rarely used extension (PIF)

      • cmd.exe (PID: 6640)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 6640)
  • INFO

    • Create files in a temporary directory

      • StraightMls.exe (PID: 6568)
    • Checks supported languages

      • StraightMls.exe (PID: 6568)
      • Horses.pif (PID: 4348)
    • Process checks computer location settings

      • StraightMls.exe (PID: 6568)
    • The process uses the downloaded file

      • StraightMls.exe (PID: 6568)
    • Reads the computer name

      • StraightMls.exe (PID: 6568)
      • Horses.pif (PID: 4348)
    • Creates a new folder

      • cmd.exe (PID: 6804)
    • Reads mouse settings

      • Horses.pif (PID: 4348)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:19:54+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 28160
InitializedDataSize: 604160
UninitializedDataSize: 16896
EntryPoint: 0x3883
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
Total processes: 140
Monitored processes: 12
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes in launch order ("no specs" is the graph's own label for nodes without flagged indicators):
start: straightmls.exe (no specs), cmd.exe, conhost.exe (no specs), tasklist.exe (no specs), findstr.exe (no specs), tasklist.exe (no specs), findstr.exe (no specs), cmd.exe (no specs), findstr.exe (no specs), cmd.exe (no specs), horses.pif, choice.exe (no specs)

Process information

PID: 2428
CMD: findstr /V "EfLatitudeStrengtheningBasic" Communist
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2708
CMD: findstr /I "wrsa opssvc"
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2928
CMD: cmd /c copy /b ..\Mai + ..\Correlation + ..\Sustained + ..\Purposes + ..\Void + ..\Studio + ..\Conferences i
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4348
CMD: Horses.pif i
Path: C:\Users\admin\AppData\Local\Temp\47690\Horses.pif
Parent process: cmd.exe
User: admin
Company: AutoIt Team
Integrity Level: MEDIUM
Description: AutoIt v3 Script (Beta)
Exit code: 0
Version: 3, 3, 15, 3
Modules
Images
c:\users\admin\appdata\local\temp\47690\horses.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 5516
CMD: choice /d y /t 5
Path: C:\Windows\SysWOW64\choice.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Offers the user a choice
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5652
CMD: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6044
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6240
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6568
CMD: "C:\Users\admin\AppData\Local\Temp\StraightMls.exe"
Path: C:\Users\admin\AppData\Local\Temp\StraightMls.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\straightmls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6640
CMD: "C:\Windows\System32\cmd.exe" /c copy Lands Lands.cmd & Lands.cmd
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: StraightMls.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 1 097
Read events: 1 097
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 10
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6568 | StraightMls.exe | C:\Users\admin\AppData\Local\Temp\Mai | binary
  MD5: 9B3511C6AF5F20DB72C6624618F1917C
  SHA256: F571C3154CDD41D2FD6315B45E82426C93DBF54ECDBB7542C1E0D1D3203E2482
6568 | StraightMls.exe | C:\Users\admin\AppData\Local\Temp\Purposes | binary
  MD5: 836E33117C9E365309DCD54D72EEC368
  SHA256: B19131045ABF56FFD7B8A6727230458098FB31F5636AC0012E731B7293026B58
6568 | StraightMls.exe | C:\Users\admin\AppData\Local\Temp\Contracting | binary
  MD5: 0C5212D676D21F531FFCAFEC9E52B86D
  SHA256: E1D1853CEE2D930B9D7E4B6EC0046D625ACBC0A7D21E200F91AE177C6A16906F
6568 | StraightMls.exe | C:\Users\admin\AppData\Local\Temp\Conferences | binary
  MD5: BCE26B152D2BAB055BEAD6F7D0CA397D
  SHA256: 73E8D4CFECB488B76F3B5607A7100C31E73734A8CC951966DA1D5F2B3FE3B097
6568 | StraightMls.exe | C:\Users\admin\AppData\Local\Temp\Void | binary
  MD5: F35AFC0F5740F2BC4DBEDB76F32C5EC9
  SHA256: F10369056EF36C055B032C5E79E354C68F02E8EB1A9F8BEC38EA2E4E8DBE214F
6568 | StraightMls.exe | C:\Users\admin\AppData\Local\Temp\Studio | binary
  MD5: 7F50E145F22058785A1C7807C211A149
  SHA256: 3EC290AC9F1C6BB770F63DD3AC6EC6A1E2E848C09E85039F1275D35A1F1B0FD3
6568 | StraightMls.exe | C:\Users\admin\AppData\Local\Temp\Correlation | binary
  MD5: A0E744C12091614479FA3968B8B20721
  SHA256: F832EEEBDC0036D90A11C44EC646DB5F5BD11AE87AB633B07185F2C52995C03F
6568 | StraightMls.exe | C:\Users\admin\AppData\Local\Temp\Communist | binary
  MD5: DA39126FEDAD42A34ADB3EE8F339234D
  SHA256: 77C919541FC0FF7257A59529211A1010DFB988C59114BA573BEF97163D0A6723
6568 | StraightMls.exe | C:\Users\admin\AppData\Local\Temp\Sustained | binary
  MD5: 0A1DC210622FA5452E57F471163666E2
  SHA256: 006086059857CB6E91FD02BCA274735A875698DE6799C69942D4F7646BB68949
6640 | cmd.exe | C:\Users\admin\AppData\Local\Temp\47690\Horses.pif | executable
  MD5: A9428EC0A9FFCCBF943A384BAE6ABC85
  SHA256: 6EB46C39B269BD7C62214106344014EC9EC773ADB4C138E39D6AA865FFB3BD80
HTTP(S) requests: 7
TCP/UDP connections: 42
DNS requests: 21
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
6384 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
3648 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3648 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6316 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
 |  | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 |  |  |  | whitelisted
5640 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4360 | SearchApp.exe | 2.23.209.136:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
 |  | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
6384 | svchost.exe | 40.126.32.134:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6384 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4360 | SearchApp.exe | 104.126.37.130:443 | th.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146, 51.104.136.2, 20.73.194.208 | whitelisted
www.bing.com | 2.23.209.136, 2.23.209.156, 2.23.209.141, 2.23.209.143, 2.23.209.154, 2.23.209.149, 2.23.209.137, 2.23.209.150, 2.23.209.144 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
google.com | 172.217.16.142 | whitelisted
dKLUEBhbuOanqlcVZRtai.dKLUEBhbuOanqlcVZRtai |  | unknown
login.live.com | 40.126.32.134, 40.126.32.138, 40.126.32.72, 20.190.160.14, 40.126.32.133, 40.126.32.74, 20.190.160.17, 40.126.32.76 | whitelisted
th.bing.com | 104.126.37.130, 104.126.37.123, 104.126.37.179, 104.126.37.184, 104.126.37.185, 104.126.37.131, 104.126.37.186, 104.126.37.176, 104.126.37.136 | whitelisted
go.microsoft.com | 23.218.210.69 | whitelisted
bed-cobweb.cyou | 104.21.50.44, 172.67.200.190 | unknown
crl.microsoft.com | 23.216.77.6, 23.216.77.28 | whitelisted

Threats

No threats detected
No debug info