File name:	9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0
Full analysis:	https://app.any.run/tasks/83e1785a-2d7e-4917-bd38-299eac2e4709
Verdict:	Malicious activity
Analysis date:	November 15, 2024, 13:06:12
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	2D96E4C716EB0CF915026ED8A7D01AF0
SHA1:	8D793F2EC2B319B9AB4D7D6F12275D15C4C73F88
SHA256:	9217F79FECA332AEEADABED6B7B0C10BB0CDF9B1D1DB5AA83A4E8AC704BF80C0
SSDEEP:	6144:KcGHcbt3OZx9qnGkMQQtbFMO1rWa3NnoyQ77sUGQtygfo:1ocb8qYFZ1P9noJ0Udy+o

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:05:01 08:50:32+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	12.1
CodeSize:	102400
InitializedDataSize:	208896
UninitializedDataSize:	-
EntryPoint:	0x5907
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	3.7.2150.1013
ProductVersionNumber:	3.7.2150.1013
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	Python Software Foundation
FileDescription:	Python
FileVersion:	3.7.2
InternalName:	Python Console
LegalCopyright:	Copyright © 2001-2016 Python Software Foundation. Copyright © 2000 BeOpen.com. Copyright © 1995-2001 CNRI. Copyright © 1991-1995 SMC.
OriginalFileName:	python.exe
ProductName:	Python
ProductVersion:	3.7.2


(PID) Process:	(6392) mmc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{b05566ad-fe9c-4363-be05-7a4cbb7cb510}
Operation:	write	Name:	HelpTopic
Value: C:\WINDOWS\Help\eventviewer.chm
(PID) Process:	(6392) mmc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{b05566ad-fe9c-4363-be05-7a4cbb7cb510}
Operation:	write	Name:	LinkedHelpTopics
Value: C:\WINDOWS\Help\eventviewer.chm
(PID) Process:	(6392) mmc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{b05566ae-fe9c-4363-be05-7a4cbb7cb510}
Operation:	write	Name:	HelpTopic
Value: C:\WINDOWS\Help\eventviewer.chm
(PID) Process:	(6392) mmc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{b05566ae-fe9c-4363-be05-7a4cbb7cb510}
Operation:	write	Name:	LinkedHelpTopics
Value: C:\WINDOWS\Help\eventviewer.chm
(PID) Process:	(7120) 8SPPDJ~1:bin	Key:	HKEY_CLASSES_ROOT\MSCFile\shell\open\command
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7120) 8SPPDJ~1:bin	Key:	HKEY_CLASSES_ROOT\MSCFile\shell\open
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7120) 8SPPDJ~1:bin	Key:	HKEY_CLASSES_ROOT\MSCFile\shell
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7120) 8SPPDJ~1:bin	Key:	HKEY_CLASSES_ROOT\MSCFile
Operation:	delete key	Name:	(default)
Value:

PID	Process	Filename		Type
2236	9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0.exe	C:\Users\admin\AppData\Roaming\8SPPDJ~1		—
		MD5:—	SHA256:—
7120	8SPPDJ~1:bin	C:\Users\admin\AppData\Local\Temp\Wetil.cmd		text
		MD5:6A0761CA89149B069A4AB6BBA8F5E5B9	SHA256:6E73CBD17F3FD4C62E37FC56C55588F60CC1114E61AF10ECCF7CAAFDF233B642
6392	mmc.exe	C:\Users\admin\AppData\Local\Microsoft\Event Viewer\RecentViews		binary
		MD5:785FB8E1B562E2FCC8C0C0C6572EE3D7	SHA256:5607B57C3C58070F54B8F68FA22808F9AD14C60BBF05F00DA92A162585C3C562
6392	mmc.exe	C:\Users\admin\AppData\Roaming\Microsoft\MMC\eventvwr		xml
		MD5:C4AEFE383AD08188E19D2FBDDC3DAB20	SHA256:3BC5CEBD617E62A939F8434A594F2D8CD30E65EC2EB25FD912F154ABC04CFFC5
7120	8SPPDJ~1:bin	C:\Users\admin\AppData\Roaming\0vCBjfNuOQE7kX\IBCSMG~1.EXE		binary
		MD5:EB64CE3425E22FA5ED09FC9FB9C9887C	SHA256:3566E15AD2073FCEE9DE878C7FC49F30AAA28D29D8CEBCDF75585700A19D3C46
2236	9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0.exe	C:\Users\admin\AppData\Roaming\8SPPDJ~1:bin		executable
		MD5:2D96E4C716EB0CF915026ED8A7D01AF0	SHA256:9217F79FECA332AEEADABED6B7B0C10BB0CDF9B1D1DB5AA83A4E8AC704BF80C0
6392	mmc.exe	C:\Users\admin\AppData\Local\Microsoft\Event Viewer\Settings.Xml		text
		MD5:884320A9B8F018F309F5A96107133F89	SHA256:50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted

Domain	IP	Reputation
www.bing.com	—	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	142.250.185.142	whitelisted
dns.msftncsi.com	131.107.255.255	whitelisted

Process	Message
mmc.exe	ViewerExternalLogsPath = 'C:\ProgramData\Microsoft\Event Viewer\ExternalLogs': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe	ViewerConfigPath = 'C:\ProgramData\Microsoft\Event Viewer': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe	ViewerViewsFolderPath = 'C:\ProgramData\Microsoft\Event Viewer\Views': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe	ViewerAdminViewsPath = 'C:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe	Failed to get ChannelConfigOwningPublisher -122-The data area passed to a system call is too small
mmc.exe	Getting next publisher from enum failed-259-No more data is available
mmc.exe	Failed to get ChannelConfigOwningPublisher -122-The data area passed to a system call is too small
mmc.exe	ExpandNode:After EventsNode:InsertChildren CountOfChildren = 5
mmc.exe	PublisherMetadataKeywordName failed for not providing enough memory. Trying with the correct memory -122-The data area passed to a system call is too small
mmc.exe	PublisherMetadataKeywordName failed for not providing enough memory. Trying with the correct memory -122-The data area passed to a system call is too small

General Info

9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0

2D96E4C716EB0CF915026ED8A7D01AF0

8D793F2EC2B319B9AB4D7D6F12275D15C4C73F88

9217F79FECA332AEEADABED6B7B0C10BB0CDF9B1D1DB5AA83A4E8AC704BF80C0

6144:KcGHcbt3OZx9qnGkMQQtbFMO1rWa3NnoyQ77sUGQtygfo:1ocb8qYFZ1P9noJ0Udy+o

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Detected use of alternative data streams (AltDS)

Executable content was dropped or overwritten

Starts itself from another location

Starts application with an unusual extension

Reads security settings of Internet Explorer

INFO

Process checks whether UAC notifications are on

Checks supported languages

Creates files or folders in the user directory

Reads the computer name

Create files in a temporary directory

The process uses the downloaded file

Sends debugging messages

Reads security settings of Internet Explorer

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings