File name: payload.exe
Full analysis: https://app.any.run/tasks/75f33bb7-5fd4-46f5-949d-d5c3c730bb6b
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category covers programs that each focus on a particular kind of data, such as files, passwords and cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Note that "stealer" is the sandbox's automatic generic classification for this task (tags: auto, generic), not a family match, and the paragraph above is its generic category text. The artifacts recorded further down tell a different story: a HELP_READ_ME.txt note written into many directories, PublicKey and EncryptedKey values written under HKEY_CURRENT_USER\Software\Decryption\RSAKeys, an enc.bin file in the user's Temp folder, a desktop wallpaper change and self-deletion through cmd.exe. That combination is the pattern of file-encrypting ransomware, so treat the stealer label as a classifier output rather than a description of what this sample does.

Analysis date: March 24, 2025, 19:31:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: auto, generic, stealer
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 66BA415D640ADF7691A55A9BB42AC6C4
SHA1: 19EE95A015707262B2E8C3761D98161F04BAE54C
SHA256: 92348F164C1E42EC1F531D66BEA76D65AED9F6BD4187000C0BAF92EDD3050FB5
SSDEEP: 98304:mLGX1t60IUNgyNqOUeckDPXF3JQqy906tDp01qp1Q2Q5CldkIz3TcLK27K4t4il1:jB96or8Ffne5hU/gUPb1tHD/r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • GENERIC has been found (auto): runas.exe (PID: 2168)
    • Actions look like stealing of personal data: payload.exe (PID: 2368)
    • Writes a file to the Word startup folder: payload.exe (PID: 2368)
    • Starts CMD.EXE for self-deleting: payload.exe (PID: 2368)
    • Modifies files in the Chrome extension folder: payload.exe (PID: 2368)
  • SUSPICIOUS
    • Starts another process probably with elevated privileges via RUNAS.EXE: runas.exe (PID: 2168)
    • Reads browser cookies: payload.exe (PID: 2368)
    • Changes the desktop background image: payload.exe (PID: 2368)
    • Reads the Internet Settings: payload.exe (PID: 2368)
    • Reads security settings of Internet Explorer: payload.exe (PID: 2368)
    • Starts CMD.EXE for commands execution: payload.exe (PID: 2368)
    • Hides command output: cmd.exe (PID: 3104)
    • Runs PING.EXE to delay simulation: cmd.exe (PID: 3104)
    • Uses TASKKILL.EXE to kill process: cmd.exe (PID: 3104)
    • Likely accesses (executes) a file from the Public directory: notepad.exe (PID: 2356)
  • INFO
    • Checks supported languages: payload.exe (PID: 2368)
    • Reads the machine GUID from the registry: payload.exe (PID: 2368)
    • Reads the computer name: payload.exe (PID: 2368)
    • Creates files in the program directory: payload.exe (PID: 2368)
    • Creates files or folders in the user directory: payload.exe (PID: 2368)
    • Manual execution by a user: notepad.exe (PID: 2356)

Reading the signatures together: the "stealing of personal data", "Reads browser cookies", "Writes a file to the Word startup folder" and "Modifies files in the Chrome extension folder" hits are what a sample that reads and rewrites files across the whole profile triggers, and the file counts and dropped-files list below (thousands of modified files, one identical note per directory) fit that mass-write behaviour far better than targeted credential theft. The two runas.exe hits describe how the sandbox user launched the sample (see the process information), not something the sample did itself; the notepad.exe hits are the user opening the dropped note.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

TRiD's top guess (Win64) contradicts the PE header, which says PE32 / Intel 386 / 32-bit; TRiD scores byte patterns and its generic "executable" buckets are weak evidence, so the header wins.

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:14 16:39:32+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 22016
InitializedDataSize: 6144
UninitializedDataSize: -
EntryPoint: 0x6d9409
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI

Two things stand out: the entry point (0x6d9409) lies far beyond the declared code size (22016 bytes, 0x5600), so execution starts outside the main code section, which together with the eight sections is the usual profile of a packed or stub-plus-payload executable; and the link timestamp (2025-03-14) is ten days before the analysis date, so the sample was fresh when it was run.
Total processes: 44
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Process tree, reconstructed from the parent-process column of the process information below:

explorer.exe (sandbox user "admin", not among the monitored processes)
├── runas.exe (PID 2168): /user:administrator C:\Users\admin\Desktop\payload.exe
│   └── payload.exe (PID 2368): runs as Administrator at HIGH integrity
│       └── cmd.exe (PID 3104): /d /c taskkill ... & ping ... & del ... (self-deletion)
│           ├── taskkill.exe (PID 1156): taskkill /t /f /im "payload.exe"
│           └── ping.exe (PID 2516): ping -n 1 127.0.0.1
└── notepad.exe (PID 2356): opens C:\Users\Public\Desktop\HELP_READ_ME.txt (manual execution by the sandbox user)

Process information

One record per monitored process: PID, command line, path, parent process, then the metadata and loaded modules the sandbox recorded.
PID 1156: taskkill.exe
Command line: taskkill /t /f /im "payload.exe"
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe (PID 3104)
User: Administrator
Company: Microsoft Corporation
Integrity level: HIGH
Description: Terminates Processes
Exit code: 128 (the status taskkill returns when no process matches the /im name, consistent with payload.exe having already exited by the time the kill ran; the del that follows in the parent's command line removes the file regardless)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded modules:
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID 2168: runas.exe
Command line: "C:\Windows\System32\runas.exe" /user:administrator C:\Users\admin\Desktop\payload.exe
Path: C:\Windows\System32\runas.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Run As Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Note: runas.exe was started from explorer.exe by the sandbox user "admin" to launch the sample under the Administrator account. The HIGH integrity level of payload.exe and of its children is therefore a product of how the analyst started the sample, not a privilege escalation performed by the sample; the "GENERIC has been found (auto)" and RUNAS.EXE signatures above are attached to this launcher process. This is exactly the kind of user action the ANY.RUN disclaimer warns can distort a report.
Loaded modules:
c:\windows\system32\runas.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID 2356: notepad.exe
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HELP_READ_ME.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Note: manual execution by the sandbox user (the INFO signature above) to open the note the sample had written to the public desktop; it is not part of the sample's own activity, and it shows the note also landed in C:\Users\Public\Desktop, a location the dropped-files excerpt below does not list.
Loaded modules:
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID 2368: payload.exe
Command line: C:\Users\admin\Desktop\payload.exe
Path: C:\Users\admin\Desktop\payload.exe
Parent process: runas.exe (PID 2168)
User: Administrator
Company / Description / Version: none recorded (unlike the Microsoft binaries, no version resource was shown for the sample)
Integrity level: HIGH
Exit code: 0
Note: the module list is short (no advapi32.dll, no wininet/ws2_32) and includes mpr.dll, the library behind the WNet* APIs used to enumerate and connect to network shares. What the sample does after start-up is better read from the registry and file sections below than from the imports of the loaded stub.
Loaded modules:
c:\users\admin\desktop\payload.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID 2516: ping.exe
Command line: ping -n 1 127.0.0.1
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe (PID 3104)
User: Administrator
Company: Microsoft Corporation
Integrity level: HIGH
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded modules:
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID 3104: cmd.exe
Command line: "C:\Windows\System32\cmd.exe" cmd.exe /d /c taskkill /t /f /im "payload.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\admin\Desktop\payload.exe" > NUL
Path: C:\Windows\System32\cmd.exe
Parent process: payload.exe (PID 2368)
User: Administrator
Company: Microsoft Corporation
Integrity level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Note: this is the self-deletion routine flagged by the "Starts CMD.EXE for self-deleting", "Hides command output", "Runs PING.EXE to delay simulation" and "Uses TASKKILL.EXE to kill process" signatures. /d skips any AutoRun commands configured in the registry, taskkill /t /f force-terminates the sample and its child processes, ping -n 1 127.0.0.1 is a short sleep so the process exits and releases its file lock before the delete, del removes the original binary from the desktop, and every command's output goes to NUL. Because the binary is gone after execution, the hashes at the top of this report and the dropped HELP_READ_ME.txt note are what remains for triage on an infected host.
Loaded modules:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
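The cmd.exe one-liner above (taskkill the parent, ping localhost as a sleep, del the parent's image, everything redirected to NUL) is a detection opportunity in its own right. The Python below is an added example written for this page, not ANY.RUN's code or anything from the sample: it runs over constructed process-creation events modelled on the report's process tree (an assumed explorer.exe PID and an assumed benign clean-up command are the only fields not taken from the report) and flags any cmd.exe whose command line kills or deletes its own parent's image, recording the ping delay and the NUL redirection as supporting evidence.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events modelled on the report's process tree.
# PIDs, images and command lines are the report's; the explorer.exe PID (1400) and
# the final benign clean-up event (PID 4000) are assumptions added for illustration.
EVENTS = [
    {"pid": 1400, "ppid": 1000, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 2168, "ppid": 1400, "image": r"C:\Windows\System32\runas.exe",
     "cmd": r'"C:\Windows\System32\runas.exe" /user:administrator C:\Users\admin\Desktop\payload.exe'},
    {"pid": 2368, "ppid": 2168, "image": r"C:\Users\admin\Desktop\payload.exe",
     "cmd": r"C:\Users\admin\Desktop\payload.exe"},
    {"pid": 3104, "ppid": 2368, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" cmd.exe /d /c taskkill /t /f /im "payload.exe" > NUL '
            r'& ping -n 1 127.0.0.1 > NUL & del "C:\Users\admin\Desktop\payload.exe" > NUL'},
    {"pid": 1156, "ppid": 3104, "image": r"C:\Windows\System32\taskkill.exe",
     "cmd": r'taskkill /t /f /im "payload.exe"'},
    {"pid": 2516, "ppid": 3104, "image": r"C:\Windows\System32\PING.EXE",
     "cmd": "ping -n 1 127.0.0.1"},
    {"pid": 4000, "ppid": 1400, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c del /q "C:\Temp\old.log"'},  # assumed benign admin clean-up
]

# The pieces of the one-liner seen in the report: del <path> (optionally with /x switches),
# taskkill /im <name>, a localhost ping used as a sleep, and output discarded via > NUL.
DEL_RE = re.compile(r'\bdel\b(?:\s+/[a-z])*\s+(?:"([^"]+)"|([^\s&|>]+))', re.I)
KILL_RE = re.compile(r'\btaskkill\b[^&|]*?/im\s+"?([^"\s]+)"?', re.I)
PING_RE = re.compile(r'\bping\s+-n\s+\d+\s+(?:127\.0\.0\.1|localhost)\b', re.I)
NUL_RE = re.compile(r'>\s*NUL\b', re.I)


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def find_self_delete(events):
    """Return one finding per cmd.exe whose command line kills or deletes its own parent's image."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if _name(e["image"]) != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        parent_name = _name(parent["image"])
        cmd = e["cmd"]
        m = DEL_RE.search(cmd)
        target = (m.group(1) or m.group(2)) if m else None
        k = KILL_RE.search(cmd)
        deletes_parent = target is not None and _name(target) == parent_name
        kills_parent = k is not None and k.group(1).lower() == parent_name
        if not (deletes_parent or kills_parent):
            continue  # a del or taskkill aimed at something else is not self-deletion
        findings.append({
            "pid": e["pid"],
            "parent_pid": parent["pid"],
            "parent_image": parent["image"],
            "target": target,
            "deletes_parent": deletes_parent,
            "kills_parent": kills_parent,
            "ping_delay": PING_RE.search(cmd) is not None,     # sleep-by-ping trick
            "hidden_output": NUL_RE.search(cmd) is not None,   # > NUL on every command
        })
    return findings


if __name__ == "__main__":
    for f in find_self_delete(EVENTS):
        print(f"cmd.exe PID {f['pid']} removes its parent {f['parent_image']} (PID {f['parent_pid']}): {f}")
```

Keying the rule on the parent relationship rather than on the presence of "del" is what keeps the benign clean-up command out of the results. In a real pipeline the events would come from Sysmon event ID 1 or equivalent EDR telemetry, which carries the same four fields the example relies on: PID, parent PID, image path and command line.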
Total events: 972 (read 958, write 8, delete 6)

Modification events

All recorded modifications were made by payload.exe (PID 2368). The summary page lists 6 writes and 4 deletes of the 8 and 6 counted above.

HKEY_CURRENT_USER\Software\Decryption\RSAKeys
  write PublicKey: 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
  write EncryptedKey: 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
HKEY_CURRENT_USER\Control Panel\Desktop
  write WallpaperStyle: 0
  write TileWallpaper: 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  delete value ProxyBypass
  delete value IntranetName
  write UNCAsIntranet: 0
  write AutoDetect: 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  delete value ProxyBypass
  delete value IntranetName

How to read these: the RSAKeys values are the most specific artifact in the report. A public key stored next to an "encrypted key" blob, under a per-user path that belongs to no legitimate product, is the layout typical of ransomware that generates a per-victim symmetric key, encrypts it with an embedded RSA public key and keeps the result for the decryptor; the non-Microsoft key HKCU\Software\Decryption\RSAKeys is therefore a good hunting target on other hosts. The WallpaperStyle/TileWallpaper writes accompany the wallpaper change flagged in the signatures. The ZoneMap changes (ProxyBypass and IntranetName deleted, UNCAsIntranet and AutoDetect set) are the normal side effect of a process initialising Internet Explorer security-zone settings through WinINet/urlmon and appear for many benign programs; on their own they carry no weight.
Executable files: 11
Suspicious files: 4,212
Text files: 1,301
Unknown types: 0

The thousands-scale counts (4,212 files the sandbox flagged as suspicious, 1,301 text files) dwarf the ten entries in the dropped-files list below, which is only the summary page's excerpt. A single run that produces thousands of modified files plus one text file per directory is modifying files in bulk, which is what the note drops and the RSA registry values also point to.

Dropped files

All ten listed files were written by payload.exe (PID 2368).

HELP_READ_ME.txt (text), byte-identical in every location:
  MD5: BC7BFE0989016E1A9B78C8A5F0AA80BB
  SHA256: 4EA3C64CF6AC1AED21C4CD4A8F9E71129A07367FBFB209A8CD88AEFFA0C10EFD
  C:\ProgramData\Microsoft\Crypto\HELP_READ_ME.txt
  C:\Users\Public\Favorites\HELP_READ_ME.txt
  C:\ProgramData\Microsoft\HELP_READ_ME.txt
  C:\Recovery\HELP_READ_ME.txt
  C:\ProgramData\HELP_READ_ME.txt
  C:\PerfLogs\HELP_READ_ME.txt
  C:\Users\HELP_READ_ME.txt
  C:\ProgramData\Adobe\HELP_READ_ME.txt
  C:\PerfLogs\Admin\HELP_READ_ME.txt

enc.bin (binary):
  C:\Users\Administrator\AppData\Local\Temp\enc.bin
  MD5: 52D5584BD9D886D7DADE241186540872
  SHA256: 96FEF25EDB478733EE5CB02AB2ADCAA457F4B516FC634C0DCF1B507F4EC7F11A

Notes: one identical text file dropped into every directory the sample visits, including system folders such as C:\Recovery and C:\PerfLogs that a credential stealer has no reason to touch, is the ransom-note pattern, and the note's hash is a stable indicator for this sample. enc.bin sits under C:\Users\Administrator rather than C:\Users\admin because the sample ran as Administrator via runas; the report does not show its contents.
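The registry writes (PublicKey and EncryptedKey under HKCU\Software\Decryption\RSAKeys, the wallpaper values, the ZoneMap noise) and the dropped-files list above together give three host artifacts worth hunting for. The Python below is an added example written for this page, not code from ANY.RUN or from the sample: it takes constructed file-create and registry events (paths, hashes and key names copied from this report; one notepad.exe write added as an assumed benign event) and scores each PID on a same-hash file written into at least five directories, key-material value names under a non-Microsoft Software\ key, and a wallpaper change, while counting ZoneMap changes without scoring them.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

NOTE_SHA256 = "4EA3C64CF6AC1AED21C4CD4A8F9E71129A07367FBFB209A8CD88AEFFA0C10EFD"
ENC_SHA256 = "96FEF25EDB478733EE5CB02AB2ADCAA457F4B516FC634C0DCF1B507F4EC7F11A"

# Constructed file-create events. The nine HELP_READ_ME.txt paths, enc.bin and the hashes
# come from the report's dropped-files list; the notepad.exe write is an assumed benign event.
NOTE_PATHS = [
    r"C:\ProgramData\Microsoft\Crypto\HELP_READ_ME.txt",
    r"C:\Users\Public\Favorites\HELP_READ_ME.txt",
    r"C:\ProgramData\Microsoft\HELP_READ_ME.txt",
    r"C:\Recovery\HELP_READ_ME.txt",
    r"C:\ProgramData\HELP_READ_ME.txt",
    r"C:\PerfLogs\HELP_READ_ME.txt",
    r"C:\Users\HELP_READ_ME.txt",
    r"C:\ProgramData\Adobe\HELP_READ_ME.txt",
    r"C:\PerfLogs\Admin\HELP_READ_ME.txt",
]
FILE_EVENTS = [{"pid": 2368, "path": p, "sha256": NOTE_SHA256} for p in NOTE_PATHS] + [
    {"pid": 2368, "path": r"C:\Users\Administrator\AppData\Local\Temp\enc.bin", "sha256": ENC_SHA256},
    {"pid": 2356, "path": r"C:\Users\admin\Documents\notes.txt", "sha256": "0" * 64},  # assumed benign
]

# Constructed registry events: a subset of the report's modification-events list.
REG_EVENTS = [
    {"pid": 2368, "op": "write", "key": r"HKEY_CURRENT_USER\Software\Decryption\RSAKeys", "name": "PublicKey"},
    {"pid": 2368, "op": "write", "key": r"HKEY_CURRENT_USER\Software\Decryption\RSAKeys", "name": "EncryptedKey"},
    {"pid": 2368, "op": "write", "key": r"HKEY_CURRENT_USER\Control Panel\Desktop", "name": "WallpaperStyle"},
    {"pid": 2368, "op": "write", "key": r"HKEY_CURRENT_USER\Control Panel\Desktop", "name": "TileWallpaper"},
    {"pid": 2368, "op": "write",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
     "name": "AutoDetect"},
    {"pid": 2368, "op": "delete value",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
     "name": "ProxyBypass"},
]

KEY_MATERIAL_RE = re.compile(r"(public|private|session|encrypted|master)key", re.I)
WALLPAPER_VALUES = {"wallpaper", "wallpaperstyle", "tilewallpaper"}


def triage(file_events, reg_events, min_dirs=5):
    """Score each PID on: a same-hash file written into >= min_dirs directories (+2),
    key-material value names under a non-Microsoft Software key (+1 each), and a
    wallpaper change (+1 once). ZoneMap changes are counted but never scored."""
    def fresh():
        return {"note_sweep": None, "key_material": [], "wallpaper_change": False,
                "zonemap_noise": 0, "score": 0}
    per_pid = defaultdict(fresh)

    # (pid, file name, hash) -> set of directories the identical file was written to
    sweeps = defaultdict(set)
    for ev in file_events:
        p = PureWindowsPath(ev["path"])
        sweeps[(ev["pid"], p.name.lower(), ev["sha256"].lower())].add(str(p.parent).lower())
    for (pid, name, sha), dirs in sweeps.items():
        if len(dirs) >= min_dirs:
            per_pid[pid]["note_sweep"] = {"name": name, "sha256": sha, "dirs": len(dirs)}
            per_pid[pid]["score"] += 2

    for ev in reg_events:
        rec = per_pid[ev["pid"]]
        key, name = ev["key"].lower(), ev["name"].lower()
        if "\\internet settings\\zonemap" in key:
            rec["zonemap_noise"] += 1  # WinINet zone initialisation, seen from benign software too
            continue
        if ev["op"] != "write":
            continue
        if key.endswith("control panel\\desktop") and name in WALLPAPER_VALUES:
            if not rec["wallpaper_change"]:
                rec["wallpaper_change"] = True
                rec["score"] += 1
        elif KEY_MATERIAL_RE.search(name) and "\\software\\" in key and "\\software\\microsoft\\" not in key:
            rec["key_material"].append(ev["name"])
            rec["score"] += 1

    return {pid: rec for pid, rec in per_pid.items() if rec["score"] > 0}


if __name__ == "__main__":
    for pid, rec in triage(FILE_EVENTS, REG_EVENTS).items():
        print(pid, rec)
```

The directory threshold is what separates a ransom-note sweep from ordinary software that writes the same small file in two or three places; the registry rule deliberately ignores everything under Software\Microsoft so that the ZoneMap churn and similar system noise never contribute to the score.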
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP:port                Reputation
4     System       192.168.100.255:137    whitelisted
1080  svchost.exe  224.0.0.252:5355       whitelisted
4     System       192.168.100.255:138    whitelisted

(The Domain, ASN and CN columns were empty for all three rows; the summary counts five TCP/UDP connections but shows three.) None of the connections belongs to payload.exe: PID 4 (System) sending to the subnet broadcast address on UDP 137 and 138 is NetBIOS name-service and datagram traffic, and svchost.exe to 224.0.0.252:5355 is LLMNR multicast, both background Windows name resolution. With no HTTP requests and no IDS alerts, the sample produced no observable command-and-control traffic during the task, which is consistent with the registry artifacts above (RSA public key and encrypted key kept locally) of a sample that can finish its work offline.

DNS requests

Domain      IP               Reputation
google.com  142.250.186.78   whitelisted

The summary does not attribute the google.com lookup to any process, and no HTTP request followed it.

Threats

No threats detected (no Suricata signatures fired on the captured traffic).
No debug info