File name: artmoney818rus64.exe

Full analysis: https://app.any.run/tasks/b00754d4-085e-4149-afd7-6f87b7a2fb21
Verdict: Malicious activity
Analysis date: July 24, 2024, 10:03:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 419863CD2CBE325DA030324409735378
SHA1: 6502CED6DD8A82F1F53CC24345AC7C1EB7E55EBA
SHA256: 934D6F63150C3592BB64947D2D47040E63B25B2269579B7BC589874BEE03F353
SSDEEP: 98304:wkOGyislRVDEm2KHV17G9BxJcjLWNtEBCbyiC8nJqM6UncDo9KRqL/UC1mHmg0Ft:OyP4PY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • artmoney818rus64.exe (PID: 1468)
      • artmoney818rus64.exe (PID: 3184)
      • artmoney818rus64.tmp (PID: 7148)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • artmoney818rus64.tmp (PID: 2472)
    • Executable content was dropped or overwritten
      • artmoney818rus64.exe (PID: 1468)
      • artmoney818rus64.exe (PID: 3184)
      • artmoney818rus64.tmp (PID: 7148)
    • Reads the date of Windows installation
      • artmoney818rus64.tmp (PID: 2472)
    • Process drops legitimate Windows executable
      • artmoney818rus64.tmp (PID: 7148)
    • Reads the Windows owner or organization settings
      • artmoney818rus64.tmp (PID: 7148)
  • INFO
    • Checks supported languages
      • artmoney818rus64.exe (PID: 1468)
      • artmoney818rus64.tmp (PID: 2472)
      • artmoney818rus64.exe (PID: 3184)
      • am818.exe (PID: 836)
      • artmoney818rus64.tmp (PID: 7148)
    • Creates files in a temporary directory
      • artmoney818rus64.exe (PID: 1468)
      • artmoney818rus64.exe (PID: 3184)
      • artmoney818rus64.tmp (PID: 7148)
    • Reads the computer name
      • artmoney818rus64.tmp (PID: 2472)
      • artmoney818rus64.tmp (PID: 7148)
      • am818.exe (PID: 836)
    • Creates a software uninstall entry
      • artmoney818rus64.tmp (PID: 7148)
    • Manual execution by a user
      • am818.exe (PID: 1108)
      • am818.exe (PID: 836)
    • Creates files in the program directory
      • artmoney818rus64.tmp (PID: 7148)
    • Checks proxy server information
      • slui.exe (PID: 4152)
    • Reads the software policy settings
      • slui.exe (PID: 4152)
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (45.2)
.dll | Win32 Dynamic Link Library (generic) (20.9)
.exe | Win32 Executable (generic) (14.3)
.exe | Win16/32 Executable Delphi generic (6.6)
.exe | Generic Win/DOS Executable (6.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:07:09 07:58:13+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 65024
InitializedDataSize: 50688
UninitializedDataSize: -
EntryPoint: 0x113bc
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 8.1.8.1
ProductVersionNumber: 8.1.8.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: System SoftLab
FileDescription: ArtMoney SE v8.18
FileVersion: 8.18.1
LegalCopyright: Copyright © 1996-2024, System SoftLab
ProductName: ArtMoney SE
ProductVersion: 8.18.1
No data.
Total processes: 132
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Process information

PID: 836
CMD: "C:\Games\ArtMoney\am818.exe"
Path: C:\Games\ArtMoney\am818.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Version: 1.0.0.0

PID: 1108
CMD: "C:\Games\ArtMoney\am818.exe"
Path: C:\Games\ArtMoney\am818.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.0.0.0

PID: 1468
CMD: "C:\Users\admin\Desktop\artmoney818rus64.exe"
Path: C:\Users\admin\Desktop\artmoney818rus64.exe
Parent process: explorer.exe
User: admin
Company: System SoftLab
Integrity Level: MEDIUM
Description: ArtMoney SE v8.18
Exit code: 0
Version: 8.18.1
Modules (Images):
  c:\users\admin\desktop\artmoney818rus64.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\oleaut32.dll

PID: 2472
CMD: "C:\Users\admin\AppData\Local\Temp\is-0884Q.tmp\artmoney818rus64.tmp" /SL5="$B003E,3489359,116736,C:\Users\admin\Desktop\artmoney818rus64.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-0884Q.tmp\artmoney818rus64.tmp
Parent process: artmoney818rus64.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0

PID: 3184
CMD: "C:\Users\admin\Desktop\artmoney818rus64.exe" /SPAWNWND=$5004C /NOTIFYWND=$B003E
Path: C:\Users\admin\Desktop\artmoney818rus64.exe
Parent process: artmoney818rus64.tmp
User: admin
Company: System SoftLab
Integrity Level: HIGH
Description: ArtMoney SE v8.18
Exit code: 0
Version: 8.18.1

PID: 4152
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 5692
CMD: "c:\Games\ArtMoney\am818.exe"
Path: C:\Games\ArtMoney\am818.exe
Parent process: artmoney818rus64.tmp
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.0.0.0
Modules (Images):
  c:\games\artmoney\am818.exe
  c:\windows\system32\ntdll.dll

PID: 7148
CMD: "C:\Users\admin\AppData\Local\Temp\is-HJGKN.tmp\artmoney818rus64.tmp" /SL5="$3029C,3489359,116736,C:\Users\admin\Desktop\artmoney818rus64.exe" /SPAWNWND=$5004C /NOTIFYWND=$B003E
Path: C:\Users\admin\AppData\Local\Temp\is-HJGKN.tmp\artmoney818rus64.tmp
Parent process: artmoney818rus64.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Total events: 813
Read events: 813
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 16
Suspicious files: 1
Text files: 46
Unknown types: 11

Dropped files

All files below were dropped by artmoney818rus64.tmp (PID 7148); type: executable.

C:\Games\ArtMoney\is-MQ118.tmp
  MD5: 7A383C69499478A6681CB9D0EF0B7B27
  SHA256: 744E870D523C329F7D7189C810647DA5B02CCC770C717C62A171CFBEB584FE91
C:\Users\admin\AppData\Local\Temp\is-290UD.tmp\_isetup\_setup64.tmp
  MD5: 526426126AE5D326D0A24706C77D8C5C
  SHA256: B20A8D88C550981137ED831F2015F5F11517AEB649C29642D9D61DEA5EBC37D1
C:\Games\ArtMoney\Uninstall\is-DVKF7.tmp
  MD5: 72E532B83BDDE4963F4C71205D8DC8AE
  SHA256: 561E02D6EA5C3C78D70322D98A293B73AE9F52AA909146DB790A28727BF59443
C:\Games\ArtMoney\is-G8708.tmp
  MD5: 0BCAB4EFE492F734F27E0220FF18E40C
  SHA256: 3B01AA1032A13F72AF5D01946A9043A96D6E1637F6568B7FEA23384563602756
C:\Games\ArtMoney\is-51GBC.tmp
  MD5: D2D936ABCF90E27F74E45ED9DEB8D305
  SHA256: 827BFE33964C712A16E43E7D8DFF952195F5324DED02F56D4A3076D11688BBA2
C:\Games\ArtMoney\Uninstall\unins000.exe
  MD5: 72E532B83BDDE4963F4C71205D8DC8AE
  SHA256: 561E02D6EA5C3C78D70322D98A293B73AE9F52AA909146DB790A28727BF59443
C:\Games\ArtMoney\am818.exe
  MD5: 4294C8E12D946D2F2D9659AC58B49796
  SHA256: CA1C28DB5CD51C38615A3B66EEEC64F52085417B4F1476A42CB79595C8B3BD4D
C:\Games\ArtMoney\am818l32.dll
  MD5: 9B6167B663AF0649ED931397B5011517
  SHA256: 8A36673212E1468B3C0D93A0ABA01BD8C065DD9B6D9A5228C65427CF8C6F1574
C:\Games\ArtMoney\am818s.dll
  MD5: 0BCAB4EFE492F734F27E0220FF18E40C
  SHA256: 3B01AA1032A13F72AF5D01946A9043A96D6E1637F6568B7FEA23384563602756
C:\Games\ArtMoney\am818s32.dll
  MD5: D2D936ABCF90E27F74E45ED9DEB8D305
  SHA256: 827BFE33964C712A16E43E7D8DFF952195F5324DED02F56D4A3076D11688BBA2
HTTP(S) requests: 3
TCP/UDP connections: 16
DNS requests: 6
Threats: 1

HTTP requests

Method | HTTP Code | IP | URL | (remaining reported fields: CN/Type/Size/Reputation, as extracted)
POST | 401 | 4.209.32.67:443 | https://licensing.mp.microsoft.com/v7.0/licenses/content | unknown, binary, 340 b
POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown, xml, 512 b
POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown, xml, 512 b

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6012 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4292 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4016 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.23.209.191:443 | - | Akamai International B.V. | GB | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
4204 | svchost.exe | 4.209.32.67:443 | licensing.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6012 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4468 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59 | whitelisted
google.com | 142.250.186.142 | whitelisted
licensing.mp.microsoft.com | 4.209.32.67 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

Class: Generic Protocol Command Decode
Message: SURICATA HTTP Request unrecognized authorization method
No debug info