Malware analysis 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe Malicious activity

Add for printing

File name:	9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe
Full analysis:	https://app.any.run/tasks/79e24c23-6817-491a-bf26-505edca1050c
Verdict:	Malicious activity
Analysis date:	June 05, 2024, 00:34:37
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	E31CB2F51EBBCC98CA9F51645727EB00
SHA1:	21AAAEEF4C596DDD52828C90B5B589492B29852F
SHA256:	9A69333EA5E1C25E41D44EE7CF4437174EDE831051A3F02E3AC657290065C6A7
SSDEEP:	98304:/JG1nKmXGvFWD9F9xmrNivSSIkfKTzzbv/NbEJg487E6bNdRHNjotMFSatbmmsOP:Emv9LI/qgKpLhAyBuN+0fpo6aKO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6368)
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6668)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6368)
- Reads the date of Windows installation
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6368)
- Application launched itself
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6368)
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6536)
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6668)
- Executes as Windows Service
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6612)
- Executable content was dropped or overwritten
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6668)
INFO
- Checks supported languages
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6368)
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6536)
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6612)
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6668)
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6712)
- Reads the computer name
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6368)
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6536)
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6612)
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6668)
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6712)
- Process checks computer location settings
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6368)
- Creates files in the program directory
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6536)
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6668)
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6712)
- Creates files or folders in the user directory
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6668)
- Reads CPU info
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6668)
- Reads the machine GUID from the registry
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6536)
  - 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe (PID: 6668)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	UPX compressed Win32 Executable (87.1)
.exe	\|	Generic Win/DOS Executable (6.4)
.exe	\|	DOS Executable Generic (6.4)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2022:06:09 10:29:38+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14
CodeSize:	13553664
InitializedDataSize:	139264
UninitializedDataSize:	23891968
EntryPoint:	0x23b6470
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	1.0.2.47613
ProductVersionNumber:	1.0.2.47613
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Unknown
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Shanghai Best Oray Information Technology Co., Ltd.
FileDescription:	Sunlogin Lite64
FileVersion:	1.0.2.47613
InternalName:	SunloginClient
LegalCopyright:	Shanghai Best Oray Information Technology Co., Ltd.
OriginalFileName:	SunloginClient.exe
ProductName:	Sunlogin Lite64
ProductVersion:	1,0,2,47613

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

128

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

6368

"C:\Users\admin\AppData\Local\Temp\9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe"

C:\Users\admin\AppData\Local\Temp\9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe

explorer.exe

User:

admin

Company:

Shanghai Best Oray Information Technology Co., Ltd.

Integrity Level:

MEDIUM

Description:

Sunlogin Lite64

Exit code:

Version:

1.0.2.47613

Modules

Images
c:\users\admin\appdata\local\temp\9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6536

"C:\Users\admin\AppData\Local\Temp\9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe"

C:\Users\admin\AppData\Local\Temp\9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe

9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe

User:

admin

Company:

Shanghai Best Oray Information Technology Co., Ltd.

Integrity Level:

HIGH

Description:

Sunlogin Lite64

Version:

1.0.2.47613

Modules

Images
c:\users\admin\appdata\local\temp\9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6612

C:\Users\admin\AppData\Local\Temp\9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe --mod=servicesvc

C:\Users\admin\AppData\Local\Temp\9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe

services.exe

User:

SYSTEM

Company:

Shanghai Best Oray Information Technology Co., Ltd.

Integrity Level:

SYSTEM

Description:

Sunlogin Lite64

Exit code:

Version:

1.0.2.47613

Modules

Images
c:\users\admin\appdata\local\temp\9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\comdlg32.dll

6668

"C:\Users\admin\AppData\Local\Temp\9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe" --mod=service

C:\Users\admin\AppData\Local\Temp\9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe

9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe

User:

admin

Company:

Shanghai Best Oray Information Technology Co., Ltd.

Integrity Level:

HIGH

Description:

Sunlogin Lite64

Version:

1.0.2.47613

Modules

Images
c:\users\admin\appdata\local\temp\9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6712

C:\Users\admin\AppData\Local\Temp\9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe --mod=watch --pid=6668

C:\Users\admin\AppData\Local\Temp\9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe

9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe

User:

admin

Company:

Shanghai Best Oray Information Technology Co., Ltd.

Integrity Level:

HIGH

Description:

Sunlogin Lite64

Version:

1.0.2.47613

Modules

Images
c:\users\admin\appdata\local\temp\9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

5 230

Read events

5 219

Write events

Delete events

Modification events


(PID) Process:	(6368) 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6368) 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6368) 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6368) 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6536) 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\sl-lite
Operation:	write	Name:	URL Protocol
Value: C:\Users\admin\AppData\Local\Temp\9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe
(PID) Process:	(6536) 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Oray\SunLogin\SunloginClient
Operation:	write	Name:	GreenService
Value: SunloginService123611185
(PID) Process:	(6536) 9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Oray\SunLogin\SunloginClient
Operation:	delete value	Name:	GreenService
Value: SunloginService123611185

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6536	9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	C:\ProgramData\Oray\SunloginClient\sensors\distinct		text
		MD5:D09F7ECDA3D2C5F9E51F94A1DF6937F5	SHA256:1AB47FB84BB379613359C06BB00BC7DEFC95C663104CD0D228F0FE853581E86F
6668	9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	C:\Users\admin\AppData\Roaming\Oray\SunloginClientLite\sys_lite_config.ini		text
		MD5:93A6B57DB1AECC0F780EE7D5CC7DD2DA	SHA256:F2081B8AF2FC613196B8F00CC3D3B98D13F35B08F574136C2F115833000282B4
6668	9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	C:\Users\admin\AppData\Roaming\Oray\SunloginClientLite\agent\DesktopAgent.exe		executable
		MD5:1AE547F19FE674E0584E3FAC5E64296A	SHA256:62834E0BA10438848EEC041BAE4B1350023FDB39605F16B598FF6F281E9C1799
6668	9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	C:\ProgramData\Oray\SunloginClientLite\config.ini		text
		MD5:BA9290E5FAB7C871F78AEC752759C503	SHA256:03331608D0BF847CA0E83ED74145A585B87A15F859040F33CA336B60758AD1D7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4856	svchost.exe	GET	200	23.53.41.248:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
4856	svchost.exe	GET	200	23.48.10.36:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
1608	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown
400	SIHClient.exe	GET	200	23.48.10.36:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	unknown
400	SIHClient.exe	GET	200	23.48.10.36:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	unknown
2908	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	unknown
7164	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1744	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5140	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	239.255.255.250:1900	—	—	—	unknown
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	255.255.255.255:5656	—	—	—	unknown
6668	9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	47.111.169.221:443	slapi.oray.net	Hangzhou Alibaba Advertising Co.,Ltd.	CN	unknown
6536	9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	114.215.189.130:443	ddns.oray.com	Hangzhou Alibaba Advertising Co.,Ltd.	CN	unknown
6668	9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	47.96.229.23:443	rc10-fc02.oray.com	Hangzhou Alibaba Advertising Co.,Ltd.	CN	unknown
4856	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4856	svchost.exe	23.53.41.248:80	crl.microsoft.com	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
slapi.oray.net	47.111.169.221 47.111.107.239	unknown
rc10-fc02.oray.com	47.96.229.23 116.62.21.65	unknown
ddns.oray.com	114.215.189.130 114.215.199.192	unknown
settings-win.data.microsoft.com	40.127.240.158	whitelisted
crl.microsoft.com	23.53.41.248 23.53.42.18	whitelisted
www.microsoft.com	23.48.10.36	whitelisted
sl-log.oray.net	47.97.183.66 120.26.160.74 47.97.162.230 47.97.106.171 121.41.32.171 121.199.72.21 47.97.186.100 121.40.118.44	unknown
pubsub02.oray.net	47.98.140.171 47.97.126.85 47.97.111.19 47.97.156.111 112.124.6.10 101.37.148.156 112.124.32.90 118.31.13.204 118.31.34.42	unknown
login.live.com	40.126.32.76 20.190.160.14 20.190.160.17 20.190.160.22 40.126.32.68 40.126.32.72 40.126.32.134 40.126.32.133	whitelisted
go.microsoft.com	23.54.45.211	whitelisted

Threats

No threats detected

Add for printing

Process	Message
9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	[6372] 2024-06-05 00:34:49.880 - Info - [dpi] DPIAwareness set 2 success.
9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	[6372] 2024-06-05 00:34:49.880 = Debug = [select_tracker] run ok
9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	[6372] 2024-06-05 00:34:49.880 = Debug = [select_tracker] run ok
9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	[6372] 2024-06-05 00:34:49.880 = Debug = [select_tracker] run ok
9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	[6400] 2024-06-05 00:34:49.880 = Debug = [thread] set thread name Thread-6400 4e8ebd10 / 6400
9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	[6372] 2024-06-05 00:34:49.880 = Debug = [select_tracker] run ok
9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	[6396] 2024-06-05 00:34:49.880 = Debug = [thread] set thread name Thread-6396 4e8eb770 / 6396
9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	[6404] 2024-06-05 00:34:49.896 = Debug = [thread] set thread name Thread-6404 4e8eb230 / 6404
9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	[6372] 2024-06-05 00:34:50.154 - Info - config path: ð¸ˆNÂ
9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe	[6556] 2024-06-05 00:34:51.000 = Debug = [thread] set thread name Thread-6556 5073a5a0 / 6556

General Info

9a69333ea5e1c25e41d44ee7cf4437174ede831051a3f02e3ac657290065c6a7.exe

E31CB2F51EBBCC98CA9F51645727EB00

21AAAEEF4C596DDD52828C90B5B589492B29852F

9A69333EA5E1C25E41D44EE7CF4437174EDE831051A3F02E3AC657290065C6A7

98304:/JG1nKmXGvFWD9F9xmrNivSSIkfKTzzbv/NbEJg487E6bNdRHNjotMFSatbmmsOP:Emv9LI/qgKpLhAyBuN+0fpo6aKO

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Application launched itself

Executes as Windows Service

Executable content was dropped or overwritten

INFO

Checks supported languages

Reads the computer name

Process checks computer location settings

Creates files in the program directory

Creates files or folders in the user directory

Reads CPU info

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings