File name:	a440a5597de165566eeb12b8808ef88ad5fa2a04a6a4fef51b1793499d8e7b26.bin
Full analysis:	https://app.any.run/tasks/3ea4bc90-c9d0-4f44-93a4-b7ea4c926df3
Verdict:	Malicious activity
Analysis date:	June 21, 2025, 17:26:06
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 10 sections
MD5:	FE3C84D9A1572F22F3498E19E48669E0
SHA1:	FBC96222ED826A0BF753AC68AA841562A48CDFF7
SHA256:	A440A5597DE165566EEB12B8808EF88AD5FA2A04A6A4FEF51B1793499D8E7B26
SSDEEP:	98304:EtA8CkNzyGuFvfqJSjV7cZpFItXyENaPlUBI5uMNNPBsg5mlaf2b+T4+TdMI7U/f:E5n1n

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2025:06:20 16:12:18+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14
CodeSize:	434688
InitializedDataSize:	99328
UninitializedDataSize:	-
EntryPoint:	0x457c0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line
FileVersionNumber:	10.0.19041.3636
ProductVersionNumber:	10.0.19041.3636
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Sxs Tracing Tool
FileVersion:	10.0.19041.3636 (WinBuild.160101.0800)
InternalName:	sxstrace.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	sxstrace.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.19041.3636


(PID) Process:	(316) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	RGZVVRNE
Value: C:\Users\admin\AppData\Roaming\avrthmriomco\upgngcodhcfv.exe
(PID) Process:	(984) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	RGZVVRNE
Value: C:\Users\admin\AppData\Roaming\avrthmriomco\upgngcodhcfv.exe
(PID) Process:	(6492) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	RGZVVRNE
Value: C:\Users\admin\AppData\Roaming\avrthmriomco\upgngcodhcfv.exe

PID	Process	Filename		Type
6360	a440a5597de165566eeb12b8808ef88ad5fa2a04a6a4fef51b1793499d8e7b26.bin.exe	C:\Users\admin\AppData\Roaming\avrthmriomco\upgngcodhcfv.exe		executable
		MD5:FE3C84D9A1572F22F3498E19E48669E0	SHA256:A440A5597DE165566EEB12B8808EF88AD5FA2A04A6A4FEF51B1793499D8E7B26

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	184.24.77.22:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	184.24.77.22:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	13.85.23.206:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
2228	RUXIMICS.exe	GET	200	184.24.77.22:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2228	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	304	4.245.163.56:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	POST	200	40.126.32.76:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	GET	200	4.245.163.56:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	compressed	23.9 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2228	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	184.24.77.22:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	184.24.77.22:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2228	RUXIMICS.exe	184.24.77.22:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208	whitelisted
google.com	142.250.185.78	whitelisted
crl.microsoft.com	184.24.77.22 184.24.77.27 184.24.77.6 184.24.77.23 184.24.77.30 184.24.77.28 184.24.77.38 184.24.77.37 184.24.77.24 23.55.104.172 23.55.104.190	whitelisted
www.microsoft.com	23.35.229.160 95.101.149.131	whitelisted
login.live.com	20.190.159.128 40.126.31.2 20.190.159.4 40.126.31.3 20.190.159.130 40.126.31.129 40.126.31.73 40.126.31.0	whitelisted
client.wns.windows.com	172.211.123.248 172.211.123.250	whitelisted
nexusrules.officeapps.live.com	52.111.227.13	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

a440a5597de165566eeb12b8808ef88ad5fa2a04a6a4fef51b1793499d8e7b26.bin

FE3C84D9A1572F22F3498E19E48669E0

FBC96222ED826A0BF753AC68AA841562A48CDFF7

A440A5597DE165566EEB12B8808EF88AD5FA2A04A6A4FEF51B1793499D8E7B26

98304:EtA8CkNzyGuFvfqJSjV7cZpFItXyENaPlUBI5uMNNPBsg5mlaf2b+T4+TdMI7U/f:E5n1n

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

Application launched itself

Uses REG/REGEDIT.EXE to modify registry

Executable content was dropped or overwritten

Starts itself from another location

INFO

The sample compiled with english language support

Checks supported languages

Launching a file from a Registry key

Creates files or folders in the user directory

Manual execution by a user

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings