File name: appFile.exe

Full analysis: https://app.any.run/tasks/ea0ac242-68a2-453b-bee3-bb8b569ff50a
Verdict: Malicious activity
Analysis date: January 10, 2025, 10:20:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: autoit, autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 8E9470197062CC090F733B985F2DE5D4
SHA1: D99FA5C8EE7EDB80FFCDF6E777B43E08D5456103
SHA256: ABA80A73B34A6FEE80168217A4642F618AADD7F97803BB57242025068DA3CE7B
SSDEEP: 196608:RuXHPUc60m47SPRJi/JekWuUXLFBN9b1ahAHTWeQ2gfnJWGIlNFt:RGSn1aIenGv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • AutoIt loader has been detected (YARA)
      • Gui.com (PID: 6992)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • appFile.exe (PID: 6596)
    • Executing commands from ".cmd" file
      • appFile.exe (PID: 6596)
    • Starts CMD.EXE for commands execution
      • appFile.exe (PID: 6596)
      • cmd.exe (PID: 6652)
    • Get information on the list of running processes
      • cmd.exe (PID: 6652)
    • Using 'findstr.exe' to search for text patterns in files and output
      • cmd.exe (PID: 6652)
    • Application launched itself
      • cmd.exe (PID: 6652)
    • Starts the AutoIt3 executable file
      • cmd.exe (PID: 6652)
    • Starts application with an unusual extension
      • cmd.exe (PID: 6652)
    • The executable file from the user directory is run by the CMD process
      • Gui.com (PID: 6992)
  • INFO
    • Reads the computer name
      • appFile.exe (PID: 6596)
      • extrac32.exe (PID: 6896)
      • Gui.com (PID: 6992)
    • Creates files or folders in the user directory
      • appFile.exe (PID: 6596)
      • extrac32.exe (PID: 6896)
    • Checks supported languages
      • appFile.exe (PID: 6596)
      • extrac32.exe (PID: 6896)
      • Gui.com (PID: 6992)
    • Process checks computer location settings
      • appFile.exe (PID: 6596)
    • Creates a new folder
      • cmd.exe (PID: 6876)
    • Reads the software policy settings
      • Gui.com (PID: 6992)
    • Reads the machine GUID from the registry
      • Gui.com (PID: 6992)
    • Reads mouse settings
      • Gui.com (PID: 6992)
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (78.4)
.exe | Win32 EXE PECompact compressed (generic) (3.8)
.exe | Win32 Executable MS Visual C++ (generic) (2.8)
.exe | Win64 Executable (generic) (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:09:26 13:21:28+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 28160
InitializedDataSize: 653312
UninitializedDataSize: 16896
EntryPoint: 0x3883
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
Total processes: 123
Monitored processes: 15
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph: appfile.exe, cmd.exe, conhost.exe, tasklist.exe, findstr.exe, tasklist.exe, findstr.exe, cmd.exe, extrac32.exe, findstr.exe, cmd.exe, cmd.exe, gui.com, choice.exe, svchost.exe

Process information

PID | CMD | Path | Parent process
2192 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe
User: NETWORK SERVICE | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Host Process for Windows Services | Version: 10.0.19041.1 (WinBuild.160101.0800)
6596 | "C:\Users\admin\Desktop\appFile.exe" | C:\Users\admin\Desktop\appFile.exe | explorer.exe
User: admin | Integrity Level: MEDIUM | Exit code: 0
6652 | "C:\Windows\System32\cmd.exe" /c move Ips Ips.cmd & Ips.cmd | C:\Windows\SysWOW64\cmd.exe | appFile.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 1 | Version: 10.0.19041.3636 (WinBuild.160101.0800)
6660 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
6712 | tasklist | C:\Windows\SysWOW64\tasklist.exe | cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Lists the current running tasks | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
6720 | findstr /I "opssvc wrsa" | C:\Windows\SysWOW64\findstr.exe | cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Find String (QGREP) Utility | Exit code: 1 | Version: 10.0.19041.1 (WinBuild.160101.0800)
6820 | tasklist | C:\Windows\SysWOW64\tasklist.exe | cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Lists the current running tasks | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
6828 | findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" | C:\Windows\SysWOW64\findstr.exe | cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Find String (QGREP) Utility | Exit code: 1 | Version: 10.0.19041.1 (WinBuild.160101.0800)
6876 | cmd /c md 473587 | C:\Windows\SysWOW64\cmd.exe | cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.3636 (WinBuild.160101.0800)
6896 | extrac32 /Y /E Metallic | C:\Windows\SysWOW64\extrac32.exe | cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft® CAB File Extract Utility | Exit code: 0 | Version: 5.00 (WinBuild.160101.0800)
Total events: 3 901
Read events: 3 901
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 19
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6896 | extrac32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Sailing | binary
  MD5: 90E084E0DE9BC06DB48F8C4A44968105
  SHA256: B4CDB99602323867A974A3B51484F3C315F9A626B5C883EFD10E0E6B0ABA7A3B
6596 | appFile.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Documentation | binary
  MD5: 1DE34608491DC72C7F881263715BD4A5
  SHA256: 9B19FDF73FC6AD05386046165AF5E0721535A31BEA395669E80CB4F7184E6FEF
6596 | appFile.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Fruit | binary
  MD5: 9167A8A49DC18E63DF8F7173C2DA5094
  SHA256: DCC1D1F61FB4F61B18B05E45B92BA7522FE555FC2D016F58697B574FD99DE2DE
6596 | appFile.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Ips | text
  MD5: 932E77F4346C15FB44476F3DC340F1BE
  SHA256: 76AF347FAAED4C3C1D3AD41F6BA88573AE236242720E6CBC0E4844DCBE656664
6596 | appFile.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Civil | binary
  MD5: 88328166A2AB03B661C74B7CFD2D122B
  SHA256: F32E0AA35B7EAD1C1F80E489ABA078FCFEFA335CC29D8F85A17D60BC9BF1D10C
6896 | extrac32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Continent | binary
  MD5: F46AE2EC08211D846EEF8A6D25EE6EBE
  SHA256: D47F9A1E03327FEA4A1832413331FC958D31D52F1ED2C32DAC107C00149BD6A2
6596 | appFile.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Scottish | binary
  MD5: 62C6267C11124D4BD67EF8EA7ABAEC49
  SHA256: 6E8F52129C2B395F1FD5A9C0138F0520C7B5EE67FE6D1C2058F6206403968927
6596 | appFile.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Activation | binary
  MD5: 418A3987063563ADE43EB93166FD252F
  SHA256: E6381B1FFDE5768E5EB3CDB56DC8CDD0222252632812BF0E9017BC45B4FC6B59
6596 | appFile.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Metallic | compressed
  MD5: E424E02D117BDBE845A8E681B6C37350
  SHA256: 7D6DEF57BBCB39B1DC0A7868C642ECF78CFC03528E64DD663252D2058A2FFC46
6652 | cmd.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Ips.cmd | text
  MD5: 932E77F4346C15FB44476F3DC340F1BE
  SHA256: 76AF347FAAED4C3C1D3AD41F6BA88573AE236242720E6CBC0E4844DCBE656664
HTTP(S) requests: 5
TCP/UDP connections: 19
DNS requests: 17
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 92.122.104.90:443 | https://steamcommunity.com/profiles/76561199724331900 | unknown | html | 25.1 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 2.16.204.152:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6992 | Gui.com | 92.122.104.90:443 | steamcommunity.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 2.16.204.152, 2.16.204.151, 2.16.204.147, 2.16.204.155, 2.16.204.149, 2.16.204.158, 2.16.204.153, 2.16.204.157, 2.16.204.143 | whitelisted
google.com | 142.250.185.238 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 2.23.181.156 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
jdvjdvWSlp.jdvjdvWSlp | - | unknown
breathauthorit.cyou | - | unknown
soundtappysk.shop | - | malicious
femalsabler.shop | - | malicious
apporholis.shop | - | malicious

Threats

No threats detected
No debug info