File name: appFile.exe
Full analysis: https://app.any.run/tasks/ea0ac242-68a2-453b-bee3-bb8b569ff50a
Verdict: Malicious activity
Analysis date: January 10, 2025, 10:20:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 8E9470197062CC090F733B985F2DE5D4
SHA1: D99FA5C8EE7EDB80FFCDF6E777B43E08D5456103
SHA256: ABA80A73B34A6FEE80168217A4642F618AADD7F97803BB57242025068DA3CE7B
SSDEEP: 196608:RuXHPUc60m47SPRJi/JekWuUXLFBN9b1ahAHTWeQ2gfnJWGIlNFt:RGSn1aIenGv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • AutoIt loader has been detected (YARA)

      • Gui.com (PID: 6992)
  • SUSPICIOUS

    • Get information on the list of running processes

      • cmd.exe (PID: 6652)
    • Reads security settings of Internet Explorer

      • appFile.exe (PID: 6596)
    • Application launched itself

      • cmd.exe (PID: 6652)
    • Executing commands from ".cmd" file

      • appFile.exe (PID: 6596)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6652)
    • Starts CMD.EXE for commands execution

      • appFile.exe (PID: 6596)
      • cmd.exe (PID: 6652)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 6652)
    • Starts application with an unusual extension

      • cmd.exe (PID: 6652)
    • The executable file from the user directory is run by the CMD process

      • Gui.com (PID: 6992)
  • INFO

    • Reads the computer name

      • appFile.exe (PID: 6596)
      • extrac32.exe (PID: 6896)
      • Gui.com (PID: 6992)
    • Creates files or folders in the user directory

      • appFile.exe (PID: 6596)
      • extrac32.exe (PID: 6896)
    • Checks supported languages

      • appFile.exe (PID: 6596)
      • extrac32.exe (PID: 6896)
      • Gui.com (PID: 6992)
    • Process checks computer location settings

      • appFile.exe (PID: 6596)
    • Creates a new folder

      • cmd.exe (PID: 6876)
    • Reads mouse settings

      • Gui.com (PID: 6992)
    • Reads the software policy settings

      • Gui.com (PID: 6992)
    • Reads the machine GUID from the registry

      • Gui.com (PID: 6992)
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (78.4)
.exe | Win32 EXE PECompact compressed (generic) (3.8)
.exe | Win32 Executable MS Visual C++ (generic) (2.8)
.exe | Win64 Executable (generic) (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:09:26 13:21:28+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 28160
InitializedDataSize: 653312
UninitializedDataSize: 16896
EntryPoint: 0x3883
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
Total processes: 123
Monitored processes: 15
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes in the order the graph shows them ("no specs" is the report's label for a process that carries no specific indicator badge):
  • appfile.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • extrac32.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • gui.com
  • choice.exe (no specs)
  • svchost.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process; the per-process details follow each entry.

PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 6596
CMD: "C:\Users\admin\Desktop\appFile.exe"
Path: C:\Users\admin\Desktop\appFile.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\appfile.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6652
CMD: "C:\Windows\System32\cmd.exe" /c move Ips Ips.cmd & Ips.cmd
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: appFile.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6660
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6712
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6720
CMD: findstr /I "opssvc wrsa"
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6820
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6828
CMD: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6876
CMD: cmd /c md 473587
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6896
CMD: extrac32 /Y /E Metallic
Path: C:\Windows\SysWOW64\extrac32.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® CAB File Extract Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
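The process table above shows the loader chain in clear text: appFile.exe starts cmd.exe with "move Ips Ips.cmd & Ips.cmd" (an extensionless dropped file renamed to .cmd and run in the same command line), the batch file pipes tasklist into findstr twice looking for security-product process names (opssvc, wrsa, AvastUI, AVGUI, bdservicehost, nsWscSvc, ekrn, SophosHealth; both findstr processes exited with code 1, which for findstr means no match, so the chain went on), creates folder 473587, unpacks the dropped CAB with "extrac32 /Y /E Metallic", and finally runs Gui.com from the user directory. The Python below is an added example and not part of the ANY.RUN report: it re-derives those SUSPICIOUS indicators from process-creation events. The event schema (pid, ppid, image, cmdline) is an assumption about the telemetry source, the sample events are constructed from the report's PID, CMD and Parent process columns, and Gui.com's on-disk path and parent PID are not given in the report and are assumed. The product names behind the findstr terms and the ATT&CK technique IDs are general knowledge, not something the report states.

```python
"""Added example: re-derive the report's process-chain indicators from telemetry."""
import re
from dataclasses import dataclass

# Process names the batch script grepped for (from the report) and the product
# each belongs to (general knowledge, not stated in the report).
AV_PROCESSES = {
    "opssvc": "Quick Heal", "wrsa": "Webroot", "avastui": "Avast",
    "avgui": "AVG", "bdservicehost": "Bitdefender", "nswscsvc": "Norton",
    "ekrn": "ESET", "sophoshealth": "Sophos",
}

# "move Ips Ips.cmd & Ips.cmd": extensionless file renamed to .cmd/.bat and run.
RENAME_AND_RUN = re.compile(
    r"\bmove\s+(?:/y\s+)?(\S+)\s+(\1\.(?:cmd|bat))\s*&\s*\2\b", re.I)

# Constructed from the report's process table. The explorer.exe PID, and the
# path/parent of Gui.com (PID 6992), are not in the report and are assumed.
EVENTS = [
    {"pid": 6596, "ppid": 4000, "image": r"C:\Users\admin\Desktop\appFile.exe",
     "cmdline": r'"C:\Users\admin\Desktop\appFile.exe"'},
    {"pid": 6652, "ppid": 6596, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c move Ips Ips.cmd & Ips.cmd'},
    {"pid": 6712, "ppid": 6652, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 6720, "ppid": 6652, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": 'findstr /I "opssvc wrsa"'},
    {"pid": 6820, "ppid": 6652, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 6828, "ppid": 6652, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": 'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'},
    {"pid": 6876, "ppid": 6652, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd /c md 473587"},
    {"pid": 6896, "ppid": 6652, "image": r"C:\Windows\SysWOW64\extrac32.exe",
     "cmdline": "extrac32 /Y /E Metallic"},
    {"pid": 6992, "ppid": 6652,  # assumed location under the user profile
     "image": r"C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\473587\Gui.com",
     "cmdline": "Gui.com"},
]


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    attack: str   # MITRE ATT&CK technique ID
    detail: str


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def _findstr_terms(cmdline: str) -> list[str]:
    """Search terms of a findstr command line, lower-cased (quoted list or single arg)."""
    m = re.search(r'"([^"]*)"', cmdline)
    if m:
        return m.group(1).lower().split()
    args = [a for a in cmdline.split()[1:] if not a.startswith("/")]
    return [args[0].lower()] if args else []


def analyze(events: list[dict]) -> list[Finding]:
    by_pid = {e["pid"]: e for e in events}
    kids: dict[int, list[dict]] = {}
    for e in events:
        kids.setdefault(e["ppid"], []).append(e)
    findings = []
    for e in events:
        name, pid = _name(e["image"]), e["pid"]
        parent = by_pid.get(e["ppid"])
        parent_is_cmd = parent is not None and _name(parent["image"]) == "cmd.exe"
        children = kids.get(pid, [])
        child_names = {_name(c["image"]) for c in children}
        if name == "cmd.exe":
            m = RENAME_AND_RUN.search(e["cmdline"])
            if m:
                findings.append(Finding(pid, "rename-and-run", "T1059.003",
                                        f"{m.group(1)} renamed to {m.group(2)} and executed"))
            if "tasklist.exe" in child_names:          # tasklist | findstr <AV names>
                for c in children:
                    if _name(c["image"]) != "findstr.exe":
                        continue
                    hits = sorted({AV_PROCESSES[t] for t in _findstr_terms(c["cmdline"])
                                   if t in AV_PROCESSES})
                    if hits:
                        findings.append(Finding(c["pid"], "av-discovery", "T1518.001",
                                                "tasklist | findstr for " + ", ".join(hits)))
            if "cmd.exe" in child_names:
                findings.append(Finding(pid, "self-launch", "T1059.003", "cmd.exe spawned cmd.exe"))
        if name == "extrac32.exe" and parent_is_cmd and re.search(r"(?:^|\s)/e(?=\s|$)", e["cmdline"], re.I):
            findings.append(Finding(pid, "lolbin-extract", "T1140", f"extrac32 unpacking: {e['cmdline']}"))
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in {"com", "pif", "scr"} and e["image"].lower().startswith("c:\\users\\") and parent_is_cmd:
            findings.append(Finding(pid, "unusual-extension", "T1036",
                                    f"{name} run from the user directory by cmd.exe"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    out: dict[str, int] = {}
    for f in findings:
        out[f.rule] = out.get(f.rule, 0) + 1
    return out


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"PID {f.pid:<5} {f.rule:<18} {f.attack:<10} {f.detail}")
```

Run as a script it prints one line per finding; the two av-discovery hits name the products the findstr terms map to, which is the quickest way to see what the script was checking for before it decided to continue.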
Total events: 3,901
Read events: 3,901
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 19
Text files: 3
Unknown types: 0

Dropped files

Columns: PID, Process, Filename, Type, then the file's MD5 and SHA256.

PID: 6596  Process: appFile.exe  Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Activation
MD5: 418A3987063563ADE43EB93166FD252F
SHA256: E6381B1FFDE5768E5EB3CDB56DC8CDD0222252632812BF0E9017BC45B4FC6B59

PID: 6596  Process: appFile.exe  Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Encoding
MD5: 7EE2D94557987DBEAC1A8BF414206F63
SHA256: A1422DC69D1537BAAC01678C2EF2A2CF3DB3F8B0B3283AF06BAA71991E7CA051

PID: 6596  Process: appFile.exe  Type: compressed
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Metallic
MD5: E424E02D117BDBE845A8E681B6C37350
SHA256: 7D6DEF57BBCB39B1DC0A7868C642ECF78CFC03528E64DD663252D2058A2FFC46

PID: 6896  Process: extrac32.exe  Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Continent
MD5: F46AE2EC08211D846EEF8A6D25EE6EBE
SHA256: D47F9A1E03327FEA4A1832413331FC958D31D52F1ED2C32DAC107C00149BD6A2

PID: 6596  Process: appFile.exe  Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Civil
MD5: 88328166A2AB03B661C74B7CFD2D122B
SHA256: F32E0AA35B7EAD1C1F80E489ABA078FCFEFA335CC29D8F85A17D60BC9BF1D10C

PID: 6596  Process: appFile.exe  Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Clean
MD5: 937588E2A4494E4A0F9912023FCE07F6
SHA256: 9F95F6F88724EC7BC32B16A5C97B2AD8C0D24BFD0DC0A429010FF9B0B298F8F5

PID: 6896  Process: extrac32.exe  Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Membrane
MD5: 1E44BC506DA7439E081DEA2498280469
SHA256: 74B6145C337C2508753EFA7AF2312C4B44BDA64BB061FBE57326726FAC25421A

PID: 6896  Process: extrac32.exe  Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Wa
MD5: 20C2516CEDEDF0815E04EDA1597593DE
SHA256: C091F708383DC2F43B5F2C5E871E4F2A4EF57F4E515D26FA7759A1B56D096FFA

PID: 6596  Process: appFile.exe  Type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Ips
MD5: 932E77F4346C15FB44476F3DC340F1BE
SHA256: 76AF347FAAED4C3C1D3AD41F6BA88573AE236242720E6CBC0E4844DCBE656664

PID: 6896  Process: extrac32.exe  Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Jd
MD5: A7567F196E671F96671B95BFAB15FA57
SHA256: 2408D1FBCE48E5F54483F9C4C1B33A8C063F49F522268AC1FE6D6D67E8FD7BEA
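The sandbox types the dropped files only as binary, compressed or text, which does not say which piece is the CAB that extrac32 unpacked, which is the interpreter that ends up as Gui.com, and which is the script it is handed. The Python below is an added example, not part of the ANY.RUN report, that classifies a blob by content for offline triage. It keys on the MZ header (PE), the MSCF header (Microsoft Cabinet, the format extrac32 extracts), the 16-byte AutoIt v3 compiled-script header followed by its AU3!EA06 marker (both widely published in public YARA rules), and a printable-text heuristic with batch-command hints. A PE that also carries the AU3 header is a compiled standalone AutoIt binary; an AU3 header without a PE is a detached script, the arrangement in which a renamed AutoIt3.exe is launched with the script as its argument. The sample blobs reuse filenames from the report but their contents are constructed, not the real dropped files.

```python
"""Added example: content-based triage of dropped loader artifacts."""
import hashlib

# AutoIt v3 compiled-script header and the version marker that follows it,
# as published in public YARA rules.
AU3_HEADER = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
AU3_MARKER = b"AU3!EA06"
BATCH_HINTS = (b"@echo off", b"tasklist", b"findstr", b"extrac32", b" & ", b"%~dp0")


def is_mostly_text(data: bytes, threshold: float = 0.95) -> bool:
    """True when nearly every byte is printable ASCII or whitespace."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


def classify(data: bytes) -> dict:
    """Classify a blob: pe, pe+au3-script, cab, au3-script, batch, text or unknown-binary."""
    au3_off = data.find(AU3_HEADER)
    is_pe = data[:2] == b"MZ"
    if is_pe and au3_off != -1:
        kind = "pe+au3-script"   # interpreter with the script appended (compiled standalone)
    elif is_pe:
        kind = "pe"              # e.g. a renamed AutoIt3.exe interpreter
    elif data[:4] == b"MSCF":
        kind = "cab"             # what extrac32 /E unpacks
    elif au3_off != -1:
        kind = "au3-script"      # detached script, run via "<interpreter> <script>"
    elif is_mostly_text(data):
        lowered = data.lower()
        kind = "batch" if any(h.lower() in lowered for h in BATCH_HINTS) else "text"
    else:
        kind = "unknown-binary"  # opaque chunk; possibly one part of a split payload
    return {
        "kind": kind,
        "au3_offset": None if au3_off == -1 else au3_off,
        "marker_ok": au3_off != -1 and data[au3_off + 16:au3_off + 24] == AU3_MARKER,
        "sha256": hashlib.sha256(data).hexdigest().upper(),  # compare against the report's table
    }


def triage(files: dict[str, bytes]) -> dict[str, str]:
    """Map each dropped filename to its content class."""
    return {name: classify(blob)["kind"] for name, blob in files.items()}


# Constructed stand-ins: filenames from the report, contents invented for the demo.
SAMPLES = {
    "Ips": b'@echo off\r\ntasklist | findstr /I "opssvc wrsa"\r\nextrac32 /Y /E Metallic\r\n',
    "Metallic": b"MSCF" + b"\x00" * 60,
    "Gui.com": b"MZ" + b"\x90" * 120,
    "Jd": AU3_HEADER + AU3_MARKER + b"\x00" * 40,
    "Civil": bytes(range(256)),
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = classify(blob)
        print(f"{name:<10} {r['kind']:<15} au3@{r['au3_offset']}  {r['sha256'][:16]}...")
```

When run against the real dropped files, the sha256 field lets each result be matched back to the rows above, and an au3-script hit without a PE header is the file to hand to an AutoIt decompiler rather than to a PE tool.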
HTTP(S) requests: 5
TCP/UDP connections: 19
DNS requests: 17
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 92.122.104.90:443 | https://steamcommunity.com/profiles/76561199724331900 | unknown | html | 25.1 Kb | whitelisted
- | - | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

("-" marks a cell the report left empty.) The Connections table below attributes the steamcommunity.com session to Gui.com (PID 6992). The Reputation column rates the domain, not the request, so "whitelisted" says nothing about what the loader fetched from that profile page; the four CRL downloads are ordinary Windows certificate-revocation checks.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 2.16.204.152:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6992 | Gui.com | 92.122.104.90:443 | steamcommunity.com | AKAMAI-AS | DE | whitelisted

("-" marks a cell the report left empty.)

DNS requests

Domain | IP(s) | Reputation
www.bing.com | 2.16.204.152, 2.16.204.151, 2.16.204.147, 2.16.204.155, 2.16.204.149, 2.16.204.158, 2.16.204.153, 2.16.204.157, 2.16.204.143 | whitelisted
google.com | 142.250.185.238 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 2.23.181.156 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
jdvjdvWSlp.jdvjdvWSlp | (no answer recorded) | unknown
breathauthorit.cyou | (no answer recorded) | unknown
soundtappysk.shop | (no answer recorded) | malicious
femalsabler.shop | (no answer recorded) | malicious
apporholis.shop | (no answer recorded) | malicious

The three .shop domains are the only entries rated malicious. Neither they nor breathauthorit.cyou appear in the Connections table, so within this run the names were looked up but no session to them was recorded; the only non-Microsoft, non-Bing traffic attributed to the loader is Gui.com's HTTPS fetch of the steamcommunity.com profile page.

Threats

No threats detected
No debug info