File name:

ee.exe

Full analysis: https://app.any.run/tasks/45aadecf-33ca-4ab3-be83-c4b1f837fd75
Verdict: Malicious activity
Analysis date: November 19, 2024, 23:41:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

90155053BE360A7D687C603E584C1A03

SHA1:

837AB6C8C2F0522F4100BCC3D1843616BB836455

SHA256:

B4389989629E53EA5126B8F2F27A7E5B999DAD7C84DAB662AB4DDBA385C9529A

SSDEEP:

12288:RAg720eiO3u6Y0ZZCLvwwxBZ58mVq6AS5H8T1g720eiO3u6Y0ZZCLvwwxBZ58mVV:RAgK05N6bSWgK05N6bS3GRvz7rjg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • GWFPInstaller.exe (PID: 5660)
      • install_driver.exe (PID: 7208)
    • Registers / Runs the DLL via REGSVR32.EXE

      • GWClient.exe (PID: 7296)
      • GWClient.exe (PID: 7840)
  • SUSPICIOUS

    • Starts CMD.EXE for command execution

      • ee.exe (PID: 5832)
      • rundll32.exe (PID: 3040)
      • rundll32.exe (PID: 6864)
      • msiexec.exe (PID: 6028)
      • rundll32.exe (PID: 1820)
      • rundll32.exe (PID: 7332)
      • rundll32.exe (PID: 7916)
      • GWClient.exe (PID: 7840)
      • cmd.exe (PID: 8120)
      • rundll32.exe (PID: 4164)
      • GWW.exe (PID: 5416)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2680)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6692)
      • GWProxy.exe (PID: 6784)
      • GWClient.exe (PID: 7296)
      • GWProxy.exe (PID: 6884)
      • GWClient.exe (PID: 7840)
    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 3040)
      • rundll32.exe (PID: 6864)
      • rundll32.exe (PID: 7332)
      • rundll32.exe (PID: 6896)
      • rundll32.exe (PID: 2876)
      • rundll32.exe (PID: 1820)
      • install_driver.exe (PID: 1920)
      • GWProxy.exe (PID: 6884)
      • rundll32.exe (PID: 7916)
    • Executing commands from a ".bat" file

      • msiexec.exe (PID: 6028)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 6432)
    • Drops 7-zip archiver for unpacking

      • msiexec.exe (PID: 6432)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 6432)
      • install_driver.exe (PID: 1920)
      • GWProxy.exe (PID: 6884)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 6432)
    • Suspicious use of NETSH.EXE

      • msiexec.exe (PID: 6028)
      • GWClient.exe (PID: 7840)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 8100)
      • cmd.exe (PID: 7524)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 8032)
      • cmd.exe (PID: 5100)
      • cmd.exe (PID: 8052)
      • cmd.exe (PID: 6420)
      • cmd.exe (PID: 3888)
      • cmd.exe (PID: 8152)
      • cmd.exe (PID: 5300)
      • cmd.exe (PID: 188)
      • cmd.exe (PID: 8172)
      • cmd.exe (PID: 1144)
      • cmd.exe (PID: 7140)
      • cmd.exe (PID: 6388)
      • cmd.exe (PID: 4528)
      • cmd.exe (PID: 204)
      • cmd.exe (PID: 5600)
      • cmd.exe (PID: 7240)
      • cmd.exe (PID: 756)
      • cmd.exe (PID: 4576)
      • cmd.exe (PID: 1224)
      • cmd.exe (PID: 6792)
      • cmd.exe (PID: 5152)
      • cmd.exe (PID: 5092)
      • cmd.exe (PID: 2680)
      • cmd.exe (PID: 5492)
      • cmd.exe (PID: 6692)
      • cmd.exe (PID: 4548)
      • cmd.exe (PID: 4136)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 8052)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • GWClient.exe (PID: 7840)
    • Uses WMIC.EXE to obtain BIOS management information

      • cmd.exe (PID: 1468)
      • cmd.exe (PID: 8156)
    • Application launched itself

      • cmd.exe (PID: 8120)
    • Process uses IPCONFIG to get network configuration information

      • cmd.exe (PID: 7624)
      • cmd.exe (PID: 5300)
      • cmd.exe (PID: 5300)
      • cmd.exe (PID: 5792)
      • cmd.exe (PID: 3060)
  • INFO

    • Checks supported languages

      • ee.exe (PID: 5832)
    • Reads the machine GUID from the registry

      • ee.exe (PID: 5832)
    • Reads the computer name

      • ee.exe (PID: 5832)
    • Reads product name

      • ee.exe (PID: 5832)
    • Reads Environment values

      • ee.exe (PID: 5832)
    • Creates a new folder

      • cmd.exe (PID: 2680)
    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 712)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6372)
      • msiexec.exe (PID: 6472)
      • msiexec.exe (PID: 6432)
    • Manages system restore points

      • SrTasks.exe (PID: 7052)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 6432)
    • Application launched itself

      • firefox.exe (PID: 5236)
      • firefox.exe (PID: 1516)
    • Manual execution by a user

      • firefox.exe (PID: 5236)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2092:11:27 06:17:15+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 897024
InitializedDataSize: 20480
UninitializedDataSize: -
EntryPoint: 0xdceb6
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.9
ProductVersionNumber: 1.0.0.9
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: WindowsFormsApp2
FileVersion: 1.0.0.9
InternalName: eSafeInstaller2.exe
LegalCopyright: Copyright © 2019
LegalTrademarks: -
OriginalFileName: eSafeInstaller2.exe
ProductName: WindowsFormsApp2
ProductVersion: 1.0.0.9
AssemblyVersion: 1.0.0.9
No data.
All screenshots are available in the full report
Total processes
444
Monitored processes
310
Malicious processes
6
Suspicious processes
8

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID:
188
CMD:
C:\WINDOWS\system32\cmd.exe /c netstat -ano | findstr 6884 | find /i "close_w" /c
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
GWClient.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
PID:
204
CMD:
C:\WINDOWS\system32\cmd.exe /c netstat -ano | findstr 6884 | find /i "close_w" /c
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
GWClient.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
PID:
204
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
244
CMD:
netstat -ano
Path:
C:\Windows\SysWOW64\NETSTAT.EXE
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
TCP/IP Netstat Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
372
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
424
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
492
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
540
CMD:
netstat -ano
Path:
C:\Windows\SysWOW64\NETSTAT.EXE
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
TCP/IP Netstat Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
544
CMD:
"C:\Program Files (x86)\Guardware\Integrity Management\ScreenDPI.exe"
Path:
C:\Program Files (x86)\Guardware\Integrity Management\ScreenDPI.exe
Parent process:
GWW.exe
User:
admin
Company:
Guardware Ltd
Integrity Level:
MEDIUM
Description:
ScreenDPI
Exit code:
0
Version:
4.4.1.1
PID:
544
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
7 110
Read events
7 063
Write events
38
Delete events
9

Modification events

(PID) Process:
(5832) ee.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ee_RASAPI32
Operation:
write
Name:
EnableFileTracing
Value:
0
(PID) Process:
(5832) ee.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ee_RASAPI32
Operation:
write
Name:
EnableAutoFileTracing
Value:
0
(PID) Process:
(5832) ee.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ee_RASAPI32
Operation:
write
Name:
EnableConsoleTracing
Value:
0
(PID) Process:
(5832) ee.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ee_RASAPI32
Operation:
write
Name:
FileTracingMask
Value:
(PID) Process:
(5832) ee.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ee_RASAPI32
Operation:
write
Name:
ConsoleTracingMask
Value:
(PID) Process:
(5832) ee.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ee_RASAPI32
Operation:
write
Name:
MaxFileSize
Value:
1048576
(PID) Process:
(5832) ee.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ee_RASAPI32
Operation:
write
Name:
FileDirectory
Value:
%windir%\tracing
(PID) Process:
(5832) ee.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ee_RASMANCS
Operation:
write
Name:
EnableFileTracing
Value:
0
(PID) Process:
(5832) ee.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ee_RASMANCS
Operation:
write
Name:
EnableAutoFileTracing
Value:
0
(PID) Process:
(5832) ee.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ee_RASMANCS
Operation:
write
Name:
EnableConsoleTracing
Value:
0
Executable files
213
Suspicious files
211
Text files
242
Unknown types
9

Dropped files

PID | Process | Filename | Type
5832 | ee.exe | C:\temp\client.msi | -
MD5:
SHA256:
6372 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | binary
MD5: 4302AC33571A665623F83CAA83E9D7B7
SHA256: 85D864FDF43320E3535AD37F3D946A3BD648DF66622CBBCB079B976ABFA7FF41
6372 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSID58D.tmp | executable
MD5: 8CD9EF9A1737B4847B00710591773AB0
SHA256: DE3BE64F9CF8438A2B4085FDE6AF3B27B7A3C8947B9C0DA05F434339B2CAA791
6372 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSID793.tmp | executable
MD5: 299A5EA38CE4DE5BECC23FA49B758B81
SHA256: 776122C362D76A51C847382ACCCD4FE07612018C3420D6748F330190FFE6CB14
2680 | cmd.exe | C:\temp\RegKey.bin | text
MD5: CE88482E996665EA0E6EF369AF5858B3
SHA256: B47751DA21AC1F6EB61EAF5CE281BAEE0870322258A2B974E661A7C5AB89139F
5344 | cmd.exe | C:\temp\mac_address.bin | text
MD5: 13C777A917C5F5F6D72060E3BD3BB810
SHA256: A368D4F007575CFF675972FDA6FC3A314A4862BAC9DC3EFE6499B96DE410464D
6372 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | binary
MD5: C6B24A3A01D12F94647B0B5C7B9D800E
SHA256: 43B3EC95DDB5D5200D47EBF78EF57952721FC5D03AC240B540857296A75068D8
6432 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | -
MD5:
SHA256:
6432 | msiexec.exe | C:\Windows\Installer\f232e.msi | -
MD5:
SHA256:
6372 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary
MD5: 2234A2DA0C7BA427C516A7BA532BE7F4
SHA256: A7C433170BEB0D6D06D2B3E12790688C320E911D1217EC0EB90C6D46A28A5ABB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
114
TCP/UDP connections
152
DNS requests
119
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
US
binary
312 b
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
binary
471 b
whitelisted
6372
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
US
binary
471 b
whitelisted
6372
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
US
binary
727 b
whitelisted
6372
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAgILwPElpfkoY%2BvNMUCRGA%3D
US
binary
727 b
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
DE
binary
418 b
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
DE
binary
408 b
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
US
binary
471 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4932
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
544
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.185:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
3976
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.166
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 216.58.212.174
whitelisted
www.bing.com
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
vm14.esafeglobal.com
  • 84.22.190.112
unknown
login.live.com
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted

Threats

No threats detected
No debug info