File name: Program.exe

Full analysis: https://app.any.run/tasks/0d90b2c5-e09a-40d8-a0cd-2ab7c05ea939
Verdict: Malicious activity
Analysis date: April 04, 2026, 01:12:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: api-base64
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 1A5C77399D7296F2603E0D494E9F5D04
SHA1: 065350563ED55C00F42FF5EA5854A17CA12A1A31
SHA256: CD3EB945DA27817307A866CCA604040DAE11AB0C6CDBBB960A44A2F9B5B1BBCD
SSDEEP: 384:dFFWxTQkuF28vaPQX4hQt++++++LNrHtd5RwUYrnnnGEnxEfusHzFi3XyUTHj2Cc:zz+AlohWtdHJGnnnGExVsqxrSTdBWY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • Program.exe (PID: 5196)
    • Create files in the Startup directory

      • Program.exe (PID: 5196)
  • SUSPICIOUS

    • Starts application from unusual location

      • Program.exe (PID: 5196)
    • Executable content was dropped or overwritten

      • Program.exe (PID: 5196)
    • Creates scheduled task with ONLOGON parameter

      • Program.exe (PID: 5196)
    • Reads the date of Windows installation

      • Program.exe (PID: 5196)
    • Start notepad (likely ransomware note)

      • Program.exe (PID: 5196)
  • INFO

    • Reads the computer name

      • Program.exe (PID: 5196)
    • Checks supported languages

      • Program.exe (PID: 5196)
    • Launching a file from a Registry key

      • Program.exe (PID: 5196)
    • Create files in a temporary directory

      • Program.exe (PID: 5196)
    • Reads the machine GUID from the registry

      • Program.exe (PID: 5196)
    • Reads Environment values

      • Program.exe (PID: 5196)
    • Disables trace logs

      • Program.exe (PID: 5196)
    • Launching a file from the Startup directory

      • Program.exe (PID: 5196)
    • Uses Task Scheduler to autorun other applications (AUTOMATE)

      • Program.exe (PID: 5196)
    • Creates files or folders in the user directory

      • Program.exe (PID: 5196)
    • Potential remote process memory writing (Base64 Encoded 'WriteProcessMemory')

      • Program.exe (PID: 5196)
    • Potential remote process memory interaction (Base64 Encoded 'VirtualAllocEx')

      • Program.exe (PID: 5196)
    • Reads security settings of Internet Explorer

      • Program.exe (PID: 5196)
    • Potential access to remote process (Base64 Encoded 'OpenProcess')

      • Program.exe (PID: 5196)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (70.7)
.scr | Windows screen saver (12.6)
.dll | Win32 Dynamic Link Library (generic) (6.3)
.exe | Win32 Executable (generic) (4.3)
.exe | Win16/32 Executable Delphi generic (2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2026:04:04 01:12:21+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 33280
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0xa12e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 0.0.0.0
InternalName: Program.exe
LegalCopyright:
OriginalFileName: Program.exe
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
All screenshots are available in the full report
Total processes: 137
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → program.exe; processes in the graph: program.exe, schtasks.exe (no specs), conhost.exe (no specs), notepad.exe (no specs)

Process information

PID 2392
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 2524
CMD: "schtasks" /create /tn "SysUpdateTask" /tr "C:\Users\admin\AppData\Local\Temp\Program.exe" /sc onlogon /f
Path: C:\Windows\System32\schtasks.exe
Parent process: Program.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID 5196
CMD: "C:\Users\admin\AppData\Local\Temp\Program.exe"
Path: C:\Users\admin\AppData\Local\Temp\Program.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description:
Version: 0.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\program.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID 7660
CMD: "C:\Windows\System32\notepad.exe"
Path: C:\Windows\System32\notepad.exe
Parent process: Program.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events: 1 791
Read events: 1 774
Write events: 17
Delete events: 0

Modification events

(PID) Process: (5196) Program.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WannaCry
Operation: write | Name: infected | Value: 1

(PID) Process: (5196) Program.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write | Name: MalwareSimulation | Value: C:\Users\admin\AppData\Local\Temp\Program.exe

(PID) Process: (5196) Program.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Program_RASAPI32
Operation: write | Name: EnableFileTracing | Value: 0

(PID) Process: (5196) Program.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Program_RASAPI32
Operation: write | Name: EnableAutoFileTracing | Value: 0

(PID) Process: (5196) Program.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Program_RASAPI32
Operation: write | Name: EnableConsoleTracing | Value: 0

(PID) Process: (5196) Program.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Program_RASAPI32
Operation: write | Name: FileTracingMask | Value:

(PID) Process: (5196) Program.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Program_RASAPI32
Operation: write | Name: ConsoleTracingMask | Value:

(PID) Process: (5196) Program.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Program_RASAPI32
Operation: write | Name: MaxFileSize | Value: 1048576

(PID) Process: (5196) Program.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Program_RASAPI32
Operation: write | Name: FileDirectory | Value: %windir%\tracing

(PID) Process: (5196) Program.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Program_RASMANCS
Operation: write | Name: EnableFileTracing | Value: 0
Executable files: 3
Suspicious files: 1
Text files: 0
Unknown types: 429

Dropped files

PID 5196 | Process: Program.exe | Filename: C:\Users\admin\Desktop\eicar.txt | Type: binary
MD5: 44D88612FEA8A8F36DE82E1278ABB02F
SHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F

PID 5196 | Process: Program.exe | Filename: C:\Users\admin\Documents\invoice_1.pdf | Type: binary
MD5: 536E1AC4E1C0ED8F8C97C0911B83837F
SHA256: 40FE98647B334B4FCE2DEBC1331036EEDEAC8E245B48C28521E90DB6B8D60678

PID 5196 | Process: Program.exe | Filename: C:\Users\admin\Documents\invoice_3.pdf | Type: binary
MD5: 536E1AC4E1C0ED8F8C97C0911B83837F
SHA256: 40FE98647B334B4FCE2DEBC1331036EEDEAC8E245B48C28521E90DB6B8D60678

PID 5196 | Process: Program.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice_3.pdf | Type: binary
MD5: 536E1AC4E1C0ED8F8C97C0911B83837F
SHA256: 40FE98647B334B4FCE2DEBC1331036EEDEAC8E245B48C28521E90DB6B8D60678

PID 5196 | Process: Program.exe | Filename: C:\Users\admin\Desktop\eicar.com | Type: binary
MD5: 44D88612FEA8A8F36DE82E1278ABB02F
SHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F

PID 5196 | Process: Program.exe | Filename: C:\Users\admin\Desktop\README_WANNACRY.txt | Type: binary
MD5: 2508B3ADC605A8E0799D7FD4EF355B9B
SHA256: ECBD424C4943F6ED37DD8E3F09ECAC5EEA47BB961C735716DCBB5000B4BBCB64

PID 5196 | Process: Program.exe | Filename: C:\Users\admin\Desktop\invoice_1.pdf | Type: binary
MD5: 536E1AC4E1C0ED8F8C97C0911B83837F
SHA256: 40FE98647B334B4FCE2DEBC1331036EEDEAC8E245B48C28521E90DB6B8D60678

PID 5196 | Process: Program.exe | Filename: C:\Users\admin\AppData\Local\Temp\invoice_1.pdf | Type: binary
MD5: 536E1AC4E1C0ED8F8C97C0911B83837F
SHA256: 40FE98647B334B4FCE2DEBC1331036EEDEAC8E245B48C28521E90DB6B8D60678

PID 5196 | Process: Program.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice_1.pdf | Type: binary
MD5: 536E1AC4E1C0ED8F8C97C0911B83837F
SHA256: 40FE98647B334B4FCE2DEBC1331036EEDEAC8E245B48C28521E90DB6B8D60678

PID 5196 | Process: Program.exe | Filename: C:\Users\admin\Desktop\invoice_2.pdf | Type: binary
MD5: 536E1AC4E1C0ED8F8C97C0911B83837F
SHA256: 40FE98647B334B4FCE2DEBC1331036EEDEAC8E245B48C28521E90DB6B8D60678
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 27
TCP/UDP connections: 30
DNS requests: 21
Threats: 2

HTTP requests

PID 5276 | Process: MoUsoCoreWorker.exe | Method: GET | HTTP code: 304 | IP: 40.127.240.158:443 | CN: US | Reputation: whitelisted
URL: https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop

PID 5276 | Process: MoUsoCoreWorker.exe | Method: GET | HTTP code: 304 | IP: 40.127.240.158:443 | CN: US | Reputation: whitelisted
URL: https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30

PID 1788 | Process: SIHClient.exe | Method: GET | HTTP code: 304 | IP: 135.232.92.137:443 | CN: US | Reputation: whitelisted
URL: https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL

PID 1788 | Process: SIHClient.exe | Method: GET | HTTP code: 200 | IP: 74.179.77.164:443 | CN: US | Reputation: whitelisted
URL: https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping

PID 1788 | Process: SIHClient.exe | Method: GET | HTTP code: 200 | IP: 135.232.92.137:443 | CN: US | Reputation: whitelisted
URL: https://slscr.update.microsoft.com/sls/ping

PID 1788 | Process: SIHClient.exe | Method: GET | HTTP code: 304 | IP: 135.232.92.137:443 | CN: US | Reputation: whitelisted
URL: https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL

PID 5196 | Process: Program.exe | Method: POST | IP: 104.18.5.83:443 | CN: US | Reputation: unknown
URL: https://xoilaczzqipxt.tv/api/log

PID 7784 | Process: svchost.exe | Method: GET | HTTP code: 304 | IP: 40.127.240.158:443 | CN: US | Reputation: whitelisted
URL: https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2

PID 5316 | Process: svchost.exe | Method: POST | HTTP code: 400 | IP: 40.126.31.2:443 | CN: US | Size: 203 b | Reputation: whitelisted
URL: https://login.live.com/ppsecure/deviceaddcredential.srf

PID 5196 | Process: Program.exe | Method: POST | IP: 104.18.5.83:443 | CN: US | Reputation: unknown
URL: https://xoilaczzqipxt.tv/api/log

Connections

PID 7784 | Process: svchost.exe | IP: 51.124.78.146:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID 4 | Process: System | IP: 192.168.100.255:137 | Not routed | Reputation: whitelisted
PID 5532 | Process: SearchApp.exe | IP: 2.16.204.161:443 | Domain: www.bing.com | ASN: AKAMAI-ASN1 | CN: NL | Reputation: whitelisted
PID 5276 | Process: MoUsoCoreWorker.exe | IP: 51.124.78.146:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
IP: 48.192.1.65:443 | Domain: activation-v2.sls.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID 4 | Process: System | IP: 192.168.100.255:138 | Not routed | Reputation: whitelisted
PID 5196 | Process: Program.exe | IP: 104.18.5.83:443 | Domain: xoilaczzqipxt.tv | ASN: CLOUDFLARENET | CN: US | Reputation: whitelisted
PID 7784 | Process: svchost.exe | IP: 20.73.194.208:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID 7784 | Process: svchost.exe | IP: 2.16.164.120:80 | Domain: crl.microsoft.com | ASN: AKAMAI-ASN1 | CN: NL | Reputation: whitelisted
PID 7784 | Process: svchost.exe | IP: 23.59.18.102:80 | Domain: www.microsoft.com | ASN: AKAMAI-AS | CN: US | Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.16.204.161
  • 2.16.204.141
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
google.com
  • 142.251.110.113
  • 142.251.110.102
  • 142.251.110.101
  • 142.251.110.100
  • 142.251.110.138
  • 142.251.110.139
whitelisted
xoilaczzqipxt.tv
  • 104.18.5.83
  • 104.18.4.83
unknown
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 23.59.18.102
  • 2.23.246.101
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
ocsp.digicert.com
  • 23.11.41.157
whitelisted
slscr.update.microsoft.com
  • 135.232.92.137
whitelisted

Threats

PID 5196 | Process: Program.exe | Class: Misc activity | Message: SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
PID 7784 | Process: svchost.exe | Class: Unknown Traffic | Message: ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info