File name: BitPaymer.exe
Full analysis: https://app.any.run/tasks/0ebb54db-20c2-46d9-bab1-7dfbbe607d8d
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: June 16, 2025, 00:22:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: ransomware, auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386, for MS Windows, 8 sections
MD5: 998246BD0E51F9582B998CA514317C33
SHA1: 5A2D799AC4CCA8954FC117C7FB3E868F93C6F009
SHA256: D693C33DD550529F3634E3C7E53D82DF70C9D4FBD0C339DBC1849ADA9E539EA2
SSDEEP: 1536:gXfhIH8nkVK++cGhvca9yvncV2bdL/SY4EUZqSu5PN:g6H8kVK+nGzEYKKPr0Su5F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • BitPaymer.exe (PID: 6584)
      • UOcVGt.exe (PID: 3672)
      • g4Jq.exe (PID: 5708)
      • wGXL.exe (PID: 4680)
      • eB1.exe (PID: 4968)
      • zST.exe (PID: 4760)
      • h8QAqu.exe (PID: 1944)
      • W7Ni.exe (PID: 5252)
      • jJlG3.exe (PID: 6540)
      • cqvB9r.exe (PID: 864)
      • CSvh.exe (PID: 2964)
      • yXdqqAr.exe (PID: 7032)
    • RANSOMWARE has been detected

      • sAQG0:exe (PID: 1564)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • BitPaymer.exe (PID: 6584)
      • RKK.exe (PID: 592)
      • UOcVGt.exe (PID: 3672)
      • F5SbZW.exe (PID: 3732)
      • g4Jq.exe (PID: 5708)
      • N2rA.exe (PID: 4012)
      • wGXL.exe (PID: 4680)
      • TgP8wYE.exe (PID: 4216)
      • eB1.exe (PID: 4968)
      • oMg.exe (PID: 6376)
      • zST.exe (PID: 4760)
      • rmMUxSu.exe (PID: 6124)
      • h8QAqu.exe (PID: 1944)
      • xpADo9q.exe (PID: 3836)
      • W7Ni.exe (PID: 5252)
      • 3nlC.exe (PID: 6224)
      • jJlG3.exe (PID: 6540)
      • jM10.exe (PID: 6344)
      • cqvB9r.exe (PID: 864)
      • uy8.exe (PID: 6772)
      • CSvh.exe (PID: 2964)
      • mBmytt.exe (PID: 5372)
      • yXdqqAr.exe (PID: 7032)
      • bUB7Yi.exe (PID: 3888)
      • bMLcy.exe (PID: 5720)
      • cji.exe (PID: 5644)
    • Reads security settings of Internet Explorer

      • BitPaymer.exe (PID: 6584)
      • UOcVGt.exe (PID: 3672)
      • g4Jq.exe (PID: 5708)
      • wGXL.exe (PID: 4680)
      • eB1.exe (PID: 4968)
      • zST.exe (PID: 4760)
      • h8QAqu.exe (PID: 1944)
      • W7Ni.exe (PID: 5252)
      • jJlG3.exe (PID: 6540)
      • cqvB9r.exe (PID: 864)
      • CSvh.exe (PID: 2964)
      • yXdqqAr.exe (PID: 7032)
    • Starts CMD.EXE for commands execution

      • BitPaymer.exe (PID: 6584)
      • UOcVGt.exe (PID: 3672)
      • g4Jq.exe (PID: 5708)
      • wGXL.exe (PID: 4680)
      • eB1.exe (PID: 4968)
      • zST.exe (PID: 4760)
      • h8QAqu.exe (PID: 1944)
      • W7Ni.exe (PID: 5252)
      • jJlG3.exe (PID: 6540)
      • cqvB9r.exe (PID: 864)
      • CSvh.exe (PID: 2964)
      • yXdqqAr.exe (PID: 7032)
      • cji.exe (PID: 5644)
    • Executable content was dropped or overwritten

      • BitPaymer.exe (PID: 6584)
      • RKK.exe (PID: 592)
      • UOcVGt.exe (PID: 3672)
      • F5SbZW.exe (PID: 3732)
      • g4Jq.exe (PID: 5708)
      • N2rA.exe (PID: 4012)
      • wGXL.exe (PID: 4680)
      • TgP8wYE.exe (PID: 4216)
      • eB1.exe (PID: 4968)
      • oMg.exe (PID: 6376)
      • zST.exe (PID: 4760)
      • rmMUxSu.exe (PID: 6124)
      • h8QAqu.exe (PID: 1944)
      • xpADo9q.exe (PID: 3836)
      • W7Ni.exe (PID: 5252)
      • 3nlC.exe (PID: 6224)
      • jJlG3.exe (PID: 6540)
      • jM10.exe (PID: 6344)
      • cqvB9r.exe (PID: 864)
      • uy8.exe (PID: 6772)
      • CSvh.exe (PID: 2964)
      • mBmytt.exe (PID: 5372)
      • yXdqqAr.exe (PID: 7032)
      • bUB7Yi.exe (PID: 3888)
      • cji.exe (PID: 5644)
      • bMLcy.exe (PID: 5720)
    • Detected use of alternative data streams (AltDS)

      • BitPaymer.exe (PID: 6584)
      • conhost.exe (PID: 4520)
      • lXR0:exe (PID: 5924)
      • RKK.exe (PID: 592)
      • conhost.exe (PID: 2276)
      • sAQG0:exe (PID: 1564)
      • conhost.exe (PID: 6612)
      • UOcVGt.exe (PID: 3672)
      • Fr6:exe (PID: 6160)
      • F5SbZW.exe (PID: 3732)
      • ARD:exe (PID: 5008)
      • conhost.exe (PID: 3588)
      • g4Jq.exe (PID: 5708)
      • conhost.exe (PID: 6688)
      • 5JKG9p:exe (PID: 4836)
      • N2rA.exe (PID: 4012)
      • conhost.exe (PID: 472)
      • UoqY:exe (PID: 4084)
      • wGXL.exe (PID: 4680)
      • conhost.exe (PID: 3624)
      • wIyF:exe (PID: 6536)
      • DeLS:exe (PID: 3980)
      • conhost.exe (PID: 3740)
      • TgP8wYE.exe (PID: 4216)
      • eB1.exe (PID: 4968)
      • conhost.exe (PID: 6672)
      • 1QExP8:exe (PID: 2232)
      • oMg.exe (PID: 6376)
      • C4a:exe (PID: 5764)
      • conhost.exe (PID: 1352)
      • zST.exe (PID: 4760)
      • conhost.exe (PID: 4460)
      • WiCYNy6:exe (PID: 2028)
      • rmMUxSu.exe (PID: 6124)
      • LkJIwu:exe (PID: 4688)
      • conhost.exe (PID: 3620)
      • h8QAqu.exe (PID: 1944)
      • G1z:exe (PID: 3752)
      • conhost.exe (PID: 7100)
      • xpADo9q.exe (PID: 3836)
      • conhost.exe (PID: 6732)
      • VL0l4kF:exe (PID: 4808)
      • W7Ni.exe (PID: 5252)
      • Q9izE:exe (PID: 4040)
      • conhost.exe (PID: 1472)
      • 3nlC.exe (PID: 6224)
      • conhost.exe (PID: 3724)
      • j42Uz:exe (PID: 7076)
      • jJlG3.exe (PID: 6540)
      • PU1xZ:exe (PID: 5060)
      • conhost.exe (PID: 4192)
      • jM10.exe (PID: 6344)
      • S6EtC:exe (PID: 2072)
      • conhost.exe (PID: 2708)
      • conhost.exe (PID: 2620)
      • uy8.exe (PID: 6772)
      • cqvB9r.exe (PID: 864)
      • rBFj:exe (PID: 3676)
      • conhost.exe (PID: 6796)
      • I9vwrT:exe (PID: 3720)
      • CSvh.exe (PID: 2964)
      • conhost.exe (PID: 3860)
      • XpWQn:exe (PID: 3488)
      • mBmytt.exe (PID: 5372)
      • LvKRcXE:exe (PID: 6828)
      • conhost.exe (PID: 2972)
      • yXdqqAr.exe (PID: 7032)
      • conhost.exe (PID: 3852)
      • OeE:exe (PID: 3480)
      • JPnHkIs:exe (PID: 1880)
      • conhost.exe (PID: 6172)
      • bUB7Yi.exe (PID: 3888)
    • Starts itself from another location

      • BitPaymer.exe (PID: 6584)
      • RKK.exe (PID: 592)
      • UOcVGt.exe (PID: 3672)
      • F5SbZW.exe (PID: 3732)
      • g4Jq.exe (PID: 5708)
      • N2rA.exe (PID: 4012)
      • wGXL.exe (PID: 4680)
      • TgP8wYE.exe (PID: 4216)
      • eB1.exe (PID: 4968)
      • oMg.exe (PID: 6376)
      • zST.exe (PID: 4760)
      • rmMUxSu.exe (PID: 6124)
      • h8QAqu.exe (PID: 1944)
      • xpADo9q.exe (PID: 3836)
      • W7Ni.exe (PID: 5252)
      • 3nlC.exe (PID: 6224)
      • jJlG3.exe (PID: 6540)
      • jM10.exe (PID: 6344)
      • cqvB9r.exe (PID: 864)
      • uy8.exe (PID: 6772)
      • CSvh.exe (PID: 2964)
      • mBmytt.exe (PID: 5372)
      • yXdqqAr.exe (PID: 7032)
      • bUB7Yi.exe (PID: 3888)
      • cji.exe (PID: 5644)
      • bMLcy.exe (PID: 5720)
    • Starts application with an unusual extension

      • BitPaymer.exe (PID: 6584)
      • RKK.exe (PID: 592)
      • UOcVGt.exe (PID: 3672)
      • F5SbZW.exe (PID: 3732)
      • g4Jq.exe (PID: 5708)
      • N2rA.exe (PID: 4012)
      • wGXL.exe (PID: 4680)
      • TgP8wYE.exe (PID: 4216)
      • eB1.exe (PID: 4968)
      • oMg.exe (PID: 6376)
      • zST.exe (PID: 4760)
      • rmMUxSu.exe (PID: 6124)
      • h8QAqu.exe (PID: 1944)
      • xpADo9q.exe (PID: 3836)
      • W7Ni.exe (PID: 5252)
      • 3nlC.exe (PID: 6224)
      • jJlG3.exe (PID: 6540)
      • jM10.exe (PID: 6344)
      • cqvB9r.exe (PID: 864)
      • uy8.exe (PID: 6772)
      • CSvh.exe (PID: 2964)
      • mBmytt.exe (PID: 5372)
      • yXdqqAr.exe (PID: 7032)
      • bUB7Yi.exe (PID: 3888)
      • cji.exe (PID: 5644)
      • bMLcy.exe (PID: 5720)
    • The executable file from the user directory is run by the CMD process

      • RKK.exe (PID: 592)
      • F5SbZW.exe (PID: 3732)
      • N2rA.exe (PID: 4012)
      • TgP8wYE.exe (PID: 4216)
      • oMg.exe (PID: 6376)
      • rmMUxSu.exe (PID: 6124)
      • xpADo9q.exe (PID: 3836)
      • 3nlC.exe (PID: 6224)
      • jM10.exe (PID: 6344)
      • uy8.exe (PID: 6772)
      • mBmytt.exe (PID: 5372)
      • bUB7Yi.exe (PID: 3888)
      • bMLcy.exe (PID: 5720)
    • Reads the date of Windows installation

      • lXR0:exe (PID: 5924)
      • sAQG0:exe (PID: 1564)
      • Fr6:exe (PID: 6160)
      • ARD:exe (PID: 5008)
      • 5JKG9p:exe (PID: 4836)
      • UoqY:exe (PID: 4084)
      • wIyF:exe (PID: 6536)
      • DeLS:exe (PID: 3980)
      • 1QExP8:exe (PID: 2232)
      • C4a:exe (PID: 5764)
      • WiCYNy6:exe (PID: 2028)
      • LkJIwu:exe (PID: 4688)
      • G1z:exe (PID: 3752)
      • VL0l4kF:exe (PID: 4808)
      • Q9izE:exe (PID: 4040)
      • j42Uz:exe (PID: 7076)
      • PU1xZ:exe (PID: 5060)
      • S6EtC:exe (PID: 2072)
      • rBFj:exe (PID: 3676)
      • I9vwrT:exe (PID: 3720)
      • XpWQn:exe (PID: 3488)
      • LvKRcXE:exe (PID: 6828)
      • OeE:exe (PID: 3480)
      • JPnHkIs:exe (PID: 1880)
    • Starts NET.EXE for network exploration

      • lXR0:exe (PID: 5924)
      • Fr6:exe (PID: 6160)
      • 5JKG9p:exe (PID: 4836)
      • WiCYNy6:exe (PID: 2028)
      • G1z:exe (PID: 3752)
      • wIyF:exe (PID: 6536)
      • 1QExP8:exe (PID: 2232)
      • Q9izE:exe (PID: 4040)
      • PU1xZ:exe (PID: 5060)
      • rBFj:exe (PID: 3676)
      • XpWQn:exe (PID: 3488)
      • OeE:exe (PID: 3480)
      • 8lyRE2u:exe (PID: 768)
    • Creates file in the systems drive root

      • sAQG0:exe (PID: 1564)
    • The process creates files with name similar to system file names

      • sAQG0:exe (PID: 1564)
  • INFO

    • Checks supported languages

      • BitPaymer.exe (PID: 6584)
      • lXR0:exe (PID: 5924)
      • RKK.exe (PID: 592)
      • sAQG0:exe (PID: 1564)
      • UOcVGt.exe (PID: 3672)
      • F5SbZW.exe (PID: 3732)
      • ARD:exe (PID: 5008)
      • Fr6:exe (PID: 6160)
      • g4Jq.exe (PID: 5708)
      • N2rA.exe (PID: 4012)
      • 5JKG9p:exe (PID: 4836)
      • UoqY:exe (PID: 4084)
      • wGXL.exe (PID: 4680)
      • wIyF:exe (PID: 6536)
      • TgP8wYE.exe (PID: 4216)
      • DeLS:exe (PID: 3980)
      • eB1.exe (PID: 4968)
      • 1QExP8:exe (PID: 2232)
      • oMg.exe (PID: 6376)
      • C4a:exe (PID: 5764)
      • WiCYNy6:exe (PID: 2028)
      • zST.exe (PID: 4760)
      • LkJIwu:exe (PID: 4688)
      • rmMUxSu.exe (PID: 6124)
      • G1z:exe (PID: 3752)
      • h8QAqu.exe (PID: 1944)
      • VL0l4kF:exe (PID: 4808)
      • xpADo9q.exe (PID: 3836)
      • W7Ni.exe (PID: 5252)
      • Q9izE:exe (PID: 4040)
      • 3nlC.exe (PID: 6224)
      • j42Uz:exe (PID: 7076)
      • jJlG3.exe (PID: 6540)
      • PU1xZ:exe (PID: 5060)
      • jM10.exe (PID: 6344)
      • S6EtC:exe (PID: 2072)
      • cqvB9r.exe (PID: 864)
      • rBFj:exe (PID: 3676)
      • uy8.exe (PID: 6772)
      • I9vwrT:exe (PID: 3720)
      • CSvh.exe (PID: 2964)
      • mBmytt.exe (PID: 5372)
      • XpWQn:exe (PID: 3488)
      • LvKRcXE:exe (PID: 6828)
      • yXdqqAr.exe (PID: 7032)
      • OeE:exe (PID: 3480)
      • cji.exe (PID: 5644)
      • JPnHkIs:exe (PID: 1880)
      • bUB7Yi.exe (PID: 3888)
    • The sample compiled with english language support

      • BitPaymer.exe (PID: 6584)
      • RKK.exe (PID: 592)
      • UOcVGt.exe (PID: 3672)
      • F5SbZW.exe (PID: 3732)
      • g4Jq.exe (PID: 5708)
      • N2rA.exe (PID: 4012)
      • wGXL.exe (PID: 4680)
      • TgP8wYE.exe (PID: 4216)
      • eB1.exe (PID: 4968)
      • oMg.exe (PID: 6376)
      • zST.exe (PID: 4760)
      • rmMUxSu.exe (PID: 6124)
      • h8QAqu.exe (PID: 1944)
      • xpADo9q.exe (PID: 3836)
      • 3nlC.exe (PID: 6224)
      • W7Ni.exe (PID: 5252)
      • jJlG3.exe (PID: 6540)
      • jM10.exe (PID: 6344)
      • cqvB9r.exe (PID: 864)
      • uy8.exe (PID: 6772)
      • CSvh.exe (PID: 2964)
      • mBmytt.exe (PID: 5372)
      • yXdqqAr.exe (PID: 7032)
      • bUB7Yi.exe (PID: 3888)
      • bMLcy.exe (PID: 5720)
      • cji.exe (PID: 5644)
    • Reads the machine GUID from the registry

      • BitPaymer.exe (PID: 6584)
      • lXR0:exe (PID: 5924)
      • sAQG0:exe (PID: 1564)
      • RKK.exe (PID: 592)
      • UOcVGt.exe (PID: 3672)
      • Fr6:exe (PID: 6160)
      • F5SbZW.exe (PID: 3732)
      • ARD:exe (PID: 5008)
      • g4Jq.exe (PID: 5708)
      • N2rA.exe (PID: 4012)
      • 5JKG9p:exe (PID: 4836)
      • UoqY:exe (PID: 4084)
      • wGXL.exe (PID: 4680)
      • TgP8wYE.exe (PID: 4216)
      • DeLS:exe (PID: 3980)
      • eB1.exe (PID: 4968)
      • wIyF:exe (PID: 6536)
      • oMg.exe (PID: 6376)
      • C4a:exe (PID: 5764)
      • 1QExP8:exe (PID: 2232)
      • zST.exe (PID: 4760)
      • rmMUxSu.exe (PID: 6124)
      • LkJIwu:exe (PID: 4688)
      • h8QAqu.exe (PID: 1944)
      • xpADo9q.exe (PID: 3836)
      • VL0l4kF:exe (PID: 4808)
      • W7Ni.exe (PID: 5252)
      • WiCYNy6:exe (PID: 2028)
      • G1z:exe (PID: 3752)
      • 3nlC.exe (PID: 6224)
      • Q9izE:exe (PID: 4040)
      • j42Uz:exe (PID: 7076)
      • jJlG3.exe (PID: 6540)
      • PU1xZ:exe (PID: 5060)
      • jM10.exe (PID: 6344)
      • S6EtC:exe (PID: 2072)
      • cqvB9r.exe (PID: 864)
      • uy8.exe (PID: 6772)
      • rBFj:exe (PID: 3676)
      • I9vwrT:exe (PID: 3720)
      • CSvh.exe (PID: 2964)
      • LvKRcXE:exe (PID: 6828)
      • yXdqqAr.exe (PID: 7032)
      • mBmytt.exe (PID: 5372)
      • XpWQn:exe (PID: 3488)
      • bUB7Yi.exe (PID: 3888)
      • OeE:exe (PID: 3480)
      • cji.exe (PID: 5644)
      • JPnHkIs:exe (PID: 1880)
    • Launching a file from a Registry key

      • BitPaymer.exe (PID: 6584)
      • UOcVGt.exe (PID: 3672)
      • g4Jq.exe (PID: 5708)
      • wGXL.exe (PID: 4680)
      • eB1.exe (PID: 4968)
      • zST.exe (PID: 4760)
      • h8QAqu.exe (PID: 1944)
      • W7Ni.exe (PID: 5252)
      • jJlG3.exe (PID: 6540)
      • cqvB9r.exe (PID: 864)
      • CSvh.exe (PID: 2964)
      • yXdqqAr.exe (PID: 7032)
    • Reads the computer name

      • BitPaymer.exe (PID: 6584)
      • lXR0:exe (PID: 5924)
      • sAQG0:exe (PID: 1564)
      • UOcVGt.exe (PID: 3672)
      • ARD:exe (PID: 5008)
      • Fr6:exe (PID: 6160)
      • g4Jq.exe (PID: 5708)
      • 5JKG9p:exe (PID: 4836)
      • UoqY:exe (PID: 4084)
      • wGXL.exe (PID: 4680)
      • DeLS:exe (PID: 3980)
      • wIyF:exe (PID: 6536)
      • eB1.exe (PID: 4968)
      • C4a:exe (PID: 5764)
      • 1QExP8:exe (PID: 2232)
      • zST.exe (PID: 4760)
      • WiCYNy6:exe (PID: 2028)
      • LkJIwu:exe (PID: 4688)
      • h8QAqu.exe (PID: 1944)
      • G1z:exe (PID: 3752)
      • VL0l4kF:exe (PID: 4808)
      • W7Ni.exe (PID: 5252)
      • Q9izE:exe (PID: 4040)
      • j42Uz:exe (PID: 7076)
      • jJlG3.exe (PID: 6540)
      • PU1xZ:exe (PID: 5060)
      • S6EtC:exe (PID: 2072)
      • cqvB9r.exe (PID: 864)
      • rBFj:exe (PID: 3676)
      • I9vwrT:exe (PID: 3720)
      • CSvh.exe (PID: 2964)
      • XpWQn:exe (PID: 3488)
      • LvKRcXE:exe (PID: 6828)
      • yXdqqAr.exe (PID: 7032)
      • OeE:exe (PID: 3480)
      • JPnHkIs:exe (PID: 1880)
    • Process checks computer location settings

      • BitPaymer.exe (PID: 6584)
      • UOcVGt.exe (PID: 3672)
      • g4Jq.exe (PID: 5708)
      • wGXL.exe (PID: 4680)
      • eB1.exe (PID: 4968)
      • zST.exe (PID: 4760)
      • h8QAqu.exe (PID: 1944)
      • W7Ni.exe (PID: 5252)
      • jJlG3.exe (PID: 6540)
      • cqvB9r.exe (PID: 864)
      • CSvh.exe (PID: 2964)
      • yXdqqAr.exe (PID: 7032)
    • Creates files or folders in the user directory

      • BitPaymer.exe (PID: 6584)
      • RKK.exe (PID: 592)
      • UOcVGt.exe (PID: 3672)
      • F5SbZW.exe (PID: 3732)
      • g4Jq.exe (PID: 5708)
      • N2rA.exe (PID: 4012)
      • wGXL.exe (PID: 4680)
      • TgP8wYE.exe (PID: 4216)
      • eB1.exe (PID: 4968)
      • oMg.exe (PID: 6376)
      • zST.exe (PID: 4760)
      • rmMUxSu.exe (PID: 6124)
      • h8QAqu.exe (PID: 1944)
      • xpADo9q.exe (PID: 3836)
      • W7Ni.exe (PID: 5252)
      • 3nlC.exe (PID: 6224)
      • jM10.exe (PID: 6344)
      • jJlG3.exe (PID: 6540)
      • cqvB9r.exe (PID: 864)
      • uy8.exe (PID: 6772)
      • CSvh.exe (PID: 2964)
      • mBmytt.exe (PID: 5372)
      • yXdqqAr.exe (PID: 7032)
      • bUB7Yi.exe (PID: 3888)
      • cji.exe (PID: 5644)
    • Manual execution by a user

      • UOcVGt.exe (PID: 3672)
      • g4Jq.exe (PID: 5708)
      • wGXL.exe (PID: 4680)
      • eB1.exe (PID: 4968)
      • zST.exe (PID: 4760)
      • h8QAqu.exe (PID: 1944)
      • W7Ni.exe (PID: 5252)
      • jJlG3.exe (PID: 6540)
      • cqvB9r.exe (PID: 864)
      • CSvh.exe (PID: 2964)
      • yXdqqAr.exe (PID: 7032)
      • cji.exe (PID: 5644)
    • Creates files in the program directory

      • sAQG0:exe (PID: 1564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:07:01 04:08:13+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 20480
InitializedDataSize: 106496
UninitializedDataSize: -
EntryPoint: 0x1ee0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows command line
FileVersionNumber: 10.0.10586.9
ProductVersionNumber: 10.0.10586.9
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: ApiSet Stub DLL
FileVersion: 10.0.10586.9 (th2_release.151110-1756)
InternalName: apisetstub
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: apisetstub
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.10586.9
No data.
All screenshots are available in the full report
Total processes: 288
Monitored processes: 144
Malicious processes: 87
Suspicious processes: 2

Behavior graph

The graph itself is interactive and is only rendered in the full report; the node labels as extracted, in graph order, are:

start bitpaymer.exe conhost.exe no specs cmd.exe conhost.exe no specs lxr0:exe no specs conhost.exe no specs rkk.exe net.exe no specs conhost.exe no specs THREAT saqg0:exe no specs conhost.exe no specs uocvgt.exe conhost.exe no specs cmd.exe conhost.exe no specs fr6:exe no specs conhost.exe no specs f5sbzw.exe ard:exe no specs conhost.exe no specs g4jq.exe conhost.exe no specs cmd.exe conhost.exe no specs n2ra.exe 5jkg9p:exe no specs conhost.exe no specs uoqy:exe no specs conhost.exe no specs wgxl.exe conhost.exe no specs net.exe no specs conhost.exe no specs cmd.exe conhost.exe no specs wiyf:exe no specs conhost.exe no specs tgp8wye.exe dels:exe no specs conhost.exe no specs eb1.exe conhost.exe no specs cmd.exe conhost.exe no specs 1qexp8:exe no specs conhost.exe no specs omg.exe c4a:exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs zst.exe conhost.exe no specs cmd.exe conhost.exe no specs wicyny6:exe no specs conhost.exe no specs rmmuxsu.exe lkjiwu:exe no specs conhost.exe no specs h8qaqu.exe conhost.exe no specs cmd.exe conhost.exe no specs g1z:exe no specs conhost.exe no specs xpado9q.exe vl0l4kf:exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs w7ni.exe conhost.exe no specs cmd.exe conhost.exe no specs q9ize:exe no specs conhost.exe no specs 3nlc.exe net.exe no specs conhost.exe no specs j42uz:exe no specs conhost.exe no specs jjlg3.exe conhost.exe no specs cmd.exe conhost.exe no specs pu1xz:exe no specs conhost.exe no specs jm10.exe net.exe no specs conhost.exe no specs s6etc:exe no specs conhost.exe no specs cqvb9r.exe conhost.exe no specs cmd.exe conhost.exe no specs rbfj:exe no specs conhost.exe no specs uy8.exe net.exe no specs conhost.exe no specs i9vwrt:exe no specs conhost.exe no specs csvh.exe conhost.exe no specs cmd.exe conhost.exe no specs xpwqn:exe no specs conhost.exe no specs mbmytt.exe net.exe no specs conhost.exe no specs lvkrcxe:exe no specs conhost.exe no specs yxdqqar.exe conhost.exe no specs cmd.exe conhost.exe no specs oee:exe no specs conhost.exe no specs bub7yi.exe net.exe no specs conhost.exe no specs jpnhkis:exe no specs conhost.exe no specs cji.exe conhost.exe no specs cmd.exe conhost.exe no specs 8lyre2u:exe no specs conhost.exe no specs bmlcy.exe net.exe no specs conhost.exe no specs 8la28d:exe no specs conhost.exe no specs slui.exe

Process information

Each record below lists PID, CMD (command line), Path, Parent process and the process properties; the report's Indicators column is icon-only and is not present in this extract.
PID: 236
CMD: "C:\WINDOWS\SysWOW64\cmd.exe" /c C:\Users\admin\AppData\Local\ffLISXr\N2rA.exe 2
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: g4Jq.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 236
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cqvB9r.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 472
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: UoqY:exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 592
CMD: C:\Users\admin\AppData\Local\68e\RKK.exe 2
Path: C:\Users\admin\AppData\Local\68e\RKK.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Modules
Images
c:\users\admin\appdata\local\68e\rkk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 728
CMD: "C:\WINDOWS\SysWOW64\cmd.exe" /c C:\Users\admin\AppData\Local\6g2Ir\oMg.exe 2
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: eB1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 760
CMD: "C:\WINDOWS\SysWOW64\cmd.exe" /c C:\Users\admin\AppData\Local\reNEBHR\xpADo9q.exe 2
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: h8QAqu.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 768
CMD: C:\Users\admin\AppData\Local\8lyRE2u:exe 1 C:\Users\admin\AppData\Local\UIjT\cji.exe
Path: C:\Users\admin\AppData\Local\8lyRE2u:exe
Parent process: cji.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules
Images
c:\users\admin\appdata\local\8lyre2u:exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 856
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 864
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 864
CMD: C:\Users\admin\AppData\Local\xhj\cqvB9r.exe
Path: C:\Users\admin\AppData\Local\xhj\cqvB9r.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: ApiSet Stub DLL
Exit code: 1
Version: 10.0.10586.9 (th2_release.151110-1756)
Modules
Images
c:\users\admin\appdata\local\xhj\cqvb9r.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 30 905
Read events: 30 892
Write events: 13
Delete events: 0

Modification events

(PID) Process: (6584) BitPaymer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: axkWRDX7
Value: C:\Users\admin\AppData\Local\292\UOcVGt.exe

(PID) Process: (3672) UOcVGt.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: APDUrT96
Value: C:\Users\admin\AppData\Local\Eure9\g4Jq.exe

(PID) Process: (5708) g4Jq.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: cLWpNT1thdrZ
Value: C:\Users\admin\AppData\Local\h9X3R\wGXL.exe

(PID) Process: (4680) wGXL.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Rci0N815R
Value: C:\Users\admin\AppData\Local\YiAk7\eB1.exe

(PID) Process: (4968) eB1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: rCpbPV
Value: C:\Users\admin\AppData\Local\bAzT\zST.exe

(PID) Process: (4760) zST.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: obT5tnvl
Value: C:\Users\admin\AppData\Local\qc0\h8QAqu.exe

(PID) Process: (1944) h8QAqu.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: FzWmzdxWQJ7M
Value: C:\Users\admin\AppData\Local\hKWUUuX\W7Ni.exe

(PID) Process: (5252) W7Ni.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: NZKLZ
Value: C:\Users\admin\AppData\Local\mCVPsOy\jJlG3.exe

(PID) Process: (6540) jJlG3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: DKiyHMVJdQSQES
Value: C:\Users\admin\AppData\Local\xhj\cqvB9r.exe

(PID) Process: (864) cqvB9r.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: N1Rft
Value: C:\Users\admin\AppData\Local\tUoXY\CSvh.exe
Executable files: 27
Suspicious files: 913
Text files: 1 834
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1564 | sAQG0:exe | C:\$WinREAgent\Rollback.xml.readme_txt | text
    MD5: 51FAB08A170E3C398E696A5D36CDE259
    SHA256: BAB1199A9B43D11429C79F0B15C7E8C8D61EC612ACA223AA66FD253EAB11F1CB
1564 | sAQG0:exe | C:\$WinREAgent\Rollback.xml.locked | binary
    MD5: 26E0F988FDAB0379DC9106C8FD25CC6A
    SHA256: 59310D38265FA6899FF044C399F7051531838EBE72A754E359C97051718F5C36
6584 | BitPaymer.exe | C:\Users\admin\AppData\Local\68e\RKK.exe | executable
    MD5: BF821466700AD9F2F6F68639051215F3
    SHA256: 70A11D870295C5CEACB6AD0BD38A1F802DADF4A1F0F80585B2909DD351BA74E7
592 | RKK.exe | C:\Users\admin\AppData\Local\sAQG0:exe | executable
    MD5: 998246BD0E51F9582B998CA514317C33
    SHA256: D693C33DD550529F3634E3C7E53D82DF70C9D4FBD0C339DBC1849ADA9E539EA2
1564 | sAQG0:exe | C:\found.000\file00000002.chk | text
    MD5: 76390D3429BA451F1E37DAAE6BC85B51
    SHA256: 31D694956DDCDB8B2D61EE7B91BEB5AF37CE0557B6CA44438D2C3CA9F96C56D9
1564 | sAQG0:exe | C:\$WinREAgent\RollbackInfo.ini.locked | binary
    MD5: C12296B21BAD58C9A070F4711E627FAA
    SHA256: DEC67B8DF309A9D9AB58A43A75B8BDEC7FA5A261B7CE18A779A28B9FB28A5467
6584 | BitPaymer.exe | C:\Users\admin\AppData\Local\292\UOcVGt.exe | binary
    MD5: 613F6189154B12964B7E5C0D5A44FF54
    SHA256: 08B3C74629F12DC05B353A63003F214D724CF440779D3C6D550CB3290038F51D
1564 | sAQG0:exe | C:\$WinREAgent\RollbackInfo.ini | text
    MD5: 76390D3429BA451F1E37DAAE6BC85B51
    SHA256: 31D694956DDCDB8B2D61EE7B91BEB5AF37CE0557B6CA44438D2C3CA9F96C56D9
1564 | sAQG0:exe | C:\$WinREAgent\Backup\location.txt.locked | binary
    MD5: 53A42FB29E03EAC15785CE607CDBEED7
    SHA256: 89FB64DBA91F86CD205F650281487199A737EFC7E9445F382599BCBD73624F44
6584 | BitPaymer.exe | C:\Users\admin\AppData\Local\lXR0:exe | executable
    MD5: 998246BD0E51F9582B998CA514317C33
    SHA256: D693C33DD550529F3634E3C7E53D82DF70C9D4FBD0C339DBC1849ADA9E539EA2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 17
DNS requests: 10
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6672 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
1268 | svchost.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5944 | MoUsoCoreWorker.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59, 40.127.240.158 | whitelisted
google.com | 142.250.186.78 | whitelisted
crl.microsoft.com | 2.16.168.124, 2.16.168.114 | whitelisted
www.microsoft.com | 2.23.181.156 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 20.52.64.201 | whitelisted

Threats

No threats detected
No debug info