File name:	iniuria.exe
Full analysis:	https://app.any.run/tasks/efceb94d-3601-4862-8407-936ec568e24a
Verdict:	Malicious activity
Analysis date:	May 15, 2025, 11:23:52
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	pastebin crypto-regex auto-reg
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	33FBB1624D14946309AE3425636DE4C2
SHA1:	8E05B21739090E70BDF32AC578B85B3177B5CC5C
SHA256:	D77E2B0CDB76C0EB4F202A9DC24E9C75D2FE10BCEE3478C7C51308056F17FDF3
SSDEEP:	49152:UshnVpJywQLi4OPLh9cy5Fbze8n4KnAiv0WUkiZyJOLK7JsW7MaIpVJZPh7VgOSb:IwT4OP19cyFbLn4MAiKpyJ8K7SWYaoVn

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2086:03:13 23:40:41+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	48
CodeSize:	1620480
InitializedDataSize:	3584
UninitializedDataSize:	-
EntryPoint:	0x18d85e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.6.0.0
ProductVersionNumber:	1.6.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	-
FileVersion:	1.6.0
InternalName:	Client.exe
LegalCopyright:	-
LegalTrademarks:	-
OriginalFileName:	Client.exe
ProductName:	-
ProductVersion:	1.6.0
AssemblyVersion:	1.6.0.0


(PID) Process:	(1184) iniuria.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Pulsar Client Startup
Value: "C:\Users\admin\AppData\Roaming\SubDir\Client.exe"
(PID) Process:	(4976) Client.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Pulsar Client Startup
Value: "C:\Users\admin\AppData\Roaming\SubDir\Client.exe"
(PID) Process:	(4976) Client.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4976) Client.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(4976) Client.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(4976) Client.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(4976) Client.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(4976) Client.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(4976) Client.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(4976) Client.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0

PID	Process	Filename		Type
1184	iniuria.exe	C:\Users\admin\AppData\Roaming\SubDir\Client.exe		executable
		MD5:33FBB1624D14946309AE3425636DE4C2	SHA256:D77E2B0CDB76C0EB4F202A9DC24E9C75D2FE10BCEE3478C7C51308056F17FDF3

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5072	SIHClient.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5072	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
5072	SIHClient.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
5072	SIHClient.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
5072	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
5072	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
5072	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5072	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
4976	Client.exe	104.22.69.199:443	pastebin.com	CLOUDFLARENET	—	whitelisted
4976	Client.exe	147.185.221.26:3690	clothing-lucia.gl.at.ply.gg	PLAYIT-GG	US	malicious
5072	SIHClient.exe	172.202.163.200:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted
5072	SIHClient.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
5072	SIHClient.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5072	SIHClient.exe	20.242.39.171:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	142.250.185.142	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
pastebin.com	104.22.69.199 104.22.68.199 172.67.25.94	whitelisted
clothing-lucia.gl.at.ply.gg	147.185.221.26	unknown
slscr.update.microsoft.com	172.202.163.200	whitelisted
crl.microsoft.com	2.19.11.105 2.19.11.120	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Online Pastebin Text Storage
2196	svchost.exe	Misc activity	ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
2196	svchost.exe	Potentially Bad Traffic	ET INFO playit .gg Tunneling Domain in DNS Lookup
2196	svchost.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)

General Info

iniuria.exe

33FBB1624D14946309AE3425636DE4C2

8E05B21739090E70BDF32AC578B85B3177B5CC5C

D77E2B0CDB76C0EB4F202A9DC24E9C75D2FE10BCEE3478C7C51308056F17FDF3

49152:UshnVpJywQLi4OPLh9cy5Fbze8n4KnAiv0WUkiZyJOLK7JsW7MaIpVJZPh7VgOSb:IwT4OP19cyFbLn4MAiKpyJ8K7SWYaoVn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Starts itself from another location

Found regular expressions for crypto-addresses (YARA)

Connects to unusual port

There is functionality for taking screenshot (YARA)

INFO

Checks supported languages

Creates files or folders in the user directory

Reads the machine GUID from the registry

Reads the computer name

Reads Environment values

Auto-launch of the file from Registry key

Checks proxy server information

Disables trace logs

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings