File name:

GUI Booter.exe

Full analysis: https://app.any.run/tasks/68ca6aa0-6bfa-416a-a9d3-ed80148adb37
Verdict: Malicious activity
Analysis date: May 28, 2024, 21:32:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

195EEE3A17EEAE2A95C4FCF2B322A87A

SHA1:

4951EC19C7CE49F4D1D4ADF624A3C3C9AA9BFB6D

SHA256:

DD5B17CF26747F663D39FBE22F52562134F350CEF57C7BD067BDA4BD65CE1130

SSDEEP:

24576:ESmom6rniFDyYWZCNk/ww1pfz8YG86FI:nmom4niFDy3YNk/ww1pfz8YG86

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • GUI Booter.exe (PID: 3976)

  • SUSPICIOUS

    • Process requests binary or script from the Internet

      • GUI Booter.exe (PID: 3976)

    • Reads the Internet Settings

      • GUI Booter.exe (PID: 3976)

    • Reads security settings of Internet Explorer

      • GUI Booter.exe (PID: 3976)

    • Reads Microsoft Outlook installation path

      • GUI Booter.exe (PID: 3976)

    • Reads settings of System Certificates

      • GUI Booter.exe (PID: 3976)

    • Checks Windows Trust Settings

      • GUI Booter.exe (PID: 3976)

    • Reads Internet Explorer settings

      • GUI Booter.exe (PID: 3976)

    • Adds/modifies Windows certificates

      • GUI Booter.exe (PID: 3976)

  • INFO

    • Creates files or folders in the user directory

      • GUI Booter.exe (PID: 3976)

    • Create files in a temporary directory

      • GUI Booter.exe (PID: 3976)

    • Checks supported languages

      • wmpnscfg.exe (PID: 116)
      • GUI Booter.exe (PID: 3976)

    • Reads the computer name

      • wmpnscfg.exe (PID: 116)
      • GUI Booter.exe (PID: 3976)

    • Reads Environment values

      • GUI Booter.exe (PID: 3976)

    • Checks proxy server information

      • GUI Booter.exe (PID: 3976)

    • Reads the machine GUID from the registry

      • GUI Booter.exe (PID: 3976)

    • Reads the software policy settings

      • GUI Booter.exe (PID: 3976)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:08:10 13:23:10+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 475648
InitializedDataSize: 33792
UninitializedDataSize: -
EntryPoint: 0x761f2
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription: MC22 Booter
FileVersion: 1.0.0.0
InternalName: GUI Booter.exe
LegalCopyright: Copyright © 2014
OriginalFileName: GUI Booter.exe
ProductName: GUI_Booter
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start gui booter.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
116"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3976"C:\Users\admin\AppData\Local\Temp\GUI Booter.exe" C:\Users\admin\AppData\Local\Temp\GUI Booter.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
MC22 Booter
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\gui booter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
9 355
Read events
9 275
Write events
50
Delete events
30

Modification events

(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:ProxyServer
Value:
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:ProxyOverride
Value:
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:AutoConfigURL
Value:
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:AutoDetect
Value:
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
0
Suspicious files
29
Text files
18
Unknown types
7

Dropped files

PID
Process
Filename
Type
3976GUI Booter.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:75BAC94FE96BF38E24C7ED4C2CAE3AE8
SHA256:F0BB7C352C626AD99BD89ED9D61E80440470703730EA62A35B616F2444CCB52C
3976GUI Booter.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04der
MD5:F980DA371BBDC64D59E72D2A392AD915
SHA256:86658A40808E738A82902B1D4B2E953AE538A2295186735FA15A6F98717DECD5
3976GUI Booter.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04binary
MD5:A1F741931C704C2D8E0B4A8B52F9A4D6
SHA256:475A9E26A7D2D71CFEE1D577F9BB7E342CF25AC90F73911DA1F7D32D44A1D020
3976GUI Booter.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:C1032AF3CBFA68F1633FAFE1523AE41D
SHA256:7401DA563D1780EC4547677A59854AEF7480F3C55BA91609BD1D8B0AD9ACF69D
3976GUI Booter.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_E7AFBAB1045CF53D322BC26D3E9BEB05der
MD5:14F5A9C6DDAAB1D2A481DF24E31C4201
SHA256:60C0D3BCFF3F9D8600310C4C5ED3A799BC439A9148432468580BDF0240893CD1
3976GUI Booter.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
SHA256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
3976GUI Booter.exeC:\Users\admin\AppData\Local\Temp\Cab4CBA.tmpcompressed
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
SHA256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
3976GUI Booter.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:121A139E9FA4FD3BBDC8D29AF3F31D56
SHA256:DE8D82B503310586A1C851B00D16CF8D7059842C5B90BCDC906BA886E4FBE7AE
3976GUI Booter.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751binary
MD5:822467B728B7A66B081C91795373789A
SHA256:AF2343382B88335EEA72251AD84949E244FF54B6995063E24459A7216E9576B9
3976GUI Booter.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\look-magnifying-glass[1].svgimage
MD5:91BE8BB57512787AEA2A3765FD9850A5
SHA256:51CF6CE31001DD4D93E4C6B873F734F64522948A804F75D03104C1DD8A95D616
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
34
DNS requests
28
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3976
GUI Booter.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2f209f4c903930da
unknown
unknown
3976
GUI Booter.exe
GET
200
142.250.181.227:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
unknown
3976
GUI Booter.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEA7zMlmFlmqbb5WJwfB6vlk%3D
unknown
unknown
3976
GUI Booter.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
unknown
unknown
3976
GUI Booter.exe
GET
200
23.32.157.52:80
http://x2.c.lencr.org/
unknown
unknown
3976
GUI Booter.exe
GET
200
23.32.157.52:80
http://x1.c.lencr.org/
unknown
unknown
3976
GUI Booter.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
unknown
unknown
3976
GUI Booter.exe
GET
200
142.250.181.227:80
http://c.pki.goog/r/r1.crl
unknown
unknown
3976
GUI Booter.exe
GET
200
108.138.2.173:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
unknown
unknown
3976
GUI Booter.exe
GET
200
142.250.181.227:80
http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEFN0GMctzh9JCixyqAdciXg%3D
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
3976
GUI Booter.exe
162.125.65.15:443
dl.dropboxusercontent.com
DROPBOX
NL
unknown
3976
GUI Booter.exe
188.114.96.3:80
adf.ly
CLOUDFLARENET
NL
unknown
3976
GUI Booter.exe
104.26.15.247:443
publisher.linkvertise.com
CLOUDFLARENET
US
unknown
3976
GUI Booter.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown
3976
GUI Booter.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
3976
GUI Booter.exe
142.250.181.227:80
ocsp.pki.goog
GOOGLE
US
whitelisted
3976
GUI Booter.exe
172.67.217.63:443
direct-link.net
CLOUDFLARENET
US
unknown

DNS requests

Domain
IP
Reputation
adf.ly
  • 188.114.96.3
  • 188.114.97.3
shared
dl.dropboxusercontent.com
  • 162.125.65.15
shared
publisher.linkvertise.com
  • 104.26.15.247
  • 172.67.69.167
  • 104.26.14.247
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
ocsp.pki.goog
  • 142.250.181.227
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
direct-link.net
  • 172.67.217.63
  • 104.21.61.249
unknown
assets.dropbox.com
  • 52.222.236.76
  • 52.222.236.19
  • 52.222.236.37
  • 52.222.236.51
whitelisted
cfl.dropboxstatic.com
  • 104.16.99.29
  • 104.16.100.29
shared
x1.c.lencr.org
  • 23.32.157.52
whitelisted

Threats

PID
Process
Class
Message
3976
GUI Booter.exe
Misc activity
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
GUI Booter.exe