File name:

GUI Booter.exe

Full analysis: https://app.any.run/tasks/68ca6aa0-6bfa-416a-a9d3-ed80148adb37
Verdict: Malicious activity
Analysis date: May 28, 2024, 21:32:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

195EEE3A17EEAE2A95C4FCF2B322A87A

SHA1:

4951EC19C7CE49F4D1D4ADF624A3C3C9AA9BFB6D

SHA256:

DD5B17CF26747F663D39FBE22F52562134F350CEF57C7BD067BDA4BD65CE1130

SSDEEP:

24576:ESmom6rniFDyYWZCNk/ww1pfz8YG86FI:nmom4niFDy3YNk/ww1pfz8YG86

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • GUI Booter.exe (PID: 3976)

  • SUSPICIOUS

    • Reads the Internet Settings

      • GUI Booter.exe (PID: 3976)

    • Reads security settings of Internet Explorer

      • GUI Booter.exe (PID: 3976)

    • Reads Microsoft Outlook installation path

      • GUI Booter.exe (PID: 3976)

    • Reads settings of System Certificates

      • GUI Booter.exe (PID: 3976)

    • Checks Windows Trust Settings

      • GUI Booter.exe (PID: 3976)

    • Adds/modifies Windows certificates

      • GUI Booter.exe (PID: 3976)

    • Reads Internet Explorer settings

      • GUI Booter.exe (PID: 3976)

    • Process requests binary or script from the Internet

      • GUI Booter.exe (PID: 3976)

  • INFO

    • Reads the computer name

      • GUI Booter.exe (PID: 3976)
      • wmpnscfg.exe (PID: 116)

    • Checks supported languages

      • GUI Booter.exe (PID: 3976)
      • wmpnscfg.exe (PID: 116)

    • Reads the machine GUID from the registry

      • GUI Booter.exe (PID: 3976)

    • Checks proxy server information

      • GUI Booter.exe (PID: 3976)

    • Creates files or folders in the user directory

      • GUI Booter.exe (PID: 3976)

    • Reads the software policy settings

      • GUI Booter.exe (PID: 3976)

    • Create files in a temporary directory

      • GUI Booter.exe (PID: 3976)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 116)

    • Reads Environment values

      • GUI Booter.exe (PID: 3976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:08:10 13:23:10+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 475648
InitializedDataSize: 33792
UninitializedDataSize: -
EntryPoint: 0x761f2
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription: MC22 Booter
FileVersion: 1.0.0.0
InternalName: GUI Booter.exe
LegalCopyright: Copyright © 2014
OriginalFileName: GUI Booter.exe
ProductName: GUI_Booter
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start gui booter.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
116"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3976"C:\Users\admin\AppData\Local\Temp\GUI Booter.exe" C:\Users\admin\AppData\Local\Temp\GUI Booter.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
MC22 Booter
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\gui booter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
9 355
Read events
9 275
Write events
50
Delete events
30

Modification events

(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:ProxyServer
Value:
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:ProxyOverride
Value:
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:AutoConfigURL
Value:
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:AutoDetect
Value:
(PID) Process:(3976) GUI Booter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
0
Suspicious files
29
Text files
18
Unknown types
7

Dropped files

PID
Process
Filename
Type
3976GUI Booter.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04der
MD5:F980DA371BBDC64D59E72D2A392AD915
SHA256:86658A40808E738A82902B1D4B2E953AE538A2295186735FA15A6F98717DECD5
3976GUI Booter.exeC:\Users\admin\AppData\Local\Temp\Tar4CBB.tmpbinary
MD5:4EA6026CF93EC6338144661BF1202CD1
SHA256:8EFBC21559EF8B1BCF526800D8070BAAD42474CE7198E26FA771DBB41A76B1D8
3976GUI Booter.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:75BAC94FE96BF38E24C7ED4C2CAE3AE8
SHA256:F0BB7C352C626AD99BD89ED9D61E80440470703730EA62A35B616F2444CCB52C
3976GUI Booter.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\look-magnifying-glass[1].svgimage
MD5:91BE8BB57512787AEA2A3765FD9850A5
SHA256:51CF6CE31001DD4D93E4C6B873F734F64522948A804F75D03104C1DD8A95D616
3976GUI Booter.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464binary
MD5:F191EF3038D2D80156E74733621B7B01
SHA256:350DDC7F26BAFE91F484D762A296137466FBA16BBB3AB1A6F9C6486B5D6C62D1
3976GUI Booter.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_E7AFBAB1045CF53D322BC26D3E9BEB05binary
MD5:A363B0D450131AAFF77AFB1C525E407C
SHA256:6B9AC133617C1BE6C95B847CDE0A5E3F63711FF310EE8008CF7A48C88E6DC62E
3976GUI Booter.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464der
MD5:8202A1CD02E7D69597995CABBE881A12
SHA256:58F381C3A0A0ACE6321DA22E40BD44A597BD98B9C9390AB9258426B5CF75A7A5
3976GUI Booter.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751binary
MD5:822467B728B7A66B081C91795373789A
SHA256:AF2343382B88335EEA72251AD84949E244FF54B6995063E24459A7216E9576B9
3976GUI Booter.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:C1032AF3CBFA68F1633FAFE1523AE41D
SHA256:7401DA563D1780EC4547677A59854AEF7480F3C55BA91609BD1D8B0AD9ACF69D
3976GUI Booter.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\HURH6Z8N.txttext
MD5:7A367D8E2DD3A9CEA279E83DFFB1FD61
SHA256:D77793D6B4F6082E047902E3E83A2DC314FAA8DFB946416D9D5AC5C710EFE777
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
34
DNS requests
28
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3976
GUI Booter.exe
GET
302
188.114.96.3:80
http://adf.ly/lV9r7
unknown
unknown
3976
GUI Booter.exe
GET
200
23.32.157.52:80
http://x2.c.lencr.org/
unknown
unknown
3976
GUI Booter.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
unknown
unknown
3976
GUI Booter.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
unknown
unknown
3976
GUI Booter.exe
GET
200
142.250.181.227:80
http://c.pki.goog/r/r1.crl
unknown
unknown
3976
GUI Booter.exe
GET
200
142.250.181.227:80
http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEFN0GMctzh9JCixyqAdciXg%3D
unknown
unknown
3976
GUI Booter.exe
GET
200
108.138.2.173:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
unknown
unknown
3976
GUI Booter.exe
GET
200
18.245.39.64:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
unknown
unknown
3976
GUI Booter.exe
GET
200
142.250.181.227:80
http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDagtTzijfQygpxbaMj5XVC
unknown
unknown
3976
GUI Booter.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2f209f4c903930da
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
3976
GUI Booter.exe
162.125.65.15:443
dl.dropboxusercontent.com
DROPBOX
NL
unknown
3976
GUI Booter.exe
188.114.96.3:80
adf.ly
CLOUDFLARENET
NL
unknown
3976
GUI Booter.exe
104.26.15.247:443
publisher.linkvertise.com
CLOUDFLARENET
US
unknown
3976
GUI Booter.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown
3976
GUI Booter.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
3976
GUI Booter.exe
142.250.181.227:80
ocsp.pki.goog
GOOGLE
US
whitelisted
3976
GUI Booter.exe
172.67.217.63:443
direct-link.net
CLOUDFLARENET
US
unknown

DNS requests

Domain
IP
Reputation
adf.ly
  • 188.114.96.3
  • 188.114.97.3
shared
dl.dropboxusercontent.com
  • 162.125.65.15
shared
publisher.linkvertise.com
  • 104.26.15.247
  • 172.67.69.167
  • 104.26.14.247
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
ocsp.pki.goog
  • 142.250.181.227
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
direct-link.net
  • 172.67.217.63
  • 104.21.61.249
unknown
assets.dropbox.com
  • 52.222.236.76
  • 52.222.236.19
  • 52.222.236.37
  • 52.222.236.51
whitelisted
cfl.dropboxstatic.com
  • 104.16.99.29
  • 104.16.100.29
shared
x1.c.lencr.org
  • 23.32.157.52
whitelisted

Threats

PID
Process
Class
Message
3976
GUI Booter.exe
Misc activity
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
GUI Booter.exe