File name:

N.exe

Full analysis: https://app.any.run/tasks/7f702652-4870-4371-88e7-95a6263cef28
Verdict: Malicious activity
Analysis date: December 14, 2024, 02:34:03
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

E77111873598D0B48E64B80EA1574570

SHA1:

53A24041F0A0ACD91F49681B7660EA8192778703

SHA256:

E113094D3B1A3B0D24829CD9961A52AF262E0724A7143DBDF673DDA1F6B62F59

SSDEEP:

98304:Ociw5mKmviADO1J922jxxIpve6DAq3AYmUI8LhXqeNjx4Z3+ghTUgRE8Q19vOtkb:/6q/8ss

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • N.exe (PID: 5988)

    • Potential Corporate Privacy Violation

      • N.exe (PID: 5988)

    • Connects to unusual port

      • N.exe (PID: 5988)

    • Connects to the server without a host name

      • N.exe (PID: 5988)

  • INFO

    • The sample compiled with english language support

      • N.exe (PID: 5988)

    • Checks proxy server information

      • N.exe (PID: 5988)

    • Reads the computer name

      • N.exe (PID: 5988)

    • Reads the machine GUID from the registry

      • N.exe (PID: 5988)

    • Reads CPU info

      • N.exe (PID: 5988)

    • Checks supported languages

      • N.exe (PID: 5988)

    • Creates files or folders in the user directory

      • N.exe (PID: 5988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (49.3)
.exe | Win64 Executable (generic) (32.7)
.dll | Win32 Dynamic Link Library (generic) (7.8)
.exe | Win32 Executable (generic) (5.3)
.exe | Generic Win/DOS Executable (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:05:23 22:25:11+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 4240384
InitializedDataSize: 1312768
UninitializedDataSize: -
EntryPoint: 0x3f693b
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: NTransformice By Choqetje - Best_dll
FileDescription: NTransformice By Choqetje - Best_dll
FileVersion: Ant lag / Leve NO IPS
InternalName: NTransformice By Choqetje - Best_dll0001
Omarcareco: Cabeça de Lampada
LegalTrademarks: Choqe Lindão
OriginalFileName: Choqe Capudo
ProductName: NTransformice By Choqetje - Best_dll
ProductVersion: É O TREM
Debugger: 0.0001
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start n.exe

Process information

PID
CMD
Path
Indicators
Parent process
5988"C:\Users\admin\AppData\Local\Temp\N.exe" C:\Users\admin\AppData\Local\Temp\N.exe
explorer.exe
User:
admin
Company:
NTransformice By Choqetje - Best_dll
Integrity Level:
MEDIUM
Description:
NTransformice By Choqetje - Best_dll
Version:
Ant lag / Leve NO IPS
Modules
Images
c:\users\admin\appdata\local\temp\n.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll
Total events
663
Read events
660
Write events
3
Delete events
0

Modification events

(PID) Process:(5988) N.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5988) N.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5988) N.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
0
Suspicious files
129
Text files
19
Unknown types
18

Dropped files

PID
Process
Filename
Type
5988N.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\x_steam_[1].jpgimage
MD5:A0D24DC555F033F17E5F9286A2FCF5FD
SHA256:0FCD660C0A1906DE1B04AE251A7221B72887A30128E6AD49505A458E491926E4
5988N.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\Transformice[1].swfswf
MD5:C261A0FAB22126B4D242A4321472657F
SHA256:66348532E007860742FA528E2D1071146F3540466C85D5308E64724D3DD6C59A
5988N.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\c2[1].pngimage
MD5:A4EE4E9623E00CD0E1B6FF01A2BD5918
SHA256:EB5F5AB4196C685C6177EB100DD419CD8A0A14DFEF987CB1D5F6C2AA88C2C1C0
5988N.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\go[1].pngimage
MD5:6CEF116F17733C6DE93308E481E11A2D
SHA256:B4C0561F8373FE2E09DEF5937D43C3008B020C433F58348DE80CE1B3ED957013
5988N.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\c1[1].pngimage
MD5:015B1CF82756540E91CCAC1A4F0702CE
SHA256:67BCAEAF264573DB84F616D37F5D1F1E0D65807B0FCA8D06B9CF740B3EDBF4D7
5988N.exeC:\Users\admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\2PLHS864\www.transformice.com\Transformice.swf\Transformice.sxxsol
MD5:F60AE77F2B51FA9E1872F55CBC6C8D97
SHA256:166319F7433A71838D0136F93C09A6C8630B79A812665DD055DFBF0183BFD7B0
5988N.exeC:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.transformice.com\settings.sxxsol
MD5:04978BCD430EA2F1C6030A568424E21F
SHA256:F2F87E055CC2D3C756F28B00185A4A30DE3447B76A01B1431687EE80F478BEAA
5988N.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\tfm-de[1].gzpz
MD5:BF2E135FFED8EC2EF14A3E89E6D98FB4
SHA256:BE5C87844D37FA6D76587AF7B5340FE4BBFDF61DF0B9CE931DA96F418277C3CD
5988N.exeC:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.transformice.com\settings.solbinary
MD5:04978BCD430EA2F1C6030A568424E21F
SHA256:F2F87E055CC2D3C756F28B00185A4A30DE3447B76A01B1431687EE80F478BEAA
5988N.exeC:\Users\admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\2PLHS864\www.transformice.com\Transformice.swf\Transformice.solsol
MD5:F60AE77F2B51FA9E1872F55CBC6C8D97
SHA256:166319F7433A71838D0136F93C09A6C8630B79A812665DD055DFBF0183BFD7B0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
145
TCP/UDP connections
42
DNS requests
20
Threats
139

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5988
N.exe
GET
200
51.75.128.119:80
http://www.transformice.com/images/x_transformice/x_interface/go.png?d=857
unknown
whitelisted
5988
N.exe
GET
200
51.75.128.119:80
http://www.transformice.com/Transformice.swf?n=1734143648944
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5988
N.exe
GET
200
51.75.128.119:80
http://www.transformice.com/images/x_transformice/x_interface/c3.png?d=857
unknown
whitelisted
5988
N.exe
GET
200
51.75.128.119:80
http://www.transformice.com/images/x_transformice/x_interface/c1.png?d=857
unknown
whitelisted
5988
N.exe
GET
200
51.75.128.119:80
http://www.transformice.com/images/x_transformice/x_interface/c2.png?d=857
unknown
whitelisted
5988
N.exe
GET
200
51.75.128.119:80
http://www.transformice.com/images/x_transformice/x_connexion/x_steam_.jpg?d=857
unknown
whitelisted
5988
N.exe
GET
200
51.75.128.119:80
http://www.transformice.com/images/x_bibliotheques/x_fourrures.swf?d=846.857?d=846
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
1684
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5064
SearchApp.exe
104.126.37.153:443
www.bing.com
Akamai International B.V.
DE
whitelisted
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5988
N.exe
51.75.128.119:80
www.transformice.com
OVH SAS
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 172.217.18.14
whitelisted
www.bing.com
  • 104.126.37.153
  • 104.126.37.162
  • 104.126.37.160
  • 104.126.37.144
  • 104.126.37.161
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.transformice.com
  • 51.75.128.119
  • 54.37.233.52
  • 141.95.127.87
whitelisted
audio.atelier801.com
  • 212.47.246.230
whitelisted
login.live.com
  • 20.190.160.14
  • 40.126.32.76
  • 20.190.160.20
  • 40.126.32.134
  • 20.190.160.22
  • 40.126.32.138
  • 40.126.32.72
  • 20.190.160.17
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted

Threats

PID
Process
Class
Message
5988
N.exe
Potential Corporate Privacy Violation
ET POLICY Outdated Flash Version M1
138 ETPRO signatures available at the full report
No debug info