File name: N.exe
Full analysis: https://app.any.run/tasks/7f702652-4870-4371-88e7-95a6263cef28
Verdict: Malicious activity
Analysis date: December 14, 2024, 02:34:03
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: E77111873598D0B48E64B80EA1574570
SHA1: 53A24041F0A0ACD91F49681B7660EA8192778703
SHA256: E113094D3B1A3B0D24829CD9961A52AF262E0724A7143DBDF673DDA1F6B62F59
SSDEEP: 98304:Ociw5mKmviADO1J922jxxIpve6DAq3AYmUI8LhXqeNjx4Z3+ghTUgRE8Q19vOtkb:/6q/8ss

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • No malicious indicators.
  • SUSPICIOUS
    • Reads security settings of Internet Explorer: N.exe (PID: 5988)
    • Potential Corporate Privacy Violation: N.exe (PID: 5988)
    • Connects to the server without a host name: N.exe (PID: 5988)
    • Connects to unusual port: N.exe (PID: 5988)
  • INFO
    • Creates files or folders in the user directory: N.exe (PID: 5988)
    • The sample was compiled with English language support: N.exe (PID: 5988)
    • Reads CPU info: N.exe (PID: 5988)
    • Reads the computer name: N.exe (PID: 5988)
    • Checks proxy server information: N.exe (PID: 5988)
    • Checks supported languages: N.exe (PID: 5988)
    • Reads the machine GUID from the registry: N.exe (PID: 5988)
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (49.3)
.exe | Win64 Executable (generic) (32.7)
.dll | Win32 Dynamic Link Library (generic) (7.8)
.exe | Win32 Executable (generic) (5.3)
.exe | Generic Win/DOS Executable (2.3)

EXIF

EXE

Debugger: 0.0001
ProductVersion: É O TREM
ProductName: NTransformice By Choqetje - Best_dll
OriginalFileName: Choqe Capudo
LegalTrademarks: Choqe Lindão
Omarcareco: Cabeça de Lampada
InternalName: NTransformice By Choqetje - Best_dll0001
FileVersion: Ant lag / Leve NO IPS
FileDescription: NTransformice By Choqetje - Best_dll
CompanyName: NTransformice By Choqetje - Best_dll
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x3f693b
UninitializedDataSize: -
InitializedDataSize: 1312768
CodeSize: 4240384
LinkerVersion: 9
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2013:05:23 22:25:11+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 128
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start n.exe

Process information

PID | CMD | Path | Indicators | Parent process
5988 | "C:\Users\admin\AppData\Local\Temp\N.exe" | C:\Users\admin\AppData\Local\Temp\N.exe | - | explorer.exe

User: admin
Company: NTransformice By Choqetje - Best_dll
Integrity Level: MEDIUM
Description: NTransformice By Choqetje - Best_dll
Version: Ant lag / Leve NO IPS
Modules
Images
c:\users\admin\appdata\local\temp\n.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll
Total events: 663
Read events: 660
Write events: 3
Delete events: 0

Modification events

(PID) Process: (5988) N.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (5988) N.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5988) N.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 0
Suspicious files: 129
Text files: 19
Unknown types: 18

Dropped files

PID | Process | Filename | Type
5988 | N.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\go[1].png | image
    MD5: 6CEF116F17733C6DE93308E481E11A2D
    SHA256: B4C0561F8373FE2E09DEF5937D43C3008B020C433F58348DE80CE1B3ED957013
5988 | N.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\x_steam_[1].jpg | image
    MD5: A0D24DC555F033F17E5F9286A2FCF5FD
    SHA256: 0FCD660C0A1906DE1B04AE251A7221B72887A30128E6AD49505A458E491926E4
5988 | N.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\c2[1].png | image
    MD5: A4EE4E9623E00CD0E1B6FF01A2BD5918
    SHA256: EB5F5AB4196C685C6177EB100DD419CD8A0A14DFEF987CB1D5F6C2AA88C2C1C0
5988 | N.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\x_fourrures[1].swf | swf
    MD5: 923FE5004B4E93C2C682A41CA016660C
    SHA256: 444203273A1B7B4CF77717EB7E6C09D0134C18302EF2CC95E2B76222EE1DD151
5988 | N.exe | C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\2PLHS864\www.transformice.com\Transformice.swf\Transformice.sol | sol
    MD5: F60AE77F2B51FA9E1872F55CBC6C8D97
    SHA256: 166319F7433A71838D0136F93C09A6C8630B79A812665DD055DFBF0183BFD7B0
5988 | N.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\c3[1].png | image
    MD5: 52590DB6A0943C6132FAD50429D9F017
    SHA256: 2EB5C74531BE3B3F8AB8FD7DA16BAAC593A96A6C70915B57F3BEA3BD231B72FF
5988 | N.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\c1[1].png | image
    MD5: 015B1CF82756540E91CCAC1A4F0702CE
    SHA256: 67BCAEAF264573DB84F616D37F5D1F1E0D65807B0FCA8D06B9CF740B3EDBF4D7
5988 | N.exe | C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.transformice.com\settings.sol | binary
    MD5: 04978BCD430EA2F1C6030A568424E21F
    SHA256: F2F87E055CC2D3C756F28B00185A4A30DE3447B76A01B1431687EE80F478BEAA
5988 | N.exe | C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\2PLHS864\www.transformice.com\Transformice.swf\Transformice.sxx | sol
    MD5: F60AE77F2B51FA9E1872F55CBC6C8D97
    SHA256: 166319F7433A71838D0136F93C09A6C8630B79A812665DD055DFBF0183BFD7B0
5988 | N.exe | C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol | binary
    MD5: 257B2A4303BE82056B8788B57624BF88
    SHA256: B36E861A7CCCE8377ED480FF1B7EEEBF30C7385D4BC8648D1A0B203F0B17C70B
HTTP(S) requests: 145
TCP/UDP connections: 42
DNS requests: 20
Threats: 139

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
5988 | N.exe | GET | 200 | 51.75.128.119:80 | http://www.transformice.com/Transformice.swf?n=1734143648944 | unknown | whitelisted
5988 | N.exe | GET | 200 | 51.75.128.119:80 | http://www.transformice.com/images/x_bibliotheques/x_fourrures2.swf?d=846.857?d=846 | unknown | whitelisted
5988 | N.exe | GET | 200 | 51.75.128.119:80 | http://www.transformice.com/langues/tfm-de.gz?d=857 | unknown | whitelisted
5988 | N.exe | GET | 404 | 51.75.128.119:80 | http://www.transformice.com/images/x_transformice/x_connexion/null?d=857 | unknown | whitelisted
5988 | N.exe | GET | 200 | 51.75.128.119:80 | http://www.transformice.com/images/x_transformice/x_connexion/x_steam_.jpg?d=857 | unknown | whitelisted
5988 | N.exe | GET | 200 | 51.75.128.119:80 | http://www.transformice.com/images/x_bibliotheques/x_meli_costumes.swf?d=846.857?d=846 | unknown | whitelisted
5988 | N.exe | GET | 200 | 51.75.128.119:80 | http://www.transformice.com/images/x_transformice/x_interface/c3.png?d=857 | unknown | whitelisted
5988 | N.exe | GET | 200 | 51.75.128.119:80 | http://www.transformice.com/images/x_transformice/x_interface/c1.png?d=857 | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
1684 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5064 | SearchApp.exe | 104.126.37.153:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5988 | N.exe | 51.75.128.119:80 | www.transformice.com | OVH SAS | FR | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 40.127.240.158, 51.104.136.2 | whitelisted
google.com | 172.217.18.14 | whitelisted
www.bing.com | 104.126.37.153, 104.126.37.162, 104.126.37.160, 104.126.37.144, 104.126.37.161 | whitelisted
crl.microsoft.com | 23.53.40.178, 23.53.40.176 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
www.transformice.com | 51.75.128.119, 54.37.233.52, 141.95.127.87 | whitelisted
audio.atelier801.com | 212.47.246.230 | whitelisted
login.live.com | 20.190.160.14, 40.126.32.76, 20.190.160.20, 40.126.32.134, 20.190.160.22, 40.126.32.138, 40.126.32.72, 20.190.160.17 | whitelisted
go.microsoft.com | 184.30.17.189 | whitelisted

Threats

PID | Process | Class | Message
- | - | Potential Corporate Privacy Violation | ET POLICY Outdated Flash Version M1
138 ETPRO signatures available at the full report
No debug info