File name:	in.exe
Full analysis:	https://app.any.run/tasks/f1b81053-a258-45f6-b13c-a40a3cb07cc0
Verdict:	Malicious activity
Analysis date:	July 20, 2024, 20:30:50
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	9C048FFDE580EA3E0F890A63AE2249C2
SHA1:	CEE91EA1321E83EDD305945224F611B6A5900A41
SHA256:	E70F64A374E1784942C771940F07F08CDEE78144F2135BF1665557D1FCEE0F16
SSDEEP:	49152:6AZUXbnbcIm/NSekcsE3ciNaUsqhsxTY+:bZUXbnbcIm/NSekcsE3ciNaU5s

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2024:06:26 19:39:54+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.39
CodeSize:	1670656
InitializedDataSize:	456192
UninitializedDataSize:	-
EntryPoint:	0xc499e
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

PID	Process	Filename		Type
1668	in.exe	C:\Users\admin\AppData\Roaming\htdocs\InstallSqlState.sql		text
		MD5:5455E04BD4519A417B95630567897DD6	SHA256:3877F089AC05150C23D40E4BB0097CBF47FBF3BFDF6624905951F4FF4F5D990D
1668	in.exe	C:\Users\admin\AppData\Roaming\htdocs\UninstallRoles.sql		text
		MD5:7F951807474AB140AD39889BB3606958	SHA256:E9A498542CF09C423568EEA05D582C1337DE28E1CAB21E9BF5017B7045F5677D
1668	in.exe	C:\Users\admin\AppData\Roaming\htdocs\UninstallSqlStateTemplate.sql		text
		MD5:738AC3DAF1A1CAF913613FEE905615F1	SHA256:04E7227B71D44EDE4C1645890D427A6A8B371336B54D4B54D239A5B428CDBAAD
1668	in.exe	C:\Users\admin\AppData\Roaming\htdocs\InstallPersonalization.sql		text
		MD5:3969AC1663F4BE759B4DE35981F5DDCE	SHA256:602120924E30E1CF17E1E44CD627D4B263DDF45E27A1C98544E99AFE0C65E03A
1668	in.exe	C:\Users\admin\AppData\Roaming\htdocs\UninstallPersistSqlState.sql		text
		MD5:EBD3EBDCAE391B0098D795A084AC38F2	SHA256:7B35F634C8096D607E8832FE4179E9E30A740BDC2641A55BB98F956E9E6DBDDA
1668	in.exe	C:\Users\admin\AppData\Roaming\htdocs\UninstallCommon.sql		text
		MD5:00D434D9B7C7742CA71113B8C9FB4435	SHA256:F5808EFECAFDCC4C2CB850F72A15BE613C6CA05CCC05C40A8536C58FEC105F0B
1668	in.exe	C:\Users\admin\AppData\Roaming\htdocs\SqlPersistenceService_Schema.sql		text
		MD5:D00C40DB639234DF15A1F210D11798A5	SHA256:5366B7A700272D90FB67A77A2815DB2CA70D6B2E1863AD99D7D2CDCBABF75846
1668	in.exe	C:\Users\admin\AppData\Roaming\htdocs\InstallSqlStateTemplate.sql		text
		MD5:CC70B7258A6139FA927CE8DA5436BEF4	SHA256:5820FE72835736CB0C0E079E4C2094963E4C362D352F66FF3F54BBE74346CD0F
1668	in.exe	C:\Users\admin\AppData\Roaming\htdocs\InstallRoles.sql		text
		MD5:94D2A9EDABAE7B4741D21177CA582B30	SHA256:4FEAD44947E1645C98411B7646FB85CAF35D5136A7C3055C8C75472B236AA146
1668	in.exe	C:\Users\admin\AppData\Roaming\htdocs\SqlPersistenceProviderLogic.sql		text
		MD5:0A32007C351D22641EB0602FE6A8E385	SHA256:19226E3301AEAC3C749764CA15E04A62D1CC06A131088ABF5C1AE0786864E569

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	304	20.12.23.50:443	https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	unknown
—	—	GET	200	20.12.23.50:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	unknown
—	—	GET	200	20.242.39.171:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	unknown
—	—	GET	200	20.12.23.50:443	https://slscr.update.microsoft.com/sls/ping	unknown	—	—	unknown
—	—	GET	200	104.126.37.176:443	https://www.bing.com/client/config?cc=US&setlang=en-US	unknown	binary	2.15 Kb	unknown
—	—	POST	—	40.126.32.76:443	https://login.live.com/RST2.srf	unknown	—	—	unknown
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	unknown
—	—	POST	—	40.126.32.133:443	https://login.live.com/RST2.srf	unknown	—	—	unknown
—	—	GET	200	20.223.35.26:443	https://fd.api.iris.microsoft.com/v4/api/selection?&asid=37CAC9FDF19846BD879DB04A65D45F55&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&arch=AMD64&chassis=1&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19045.4046&dinst=1661339444&dmret=0&flightbranch=&flightring=Retail&icluc=0&localid=w%3AAC7699B0-48EA-FD22-C8DC-06A02098A0F0&oem=DELL&osbranch=vb_release&oslocale=en-US&osret=1&ossku=Professional&osskuid=48&prccn=4&prccs=3094&prcmf=AuthenticAMD&procm=Intel%28R%29%20Core%28TM%29%20i5-6400%20CPU%20%40%202.70GHz&ram=4096&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=15.3&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=260281&frdsk=218542&lo=3612270&tsu=1002800	unknown	binary	102 b	unknown
—	—	POST	401	4.209.32.67:443	https://licensing.mp.microsoft.com/v7.0/licenses/content	unknown	binary	340 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4716	svchost.exe	40.126.32.133:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
5620	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
7856	svchost.exe	4.209.32.67:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
8056	backgroundTaskHost.exe	104.126.37.145:443	www.bing.com	Akamai International B.V.	DE	unknown
2760	svchost.exe	40.113.103.199:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5620	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3400	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
login.live.com	40.126.32.133 20.190.160.20 40.126.32.134 40.126.32.74 20.190.160.14 20.190.160.22 40.126.32.140 40.126.32.76	whitelisted
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59	whitelisted
google.com	142.250.186.174	whitelisted
www.bing.com	104.126.37.145 104.126.37.136 104.126.37.139 104.126.37.185 104.126.37.130 104.126.37.131 104.126.37.155 104.126.37.163 104.126.37.176	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
arc.msn.com	20.103.156.88	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted

General Info

in.exe

9C048FFDE580EA3E0F890A63AE2249C2

CEE91EA1321E83EDD305945224F611B6A5900A41

E70F64A374E1784942C771940F07F08CDEE78144F2135BF1665557D1FCEE0F16

49152:6AZUXbnbcIm/NSekcsE3ciNaUsqhsxTY+:bZUXbnbcIm/NSekcsE3ciNaU5s

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Actions looks like stealing of personal data

SUSPICIOUS

INFO

Creates files or folders in the user directory

Checks supported languages

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings