File name:

Client.exe

Full analysis: https://app.any.run/tasks/29470a76-7d3d-4849-b9ec-d3a8e474d26e
Verdict: Malicious activity
Threats:

LockBit, a ransomware variant, encrypts data on infected machines, demanding a ransom payment for decryption. Used in targeted attacks, It's a significant risk to organizations.

Malware Trends Tracker     >>>
Analysis date: November 04, 2023, 20:12:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
lockbit
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

2B9A1B7A5E13B8672655D0A09CE50217

SHA1:

2B62DBB4EDBC5460BB42E790CA1A4BA7A4821362

SHA256:

F6C559C031B7B16B1EDF34B38E74B6BF3A7106CA34881D7F5C63B8E0D7AC3694

SSDEEP:

3072:sr85CS8+cKuGcaYYPhZyK0aGp0vH+rUTftHool3G+Ehgi3M1SBJhGvlfb9FDh5a7:k9S87iZOaGpWHSkhaYKJhq346VzQ3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Renames files like ransomware

      • Client.exe (PID: 3828)

    • Steals credentials from Web Browsers

      • Client.exe (PID: 3828)

    • Drops the executable file immediately after the start

      • Client.exe (PID: 3440)
      • Client.exe (PID: 3828)

    • [YARA] LockBit is detected

      • Client.exe (PID: 3828)

    • Creates a writable file the system directory

      • Client.exe (PID: 3828)
      • printfilterpipelinesvc.exe (PID: 2196)

    • Actions looks like stealing of personal data

      • Client.exe (PID: 3440)
      • Client.exe (PID: 3828)

    • Known privilege escalation attack

      • dllhost.exe (PID: 3584)

  • SUSPICIOUS

    • Application launched itself

      • Client.exe (PID: 3204)
      • Client.exe (PID: 3844)

    • Reads the Internet Settings

      • Client.exe (PID: 3440)
      • C1E9.tmp (PID: 2056)
      • ONENOTE.EXE (PID: 1608)
      • rundll32.exe (PID: 3076)

    • Write to the desktop.ini file (may be used to cloak folders)

      • Client.exe (PID: 3828)

    • Creates files like ransomware instruction

      • Client.exe (PID: 3828)

    • Reads browser cookies

      • Client.exe (PID: 3828)

    • Changes the desktop background image

      • Client.exe (PID: 3828)

    • Starts application with an unusual extension

      • Client.exe (PID: 3828)

    • Starts CMD.EXE for commands execution

      • C1E9.tmp (PID: 2056)

    • Reads security settings of Internet Explorer

      • ONENOTE.EXE (PID: 1608)

    • Reads settings of System Certificates

      • ONENOTE.EXE (PID: 1608)

    • Checks Windows Trust Settings

      • ONENOTE.EXE (PID: 1608)

  • INFO

    • Reads the computer name

      • Client.exe (PID: 3440)
      • Client.exe (PID: 3484)
      • Client.exe (PID: 3204)
      • Client.exe (PID: 3828)
      • ONENOTE.EXE (PID: 1608)
      • C1E9.tmp (PID: 2056)
      • wmpnscfg.exe (PID: 1088)
      • wmpnscfg.exe (PID: 3556)
      • Client.exe (PID: 3844)

    • Create files in a temporary directory

      • Client.exe (PID: 3440)
      • Client.exe (PID: 3828)
      • ONENOTE.EXE (PID: 1608)

    • Checks supported languages

      • Client.exe (PID: 3844)
      • Client.exe (PID: 3484)
      • Client.exe (PID: 3204)
      • Client.exe (PID: 3440)
      • wmpnscfg.exe (PID: 3556)
      • Client.exe (PID: 3828)
      • ONENOTE.EXE (PID: 1608)
      • C1E9.tmp (PID: 2056)
      • ONENOTEM.EXE (PID: 1836)
      • wmpnscfg.exe (PID: 1088)

    • Reads the machine GUID from the registry

      • Client.exe (PID: 3484)
      • Client.exe (PID: 3204)
      • Client.exe (PID: 3844)
      • Client.exe (PID: 3828)
      • ONENOTE.EXE (PID: 1608)
      • wmpnscfg.exe (PID: 3556)
      • wmpnscfg.exe (PID: 1088)

    • Checks transactions between databases Windows and Oracle

      • Client.exe (PID: 3484)

    • Creates files in the program directory

      • Client.exe (PID: 3828)

    • Creates files or folders in the user directory

      • Client.exe (PID: 3828)
      • printfilterpipelinesvc.exe (PID: 2196)
      • ONENOTE.EXE (PID: 1608)

    • Reads Environment values

      • ONENOTE.EXE (PID: 1608)

    • Dropped object may contain TOR URL's

      • Client.exe (PID: 3828)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 1088)
      • rundll32.exe (PID: 3076)
      • wmpnscfg.exe (PID: 3556)
      • notepad.exe (PID: 2692)
      • rundll32.exe (PID: 956)

    • Checks proxy server information

      • ONENOTE.EXE (PID: 1608)

    • Reads Microsoft Office registry keys

      • ONENOTE.EXE (PID: 1608)

    • Application launched itself

      • msedge.exe (PID: 3148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (89.3)
.exe | Win32 Executable Delphi generic (4.8)
.dll | Win32 Dynamic Link Library (generic) (2.2)
.exe | Win32 Executable (generic) (1.5)
.exe | Win16/32 Executable Delphi generic (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:20 00:22:17+02:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
87
Monitored processes
37
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start client.exe client.exe no specs client.exe no specs CMSTPLUA no specs wmpnscfg.exe no specs client.exe no specs #LOCKBIT client.exe printfilterpipelinesvc.exe no specs c1e9.tmp no specs onenote.exe cmd.exe no specs onenotem.exe no specs wmpnscfg.exe no specs rundll32.exe no specs notepad.exe no specs rundll32.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
664"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3900 --field-trial-handle=1292,i,2996793529192232671,11966406071534438800,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
780"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4244 --field-trial-handle=1292,i,2996793529192232671,11966406071534438800,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
900"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3332 --field-trial-handle=1292,i,2996793529192232671,11966406071534438800,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
956"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Downloads\joinmsn.png.TdGeIqAUnC:\Windows\System32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
984"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~2\C1E9.tmp >> NULC:\Windows\System32\cmd.exeC1E9.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1088"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
1528"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4244 --field-trial-handle=1292,i,2996793529192232671,11966406071534438800,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
1608/insertdoc "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{46BCBC9D-B8B1-4CC2-BD6A-28A0D2A35D18}.xps" 133436024234110000C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE
printfilterpipelinesvc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft OneNote
Exit code:
0
Version:
14.0.6022.1000
1836/tsrC:\Program Files\Microsoft Office\Office14\ONENOTEM.EXEONENOTE.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft OneNote Quick Launcher
Exit code:
0
Version:
14.0.6015.1000
2056"C:\ProgramData\C1E9.tmp"C:\ProgramData\C1E9.tmpClient.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221225547
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
66
Suspicious files
1 511
Text files
982
Unknown types
0

Dropped files

PID
Process
Filename
Type
3440Client.exeC:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\DW20.EXEexecutable
MD5:02EE6A3424782531461FB2F10713D3C1
SHA256:EAD58C483CB20BCD57464F8A4929079539D634F469B213054BF737D227C026DC
3440Client.exeC:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\dwtrig20.exeexecutable
MD5:CF6C595D3E5E9667667AF096762FD9C4
SHA256:593E60CC30AE0789448547195AF77F550387F6648D45847EA244DD0DD7ABF03D
3440Client.exeC:\MSOCache\All Users\{90140000-006E-0411-0000-0000000FF1CE}-C\DW20.EXEexecutable
MD5:02EE6A3424782531461FB2F10713D3C1
SHA256:EAD58C483CB20BCD57464F8A4929079539D634F469B213054BF737D227C026DC
3440Client.exeC:\MSOCache\All Users\{90140000-006E-0416-0000-0000000FF1CE}-C\dwtrig20.exeexecutable
MD5:CF6C595D3E5E9667667AF096762FD9C4
SHA256:593E60CC30AE0789448547195AF77F550387F6648D45847EA244DD0DD7ABF03D
3440Client.exeC:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\ose.exeexecutable
MD5:58B58875A50A0D8B5E7BE7D6AC685164
SHA256:2A0AA0763FDEF9C38C5DD4D50703F0C7E27F4903C139804EC75E55F8388139AE
3440Client.exeC:\MSOCache\All Users\{90140000-006E-041F-0000-0000000FF1CE}-C\DW20.EXEexecutable
MD5:02EE6A3424782531461FB2F10713D3C1
SHA256:EAD58C483CB20BCD57464F8A4929079539D634F469B213054BF737D227C026DC
3440Client.exeC:\MSOCache\All Users\{90140000-006E-0419-0000-0000000FF1CE}-C\dwtrig20.exeexecutable
MD5:CF6C595D3E5E9667667AF096762FD9C4
SHA256:593E60CC30AE0789448547195AF77F550387F6648D45847EA244DD0DD7ABF03D
3440Client.exeC:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\dwtrig20.exeexecutable
MD5:CF6C595D3E5E9667667AF096762FD9C4
SHA256:593E60CC30AE0789448547195AF77F550387F6648D45847EA244DD0DD7ABF03D
3440Client.exeC:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\setup.exeexecutable
MD5:566ED4F62FDC96F175AFEDD811FA0370
SHA256:E17CD94C08FC0E001A49F43A0801CEA4625FB9AEE211B6DFEBEBEC446C21F460
3440Client.exeC:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\DW20.EXEexecutable
MD5:02EE6A3424782531461FB2F10713D3C1
SHA256:EAD58C483CB20BCD57464F8A4929079539D634F469B213054BF737D227C026DC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
34
DNS requests
43
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3140
msedge.exe
GET
302
2.19.246.123:80
http://go.microsoft.com/fwlink/?LinkId=57426&Ext=TdGeIqAUn
unknown
unknown
3140
msedge.exe
GET
301
2.16.164.123:80
http://shell.windows.com/fileassoc/fileassoc.asp?Ext=TdGeIqAUn
unknown
unknown
1608
ONENOTE.EXE
GET
200
67.27.234.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0456d18720ece402
unknown
compressed
4.66 Kb
unknown
1608
ONENOTE.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D
unknown
binary
471 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
2588
svchost.exe
239.255.255.250:1900
whitelisted
1608
ONENOTE.EXE
13.107.42.12:443
docs.live.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
1608
ONENOTE.EXE
67.27.234.126:80
ctldl.windowsupdate.com
LEVEL3
US
unknown
1608
ONENOTE.EXE
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
3140
msedge.exe
2.19.96.107:443
www.bing.com
unknown
3148
msedge.exe
239.255.255.250:1900
whitelisted
3140
msedge.exe
2.19.246.123:80
go.microsoft.com
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
docs.live.net
  • 13.107.42.12
whitelisted
ctldl.windowsupdate.com
  • 67.27.234.126
  • 8.253.95.249
  • 8.241.11.254
  • 67.27.233.254
  • 67.27.159.126
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 2.19.246.123
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
nav-edge.smartscreen.microsoft.com
  • 20.105.95.163
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
shell.windows.com
  • 2.16.164.123
  • 2.16.164.16
whitelisted
data-edge.smartscreen.microsoft.com
  • 20.105.95.163
whitelisted
www.bing.com
  • 2.19.96.107
  • 2.19.96.83
  • 2.19.96.120
  • 2.19.96.128
  • 2.19.96.82
  • 2.19.96.90
  • 2.19.96.123
  • 2.19.96.88
  • 2.19.96.91
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Client.exe