File name:

myfile.exe

Full analysis: https://app.any.run/tasks/7b47b862-c456-4e06-939d-82af757153fc
Verdict: Malicious activity
Analysis date: January 08, 2024, 12:52:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5:

E57D1405893F48BACAD8ACFC6E0F677E

SHA1:

E799C03E455AA0F6E2A12A7017EEA97C24CBAF09

SHA256:

FFEE1DD5823819F07E78A39B77EC50A6E2ACE983352134647155A52CA58FD44D

SSDEEP:

12288:0A0SEiGBzz3nKAiQ7GcwqxYfMmXnAA/TYw3f:0AKiGBzz3njj7GcwiYkmXnAA7Ywv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Runs injected code in another process

      • itxos.exe (PID: 1404)

    • Scans artifacts that could help determine the target

      • WinMail.exe (PID: 1392)

  • SUSPICIOUS

    • Reads Internet Explorer settings

      • WinMail.exe (PID: 1392)

    • Reads Microsoft Outlook installation path

      • WinMail.exe (PID: 1392)

    • Reads the Internet Settings

      • WinMail.exe (PID: 1392)

    • Detected use of alternative data streams (AltDS)

      • WinMail.exe (PID: 1392)

    • Checks Windows Trust Settings

      • WinMail.exe (PID: 1392)

    • Reads security settings of Internet Explorer

      • WinMail.exe (PID: 1392)

    • Reads settings of System Certificates

      • WinMail.exe (PID: 1392)

    • Executing commands from a ".bat" file

      • myfile.exe (PID: 124)

    • Starts CMD.EXE for commands execution

      • myfile.exe (PID: 124)

  • INFO

    • Checks supported languages

      • itxos.exe (PID: 1404)
      • myfile.exe (PID: 124)
      • WinMail.exe (PID: 1392)

    • Reads the computer name

      • myfile.exe (PID: 124)
      • itxos.exe (PID: 1404)
      • WinMail.exe (PID: 1392)

    • Drops the executable file immediately after the start

      • myfile.exe (PID: 124)
      • WinMail.exe (PID: 1392)

    • Application was injected by another process

      • taskeng.exe (PID: 300)
      • dwm.exe (PID: 612)

    • Creates files or folders in the user directory

      • myfile.exe (PID: 124)
      • WinMail.exe (PID: 1392)

    • Reads the machine GUID from the registry

      • myfile.exe (PID: 124)
      • WinMail.exe (PID: 1392)

    • Checks proxy server information

      • WinMail.exe (PID: 1392)

    • Create files in a temporary directory

      • WinMail.exe (PID: 1392)
      • myfile.exe (PID: 124)

    • Manual execution by a user

      • cmd.exe (PID: 1844)

    • Drops a self-deleting batch file

      • myfile.exe (PID: 124)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:01:23 19:05:57+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 4.22
CodeSize: 4608
InitializedDataSize: 301056
UninitializedDataSize: -
EntryPoint: 0x11ae
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start inject inject myfile.exe no specs itxos.exe no specs taskeng.exe dwm.exe winmail.exe no specs cmd.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
124"C:\Users\admin\AppData\Local\Temp\myfile.exe" C:\Users\admin\AppData\Local\Temp\myfile.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\myfile.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ipsmsnap.dll
300taskeng.exe {CE1452CD-5E82-4DCD-B0CC-498574D17563}C:\Windows\System32\taskeng.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Engine
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskeng.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
612"C:\Windows\system32\Dwm.exe"C:\Windows\System32\dwm.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Desktop Window Manager
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\uxtheme.dll
1392"C:\Program Files\Windows Mail\WinMail.exe" -EmbeddingC:\Program Files\Windows Mail\WinMail.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Mail
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows mail\winmail.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1404"C:\Users\admin\AppData\Roaming\Fyuq\itxos.exe"C:\Users\admin\AppData\Roaming\Fyuq\itxos.exemyfile.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\fyuq\itxos.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ipsmsnap.dll
1844"C:\Windows\system32\cmd.exe" C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2000"C:\Windows\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\tmp03cebda9.bat"C:\Windows\System32\cmd.exemyfile.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
4 758
Read events
4 718
Write events
34
Delete events
6

Modification events

(PID) Process:(300) taskeng.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Ofedz
Operation:writeName:9999882
Value:
HgcQoQ==
(PID) Process:(1392) WinMail.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
Operation:writeName:StoreMigratedV5
Value:
1
(PID) Process:(1392) WinMail.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
Operation:writeName:Settings Upgraded
Value:
10
(PID) Process:(1392) WinMail.exeKey:HKEY_CURRENT_USER\Software\Microsoft\IAM
Operation:writeName:Server ID
Value:
2
(PID) Process:(1392) WinMail.exeKey:HKEY_CURRENT_USER\Identities
Operation:writeName:Identity Ordinal
Value:
2
(PID) Process:(1392) WinMail.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
Operation:writeName:LastBackup
Value:
E1070A0004000500090014000400CA01
(PID) Process:(1392) WinMail.exeKey:HKEY_CURRENT_USER\Software\Microsoft\IAM
Operation:writeName:Default News Account
Value:
account{30CE7C98-AA27-4327-91CA-78FA20FFA850}.oeaccount
(PID) Process:(1392) WinMail.exeKey:HKEY_CURRENT_USER\Software\Microsoft\WAB
Operation:delete valueName:NamedProps
Value:
0420060000000000C00000000000004604000000000000800E0000000100330032003800350034000000000001800E0000000100330032003800350035000000000002800E0000000100330032003800350036000000000003800E0000000100330032003800350037000000
(PID) Process:(1392) WinMail.exeKey:HKEY_CURRENT_USER\Software\Microsoft\WAB
Operation:delete valueName:NamedPropCount
Value:
1
(PID) Process:(1392) WinMail.exeKey:HKEY_CURRENT_USER\Software\Microsoft\WAB
Operation:delete valueName:NamedProps
Value:
0420060000000000C00000000000004604000000000000800E0000000100330032003800350034000000000001800E0000000100330032003800350035000000000002800E0000000100330032003800350036000000000003800E0000000100330032003800350037000000813284C18505D011B29000AA003CF6760B000000000004800E0000000100330032003700360039000000000005800E0000000100330032003700370030000000000006800E0000000100330032003700370031000000000007800E0000000100330032003700370032000000000008800E0000000100330032003700370033000000000009800E000000010033003200370037003400000000000A800E000000010033003200370037003500000000000B800E000000010033003200370037003600000000000C800E000000010033003200370037003700000000000D800E000000010033003200370037003800000000000E800E0000000100330032003700370039000000
Executable files
2
Suspicious files
19
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
1392WinMail.exeC:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStorebinary
MD5:997543EC1CDE4A69BDB404E5154E41DB
SHA256:AB06476A058AB0AE50167F776C6ECE590996FA39BAC9F12F2875897EBBBBDCCF
1392WinMail.exeC:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.chkbinary
MD5:8772FAEDBEB9D6AED5283C0825590CFC
SHA256:9558AAB47E4698D28B94D6352085475B390AD43BD9B5BBDFBE6FDCD69545DBF4
1392WinMail.exeC:\Users\admin\AppData\Local\Microsoft\Windows Mail\edbtmp.logbinary
MD5:ECB810651982A35EAF8D17C1FC4C07DA
SHA256:2DEF1901FDC1358A764603EA71EBE0A342469B0C5262D313BE27AECE03BC5533
1392WinMail.exeC:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.folbinary
MD5:1D1A60631EFCF505795FB06471CB6A48
SHA256:87EED194D869F1DEC6EBF639E985101ABAD37F6E5A347237A1B056B2DCBFC481
1392WinMail.exeC:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStorebinary
MD5:B45D26E7688E37C569E7E5EAA0A96854
SHA256:98D332C69FAB689D76A9923C57BF9998F2D665EE2A7789A7AA59AA516DD1FF00
1392WinMail.exeC:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.folbinary
MD5:639576DAA0EC432482ADC290DB5DA4CC
SHA256:B56D2C191A46CB8E816BA1B23DAED89947628DBAEFE28B430412B1E507AD9161
1392WinMail.exeC:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.folbinary
MD5:4BCBF3AE2DB0F8AEE8E792FD9BA8DA7F
SHA256:1A17F24F9D36E0ABE7E2C7C1AD06E30E9EBE674ED2E2E2E0FB9FD451C4D64B51
1392WinMail.exeC:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\51B51D64-00000001.emlbinary
MD5:CB071D274A42B95D7EDAB8855017D890
SHA256:7712804AD1FFAF528261D2B2178770495B883B6390B4BFCF6DB8E730FD365396
1392WinMail.exeC:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.folbinary
MD5:9EF0149FAEFF67AA41DA62C9A4B3226C
SHA256:4B8D7DCC16F962586F50184B40E8AD4D2B6E1980ECCACE178BC4B4D645751E49
1392WinMail.exeC:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.folbinary
MD5:A5A0F30BE56681F64A28A7BA72226EDE
SHA256:3EEE27C62FC3440D58C3BE414473A41809A372D2F9174CF0DB3059E21CC50225
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
10
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
276
taskhost.exe
66.159.154.0:29411
unknown
276
taskhost.exe
83.20.6.42:22693
unknown
276
taskhost.exe
178.37.165.192:10076
unknown
276
taskhost.exe
82.211.186.140:29092
unknown
276
taskhost.exe
199.59.157.124:11145
unknown
276
taskhost.exe
95.237.204.30:25633
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
myfile.exe