File name: NDP481-Web (1).exe
Full analysis: https://app.any.run/tasks/57955a57-196c-45cf-a4a8-415324e7942b
Verdict: Malicious activity
Analysis date: January 05, 2025, 15:15:54
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 39304CE18D93EEEB6EFA488387ADAED8
SHA1: 22C974F3865CCE3F0EC385DD9C0B291CA045BC2C
SHA256: 05E9ADA305FD0013A6844E7657F06ED330887093E3DF59C11CB528B86EFA3FBF
SSDEEP: 49152:AIyyfl6pwuJlZ/koJ2LdbHDdEQwWiS4G1RlTnVVi93WTCdgJliViVXHGL4e8VZMM:9yiUmu7xR2LdbHDhwPsRlTVoGTHJlYaR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process drops a legitimate Windows executable

      • NDP481-Web (1).exe (PID: 6280)
    • Starts a Microsoft application from an unusual location

      • NDP481-Web (1).exe (PID: 6280)
      • NDP481-Web (1).exe (PID: 1580)
    • Executable content was dropped or overwritten

      • NDP481-Web (1).exe (PID: 6280)
    • Creates files in the system drive root

      • NDP481-Web (1).exe (PID: 6280)
  • INFO

    • The sample was compiled with language support for English, Chinese, Korean, Japanese, Arabic, Czech, Portuguese, Swedish, Italian, Polish, Russian, German, Spanish, Turkish and French

      • NDP481-Web (1).exe (PID: 6280)
    • Creates files in a temporary directory

      • NDP481-Web (1).exe (PID: 6280)
      • Setup.exe (PID: 6404)
    • Reads the machine GUID from the registry

      • NDP481-Web (1).exe (PID: 6280)
    • Checks supported languages

      • NDP481-Web (1).exe (PID: 6280)
      • Setup.exe (PID: 6404)
    • Reads the computer name

      • NDP481-Web (1).exe (PID: 6280)
      • Setup.exe (PID: 6404)
    • Reads CPU info

      • Setup.exe (PID: 6404)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

TRiD percentages are pattern-match confidence, not a file-type verdict. Its top guess (Win64) disagrees with the PE header below, which is authoritative: the image is PE32, machine type i386, with the 32-bit characteristic set.

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:07:16 21:09:16+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 160256
InitializedDataSize: 29184
UninitializedDataSize: -
EntryPoint: 0x18ee7
OSVersion: 5.1
ImageVersion: 10
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 4.8.9195.10
ProductVersionNumber: 4.8.9195.10
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft .NET Framework 4.8.1 Setup
FileVersion: 4.8.09195.10
InternalName: NDP481-Web.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: NDP481-Web.exe
ProductName: Microsoft .NET Framework 4.8.1
ProductVersion: 4.8.09195.10
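The EXIF table above is what a PE-header parser reports. As an added worked example, not part of the ANY.RUN report and not code from Microsoft's installer, the Python below reads the DOS header, the COFF file header and the PE32 optional header with the standard library only and renders the same fields the table shows: machine, section count, link timestamp, characteristics, linker/OS/image/subsystem versions, code and data sizes, entry point and subsystem. The installer's bytes are not on this page, so `build_sample_pe32()` constructs a minimal header carrying the table's values; it is a constructed input, not the real file.

```python
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows console"}
CHARACTERISTICS = [(0x0002, "Executable"), (0x0020, "Large address aware"),
                   (0x0100, "32-bit"), (0x2000, "DLL")]


def parse_pe_header(data: bytes) -> dict:
    """Read the fields an EXIF-style PE summary reports, straight from the image bytes.

    Layout (little-endian throughout): DOS header with e_lfanew at 0x3C, the PE signature,
    a 20-byte COFF file header, then the optional header (magic 0x10B = PE32; PE32+ is rejected).
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsections, stamp, _symtab, _nsyms, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20
    magic, maj_link, min_link, code, init, uninit, entry = struct.unpack_from("<HBBIIII", data, oh)
    if magic != 0x10B:
        raise ValueError(f"not a PE32 image (optional-header magic 0x{magic:x})")
    maj_os, min_os, maj_img, min_img, maj_sub, min_sub = struct.unpack_from("<HHHHHH", data, oh + 40)
    subsystem = struct.unpack_from("<H", data, oh + 68)[0]
    return {
        "machine": MACHINE_NAMES.get(machine, f"0x{machine:04x}"),
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "characteristics": [name for bit, name in CHARACTERISTICS if chars & bit],
        "pe_type": "PE32",
        "linker_version": f"{maj_link}.{min_link}",
        "code_size": code,
        "initialized_data_size": init,
        "uninitialized_data_size": uninit,
        "entry_point": f"0x{entry:x}",
        "os_version": f"{maj_os}.{min_os}",
        "image_version": f"{maj_img}.{min_img}",
        "subsystem_version": f"{maj_sub}.{min_sub}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def build_sample_pe32() -> bytes:
    """Constructed input: a minimal PE32 header populated with the values from the report's EXIF table.

    These are not the installer's bytes; only the header fields the parser reads are meaningful.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE signature right after the DOS header
    stamp = int(datetime(2017, 7, 16, 21, 9, 16, tzinfo=timezone.utc).timestamp())
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 6, stamp, 0, 0, 224, 0x0002 | 0x0020 | 0x0100)
    opt = bytearray(224)                                       # a PE32 optional header is 0xE0 bytes
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 10, 0, 160256, 29184, 0, 0x18EE7)
    struct.pack_into("<HHHHHH", opt, 40, 5, 1, 10, 0, 5, 1)   # OS 5.1, image 10.0, subsystem 5.1
    struct.pack_into("<H", opt, 68, 2)                         # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_pe32()).items():
        print(f"{key}: {value}")
```

On a real sample call `parse_pe_header(open(path, "rb").read())`. Treat the timestamp as a hint rather than evidence: it is written by the linker, so a stamp that predates the product version is not by itself a sign of tampering, and a stamp that looks plausible proves nothing.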
Total processes: 129
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

explorer.exe
  NDP481-Web (1).exe (PID 1580, MEDIUM integrity, exit code 0xC000042C STATUS_ELEVATION_REQUIRED)
  NDP481-Web (1).exe (PID 6280, HIGH integrity)
    Setup.exe /x86 /x64 /web (PID 6404, HIGH integrity)

Setup.exe's parent is reported by name only; it is placed under PID 6280 because that instance extracted C:\90f0f0fb33aef269aa\ (see the dropped files below) and shares its HIGH integrity level.

Reading the counts: the sandbox's automated verdict is "Malicious activity" and it counts one malicious process, yet the signature section lists no entry under MALICIOUS. Every behaviour recorded (dropping Microsoft-signed binaries into a random-named folder in the drive root, requesting elevation, running Setup.exe /x86 /x64 /web) is what the .NET Framework web installer does by design, so the verdict should be confirmed rather than trusted: validate the file's Authenticode signature and compare its SHA256 with the installer obtained from Microsoft's download page. The version-info strings (CompanyName, ProductName, FileDescription) are free-form and trivially forged, so they prove nothing on their own.

Process information

PID 1580
  CMD: "C:\Users\admin\AppData\Local\Temp\NDP481-Web (1).exe"
  Path: C:\Users\admin\AppData\Local\Temp\NDP481-Web (1).exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft .NET Framework 4.8.1 Setup
  Version: 4.8.09195.10
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Modules (images):
    c:\users\admin\appdata\local\temp\ndp481-web (1).exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll

PID 6280
  CMD: "C:\Users\admin\AppData\Local\Temp\NDP481-Web (1).exe"
  Path: C:\Users\admin\AppData\Local\Temp\NDP481-Web (1).exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Microsoft .NET Framework 4.8.1 Setup
  Version: 4.8.09195.10
  Modules (images):
    c:\users\admin\appdata\local\temp\ndp481-web (1).exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll

PID 6404
  CMD: C:\90f0f0fb33aef269aa\\Setup.exe /x86 /x64 /web
  Path: C:\90f0f0fb33aef269aa\Setup.exe
  Parent process: NDP481-Web (1).exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Setup Installer
  Version: 14.8.9195.0 built by: NET481REL1LAST_B
  Modules (images):
    c:\90f0f0fb33aef269aa\setup.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\acgenral.dll

Two details in this table explain the "unusual location" hits on both PIDs 1580 and 6280. PID 1580 has only the image and ntdll mapped and exited with STATUS_ELEVATION_REQUIRED: it is the medium-integrity launch from explorer.exe that was terminated at creation because the image requests elevation. PID 6280 is the same command line with the same parent at HIGH integrity, the elevated relaunch after the UAC prompt. The wow64.dll / wow64win.dll / wow64cpu.dll and syswow64 copies of ntdll and kernel32 confirm a 32-bit image running under WoW64 on the 64-bit guest; acgenral.dll in Setup.exe means the application-compatibility engine applied a shim to it.
Total events: 223
Read events: 223
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 29
Suspicious files: 0
Text files: 78
Unknown types: 0

Dropped files

Ten entries are shown here, all images written by PID 6280 into C:\90f0f0fb33aef269aa\. The 29 executable files counted above are not listed on this page; their names and hashes need the full report.

PID 6280, NDP481-Web (1).exe, C:\90f0f0fb33aef269aa\Graphics\Rotate2.ico (image)
  MD5: F824905E5501603E6720B784ADD71BDD
  SHA256: D15A6F1EEFEFE4F9CD51B7B22E9C7B07C7ACAD72FD53E5F277E6D4E0976036C3
PID 6280, NDP481-Web (1).exe, C:\90f0f0fb33aef269aa\watermark.bmp (image)
  MD5: B0075CEE80173D764C0237E840BA5879
  SHA256: AB18374B3AAB10E5979E080D0410579F9771DB888BA1B80A5D81BA8896E2D33A
PID 6280, NDP481-Web (1).exe, C:\90f0f0fb33aef269aa\Graphics\Rotate7.ico (image)
  MD5: B4947D242AB4A902031FCD1FFD3A56CD
  SHA256: 995C9F4EA0D98C0C4E5037EDE43FC44A680D85CB1E37C782ADAB775915E975B8
PID 6280, NDP481-Web (1).exe, C:\90f0f0fb33aef269aa\Graphics\Print.ico (image)
  MD5: D39BAD9DDA7B91613CB29B6BD55F0901
  SHA256: D80FFEB020927F047C11FC4D9F34F985E0C7E5DFEA9FB23F2BC134874070E4E6
PID 6280, NDP481-Web (1).exe, C:\90f0f0fb33aef269aa\Graphics\Rotate10.ico (image)
  MD5: 0CCA04A3468575FDCEFEE9957E32F904
  SHA256: B94E68C711B3B06D9A63C80AD013C7C7BBDB5F8E82CBC866B246FF22D99B03FE
PID 6280, NDP481-Web (1).exe, C:\90f0f0fb33aef269aa\SplashScreen.bmp (image)
  MD5: BC32088BFAA1C76BA4B56639A2DEC592
  SHA256: B05141DBC71669A7872A8E735E5E43A7F9713D4363B7A97543E1E05DCD7470A7
PID 6280, NDP481-Web (1).exe, C:\90f0f0fb33aef269aa\Graphics\Rotate1.ico (image)
  MD5: 9B70C7FA81DCA6D3B992037D0C251D92
  SHA256: 18226B9D56D2B1C070A2C606428892773CB00B5B4B95397E79D01DE26685CCD4
PID 6280, NDP481-Web (1).exe, C:\90f0f0fb33aef269aa\DisplayIcon.ico (image)
  MD5: F9657D290048E169FFABBBB9C7412BE0
  SHA256: B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
PID 6280, NDP481-Web (1).exe, C:\90f0f0fb33aef269aa\Graphics\Rotate4.ico (image)
  MD5: 267B198FEF022D3B1D44CCA7FE589373
  SHA256: 303989B692A57FE34B47BB2F926B91AC605F288AE6C9479B33EAF15A14EB33AC
PID 6280, NDP481-Web (1).exe, C:\90f0f0fb33aef269aa\Graphics\Save.ico (image)
  MD5: C66BBE8F84496EF85F7AF6BED5212CEC
  SHA256: 1372C7F132595DDAD210C617E44FEDFF7A990A9E8974CC534CA80D897DD15ABD
HTTP(S) requests: 7
TCP/UDP connections: 32
DNS requests: 17
Threats: 0

HTTP requests

Columns: PID, process, method, HTTP code, IP:port, CN, reputation, then the URL on the next line. The Type and Size columns were empty for every row.

1176 svchost.exe GET 200 192.229.221.95:80 (CN: unknown, reputation: whitelisted)
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
4712 MoUsoCoreWorker.exe GET 200 184.30.21.171:80 (CN: unknown, reputation: whitelisted)
  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
4712 MoUsoCoreWorker.exe GET 200 23.48.23.156:80 (CN: unknown, reputation: whitelisted)
  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
(PID and process not recorded) GET 200 192.229.221.95:80 (CN: unknown, reputation: whitelisted)
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
6876 SIHClient.exe GET 200 184.30.21.171:80 (CN: unknown, reputation: whitelisted)
  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
5432 backgroundTaskHost.exe GET 200 192.229.221.95:80 (CN: unknown, reputation: whitelisted)
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
6876 SIHClient.exe GET 200 184.30.21.171:80 (CN: unknown, reputation: whitelisted)
  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl

None of the seven requests is attributed to the sample's processes (PIDs 1580, 6280, 6404). All are Windows components (svchost.exe, MoUsoCoreWorker.exe, SIHClient.exe, backgroundTaskHost.exe) fetching CRLs and OCSP responses; plain HTTP is the normal transport for revocation data, so port 80 here is not a finding. Whether the web installer reached its own download endpoint is not visible on this page.

Connections (10 of 32 shown; "-" marks a column the report left empty)

PID   Process               Remote                Domain              ASN                           CN   Reputation
3884  svchost.exe           20.73.194.208:443     -                   MICROSOFT-CORP-MSN-AS-BLOCK   NL   whitelisted
-     -                     192.168.100.255:137   -                   -                             -    whitelisted
-     -                     20.73.194.208:443     -                   MICROSOFT-CORP-MSN-AS-BLOCK   NL   whitelisted
4712  MoUsoCoreWorker.exe   23.48.23.156:80       crl.microsoft.com   Akamai International B.V.     DE   whitelisted
4712  MoUsoCoreWorker.exe   184.30.21.171:80      www.microsoft.com   AKAMAI-AS                     DE   whitelisted
5064  SearchApp.exe         104.126.37.128:443    www.bing.com        Akamai International B.V.     DE   whitelisted
-     -                     192.229.221.95:80     ocsp.digicert.com   EDGECAST                      US   whitelisted
4     System                192.168.100.255:138   -                   -                             -    whitelisted
1176  svchost.exe           40.126.32.136:443     login.live.com      MICROSOFT-CORP-MSN-AS-BLOCK   NL   whitelisted
1176  svchost.exe           192.229.221.95:80     ocsp.digicert.com   EDGECAST                      US   whitelisted

The two 192.168.100.255 rows are NetBIOS name-service (137/udp) and datagram-service (138/udp) broadcasts to the guest's local subnet, not outbound traffic. As with the HTTP requests, no listed connection belongs to the sample's process tree.
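The process table and the two network tables call for the same first analyst step: decide which events belong to the sample and which are the guest OS talking to itself. The Python below is an added example, not ANY.RUN's signature logic and not code from the report. It rebuilds the sample's process tree from the table (parents are given by name, so the tree is grown by name), pairs the medium-integrity instance that died with STATUS_ELEVATION_REQUIRED with its high-integrity relaunch, decodes NTSTATUS exit codes, and filters the HTTP and connection rows by that tree. `indicators()` is an assumed approximation of how the two SUSPICIOUS signatures might work, not ANY.RUN's rules; `PROCS` and `NET_EVENTS` are constructed from the rows on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# NTSTATUS values (ntstatus.h) that commonly surface as process exit codes.
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def decode_exit_code(code: int) -> str:
    """Render an exit code as NTSTATUS; bits 31..30 carry the severity (0b11 = error)."""
    return f"0x{code:08X} ({NTSTATUS_NAMES.get(code, 'unknown')}, {SEVERITY[code >> 30]})"


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    path: str
    parent: str            # the report names the parent by image, not by PID
    integrity: str
    company: str
    exit_code: Optional[int] = None


# Constructed from the report's process table (the three monitored processes).
SAMPLE = "NDP481-Web (1).exe"
PROCS = [
    Proc(1580, SAMPLE, r"C:\Users\admin\AppData\Local\Temp\NDP481-Web (1).exe",
         "explorer.exe", "MEDIUM", "Microsoft Corporation", 3221226540),
    Proc(6280, SAMPLE, r"C:\Users\admin\AppData\Local\Temp\NDP481-Web (1).exe",
         "explorer.exe", "HIGH", "Microsoft Corporation"),
    Proc(6404, "Setup.exe", r"C:\90f0f0fb33aef269aa\Setup.exe",
         SAMPLE, "HIGH", "Microsoft Corporation"),
]
# Constructed from the report's HTTP-request and connection tables: (pid, image, remote, domain).
NET_EVENTS = [
    (1176, "svchost.exe", "192.229.221.95:80", "ocsp.digicert.com"),
    (4712, "MoUsoCoreWorker.exe", "184.30.21.171:80", "www.microsoft.com"),
    (4712, "MoUsoCoreWorker.exe", "23.48.23.156:80", "crl.microsoft.com"),
    (6876, "SIHClient.exe", "184.30.21.171:80", "www.microsoft.com"),
    (5432, "backgroundTaskHost.exe", "192.229.221.95:80", "ocsp.digicert.com"),
    (5064, "SearchApp.exe", "104.126.37.128:443", "www.bing.com"),
    (1176, "svchost.exe", "40.126.32.136:443", "login.live.com"),
]

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ROOT_RANDOM_DIR = re.compile(r"^[a-z]:\\[0-9a-f]{12,}\\", re.IGNORECASE)


def sample_tree(procs, sample_image):
    """PIDs of the sample and everything descended from it, following parent names transitively."""
    pids = {p.pid for p in procs if p.image.lower() == sample_image.lower()}
    names = {sample_image.lower()}
    grew = True
    while grew:
        grew = False
        for p in procs:
            if p.pid not in pids and p.parent.lower() in names:
                pids.add(p.pid)
                names.add(p.image.lower())
                grew = True
    return pids


def indicators(p: Proc):
    """Assumed re-implementation of the SUSPICIOUS heuristics (a hypothesis, not ANY.RUN's rules)."""
    found = []
    if p.company == "Microsoft Corporation" and not p.path.lower().startswith(TRUSTED_DIRS):
        found.append("Microsoft application started from an unusual location")
    if ROOT_RANDOM_DIR.match(p.path):
        found.append("runs from a random-named directory in the drive root")
    if p.exit_code is not None and p.exit_code >> 30 == 3:
        found.append("exited with " + decode_exit_code(p.exit_code))
    return found


def elevation_relaunches(procs):
    """(medium PID, high PID) pairs with the same path and parent, the first terminated with
    STATUS_ELEVATION_REQUIRED: the trace a UAC prompt leaves when an image requests elevation."""
    return [(a.pid, b.pid) for a in procs for b in procs
            if a.exit_code == 0xC000042C and a.integrity == "MEDIUM"
            and b is not a and b.path == a.path and b.parent == a.parent and b.integrity == "HIGH"]


def sample_network(procs, events, sample_image):
    """Network events attributable to the sample's tree; everything else is background OS traffic."""
    tree = sample_tree(procs, sample_image)
    return [e for e in events if e[0] in tree]


if __name__ == "__main__":
    print("sample tree:", sorted(sample_tree(PROCS, SAMPLE)))
    print("UAC relaunches:", elevation_relaunches(PROCS))
    for p in PROCS:
        print(p.pid, p.image, indicators(p))
    print("sample network events:", sample_network(PROCS, NET_EVENTS, SAMPLE))
```

For this report the tree is {1580, 6280, 6404}, the relaunch pair is (1580, 6280) and the attributed network list is empty, which is the point: every row in the HTTP and connection tables comes from a PID outside the tree. Matching parents by name is a weakness of this input format; when the sandbox exports parent PIDs, match on those instead, since two unrelated processes can share an image name.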

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
google.com
  • 216.58.206.46
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.bing.com
  • 104.126.37.128
  • 104.126.37.131
  • 104.126.37.152
  • 104.126.37.186
  • 104.126.37.160
  • 104.126.37.146
  • 104.126.37.170
  • 104.126.37.161
  • 104.126.37.185
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.136
  • 20.190.160.14
  • 40.126.32.140
  • 40.126.32.134
  • 20.190.160.20
  • 40.126.32.76
  • 40.126.32.72
  • 20.190.160.17
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted

Threats

No threats detected
No debug info