File name: 06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe
Full analysis: https://app.any.run/tasks/42a8e136-0e66-4849-a76b-6f24eb8c219f
Verdict: Malicious activity
Analysis date: May 16, 2025, 05:13:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: tofsee
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: 0B8B8F020B56E9CF8151CB1D4AE5D875
SHA1: 622C0A80A497AD4C0781705651AB18552165AD07
SHA256: 06AC5FC64C6E10E23E4BAD4DF969ED6A71DFAC3FFEC07F8C5F5AC265771F771C
SSDEEP: 49152:lsyf3NUckEfrfrfrfrfrfrfrfrfrfrfrfrfrfrfrfrfrfrfrfrfrfrfrfrfrfrfW:lZf8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is, for the reader's own assessment. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • TOFSEE has been detected (YARA)
      • svchost.exe (PID: 8016)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • 06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe (PID: 7340)
    • Executable content was dropped or overwritten
      • 06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe (PID: 7340)
    • Executes application which crashes
      • 06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe (PID: 7340)
      • dfyjqymc.exe (PID: 7948)
    • Detected use of alternative data streams (AltDS)
      • svchost.exe (PID: 8016)
    • Connects to SMTP port
      • svchost.exe (PID: 8016)
  • INFO
    • Reads the computer name
      • 06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe (PID: 7340)
      • dfyjqymc.exe (PID: 7948)
    • Create files in a temporary directory
      • 06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe (PID: 7340)
    • Checks supported languages
      • 06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe (PID: 7340)
    • The sample compiled with chinese language support
      • 06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe (PID: 7340)
    • Process checks computer location settings
      • 06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe (PID: 7340)

Two points worth keeping in mind when reading these signatures. The YARA hit, the alternate-data-stream use and the SMTP-port connection all sit on one process, svchost.exe (PID 8016), so that process, not the crashed submitted sample, is where the Tofsee payload is actually running; a svchost.exe that is not a child of services.exe and talks to port 25 is the thing to hunt for on a host. Alternate data streams are invisible to a plain directory listing; on a suspect machine enumerate them with dir /R or PowerShell's Get-Item -Stream * on the user profile and %TEMP%.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE
MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:09:24 23:06:32+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 65024
InitializedDataSize: 289792
UninitializedDataSize: -
EntryPoint: 0x2a34
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.4
ProductVersionNumber: 1.0.0.4
FileFlagsMask: 0x006f
FileFlags: Pre-release, Patched
FileOS: Unknown (0x40304)
ObjectFileType: Static library
FileSubtype: 81
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.4
InternalName: dgfjhdgfjdf.exe
LegalCopyright: Copyright (C) 2019, dfgjdgfhdgf
ProductVersion: 1.0.0.4

The VERSIONINFO resource is not credible and should not be used for attribution: FileOS is a value ExifTool cannot map to any known OS, ObjectFileType claims "Static library" for a GUI executable, FileSubtype 81 is meaningless for that type, InternalName and LegalCopyright are filler strings, and the 2019 copyright year postdates the 2018 link-time stamp in the PE header. Treat the timestamp itself as unverified for the same reason.
Total processes: 145
Monitored processes: 14
Malicious processes: 3
Suspicious processes: 0

Behavior graph (nodes in the order the graph lists them; "no specs" is the report's marker for a process with no signatures of its own)

  • start
  • 06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe
  • werfault.exe (no specs), seven instances
  • wusa.exe (no specs)
  • dfyjqymc.exe
  • werfault.exe (no specs)
  • #TOFSEE svchost.exe
  • werfault.exe (no specs)
  • slui.exe (no specs)

Process information

PID 6712: slui.exe
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent: svchost.exe
  User: admin; Integrity level: MEDIUM
  Company: Microsoft Corporation; Description: Windows Activation Client
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Exit code: not reported
  Modules: c:\windows\system32\slui.exe, ntdll.dll, kernel32.dll, kernelbase.dll, advapi32.dll, msvcrt.dll, sechost.dll, rpcrt4.dll, bcrypt.dll, user32.dll (all from c:\windows\system32)

PID 7340: 06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe (the submitted sample)
  CMD: "C:\Users\admin\AppData\Local\Temp\06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe"
  Path: C:\Users\admin\AppData\Local\Temp\06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe
  Parent: explorer.exe
  User: admin; Integrity level: MEDIUM
  Exit code: 3221225477 = 0xC0000005 (STATUS_ACCESS_VIOLATION). The sample itself crashed; the seven WerFault.exe instances below were all spawned for it (-p 7340), which is what the "Executes application which crashes" signature records.
  Modules: c:\users\admin\appdata\local\temp\06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\gdi32.dll (the wow64*.dll and SysWOW64 loads show the PE32 sample running as a 32-bit process under WOW64 on the 64-bit guest)

PIDs 7472, 7524, 7576, 7632, 7680, 7736, 7784: WerFault.exe (seven instances, identical apart from PID and the -s argument)
  CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7340 -s <n>, with n = 680 (PID 7472), 828 (7524), 836 (7576), 968 (7632), 992 (7680), 1008 (7736), 984 (7784)
  Path: C:\Windows\SysWOW64\WerFault.exe
  Parent: 06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe (PID 7340)
  User: admin; Integrity level: MEDIUM
  Company: Microsoft Corporation; Description: Windows Problem Reporting
  Version: 10.0.19041.3996 (WinBuild.160101.0800)
  Exit code: 0
  Modules (each instance): c:\windows\syswow64\werfault.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\combase.dll

PID 7808: wusa.exe
  CMD: "C:\Windows\System32\wusa.exe"
  Path: C:\Windows\SysWOW64\wusa.exe (the 32-bit parent asked for System32; WOW64 file-system redirection resolved it to the SysWOW64 copy)
  Parent: 06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe (PID 7340)
  User: admin; Integrity level: MEDIUM
  Company: Microsoft Corporation; Description: Windows Update Standalone Installer
  Version: 10.0.19041.3636 (WinBuild.160101.0800)
  Exit code: 3221226540 = 0xC000042C (STATUS_ELEVATION_REQUIRED). wusa.exe requires elevation and was started from a medium-integrity process, so it exited having loaded only ntdll; nothing else is recorded for it.
  Modules: c:\windows\syswow64\wusa.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll

Process records for dfyjqymc.exe (PID 7948) and for the YARA-flagged svchost.exe (PID 8016) are not included in this excerpt; they are in the full report linked above.
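Reading the exit codes in this table requires decoding them: ANY.RUN prints them in decimal, and any value at or above 0xC0000000 is an NTSTATUS error. The following Python script is an added example written for this page (not ANY.RUN's code and not taken from the sample): it carries the records copied from the table above, decodes the two NTSTATUS values they contain, and maps each WerFault.exe instance back to the crashing PID through its -p argument. The NTSTATUS name table is deliberately limited to the two codes that appear here.

```python
"""Exit-code and WerFault triage for the process table above (added example, not ANY.RUN code)."""
import re
from collections import Counter

SAMPLE = "06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe"
WERFAULT = r"C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7340 -s "

# (pid, parent image, command line, exit code; None = not reported), copied from the table.
PROCESSES = [
    (6712, "svchost.exe", r"C:\WINDOWS\System32\slui.exe -Embedding", None),
    (7340, "explorer.exe", '"C:\\Users\\admin\\AppData\\Local\\Temp\\' + SAMPLE + '"', 3221225477),
    (7472, SAMPLE, WERFAULT + "680", 0),
    (7524, SAMPLE, WERFAULT + "828", 0),
    (7576, SAMPLE, WERFAULT + "836", 0),
    (7632, SAMPLE, WERFAULT + "968", 0),
    (7680, SAMPLE, WERFAULT + "992", 0),
    (7736, SAMPLE, WERFAULT + "1008", 0),
    (7784, SAMPLE, WERFAULT + "984", 0),
    (7808, SAMPLE, r'"C:\Windows\System32\wusa.exe"', 3221226540),
]

# Sandboxes print exit codes in decimal; values >= 0xC0000000 are NTSTATUS error codes.
# Only the two codes present in this report are named here.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}
_WER_TARGET = re.compile(r"WerFault\.exe\b.*?-p\s+(\d+)", re.IGNORECASE)


def decode_exit_code(code):
    """Render a decimal exit code as hex plus its NTSTATUS name when it is an NT error."""
    if code is None:
        return "not reported"
    if code >= 0xC0000000:
        return f"0x{code:08X} {NTSTATUS_NAMES.get(code, 'NTSTATUS error (name unknown)')}"
    return f"{code} (normal exit)" if code == 0 else str(code)


def image_name(cmdline):
    """Basename of the executable in a command line (handles quoted paths and trailing args)."""
    return cmdline.strip('"').split("\\")[-1].split('"')[0].split(" ")[0]


def crash_report_counts(procs):
    """Count WerFault instances per crashed PID, read from the `-p <pid>` argument."""
    counts = Counter()
    for _pid, _parent, cmd, _code in procs:
        match = _WER_TARGET.search(cmd)
        if match:
            counts[int(match.group(1))] += 1
    return dict(counts)


def triage(procs):
    """Return (pid, image, decoded exit, WerFault count) for every process that ended in an NT error."""
    wer = crash_report_counts(procs)
    return [
        (pid, image_name(cmd), decode_exit_code(code), wer.get(pid, 0))
        for pid, _parent, cmd, code in procs
        if code is not None and code >= 0xC0000000
    ]


if __name__ == "__main__":
    for pid, image, status, reports in triage(PROCESSES):
        print(f"PID {pid} {image}: {status}; WerFault reports spawned for it: {reports}")
```

Two findings come out: the submitted sample died with an access violation and fanned out seven WerFault reports, and wusa.exe failed with STATUS_ELEVATION_REQUIRED because it was launched from a medium-integrity process. Seven reports for one crash is itself a useful host-side artefact: WER event log entries and dump files keyed on the sample's name will survive even after the dropper is deleted.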
Total events: 3 057 (read: 3 057; write: 0; delete: 0)

Modification events: No data

Files by type: executable 2; suspicious 0; text 0; unknown 0

Dropped files

PID 7340, 06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe wrote C:\Users\admin\dfyjqymc.exe (executable)
  MD5: 919322354B758A1F61F59EE44E79608F
  SHA256: 16972A958ABAA6BE3910A6FCACD4B7BCF3CF46E6A9EDA1FE2B43D8B1E1649BE0
PID 7340, 06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c.exe wrote C:\Users\admin\AppData\Local\Temp\wskkhwvj.exe (executable)
  MD5: CA09135E8F4192BCA709C67446B58D21
  SHA256: 2B9C7A825640865434291B9899CB08ED4AAE4C600D19776D1080E7720833A801

Both dropped files differ by hash from the submitted sample and from each other, so a host sweep needs all three digest sets, not just the submitted one. dfyjqymc.exe is the file that later runs as PID 7948 in the indicators above.
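To turn the digests above into a host check, here is an added Python example (written for this page, not code from ANY.RUN or from the sample) that hashes every file under a directory once with MD5, SHA-1 and SHA-256 and reports matches against the submitted sample and the two dropped executables. The digest set is copied from this report; the scratch tree that demo() builds is constructed for the demonstration and holds placeholder bytes, not the real files.

```python
"""Hash sweep for the file IOCs in this report (added example; not part of the ANY.RUN report)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Digests copied from the report: the submitted sample plus its two dropped executables.
IOC_HASHES = {
    "md5": {
        "0b8b8f020b56e9cf8151cb1d4ae5d875",  # submitted sample
        "919322354b758a1f61f59ee44e79608f",  # C:\Users\admin\dfyjqymc.exe
        "ca09135e8f4192bca709c67446b58d21",  # %LOCALAPPDATA%\Temp\wskkhwvj.exe
    },
    "sha1": {"622c0a80a497ad4c0781705651ab18552165ad07"},  # submitted sample
    "sha256": {
        "06ac5fc64c6e10e23e4bad4df969ed6a71dfac3ffec07f8c5f5ac265771f771c",
        "16972a958abaa6be3910a6fcacd4b7bcf3cf46e6a9eda1fe2b43d8b1e1649be0",
        "2b9c7a825640865434291b9899cb08ed4aae4c600d19776d1080e7720833a801",
    },
}
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Return {algorithm: lowercase hexdigest} for an in-memory buffer."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGORITHMS}


def hash_file(path, chunk_size=1 << 20):
    """Hash a file with all three algorithms in a single streamed read (no full load into memory)."""
    hashers = {a: hashlib.new(a) for a in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_tree(root, iocs=IOC_HASHES):
    """Walk `root` and return (path, algorithm, digest) for every file whose digest is in `iocs`.

    Files that cannot be opened (locked by a running process, permission denied) are skipped so
    one unreadable file does not abort the sweep. Digests are compared in lower case because the
    report prints them in upper case."""
    wanted = {a: {d.lower() for d in v} for a, v in iocs.items()}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for algo, digest in digests.items():
                if digest in wanted.get(algo, set()):
                    hits.append((str(path), algo, digest))
    return hits


def demo():
    """Run the sweep over a constructed scratch tree: first a miss, then a manufactured hit.

    The hit is produced by adding the SHA-256 of a constructed placeholder file to a copy of the
    IOC set; the placeholder is not the real dropper, it only reuses its name and location."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "notes.txt").write_bytes(b"constructed benign content\n")
        placeholder = Path(tmp) / "Users" / "admin" / "dfyjqymc.exe"
        placeholder.parent.mkdir(parents=True)
        placeholder.write_bytes(b"MZ constructed placeholder, not the real dropper\n")
        misses = scan_tree(tmp)
        extended = {a: set(v) for a, v in IOC_HASHES.items()}
        extended["sha256"].add(hash_file(placeholder)["sha256"])
        hits = scan_tree(tmp, extended)
    return {"misses": len(misses), "hits": [(Path(p).name, a) for p, a, _ in hits]}


if __name__ == "__main__":
    for path, algo, digest in scan_tree(os.environ.get("SWEEP_ROOT", ".")):
        print(f"IOC match: {path} {algo}={digest}")
    print(demo())
```

Run it with SWEEP_ROOT pointing at a mounted image or a user profile; a match on any one algorithm is reported, so the MD5-only and SHA-256-only entries still fire. Hash matching only catches byte-identical copies, which for a dropper that writes its payload under an apparently random name (dfyjqymc.exe, wskkhwvj.exe) is a weak signal on its own; pair it with the paths and the behavioural indicators above.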
HTTP(S) requests: 7
TCP/UDP connections: 27
DNS requests: 20
Threats: 0

HTTP requests (Type and Size columns were empty in this excerpt and are omitted; PID and Process are left blank where the excerpt did not carry them)

PID  | Process             | Method | Code | IP               | URL | CN | Reputation
     |                     | GET    | 200  | 23.53.40.178:80  | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET    | 200  | 23.53.40.178:80  | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET    | 200  | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
     |                     | GET    | 200  | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe         | GET    | 200  | 2.17.190.73:80   | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6436 | SIHClient.exe       | GET    | 200  | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6436 | SIHClient.exe       | GET    | 200  | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

Every attributed request here is a CRL or OCSP fetch by a Windows component (MoUsoCoreWorker.exe, SIHClient.exe, svchost.exe PID 6544) and is background noise of the guest, not sample traffic. None of the seven is attributed to PID 7340, PID 7948 or the Tofsee-flagged svchost.exe (PID 8016).

Connections (10 of the 27 recorded; PID and Process are left blank where the excerpt did not carry them)

PID  | Process             | IP                  | Domain                 | ASN                         | CN | Reputation
2104 | svchost.exe         | 4.231.128.59:443    |                        | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4    | System              | 192.168.100.255:137 |                        |                             |    | whitelisted
     |                     | 4.231.128.59:443    |                        | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.53.40.178:80     | crl.microsoft.com      | Akamai International B.V.   | DE | whitelisted
     |                     | 23.53.40.178:80     | crl.microsoft.com      | Akamai International B.V.   | DE | whitelisted
4    | System              | 192.168.100.255:138 |                        |                             |    | whitelisted
5496 | MoUsoCoreWorker.exe | 184.30.21.171:80    | www.microsoft.com      | AKAMAI-AS                   | DE | whitelisted
     |                     | 184.30.21.171:80    | www.microsoft.com      | AKAMAI-AS                   | DE | whitelisted
3216 | svchost.exe         | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
8016 | svchost.exe         | 13.107.246.44:80    | microsoft.com          | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

Only the last row belongs to the YARA-flagged svchost.exe (PID 8016); the port-25 connection behind the "Connects to SMTP port" signature is not among the rows shown here and has to be taken from the PCAP in the full report. The 192.168.100.255:137/138 entries are NetBIOS broadcasts from the System process and are normal for a Windows guest.

DNS requests (the excerpt does not attribute individual queries to a process)

crl.microsoft.com: 23.53.40.178, 23.53.40.176 (whitelisted)
www.microsoft.com: 184.30.21.171 (whitelisted)
google.com: 216.58.206.78 (whitelisted)
client.wns.windows.com: 172.211.123.248 (whitelisted)
microsoft.com: 13.107.246.44 (whitelisted)
microsoft-com.mail.protection.outlook.com: 52.101.41.28, 52.101.41.0, 52.101.10.1, 52.101.10.5 (whitelisted)
login.live.com: 20.190.160.20, 20.190.160.130, 40.126.32.138, 20.190.160.64, 20.190.160.2, 20.190.160.67, 20.190.160.5, 20.190.160.3 (whitelisted)
ocsp.digicert.com: 2.17.190.73 (whitelisted)
settings-win.data.microsoft.com: 51.104.136.2 (whitelisted)
yahoo.com: no address recorded (whitelisted)

microsoft-com.mail.protection.outlook.com is the mail-exchanger host that the MX record for microsoft.com points to. Resolving it alongside google.com and yahoo.com, together with the "Connects to SMTP port" signature on PID 8016, is consistent with the spam-sending role Tofsee is known for: the bot looks up well-known domains' mail servers and then talks SMTP to them. All of these domains are whitelisted by reputation, so domain reputation alone would not flag this activity; the process-to-port-25 relationship is the detection signal.

Threats

No threats detected