File name: | 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe |
Full analysis: | https://app.any.run/tasks/e872963a-08e1-4ad5-80cd-7ebc0f92d891 |
Verdict: | Malicious activity |
Analysis date: | May 04, 2024, 18:26:04 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 813B31F7EE7BBDD8E42890394EA6F16F |
SHA1: | 31F3B24AB55399F61CA2A39055714883BA01807C |
SHA256: | 07A437E8B997D03BC1380C93A69D19DC236DC672F737540F98C618F7B0D5908F |
SSDEEP: | 196608:F0kL+/fHfiYjRLwPK3sZI7rOvkIec6+MxU:FVmq0RwPK3ou6PehjxU |
.exe | | | Win32 Executable (generic) (52.9) |
---|---|---|
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0xfce7 |
UninitializedDataSize: | - |
InitializedDataSize: | 64512 |
CodeSize: | 135168 |
LinkerVersion: | 14 |
PEType: | PE32 |
ImageFileCharacteristics: | Executable, 32-bit |
TimeStamp: | 2016:08:14 19:15:54+00:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
6484 | "C:\Users\admin\AppData\Local\Temp\07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe" | C:\Users\admin\AppData\Local\Temp\07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
6532 | "C:\tcls\Cyber.exe" | C:\tcls\Cyber.exe | — | 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
6592 | "C:\tcls\Cyber.exe" | C:\tcls\Cyber.exe | 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
6640 | icacls "C:\WINDOWS\" /grant Administrator:(OI)(CI)F | C:\Windows\SysWOW64\icacls.exe | — | Cyber.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Exit code: 123 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6652 | icacls "C:\WINDOWS\" /grant Administrators:(OI)(CI)F | C:\Windows\SysWOW64\icacls.exe | — | Cyber.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Exit code: 123 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6660 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | icacls.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6668 | icacls "C:\Users\admin\AppData\Local\Temp\" /grant Administrator:(OI)(CI)F | C:\Windows\SysWOW64\icacls.exe | — | Cyber.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Exit code: 123 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6684 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | icacls.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6692 | icacls "C:\Users\admin\AppData\Local\Temp\" /grant Administrators:(OI)(CI)F | C:\Windows\SysWOW64\icacls.exe | — | Cyber.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Exit code: 123 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6712 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | icacls.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
|
(PID) Process: | (6484) 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (6484) 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (6484) 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (6484) 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (6792) paakacqik.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (6792) paakacqik.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (6792) paakacqik.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (6792) paakacqik.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (7092) slui.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E |
Operation: | write | Name: | @%SystemRoot%\System32\sppcomapi.dll,-3200 |
Value: Software Licensing |
PID | Process | Filename | Type | |
---|---|---|---|---|
7072 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-04.1827.7072.1.odl | binary | |
MD5:BFD2667FAFDE9EF7F10DCEDC95F35588 | SHA256:F1B2A8B99E5F3466D589638FE8E7C051074ECA9EAE7032246B26EB209548E326 | |||
6484 | 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe | C:\tcls\Client.dll | executable | |
MD5:76EB13182111ADDD7F0AF02BC8C17420 | SHA256:A3841858E540AA052CE043D231CC32B23D5E3C977E4E95AEAC5611F1BC31F35C | |||
6484 | 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe | C:\tcls\Cyber.exe | executable | |
MD5:E30F528038EFC32CBA51643BF67B7AF2 | SHA256:E6544E5013F949FBB7F478B2857811E62AC3E1C58961177A68F6A5C043FA80A5 | |||
6592 | Cyber.exe | C:\WINDOWS\paakacqik.exe | executable | |
MD5:AE62909C8433ECDBE8289E3E1B5EC35E | SHA256:6CF2B9A34AB1F04433DF6E6B0284777EAB479C3C0D855C2462DF17CB88FFA167 | |||
7072 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-04.1827.7072.1.aodl | binary | |
MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3 | SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3592 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | — | — | unknown |
528 | svchost.exe | GET | 200 | 2.19.45.226:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
6412 | SIHClient.exe | GET | 200 | 2.19.45.226:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | unknown |
6412 | SIHClient.exe | GET | 200 | 2.19.45.226:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | unknown |
5196 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | unknown |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4540 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4364 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
528 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
528 | svchost.exe | 2.19.45.226:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5196 | svchost.exe | 20.190.160.14:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
5196 | svchost.exe | 192.229.221.95:80 | — | EDGECAST | US | whitelisted |
1032 | svchost.exe | 2.19.45.160:443 | go.microsoft.com | AKAMAI-AS | DE | unknown |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
arc.msn.com |
| whitelisted |
fd.api.iris.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |