| Field | Value |
|---|---|
| File name: | 099c3c6b090ed71a65bb453376e40e628e1e9a7b6d6eb4eb70d057b4f7bff4cb |
| Full analysis: | https://app.any.run/tasks/3782dedf-cbb5-4b34-b5c1-d8afe79a66e3 |
| Verdict: | Malicious activity |
| Analysis date: | March 24, 2025, 20:11:48 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections |
| MD5: | AFBDD30EAB204D94AA3DD6DCE03C220D |
| SHA1: | 6873D4E0A31C6E126CD4CA8A7D47B2743E303850 |
| SHA256: | 099C3C6B090ED71A65BB453376E40E628E1E9A7B6D6EB4EB70D057B4F7BFF4CB |
| SSDEEP: | 6144:zqFLvoNTvox4BT/f5AuRZMOfOQr1KSckoLrPvd+EgcPxG1tkBsi:zqANLox6yQPcwU |
| Extension | Type (match %) |
|---|---|
| .exe | Win32 Executable (generic) (52.9) |
| .exe | Generic Win/DOS Executable (23.5) |
| .exe | DOS Executable Generic (23.5) |
| Field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2009:11:07 21:04:28+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No symbols, Aggressive working-set trim, Large address aware, [6], 32-bit, Net run from swap, Uniprocessor only |
| PEType: | PE32 |
| LinkerVersion: | 10 |
| CodeSize: | 135168 |
| InitializedDataSize: | 93696 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x4040 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 4.0.2.28 |
| ProductVersionNumber: | 4.0.2.28 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Boris Eyrich Software |
| FileDescription: | Print Provider Wizard |
| FileVersion: | 4.0.2.28 |
| InternalName: | Print Provider Wizard |
| LegalCopyright: | © 2002-2014 Boris Eyrich Software |
| OriginalFileName: | PrintWiz.exe |
| ProductName: | Print Provider Wizard |
| ProductVersion: | 4.0.2.28 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 5492 | C:\WINDOWS\Explorer.EXE | C:\Windows\explorer.exe | — | — | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows Explorer; Version: 10.0.19041.3758 (WinBuild.160101.0800) |
| 7516 | "C:\Users\admin\Desktop\099c3c6b090ed71a65bb453376e40e628e1e9a7b6d6eb4eb70d057b4f7bff4cb.exe" | C:\Users\admin\Desktop\099c3c6b090ed71a65bb453376e40e628e1e9a7b6d6eb4eb70d057b4f7bff4cb.exe | — | explorer.exe | User: admin; Company: Boris Eyrich Software; Integrity level: MEDIUM; Description: Print Provider Wizard; Exit code: 3221225477 (0xC0000005, access violation); Version: 4.0.2.28 |
| 7812 | winver | C:\Windows\SysWOW64\winver.exe | — | 099c3c6b090ed71a65bb453376e40e628e1e9a7b6d6eb4eb70d057b4f7bff4cb.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Version Reporter Applet; Exit code: 3221225477 (0xC0000005, access violation); Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 7900 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7812 -s 336 | C:\Windows\SysWOW64\WerFault.exe | — | winver.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows Problem Reporting; Exit code: 0; Version: 10.0.19041.3996 (WinBuild.160101.0800) |
| 8048 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7516 -s 972 | C:\Windows\SysWOW64\WerFault.exe | — | 099c3c6b090ed71a65bb453376e40e628e1e9a7b6d6eb4eb70d057b4f7bff4cb.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows Problem Reporting; Exit code: 0; Version: 10.0.19041.3996 (WinBuild.160101.0800) |
| 8112 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows Activation Client; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 7900 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_winver.exe_aff513f11b555c92ececddc0740d1eb75f39d_51f598c9_652ac99e-385b-4980-bcb8-8f72f5fe3e62\Report.wer | — | — | — |
| 8048 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_099c3c6b090ed71a_6d48a89d68c76eb7a7fa23c1c1e25a532958139d_174d3a9e_d651208d-e37d-4c0a-adf8-a27a1566db45\Report.wer | — | — | — |
| 7900 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C7A.tmp.WERInternalMetadata.xml | binary | 13A4AEB3DA9CB59D02773EAC0654DE4D | D7CF277F0CBFC1C31D02786DEBBE23DBF09B74C663AABE58DE58F05F610F1BA8 |
| 8048 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER8AE8.tmp.WERInternalMetadata.xml | binary | 3859A03BD561C06A1FAB6352D54002FA | CFF2D0FFFF5518256A9A80FC68B7A5F8F92ED3E19C23955C9A3B1A5CE6B04863 |
| 8048 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\099c3c6b090ed71a65bb453376e40e628e1e9a7b6d6eb4eb70d057b4f7bff4cb.exe.7516.dmp | binary | A2E30E74D485FD4F7E9D99156CE34ADC | C517DE2A9B5301FE02C90EF72601BF771F2810B71E6EC9FAEF85DAAC86D5E57B |
| 7900 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER3BED.tmp.dmp | binary | 828B3A4916E531FEEA8F988331A6CD69 | 8B0C668D954D07C75B58EE89C62A29980B3BD773D2A7ED2CEF37E78D5B678817 |
| 7900 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER3CAA.tmp.xml | xml | C510C0C1AECB003584D6538C79DB9919 | 81AEB830DBBA605B0F6897E8ABCA9152F6DAA2FBD8F0985FC851A091E594FAC0 |
| 7900 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\winver.exe.7812.dmp | binary | 42FD1928C909E10EAE82014946D6647D | EF10CE700FA957829D3DE95AE578A6FE4848D51BB002335F17B04E89B1E1C423 |
| 8048 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B09.tmp.xml | xml | CCCA90FF526F314CF4724818F6842BFC | 27C04C086AAAEF0C3367FFDA3913A71BF45EE637ACFC6615750CFB923A727FC3 |
| 8048 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER8A5B.tmp.dmp | binary | 869C83DCB1BE78758379C30DA31A36A6 | 06D6F5DE113212DEB34FD63AA45BEA2EC5FF4ADD777EE71C29A17131EAFF2469 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 6436 | RUXIMICS.exe | GET | 200 | 23.48.23.158:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| — | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
| — | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 6436 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| — | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 6436 | RUXIMICS.exe | 23.48.23.158:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 7344 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 8112 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | — | whitelisted |
| google.com | — | whitelisted |
| crl.microsoft.com | — | whitelisted |
| activation-v2.sls.microsoft.com | — | whitelisted |