File name:

0ab270a6d6e720f1409cdf46d2f01e5cb1f677f2a7ba11853ca2a468e42d7675

Full analysis: https://app.any.run/tasks/8907cf76-0392-4338-ac13-97351aee53bc
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: November 16, 2024, 23:07:30
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
emotet
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

87D829465B26DED44949A10B6048B491

SHA1:

32C7071F985448EE2A7382484C06421A97A0A994

SHA256:

0AB270A6D6E720F1409CDF46D2F01E5CB1F677F2A7BA11853CA2A468E42D7675

SSDEEP:

12288:yxV3qYLUCOhc4P5O7F/VOWC2bhZ0/MAl2NC:yxV3A8RVOP2bnEHl2NC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • EMOTET has been detected (YARA)

      • Windows.Security.Integrity.exe (PID: 6128)

    • Connects to the CnC server

      • Windows.Security.Integrity.exe (PID: 6128)

    • EMOTET has been detected (SURICATA)

      • Windows.Security.Integrity.exe (PID: 6128)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 0ab270a6d6e720f1409cdf46d2f01e5cb1f677f2a7ba11853ca2a468e42d7675.exe (PID: 5748)
      • Windows.Security.Integrity.exe (PID: 6128)

    • Executable content was dropped or overwritten

      • 0ab270a6d6e720f1409cdf46d2f01e5cb1f677f2a7ba11853ca2a468e42d7675.exe (PID: 5748)

    • Starts itself from another location

      • 0ab270a6d6e720f1409cdf46d2f01e5cb1f677f2a7ba11853ca2a468e42d7675.exe (PID: 5748)

    • Connects to the server without a host name

      • Windows.Security.Integrity.exe (PID: 6128)

  • INFO

    • Checks supported languages

      • 0ab270a6d6e720f1409cdf46d2f01e5cb1f677f2a7ba11853ca2a468e42d7675.exe (PID: 5748)
      • Windows.Security.Integrity.exe (PID: 6128)

    • Reads the computer name

      • 0ab270a6d6e720f1409cdf46d2f01e5cb1f677f2a7ba11853ca2a468e42d7675.exe (PID: 5748)
      • Windows.Security.Integrity.exe (PID: 6128)

    • The process uses the downloaded file

      • 0ab270a6d6e720f1409cdf46d2f01e5cb1f677f2a7ba11853ca2a468e42d7675.exe (PID: 5748)

    • Reads the machine GUID from the registry

      • Windows.Security.Integrity.exe (PID: 6128)

    • Checks proxy server information

      • Windows.Security.Integrity.exe (PID: 6128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:10:16 20:25:24+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 156160
InitializedDataSize: 231936
UninitializedDataSize: -
EntryPoint: 0x10b66
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 0ab270a6d6e720f1409cdf46d2f01e5cb1f677f2a7ba11853ca2a468e42d7675.exe #EMOTET windows.security.integrity.exe

Process information

PID
CMD
Path
Indicators
Parent process
5748"C:\Users\admin\Desktop\0ab270a6d6e720f1409cdf46d2f01e5cb1f677f2a7ba11853ca2a468e42d7675.exe" C:\Users\admin\Desktop\0ab270a6d6e720f1409cdf46d2f01e5cb1f677f2a7ba11853ca2a468e42d7675.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\0ab270a6d6e720f1409cdf46d2f01e5cb1f677f2a7ba11853ca2a468e42d7675.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6128"C:\Users\admin\AppData\Local\credprovhost\Windows.Security.Integrity.exe"C:\Users\admin\AppData\Local\credprovhost\Windows.Security.Integrity.exe
0ab270a6d6e720f1409cdf46d2f01e5cb1f677f2a7ba11853ca2a468e42d7675.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\credprovhost\windows.security.integrity.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
581
Read events
578
Write events
3
Delete events
0

Modification events

(PID) Process:(6128) Windows.Security.Integrity.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6128) Windows.Security.Integrity.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6128) Windows.Security.Integrity.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
57480ab270a6d6e720f1409cdf46d2f01e5cb1f677f2a7ba11853ca2a468e42d7675.exeC:\Users\admin\AppData\Local\credprovhost\Windows.Security.Integrity.exeexecutable
MD5:87D829465B26DED44949A10B6048B491
SHA256:0AB270A6D6E720F1409CDF46D2F01E5CB1F677F2A7BA11853CA2A468E42D7675
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
28
DNS requests
7
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1248
RUXIMICS.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1248
RUXIMICS.exe
GET
200
72.246.169.155:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6944
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
72.246.169.155:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
72.246.169.155:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6128
Windows.Security.Integrity.exe
POST
2.45.176.233:80
http://2.45.176.233/uVqYu/nZ5jYLhDQsFeTon9fx/
unknown
malicious
6128
Windows.Security.Integrity.exe
POST
502
98.103.204.12:443
http://98.103.204.12:443/BoQo3zPz2MD/BECm1qJi1zbkYH622/
unknown
unknown
6128
Windows.Security.Integrity.exe
POST
172.86.186.21:8080
http://172.86.186.21:8080/FjoON9M/Y7CcZ/
unknown
unknown
6128
Windows.Security.Integrity.exe
POST
192.175.111.214:8080
http://192.175.111.214:8080/tMelDI1P0INCeCWaLif/8gpQJKoH7T/vtGLWM4Av/VQy4U/iPxmzcXrZv4rO3T7bqi/BpTMic1IPW1NXICqfrT/
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1248
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5488
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6944
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.20.142.187:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5488
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6944
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1248
RUXIMICS.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
72.246.169.155:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.20.142.187
  • 2.20.142.154
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 72.246.169.155
whitelisted
self.events.data.microsoft.com
  • 20.189.173.14
whitelisted

Threats

PID
Process
Class
Message
6128
Windows.Security.Integrity.exe
A Network Trojan was detected
ET MALWARE Win32/Emotet CnC Activity (POST) M11
6128
Windows.Security.Integrity.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
A Network Trojan was detected
ET MALWARE Win32/Emotet CnC Activity (POST) M11
6128
Windows.Security.Integrity.exe
A Network Trojan was detected
ET MALWARE Win32/Emotet CnC Activity (POST) M11
6128
Windows.Security.Integrity.exe
A Network Trojan was detected
ET MALWARE Win32/Emotet CnC Activity (POST) M11
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
0ab270a6d6e720f1409cdf46d2f01e5cb1f677f2a7ba11853ca2a468e42d7675