File name: | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe |
Full analysis: | https://app.any.run/tasks/bdb8066a-1ed8-4c2b-9ab0-7680b75b5b9a |
Verdict: | Malicious activity |
Analysis date: | January 10, 2025, 23:06:23 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections |
MD5: | 4AE4B14E3B65B197D3ACFC66BBCE5053 |
SHA1: | 13BBE87DC07D88524B4214D0F8B2536FBBAC23C1 |
SHA256: | 0E64579F96EA13352BE8BC49A97B561E78C372AA1C1F04EE2EF962A9211EF21F |
SSDEEP: | 12288:DvVVVVVVVVTfuj5q4uFTDhSfWJUNo5kUe7evVVVVVVVVTfuj5q4uFTDhSfWJUNoh:Hfuj5DuFRSfWJUq5kUe+fuj5DuFRSfWj |
.exe | | | UPX compressed Win32 Executable (64.2) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.6) |
.exe | | | Win32 Executable (generic) (10.6) |
.exe | | | Generic Win/DOS Executable (4.7) |
.exe | | | DOS Executable Generic (4.7) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2011:03:15 04:06:07+00:00 |
ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
PEType: | PE32 |
LinkerVersion: | 6 |
CodeSize: | 8192 |
InitializedDataSize: | 4096 |
UninitializedDataSize: | 24576 |
EntryPoint: | 0x7f80 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3772 | "C:\Users\admin\Desktop\0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe" | C:\Users\admin\Desktop\0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | — | ||
MD5:— | SHA256:— | |||
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | |
MD5:D07E8594DE6612631FDBC384B3CF181A | SHA256:E489A8FC70D1794AAE27E068213260F6B47DF60DD1C6F341184C7AE5B5B4CC34 | |||
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | |
MD5:8EAA02770D7832BBCF3FA8CDAE16E0F0 | SHA256:84F769E244F7511D0420A9A680F5D826BE0F18141D6BDCCE33F90683EB4ADD62 | |||
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable | |
MD5:C473F9E0A5E5CE45C743848FA2B10164 | SHA256:B92F4106AF58D375AEE6CE0C811E8B547589886B8074596C7147EE2D2882FD5C | |||
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable | |
MD5:817D9BC2B81EDA73A6FE253C4CE36E3F | SHA256:B132F4164B4E65DB4998ADF63CBD5BA6BD14E3C8C7A02B8685D0E525F3CC5420 | |||
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable | |
MD5:AA7A4705631E6D37565B32FCE948CD59 | SHA256:ED4ECD1B3DAAE39BF17C97ED87111FF54A26F0BB00C9C0C71361B6C6544D0009 | |||
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | |
MD5:8625A07CF6DBA0C6BEBDED9DBE719245 | SHA256:C49873440E685AAE3246E22C7993879BBF41327DD99676E6EB328E5B357D4D07 | |||
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable | |
MD5:701293E80CED8527C022C70324A543D7 | SHA256:074D700AA4FBAF18F3D023208A55E9EA33CA339E29B663932600FD050BEBB420 | |||
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | |
MD5:505502F04FE20FE618CFC979913539A7 | SHA256:3342A499C57EE582A4FFB4372C9D3BF36EA93368D249CD42B3036874A16A374F | |||
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp | executable | |
MD5:AFE5D3FCF4E66DD9C88369DF3591FE95 | SHA256:4C59E1FCEA7C4A990F6B8296E416227B4806FA1AD01F3552469BD897981369DC |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5892 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5892 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
5892 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 104.126.37.139:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5892 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5892 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |