File name: SafeFilter.exe
Full analysis: https://app.any.run/tasks/258dfe28-aa2d-4b48-9ec5-04e93b5c7f12
Verdict: Malicious activity
Analysis date: April 29, 2025, 16:10:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 11 sections
MD5: 8833BEC76CB7B47121766EF86E5A9B0D
SHA1: 38B8BBA91AE079D9A438C72698FFACE8F604F8E3
SHA256: 0E7624EED070DDAE3ED19F3012EA28CD42672AFF8633BF22B0805F98B2A64E79
SSDEEP: 98304:oqGpEbaYGk8HPSj93EGeG/Fl4aBYjPu3rOkjXJ3:XHt

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be distorted by analyst actions and is provided as-is for the reader's information. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS
    • Executing a file with an untrusted certificate
      • SafeFilter.exe (PID: 7452)
    • Runs injected code in another process
      • Autoit3.exe (PID: 7488)
    • Changes the autorun value in the registry
      • MicrosoftEdgeUpdateCore.exe (PID: 7740)
    • Application was injected by another process
      • MicrosoftEdgeUpdateCore.exe (PID: 7740)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • SafeFilter.exe (PID: 7452)
      • Autoit3.exe (PID: 7488)
    • Starts the AutoIt3 executable file
      • SafeFilter.exe (PID: 7452)
    • The process verifies whether antivirus software is installed
      • Autoit3.exe (PID: 7488)
      • MicrosoftEdgeUpdateCore.exe (PID: 7740)
    • Starts CMD.EXE for command execution
      • Autoit3.exe (PID: 7488)
    • Uses WMIC.EXE to obtain computer system information
      • cmd.exe (PID: 7620)
    • Application launched itself
      • MicrosoftEdgeUpdateCore.exe (PID: 7740)
    • Accesses domain name via WMI (SCRIPT)
      • WMIC.exe (PID: 7700)
  • INFO
    • The sample was compiled with English language support
      • SafeFilter.exe (PID: 7452)
      • Autoit3.exe (PID: 7488)
    • Reads mouse settings
      • Autoit3.exe (PID: 7488)
    • Checks supported languages
      • SafeFilter.exe (PID: 7452)
      • Autoit3.exe (PID: 7488)
      • MicrosoftEdgeUpdateCore.exe (PID: 7740)
    • Reads Windows Product ID
      • Autoit3.exe (PID: 7488)
      • MicrosoftEdgeUpdateCore.exe (PID: 7740)
    • Creates files or folders in the user directory
      • Autoit3.exe (PID: 7488)
    • Reads CPU info
      • Autoit3.exe (PID: 7488)
      • MicrosoftEdgeUpdateCore.exe (PID: 7740)
    • Creates files in the program directory
      • Autoit3.exe (PID: 7488)
      • cmd.exe (PID: 7620)
      • MicrosoftEdgeUpdateCore.exe (PID: 7740)
    • Reads the computer name
      • Autoit3.exe (PID: 7488)
      • MicrosoftEdgeUpdateCore.exe (PID: 7740)
    • Reads security settings of Internet Explorer
      • WMIC.exe (PID: 7700)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (16.3)
.exe | Win64 Executable (generic) (14.5)
.dll | Win32 Dynamic Link Library (generic) (3.4)
.exe | Win32 Executable (generic) (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.35
CodeSize: 2089472
InitializedDataSize: 3079680
UninitializedDataSize: 22016
EntryPoint: 0x107510
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.5.8.38743
ProductVersionNumber: 2.5.8.38743
FileFlagsMask: 0x003f
FileFlags: Special build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: This plugin is available under the terms of the GNU Lesser General Public License.
CompanyName: g10 Code GmbH
FileDescription: GpgOL - GnuPG plugin for Outlook
FileVersion: 2.5.8
InternalName: gpgol
LegalCopyright: Copyright © 2016 g10 Code GmbH
LegalTrademarks: -
OriginalFileName: gpgol.dll
PrivateBuild: -
ProductName: GpgOL
ProductVersion: 2.5.8
SpecialBuild: 2023-07-14T13:13+02:00
No data.
All screenshots are available in the full report
Total processes: 139
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Nodes as shown in the graph, with edges taken from the parent-process column of the process table below ("no specs" marks a process with no indicators attached):

start
  safefilter.exe
    autoit3.exe
      cmd.exe (no specs)
        conhost.exe (no specs)
        wmic.exe (no specs)
  sppextcomobj.exe (no specs)
    slui.exe (no specs)
  microsoftedgeupdatecore.exe

Process information

PID: 7452
CMD: "C:\Users\admin\AppData\Local\Temp\SafeFilter.exe"
Path: C:\Users\admin\AppData\Local\Temp\SafeFilter.exe
Parent process: explorer.exe
User: admin
Company: g10 Code GmbH
Integrity Level: MEDIUM
Description: GpgOL - GnuPG plugin for Outlook
Exit code: 0
Version: 2.5.8
Modules (images):
  c:\users\admin\appdata\local\temp\safefilter.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID: 7488
CMD: "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
Path: C:\temp\test\Autoit3.exe
Parent process: SafeFilter.exe
User: admin
Company: AutoIt Team
Integrity Level: MEDIUM
Description: AutoIt v3 Script
Exit code: 0
Version: 3, 3, 14, 5
Modules (images):
  c:\temp\test\autoit3.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\psapi.dll

PID: 7512
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\sppextcomobj.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\oleaut32.dll

PID: 7552
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll

PID: 7620
CMD: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\feaaefc\eefahhb
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Autoit3.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\cmd.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID: 7628
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll

PID: 7700
CMD: wmic ComputerSystem get domain
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\wbem\wmic.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID: 7740
CMD: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.17\MicrosoftEdgeUpdateCore.exe"
Path: C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.17\MicrosoftEdgeUpdateCore.exe
Parent process: ApplicationFrameHost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Version: 1.3.185.17
Modules (images):
  c:\program files (x86)\microsoft\edgeupdate\1.3.185.17\microsoftedgeupdatecore.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\ole32.dll
Total events: 794
Read events: 759
Write events: 35
Delete events: 0

Modification events

(PID) Process: (7740) MicrosoftEdgeUpdateCore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: hacbebb
Value: "C:\ProgramData\feaaefc\Autoit3.exe" C:\ProgramData\feaaefc\ddachdh.a3x
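The Run-key write above, the process chain SafeFilter.exe -> Autoit3.exe -> cmd.exe -> WMIC.exe, and the fact that the persistence value is written by an injected MicrosoftEdgeUpdateCore.exe are the three things a detection engineer would want to catch from this report. The following is an added example, not ANY.RUN tooling and not code from the sample, that runs that logic over constructed Sysmon-style events. The event field names, the staging-directory list and the benign control event are assumptions made for the demo; the paths, PIDs and registry value are taken from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (EventID 1 = process creation, EventID 13 =
# registry value set) mirroring the process tree and the Run-key write in this
# report. The record shape is invented for the demo.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 7452,
     "image": r"C:\Users\admin\AppData\Local\Temp\SafeFilter.exe",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\SafeFilter.exe"',
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 7488,
     "image": r"C:\temp\test\Autoit3.exe",
     "cmd": r'"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x',
     "parent": r"C:\Users\admin\AppData\Local\Temp\SafeFilter.exe"},
    {"id": 1, "pid": 7620,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\feaaefc\eefahhb',
     "parent": r"C:\temp\test\Autoit3.exe"},
    {"id": 13, "pid": 7740,
     "image": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.17\MicrosoftEdgeUpdateCore.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hacbebb",
     "value": r'"C:\ProgramData\feaaefc\Autoit3.exe" C:\ProgramData\feaaefc\ddachdh.a3x'},
    # Benign control (constructed): a normally installed AutoIt running a source script.
    {"id": 1, "pid": 9001,
     "image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "cmd": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\Users\admin\Documents\build.au3',
     "parent": r"C:\Windows\explorer.exe"},
]

# Directories where an AutoIt interpreter dropped next to a compiled .a3x script
# is a staging pattern rather than a normal install (assumed list, lower-case).
STAGING_DIRS = (r"c:\temp", r"c:\programdata", r"\appdata\local\temp", r"c:\users\public")
A3X_RE = re.compile(r"\.a3x\b", re.IGNORECASE)
# "wmic ComputerSystem get domain > <file>": domain recon with the answer written to disk.
WMIC_DOMAIN_RE = re.compile(r"wmic\s+computersystem\s+get\s+domain\s*>\s*(\S+)", re.IGNORECASE)
RUN_KEY = "\\currentversion\\run\\"


def in_staging_dir(path: str) -> bool:
    """True if the (possibly quoted) path sits under one of STAGING_DIRS."""
    p = path.strip('"').lower()
    return any(s in p for s in STAGING_DIRS)


def detect(events):
    """Return (rule, pid, detail) tuples for events matching the report's chain."""
    findings = []
    for ev in events:
        image_name = PureWindowsPath(ev["image"]).name.lower()
        if ev["id"] == 1:
            cmd = ev["cmd"]
            # AutoIt3 interpreter executing a compiled script from a staging directory.
            if image_name == "autoit3.exe" and A3X_RE.search(cmd) and in_staging_dir(ev["image"]):
                findings.append(("autoit_staged_script", ev["pid"], ev["image"]))
            m = WMIC_DOMAIN_RE.search(cmd)
            if image_name == "cmd.exe" and m and in_staging_dir(m.group(1)):
                findings.append(("wmic_domain_recon_to_file", ev["pid"], m.group(1)))
        elif ev["id"] == 13:
            key, value = ev["key"].lower(), ev["value"]
            # Run value that launches the AutoIt interpreter with a compiled script.
            if RUN_KEY in key and "autoit3.exe" in value.lower() and A3X_RE.search(value):
                findings.append(("run_key_autoit_persistence", ev["pid"], ev["key"]))
            # The writer being a Microsoft updater binary is the injection tell.
            if RUN_KEY in key and image_name.startswith("microsoftedgeupdate"):
                findings.append(("run_key_written_by_edgeupdate", ev["pid"], ev["key"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

Running the script reports the four findings in event order (staged AutoIt script, WMIC domain recon redirected into C:\ProgramData\feaaefc, the Run-key persistence value, and the Run key being written by MicrosoftEdgeUpdateCore.exe) and stays silent on the benign AutoIt install. The two registry rules are deliberately separate: the first catches the persistence regardless of which process writes it, the second catches an updater binary touching HKCU\...\Run even if the value were changed to something other than AutoIt.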
Executable files: 2
Suspicious files: 3
Text files: 6
Unknown types: 0

Dropped files

PID 7488 (Autoit3.exe): C:\ProgramData\feaaefc\Autoit3.exe (executable)
  MD5: C56B5F0201A3B3DE53E561FE76912BFD
  SHA256: 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
PID 7452 (SafeFilter.exe): C:\temp\test\Autoit3.exe (executable)
  MD5: C56B5F0201A3B3DE53E561FE76912BFD
  SHA256: 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
PID 7488 (Autoit3.exe): C:\ProgramData\feaaefc\ddachdh.a3x (binary)
  MD5: 2EA3D4504040FAF02AB6764B49B78E50
  SHA256: 260B59E12055551BCCAA24523BFB561D8E777651D3FCD15915EE49041E09A0A2
PID 7452 (SafeFilter.exe): C:\temp\test\script.a3x (binary)
  MD5: 2EA3D4504040FAF02AB6764B49B78E50
  SHA256: 260B59E12055551BCCAA24523BFB561D8E777651D3FCD15915EE49041E09A0A2
PID 7740 (MicrosoftEdgeUpdateCore.exe): C:\temp\hekbekk (text)
  MD5: F2481A10180DB21E8ED5EAF48390610D
  SHA256: 86001B716C593ABAE316DA4F9CD93D273B007E2FB9517191CD55D1F75081C3B5
PID 7620 (cmd.exe): C:\ProgramData\feaaefc\eefahhb (text)
  MD5: C8BBAD190EAAA9755C8DFB1573984D81
  SHA256: 7F136265128B7175FB67024A6DDD7524586B025725A878C07D76A9D8AD3DC2AC
PID 7740 (MicrosoftEdgeUpdateCore.exe): C:\temp\efbgbab (text)
  MD5: C095ADF35E6B52C2F125E8F39CA4906E
  SHA256: 84C25D66E2F76F44B1067603F5CF8844306C6063E6880D6367E7A80B5AC951A4
PID 7488 (Autoit3.exe): C:\temp\bcghcdc (text)
  MD5: 20DC81A9B1DD8A949AC05D84E1DB01C8
  SHA256: 1FCCDEDDC5B8763871B453F18C9EA20DC5BCE0F90573382F0E5F5E4FE6D8649D
PID 7488 (Autoit3.exe): C:\Users\admin\AppData\Roaming\AHdAGhh (text)
  MD5: 7B729E33DF6DE3F9B0515290F0B1B4C8
  SHA256: 348CAC8D2CD24A5F22D7941E13C4044706C74BCF20BF474C31C51F4DF5D14602
PID 7488 (Autoit3.exe): C:\temp\hekbekk (text)
  MD5: 57DD013DF7D2AC2F1A063C00825980D5
  SHA256: 77290C915DC83A841E93E9460FAF89291CE52F460EC27EDA84A3D8B7A0E30F81

The AutoIt3.exe and .a3x hashes are identical at both locations: SafeFilter.exe first stages the interpreter and script under C:\temp\test, and the running script then copies both into C:\ProgramData\feaaefc, the location the Run key points at.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 99
DNS requests: 14
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP code | IP | URL | remaining columns (CN, Type, Size) as captured | Reputation. Where the capture has no PID or process for a request, the field is left empty.

5496 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
(none) | (none) | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

Connections

Columns: PID | Process | IP:port | Domain | ASN | CN | Reputation. Where the capture has no value for a field, it is left as (none).

(none) | (none) | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | (none) | (none) | (none) | whitelisted
5496 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
(none) | (none) | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.159.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(none) | (none) | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
4 | System | 192.168.100.255:137 | (none) | (none) | (none) | whitelisted
7740 | MicrosoftEdgeUpdateCore.exe | 173.255.204.62:80 | harlemsupport.com | Linode, LLC | US | malicious
4172 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Columns: Domain | Resolved IPs | Reputation

settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
crl.microsoft.com | 23.53.40.176, 23.53.40.178 | whitelisted
google.com | 172.217.16.142 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
login.live.com | 20.190.159.71, 40.126.31.131, 40.126.31.69, 20.190.159.4, 40.126.31.1, 40.126.31.3, 20.190.159.130, 40.126.31.71 | whitelisted
ocsp.digicert.com | 184.30.131.245 | whitelisted
harlemsupport.com | 173.255.204.62 | malicious
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted
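Only one destination in the network tables above is rated malicious (harlemsupport.com / 173.255.204.62, contacted over plain HTTP by the injected MicrosoftEdgeUpdateCore.exe, PID 7740); everything else is Microsoft update, telemetry and CRL/OCSP traffic. The following is an added example, not ANY.RUN tooling and not code from the sample, that sweeps constructed connection and file-inventory logs for this report's indicators and adds one generalisation: a Microsoft updater binary talking port 80 to a host outside the domains it normally uses is flagged even when the destination is not yet a known IOC. The log line formats, the expected-suffix list and the fifth connection line (203.0.113.7 / cdn-check.example) are assumptions made for the demo; the IOCs and the first four connection lines come from the report.

```python
import ipaddress

# Indicators copied from this report. Only harlemsupport.com / 173.255.204.62
# was rated malicious; the remaining destinations were Microsoft/Akamai noise.
MALICIOUS_DOMAINS = {"harlemsupport.com"}
MALICIOUS_IPS = {ipaddress.ip_address("173.255.204.62")}
DROPPED_SHA256 = {
    "237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D": "AutoIt3 interpreter copy",
    "260B59E12055551BCCAA24523BFB561D8E777651D3FCD15915EE49041E09A0A2": "compiled AutoIt script (.a3x)",
}
# Domain suffixes the legitimate update/telemetry traffic in the report used (assumed allowlist).
EXPECTED_SUFFIXES = (".microsoft.com", ".windows.com", ".live.com", ".digicert.com")

# Constructed connection log, one "<pid> <process> <ip>:<port> <domain or ->" per line.
# Lines 1-4 are taken from the report's connection table; line 5 is invented to
# show the heuristic firing on a destination that is not a known IOC.
CONNECTION_LOG = """\
5496 MoUsoCoreWorker.exe 184.30.21.171:80 www.microsoft.com
7740 MicrosoftEdgeUpdateCore.exe 173.255.204.62:80 harlemsupport.com
6544 svchost.exe 20.190.159.71:443 login.live.com
4 System 192.168.100.255:137 -
7740 MicrosoftEdgeUpdateCore.exe 203.0.113.7:80 cdn-check.example
"""

# Constructed file inventory, one "<path> <sha256>" per line; the second hash is a placeholder.
FILE_INVENTORY = r"""
C:\ProgramData\feaaefc\Autoit3.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
C:\Program Files (x86)\AutoIt3\AutoIt3.exe 0000000000000000000000000000000000000000000000000000000000000000
"""


def parse_connection(line: str) -> dict:
    """Split one connection log line into typed fields; '-' means no domain was resolved."""
    pid, process, dest, domain = line.split()
    ip, port = dest.rsplit(":", 1)
    return {"pid": int(pid), "process": process, "ip": ipaddress.ip_address(ip),
            "port": int(port), "domain": None if domain == "-" else domain.lower()}


def check_connections(log: str) -> list:
    """Return (rule, pid, process, destination) for IOC matches and the updater heuristic."""
    hits = []
    for line in log.strip().splitlines():
        c = parse_connection(line)
        dest = c["domain"] or str(c["ip"])
        if c["domain"] in MALICIOUS_DOMAINS or c["ip"] in MALICIOUS_IPS:
            hits.append(("ioc_match", c["pid"], c["process"], dest))
            continue
        # Heuristic: a Microsoft updater binary using plain HTTP (port 80) to a host
        # outside the suffixes it is expected to talk to, or with no resolved domain at all.
        if (c["process"].lower().startswith("microsoftedgeupdate") and c["port"] == 80
                and not (c["domain"] or "").endswith(EXPECTED_SUFFIXES)):
            hits.append(("updater_http_to_unexpected_host", c["pid"], c["process"], dest))
    return hits


def check_files(inventory: str) -> list:
    """Return (path, label) for inventory entries whose SHA256 matches a dropped-file hash."""
    hits = []
    for line in inventory.strip().splitlines():
        path, digest = line.rsplit(None, 1)  # path may contain spaces; hash never does
        label = DROPPED_SHA256.get(digest.upper())
        if label:
            hits.append((path, label))
    return hits


if __name__ == "__main__":
    for hit in check_connections(CONNECTION_LOG):
        print("net :", hit)
    for hit in check_files(FILE_INVENTORY):
        print("file:", hit)
```

The hash check deliberately keys on the dropped Autoit3.exe and .a3x rather than on SafeFilter.exe itself: the loader is what changes between campaigns, while the interpreter copy and the compiled script are what persist under C:\ProgramData on an infected host.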

Threats

No threats detected
No debug info