File name: procexp.exe

Full analysis: https://app.any.run/tasks/997b9ab6-adf2-47d7-9a84-292bc19ad329
Verdict: Malicious activity
Analysis date: September 14, 2024, 13:00:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 94C60E6704B5DD11A139F2FFEBDE9135
SHA1: CD89F1CF9428A3EAB554A3EB9FF6CA869E5BC368
SHA256: 106BF123359D03963B1DF1011FB8560AAF1C5E811DE775DCE1D8A53758A69102
SSDEEP: 98304:kQ/qdW5SWBJdgKwBFip2LytbxPiei81/mxKkAcEgHboS3FdF:Keiqo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • procexp.exe (PID: 2876)
      • procexp64.exe (PID: 5388)
    • Drops a system driver (possible attempt to evade defenses)

      • procexp64.exe (PID: 5388)
    • The process checks if it is being run in the virtual environment

      • procexp64.exe (PID: 5388)
      • procexp.exe (PID: 2876)
    • Reads security settings of Internet Explorer

      • procexp64.exe (PID: 5388)
    • Detected use of alternative data streams (AltDS)

      • procexp64.exe (PID: 5388)
    • Checks Windows Trust Settings

      • procexp64.exe (PID: 5388)
  • INFO

    • Reads the computer name

      • procexp.exe (PID: 2876)
      • procexp64.exe (PID: 5388)
    • Reads product name

      • procexp64.exe (PID: 5388)
    • Checks supported languages

      • procexp64.exe (PID: 5388)
      • procexp.exe (PID: 2876)
    • Create files in a temporary directory

      • procexp64.exe (PID: 5388)
      • procexp.exe (PID: 2876)
    • Reads Environment values

      • procexp64.exe (PID: 5388)
    • Reads the software policy settings

      • procexp64.exe (PID: 5388)
    • Checks proxy server information

      • procexp64.exe (PID: 5388)
    • Creates files or folders in the user directory

      • procexp64.exe (PID: 5388)
    • Reads the machine GUID from the registry

      • procexp64.exe (PID: 5388)
    • Reads Microsoft Office registry keys

      • procexp64.exe (PID: 5388)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:28 15:50:44+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 1014272
InitializedDataSize: 3712512
UninitializedDataSize: -
EntryPoint: 0xc43ce
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 17.6.0.0
ProductVersionNumber: 17.6.0.0
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Sysinternals - www.sysinternals.com
FileDescription: Sysinternals Process Explorer
FileVersion: 17.06
InternalName: Process Explorer
LegalCopyright: Copyright © 1998-2024 Mark Russinovich
LegalTrademarks: Copyright © 1998-2024 Mark Russinovich
OriginalFileName: Procexp.exe
ProductName: Process Explorer
ProductVersion: 17.06
No data.
All screenshots are available in the full report
Total processes: 122
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → procexp.exe → procexp64.exe

Process information

PID | CMD | Path | Indicators | Parent process

2876 | "C:\Users\admin\Desktop\procexp.exe" | C:\Users\admin\Desktop\procexp.exe | | explorer.exe
User: admin
Company: Sysinternals - www.sysinternals.com
Integrity Level: MEDIUM
Description: Sysinternals Process Explorer
Version: 17.06
Modules (images):
  • c:\users\admin\desktop\procexp.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\shlwapi.dll

5388 | "C:\Users\admin\Desktop\procexp.exe" | C:\Users\admin\AppData\Local\Temp\procexp64.exe | | procexp.exe
User: admin
Company: Sysinternals - www.sysinternals.com
Integrity Level: MEDIUM
Description: Sysinternals Process Explorer
Version: 17.06
Modules (images):
  • c:\users\admin\appdata\local\temp\procexp64.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\shlwapi.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\ws2_32.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\setupapi.dll
Total events: 45 397
Read events: 45 394
Write events: 3
Delete events: 0

Modification events

(PID) Process: (2876) procexp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer
Operation: write
Name: OriginalPath
Value: C:\Users\admin\Desktop\procexp.exe

(PID) Process: (2876) procexp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer
Operation: write
Name: Path
Value: C:\Users\admin\AppData\Local\Temp\procexp64.exe

(PID) Process: (5388) procexp64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Explorer
Operation: write
Name: EulaAccepted
Value: 1
Executable files: 2
Suspicious files: 56
Text files: 0
Unknown types: 1

Dropped files

PID | Process | Filename | Type

2876 | procexp.exe | C:\Users\admin\AppData\Local\Temp\procexp64.exe | executable
  MD5: DFEEA73E421C76DEB18D5CA0800DCCF2
  SHA256: 8158DC0569972C10056F507CF9E72F4946600CE163C4C659A610480585CD4935

5388 | procexp64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\45AE547469FB7137480E06153457A2DD | der
  MD5: 607E2F82F28C67AE4F1118F13163EAEE
  SHA256: 731296029DE520110728583B3B315C9B554E6DD41EC15C4953AA9A8A49F7B5F8

5388 | procexp64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850 | binary
  MD5: C7D1234376F3389D6C220F0DCF24341B
  SHA256: F67F7E62B47D1C4D9059F9F01FF40D52044EE81F594C5B8C8925C254381061E5

5388 | procexp64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0B8A20E1F3F4D73D52A19929F922C892 | binary
  MD5: AA22265AA1C8CB5618C9514A457DC071
  SHA256: 1C92413E04360F3D2FBE02A9ED99A2B532043DB6B4052590346D95F9FECE1D0C

5388 | procexp64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_EB45B4DDD2CA201E87E40B2FB5245AEF | binary
  MD5: 3238DF72FE392B9EE0274A2B4C059E2E
  SHA256: C3CFF12896B4197F648440CA0B35C90B1D6DD6B08E8309345464E69E722DE3EB

5388 | procexp64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\36AC0BE60E1243344AE145F746D881FE | der
  MD5: DDF4DE0DC1AC39C22F605957A1FE614B
  SHA256: 0ACF9791F2CBBF8330653DF8D90E760108DD7ED3B5DB03C4DE164BD5047E4D4A

5388 | procexp64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_EB45B4DDD2CA201E87E40B2FB5245AEF | binary
  MD5: D1B186AF438C317037B741EAB36B17BD
  SHA256: B0F2FFDFF551DB1CEE04F255DEE7DED6B195329014E67895772B1082AD9FCD97

5388 | procexp64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\36AC0BE60E1243344AE145F746D881FE | binary
  MD5: 214DDADD170CABEC9B9EF5416E574F80
  SHA256: 4EA3CD87712FE6AFEAB7AB67D4E2FC107A175695BF22776ECAF2EBF94953B5DD

5388 | procexp64.exe | C:\Users\admin\AppData\Local\Temp\PROCEXP152.SYS | executable
  MD5: 350AABF315C387C677BD5B9CE80BF525
  SHA256: 86F635BF43A64A267A003260EB9B93FF05799F12DE84E9A2F01A02B4DD92AFC2

5388 | procexp64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4C7F163ED126D5C3CB9457F68EC64E9E | binary
  MD5: 8A5425662455BB2E60040E1F9851BC65
  SHA256: E5AF1F870B35108F22B2ADA888A24257D060A932B7FAD108917198E3040B8539
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 38
TCP/UDP connections: 31
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2016 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | | unknown | | whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | | unknown | | whitelisted
6232 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | | unknown | | whitelisted
5388 | procexp64.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | | unknown | | whitelisted
5388 | procexp64.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl%20 | | unknown | | whitelisted
5388 | procexp64.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | | unknown | | whitelisted
5388 | procexp64.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl | | unknown | | whitelisted
5388 | procexp64.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | | unknown | | whitelisted
5388 | procexp64.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | | unknown | | whitelisted
5388 | procexp64.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEARSlvj82CmnXclClPWkFaQ%3D | | unknown | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6232 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2016 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
6232 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2016 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4324 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6232 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 40.127.240.158 | whitelisted
google.com | 142.250.185.142 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
crl.microsoft.com | 152.199.19.74 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
crl.verisign.com | 192.229.221.95 | whitelisted
ocsp.verisign.com | | whitelisted
csc3-2004-crl.verisign.com | | whitelisted
ocsp.trust-provider.com | 172.64.149.23, 104.18.38.233 | whitelisted
crl.trust-provider.com | 104.18.38.233, 172.64.149.23 | whitelisted

Threats

No threats detected
No debug info