File name: .Trashes .exe

Full analysis: https://app.any.run/tasks/35eb90bd-54f1-4777-bbe1-803b5ad3f518
Verdict: Malicious activity
Analysis date: July 02, 2024, 07:15:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 3517A8BD429A3647A673EA607360A638
SHA1: 0FF80CFAA0278104656DF05A17DCD5CA212AD7A5
SHA256: 139CB2AD4CBF6CFD4F9A7FE6DDB56AD2EE12C46B930A0963CBE5766BC26812DE
SSDEEP: 24576:6W6VkT7dTYFDqp1puETGdtg1K4GHj7e+sDYmH:6W6VkT7dsFDqp1puETG3g1K4GHjS+sDp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe (PID: 3348)
    • Changes the autorun value in the registry

      • 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe (PID: 3348)
      • 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe (PID: 3700)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe (PID: 3348)
  • INFO

    • Creates files or folders in the user directory

      • 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe (PID: 3348)
    • Create files in a temporary directory

      • 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe (PID: 3348)
      • 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe (PID: 3700)
    • Reads the computer name

      • 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe (PID: 3348)
      • 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe (PID: 3700)
    • Checks supported languages

      • 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe (PID: 3348)
      • 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe (PID: 3700)
    • Manual execution by a user

      • 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe (PID: 3700)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1987:01:30 03:38:08+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 414208
InitializedDataSize: 250368
UninitializedDataSize: -
EntryPoint: 0xa5000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 39
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe (PID 3348), 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe (PID 3700)

Process information

PID: 3348
CMD: "C:\Users\admin\Desktop\35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe"
Path: C:\Users\admin\Desktop\35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules / Images:
  c:\users\admin\desktop\35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
  c:\windows\system32\gdi32.dll

PID: 3700
CMD: "C:\Users\admin\Desktop\35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe"
Path: C:\Users\admin\Desktop\35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules / Images:
  c:\users\admin\desktop\35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
  c:\windows\system32\gdi32.dll
Total events: 236
Read events: 229
Write events: 7
Delete events: 0

Modification events

(PID) Process: (3348) 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Msn Messsenger
Value: C:\Users\admin\AppData\Roaming\regsvr.exe

(PID) Process: (3348) 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Yahoo Messsenger
Value: C:\Users\admin\AppData\Roaming\support\svchost.exe

(PID) Process: (3348) 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
Operation: write
Name: shared
Value: \New Folder .exe

(PID) Process: (3700) 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Msn Messsenger
Value: C:\Users\admin\AppData\Roaming\regsvr.exe

(PID) Process: (3700) 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Yahoo Messsenger
Value: C:\Users\admin\AppData\Roaming\support\svchost.exe

(PID) Process: (3700) 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
Operation: write
Name: shared
Value: \New Folder .exe
Executable files: 2
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID 3348, 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe
Filename: C:\Users\admin\AppData\Roaming\regsvr.exe
Type: executable
MD5: 3517A8BD429A3647A673EA607360A638
SHA256: 139CB2AD4CBF6CFD4F9A7FE6DDB56AD2EE12C46B930A0963CBE5766BC26812DE

PID 3700, 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe
Filename: C:\Users\admin\AppData\Local\Temp\autF9AE.tmp
Type: binary
MD5: D4F4C7B06BD1A7FF56E1391E9FB350E6
SHA256: 63B1D2DA3901236647546CE2C79897D4F6C7791AC534DD4537E9D1F26AB06627

PID 3348, 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe
Filename: C:\Users\admin\AppData\Local\Temp\autD8D8.tmp
Type: binary
MD5: D4F4C7B06BD1A7FF56E1391E9FB350E6
SHA256: 63B1D2DA3901236647546CE2C79897D4F6C7791AC534DD4537E9D1F26AB06627

PID 3348, 35eb90bd-54f1-4777-bbe1-803b5ad3f518.exe
Filename: C:\Users\admin\AppData\Roaming\setup.ini
Type: text
MD5: C4961474A0B39CB0800D307F4F0C7E04
SHA256: 57CF266E05450D1DF810234C677DBF394CEBA43E7D5319C1FB745DD8D738BB33
HTTP(S) requests: 3
TCP/UDP connections: 11
DNS requests: 4
Threats: 0

HTTP requests

Columns as shown in the report: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation.

PID 1372, svchost.exe, GET, HTTP 304, 199.232.210.172:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
CN / Type / Size / Reputation: unknown, unknown

PID 1372, svchost.exe, GET, HTTP 200, 184.30.21.171:80
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN / Type / Size / Reputation: unknown, unknown

PID 1372, svchost.exe, GET, HTTP 200, 23.48.23.156:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN / Type / Size / Reputation: unknown, unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1372 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2564 | svchost.exe | 239.255.255.250:3702 | - | - | - | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1372 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1372 | svchost.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown
1372 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

No threats detected
No debug info