File name:

37e1693d19e0b95cd47f8116603d1550N.exe

Full analysis: https://app.any.run/tasks/f352bc25-e7d6-4446-96a9-e7b5485d4ea8
Verdict: Malicious activity
Analysis date: July 12, 2024, 07:29:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows, MZ for MS-DOS
MD5:

37E1693D19E0B95CD47F8116603D1550

SHA1:

938AC974BE799F3C427A874FFD2E1A2BDEB3654E

SHA256:

1885974A95C542C1E2EFD6E79519B9A018CCC715426C8791074C44ABC395A30A

SSDEEP:

6144:i0/1Thw5w4qjPRrf2VrRZHMrbLcPNfVVVVVp:5cPNfVVVVVp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • 37e1693d19e0b95cd47f8116603d1550N.exe (PID: 3128)
      • explorer.exe (PID: 2408)
      • spoolsv.exe (PID: 1956)

    • Changes the autorun value in the registry

      • svchost.exe (PID: 2872)
      • explorer.exe (PID: 2408)

    • Changes appearance of the Explorer extensions

      • svchost.exe (PID: 2872)
      • explorer.exe (PID: 2408)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 37e1693d19e0b95cd47f8116603d1550N.exe (PID: 3128)
      • spoolsv.exe (PID: 1956)

    • Executable content was dropped or overwritten

      • 37e1693d19e0b95cd47f8116603d1550N.exe (PID: 3128)
      • explorer.exe (PID: 2408)
      • spoolsv.exe (PID: 1956)

    • Starts itself from another location

      • 37e1693d19e0b95cd47f8116603d1550N.exe (PID: 3128)
      • explorer.exe (PID: 2408)
      • svchost.exe (PID: 2872)
      • spoolsv.exe (PID: 1956)

    • Creates or modifies Windows services

      • svchost.exe (PID: 2872)

  • INFO

    • Create files in a temporary directory

      • 37e1693d19e0b95cd47f8116603d1550N.exe (PID: 3128)
      • explorer.exe (PID: 2408)
      • spoolsv.exe (PID: 1956)
      • spoolsv.exe (PID: 5316)
      • svchost.exe (PID: 2872)

    • Checks supported languages

      • 37e1693d19e0b95cd47f8116603d1550N.exe (PID: 3128)
      • explorer.exe (PID: 2408)
      • spoolsv.exe (PID: 1956)
      • spoolsv.exe (PID: 5316)
      • svchost.exe (PID: 2872)

    • Reads the computer name

      • svchost.exe (PID: 2872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
6
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 37e1693d19e0b95cd47f8116603d1550n.exe explorer.exe spoolsv.exe svchost.exe spoolsv.exe no specs 37e1693d19e0b95cd47f8116603d1550n.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1956c:\windows\resources\spoolsv.exe SEC:\Windows\Resources\spoolsv.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
2408c:\windows\resources\themes\explorer.exeC:\Windows\Resources\Themes\explorer.exe
37e1693d19e0b95cd47f8116603d1550N.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
2872c:\windows\resources\svchost.exeC:\Windows\Resources\svchost.exe
spoolsv.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
3128"C:\Users\admin\Desktop\37e1693d19e0b95cd47f8116603d1550N.exe" C:\Users\admin\Desktop\37e1693d19e0b95cd47f8116603d1550N.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\37e1693d19e0b95cd47f8116603d1550n.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
3724"C:\Users\admin\Desktop\37e1693d19e0b95cd47f8116603d1550N.exe" C:\Users\admin\Desktop\37e1693d19e0b95cd47f8116603d1550N.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\users\admin\desktop\37e1693d19e0b95cd47f8116603d1550n.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
5316c:\windows\resources\spoolsv.exe PRC:\Windows\Resources\spoolsv.exesvchost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
Total events
542
Read events
520
Write events
18
Delete events
4

Modification events

(PID) Process:(3128) 37e1693d19e0b95cd47f8116603d1550N.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:writeName:LO
Value:
1
(PID) Process:(2408) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Explorer
Value:
c:\windows\resources\themes\explorer.exe RO
(PID) Process:(2408) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Svchost
Value:
c:\windows\resources\svchost.exe RO
(PID) Process:(2408) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Explorer
Value:
(PID) Process:(2408) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Svchost
Value:
(PID) Process:(2408) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation:writeName:ShowSuperHidden
Value:
0
(PID) Process:(2872) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Explorer
Value:
c:\windows\resources\themes\explorer.exe RO
(PID) Process:(2872) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Svchost
Value:
c:\windows\resources\svchost.exe RO
(PID) Process:(2872) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Explorer
Value:
(PID) Process:(2872) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Svchost
Value:
Executable files
3
Suspicious files
3
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2408explorer.exeC:\windows\resources\spoolsv.exeexecutable
MD5:C111988D7257A09B1EE67017E33FDB0D
SHA256:30D0ED6DC793BE4DD45EDB5EC35469D2FF2EFFB9B6FF313EFA3A9F2A768BEFE7
312837e1693d19e0b95cd47f8116603d1550N.exeC:\Users\admin\AppData\Local\Temp\~DF4F4DB4DA1EF9C614.TMPbinary
MD5:755F257DD19E4261448EA7231FCD7CCE
SHA256:FDAC4D71EF760D5608AB64FFE8140BA061AE047BD489DD2AB20667D20AC705BD
5316spoolsv.exeC:\Users\admin\AppData\Local\Temp\~DFE518693DEB9EF33E.TMPbinary
MD5:9A517696E1C0E6900C3121AFE8B33872
SHA256:8D67D2C84B26B34C8BA2F14EB9E2D6A257EA0876F2A79C7B022B9A8F4A463844
1956spoolsv.exeC:\windows\resources\svchost.exeexecutable
MD5:A28B8B452DCCDB6DA9D4DF7C48651127
SHA256:4476C7D834F697D6FF4AF0E5340B0A991E032E8DF9918C5A3BC8BF36B3FA9108
1956spoolsv.exeC:\Users\admin\AppData\Local\Temp\~DF731C479CE744810C.TMPbinary
MD5:FBF1CC702C3398437A55824736B0B237
SHA256:EEE91D96B2C2F9BBE21E5FBB6C0B66356FA23A05EDD8E61B82A6960ED20E6C60
312837e1693d19e0b95cd47f8116603d1550N.exeC:\windows\resources\themes\explorer.exeexecutable
MD5:DB64EAA98FBCB91069A51B169E1E1F0A
SHA256:B5A3F9DEED3D73DD04E75634CD80A9E5580387C370CBCC7572053B950328871A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
19
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4976
RUXIMICS.exe
GET
200
23.216.77.20:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4976
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5148
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
40.74.98.193:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4752
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4976
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5148
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4032
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
4752
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4976
RUXIMICS.exe
23.216.77.20:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
4976
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
5148
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.216.77.20
  • 23.216.77.42
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 20.189.173.4
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
37e1693d19e0b95cd47f8116603d1550N.exe