File name:

1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N

Full analysis: https://app.any.run/tasks/2d4d072b-dd11-4fb5-87f1-87fed9457dc8
Verdict: Malicious activity
Analysis date: October 25, 2024, 14:27:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 2 sections
MD5: AA484D51497E641453970416583C78B0
SHA1: 73E6B0C121950D3F09A17F69F39F10938F79C3DA
SHA256: 1A87F5271763889692E192E5AAF73FDF9E8ED577B47FF9147C4EA240A24F6CE9
SSDEEP: 768:b/bWvkfs+ETVCgAI+NQdP4jBVVVVVVYhVVVUqOaoC1:TbWvkfs+ERJAKF49VVVVVV+VVVURa11

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe (PID: 6256)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe (PID: 6256)
    • The process creates files with name similar to system file names

      • 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe (PID: 6256)
    • Changes the title of the Internet Explorer window

      • 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe (PID: 6256)
    • Creates file in the systems drive root

      • 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe (PID: 6256)
    • Changes the Home page of Internet Explorer

      • 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe (PID: 6256)
  • INFO

    • Creates files or folders in the user directory

      • 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe (PID: 6256)
    • Create files in a temporary directory

      • 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe (PID: 6256)
    • Checks supported languages

      • 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe (PID: 6256)
No Malware configuration.

TRiD

.exe | Mew compressed Win32 Executable (88.8)
.exe | Win32 Executable (generic) (5.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: -
CodeSize: 512
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x246c4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 123
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9n.exe

Process information

PID: 6256
CMD: "C:\Users\admin\Desktop\1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe"
Path: C:\Users\admin\Desktop\1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9n.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
Total events: 72
Read events: 57
Write events: 15
Delete events: 0

Modification events (all by PID 6256, 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe)

Key: HKEY_CURRENT_USER\Control Panel\Desktop
Operation: write
Name: SCRNSAVE.EXE
Value: C:\WINDOWS\system32\babon.SCR

Key: HKEY_CURRENT_USER\Control Panel\Desktop
Operation: write
Name: ScreenSaverIsSecure
Value: 0

Key: HKEY_CURRENT_USER\Control Panel\Desktop
Operation: write
Name: ScreenSaveTimeOut
Value: 600

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: babon
Value: C:\WINDOWS\babon

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MSMSGS
Value: C:\Users\admin\Local Settings\Application Data\WINDOWS\winlogon.exe

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Logonadmin
Value: C:\Users\admin\Local Settings\Application Data\WINDOWS\csrss.exe

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: System Monitoring
Value: C:\Users\admin\Local Settings\Application Data\WINDOWS\lsass.exe

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write
Name: Start Page
Value: http://www.jasakom.com

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write
Name: Search Page
Value: http://www.jasakom.com

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write
Name: Windows Title
Value: Babon hates Norman..:P~~
Executable files: 9
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6256 | 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe | C:\Users\admin\AppData\Local\WINDOWS\winlogon.exe | executable
MD5: AA484D51497E641453970416583C78B0
SHA256: 1A87F5271763889692E192E5AAF73FDF9E8ED577B47FF9147C4EA240A24F6CE9
6256 | 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe | C:\Users\admin\AppData\Local\smss.exe | executable
MD5: AA484D51497E641453970416583C78B0
SHA256: 1A87F5271763889692E192E5AAF73FDF9E8ED577B47FF9147C4EA240A24F6CE9
6256 | 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe | C:\Users\admin\AppData\Local\winlogon.exe | executable
MD5: AA484D51497E641453970416583C78B0
SHA256: 1A87F5271763889692E192E5AAF73FDF9E8ED577B47FF9147C4EA240A24F6CE9
6256 | 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe | C:\Users\admin\AppData\Local\csrss.exe | executable
MD5: AA484D51497E641453970416583C78B0
SHA256: 1A87F5271763889692E192E5AAF73FDF9E8ED577B47FF9147C4EA240A24F6CE9
6256 | 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe | C:\Users\admin\AppData\Local\WINDOWS\smss.exe | executable
MD5: AA484D51497E641453970416583C78B0
SHA256: 1A87F5271763889692E192E5AAF73FDF9E8ED577B47FF9147C4EA240A24F6CE9
6256 | 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe | C:\Users\admin\AppData\Local\WINDOWS\csrss.exe | executable
MD5: AA484D51497E641453970416583C78B0
SHA256: 1A87F5271763889692E192E5AAF73FDF9E8ED577B47FF9147C4EA240A24F6CE9
6256 | 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe | C:\Users\admin\AppData\Local\lsass.exe | executable
MD5: AA484D51497E641453970416583C78B0
SHA256: 1A87F5271763889692E192E5AAF73FDF9E8ED577B47FF9147C4EA240A24F6CE9
6256 | 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe | C:\Users\admin\AppData\Local\WINDOWS\lsass.exe | executable
MD5: AA484D51497E641453970416583C78B0
SHA256: 1A87F5271763889692E192E5AAF73FDF9E8ED577B47FF9147C4EA240A24F6CE9
6256 | 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe | C:\Users\admin\AppData\Local\Temp\~DFFA2A48A9C8ACEB08.TMP | binary
MD5: 86EABA21AA8B287D08FC3FCF2115C0B0
SHA256: C2066F9BC98EED06EFECE83F15FC6B2CC601F0C952B60E25DB9542449B1B9BDA
6256 | 1a87f5271763889692e192e5aaf73fdf9e8ed577b47ff9147c4ea240a24f6ce9N.exe | C:\Users\admin\AppData\Local\VirtualStore\wangsit.txt | text
MD5: DF2F3E6971A7548C1688706F9A9798A8
SHA256: 1FD0A101A74C19C0C9E287EAC64EE506DF3EEBDBC11F12022DDA94FEDD123918
HTTP(S) requests: 4
TCP/UDP connections: 25
DNS requests: 7
Threats: 0

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation (cells that were empty in the report are not present in the rows below)
6944 | svchost.exe | GET | 200 | 2.16.164.51:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1752 | RUXIMICS.exe | GET | 200 | 2.16.164.51:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1752 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.51:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1752 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.23.209.177:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6944 | svchost.exe | 2.16.164.51:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1752 | RUXIMICS.exe | 2.16.164.51:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 2.16.164.51:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1752 | RUXIMICS.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 20.73.194.208 | whitelisted
www.bing.com | 2.23.209.177, 2.23.209.185, 2.23.209.187, 2.23.209.182, 2.23.209.158, 2.23.209.150, 2.23.209.179, 2.23.209.189, 2.23.209.176 | whitelisted
google.com | 142.250.184.238 | whitelisted
crl.microsoft.com | 2.16.164.51, 2.16.164.9 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
self.events.data.microsoft.com | 20.189.173.11 | whitelisted

Threats

No threats detected
No debug info