File name:	1fac92b90fb8cdd631a24d207caa114abd24648287bc6b7ec29cb99a97df2069.exe
Full analysis:	https://app.any.run/tasks/8a93962b-dcdc-473c-beae-ba5265b4b42d
Verdict:	Malicious activity
Analysis date:	March 05, 2026, 02:50:55
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 10 sections
MD5:	58FE50AFF4694C94C90C13095A5AD758
SHA1:	5EC571D84EFB93E0EC8BD73C5DF6059AA46D0AB4
SHA256:	1FAC92B90FB8CDD631A24D207CAA114ABD24648287BC6B7EC29CB99A97DF2069
SSDEEP:	98304:b6CjmeOZu45rmzAUERmR4N4BLaN+MKELrqozUj3nzBMax+1ozAs5rxSODBHGv527:q51UI7Zk

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2023:02:09 00:12:54+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	9
CodeSize:	4608
InitializedDataSize:	1096192
UninitializedDataSize:	-
EntryPoint:	0x2e26cc
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	10.0.22621.1
ProductVersionNumber:	10.0.22621.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Resource Monitor
FileVersion:	10.0.22621.1 (WinBuild.160101.0800)
InternalName:	resmon.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	resmon.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.22621.1

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2912	SIHClient.exe	GET	304	74.179.77.204:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
6768	MoUsoCoreWorker.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
4280	net.exe	HEAD	404	23.95.245.178:80	http://23.95.245.178/lab/fu0a1	US	—	—	unknown
2912	SIHClient.exe	GET	200	135.233.95.135:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	US	—	—	whitelisted
—	—	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
2912	SIHClient.exe	GET	200	74.179.77.204:443	https://slscr.update.microsoft.com/sls/ping	US	—	—	whitelisted
6768	MoUsoCoreWorker.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
2912	SIHClient.exe	GET	304	74.179.77.204:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
4280	net.exe	HEAD	404	23.95.245.178:80	http://23.95.245.178/lab/fu0a1	US	—	—	unknown
—	—	POST	500	48.192.1.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	text	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
—	—	92.123.104.59:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
492	svchost.exe	2.16.164.120:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
—	—	2.16.164.120:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6768	MoUsoCoreWorker.exe	2.16.164.120:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
—	—	23.52.181.212:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
492	svchost.exe	23.52.181.212:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
6768	MoUsoCoreWorker.exe	23.52.181.212:80	www.microsoft.com	AKAMAI-AS	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	whitelisted
self.events.data.microsoft.com	52.182.143.215 20.189.173.7	whitelisted
www.bing.com	92.123.104.59 92.123.104.31 92.123.104.47 92.123.104.60 92.123.104.52 92.123.104.32 92.123.104.38 92.123.104.34 92.123.104.33	whitelisted
google.com	192.178.204.113 192.178.204.100 192.178.204.101 192.178.204.138 192.178.204.139 192.178.204.102	whitelisted
crl.microsoft.com	2.16.164.120 2.16.164.49	whitelisted
www.microsoft.com	23.52.181.212	whitelisted
client.wns.windows.com	172.211.123.248 172.211.123.249	whitelisted
activation-v2.sls.microsoft.com	48.192.1.64	whitelisted
slscr.update.microsoft.com	74.179.77.204	whitelisted
fe3cr.delivery.mp.microsoft.com	135.233.95.135	whitelisted

PID	Process	Class	Message
—	—	Generic Protocol Command Decode	SURICATA STREAM suspected RST injection
3412	svchost.exe	Generic Protocol Command Decode	SURICATA HTTP unable to match response to request
—	—	Generic Protocol Command Decode	SURICATA HTTP unable to match response to request
—	—	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction

General Info

1fac92b90fb8cdd631a24d207caa114abd24648287bc6b7ec29cb99a97df2069.exe

58FE50AFF4694C94C90C13095A5AD758

5EC571D84EFB93E0EC8BD73C5DF6059AA46D0AB4

1FAC92B90FB8CDD631A24D207CAA114ABD24648287BC6B7EC29CB99A97DF2069

98304:b6CjmeOZu45rmzAUERmR4N4BLaN+MKELrqozUj3nzBMax+1ozAs5rxSODBHGv527:q51UI7Zk

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was injected by another process

Runs injected code in another process

SUSPICIOUS

Application launched itself

INFO

The sample compiled with english language support

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings