File name: | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d |
Full analysis: | https://app.any.run/tasks/0858ee5a-7548-4e91-a53f-d1ca9aeea7f1 |
Verdict: | Malicious activity |
Analysis date: | January 10, 2025, 21:25:41 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections |
MD5: | D45B1582136D31D094E490DF3BB6E241 |
SHA1: | A4EF42581FE8E3F34D1330A031E303ACCA372206 |
SHA256: | 21BE6E51B21A8E7BB605AA42047F885E97D60AF4EDF734D8A13CEDB7A3E0F98D |
SSDEEP: | 3072:cpDSvVVVVVVVV/OuO+pDSvVVVVVVVV/OuOO:cdSvVVVVVVVVrdSvVVVVVVVVT |
.exe | | | Win32 Executable MS Visual C++ (generic) (30.9) |
---|---|---|
.exe | | | Win64 Executable (generic) (27.3) |
.exe | | | UPX compressed Win32 Executable (26.8) |
.dll | | | Win32 Dynamic Link Library (generic) (6.5) |
.exe | | | Win32 Executable (generic) (4.4) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x2130 |
UninitializedDataSize: | 24576 |
InitializedDataSize: | 4096 |
CodeSize: | 8192 |
LinkerVersion: | 6 |
PEType: | PE32 |
ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit, No debug |
TimeStamp: | 2011:03:15 04:06:07+00:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
5604 | "C:\Users\admin\Desktop\21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe" | C:\Users\admin\Desktop\21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | — | ||
MD5:— | SHA256:— | |||
5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | |
MD5:39A177A78E8C2458C5DE686EA726133F | SHA256:343509336A2ABC9471CA11FE4E7291C89DD8BC8154DC14F2DD6291E998DCE453 | |||
5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | |
MD5:3A2316C1C0418B5F337ECACBC4444FC6 | SHA256:8AD75257B2E58ADE3926764D54F5CA91C620CC199721B952985CB466D360F2EF | |||
5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable | |
MD5:0114254571CCFD98F959A6D31B8AAFD0 | SHA256:0B0F63BBB10228A3EB19766199BEFC66B79A78D92EE2CDD68A7C86C1DD8ADBDE | |||
5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable | |
MD5:0550D74BE827921CD65F4896046E7166 | SHA256:66A4D12FD79D2B39F0FCD575758BFB35FDD1880F344FB69F06345F74AF8D7821 | |||
5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | |
MD5:8943F64E11B5DED3FE7ED0909EC6DE1A | SHA256:898D310D336474149D529249C11285473B72B52A8CE1157E8B4E5C71864871AF | |||
5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable | |
MD5:C9009478CC449181BE8C6C66F9219994 | SHA256:DA3D5363979F58B151DB21525DECA9445FC2F345240961BAC8EEB571971140B7 | |||
5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | |
MD5:EBAF0CA961775C3CBF979B4F6AB7B8ED | SHA256:D6E3A0D5D7098CB012F65F741B91C8D65A8A4F67527EA95F2E9A60E1B9C11D3B | |||
5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable | |
MD5:FF83B2B33D92A306475B214CC5852326 | SHA256:E2BE65EC5AF07D11FFD39CFB0138E96657B64C885B2DB06CA7B4DBC34D2A6435 | |||
5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable | |
MD5:1BA9BB2CC49031D83909AA5716EC1F09 | SHA256:B99EFD06AC3FF12DD030903797982BBA3139B1391819C22EB444CFE60B76763E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
5448 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5160 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.158:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5160 | RUXIMICS.exe | GET | 200 | 23.48.23.158:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5448 | svchost.exe | GET | 200 | 23.48.23.158:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5160 | RUXIMICS.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 104.126.37.137:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
5448 | svchost.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5448 | svchost.exe | 23.48.23.158:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.158:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5160 | RUXIMICS.exe | 23.48.23.158:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |