File name:

malicious.exe

Full analysis: https://app.any.run/tasks/9a380bb6-cb35-461b-81d2-680ff17cb7b4
Verdict: Malicious activity
Analysis date: November 14, 2024, 11:10:59
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

18CBE55C3B28754916F1CBF4DFC95CF9

SHA1:

7CCFB7678C34D6A2BEDC040DA04E2B5201BE453B

SHA256:

248FCC901AFF4E4B4C48C91E4D78A939BF681C9A1BC24ADDC3551B32768F907B

SSDEEP:

98304:yn29ufYrBk8hEviaPnwwKLbM/Y30otsb7GYvoPpjtXXL658WrPf/OCdZzuYZHoap:x3p69jVx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 5uR3lF9.exe (PID: 4836)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Yt8ge85.exe (PID: 1196)
      • GY4IC43.exe (PID: 4348)
      • malicious.exe (PID: 4868)

    • Starts a Microsoft application from unusual location

      • GY4IC43.exe (PID: 4348)
      • malicious.exe (PID: 4868)
      • Yt8ge85.exe (PID: 1196)
      • hE8Zq97.exe (PID: 6464)

    • Executable content was dropped or overwritten

      • malicious.exe (PID: 4868)
      • Yt8ge85.exe (PID: 1196)
      • hE8Zq97.exe (PID: 6464)
      • GY4IC43.exe (PID: 4348)

    • Executes application which crashes

      • 1Zn59od7.exe (PID: 5172)
      • 2PO9885.exe (PID: 1396)
      • 3FD62NB.exe (PID: 4680)
      • 4Ii975UD.exe (PID: 6340)

    • Executing commands from a ".bat" file

      • 5uR3lF9.exe (PID: 4836)

    • Starts CMD.EXE for commands execution

      • 5uR3lF9.exe (PID: 4836)

  • INFO

    • Create files in a temporary directory

      • GY4IC43.exe (PID: 4348)
      • Yt8ge85.exe (PID: 1196)
      • malicious.exe (PID: 4868)
      • hE8Zq97.exe (PID: 6464)

    • Checks supported languages

      • GY4IC43.exe (PID: 4348)
      • Yt8ge85.exe (PID: 1196)
      • hE8Zq97.exe (PID: 6464)
      • malicious.exe (PID: 4868)
      • 1Zn59od7.exe (PID: 5172)
      • AppLaunch.exe (PID: 6704)
      • 2PO9885.exe (PID: 1396)
      • AppLaunch.exe (PID: 1552)
      • AppLaunch.exe (PID: 6184)
      • 3FD62NB.exe (PID: 4680)

    • Reads the software policy settings

      • WerFault.exe (PID: 540)
      • WerFault.exe (PID: 4128)

    • Reads the computer name

      • AppLaunch.exe (PID: 6704)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 540)
      • WerFault.exe (PID: 4128)

    • Reads the machine GUID from the registry

      • AppLaunch.exe (PID: 6704)

    • Checks proxy server information

      • WerFault.exe (PID: 4128)
      • WerFault.exe (PID: 540)

    • Application launched itself

      • msedge.exe (PID: 7128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:24 22:49:06+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.13
CodeSize: 25600
InitializedDataSize: 1890816
UninitializedDataSize: -
EntryPoint: 0x6a60
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.0.17763.1
ProductVersionNumber: 11.0.17763.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.17763.1 (WinBuild.160101.0800)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.17763.1
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
195
Monitored processes
54
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start malicious.exe yt8ge85.exe gy4ic43.exe he8zq97.exe 1zn59od7.exe applaunch.exe no specs werfault.exe 2po9885.exe applaunch.exe no specs werfault.exe 3fd62nb.exe applaunch.exe no specs werfault.exe no specs 4ii975ud.exe applaunch.exe no specs werfault.exe no specs 5ur3lf9.exe no specs conhost.exe no specs cmd.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
540C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5172 -s 612C:\Windows\SysWOW64\WerFault.exe
1Zn59od7.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
1196C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Yt8ge85.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\Yt8ge85.exe
malicious.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Win32 Cabinet Self-Extractor
Exit code:
0
Version:
11.00.17763.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\yt8ge85.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1396C:\Users\admin\AppData\Local\Temp\IXP003.TMP\2PO9885.exeC:\Users\admin\AppData\Local\Temp\IXP003.TMP\2PO9885.exe
hE8Zq97.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226505
Modules
Images
c:\users\admin\appdata\local\temp\ixp003.tmp\2po9885.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1500"C:\WINDOWS\sysnative\cmd" /c "C:\Users\admin\AppData\Local\Temp\C58.tmp\C59.tmp\C5A.bat C:\Users\admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exe"C:\Windows\System32\cmd.exe5uR3lF9.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
1552"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe2PO9885.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET ClickOnce Launch Utility
Exit code:
1
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1732"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3472 --field-trial-handle=2376,i,10115467993412915605,17486988373416880348,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
2272"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2372 --field-trial-handle=2376,i,10115467993412915605,17486988373416880348,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
2484C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4680 -s 612C:\Windows\SysWOW64\WerFault.exe3FD62NB.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
3972"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3828 --field-trial-handle=2376,i,10115467993412915605,17486988373416880348,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
4128C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1396 -s 584C:\Windows\SysWOW64\WerFault.exe
2PO9885.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
8 692
Read events
8 692
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
277
Text files
59
Unknown types
1

Dropped files

PID
Process
Filename
Type
540WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_1Zn59od7.exe_317bf4fdddb0d3ad98b531274d3eab7c1afe03c_76adbf56_808c34ac-4f7e-4498-b9b9-f2ce633a9dbc\Report.wer
MD5:
SHA256:
4128WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_2PO9885.exe_3cc2f3b9fc7e60c55fd0dc6cef9ca96f26935_557ea383_27d4b6fd-8e70-4950-9451-30667452a940\Report.wer
MD5:
SHA256:
6464hE8Zq97.exeC:\Users\admin\AppData\Local\Temp\IXP003.TMP\2PO9885.exeexecutable
MD5:144DC3C0A5275A93FF86F00B5C61B9EC
SHA256:179649325E561F83A53C5CBA99CD8F1F589064C8D0F2029FB8E06F61AE986787
1196Yt8ge85.exeC:\Users\admin\AppData\Local\Temp\IXP001.TMP\GY4IC43.exeexecutable
MD5:252043D1805587B0E65A07F885D6719E
SHA256:66839BC22B9C9F717198CF8FAA64146FE95DFF51DFBB8C0F61982F2E50E89557
540WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FEder
MD5:F0CF5B1794ECA7CD73F9C020DAAB8EF2
SHA256:2AF00EDCE7EF3266897E52DC81E8DE3B7A079028C0F1F96EAFF9E38AD342F617
540WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERBE1A.tmp.WERInternalMetadata.xmlxml
MD5:DB62C4367C03EBFC363AF53CD8CD5CED
SHA256:F8FAFBA9E0B2826D008DF7004C921CBC152A0B1EBEBFA4C4A084DD95AACA3CCB
2484WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_3FD62NB.exe_d4978256db187df0d5ec759b8bdbdf197637c711_a9de4905_d83e4fd5-87ec-4319-8375-d206b7392804\Report.wer
MD5:
SHA256:
540WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERBD3E.tmp.dmpbinary
MD5:D6EA35D96ED7F3E0A765FC6715A13CDE
SHA256:D01083ED4A2ACEC8F12F4D1F1880AF348830CB8E86911F5ABD230ABF80E09A50
540WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785der
MD5:F6F53CD09A41E968C363419B279D3112
SHA256:6D2BB01CC7A9BADE2113B219CAC1BDA86B2733196B7E1BD0C807CE1E396B1892
540WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERBE59.tmp.xmlxml
MD5:05A6A6AFB1541397BD4461EDF8DDAAEF
SHA256:471FA02E816561EAC012E254F3383F5C55279C10738D2AC707A764CA3A99A582
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
109
DNS requests
90
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
692
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
540
WerFault.exe
GET
200
184.24.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
540
WerFault.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.16.164.83:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4836
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4360
SearchApp.exe
104.126.37.130:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
540
WerFault.exe
20.42.73.29:443
watson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
540
WerFault.exe
184.24.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
540
WerFault.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.44.239.154
  • 51.104.136.2
whitelisted
www.bing.com
  • 104.126.37.130
  • 104.126.37.155
  • 104.126.37.139
  • 104.126.37.128
  • 104.126.37.137
  • 104.126.37.136
  • 104.126.37.152
  • 104.126.37.131
  • 104.126.37.153
  • 104.126.37.144
  • 104.126.37.123
  • 104.126.37.146
  • 104.126.37.179
  • 104.126.37.184
  • 104.126.37.186
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
google.com
  • 142.250.185.142
whitelisted
watson.events.data.microsoft.com
  • 20.42.73.29
  • 20.189.173.22
whitelisted
crl.microsoft.com
  • 184.24.77.37
  • 184.24.77.35
  • 2.16.164.83
  • 2.16.164.99
  • 2.16.164.113
  • 2.16.164.107
  • 2.16.164.98
  • 2.16.164.96
  • 2.16.164.91
  • 2.16.164.106
  • 2.16.164.114
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
whitelisted
login.live.com
  • 20.190.159.75
  • 40.126.31.71
  • 20.190.159.23
  • 20.190.159.73
  • 40.126.31.73
  • 20.190.159.4
  • 20.190.159.0
  • 20.190.159.68
whitelisted
th.bing.com
  • 104.126.37.179
  • 104.126.37.137
  • 104.126.37.184
  • 104.126.37.144
  • 104.126.37.130
  • 104.126.37.128
  • 104.126.37.131
  • 104.126.37.123
  • 104.126.37.186
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
malicious.exe