File name:

malicious.exe

Full analysis: https://app.any.run/tasks/9a380bb6-cb35-461b-81d2-680ff17cb7b4
Verdict: Malicious activity
Analysis date: November 14, 2024, 11:10:59
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

18CBE55C3B28754916F1CBF4DFC95CF9

SHA1:

7CCFB7678C34D6A2BEDC040DA04E2B5201BE453B

SHA256:

248FCC901AFF4E4B4C48C91E4D78A939BF681C9A1BC24ADDC3551B32768F907B

SSDEEP:

98304:yn29ufYrBk8hEviaPnwwKLbM/Y30otsb7GYvoPpjtXXL658WrPf/OCdZzuYZHoap:x3p69jVx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 5uR3lF9.exe (PID: 4836)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • malicious.exe (PID: 4868)
      • Yt8ge85.exe (PID: 1196)
      • GY4IC43.exe (PID: 4348)
      • hE8Zq97.exe (PID: 6464)

    • Process drops legitimate windows executable

      • Yt8ge85.exe (PID: 1196)
      • malicious.exe (PID: 4868)
      • GY4IC43.exe (PID: 4348)

    • Executable content was dropped or overwritten

      • malicious.exe (PID: 4868)
      • Yt8ge85.exe (PID: 1196)
      • GY4IC43.exe (PID: 4348)
      • hE8Zq97.exe (PID: 6464)

    • Executes application which crashes

      • 1Zn59od7.exe (PID: 5172)
      • 2PO9885.exe (PID: 1396)
      • 3FD62NB.exe (PID: 4680)
      • 4Ii975UD.exe (PID: 6340)

    • Starts CMD.EXE for commands execution

      • 5uR3lF9.exe (PID: 4836)

    • Executing commands from a ".bat" file

      • 5uR3lF9.exe (PID: 4836)

  • INFO

    • Checks supported languages

      • malicious.exe (PID: 4868)
      • Yt8ge85.exe (PID: 1196)
      • GY4IC43.exe (PID: 4348)
      • hE8Zq97.exe (PID: 6464)
      • 1Zn59od7.exe (PID: 5172)
      • AppLaunch.exe (PID: 6704)
      • AppLaunch.exe (PID: 1552)
      • 2PO9885.exe (PID: 1396)
      • 3FD62NB.exe (PID: 4680)
      • AppLaunch.exe (PID: 6184)

    • Create files in a temporary directory

      • malicious.exe (PID: 4868)
      • Yt8ge85.exe (PID: 1196)
      • GY4IC43.exe (PID: 4348)
      • hE8Zq97.exe (PID: 6464)

    • Reads the machine GUID from the registry

      • AppLaunch.exe (PID: 6704)

    • Reads the computer name

      • AppLaunch.exe (PID: 6704)

    • Checks proxy server information

      • WerFault.exe (PID: 540)
      • WerFault.exe (PID: 4128)

    • Reads the software policy settings

      • WerFault.exe (PID: 4128)
      • WerFault.exe (PID: 540)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 540)
      • WerFault.exe (PID: 4128)

    • Application launched itself

      • msedge.exe (PID: 7128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:24 22:49:06+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.13
CodeSize: 25600
InitializedDataSize: 1890816
UninitializedDataSize: -
EntryPoint: 0x6a60
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.0.17763.1
ProductVersionNumber: 11.0.17763.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.17763.1 (WinBuild.160101.0800)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.17763.1
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
195
Monitored processes
54
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start malicious.exe yt8ge85.exe gy4ic43.exe he8zq97.exe 1zn59od7.exe applaunch.exe no specs werfault.exe 2po9885.exe applaunch.exe no specs werfault.exe 3fd62nb.exe applaunch.exe no specs werfault.exe no specs 4ii975ud.exe applaunch.exe no specs werfault.exe no specs 5ur3lf9.exe no specs conhost.exe no specs cmd.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
540C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5172 -s 612C:\Windows\SysWOW64\WerFault.exe
1Zn59od7.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
1196C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Yt8ge85.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\Yt8ge85.exe
malicious.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Win32 Cabinet Self-Extractor
Exit code:
0
Version:
11.00.17763.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\yt8ge85.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1396C:\Users\admin\AppData\Local\Temp\IXP003.TMP\2PO9885.exeC:\Users\admin\AppData\Local\Temp\IXP003.TMP\2PO9885.exe
hE8Zq97.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226505
Modules
Images
c:\users\admin\appdata\local\temp\ixp003.tmp\2po9885.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1500"C:\WINDOWS\sysnative\cmd" /c "C:\Users\admin\AppData\Local\Temp\C58.tmp\C59.tmp\C5A.bat C:\Users\admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exe"C:\Windows\System32\cmd.exe5uR3lF9.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
1552"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe2PO9885.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET ClickOnce Launch Utility
Exit code:
1
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1732"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3472 --field-trial-handle=2376,i,10115467993412915605,17486988373416880348,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
2272"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2372 --field-trial-handle=2376,i,10115467993412915605,17486988373416880348,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
2484C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4680 -s 612C:\Windows\SysWOW64\WerFault.exe3FD62NB.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
3972"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3828 --field-trial-handle=2376,i,10115467993412915605,17486988373416880348,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
4128C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1396 -s 584C:\Windows\SysWOW64\WerFault.exe
2PO9885.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
8 692
Read events
8 692
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
277
Text files
59
Unknown types
1

Dropped files

PID
Process
Filename
Type
540WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_1Zn59od7.exe_317bf4fdddb0d3ad98b531274d3eab7c1afe03c_76adbf56_808c34ac-4f7e-4498-b9b9-f2ce633a9dbc\Report.wer
MD5:
SHA256:
4128WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_2PO9885.exe_3cc2f3b9fc7e60c55fd0dc6cef9ca96f26935_557ea383_27d4b6fd-8e70-4950-9451-30667452a940\Report.wer
MD5:
SHA256:
4868malicious.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exeexecutable
MD5:E0F8B21B36FEE4E7738A6B5A1AB83673
SHA256:C567D825D19E24343647ED36C77033FB1F46F420384745A9734618684CB7D384
6464hE8Zq97.exeC:\Users\admin\AppData\Local\Temp\IXP003.TMP\2PO9885.exeexecutable
MD5:144DC3C0A5275A93FF86F00B5C61B9EC
SHA256:179649325E561F83A53C5CBA99CD8F1F589064C8D0F2029FB8E06F61AE986787
1196Yt8ge85.exeC:\Users\admin\AppData\Local\Temp\IXP001.TMP\4Ii975UD.exeexecutable
MD5:CFBB3BE155B12D0CC69E3D932FBB81EB
SHA256:FD37C07F519F522EB717A372299525F667439B8B0D1AAFFB670A011DBBCD58F2
4868malicious.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\Yt8ge85.exeexecutable
MD5:847EE3021803E4ADAEFCC00AA8283017
SHA256:4611614D9C95B0D0E4BF4AA486CC700DB6E49DBEF7FA2726B20F165E6798A9F7
2484WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_3FD62NB.exe_d4978256db187df0d5ec759b8bdbdf197637c711_a9de4905_d83e4fd5-87ec-4319-8375-d206b7392804\Report.wer
MD5:
SHA256:
540WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERBE1A.tmp.WERInternalMetadata.xmlxml
MD5:DB62C4367C03EBFC363AF53CD8CD5CED
SHA256:F8FAFBA9E0B2826D008DF7004C921CBC152A0B1EBEBFA4C4A084DD95AACA3CCB
4348GY4IC43.exeC:\Users\admin\AppData\Local\Temp\IXP002.TMP\3FD62NB.exeexecutable
MD5:7D377F5E1BA6597FF2CFE4F92639367D
SHA256:C705EFD2888DFBEDE96714B58AEDE50A28B3DA45ABA83A909CB104CE34DC735E
1196Yt8ge85.exeC:\Users\admin\AppData\Local\Temp\IXP001.TMP\GY4IC43.exeexecutable
MD5:252043D1805587B0E65A07F885D6719E
SHA256:66839BC22B9C9F717198CF8FAA64146FE95DFF51DFBB8C0F61982F2E50E89557
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
109
DNS requests
90
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
540
WerFault.exe
GET
200
184.24.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
692
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
540
WerFault.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.16.164.83:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4836
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4360
SearchApp.exe
104.126.37.130:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
540
WerFault.exe
20.42.73.29:443
watson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
540
WerFault.exe
184.24.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
540
WerFault.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.44.239.154
  • 51.104.136.2
whitelisted
www.bing.com
  • 104.126.37.130
  • 104.126.37.155
  • 104.126.37.139
  • 104.126.37.128
  • 104.126.37.137
  • 104.126.37.136
  • 104.126.37.152
  • 104.126.37.131
  • 104.126.37.153
  • 104.126.37.144
  • 104.126.37.123
  • 104.126.37.146
  • 104.126.37.179
  • 104.126.37.184
  • 104.126.37.186
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
google.com
  • 142.250.185.142
whitelisted
watson.events.data.microsoft.com
  • 20.42.73.29
  • 20.189.173.22
whitelisted
crl.microsoft.com
  • 184.24.77.37
  • 184.24.77.35
  • 2.16.164.83
  • 2.16.164.99
  • 2.16.164.113
  • 2.16.164.107
  • 2.16.164.98
  • 2.16.164.96
  • 2.16.164.91
  • 2.16.164.106
  • 2.16.164.114
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
whitelisted
login.live.com
  • 20.190.159.75
  • 40.126.31.71
  • 20.190.159.23
  • 20.190.159.73
  • 40.126.31.73
  • 20.190.159.4
  • 20.190.159.0
  • 20.190.159.68
whitelisted
th.bing.com
  • 104.126.37.179
  • 104.126.37.137
  • 104.126.37.184
  • 104.126.37.144
  • 104.126.37.130
  • 104.126.37.128
  • 104.126.37.131
  • 104.126.37.123
  • 104.126.37.186
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
malicious.exe