File name: VirusShare_5d6a5c35d185e72516897330c2714060.exe

Full analysis: https://app.any.run/tasks/fe3f9d04-23da-4d29-a47e-7a9ebf6ed793
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software designed to gain unauthorized access to users' information and transfer it to the attacker. The stealer category covers a range of programs, each focused on its own kind of data: files, passwords, or cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is distributed mainly through phishing campaigns.

Analysis date: July 11, 2025, 20:50:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: evasion, socelars, stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: 5D6A5C35D185E72516897330C2714060
SHA1: C7E5AD93F0543B0AE92C9CBF2BF847F04AA59439
SHA256: 261C68610E3D936C814C45DAB37060C7745DB505DFF46A561EBF84C7B2B8E75E
SSDEEP: 49152:iAoZMF3ipS7mTCjd3vVNQmt2uhvjdJYL58yrYOlPMLNdou4FCQjhpO:iATFSPQPNQmt2uhvjdeL58tLk/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • SOCELARS mutex has been found

      • VirusShare_5d6a5c35d185e72516897330c2714060.exe (PID: 5528)
    • Known privilege escalation attack

      • dllhost.exe (PID: 2716)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • VirusShare_5d6a5c35d185e72516897330c2714060.exe (PID: 5528)
    • Executes application which crashes

      • VirusShare_5d6a5c35d185e72516897330c2714060.exe (PID: 5528)
    • Checks for external IP

      • svchost.exe (PID: 2200)
      • VirusShare_5d6a5c35d185e72516897330c2714060.exe (PID: 5528)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2200)
      • VirusShare_5d6a5c35d185e72516897330c2714060.exe (PID: 5528)
  • INFO

    • The sample is compiled with English language support

      • VirusShare_5d6a5c35d185e72516897330c2714060.exe (PID: 6104)
    • Checks supported languages

      • VirusShare_5d6a5c35d185e72516897330c2714060.exe (PID: 6104)
      • VirusShare_5d6a5c35d185e72516897330c2714060.exe (PID: 5528)
    • Reads the computer name

      • VirusShare_5d6a5c35d185e72516897330c2714060.exe (PID: 6104)
      • VirusShare_5d6a5c35d185e72516897330c2714060.exe (PID: 5528)
    • Reads the machine GUID from the registry

      • VirusShare_5d6a5c35d185e72516897330c2714060.exe (PID: 6104)
      • VirusShare_5d6a5c35d185e72516897330c2714060.exe (PID: 5528)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 2716)
    • Checks proxy server information

      • VirusShare_5d6a5c35d185e72516897330c2714060.exe (PID: 5528)
      • WerFault.exe (PID: 4528)
      • slui.exe (PID: 2272)
    • Reads the software policy settings

      • VirusShare_5d6a5c35d185e72516897330c2714060.exe (PID: 5528)
      • WerFault.exe (PID: 4528)
      • slui.exe (PID: 2272)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 4528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:11:02 09:46:49+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.28
CodeSize: 1145344
InitializedDataSize: 395264
UninitializedDataSize: -
EntryPoint: 0xe5eb3
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 1.0.0.1
LegalCopyright: Copyright (C) 2019
ProductVersion: 1.0.0.1
No data.
All screenshots are available in the full report
Total processes: 142
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes (in the order shown): start, virusshare_5d6a5c35d185e72516897330c2714060.exe (no specs), CMSTPLUA, #SOCELARS virusshare_5d6a5c35d185e72516897330c2714060.exe, svchost.exe, werfault.exe, slui.exe

Process information

PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 2272
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 2716
CMD: C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path: C:\Windows\SysWOW64\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll

PID: 4528
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5528 -s 1308
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: VirusShare_5d6a5c35d185e72516897330c2714060.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID: 5528
CMD: "C:\Users\admin\Desktop\VirusShare_5d6a5c35d185e72516897330c2714060.exe"
Path: C:\Users\admin\Desktop\VirusShare_5d6a5c35d185e72516897330c2714060.exe
Parent process: dllhost.exe
User: admin
Integrity Level: HIGH
Exit code: 3221226505
Version: 1.0.0.1
Modules (images):
c:\users\admin\desktop\virusshare_5d6a5c35d185e72516897330c2714060.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

PID: 6104
CMD: "C:\Users\admin\Desktop\VirusShare_5d6a5c35d185e72516897330c2714060.exe"
Path: C:\Users\admin\Desktop\VirusShare_5d6a5c35d185e72516897330c2714060.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.1
Modules (images):
c:\users\admin\desktop\virusshare_5d6a5c35d185e72516897330c2714060.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 13 353
Read events: 13 345
Write events: 5
Delete events: 3

Modification events

(PID) Process: (4528) WerFault.exe
Key: \REGISTRY\A\{31096e31-2c90-a7d9-32af-e51bc69ea396}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

(PID) Process: (4528) WerFault.exe
Key: \REGISTRY\A\{31096e31-2c90-a7d9-32af-e51bc69ea396}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value: -

(PID) Process: (4528) WerFault.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Operation: write
Name: ClockTimeSeconds
Value: 3679716800000000

(PID) Process: (4528) WerFault.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Operation: write
Name: TickCount
Value: 2A76170000000000
Executable files: 0
Suspicious files: 0
Text files: 2
Unknown types: 3

Dropped files

PID: 4528
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_VirusShare_5d6a5_c6a05dc87332263650d6a7ee8789bb54ccaadce_9c493d80_bf6baa10-14ab-42d6-b20e-c6096f183035\Report.wer
Type: -
MD5: -
SHA256: -

PID: 4528
Process: WerFault.exe
Filename: C:\Windows\appcompat\Programs\Amcache.hve
Type: hiv
MD5: 556E8BAB1BE3B048EF99BC9B499164CB
SHA256: E9988C374AB0D24F6E4AA6759E021C9CE1FA289814511353127367E566952DF1

PID: 4528
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7551.tmp.xml
Type: xml
MD5: 7B4D9B2C60E5E90F61F9EA253BF65DF0
SHA256: 740874DF8709790D63C2791BBFEE89A05A49F5111507AD0BD565977E8F1422EF

PID: 4528
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7474.tmp.dmp
Type: dmp
MD5: 80FE706C8B10EF388EBDFE094A6BA819
SHA256: 62A1551E6669CF7F13E407D5A0ECD17044FF8463880759ACC2E756398119BF5C

PID: 4528
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7531.tmp.WERInternalMetadata.xml
Type: xml
MD5: 2158CC21B8D4B7CC7C2881628ECE6DEF
SHA256: C1EC0B079E7A7400AC39F59091055F201D583DDC3B0002644CF4B38C86D7E151

PID: 4528
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\VirusShare_5d6a5c35d185e72516897330c2714060.exe.5528.dmp
Type: dmp
MD5: 9C6F6DD36D6E5098F23126397007F51B
SHA256: 482F0C35000A92AC9F9E036ACC7AA02A83F7E1DF4E3384204A63883D384B36FC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 41
TCP/UDP connections: 58
DNS requests: 26
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5504 | RUXIMICS.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5504 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
5980 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
5980 | SIHClient.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.159.129:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5504 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5504 | RUXIMICS.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
1268 | svchost.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5504 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.124.78.146, 51.104.136.2, 4.231.128.59 | whitelisted
google.com | 142.250.186.78 | whitelisted
crl.microsoft.com | 2.16.168.124, 2.16.168.114, 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 95.101.149.131, 69.192.161.161 | whitelisted
www.listincode.com | - | whitelisted
iplogger.org | 104.26.3.46, 172.67.74.161, 104.26.2.46 | whitelisted
login.live.com | 20.190.159.128, 40.126.31.128, 40.126.31.131, 20.190.159.2, 40.126.31.69, 40.126.31.1, 20.190.159.23, 20.190.159.64 | whitelisted
watson.events.data.microsoft.com | 13.92.180.205 | whitelisted
nexusrules.officeapps.live.com | 52.111.229.19 | whitelisted
slscr.update.microsoft.com | 4.245.163.56 | whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | Potential Corporate Privacy Violation | ET INFO IP Check Domain (iplogger .org in DNS Lookup)
5528 | VirusShare_5d6a5c35d185e72516897330c2714060.exe | Potential Corporate Privacy Violation | ET INFO IP Check Domain (iplogger .org in TLS SNI)
No debug info