File name:

Traffmonetizer.exe

Full analysis: https://app.any.run/tasks/abb815dd-1c12-4519-9b9c-34e51452f77d
Verdict: Malicious activity
Analysis date: December 24, 2024, 10:01:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

E13E53A6C9EFC83324751986AA7A5E79

SHA1:

B5AB0CA7D2D8D52D4F390CCEF67A8597E07AC456

SHA256:

317321B56E5A1C635E9AE107116A0594A649D9FA18F781CE7C6034D06AEF8770

SSDEEP:

12288:Cz/B4VHrCku2DJQVxVI/B4VHrK/B4VHr5jSp:CVku2DJexVzjSp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Traffmonetizer.exe (PID: 6168)

  • SUSPICIOUS

    • Executes application which crashes

      • Traffmonetizer.exe (PID: 6168)

  • INFO

    • Reads the computer name

      • Traffmonetizer.exe (PID: 6168)

    • Reads the software policy settings

      • WerFault.exe (PID: 6344)

    • Checks supported languages

      • Traffmonetizer.exe (PID: 6168)

    • Checks proxy server information

      • WerFault.exe (PID: 6344)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6344)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2052:10:16 08:48:17+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 518144
InitializedDataSize: 167936
UninitializedDataSize: -
EntryPoint: 0x80602
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.1.3.40
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Bytemarket
FileDescription: Traffmonetizer
FileVersion: 1.1.3.40
InternalName: Traffmonetizer.exe
LegalCopyright:
OriginalFileName: Traffmonetizer.exe
ProductName: Traffmonetizer
ProductVersion: 1.0.0+5464b4427fd8c142974ee95561ce242497618214
AssemblyVersion: 1.1.3.40
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
2
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start traffmonetizer.exe werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
6168"C:\Users\admin\AppData\Local\Temp\Traffmonetizer.exe" C:\Users\admin\AppData\Local\Temp\Traffmonetizer.exe
explorer.exe
User:
admin
Company:
Bytemarket
Integrity Level:
MEDIUM
Description:
Traffmonetizer
Exit code:
3762504530
Version:
1.1.3.40
Modules
Images
c:\users\admin\appdata\local\temp\traffmonetizer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
6344C:\WINDOWS\system32\WerFault.exe -u -p 6168 -s 800C:\Windows\System32\WerFault.exe
Traffmonetizer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
Total events
3 281
Read events
3 281
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
5
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
6344WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Traffmonetizer.e_54dbfa0b35e95b2cd8e8487b6cac96a62d6694_c5ead90a_d51acc7a-731d-454f-b178-1e0dd106873e\Report.wer
MD5:
SHA256:
6344WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\Traffmonetizer.exe.6168.dmp
MD5:
SHA256:
6344WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER575B.tmp.WERInternalMetadata.xmlxml
MD5:E014781BDA1D08141C5FA51DFAA10A15
SHA256:C82A14DE3C1B76131BB17190DA371769B7E3868AD86F8C240EDFAB721346E7FF
6344WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785der
MD5:F6F53CD09A41E968C363419B279D3112
SHA256:6D2BB01CC7A9BADE2113B219CAC1BDA86B2733196B7E1BD0C807CE1E396B1892
6344WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FEbinary
MD5:86534E6F457BB914A71D0FDC635CCEFC
SHA256:C957FBC29CF23D1BF4687145D2BF68CC8C15B080DA78A918A2C119E89A34BD8A
6344WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785binary
MD5:4FF66E78B53AC047A5760DE3274FC968
SHA256:66C6866C5F84F55D57F9630520291F85637D9E8BE1CBD0923CD6A5DC3F381661
6344WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FEbinary
MD5:FA84E4BCC92AA5DB735AB50711040CDE
SHA256:6D7205E794FDE4219A62D9692ECDDF612663A5CF20399E79BE87B851FCA4CA33
6344WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER55E3.tmp.dmpbinary
MD5:1C2928F0B5521829B6FE6380EE214458
SHA256:645F5A381112D2D6947FAF6EDBA0E67668585F3CF5BAF349E80921656CBD6828
6344WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER578B.tmp.xmlxml
MD5:AB7B113D6704100BC6F8C220912841EA
SHA256:B37D7287F511F5456C4893B55E8F1C30A0B2EE2B6473299CAC418B378046FF52
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
34
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
1.01 Kb
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
US
binary
314 b
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
binary
471 b
whitelisted
6344
WerFault.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
1.01 Kb
whitelisted
6344
WerFault.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
6436
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
US
binary
471 b
whitelisted
6436
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
US
binary
471 b
whitelisted
6176
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
DE
binary
418 b
whitelisted
6176
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
DE
binary
408 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
2.23.209.150:443
www.bing.com
Akamai International B.V.
GB
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1076
svchost.exe
184.28.89.167:443
go.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.11.168.232
whitelisted
google.com
  • 172.217.16.142
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
www.bing.com
  • 2.23.209.150
  • 2.23.209.177
  • 2.23.209.160
  • 2.23.209.158
  • 2.23.209.179
  • 2.23.209.148
  • 2.23.209.149
  • 2.23.209.176
  • 2.23.209.182
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.64
  • 40.126.31.67
  • 40.126.31.71
  • 20.190.159.71
  • 20.190.159.0
  • 20.190.159.75
  • 20.190.159.23
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
watson.events.data.microsoft.com
  • 20.189.173.22
whitelisted
arc.msn.com
  • 20.86.201.138
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Traffmonetizer.exe