File name:

Autoruns64.exe

Full analysis: https://app.any.run/tasks/1554735d-942e-4e0c-b3ae-4ad2571821c2
Verdict: Malicious activity
Analysis date: August 28, 2024, 21:13:44
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

07F151495C65098FB635D3C95AAFC285

SHA1:

20A8A5BDF45F896FBCA70BCE4B99AFA2C7CB6F35

SHA256:

32E268B87130B7B24969718F81534BAFEC92985C2ECE6765A88C20C28C55BCA1

SSDEEP:

49152:KVDpiqIn08bZOinNQXF1OkwVw4uSOYj8noHd0Kdq6hYp:KVDpzIn08bvkF1nwVw4a96mp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • Autoruns64.exe (PID: 6808)

    • Reads security settings of Internet Explorer

      • Autoruns64.exe (PID: 6808)

    • Read startup parameters

      • Autoruns64.exe (PID: 6808)

    • Checks Windows Trust Settings

      • Autoruns64.exe (PID: 6808)

  • INFO

    • Checks supported languages

      • Autoruns64.exe (PID: 6808)

    • Reads product name

      • Autoruns64.exe (PID: 6808)

    • Reads Environment values

      • Autoruns64.exe (PID: 6808)

    • Reads the computer name

      • Autoruns64.exe (PID: 6808)

    • Reads the machine GUID from the registry

      • Autoruns64.exe (PID: 6808)

    • Reads Microsoft Office registry keys

      • Autoruns64.exe (PID: 6808)

    • Checks proxy server information

      • Autoruns64.exe (PID: 6808)

    • Creates files or folders in the user directory

      • Autoruns64.exe (PID: 6808)

    • Reads the software policy settings

      • Autoruns64.exe (PID: 6808)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:02:01 10:36:55+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.37
CodeSize: 854528
InitializedDataSize: 1164288
UninitializedDataSize: -
EntryPoint: 0x9d1b4
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 14.11.0.0
ProductVersionNumber: 14.11.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Sysinternals - www.sysinternals.com
FileDescription: Autostart program viewer
FileVersion: 14.11
InternalName: Sysinternals Autoruns
LegalCopyright: Copyright (C) 2002-2024 Mark Russinovich
OriginalFileName: autoruns.exe
ProductName: Sysinternals autoruns
ProductVersion: 14.11
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
121
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start autoruns64.exe

Process information

PID
CMD
Path
Indicators
Parent process
6808"C:\Users\admin\Desktop\Autoruns64.exe" C:\Users\admin\Desktop\Autoruns64.exe
explorer.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
MEDIUM
Description:
Autostart program viewer
Version:
14.11
Modules
Images
c:\users\admin\desktop\autoruns64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
42 441
Read events
42 387
Write events
54
Delete events
0

Modification events

(PID) Process:(6808) Autoruns64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Autoruns
Operation:writeName:EulaAccepted
Value:
1
(PID) Process:(6808) Autoruns64.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:@%SystemRoot%\System32\mswsock.dll,-60100
Value:
MSAFD Tcpip [TCP/IP]
(PID) Process:(6808) Autoruns64.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:@%SystemRoot%\System32\mswsock.dll,-60101
Value:
MSAFD Tcpip [UDP/IP]
(PID) Process:(6808) Autoruns64.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:@%SystemRoot%\System32\mswsock.dll,-60102
Value:
MSAFD Tcpip [RAW/IP]
(PID) Process:(6808) Autoruns64.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:@%SystemRoot%\System32\mswsock.dll,-60200
Value:
MSAFD Tcpip [TCP/IPv6]
(PID) Process:(6808) Autoruns64.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:@%SystemRoot%\System32\mswsock.dll,-60201
Value:
MSAFD Tcpip [UDP/IPv6]
(PID) Process:(6808) Autoruns64.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:@%SystemRoot%\System32\mswsock.dll,-60202
Value:
MSAFD Tcpip [RAW/IPv6]
(PID) Process:(6808) Autoruns64.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:@%SystemRoot%\System32\wshqos.dll,-100
Value:
RSVP TCPv6 Service Provider
(PID) Process:(6808) Autoruns64.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:@%SystemRoot%\System32\wshqos.dll,-101
Value:
RSVP TCP Service Provider
(PID) Process:(6808) Autoruns64.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:@%SystemRoot%\System32\wshqos.dll,-102
Value:
RSVP UDPv6 Service Provider
Executable files
0
Suspicious files
58
Text files
0
Unknown types
3

Dropped files

PID
Process
Filename
Type
6808Autoruns64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850binary
MD5:B3DB886B983929AA7B320A3E55BEDC0F
SHA256:9C6931331BEEF5D10989DBFE7F03B881629C5BEAA4DB37A6DDC0AC922E8FFA97
6808Autoruns64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0B8A20E1F3F4D73D52A19929F922C892binary
MD5:A27AA4863B3E97E612B536A3E62134AF
SHA256:E00AF06C9E22BDE57715AEAF6D0632FD81CF17CD59467E1892D5B9BB7B2E85FD
6808Autoruns64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850der
MD5:C7D1234376F3389D6C220F0DCF24341B
SHA256:F67F7E62B47D1C4D9059F9F01FF40D52044EE81F594C5B8C8925C254381061E5
6808Autoruns64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\45AE547469FB7137480E06153457A2DDbinary
MD5:26A84F25069F36DC40289084779E9496
SHA256:5FD4CEE68493F02B286F40EF52261FEF9CE2E0E760E85456DAA04CE671962E91
6808Autoruns64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\36AC0BE60E1243344AE145F746D881FEbinary
MD5:DDF4DE0DC1AC39C22F605957A1FE614B
SHA256:0ACF9791F2CBBF8330653DF8D90E760108DD7ED3B5DB03C4DE164BD5047E4D4A
6808Autoruns64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141binary
MD5:586BF632A6386C2F2556A9A42AAF080D
SHA256:ABDE858CC99EA908F10B9C704853B5F5EB1328EDE3CF14200DB4DD51E690D1D0
6808Autoruns64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\45AE547469FB7137480E06153457A2DDbinary
MD5:6B769DB3020C81D2E526159023B9859E
SHA256:1E929D06F06A034171AB4F6C015C97C8927E5FB43C6DA2FDE645AD16CAE7CDEF
6808Autoruns64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0B8A20E1F3F4D73D52A19929F922C892binary
MD5:0840F3C261E695105CD15C84EA85BEED
SHA256:F60632399A87485A7417DDF8B407DA66794C37347B3AA9E995EC389ECD091947
6808Autoruns64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4C7F163ED126D5C3CB9457F68EC64E9Eder
MD5:8A5425662455BB2E60040E1F9851BC65
SHA256:E5AF1F870B35108F22B2ADA888A24257D060A932B7FAD108917198E3040B8539
6808Autoruns64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBbinary
MD5:925A309A6EFCC71E5BC1D4F79863CC8D
SHA256:874A5840AFA3EB993167DA46B1C9FA096B179F7CD0F26685EABA37B95E9A6882
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
27
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6808
Autoruns64.exe
GET
200
23.32.238.112:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
6808
Autoruns64.exe
GET
200
23.32.238.112:80
http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl
unknown
whitelisted
6808
Autoruns64.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl%20
unknown
whitelisted
6808
Autoruns64.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl
unknown
whitelisted
6808
Autoruns64.exe
GET
200
23.32.238.112:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
6808
Autoruns64.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
6808
Autoruns64.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA0srM0%2BnuwGc4QQujG%2FZZU%3D
unknown
whitelisted
6808
Autoruns64.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D
unknown
whitelisted
6808
Autoruns64.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEARSlvj82CmnXclClPWkFaQ%3D
unknown
whitelisted
6808
Autoruns64.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
2120
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4760
RUXIMICS.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6880
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
6880
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4324
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6808
Autoruns64.exe
23.32.238.112:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6808
Autoruns64.exe
23.218.209.163:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6808
Autoruns64.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.110
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.32.238.112
  • 23.32.238.107
whitelisted
www.microsoft.com
  • 23.218.209.163
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.verisign.com
  • 192.229.221.95
whitelisted
ocsp.verisign.com
  • 152.199.19.74
whitelisted
csc3-2004-crl.verisign.com
whitelisted
ocsp2.globalsign.com
  • 104.18.20.226
  • 104.18.21.226
whitelisted
crl.globalsign.com
  • 104.18.20.226
  • 104.18.21.226
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Autoruns64.exe