| File name: | consolidate.exe |
| Full analysis: | https://app.any.run/tasks/5b610559-9753-46c7-86d9-612787784ed8 |
| Verdict: | Malicious activity |
| Analysis date: | April 05, 2025, 00:26:05 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | 85809FBCA4E485A3B2D6D4D2FAEF920B |
| SHA1: | 7BEADF39AF26242EFB43B72A0C360346CAEECA83 |
| SHA256: | 3D97B2E89A829AAC668F27FF94F89FB7AB6CA4F157E88A8B02DF38F648FF99F1 |
| SSDEEP: | 98304:5s0Tfr2Q36su1AAn8cWwDWSNcZVEDVIv1v1QwG/zS9P2OilThxVPpIG613z0wLU8:J9r+dFrSoHHB2OxAJds3857ZZKF7aIy |
MALICIOUS
No malicious indicators.SUSPICIOUS
There is functionality for taking screenshot (YARA)
- consolidate.exe (PID: 5064)
Executable content was dropped or overwritten
- consolidate.exe (PID: 5064)
Executes application which crashes
- consolidate.exe (PID: 5064)
The process checks if it is being run in the virtual environment
- Aac3572MbHal.exe (PID: 1056)
INFO
Reads the machine GUID from the registry
- consolidate.exe (PID: 5064)
Reads the software policy settings
- consolidate.exe (PID: 5064)
- slui.exe (PID: 5720)
The sample compiled with english language support
- consolidate.exe (PID: 5064)
Checks supported languages
- consolidate.exe (PID: 5064)
- Aac3572MbHal.exe (PID: 1056)
Reads the computer name
- consolidate.exe (PID: 5064)
- Aac3572MbHal.exe (PID: 1056)
Creates files or folders in the user directory
- WerFault.exe (PID: 2240)
- WerFault.exe (PID: 7152)
Create files in a temporary directory
- consolidate.exe (PID: 5064)
Checks proxy server information
- slui.exe (PID: 5720)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:10:18 21:08:36+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.16 |
| CodeSize: | 5316096 |
| InitializedDataSize: | 7612416 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x30ec2f |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 8.1.8325.0 |
| ProductVersionNumber: | 8.1.8325.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | Paramount Software UK Ltd |
| FileDescription: | Macrium Reflect image consolidation tool |
| FileVersion: | 8, 1, 8325, 0 |
| InternalName: | consolidate.exe |
| LegalCopyright: | Copyright (C) 2024 Paramount Software UK Ltd |
| OriginalFileName: | consolidate.exe |
| ProductName: | Disk restore |
| ProductVersion: | 8, 1, 8325, 0 |
Total processes
134
Monitored processes
7
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1056 | C:\Users\admin\AppData\Local\Temp\81102\Aac3572MbHal.exe | C:\Users\admin\AppData\Local\Temp\81102\Aac3572MbHal.exe | — | consolidate.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 2240 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5064 -s 1416 | C:\Windows\SysWOW64\WerFault.exe | — | consolidate.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4208 | C:\WINDOWS\SysWOW64\gpupdate.exe | C:\Windows\SysWOW64\gpupdate.exe | — | consolidate.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Group Policy Update Utility Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5064 | "C:\Users\admin\Desktop\consolidate.exe" | C:\Users\admin\Desktop\consolidate.exe | explorer.exe | ||||||||||||
User: admin Company: Paramount Software UK Ltd Integrity Level: MEDIUM Description: Macrium Reflect image consolidation tool Exit code: 1 Version: 8, 1, 8325, 0 Modules
| |||||||||||||||
| 5720 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6988 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | gpupdate.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7152 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5064 -s 732 | C:\Windows\SysWOW64\WerFault.exe | — | consolidate.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
10 529
Read events
10 529
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
8
Text files
3
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5064 | consolidate.exe | C:\Users\admin\AppData\Local\Temp\jmaxyogwnyntax | — | |
MD5:— | SHA256:— | |||
| 7152 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_consolidate.exe_e8de21d38aa8c9738b265047bef551b0dd6533f_6768a237_031529b6-3c93-42e8-8c6f-5a7d72faec6c\Report.wer | — | |
MD5:— | SHA256:— | |||
| 2240 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_consolidate.exe_89be8e3bc9ee4af020e02b7ffafa998647aeb96f_6768a237_a45db4f7-e0c7-4031-9dc9-ebcaa5981736\Report.wer | — | |
MD5:— | SHA256:— | |||
| 5064 | consolidate.exe | C:\Users\admin\AppData\Local\Temp\ec1ee088 | image | |
MD5:B27FB1197F31B1E8E8B7897763A0C7BB | SHA256:C3EAABF0CEE57144B88EDC2DA0F2DCE82DDD7819536BD0906FC8CEB0E1B847D1 | |||
| 5064 | consolidate.exe | C:\Users\admin\AppData\Local\Temp\81102\Aac3572MbHal.exe | executable | |
MD5:AE79B9B54539EE8E995121B2A34DE737 | SHA256:A72CC6D5D3A6A1CC362D71EEFBC35E72E9AC31439885904270CCD74F9197A04E | |||
| 7152 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER49E9.tmp.xml | xml | |
MD5:958E5AFA12CE9484D9995BC8C2607FDA | SHA256:E84B7EC1FEB415FC582CDF00FD4DF0A2549EA5B502944B33919DB443C1157BB5 | |||
| 5064 | consolidate.exe | C:\Users\admin\AppData\Local\Temp\ec66f8c6 | binary | |
MD5:BA991E236330313A8D1271564CBFDBF4 | SHA256:634B0CB4AA23FA28D73D7DB4977AB78738EB77AF001CA68AA1AFD1147E90B3F5 | |||
| 7152 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER49A9.tmp.WERInternalMetadata.xml | binary | |
MD5:569A5C20E04CEC3AC100C88392DFD08D | SHA256:7EE080836BC8F1754947B251DC99957347FFFBF8E8DB100AFB7B050ED400E9C1 | |||
| 2240 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D61.tmp.dmp | binary | |
MD5:1DE50DDE1EA1B3B2A668B57636997C13 | SHA256:08D52BD7D5FAC1CB6066E259986931E5BB45D06F0348119EA5F47F54F235BE20 | |||
| 2240 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\consolidate.exe(1).5064.dmp | binary | |
MD5:60CE0326983D21831F74450BF278D509 | SHA256:72C3B33C29214C4E36A90935E92BD47E0DA075C15E02AEC55B2DED378D769102 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
23
DNS requests
5
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2104 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3812 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
3156 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5720 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |