File name:

M0dules.exe

Full analysis: https://app.any.run/tasks/fe2b67b3-b14d-4883-8367-626b8fccf487
Verdict: Malicious activity
Analysis date: August 18, 2024, 14:19:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

A731EFB425AE9CBE205502CB8612951A

SHA1:

D303F7E6FDA49A6EE9063646D00E67C425F618BE

SHA256:

4442B12455B315A30912760E44151FE646DCD91DD27E0E426D278AD198290CEE

SSDEEP:

6144:RoqbI/WKXYiC3yO69DCrL7seR5DkyQ1YvQTf4oNRbv9ue3pqvV:RosTyO6xCo45oZuWfRbVue3pqvV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • dw20.exe (PID: 7056)
      • dw20.exe (PID: 6368)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • M0dules.exe (PID: 6480)

    • Reads the date of Windows installation

      • dw20.exe (PID: 7056)
      • dw20.exe (PID: 6368)

  • INFO

    • Checks supported languages

      • M0dules.exe (PID: 6480)
      • dw20.exe (PID: 7056)
      • M0dules.exe (PID: 6260)
      • dw20.exe (PID: 6368)

    • Reads the computer name

      • M0dules.exe (PID: 6480)
      • dw20.exe (PID: 7056)
      • M0dules.exe (PID: 6260)
      • dw20.exe (PID: 6368)

    • Creates files in the program directory

      • dw20.exe (PID: 7056)
      • dw20.exe (PID: 6368)

    • Reads the machine GUID from the registry

      • dw20.exe (PID: 7056)
      • dw20.exe (PID: 6368)

    • Reads Environment values

      • dw20.exe (PID: 7056)
      • dw20.exe (PID: 6368)

    • Reads product name

      • dw20.exe (PID: 7056)
      • dw20.exe (PID: 6368)

    • Process checks computer location settings

      • dw20.exe (PID: 7056)
      • dw20.exe (PID: 6368)

    • Reads CPU info

      • dw20.exe (PID: 7056)
      • dw20.exe (PID: 6368)

    • Checks proxy server information

      • dw20.exe (PID: 7056)
      • dw20.exe (PID: 6368)

    • Reads the software policy settings

      • dw20.exe (PID: 7056)
      • dw20.exe (PID: 6368)

    • Manual execution by a user

      • M0dules.exe (PID: 6260)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2066:12:16 21:18:48+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 334336
InitializedDataSize: 102912
UninitializedDataSize: -
EntryPoint: 0x538be
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: m0dules
FileVersion: 1.0.0.0
InternalName: m0dules.exe
LegalCopyright: Copyright © 2022
LegalTrademarks: -
OriginalFileName: m0dules.exe
ProductName: m0dules
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
4
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start m0dules.exe no specs dw20.exe m0dules.exe no specs dw20.exe

Process information

PID
CMD
Path
Indicators
Parent process
6260"C:\Users\admin\Desktop\M0dules.exe" C:\Users\admin\Desktop\M0dules.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
m0dules
Exit code:
3762507597
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\m0dules.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6368dw20.exe -x -s 1052C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
M0dules.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Error Reporting Shim
Exit code:
0
Version:
2.0.50727.9149 (WinRelRS6.050727-9100)
Modules
Images
c:\windows\microsoft.net\framework64\v2.0.50727\dw20.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6480"C:\Users\admin\Desktop\M0dules.exe" C:\Users\admin\Desktop\M0dules.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
m0dules
Exit code:
3762507597
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\m0dules.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
7056dw20.exe -x -s 1080C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
M0dules.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Error Reporting Shim
Exit code:
0
Version:
2.0.50727.9149 (WinRelRS6.050727-9100)
Modules
Images
c:\windows\microsoft.net\framework64\v2.0.50727\dw20.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\msvcr80.dll
Total events
12 945
Read events
12 945
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
7056dw20.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_m0dules.exe_7c1f5debf91829f48fe3e73db1f9889ce5796b_00000000_301ba141-44d5-42de-81e4-9ad343f3d61f\Report.wer
MD5:
SHA256:
6368dw20.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_m0dules.exe_7c1f5debf91829f48fe3e73db1f9889ce5796b_00000000_a87a9853-8c49-40ba-9109-82f4c10f4c22\Report.wer
MD5:
SHA256:
6368dw20.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERDFCC.tmp.WERInternalMetadata.xmlxml
MD5:A900B03426E7FF1A94C71D2086BCB10B
SHA256:5AEF31CDB4ACD9F2E568E8E6BF9C48976CF71D0820E33529CD92972D4AF18DCE
6368dw20.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERDFED.tmp.xmlxml
MD5:AB0ECE24D3BD9B24E3A1CE6DC21B25C0
SHA256:70E3CFFCAC2753756DB229C3835DC5AB0E9B9DE739EA7F5A7920DA5F2C30EF93
7056dw20.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERAC98.tmp.xmlxml
MD5:FB042056ED2AA79FDB9A3B397068703F
SHA256:4DAFE958BB735139056B0CCBBD3555B3AD250E06EB599988927B87F9F947EE3A
7056dw20.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERAC59.tmp.WERInternalMetadata.xmlxml
MD5:03A12645AE080488CEF369A1F4E06C74
SHA256:B4C14AA22D12C7610743EBBB8741DD1C373547EB08851A047EEC03301F117293
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
16
DNS requests
7
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3888
svchost.exe
239.255.255.250:1900
whitelisted
5116
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
192.168.100.255:138
whitelisted
2272
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5116
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4324
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7056
dw20.exe
20.189.173.20:443
watson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
6368
dw20.exe
20.189.173.22:443
watson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.206
whitelisted
watson.events.data.microsoft.com
  • 20.189.173.20
  • 20.189.173.22
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
M0dules.exe