File name:

5723793f48e3688ef7417f0f1cd7d76ae5635782e6b3f21a5b6937c7bfa6e583.bin

Full analysis: https://app.any.run/tasks/c606f7da-40b0-4741-bd20-73145a9f6b5d
Verdict: Malicious activity
Analysis date: April 15, 2025, 17:53:56
OS: Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

CD60623FF3AAA18F0F133AC52CD2994B

SHA1:

2238A3306BADB1B80C6F04B272C4CE1F6E4356B5

SHA256:

5723793F48E3688EF7417F0F1CD7D76AE5635782E6B3F21A5B6937C7BFA6E583

SSDEEP:

3072:fAUXrUFJugKZudJ86w5IxyUIefCnon6FGM+F74S7:IUbUeqdJ8zGxyuCnp1S7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 5723793f48e3688ef7417f0f1cd7d76ae5635782e6b3f21a5b6937c7bfa6e583.bin.exe (PID: 1708)
  • SUSPICIOUS

    • Executes application which crashes

      • 5723793f48e3688ef7417f0f1cd7d76ae5635782e6b3f21a5b6937c7bfa6e583.bin.exe (PID: 1708)
    • Reads the Internet Settings

      • WerFault.exe (PID: 4596)
  • INFO

    • Checks supported languages

      • 5723793f48e3688ef7417f0f1cd7d76ae5635782e6b3f21a5b6937c7bfa6e583.bin.exe (PID: 1708)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 4596)
    • Checks proxy server information

      • WerFault.exe (PID: 4596)
    • Reads the software policy settings

      • WerFault.exe (PID: 4596)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:17 14:10:40+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 7680
InitializedDataSize: 95744
UninitializedDataSize: -
EntryPoint: 0x1140
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
115
Monitored processes
3
Malicious processes
0
Suspicious processes
1

Behavior graph

Processes in graph: start → 5723793f48e3688ef7417f0f1cd7d76ae5635782e6b3f21a5b6937c7bfa6e583.bin.exe, werfault.exe, dllhost.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1708
CMD:
"C:\Users\admin\Desktop\5723793f48e3688ef7417f0f1cd7d76ae5635782e6b3f21a5b6937c7bfa6e583.bin.exe"
Path:
C:\Users\admin\Desktop\5723793f48e3688ef7417f0f1cd7d76ae5635782e6b3f21a5b6937c7bfa6e583.bin.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\5723793f48e3688ef7417f0f1cd7d76ae5635782e6b3f21a5b6937c7bfa6e583.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID:
2840
CMD:
"C:\Windows\system32\DllHost.exe" /Processid:{B41DB860-64E4-11D2-9906-E49FADC173CA}
Path:
C:\Windows\System32\dllhost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
4596
CMD:
C:\Windows\system32\WerFault.exe -u -p 1708 -s 216
Path:
C:\Windows\System32\WerFault.exe
Parent process:
5723793f48e3688ef7417f0f1cd7d76ae5635782e6b3f21a5b6937c7bfa6e583.bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.22000.348 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events
3 098
Read events
3 098
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
1
Unknown types
0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4596 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_5723793f48e3688e_9fd2bbce996079c4a9f1fdcda61671e62ae1e53_a0007d22_f6e59ed0-8d8e-46c7-ab74-02fa83c788c8\Report.wer | (not given) | (not given) | (not given)
4596 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER.4c3c8b8c-0679-47e3-b8e9-a3f908886921.tmp.dmp | binary | D8C8EAC26853C881EE978F1D9A2D8D1B | 178C29B5C59F9167F65851DA654BF91173AFFAACEE79AA3BFDB60692F79D3224
4596 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER.6421d532-6014-42d5-9020-9eb7fb9da4d3.tmp.WERInternalMetadata.xml | binary | C92C10CAE57C963D09AC193312E1E327 | 77149BB161F0343A3B3DEB704E4602AE23F070298BB5966089AD642DAFFA8284
4596 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\5723793f48e3688ef7417f0f1cd7d76ae5635782e6b3f21a5b6937c7bfa6e583.bin.exe.1708.dmp | binary | AE81EC66940A2DD63E9B6C24E42C6D18 | 40ADFEFE7EA84C68C5B84B1558FF1198B33C6A675E79694C7F5E85D78EEABE85
4596 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER.59f66c28-3c98-40fd-8bbb-14c934d79d21.tmp.xml | xml | 32611E4B2CC45EA5D36B2EE02A60A67A | 9A9C6C1B9333189FBD5547D6439F3A7718323D22BD68457011F01B06D5A7025E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
33
DNS requests
29
Threats
1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3040 | smartscreen.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
3040 | smartscreen.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d0a596e17d8c3902 | unknown | whitelisted
1352 | svchost.exe | GET | 200 | 2.23.155.168:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | whitelisted
1784 | firefox.exe | POST | 200 | 184.24.77.62:80 | http://r11.o.lencr.org/ | unknown | whitelisted
1784 | firefox.exe | POST | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/ | unknown | whitelisted
3640 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1784 | firefox.exe | POST | 200 | 184.24.77.65:80 | http://r10.o.lencr.org/ | unknown | whitelisted
4012 | svchost.exe | POST | 403 | 23.218.210.69:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | whitelisted
4012 | svchost.exe | POST | 403 | 23.218.210.69:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | whitelisted
4012 | svchost.exe | POST | 403 | 23.218.210.69:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(not given) | (not given) | 52.109.32.97:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
5960 | OfficeC2RClient.exe | 52.109.32.97:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
5936 | rundll32.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3040 | smartscreen.exe | 48.209.144.71:443 | checkappexec.microsoft.com | (not given) | US | whitelisted
3040 | smartscreen.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted
3040 | smartscreen.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | unknown
4596 | WerFault.exe | 104.208.16.94:443 | umwatson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1352 | svchost.exe | 2.23.155.147:80 | (not given) | Akamai International B.V. | IT | unknown
5184 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1784 | firefox.exe | 34.149.100.209:443 | firefox.settings.services.mozilla.com | GOOGLE | US | whitelisted

DNS requests

Domain
IP
Reputation
officeclient.microsoft.com
  • 52.109.32.97
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 172.217.16.206
whitelisted
checkappexec.microsoft.com
  • 48.209.144.71
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
umwatson.events.data.microsoft.com
  • 104.208.16.94
whitelisted
incoming.telemetry.mozilla.org
  • 34.120.208.123
whitelisted
firefox.settings.services.mozilla.com
  • 34.149.100.209
whitelisted
prod.remote-settings.prod.webservices.mozgcp.net
  • 34.149.100.209
  • 2600:1901:0:c47c::
whitelisted

Threats

PID | Process | Class | Message
(not given) | (not given) | Misc activity | ET INFO Microsoft Connection Test
No debug info