File name: 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe
Full analysis: https://app.any.run/tasks/56ce904a-2fc5-4d31-9ff2-5d416b032d73
Verdict: Malicious activity
Threats:

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Analysis date: May 19, 2024, 12:54:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer, stealc
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 347044F36D5C438D45D1E1A19333BFC4
SHA1: 7879A5CD293ACBFA57CD81D6417FC7D1FFD4D5C2
SHA256: 5CE986AA91B63B877B80363406C71947E6CAC66D4D8A77D4F9CA2C87B15F70C5
SSDEEP: 6144:eEEeszYh8Zin6cvvBUXpm161SYFsXbyrtZngDyeHcDV/VC0ATUjS4I8LVVN:e0wY6ZinNved57V/VvVVN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • powershell.exe (PID: 3808)
    • STEALC has been detected (YARA)
      • 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe (PID: 1752)
  • SUSPICIOUS
    • Executes application which crashes
      • 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe (PID: 1752)
    • Reads security settings of Internet Explorer
      • 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe (PID: 1752)
    • Connects to the server without a host name
      • 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe (PID: 1752)
    • Windows Defender mutex has been found
      • 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe (PID: 1752)
  • INFO
    • Checks supported languages
      • 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe (PID: 1752)
    • Checks proxy server information
      • 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe (PID: 1752)
      • WerFault.exe (PID: 5032)
    • Reads the computer name
      • 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe (PID: 1752)
    • Creates files or folders in the user directory
      • WerFault.exe (PID: 5032)
    • Reads the software policy settings
      • WerFault.exe (PID: 5032)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Stealc

(PID) Process: (1752) 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe
C2: 185.172.128.170
Strings (351):
INSERT_KEY_HERE
27
05
20
24
GetProcAddress
LoadLibraryA
lstrcatA
OpenEventA
CreateEventA
CloseHandle
Sleep
GetUserDefaultLangID
VirtualAllocExNuma
VirtualFree
GetSystemInfo
VirtualAlloc
HeapAlloc
GetComputerNameA
lstrcpyA
GetProcessHeap
GetCurrentProcess
lstrlenA
ExitProcess
GlobalMemoryStatusEx
GetSystemTime
SystemTimeToFileTime
advapi32.dll
gdi32.dll
user32.dll
crypt32.dll
ntdll.dll
GetUserNameA
CreateDCA
GetDeviceCaps
ReleaseDC
CryptStringToBinaryA
sscanf
VMwareVMware
HAL9TH
JohnDoe
DISPLAY
%hu/%hu/%hu
http://185.172.128.170
/7043a0c6a68d9c65.php
/8420e83ceb95f3af/
default11
GetEnvironmentVariableA
GetFileAttributesA
GlobalLock
HeapFree
GetFileSize
GlobalSize
CreateToolhelp32Snapshot
IsWow64Process
Process32Next
GetLocalTime
FreeLibrary
GetTimeZoneInformation
GetSystemPowerStatus
GetVolumeInformationA
GetWindowsDirectoryA
Process32First
GetLocaleInfoA
GetUserDefaultLocaleName
GetModuleFileNameA
DeleteFileA
FindNextFileA
LocalFree
FindClose
SetEnvironmentVariableA
LocalAlloc
GetFileSizeEx
ReadFile
SetFilePointer
WriteFile
CreateFileA
FindFirstFileA
CopyFileA
VirtualProtect
GetLogicalProcessorInformationEx
GetLastError
lstrcpynA
MultiByteToWideChar
GlobalFree
WideCharToMultiByte
GlobalAlloc
OpenProcess
TerminateProcess
GetCurrentProcessId
gdiplus.dll
ole32.dll
bcrypt.dll
wininet.dll
shlwapi.dll
shell32.dll
psapi.dll
rstrtmgr.dll
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
CreateCompatibleDC
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdiplusStartup
GdiplusShutdown
GdipSaveImageToStream
GdipDisposeImage
GdipFree
GetHGlobalFromStream
CreateStreamOnHGlobal
CoUninitialize
CoInitialize
CoCreateInstance
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptOpenAlgorithmProvider
GetWindowRect
GetDesktopWindow
GetDC
CloseWindow
wsprintfA
EnumDisplayDevicesA
GetKeyboardLayoutList
CharToOemW
wsprintfW
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegCloseKey
RegEnumValueA
CryptBinaryToStringA
CryptUnprotectData
SHGetFolderPathA
ShellExecuteExA
InternetOpenUrlA
InternetConnectA
InternetCloseHandle
InternetOpenA
HttpSendRequestA
HttpOpenRequestA
InternetReadFile
InternetCrackUrlA
StrCmpCA
StrStrA
StrCmpCW
PathMatchSpecA
GetModuleFileNameExA
RmStartSession
RmRegisterResources
RmGetList
RmEndSession
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
PATH
C:\ProgramData\nss3.dll
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
C:\ProgramData\
SELECT origin_url, username_value, password_value FROM logins
browser:
profile:
url:
login:
password:
Opera
OperaGX
Network
cookies
.txt
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
TRUE
FALSE
autofill
SELECT name, value FROM autofill
history
SELECT url FROM urls LIMIT 1000
cc
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
name:
month:
year:
card:
Cookies
Login Data
Web Data
History
logins.json
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places LIMIT 1000
cookies.sqlite
formhistory.sqlite
places.sqlite
plugins
Local Extension Settings
Sync Extension Settings
IndexedDB
Opera Stable
Opera GX Stable
CURRENT
chrome-extension_
_0.indexeddb.leveldb
Local State
profiles.ini
chrome
opera
firefox
wallets
%08lX%04lX%lu
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
x32
x64
%d/%d/%d %d:%d:%d
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
DisplayVersion
Network Info:
- IP: IP?
- Country: ISO?
System Summary:
- HWID:
- OS:
- Architecture:
- UserName:
- Computer Name:
- Local Time:
- UTC:
- Language:
- Keyboards:
- Laptop:
- Running Path:
- CPU:
- Threads:
- Cores:
- RAM:
- Display Resolution:
- GPU:
User Agents:
Installed Apps:
All Users:
Current User:
Process List:
system_info.txt
freebl3.dll
mozglue.dll
msvcp140.dll
nss3.dll
softokn3.dll
vcruntime140.dll
\Temp\
.exe
runas
open
/c start
%DESKTOP%
%APPDATA%
%LOCALAPPDATA%
%USERPROFILE%
%DOCUMENTS%
%PROGRAMFILES%
%PROGRAMFILES_86%
%RECENT%
*.lnk
files
\discord\
\Local Storage\leveldb\CURRENT
\Local Storage\leveldb
\Telegram Desktop\
key_datas
D877F783D5D3EF8C*
map*
A7FDF864FBC10B77*
A92DAA6EA6F891F2*
F8806DD0C461824F*
Telegram
Tox
*.tox
*.ini
Password
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
00000001
00000002
00000003
00000004
\Outlook\accounts.txt
Pidgin
\.purple\
accounts.xml
dQw4w9WgXcQ
token:
Software\Valve\Steam
SteamPath
\config\
ssfn*
config.vdf
DialogConfig.vdf
DialogConfigOverlay*.vdf
libraryfolders.vdf
loginusers.vdf
\Steam\
sqlite3.dll
browsers
done
soft
\Discord\tokens.txt
/c timeout /t 5 & del /f /q "
" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\system32\cmd.exe
https
Content-Type: multipart/form-data; boundary=----
POST
HTTP/1.1
Content-Disposition: form-data; name="
hwid
build
token
file_name
file
message
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
screenshot.jpg
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (46.3)
.exe | Win64 Executable (generic) (41)
.exe | Win32 Executable (generic) (6.6)
.exe | Generic Win/DOS Executable (2.9)
.exe | DOS Executable Generic (2.9)

EXIF

EXE

FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: Debug, Pre-release, Patched, Private build, Special build
FileFlagsMask: 0x003f
ProductVersionNumber: 24.0.0.0
FileVersionNumber: 68.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x1602
UninitializedDataSize: -
InitializedDataSize: 32808448
CodeSize: 37376
LinkerVersion: 9
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, 32-bit
TimeStamp: 2022:12:26 03:22:29+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 123
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in graph: start, powershell.exe (no specs), conhost.exe (no specs), #STEALC 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe, werfault.exe, filecoauth.exe (no specs)

Process information

PID: 3808
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Minimized -Command "Start-Process C:\Users\admin\Desktop\5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe -Verb runas ; echo 'Started the file with administrator privileges, this is not part of the sample!' ; exit 0
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 3640
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1752
CMD: "C:\Users\admin\Desktop\5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe"
Path: C:\Users\admin\Desktop\5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe
Parent process: powershell.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225477
Modules (Images):
c:\users\admin\desktop\5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5032
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1752 -s 1236
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID: 3244
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDriveFile Co-Authoring Executable
Exit code: 0
Version: 19.043.0304.0013
Modules (Images):
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Total events: 15 384
Read events: 15 357
Write events: 24
Delete events: 3

Modification events

(PID) Process: (3808) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3808) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3808) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3808) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (1752) 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (1752) 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1752) 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1752) 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1752) 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (1752) 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1
Executable files: 0
Suspicious files: 8
Text files: 4
Unknown types: 0

Dropped files

PID: 3808 | Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5:
SHA256:

PID: 5032 | Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_5ce986aa91b63b87_89d98c7c9a4c9d6e58cd5394efb58833d3ba4_55d8319c_ca2f7c5e-47cd-4726-a44f-e8bda33eef42\Report.wer
MD5:
SHA256:

PID: 5032 | Process: WerFault.exe | Type: binary
Filename: C:\WINDOWS\AppCompat\Programs\Amcache.hve
MD5: E408A297050FC1938846C25BE5C8816A
SHA256: FA7A7398536B5A09B6DCF3F431FC11DCBC146A3E3C5FDF682F734F9C8DDC0F3A

PID: 3808 | Process: powershell.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: 2F2C2A2EE732DF86493C15C8C19FF07D
SHA256: 688BC8CD8C893812A1FC3494786E7CFEF0F2350EA7F325272BE12A929272DE4B

PID: 5032 | Process: WerFault.exe | Type: binary
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER77DC.tmp.dmp
MD5: 442A9C6D3E2ED84EE49B3544455EAC46
SHA256: F43213AB588B30E6755D13FE65E0395C3C9A87FA2D860E7A6169BE1ECCFA4127

PID: 5032 | Process: WerFault.exe | Type: dmp
Filename: C:\Users\admin\AppData\Local\CrashDumps\5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe.1752.dmp
MD5: 481FD31DD22CDC3BD53ED9F4072D1D48
SHA256: 3651C53D61AB344439C9E0E0BED9A8DAB47F70155662A7442FD17B451CAA9830

PID: 3808 | Process: powershell.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C496LCMJG21Z6Y36W2ZB.temp
MD5: A73735197A95AAE684F34215D590971B
SHA256: AE7F65206A7EAB9AE3AE1C51972780D9D7FC75CDDE42D8A1517B7EEE039B412E

PID: 3244 | Process: FileCoAuth.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-19.1256.3244.1.odl
MD5: 3372A8BB710AE0F2097C2E04893D2C8C
SHA256: B6ED8D47C11A2206C55B51CF75786066A51DEC39608662B0D63906C4B3F7444B

PID: 3244 | Process: FileCoAuth.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-19.1256.3244.1.aodl
MD5: 28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256: 33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94

PID: 5032 | Process: WerFault.exe | Type: xml
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7AAC.tmp.WERInternalMetadata.xml
MD5: CC610C6E9861744F2C295447FC948FD6
SHA256: F3F4E0578E5E725F6E3EA1A091A8DB86592BEC03FB542D2AA066135FB459A9D3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 18
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5140 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1752 | 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe | POST | 200 | 185.172.128.170:80 | http://185.172.128.170/7043a0c6a68d9c65.php | unknown | unknown
2908 | OfficeClickToRun.exe | POST | 200 | 20.189.173.12:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2492 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5140 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5140 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
5140 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
1752 | 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe | 185.172.128.170:80 | - | OOO Nadym Svyaz Service | RU | malicious
5456 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5032 | WerFault.exe | 13.89.179.12:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2908 | OfficeClickToRun.exe | 20.189.173.13:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
watson.events.data.microsoft.com | 13.89.179.12 | whitelisted
self.events.data.microsoft.com | 20.189.173.13 | whitelisted

Threats

Class: Malware Command and Control Activity Detected
Message: STEALER [ANY.RUN] Stealc

Class: Malware Command and Control Activity Detected
Message: ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
No debug info