File name:

App_file_x64.exe.7z

Full analysis: https://app.any.run/tasks/af100e65-de8b-476d-a35a-c0dd79ba8900
Verdict: Malicious activity
Analysis date: February 06, 2024, 23:32:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

B4D9A3F0CC39290E03FCA02B3F8E2DA8

SHA1:

22D1F26C0A5C06BB0AA7CB0FEC228B7C4D2C7D3D

SHA256:

5F25C2F4DC5AE83882588DD60CC8DBAE741BB18AF40B51629244997BA32A9597

SSDEEP:

98304:Dkh0VaWFBrcuFHMa89f36TRp1IM22Whvq/nIRicCGaFKLt/4Q5RfJRxBdjf3xkZN:ATbL4qCog16GbA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • App_file_x64.exe (PID: 6624)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 6956)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • App_file_x64.exe (PID: 6624)

    • Checks for Java to be installed

      • jusched.exe (PID: 5504)

    • Reads Microsoft Outlook installation path

      • App_file_x64.exe (PID: 6624)

    • Checks Windows Trust Settings

      • App_file_x64.exe (PID: 6624)

    • Reads Internet Explorer settings

      • App_file_x64.exe (PID: 6624)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6956)

    • Checks proxy server information

      • App_file_x64.exe (PID: 6624)

    • Manual execution by a user

      • App_file_x64.exe (PID: 6624)
      • jusched.exe (PID: 5504)

    • Reads the software policy settings

      • App_file_x64.exe (PID: 6624)

    • Creates files or folders in the user directory

      • App_file_x64.exe (PID: 6624)

    • Reads the machine GUID from the registry

      • App_file_x64.exe (PID: 6624)

    • Checks supported languages

      • jusched.exe (PID: 5504)
      • App_file_x64.exe (PID: 6624)

    • Reads the computer name

      • App_file_x64.exe (PID: 6624)

    • Process checks Internet Explorer phishing filters

      • App_file_x64.exe (PID: 6624)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
280
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe app_file_x64.exe filecoauth.exe no specs jusched.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3732C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -EmbeddingC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
5504"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exerunonce.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java Update Scheduler
Exit code:
4294967292
Version:
2.8.271.9
6624"C:\Users\admin\Desktop\App_file_x64.exe" C:\Users\admin\Desktop\App_file_x64.exe
explorer.exe
User:
admin
Company:
LM Studio
Integrity Level:
HIGH
Description:
Discover, download, and run LLMs locally
Exit code:
0
Version:
0.2.6
6956"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\App_file_x64.exe.7z"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
6624App_file_x64.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\61424c3d98c12d2c6116907a_discords-404-page[1].pngimage
MD5:A78C3455CF49BCA92E08E7C2D4CF6D0D
SHA256:540E98B588C749CF9505B8C9615BE98633A116435BD3CD6642835956E32D9B54
3732FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-02-06.2335.3732.1.odlbinary
MD5:5CBB736E79C6DD4836A8E65E83975C1F
SHA256:B1826037EF5CB52471A309A544A38A9457A1BC670535FE4DD7E65BF8AD11C79C
3732FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-02-06.2335.3732.1.aodlbinary
MD5:923BF0E545D9C37CA8874C8D6C4A30E6
SHA256:AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65
6956WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6956.34510\App_file_x64.exeexecutable
MD5:6B9E5C0D87E8E11FE1EE9E4F7EC1B8BB
SHA256:79E7AC368ED32889059E4614B62CE85A19832687137DAB6FEA7432181E0DD2BF
6956WinRAR.exeC:\Users\admin\AppData\Roaming\WinRAR\version.datbinary
MD5:90192E3708C1BF4B63EC60E9998CDF30
SHA256:2C2421C5C55A1A2B0491F3C3680B447BFF0EE5A0BF7648C4A16A4AC727975D32
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
149
TCP/UDP connections
87
DNS requests
44
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5756
svchost.exe
GET
206
23.48.23.7:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707511006&P2=404&P3=2&P4=BoyP3S057eZ1orXuwuBzkEwSubslg5JjRmwk%2fJlbeCVz4Ah8J4K7O3Odgpq%2frVlieDC%2bAELbMN5ozdgT0r0PTA%3d%3d
unknown
binary
9.28 Kb
unknown
6492
msedge.exe
GET
302
184.30.21.171:443
https://go.microsoft.com/fwlink/?linkid=2133855&bucket=15
unknown
5756
svchost.exe
HEAD
200
23.48.23.7:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707511006&P2=404&P3=2&P4=BoyP3S057eZ1orXuwuBzkEwSubslg5JjRmwk%2fJlbeCVz4Ah8J4K7O3Odgpq%2frVlieDC%2bAELbMN5ozdgT0r0PTA%3d%3d
unknown
unknown
5756
svchost.exe
GET
206
23.48.23.7:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707511006&P2=404&P3=2&P4=BoyP3S057eZ1orXuwuBzkEwSubslg5JjRmwk%2fJlbeCVz4Ah8J4K7O3Odgpq%2frVlieDC%2bAELbMN5ozdgT0r0PTA%3d%3d
unknown
binary
6.64 Kb
unknown
5756
svchost.exe
HEAD
200
23.48.23.7:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/78c34df8-0979-4065-b0a1-02478ab0702c?P1=1707511007&P2=404&P3=2&P4=Smf1W2g9xiyeLAi30h39VNrKljZ6ZJvUAMCvTwoVRJe0laZpbF%2ff2KKy3H%2bLu3vpqHYEyGeKStm5zGSYJnoqNw%3d%3d
unknown
binary
6.64 Kb
unknown
5756
svchost.exe
GET
206
23.48.23.7:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/78c34df8-0979-4065-b0a1-02478ab0702c?P1=1707511007&P2=404&P3=2&P4=Smf1W2g9xiyeLAi30h39VNrKljZ6ZJvUAMCvTwoVRJe0laZpbF%2ff2KKy3H%2bLu3vpqHYEyGeKStm5zGSYJnoqNw%3d%3d
unknown
binary
253 b
unknown
1828
SIHClient.exe
GET
304
13.85.23.86:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL
unknown
1828
SIHClient.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
binary
1.11 Kb
unknown
1828
SIHClient.exe
GET
200
13.85.23.86:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL
unknown
6492
msedge.exe
GET
200
13.107.42.16:443
https://config.edge.skype.com/config/v1/Edge/111.0.1661.62?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfull=0&scpguard=0&scpfre=0&scpver=0&osarch=x86_64&osver=10.0.19044&wu=1&devicefamily=desktop&uma=0&sessionid=13&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245
unknown
binary
81.5 Kb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.251:5353
unknown
4
System
192.168.100.255:137
whitelisted
3720
svchost.exe
239.255.255.250:1900
unknown
6492
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1612
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5612
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4188
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6492
msedge.exe
184.30.17.189:443
go.microsoft.com
AKAMAI-AS
DE
unknown
6492
msedge.exe
13.107.21.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
6492
msedge.exe
204.79.197.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 13.107.42.16
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
msedge.b.tlu.dl.delivery.mp.microsoft.com
  • 23.48.23.7
  • 23.48.23.66
  • 178.79.227.128
  • 178.79.227.0
  • 152.199.19.161
whitelisted
login.live.com
  • 40.126.32.76
  • 40.126.32.74
  • 40.126.32.68
  • 40.126.32.138
  • 20.190.160.14
  • 20.190.160.22
  • 40.126.32.134
  • 40.126.32.133
  • 20.190.159.73
  • 20.190.159.0
  • 40.126.31.71
  • 20.190.159.68
  • 20.190.159.64
  • 20.190.159.71
  • 20.190.159.4
  • 40.126.31.67
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
slscr.update.microsoft.com
  • 13.85.23.86
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.166.126.56
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
App_file_x64.exe.7z