File name:

file.exe

Full analysis: https://app.any.run/tasks/f1b1d475-6cc3-4262-b221-f4128fe5927f
Verdict: Malicious activity
Analysis date: December 04, 2024, 17:28:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
neshta
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

54C804C8F597748CE17394624B6C08A4

SHA1:

4AFA779208E5FA47630A8C4A17107E54DB2234F5

SHA256:

6163A3302B0EB60FF371116B0E90DE30DF65493AC7192235D4495E43C4A41D4F

SSDEEP:

49152:9TXsikhSWzyHBpc1qonwwpuQNie803bk9vK7OJtpSxJ9L/9uk2zR5atcxzqTSvaf:x7D9R2ie803bk9vK7Tx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • NESHTA mutex has been found

      • file.exe (PID: 4132)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • file.exe (PID: 4132)

    • Process drops legitimate windows executable

      • file.exe (PID: 4132)

    • Starts a Microsoft application from unusual location

      • file.exe (PID: 4056)
      • file.exe (PID: 2972)

    • Executable content was dropped or overwritten

      • file.exe (PID: 4132)

    • Mutex name with non-standard characters

      • file.exe (PID: 4132)

  • INFO

    • Process checks computer location settings

      • file.exe (PID: 4132)

    • Checks supported languages

      • file.exe (PID: 4132)
      • file.exe (PID: 2972)

    • Create files in a temporary directory

      • file.exe (PID: 4132)

    • Reads the computer name

      • file.exe (PID: 4132)
      • file.exe (PID: 2972)

    • Sends debugging messages

      • file.exe (PID: 2972)

    • Reads the machine GUID from the registry

      • file.exe (PID: 2972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (85.5)
.exe | Win32 Executable Delphi generic (4.6)
.scr | Windows screen saver (4.2)
.dll | Win32 Dynamic Link Library (generic) (2.1)
.exe | Win32 Executable (generic) (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
121
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #NESHTA file.exe file.exe no specs file.exe

Process information

PID
CMD
Path
Indicators
Parent process
2972"C:\Users\admin\AppData\Local\Temp\3582-490\file.exe" C:\Users\admin\AppData\Local\Temp\3582-490\file.exe
file.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
SQL Server Installer for Developer Edition
Version:
15.2204.5490.2
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\file.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
4056"C:\Users\admin\AppData\Local\Temp\3582-490\file.exe" C:\Users\admin\AppData\Local\Temp\3582-490\file.exefile.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
SQL Server Installer for Developer Edition
Exit code:
3221226540
Version:
15.2204.5490.2
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\file.exe
c:\windows\system32\ntdll.dll
4132"C:\Users\admin\Desktop\file.exe" C:\Users\admin\Desktop\file.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\file.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
5 572
Read events
5 558
Write events
14
Delete events
0

Modification events

(PID) Process:(2972) file.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2972) file.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(2972) file.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2972) file.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(2972) file.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(2972) file.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2972) file.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2972) file.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2972) file.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(2972) file.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
8
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
4132file.exeC:\Users\admin\AppData\Local\Temp\3582-490\file.exeexecutable
MD5:0066F98970748D1173343ECB8EFCB60F
SHA256:FDEC686409D94188A755F39CB793F93FD2F0B62E99BC13EA9A63E1F3DD78C8A1
4132file.exeC:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exeexecutable
MD5:85A67D34298E33D2D5A9EC789B6AB594
SHA256:1DEE143B4F88F2375B85C6271A58E2E78FED081BEAE4090678CB2DD7A37FB2D4
4132file.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exeexecutable
MD5:A747FA4161FE3C00C3FBB4BF391D4D4E
SHA256:B7BA59428AF7AE08C5BF927B57E326D5259E6ED31BD4237AA6A44378177364C1
4132file.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncHelper.exeexecutable
MD5:1C0BE16E6ED8F5B6F0910650A25F4FA7
SHA256:3028F6A6A7A10DC5D63F256FEEB8275F3818BF3371EAF8B20A2D0BF2FCD5F4A9
4132file.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exeexecutable
MD5:178B773B3FB050FCE26E40A9E8C2EE9A
SHA256:1E03573733F25B44004049A535E7E79366FD86FE953F6DFEDAAD05513B46A6C5
4132file.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exeexecutable
MD5:13C2D5BF03C4A2B28E930F990CCC32DB
SHA256:12D24D0BC0E7CDC902E3540A3C6F7B755094F011A8EAD49A47A00563710B8F80
4132file.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exeexecutable
MD5:0C5EC1AE9A301408AF26032B445FBB08
SHA256:3A8010F1E4E028782093877D969EB127B80AE48B7215A8D3F91E8AB9C165AC7A
4132file.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDriveUpdaterService.exeexecutable
MD5:E73AC057B2CFEF016B8199389F0DF590
SHA256:20ABA9D6001E5CDC287CD5BD452D0F2D05980D83F851D2B309BF49E9D9A8AC4C
4132file.exeC:\Users\admin\AppData\Local\Temp\tmp5023.tmptext
MD5:42D1F2198CCF6E407C8EC1038DC4B3B2
SHA256:9EFDD9A0D53EFF54D147558B69E1A6734B2AA8B82CC6C57CAEAC0ED83178F6F8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
22
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
302
184.30.21.171:443
https://go.microsoft.com/fwlink/?LinkID=866662
unknown
GET
200
184.30.21.171:443
https://download.microsoft.com/download/d/a/2/da259851-b941-459d-989c-54a18a5d44dd/SQL2019-SSEI-Dev.exe
unknown
GET
200
184.30.21.171:443
https://download.microsoft.com/download/d/a/2/da259851-b941-459d-989c-54a18a5d44dd/Manifest_Bootstrap_All.xml
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
716
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2972
file.exe
23.32.186.57:443
go.microsoft.com
AKAMAI-AS
BR
whitelisted
716
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
go.microsoft.com
  • 23.32.186.57
whitelisted
download.microsoft.com
  • 23.212.89.111
whitelisted
self.events.data.microsoft.com
  • 20.50.73.11
whitelisted

Threats

No threats detected
Process
Message
file.exe
(01) 2024-12-04 17:28:17 SSEI v15.2204.5490.2
file.exe
(01) 2024-12-04 17:28:17 CorrelationId: 22b509c1-ec85-45e3-9276-cadc5079e392
file.exe
(01) 2024-12-04 17:28:17 CurrentCulture.Name='en-US'.LCID='1033'.Parent.Name='en'
file.exe
(01) 2024-12-04 17:28:17 CurrentUICulture.Name='en-US'.LCID='1033'.Parent.Name='en'
file.exe
(01) 2024-12-04 17:28:17 supported culture detected ='en-US'.
file.exe
(01) 2024-12-04 17:28:17 resolvedCulture: en-US
file.exe
(01) 2024-12-04 17:28:17 osSupported: True, osVersion: 10.0.19045.0, osPlatform: amd64
file.exe
(04) 2024-12-04 17:28:19 .NET Framework Version: 4.5
file.exe
(04) 2024-12-04 17:28:19 StartupBootstrapActivity:SSEIActivityStart:Message: Starting Activity StartupBootstrapActivity
file.exe
(04) 2024-12-04 17:28:19 StartupBootstrapActivity:SSEIProgressReport:ProgressPercent: 1
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
file.exe