File name: 62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d

Full analysis: https://app.any.run/tasks/19055265-1892-4b99-99df-8fe07f40d566
Verdict: Malicious activity
Analysis date: December 24, 2024, 04:06:29
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: C8E7170430618864CBC94A1D2962188D
SHA1: 53E0DBCE98308CA1BF31B8783FD071FB1012C6D7
SHA256: 62A987B48D8DE7B16C00B86930DFD8BB840A0D3727085A46986EDF47FB50CF1D
SSDEEP: 6144:PLCuyn3GkKLFqJzC2usrRiY4zg5xAcTciQwM:A3GB4RiY4zg5nT9nM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executing a file with an untrusted certificate (the PE carries a signature that did not verify as trusted on the guest)
      • 62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe (PID: 4952)
      • 62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe (PID: 4716)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • 62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe (PID: 4716)
    • Process drops legitimate Windows executable
      • 62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe (PID: 4716)
    • Executes application which crashes
      • 62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe (PID: 4716)
  • INFO
    • Checks supported languages
      • 62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe (PID: 4716)
    • The sample was compiled with Chinese language support
      • 62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe (PID: 4716)
    • Creates files in the program directory
      • 62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe (PID: 4716)
    • The sample was compiled with English language support
      • 62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe (PID: 4716)
    • Reads the computer name
      • 62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe (PID: 4716)
    • Checks proxy server information
      • WerFault.exe (PID: 2928)
    • Reads the software policy settings
      • WerFault.exe (PID: 2928)
    • Creates files or folders in the user directory
      • WerFault.exe (PID: 2928)

The three WerFault.exe entries are ordinary Windows Error Reporting activity triggered by the crash of PID 4716 (WerFault was started with -p 4716, see the process list), not behaviour of the sample. Only PID 4716 did anything beyond failing to start: the signatures on PID 4952 are limited to the certificate check because that instance never got past the loader.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

TRiD's top guess (Win64) is a byte-pattern heuristic and is wrong here: the PE header below says PE32, Intel 386, 32-bit, and the process list shows the sample loading the wow64*.dll shims, i.e. running as a 32-bit process on 64-bit Windows. When the two disagree, trust the header.

EXIF (PE header and version resource)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:28 01:20:18+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 89600
InitializedDataSize: 48128
UninitializedDataSize: -
EntryPoint: 0x3af8
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
CompanyName: Wondershare Software
FileVersion: 1.0.0.1
InternalName: WSPrtSet.exe
LegalCopyright: Copyright © 2012 Wondershare. All Rights Reserved.
OriginalFileName: WSPrtSet.exe
ProductName: PDF Converter
ProductVersion: 4.0.0.0

The version-resource strings (CompanyName, ProductName, LegalCopyright, OriginalFileName) are build-time metadata written by whoever linked the binary; they say what the file claims to be, not what it is, and the link timestamp is just as easy to set. A 2012 copyright next to a July 2023 link timestamp and a signature the guest did not trust is the combination to look at twice, not wave through. OSVersion/SubsystemVersion 5.1 is the minimum Windows version the image declares (XP), not the system it ran on.

All screenshots are available in the full report
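The header fields in the pane above (MachineType, TimeStamp, LinkerVersion, CodeSize, EntryPoint, OSVersion, Subsystem, and the "6 sections" in the file info) live at fixed offsets in the DOS, COFF and optional headers, and the "untrusted certificate" signature hinges on one more field: the security data directory that points at the Authenticode blob. The parser below is an added example, not ANY.RUN tooling; it reads those fields with nothing but struct and is run against a constructed, headers-only PE32 populated with this report's values (the section names and certificate bytes in it are placeholders). It reports whether a certificate table exists, which is necessary but not sufficient: whether the signature chains to a trusted root is a separate validation step (signtool verify or Get-AuthenticodeSignature) that this code does not perform.

```python
"""Minimal PE header parser: reads the fields a PE metadata pane reports
(machine, link timestamp, linker version, sizes, entry point, subsystem,
section names) and checks whether an Authenticode certificate table exists.
Added example, not ANY.RUN tooling; build_sample_pe() constructs a
headers-only PE32 carrying the values from the report above."""
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
SUBSYSTEM_NAMES = {1: "Native", 2: "Windows GUI", 3: "Windows command line"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode: a PKCS#7 SignedData blob


def parse_pe(data: bytes) -> dict:
    """DOS header -> COFF header -> optional header -> data directories -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic, major_linker, minor_linker, code_size, init_size,
     uninit_size, entry_point) = struct.unpack_from("<HBBIIII", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    pe_plus = magic == 0x20B
    # Version fields and Subsystem share offsets in PE32 and PE32+; the directory
    # count and table sit 16 bytes later in PE32+ because of its 64-bit size fields.
    major_os, minor_os, _, _, major_sub, minor_sub = struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs = struct.unpack_from("<I", data, opt + (108 if pe_plus else 92))[0]
    dir_table = opt + (112 if pe_plus else 96)
    cert = None
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # The security directory is the one entry that holds a raw file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from("<II", data, dir_table + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        if cert_off and cert_size:
            length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
            cert = {"offset": cert_off, "length": length, "revision": revision,
                    "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA}
    sec_table = opt + opt_size
    sections = [struct.unpack_from("<8s", data, sec_table + 40 * i)[0].rstrip(b"\0").decode("ascii", "replace")
                for i in range(n_sections)]
    return {
        "pe_type": "PE32+" if pe_plus else "PE32",
        "machine": MACHINE_NAMES.get(machine, f"{machine:#x}"),
        "is_executable": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_32bit": bool(characteristics & IMAGE_FILE_32BIT_MACHINE),
        "timestamp": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "linker_version": f"{major_linker}.{minor_linker}",
        "code_size": code_size, "initialized_data_size": init_size, "uninitialized_data_size": uninit_size,
        "entry_point": f"{entry_point:#x}",
        "os_version": f"{major_os}.{minor_os}", "subsystem_version": f"{major_sub}.{minor_sub}",
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "sections": sections,
        # A certificate table only proves "signed by someone"; whether it chains to a
        # trusted root is a separate check (signtool verify) this parser does not do.
        "authenticode": cert,
    }


def build_sample_pe(signed: bool = True) -> bytes:
    """Constructed headers-only PE32 with the report's values; section names and the
    certificate bytes are placeholders, not taken from the analysed file."""
    e_lfanew, opt_size, n_sections = 0x80, 224, 6
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n_sections, 1690507218,   # 2023-07-28 01:20:18 UTC
                       0, 0, opt_size, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    opt = bytearray(opt_size)
    struct.pack_into("<HBBIIIIII", opt, 0, 0x10B, 14, 0, 89600, 48128, 0, 0x3AF8, 0x1000, 0x17000)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<HHHHHH", opt, 40, 5, 1, 0, 0, 5, 1)        # OS, image and subsystem versions
    struct.pack_into("<H", opt, 68, 2)                             # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    sections = b"".join(struct.pack("<8s32x", n) for n in
                        (b".text", b".rdata", b".data", b".rsrc", b".reloc", b".tls"))
    cert_body = b"\x30\x82" + b"\x00" * 30                       # placeholder, not real PKCS#7
    cert = struct.pack("<IHH", 8 + len(cert_body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_body
    header_len = e_lfanew + 4 + len(coff) + opt_size + len(sections)
    if signed:  # certificate table entry = (file offset of WIN_CERTIFICATE, its size)
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections + (cert if signed else b"")


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run it as-is and the printed fields match the pane above (PE32, Intel 386, linker 14.0, entry point 0x3af8, OS and subsystem 5.1, Windows GUI, six sections, timestamp 2023-07-28T01:20:18+00:00) plus an authenticode entry; build_sample_pe(signed=False) yields authenticode None, which is how an unsigned file would show up.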
Total processes: 123
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start → 62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe → werfault.exe
start → 62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe (no specs)

Process information

PID: 2928
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4716 -s 612
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Loaded modules (images):
  c:\windows\syswow64\werfault.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvcrt.dll
  c:\windows\syswow64\combase.dll

PID: 4716
CMD: "C:\Users\admin\Desktop\62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe"
Path: C:\Users\admin\Desktop\62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe
Parent process: explorer.exe
User: admin
Company: Wondershare Software
Integrity Level: HIGH
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Version: 1.0.0.1
Loaded modules (images):
  c:\users\admin\desktop\62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID: 4952
CMD: "C:\Users\admin\Desktop\62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe"
Path: C:\Users\admin\Desktop\62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe
Parent process: explorer.exe
User: admin
Company: Wondershare Software
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.0.1
Loaded modules (images):
  c:\users\admin\desktop\62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

Reading the three together: PID 4952 is the first launch from explorer.exe at medium integrity. It exited with STATUS_ELEVATION_REQUIRED having loaded nothing beyond ntdll.dll, which is the loader refusing to start an image that demands administrator rights (for example a requireAdministrator manifest) without a UAC prompt. PID 4716 is the elevated launch at high integrity; it ran far enough to write symsrv.dll under Program Files (see Dropped files) and then died with an access violation, which is what spawned WerFault.exe with -p 4716. Because the only instance that ran crashed, this report cannot be taken as a full picture of what the sample does; whether the crash is an environment check or a plain bug is not something the report answers.
Total events: 5 978
Read events: 5 970
Write events: 5
Delete events: 3

Modification events

PID | Process | Key | Operation | Name | Value
2928 | WerFault.exe | \REGISTRY\A\{1d694381-bf94-7488-cf7a-ece2fd62766b}\Root\InventoryApplicationFile | write | WritePermissionsCheck | 1
2928 | WerFault.exe | \REGISTRY\A\{1d694381-bf94-7488-cf7a-ece2fd62766b}\Root\InventoryApplicationFile\PermissionsCheckTestKey | delete key | (default) | -
2928 | WerFault.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData | write | ClockTimeSeconds | 4F336A6700000000
2928 | WerFault.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData | write | TickCount | 6F6B130000000000

All registry writes come from WerFault.exe, none from the sample. The \REGISTRY\A\{...} key is an application hive (the Amcache inventory WerFault loads to record the crashing application, matching the Amcache.hve entry under Dropped files), and the IdentityCRL\ClockData values are 8-byte little-endian counters. None of this is a persistence mechanism.
Executable files: 1
Suspicious files: 3
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2928 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_62a987b48d8de7b1_bf17db6cccd2c6ea5d14fabe23ac3543d9fb6036_addcfec2_940fddf6-a851-4cdf-8c69-dea32e017041\Report.wer | - | - | -
2928 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER69AB.tmp.WERInternalMetadata.xml | xml | C7E12A8EA643A2E60EA4F641C8C35D48 | 70DF4A9AC1AE2FDF4E5B3B1CA0DE82D339C5C5CE6C4706A04239237DB7301572
4716 | 62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe | C:\Program Files\Common Files\System\symsrv.dll | executable | 7574CF2C64F35161AB1292E2F532AABF | DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
2928 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe.4716.dmp | binary | 007A378E21D99BBB4CC3FE5CBA01284A | 0E85645DEEC58B6AFE6C92D632D1B9D7084D62955318E43A80D7442E4C3E8F43
2928 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER69EA.tmp.xml | xml | 077182A7547735BEF25951A8EFF6CD8B | B4BB8860FA0978472922D7EB694EE67D7270C231D00D5B8F83A3A93190C2DCD9
2928 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER6574.tmp.dmp | dmp | 391C7EED859758EE420DA92397C070F0 | 21BA8C566F657373B1B2661A16CA65A35F613A9AE8995B753915001F00200357
2928 | WerFault.exe | C:\Windows\appcompat\Programs\Amcache.hve | binary | F9DDBF98B3E61965DF9C673AF19276B6 | EE236D9B65796B366A38DA267742340DA7C70E0EB05D6BF526971E442613585B

The only file written by the sample itself (PID 4716) is symsrv.dll in C:\Program Files\Common Files\System, which is what the "drops legitimate Windows executable" and "creates files in the program directory" signatures refer to; writing there is also why the sample needs elevation. Everything else in the table is Windows Error Reporting output for the crash: the crash dumps, the WER metadata, and the Amcache hive that WerFault updates. The report does not say who signed the dropped symsrv.dll or why it was classed as legitimate (presumably by hash), so check the MD5/SHA256 above against a reputation source and verify its Authenticode signature before treating it as the Microsoft symbol-server DLL; the user-mode crash dump of PID 4716 is the artefact to pull if you want to see what the sample was doing when it faulted.
HTTP(S) requests: 4
TCP/UDP connections: 20
DNS requests: 10
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5448 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5448 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

(The Type and Size columns are empty in the source and are omitted.) None of these requests come from the sample (PIDs 4716, 4952) or from WerFault.exe (2928). They are Windows' own CRL fetches by svchost.exe and the Update Orchestrator worker MoUsoCoreWorker.exe, recorded because the sandbox captures the whole guest. The same holds for the connections and DNS lookups below: this report shows no network activity attributable to the sample.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5448 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.23.209.133:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5448 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5448 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

Rows with no PID or process have none in the source. The two 192.168.100.255 entries are NetBIOS name-service (137) and datagram (138) broadcasts on the guest's subnet, normal Windows background noise.

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 40.127.240.158 | whitelisted
www.bing.com | 2.23.209.133, 2.23.209.140, 2.23.209.182, 2.23.209.149, 2.23.209.187, 2.23.209.179 | whitelisted
google.com | 216.58.206.78 | whitelisted
crl.microsoft.com | 2.16.241.19, 2.16.241.12 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
watson.events.data.microsoft.com | 52.182.143.212 | whitelisted
self.events.data.microsoft.com | 20.42.73.31 | whitelisted

Threats

No threats detected
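The process list, dropped files and network sections above all need the same reading: decode the NTSTATUS exit codes, decide which PIDs belong to the sample, and then judge file writes and network flows only for those PIDs instead of for the whole guest. The script below is an added example, not ANY.RUN code; it does that over rows transcribed from this report. The process tree is matched by image name because the report records parents by name rather than PID, and NTSTATUS_NAMES covers only the codes that occur here. Run against these rows, the exit codes decode to STATUS_ELEVATION_REQUIRED and STATUS_ACCESS_VIOLATION, the only flagged drop is symsrv.dll, and every network flow lands in the background bucket.

```python
"""Triage helpers for a sandbox report like the one above: decode NTSTATUS exit
codes, collect the sample's process tree, flag executable drops into program or
system directories by that tree, and separate the sample's network flows from the
guest's background traffic.  Added example, not ANY.RUN code; PROCS, WRITES and
FLOWS are transcribed from this report with only the fields the helpers need."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

NTSTATUS_NAMES = {0x00000000: "STATUS_SUCCESS", 0xC0000005: "STATUS_ACCESS_VIOLATION",
                  0xC000042C: "STATUS_ELEVATION_REQUIRED"}   # only the codes seen in this report
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}
PROGRAM_DIRS = tuple(PureWindowsPath(p) for p in
                     (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows", r"C:\ProgramData"))
SAMPLE = "62a987b48d8de7b16c00b86930dfd8bb840a0d3727085a46986edf47fb50cf1d.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent_image: str      # the report names parents by image, not by PID
    integrity: str
    exit_code: int

@dataclass(frozen=True)
class FileWrite:
    pid: int
    path: str
    kind: str              # the report's own type label

@dataclass(frozen=True)
class Flow:
    pid: Optional[int]     # some connection rows in the report carry no PID
    process: str
    dst: str
    domain: str

PROCS = [
    Proc(4952, SAMPLE, "explorer.exe", "MEDIUM", 3221226540),
    Proc(4716, SAMPLE, "explorer.exe", "HIGH", 3221225477),
    Proc(2928, "WerFault.exe", SAMPLE, "HIGH", 0),
]
WRITES = [
    FileWrite(4716, r"C:\Program Files\Common Files\System\symsrv.dll", "executable"),
    FileWrite(2928, "C:\\Users\\admin\\AppData\\Local\\CrashDumps\\" + SAMPLE + ".4716.dmp", "binary"),
    FileWrite(2928, r"C:\Windows\appcompat\Programs\Amcache.hve", "binary"),
]
FLOWS = [
    Flow(5448, "svchost.exe", "2.16.241.19:80", "crl.microsoft.com"),
    Flow(4712, "MoUsoCoreWorker.exe", "51.104.136.2:443", "settings-win.data.microsoft.com"),
    Flow(4, "System", "192.168.100.255:138", ""),
    Flow(None, "", "2.23.209.133:443", "www.bing.com"),
]


def decode_exit(code: int) -> dict:
    """Codes with the top two bits set are NTSTATUS errors: the loader or kernel ended
    the process; the program did not return this value from main()."""
    status = code & 0xFFFFFFFF
    severity = ("success", "informational", "warning", "error")[status >> 30]
    return {"hex": f"0x{status:08X}", "name": NTSTATUS_NAMES.get(status, "unknown"), "severity": severity}

def sample_tree(procs, sample_image: str) -> set:
    """PIDs of the sample and everything it transitively parented, matched by image
    name because that is all the report records (a PID-keyed tree would be stricter)."""
    images, pids, grown = {sample_image.lower()}, set(), True
    while grown:                       # repeat until no new child turns up
        grown = False
        for p in procs:
            if p.pid not in pids and (p.image.lower() in images or p.parent_image.lower() in images):
                pids.add(p.pid)
                images.add(p.image.lower())
                grown = True
    return pids

def is_program_dir(path: str) -> bool:
    # PureWindowsPath compares case-insensitively, so C:\WINDOWS and C:\Windows match.
    return any(base in PureWindowsPath(path).parents for base in PROGRAM_DIRS)

def flag_drops(writes, sample_pids) -> list:
    """Executable files the sample tree wrote into program or system directories."""
    return [w for w in writes
            if w.pid in sample_pids and is_program_dir(w.path)
            and (w.kind == "executable" or PureWindowsPath(w.path).suffix.lower() in EXECUTABLE_SUFFIXES)]

def attribute_flows(flows, sample_pids) -> dict:
    """Split flows into those owned by the sample tree and the guest's own traffic."""
    out = {"sample": [], "background": []}
    for f in flows:
        out["sample" if f.pid in sample_pids else "background"].append(f)
    return out
```

Note what the Amcache.hve row exercises: it is written by a process in the sample's tree (WerFault, PID 2928) under C:\Windows, but it is neither typed as executable nor carries an executable suffix, so it is not flagged; only the symsrv.dll write by PID 4716 survives all three tests.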
No debug info