Property | Value
---|---
File name | 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122
Full analysis | https://app.any.run/tasks/e146711f-658c-451a-acc1-6bac973a7f89
Verdict | Malicious activity
Analysis date | January 11, 2025, 00:53:06
OS | Windows 10 Professional (build: 19045, 64 bit)
Tags | 
Indicators | 
MIME | application/vnd.microsoft.portable-executable
File info | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5 | 02715805E25E14E5B16E8849EF30D657
SHA1 | AE7ECB3F5ADFEAB52BCBF1664E49AE36BE5848F0
SHA256 | 639B6EC0C8975FAA8584FC08485C509C044E087A475BFEC3E12FD19179F44122
SSDEEP | 12288:DvVVVVVVVVtu74R0vVVVVVVVVtu74RYvVVVVVVVVtu74R0vVVVVVVVVtu74R5Nf:U74RP74RD74RP74R5Nf
Extension | File type (match, %)
---|---
.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)
PE header field | Value
---|---
Subsystem | Windows GUI
SubsystemVersion | 4
ImageVersion | -
OSVersion | 4
EntryPoint | 0x7f80
UninitializedDataSize | 24576
InitializedDataSize | 4096
CodeSize | 8192
LinkerVersion | 6
PEType | PE32
ImageFileCharacteristics | No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp | 2011:03:15 04:06:07+00:00
MachineType | Intel 386 or later, and compatibles
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
6564 | "C:\Users\admin\Desktop\639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe" | C:\Users\admin\Desktop\639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe | | explorer.exe

User: admin. Integrity Level: MEDIUM.
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
6564 | 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe | — | | — | —
6564 | 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | DD2114159341AD1C8D2ACC2D6F0E2BDB | 3D4D8563E4EB09471B1AEAD6F043EDC7836D7B1DFD6566D87B664B1F633CD9A1
6564 | 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | DD2114159341AD1C8D2ACC2D6F0E2BDB | 3D4D8563E4EB09471B1AEAD6F043EDC7836D7B1DFD6566D87B664B1F633CD9A1
6564 | 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | 918F30B9E59E62C6FE43E6997B1E2363 | BDC0A9FADBCDAFCB2248EABC9755685056C2BAB8646B4F33E51DB00EEBE4E185
6564 | 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable | D44B32C79C1A993D75B8E281B34C24AC | BF827E8B0349267C275678D0A02EAE99C314380CCE4F4CD98A06317D07B369F6
6564 | 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | 9CF60F2D34D4C66910370815353D2161 | C35BF511A70C061320DEDB6FF3A08E1F452791F13EEB8061A111BE55B4669675
6564 | 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | 25C0A4319F61146E66DB69DF546C9379 | BC6559488D0C9955A9D5CF06CC753463D7A6D8AAB887ACD4D3441845B885CAB4
6564 | 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable | 3DA775504271020205081EB9EDF54C5B | 5C46C1D3C30655A8AC4F2432C67CA9C70CB5E711958CCD0A4D342ACD97003C51
6564 | 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | E721630035AFF3278012709636D72CDC | D4C5D59BCE228D54F3FC45CD15752D7AD11323F90A6E015A6B2E9B585A84F682
6564 | 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable | C8BD8EE1416D4B6A4FABE5CF8C33DC2E | 063A67FA0D3E82373B231B39DD26F1615E7A0173A106541D068A97E42BB828F0
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3040 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3040 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3040 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 2.23.227.215:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
3040 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
3040 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
Domain | IP | Reputation
---|---|---
settings-win.data.microsoft.com | | whitelisted
www.bing.com | | whitelisted
google.com | | whitelisted
crl.microsoft.com | | whitelisted
www.microsoft.com | | whitelisted
self.events.data.microsoft.com | | whitelisted