File name: 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535

Full analysis: https://app.any.run/tasks/2c6ba23f-9fcd-4f55-9480-76324254f7ca
Verdict: Malicious activity
Analysis date: December 14, 2024, 07:14:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
themida
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 11 sections
MD5: FC3EA123F4C00E61BDBFF6DA8578C280
SHA1: A1A8913077DB23F22FF583045DD68E803FBEC6D7
SHA256: 6884BDC623D477394BCBF05BB4A2ED841FE8B1B50AD06F44DF143832CA6CD535
SSDEEP: 98304:66hinuTTOuMS4tnNHxJjXRREENh9lF6OfFU4XzQAm9ohZIuVP+U/c0RSKzt0atHd:7GFKiDn2I

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the BIOS version

      • 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe (PID: 5092)
  • INFO

    • Creates files in the program directory

      • 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe (PID: 5092)
    • Themida protector has been detected

      • 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe (PID: 5092)
    • Checks supported languages

      • 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe (PID: 5092)
    • Reads the computer name

      • 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe (PID: 5092)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

ProductVersion: 1.0.0.0
LegalCopyright: Copyright (C) 2024
InternalName: hookload.exe
FileVersion: 1.0.0.0
FileDescription: RiotGameSkin
CompanyName: TODO: <公司名>
CharacterSet: Unicode
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x958058
UninitializedDataSize: -
InitializedDataSize: 1564160
CodeSize: 155136
LinkerVersion: 14.38
PEType: PE32+
ImageFileCharacteristics: Executable, Large address aware
TimeStamp: 2024:12:14 05:25:52+00:00
MachineType: AMD AMD64
No data.
All screenshots are available in the full report
Total processes: 117
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe no specs

Process information

PID: 5092
CMD: "C:\Users\admin\Desktop\6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe"
Path: C:\Users\admin\Desktop\6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Company: TODO: <公司名>
Integrity Level: MEDIUM
Description: RiotGameSkin
Version: 1.0.0.0
Modules
Images
c:\users\admin\desktop\6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 72
Read events: 60
Write events: 12
Delete events: 0

Modification events

Process: (5092) 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe
Key: HKEY_CLASSES_ROOT\CertificateAuthority.Request\CLSID
Operation: write
Name: Certificate Number (860055337)
Value: 48F36158ACD549BB

Process: (5092) 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DrWatson
Operation: write
Name: bbqcbykfu
Value: A08C5AD16C504F85

Process: (5092) 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe
Key: HKEY_CLASSES_ROOT\CompressedFolder\CLSID
Operation: write
Name: vfimptqo05
Value: 72C2982E99E06FFD6DBE1ADC

Process: (5092) 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DrWatson
Operation: write
Name: InitOrder(684177973)
Value: 01D9A02F490EA09328D473A8

Process: (5092) 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe
Key: HKEY_CLASSES_ROOT\CLSID\{12b3ecec-3c8e-a50e-336d-01767967}
Operation: write
Name: SortOrderIndex
Value: D1DFFA57F528E189D17F60D8

Process: (5092) 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DrWatson
Operation: write
Name: InitOrder(56046649)
Value: 6E92E01F87931CBE9842B550

Process: (5092) 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe
Key: HKEY_CLASSES_ROOT\CLSID\{12b3ecec-3c8e-a50e-336d-01767967}
Operation: write
Name: SortOrderIndex
Value: C165FC57F528E189D17F60D8

Process: (5092) 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DrWatson
Operation: write
Name: InitOrder(56046649)
Value: 7E28E61F87931CBE9842B550

Process: (5092) 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe
Key: HKEY_CLASSES_ROOT\CLSID\{12b3ecec-3c8e-a50e-336d-01767967}
Operation: write
Name: SortOrderIndex
Value: C1DE02B3F528E189D17F60D8

Process: (5092) 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DrWatson
Operation: write
Name: InitOrder(56046649)
Value: 7E9318FB87931CBE9842B550

Executable files: 0
Suspicious files: 5
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5092 | 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe | C:\ProgramData\kfpondqx.plw | binary
  MD5: 34EBDEE2E7ED7F98518A586FFC476260
  SHA256: B4EF899521D50AE1C6642C5E0A53E03A17F339FCE2130269459E2A72EED0592F
5092 | 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe | C:\ProgramData\mntemp | binary
  MD5: 0BA1EF720A85681A0F0567793CE256D1
  SHA256: 1E5ADF5C42153174305C80E329715209051C16259ADD7C196E599D0D085CB3A1
5092 | 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe | C:\ProgramData\ffvfimpt.qor | text
  MD5: 24D20A181D6B9A0B9EA264A6AA3E11A4
  SHA256: A9792648DC27A87BD9CED9A65A0741EFE08B3FBCF14246B59F5AF1CD97BE51D7
5092 | 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe | C:\ProgramData\svakaain.wtb | binary
  MD5: 8C5CBF28C0897C00BD4BEC3197C3EEB2
  SHA256: 628ABA7C582776F2C9D98ED9BBE45235EF1A174F786CF8F7DC0E1758C60B1E97
5092 | 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe | C:\ProgramData\iylmhori.fie | binary
  MD5: 6EF783E49BF2C2531B84AA74745808E0
  SHA256: EC2EF02EAA6661E79968DBCC0E53DE9636629976848666947160BC804094E6FD
5092 | 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe | C:\ProgramData\qcbykfut.pdu | binary
  MD5: 0E8FB06757E68A45ACF163349224F964
  SHA256: F299323FD4728E709B7FD5F4EA2E9E4459A960E954171155592801C51E0502DA
5092 | 6884bdc623d477394bcbf05bb4a2ed841fe8b1b50ad06f44df143832ca6cd535.exe | C:\ProgramData\gmqitmeh.xcn | text
  MD5: 9483EE495DBC8431385A997C69700905
  SHA256: C084F5A9218265E0C41C6509091E6F963ED419149924A4B16F008BCE424F9AD4

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 19
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5004 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5004 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
5004 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5004 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5004 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3976 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.181.238 | whitelisted
crl.microsoft.com | 23.53.40.176, 23.53.40.178 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
self.events.data.microsoft.com | 20.44.10.123 | whitelisted

Threats

No threats detected
No debug info