File name:

al-khaser_x64.exe

Full analysis: https://app.any.run/tasks/58a07cd7-b1a7-4495-bbae-6d9144f9f136
Verdict: Malicious activity
Analysis date: June 30, 2024, 02:24:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5:

D06AC635B1EF21C7EFC60CEB8DA9D15D

SHA1:

858E1F8C2891534E8C2D0AA8DAA0D25B70988D57

SHA256:

7035C9AF2452A82026DB724D072B1D50D779EEDCB71872D25746F0F6D7528445

SSDEEP:

3072:85E+p4R4O24hXz8TtZ5AZHdvKEfZTHy4QG4BCPOClK22JXtU6ZxuMpQomDkMki6v:Y+R44hXldFZxNX2NNNynSKAmq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • al-khaser_x64.exe (PID: 1484)

  • SUSPICIOUS

    • Detected use of alternative data streams (AltDS)

      • al-khaser_x64.exe (PID: 1484)

    • The process checks if it is being run in the virtual environment

      • al-khaser_x64.exe (PID: 1484)

    • Executes as Windows Service

      • WmiApSrv.exe (PID: 1140)

    • Read disk information to detect sandboxing environments

      • al-khaser_x64.exe (PID: 1484)

    • Reads the BIOS version

      • al-khaser_x64.exe (PID: 1484)

  • INFO

    • Checks supported languages

      • al-khaser_x64.exe (PID: 1484)

    • Create files in a temporary directory

      • al-khaser_x64.exe (PID: 1484)

    • Reads the computer name

      • al-khaser_x64.exe (PID: 1484)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:06:30 01:56:40+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 91136
InitializedDataSize: 167936
UninitializedDataSize: -
EntryPoint: 0x16828
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start al-khaser_x64.exe conhost.exe no specs wmiapsrv.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1140C:\WINDOWS\system32\wbem\WmiApSrv.exeC:\Windows\System32\wbem\WmiApSrv.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Performance Reverse Adapter
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\psapi.dll
1484"C:\Users\admin\AppData\Local\Temp\al-khaser_x64.exe" C:\Users\admin\AppData\Local\Temp\al-khaser_x64.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\al-khaser_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4092\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeal-khaser_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
1 986
Read events
1 985
Write events
1
Delete events
0

Modification events

(PID) Process:(1140) WmiApSrv.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance
Operation:writeName:Performance Refreshed
Value:
0
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
1484al-khaser_x64.exeC:\Users\admin\AppData\Local\Temp\log.txttext
MD5:C6F7FC1A344C03ECAFE49BF9CF55B706
SHA256:DB7F2D8B6AA1C8115FE54056C1B56F9CA409012F5C81E5533483FC6E27816E1D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
57
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4656
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
unknown
1544
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
5584
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
1096
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
2612
SIHClient.exe
GET
200
88.221.125.143:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
2612
SIHClient.exe
GET
200
88.221.125.143:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4032
svchost.exe
239.255.255.250:1900
whitelisted
2336
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
2476
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4656
SearchApp.exe
92.123.104.28:443
www.bing.com
Akamai International B.V.
DE
unknown
1544
svchost.exe
40.126.32.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
4656
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1544
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
2912
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1060
svchost.exe
184.28.89.167:443
go.microsoft.com
AKAMAI-AS
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
www.bing.com
  • 92.123.104.28
  • 92.123.104.34
  • 92.123.104.59
  • 92.123.104.31
  • 92.123.104.33
  • 92.123.104.60
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.68
  • 20.190.160.17
  • 40.126.32.134
  • 40.126.32.76
  • 40.126.32.74
  • 40.126.32.133
  • 40.126.32.140
  • 40.126.32.136
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
self.events.data.microsoft.com
  • 52.182.143.210
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.105.99.58
whitelisted
slscr.update.microsoft.com
  • 40.68.123.157
whitelisted
www.microsoft.com
  • 88.221.125.143
whitelisted

Threats

No threats detected
Process
Message
al-khaser_x64.exe
TLS callback: process attach
al-khaser_x64.exe
All seems fine for TLSCallbackProcess.
al-khaser_x64.exe
TLS callback: thread attach
al-khaser_x64.exe
TLS callback: dummy thread launched
al-khaser_x64.exe
All seems fine for TLSCallbackThread.
al-khaser_x64.exe
TLS callback: thread attach
al-khaser_x64.exe
TLS callback: thread attach
al-khaser_x64.exe
TLS callback: thread attach
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
al-khaser_x64.exe