File name: 77739c19825e11f265457ee981727ec47ceff6d6e38bea5c445f2ff5b61acafb.exe

Full analysis: https://app.any.run/tasks/a95f8491-43d6-454a-ab22-32c5d9ef9f93
Verdict: Malicious activity
Analysis date: November 12, 2024, 10:58:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 13 sections
MD5: A114099AFF8347ED74E2164229F90397
SHA1: 257D2962DE28C17F9676DF496E2E719B8915FF86
SHA256: 77739C19825E11F265457EE981727EC47CEFF6D6E38BEA5C445F2FF5B61ACAFB
SSDEEP: 12288:WwLBnLn934uRJ5EiAaMDdCVYEe1rX689V3Vqm:jBnj934uRJ5EirMUYp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • 77739c19825e11f265457ee981727ec47ceff6d6e38bea5c445f2ff5b61acafb.exe (PID: 512)
      • zvzvgjn.exe (PID: 6480)
    • The process executes via Task Scheduler
      • zvzvgjn.exe (PID: 6480)
      • zvzvgjn.exe (PID: 6940)
    • Starts itself from another location
      • zvzvgjn.exe (PID: 6480)
    • Executes application which crashes
      • zvzvgjn.exe (PID: 6940)
  • INFO
    • Checks supported languages
      • 77739c19825e11f265457ee981727ec47ceff6d6e38bea5c445f2ff5b61acafb.exe (PID: 512)
    • Creates files in the program directory
      • 77739c19825e11f265457ee981727ec47ceff6d6e38bea5c445f2ff5b61acafb.exe (PID: 512)
    • Creates files in a temporary directory
      • zvzvgjn.exe (PID: 6480)
    • The process uses the downloaded file
      • zvzvgjn.exe (PID: 6480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.1)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:06:28 22:30:49+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 24576
InitializedDataSize: 251392
UninitializedDataSize: -
EntryPoint: 0x33240
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.1.2600.0
ProductVersionNumber: 5.1.2600.0
FileFlagsMask: 0x003f
FileFlags: Debug, Pre-release
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
CompanyName: Hilgraeve, Inc.
FileDescription: HyperTerminal Applet
FileVersion: 5.1.2600.0
No data.
All screenshots are available in the full report
Total processes: 130
Monitored processes: 5
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Process nodes: start, 77739c19825e11f265457ee981727ec47ceff6d6e38bea5c445f2ff5b61acafb.exe, zvzvgjn.exe, java_update_dcphbaa.exe, zvzvgjn.exe, werfault.exe

Process information

PID: 512
CMD: "C:\Users\admin\Desktop\77739c19825e11f265457ee981727ec47ceff6d6e38bea5c445f2ff5b61acafb.exe"
Path: C:\Users\admin\Desktop\77739c19825e11f265457ee981727ec47ceff6d6e38bea5c445f2ff5b61acafb.exe
Parent process: explorer.exe
User: admin
Company: Hilgraeve, Inc.
Integrity Level: MEDIUM
Description: HyperTerminal Applet
Exit code: 0
Version: 5.1.2600.0
Modules (Images):
  • c:\users\admin\desktop\77739c19825e11f265457ee981727ec47ceff6d6e38bea5c445f2ff5b61acafb.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\user32.dll

PID: 4376
CMD: "C:\Users\admin\AppData\Local\Temp\java_update_dcphbaa.exe"
Path: C:\Users\admin\AppData\Local\Temp\java_update_dcphbaa.exe
Parent process: zvzvgjn.exe
User: admin
Company: Hilgraeve, Inc.
Integrity Level: HIGH
Description: HyperTerminal Applet
Exit code: 0
Version: 5.1.2600.0
Modules (Images):
  • c:\users\admin\appdata\local\temp\java_update_dcphbaa.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\acgenral.dll

PID: 6184
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6940 -s 456
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: zvzvgjn.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\syswow64\werfault.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\msvcrt.dll
  • c:\windows\syswow64\combase.dll

PID: 6480
CMD: "C:\PROGRA~3\Mozilla\zvzvgjn.exe" -eglgyjm
Path: C:\ProgramData\Mozilla\zvzvgjn.exe
Parent process: svchost.exe
User: admin
Company: Hilgraeve, Inc.
Integrity Level: MEDIUM
Description: HyperTerminal Applet
Exit code: 0
Version: 5.1.2600.0
Modules (Images):
  • c:\programdata\mozilla\zvzvgjn.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\user32.dll

PID: 6940
CMD: "C:\PROGRA~3\Mozilla\zvzvgjn.exe" -eglgyjm
Path: C:\ProgramData\Mozilla\zvzvgjn.exe
Parent process: svchost.exe
User: SYSTEM
Company: Hilgraeve, Inc.
Integrity Level: SYSTEM
Description: HyperTerminal Applet
Exit code: 255
Version: 5.1.2600.0
Modules (Images):
  • c:\programdata\mozilla\zvzvgjn.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\user32.dll
  • c:\windows\syswow64\win32u.dll
Total events: 5 579
Read events: 5 552
Write events: 24
Delete events: 3

Modification events

(PID) Process: (6184) WerFault.exe
Key: \REGISTRY\A\{4ab627b7-6419-c308-b767-ee65f57e8309}\Root\InventoryApplicationFile
Operation: write | Name: WritePermissionsCheck
Value: 1

(PID) Process: (6184) WerFault.exe
Key: \REGISTRY\A\{4ab627b7-6419-c308-b767-ee65f57e8309}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key | Name: (default)
Value: -

(PID) Process: (6184) WerFault.exe
Key: \REGISTRY\A\{4ab627b7-6419-c308-b767-ee65f57e8309}\Root\InventoryApplicationFile\zvzvgjn.exe|e0b2dabeb09912c8
Operation: write | Name: ProgramId
Value: 00066235646864b7a4b838f6e1756db7a45600000904

(PID) Process: (6184) WerFault.exe
Key: \REGISTRY\A\{4ab627b7-6419-c308-b767-ee65f57e8309}\Root\InventoryApplicationFile\zvzvgjn.exe|e0b2dabeb09912c8
Operation: write | Name: FileId
Value: 000009e559302f91e7400a04503a102f67da76a4ff14

(PID) Process: (6184) WerFault.exe
Key: \REGISTRY\A\{4ab627b7-6419-c308-b767-ee65f57e8309}\Root\InventoryApplicationFile\zvzvgjn.exe|e0b2dabeb09912c8
Operation: write | Name: LowerCaseLongPath
Value: c:\programdata\mozilla\zvzvgjn.exe

(PID) Process: (6184) WerFault.exe
Key: \REGISTRY\A\{4ab627b7-6419-c308-b767-ee65f57e8309}\Root\InventoryApplicationFile\zvzvgjn.exe|e0b2dabeb09912c8
Operation: write | Name: LongPathHash
Value: zvzvgjn.exe|e0b2dabeb09912c8

(PID) Process: (6184) WerFault.exe
Key: \REGISTRY\A\{4ab627b7-6419-c308-b767-ee65f57e8309}\Root\InventoryApplicationFile\zvzvgjn.exe|e0b2dabeb09912c8
Operation: write | Name: Name
Value: zvzvgjn.exe

(PID) Process: (6184) WerFault.exe
Key: \REGISTRY\A\{4ab627b7-6419-c308-b767-ee65f57e8309}\Root\InventoryApplicationFile\zvzvgjn.exe|e0b2dabeb09912c8
Operation: write | Name: OriginalFileName
Value: -

(PID) Process: (6184) WerFault.exe
Key: \REGISTRY\A\{4ab627b7-6419-c308-b767-ee65f57e8309}\Root\InventoryApplicationFile\zvzvgjn.exe|e0b2dabeb09912c8
Operation: write | Name: Publisher
Value: hilgraeve, inc.

(PID) Process: (6184) WerFault.exe
Key: \REGISTRY\A\{4ab627b7-6419-c308-b767-ee65f57e8309}\Root\InventoryApplicationFile\zvzvgjn.exe|e0b2dabeb09912c8
Operation: write | Name: Version
Value: 5.1.2600.0
Executable files: 2
Suspicious files: 2
Text files: 2
Unknown types: 0

Dropped files

PID: 6184 | Process: WerFault.exe | Type: -
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_zvzvgjn.exe_3241526b99d38b8be41c26552971f87b9936676_0903add8_89940f3f-2186-4b82-8148-ed4ba6fda71f\Report.wer
MD5: -
SHA256: -

PID: 512 | Process: 77739c19825e11f265457ee981727ec47ceff6d6e38bea5c445f2ff5b61acafb.exe | Type: executable
Filename: C:\ProgramData\Mozilla\zvzvgjn.exe
MD5: 76FA98D287EE8D93E8944CA2952DD907
SHA256: 80B06CBD41FBF05B32AB2F1CAC00669CAC39F581091FC52E8D39E90B508E4E9E

PID: 6184 | Process: WerFault.exe | Type: xml
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER25AD.tmp.WERInternalMetadata.xml
MD5: 1FD7237BAD4014216E631D42CE2449A1
SHA256: 97BF3EC099D96EDE3E1D0FE0B31812DE1D37C53972A2B33B20CE6AABEE23F50E

PID: 6184 | Process: WerFault.exe | Type: binary
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER253F.tmp.dmp
MD5: E88E160D1E403AA2CB3C10BB604E6C57
SHA256: 9552B64ABB75395A508F619005628AE5C9E93C11484005CB51A301CE613001A1

PID: 6480 | Process: zvzvgjn.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\java_update_dcphbaa.exe
MD5: 0CE78E0A0CF1409B727329BE72FA64AF
SHA256: 1B33B3862171F3483832CA1521FEA0E9E9A03557B898BE1F614355AAC25C55A2

PID: 6184 | Process: WerFault.exe | Type: binary
Filename: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\CrashDumps\zvzvgjn.exe.6940.dmp
MD5: ACA4487EEDD3C9C11EA21AF8D38CF2B2
SHA256: 4DC24660D0B49DE69CE479FBEBFB54B02EA2BB96BDA1339453DB306AD331632B

PID: 6184 | Process: WerFault.exe | Type: xml
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER25ED.tmp.xml
MD5: FCB95907A333A50ABB7202DD4CF48A4A
SHA256: 84F660275E14FC55D075BDE7BD51007762621D86D0AF137BFAA8519F38F8177D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 24
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6944 | svchost.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7044 | RUXIMICS.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
7044 | RUXIMICS.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7044 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6944 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.16.204.157:443 | - | Akamai International B.V. | DE | unknown
6944 | svchost.exe | 23.32.238.112:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.32.238.112:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7044 | RUXIMICS.exe | 23.32.238.112:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 172.217.23.110 | whitelisted
crl.microsoft.com | 23.32.238.112, 23.32.238.107 | whitelisted
www.microsoft.com | 2.23.181.156 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208, 51.124.78.146 | whitelisted
watson.events.data.microsoft.com | 104.208.16.94 | whitelisted
self.events.data.microsoft.com | 20.189.173.14 | whitelisted

Threats

No threats detected
No debug info