File name: 7c0c99b4f57cc9e7aa86772a594f8de5a2980b16b123d3deee6513b0b9bdc770

Full analysis: https://app.any.run/tasks/a963bd07-6b9d-45e7-a45b-0c3c44f4c9a4
Verdict: Malicious activity
Analysis date: October 26, 2024, 22:03:59
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 41040B888A87F81D7F62FE4A8E65F73A
SHA1: 3C58DBEAF63E6632186331B8049346D364699326
SHA256: 7C0C99B4F57CC9E7AA86772A594F8DE5A2980B16B123D3DEEE6513B0B9BDC770
SSDEEP: 49152:vKq0hL6qVeZY/Q5b3mcjiGtDJ3bj9ZYDgW6VkT7dsFDqp1puEXGVmg1K4GHORFj/:iq0h+qVIt3bj9ZYEW6S7UwrxGHK4FFNp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • 7c0c99b4f57cc9e7aa86772a594f8de5a2980b16b123d3deee6513b0b9bdc770.exe (PID: 2692)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • 7c0c99b4f57cc9e7aa86772a594f8de5a2980b16b123d3deee6513b0b9bdc770.exe (PID: 2692)
  • INFO
    • Checks supported languages
      • 7c0c99b4f57cc9e7aa86772a594f8de5a2980b16b123d3deee6513b0b9bdc770.exe (PID: 2692)
    • Creates files or folders in the user directory
      • 7c0c99b4f57cc9e7aa86772a594f8de5a2980b16b123d3deee6513b0b9bdc770.exe (PID: 2692)
    • Creates files in a temporary directory
      • 7c0c99b4f57cc9e7aa86772a594f8de5a2980b16b123d3deee6513b0b9bdc770.exe (PID: 2692)
    • Reads the computer name
      • 7c0c99b4f57cc9e7aa86772a594f8de5a2980b16b123d3deee6513b0b9bdc770.exe (PID: 2692)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2000:08:06 04:00:48+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 442880
InitializedDataSize: 141824
UninitializedDataSize: -
EntryPoint: 0x53e3d
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows 32-bit
ObjectFileType: Dynamic link library
FileSubtype: 3
LanguageCode: English (British)
CharacterSet: Unicode
Total processes: 122
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → 7c0c99b4f57cc9e7aa86772a594f8de5a2980b16b123d3deee6513b0b9bdc770.exe

Process information

PID: 2692
CMD: "C:\Users\admin\Desktop\7c0c99b4f57cc9e7aa86772a594f8de5a2980b16b123d3deee6513b0b9bdc770.exe"
Path: C:\Users\admin\Desktop\7c0c99b4f57cc9e7aa86772a594f8de5a2980b16b123d3deee6513b0b9bdc770.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\7c0c99b4f57cc9e7aa86772a594f8de5a2980b16b123d3deee6513b0b9bdc770.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 79
Read events: 75
Write events: 4
Delete events: 0

Modification events

(PID) Process: (2692) 7c0c99b4f57cc9e7aa86772a594f8de5a2980b16b123d3deee6513b0b9bdc770.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Msn Messsenger
Value: C:\Users\admin\AppData\Roaming\regsvr.exe

(PID) Process: (2692) 7c0c99b4f57cc9e7aa86772a594f8de5a2980b16b123d3deee6513b0b9bdc770.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Yahoo Messsenger
Value: C:\Users\admin\AppData\Roaming\support\svchost.exe

(PID) Process: (2692) 7c0c99b4f57cc9e7aa86772a594f8de5a2980b16b123d3deee6513b0b9bdc770.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
Operation: write
Name: shared
Value: \New Folder .exe
Executable files: 2
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID: 2692
Process: 7c0c99b4f57cc9e7aa86772a594f8de5a2980b16b123d3deee6513b0b9bdc770.exe
Filename: C:\Users\admin\AppData\Roaming\regsvr.exe
Type: executable
MD5: 41040B888A87F81D7F62FE4A8E65F73A
SHA256: 7C0C99B4F57CC9E7AA86772A594F8DE5A2980B16B123D3DEEE6513B0B9BDC770

PID: 2692
Process: 7c0c99b4f57cc9e7aa86772a594f8de5a2980b16b123d3deee6513b0b9bdc770.exe
Filename: C:\Users\admin\AppData\Local\Temp\autC201.tmp
Type: binary
MD5: C03D6FF6A3EB8D38648A9F1FDA409864
SHA256: 37C5BF6958842753616B9ADC9EC54857F72E0C5B2A35BED97FC65946696BC637

PID: 2692
Process: 7c0c99b4f57cc9e7aa86772a594f8de5a2980b16b123d3deee6513b0b9bdc770.exe
Filename: C:\Users\admin\AppData\Roaming\setup.ini
Type: text
MD5: C4961474A0B39CB0800D307F4F0C7E04
SHA256: 57CF266E05450D1DF810234C677DBF394CEBA43E7D5319C1FB745DD8D738BB33
HTTP(S) requests: 6
TCP/UDP connections: 23
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4292 | RUXIMICS.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4292 | RUXIMICS.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6944 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4292 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.16.110.121:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6944 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4292 | RUXIMICS.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4292 | RUXIMICS.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
www.bing.com | 2.16.110.121 | whitelisted
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 23.52.120.96 | whitelisted
self.events.data.microsoft.com | 20.42.65.89 | whitelisted

Threats

No threats detected
No debug info