File name: 82ff14d43cb47b9956733b03996b4596cd2ad3787e1fbe0e091f2845c290d29d.exe

Full analysis: https://app.any.run/tasks/f29b4d67-9a59-440a-abdc-b8e74e3d9236
Verdict: Malicious activity
Analysis date: April 28, 2024, 17:17:17
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: ABB479E268AB353A9A0B543F40A8FE4E
SHA1: F63A9BDE38B24C3D5B83785A01928DFD91FDF01D
SHA256: 82FF14D43CB47B9956733B03996B4596CD2AD3787E1FBE0E091F2845C290D29D
SSDEEP: 49152:U5UdSVxw9OMTcfWBHMZ7XX6mGsyfdOFZFsw9cWUBvmV2eLzbQlQn7hu7ccVg:HdSVxwUWJYXqcyUFZFsgKpe8lGI7ccV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 82ff14d43cb47b9956733b03996b4596cd2ad3787e1fbe0e091f2845c290d29d.exe (PID: 6460)
    • Application was injected by another process

      • sihost.exe (PID: 1560)
      • svchost.exe (PID: 2984)
      • explorer.exe (PID: 4472)
      • svchost.exe (PID: 4732)
      • svchost.exe (PID: 3876)
      • dllhost.exe (PID: 5408)
      • RuntimeBroker.exe (PID: 5048)
      • RuntimeBroker.exe (PID: 5212)
      • RuntimeBroker.exe (PID: 5888)
      • UserOOBEBroker.exe (PID: 5760)
      • RuntimeBroker.exe (PID: 6556)
      • svchost.exe (PID: 2760)
      • ApplicationFrameHost.exe (PID: 5544)
    • Runs injected code in another process

      • dialer.exe (PID: 7000)
      • dialer.exe (PID: 5632)
    • Changes the autorun value in the registry

      • reg.exe (PID: 7016)
      • reg.exe (PID: 5576)
  • SUSPICIOUS

    • Uses REG/REGEDIT.EXE to modify registry

      • 82ff14d43cb47b9956733b03996b4596cd2ad3787e1fbe0e091f2845c290d29d.exe (PID: 6460)
      • ehnwpptzoxzr.exe (PID: 5944)
    • Executable content was dropped or overwritten

      • 82ff14d43cb47b9956733b03996b4596cd2ad3787e1fbe0e091f2845c290d29d.exe (PID: 6460)
    • Starts itself from another location

      • 82ff14d43cb47b9956733b03996b4596cd2ad3787e1fbe0e091f2845c290d29d.exe (PID: 6460)
  • INFO

    • Checks supported languages

      • 82ff14d43cb47b9956733b03996b4596cd2ad3787e1fbe0e091f2845c290d29d.exe (PID: 6460)
      • ehnwpptzoxzr.exe (PID: 5944)
    • Reads security settings of Internet Explorer

      • RuntimeBroker.exe (PID: 6556)
    • Creates files or folders in the user directory

      • 82ff14d43cb47b9956733b03996b4596cd2ad3787e1fbe0e091f2845c290d29d.exe (PID: 6460)
    • Reads the software policy settings

      • slui.exe (PID: 6780)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:04:27 08:34:47+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 27648
InitializedDataSize: 2852864
UninitializedDataSize: -
EntryPoint: 0x1140
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
Total processes: 132
Monitored processes: 26
Malicious processes: 17
Suspicious processes: 2

Behavior graph

start 82ff14d43cb47b9956733b03996b4596cd2ad3787e1fbe0e091f2845c290d29d.exe runtimebroker.exe sppextcomobj.exe no specs slui.exe dialer.exe no specs reg.exe conhost.exe no specs ehnwpptzoxzr.exe no specs dialer.exe no specs reg.exe conhost.exe no specs dialer.exe no specs slui.exe no specs filecoauth.exe no specs sihost.exe svchost.exe svchost.exe svchost.exe explorer.exe svchost.exe runtimebroker.exe runtimebroker.exe dllhost.exe applicationframehost.exe useroobebroker.exe runtimebroker.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1560
CMD: sihost.exe
Path: C:\Windows\System32\sihost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Shell Infrastructure Host
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sihost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 2308
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2760
CMD: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2984
CMD: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3808
CMD: C:\WINDOWS\system32\dialer.exe
Path: C:\Windows\System32\dialer.exe
Parent process: ehnwpptzoxzr.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Windows Phone Dialer
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dialer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
PID: 3876
CMD: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4472
CMD: C:\WINDOWS\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 4732
CMD: C:\WINDOWS\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 5048
CMD: C:\Windows\System32\RuntimeBroker.exe -Embedding
Path: C:\Windows\System32\RuntimeBroker.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Runtime Broker
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runtimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
PID: 5176
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 2 240
Read events: 2 223
Write events: 17
Delete events: 0

Modification events

Process: (1560) sihost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy
Operation: write
Name: WasEverActivated
Value: 1

Process: (7016) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: YBEUGGGE
Value: C:\Users\admin\AppData\Roaming\hizgwipekpug\ehnwpptzoxzr.exe

Process: (5576) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: YBEUGGGE
Value: C:\Users\admin\AppData\Roaming\hizgwipekpug\ehnwpptzoxzr.exe

Process: (3876) svchost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\MicrosoftWindows.Client.CBS_cw5n1h2txyewy!Global.IrisService
Operation: write
Name: channelId
Value:
㬱㜸ㄹ㜴㘴㤵㤹〰㤱㈱6

Process: (3876) svchost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\MicrosoftWindows.Client.CBS_cw5n1h2txyewy!Global.IrisService
Operation: write
Name: channelUri
Value:
瑨灴㩳⼯湷㉳愭㍭⹰潮楴祦眮湩潤獷挮浯㼯潴敫㵮睁䅙䅁佂䑕丵允䍭塁乃扱煏㈥㝦塊払䙍䅊稸啓䭦浌汗䝳㝐慫潆汪坰煊佳桒椲䐹煖ㅨ桩戵䝉╙昲橗䰸㜹瑬摙昴济䍰䭨剐歂灗䉔奺啱卸䅘湅婯㥅㕩䑭䵆硗䴴摙䥎㐰䕢㤵㘳䔰噌㈥杢摯㙺㙥偡橯

Process: (3876) svchost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\MicrosoftWindows.Client.CBS_cw5n1h2txyewy!Global.IrisService
Operation: write
Name: channelExpiry
Value: 133613902680000000

Process: (3876) svchost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\MicrosoftWindows.Client.CBS_cw5n1h2txyewy!Global.IrisService
Operation: write
Name: channelCreation
Value: 133587982686856546

Process: (3876) svchost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\MicrosoftWindows.Client.CBS_cw5n1h2txyewy!Global.IrisService
Operation: write
Name: deviceVersion
Value: 5

Process: (5212) RuntimeBroker.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
Operation: write
Name: 0018C00DC34F12A9
Value:
0100000001000000D08C9DDF0115D1118C7A00C04FC297EB01000000AB9DAE5C820D6848BE6C1E42A06A38DD00000000020000000000106600000001000020000000074B3F0C3A8D9C6E444833E7A3151DAC991EB1A0B98C693C6DA502139E0E28ED000000000E80000000020000200000006E97C2FC2B28169DAB6556DC26A9ADBC77A0D2E73577F61B1823B62EF1B699FD80000000E11435E7B939605BA74A1D4D559BB0808DA39B6744E9BA6F1075BE1B872B4B9304E394BABFDD57EEE1BACDA8C54028F3E64EE239A060C42B649CE5AA560520100FD08BA2D5DD464DA0D0088F28E12E735F6BEF3E0649EDBC3E75B8E34486F3A2ABD51FBB1111930528ED494DD3FA3658958FEA7478C577A6F4AC77D11A3BD7DB400000002AA83C59AD08CCBA29E33058A032488F912BB28C7A752DA9A96DA7B815729CD235432C3793A07DA1DAB5019D77CC3F8D8C22BEDEE76A85410B6900EFD91D1B9F

Process: (5212) RuntimeBroker.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757
Operation: write
Name: DeviceTicket
Executable files: 1
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 6828
Process: FileCoAuth.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-04-28.1718.6828.1.odl
Type: binary
MD5:E1FF013CC4A4BC913029EC0C92C7A4C4
SHA256:C4086B5DC085B9F03E3922C93F6DD8EC190F6988F658AABB1959D4F35B531AFC
PID: 6828
Process: FileCoAuth.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-04-28.1718.6828.1.aodl
Type: binary
MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
PID: 6460
Process: 82ff14d43cb47b9956733b03996b4596cd2ad3787e1fbe0e091f2845c290d29d.exe
Filename: C:\Users\admin\AppData\Roaming\hizgwipekpug\ehnwpptzoxzr.exe
Type: executable
MD5:ABB479E268AB353A9A0B543F40A8FE4E
SHA256:82FF14D43CB47B9956733B03996B4596CD2AD3787E1FBE0E091F2845C290D29D
HTTP(S) requests: 8
TCP/UDP connections: 54
DNS requests: 17
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1208
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
4680
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
2.19.45.226:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
6336
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
unknown
3644
SIHClient.exe
GET
200
2.19.45.226:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
3644
SIHClient.exe
GET
200
2.19.45.226:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
6296
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D
unknown
unknown
2908
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
239.255.255.250:1900
unknown
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
3196
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5140
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4680
SearchApp.exe
23.205.255.140:443
www.bing.com
AKAMAI-AS
DE
unknown
4680
SearchApp.exe
23.205.255.145:443
AKAMAI-AS
DE
unknown
1208
svchost.exe
20.190.159.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1208
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1032
svchost.exe
2.19.45.160:443
go.microsoft.com
AKAMAI-AS
DE
unknown
4680
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 20.190.159.73
  • 40.126.31.71
  • 20.190.159.71
  • 20.190.159.68
  • 20.190.159.75
  • 40.126.31.67
  • 40.126.31.69
  • 40.126.31.73
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 2.19.45.160
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
www.microsoft.com
  • 2.19.45.226
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
www.bing.com
  • 23.205.255.151
  • 23.205.255.140
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted

Threats

No threats detected