File name: 89ffb715e0a02eb089269f055f3104aecf648cd88366bf3ed49fb318ee257588.exe

Full analysis: https://app.any.run/tasks/9235e593-226a-45a4-8b74-da5a779b3823
Verdict: Malicious activity
Analysis date: July 19, 2024, 16:13:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: antivm
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5: 177DBA5455E57AFE9DA6CFA0DDA3D61D
SHA1: 96A4C6B60F58313FB18B6546871006A174D207FF
SHA256: 89FFB715E0A02EB089269F055F3104AECF648CD88366BF3ED49FB318EE257588
SSDEEP: 98304:nerFpgFMcnWWGME6XVgjsaXBaIyKmw3bVA/cAkrqYjGnE2EOOBqdLIikYtLvfFBQ:nlEVH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 89ffb715e0a02eb089269f055f3104aecf648cd88366bf3ed49fb318ee257588.exe (PID: 4496)
    • Changes the login/logoff helper path in the registry

      • AppLaunch.exe (PID: 3020)
    • Changes the autorun value in the registry

      • AppLaunch.exe (PID: 3020)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 89ffb715e0a02eb089269f055f3104aecf648cd88366bf3ed49fb318ee257588.exe (PID: 4496)
    • Executable content was dropped or overwritten

      • 89ffb715e0a02eb089269f055f3104aecf648cd88366bf3ed49fb318ee257588.exe (PID: 4496)
    • The process creates files with name similar to system file names

      • 89ffb715e0a02eb089269f055f3104aecf648cd88366bf3ed49fb318ee257588.exe (PID: 4496)
    • Application launched itself

      • AppLaunch.exe (PID: 2252)
      • AppLaunch.exe (PID: 7852)
      • AppLaunch.exe (PID: 6668)
      • AppLaunch.exe (PID: 1832)
      • AppLaunch.exe (PID: 1300)
      • AppLaunch.exe (PID: 8028)
      • AppLaunch.exe (PID: 1580)
      • AppLaunch.exe (PID: 5612)
      • AppLaunch.exe (PID: 6948)
      • AppLaunch.exe (PID: 6324)
      • AppLaunch.exe (PID: 7588)
      • AppLaunch.exe (PID: 3724)
      • AppLaunch.exe (PID: 6616)
    • Reads security settings of Internet Explorer

      • 89ffb715e0a02eb089269f055f3104aecf648cd88366bf3ed49fb318ee257588.exe (PID: 4496)
    • The process checks if it is being run in the virtual environment

      • 89ffb715e0a02eb089269f055f3104aecf648cd88366bf3ed49fb318ee257588.exe (PID: 4496)
    • Executes application which crashes

      • cmd.exe (PID: 7028)
      • AppLaunch.exe (PID: 2252)
      • cmd.exe (PID: 7384)
      • AppLaunch.exe (PID: 7852)
      • cmd.exe (PID: 7588)
      • cmd.exe (PID: 7364)
      • AppLaunch.exe (PID: 6668)
      • cmd.exe (PID: 7236)
      • AppLaunch.exe (PID: 1832)
      • AppLaunch.exe (PID: 1300)
      • AppLaunch.exe (PID: 8028)
      • cmd.exe (PID: 972)
      • cmd.exe (PID: 6288)
      • AppLaunch.exe (PID: 1580)
      • AppLaunch.exe (PID: 5612)
      • cmd.exe (PID: 5920)
      • cmd.exe (PID: 6608)
      • AppLaunch.exe (PID: 6324)
      • cmd.exe (PID: 3556)
      • AppLaunch.exe (PID: 6948)
      • cmd.exe (PID: 3328)
      • AppLaunch.exe (PID: 3724)
      • cmd.exe (PID: 1068)
      • AppLaunch.exe (PID: 7588)
      • cmd.exe (PID: 1580)
      • AppLaunch.exe (PID: 6616)
    • There is functionality for VM detection (VMWare)

      • 89ffb715e0a02eb089269f055f3104aecf648cd88366bf3ed49fb318ee257588.exe (PID: 4496)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 3868)
      • cmd.exe (PID: 6916)
      • cmd.exe (PID: 4568)
      • cmd.exe (PID: 4612)
      • cmd.exe (PID: 7796)
    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 4568)
    • Uses TASKKILL.EXE to kill process

      • AppLaunch.exe (PID: 3020)
    • Starts CMD.EXE for commands execution

      • AppLaunch.exe (PID: 3020)
  • INFO

    • Checks supported languages

      • 89ffb715e0a02eb089269f055f3104aecf648cd88366bf3ed49fb318ee257588.exe (PID: 4496)
      • cmd.exe (PID: 7028)
      • forfiles.exe (PID: 7228)
      • AppLaunch.exe (PID: 2252)
      • AppLaunch.exe (PID: 3020)
      • cmd.exe (PID: 7384)
      • AppLaunch.exe (PID: 7852)
      • AppLaunch.exe (PID: 7160)
      • cmd.exe (PID: 7588)
      • AppLaunch.exe (PID: 1832)
      • AppLaunch.exe (PID: 6404)
      • AppLaunch.exe (PID: 2788)
      • AppLaunch.exe (PID: 6668)
      • cmd.exe (PID: 7364)
      • cmd.exe (PID: 7236)
      • AppLaunch.exe (PID: 1300)
      • AppLaunch.exe (PID: 7132)
      • cmd.exe (PID: 972)
      • AppLaunch.exe (PID: 6404)
      • cmd.exe (PID: 6288)
      • AppLaunch.exe (PID: 1580)
      • AppLaunch.exe (PID: 8028)
      • AppLaunch.exe (PID: 5612)
      • cmd.exe (PID: 5920)
      • AppLaunch.exe (PID: 8140)
      • AppLaunch.exe (PID: 6948)
      • AppLaunch.exe (PID: 8176)
      • cmd.exe (PID: 3556)
      • AppLaunch.exe (PID: 508)
      • AppLaunch.exe (PID: 1940)
      • cmd.exe (PID: 1068)
      • AppLaunch.exe (PID: 7588)
      • AppLaunch.exe (PID: 5444)
      • cmd.exe (PID: 6608)
      • AppLaunch.exe (PID: 6324)
      • AppLaunch.exe (PID: 7792)
      • cmd.exe (PID: 3328)
      • cmd.exe (PID: 1580)
      • AppLaunch.exe (PID: 3724)
      • AppLaunch.exe (PID: 4968)
      • AppLaunch.exe (PID: 6616)
    • Creates files in the program directory

      • 89ffb715e0a02eb089269f055f3104aecf648cd88366bf3ed49fb318ee257588.exe (PID: 4496)
    • Reads the computer name

      • 89ffb715e0a02eb089269f055f3104aecf648cd88366bf3ed49fb318ee257588.exe (PID: 4496)
      • AppLaunch.exe (PID: 3020)
      • AppLaunch.exe (PID: 7160)
      • AppLaunch.exe (PID: 6404)
      • AppLaunch.exe (PID: 2788)
      • AppLaunch.exe (PID: 7132)
      • AppLaunch.exe (PID: 6404)
      • AppLaunch.exe (PID: 8140)
      • AppLaunch.exe (PID: 8176)
      • AppLaunch.exe (PID: 508)
      • AppLaunch.exe (PID: 1940)
      • AppLaunch.exe (PID: 5444)
      • AppLaunch.exe (PID: 7792)
      • AppLaunch.exe (PID: 4968)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 7480)
      • WerFault.exe (PID: 7380)
      • WerFault.exe (PID: 5896)
      • WerFault.exe (PID: 2140)
      • WerFault.exe (PID: 5116)
      • WerFault.exe (PID: 8152)
      • WerFault.exe (PID: 5468)
      • WerFault.exe (PID: 5820)
      • WerFault.exe (PID: 6512)
      • WerFault.exe (PID: 5408)
      • WerFault.exe (PID: 7616)
      • WerFault.exe (PID: 568)
      • WerFault.exe (PID: 1340)
      • WerFault.exe (PID: 6292)
      • WerFault.exe (PID: 1652)
      • WerFault.exe (PID: 7588)
      • WerFault.exe (PID: 4092)
      • WerFault.exe (PID: 4804)
      • WerFault.exe (PID: 7400)
      • WerFault.exe (PID: 6264)
      • WerFault.exe (PID: 5004)
      • WerFault.exe (PID: 2028)
      • WerFault.exe (PID: 2788)
      • WerFault.exe (PID: 2060)
      • WerFault.exe (PID: 6204)
      • WerFault.exe (PID: 5112)
      • WerFault.exe (PID: 6356)
      • WerFault.exe (PID: 3688)
      • WerFault.exe (PID: 7180)
      • WerFault.exe (PID: 5400)
      • WerFault.exe (PID: 5420)
      • WerFault.exe (PID: 6972)
      • WerFault.exe (PID: 5732)
      • WerFault.exe (PID: 4328)
      • WerFault.exe (PID: 6880)
    • Reads the machine GUID from the registry

      • AppLaunch.exe (PID: 7160)
      • AppLaunch.exe (PID: 3020)
      • AppLaunch.exe (PID: 2788)
      • AppLaunch.exe (PID: 6404)
      • AppLaunch.exe (PID: 7132)
      • AppLaunch.exe (PID: 6404)
      • AppLaunch.exe (PID: 8140)
      • AppLaunch.exe (PID: 508)
      • AppLaunch.exe (PID: 1940)
      • AppLaunch.exe (PID: 8176)
      • AppLaunch.exe (PID: 5444)
      • AppLaunch.exe (PID: 7792)
      • AppLaunch.exe (PID: 4968)
    • Create files in a temporary directory

      • AppLaunch.exe (PID: 3020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:07:18 15:15:41+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.3
CodeSize: 3346432
InitializedDataSize: 106496
UninitializedDataSize: 4251648
EntryPoint: 0x73f9c0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Windows, Latin1
CompanyName: NoStopMedia
FileVersion: 1.0.0.0
FileDescription: Launcher
InternalName: trenininmiba
LegalCopyright: Copyright © NoStopMedia. All rights reserved.
LegalTrademarks: -
OriginalFileName: trenininmiba.exe
ProductName: Launcher
ProductVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 294
Monitored processes: 119
Malicious processes: 5
Suspicious processes: 0

Behavior graph

(Interactive process tree; only the node labels survived extraction.) The tree starts at 89ffb715e0a02eb089269f055f3104aecf648cd88366bf3ed49fb318ee257588.exe, which runs forfiles.exe and then repeats the chain cmd.exe -> applaunch.exe -> werfault.exe, each with its own conhost.exe, for every one of the thirteen AppLaunch.exe instances listed under "Application launched itself". Between those chains sit a cluster of five cmd.exe launches, one taskkill.exe and ten attrib.exe launches. The final node is a second instance of the sample. Nodes marked "no specs" in the graph carried no indicators.

Process information

Each row gives PID, command line (CMD), image path, parent process and, where the report recorded them, user, company, integrity level, description, exit code, version and loaded modules. Exit codes are printed as unsigned decimals: 3221225477 is NTSTATUS 0xC0000005 (STATUS_ACCESS_VIOLATION), so each such exit is a crash and corresponds to one of the WerFault.exe instances, whose -p argument names the crashed PID. The first instance of the sample (PID 1540, medium integrity, started by explorer.exe) exited with 3221226540, NTSTATUS 0xC000042C (STATUS_ELEVATION_REQUIRED), with only ntdll.dll loaded; every process that follows runs at HIGH integrity, and the indicator list attributes the sample's behaviour to a second instance, PID 4496, whose row is not part of this extract.
PID 508 | CMD: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Parent: AppLaunch.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft .NET ClickOnce Launch Utility
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID 568 | CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1832 -s 632 | Path: C:\Windows\SysWOW64\WerFault.exe | Parent: AppLaunch.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID 972 | CMD: /c echo "groupna.png" | Path: C:\ProgramData\Microsoft\Windows\MSCaches\cmd.exe | Parent: forfiles.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225477
Modules (images):
c:\programdata\microsoft\windows\mscaches\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID 1068 | CMD: /c echo "strongfamilies.rtf" | Path: C:\ProgramData\Microsoft\Windows\MSCaches\cmd.exe | Parent: forfiles.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225477
Modules (images):
c:\programdata\microsoft\windows\mscaches\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID 1164 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: AppLaunch.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1300 | CMD: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Parent: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft .NET ClickOnce Launch Utility
Exit code: 3221225477
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID 1340 | CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7236 -s 524 | Path: C:\Windows\SysWOW64\WerFault.exe | Parent: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID 1348 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: AppLaunch.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1540 | CMD: "C:\Users\admin\Desktop\89ffb715e0a02eb089269f055f3104aecf648cd88366bf3ed49fb318ee257588.exe" | Path: C:\Users\admin\Desktop\89ffb715e0a02eb089269f055f3104aecf648cd88366bf3ed49fb318ee257588.exe | Parent: explorer.exe
User: admin
Company: NoStopMedia
Integrity Level: MEDIUM
Description: Launcher
Exit code: 3221226540
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\89ffb715e0a02eb089269f055f3104aecf648cd88366bf3ed49fb318ee257588.exe
c:\windows\system32\ntdll.dll
PID 1580 | CMD: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Parent: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft .NET ClickOnce Launch Utility
Exit code: 3221225477
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
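The process rows above carry the three patterns a responder would want to pull out of any report on this sample: a file named like a system binary (cmd.exe) running from C:\ProgramData\Microsoft\Windows\MSCaches\, forfiles.exe and cmd.exe acting as proxy launchers for a bare AppLaunch.exe, and a run of processes dying with NTSTATUS exit codes that each spawn a WerFault.exe. The Python below is an added triage example that applies those patterns and the indicator-list signatures to the rows; it is my code, not ANY.RUN's and not anything from the sample. PROCS is a hand-copied subset of the report's rows, and the rule names, the SYSTEM_DIRS/SYSTEM_NAMES lists and the WerFault -p parsing are assumptions of the example rather than fields of the report.

```python
"""Triage the 'Process information' rows of a sandbox report.

Added example for this page, not ANY.RUN code. PROCS is a hand-copied subset
of the report's rows (PID, command line, image path, parent image, exit code
as printed, in decimal); the rule names, SYSTEM_DIRS and SYSTEM_NAMES are
assumptions of this example, not fields of the report.
"""
import ntpath
import re

# NTSTATUS values that sandboxes print as unsigned decimal exit codes.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}

# Where a genuine copy of these Windows binaries is expected to live (assumption).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
               r"c:\windows\microsoft.net")
SYSTEM_NAMES = {"cmd.exe", "conhost.exe", "applaunch.exe", "werfault.exe",
                "attrib.exe", "forfiles.exe", "taskkill.exe"}

SAMPLE = "89ffb715e0a02eb089269f055f3104aecf648cd88366bf3ed49fb318ee257588.exe"

# Constructed from the report's process rows (command lines copied as printed).
PROCS = [
    {"pid": 1540, "cmd": '"C:\\Users\\admin\\Desktop\\' + SAMPLE + '"',
     "path": "C:\\Users\\admin\\Desktop\\" + SAMPLE,
     "parent": "explorer.exe", "exit_code": 3221226540},
    {"pid": 972, "cmd": r'/c echo "groupna.png"',
     "path": r"C:\ProgramData\Microsoft\Windows\MSCaches\cmd.exe",
     "parent": "forfiles.exe", "exit_code": 3221225477},
    {"pid": 1300, "cmd": r'"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"',
     "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "parent": "cmd.exe", "exit_code": 3221225477},
    {"pid": 508, "cmd": r'"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"',
     "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "parent": "AppLaunch.exe", "exit_code": 0},
    {"pid": 568, "cmd": r"C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1832 -s 632",
     "path": r"C:\Windows\SysWOW64\WerFault.exe",
     "parent": "AppLaunch.exe", "exit_code": 0},
    {"pid": 1164, "cmd": r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1",
     "path": r"C:\Windows\System32\conhost.exe",
     "parent": "AppLaunch.exe", "exit_code": 0},
]


def decode_exit_code(code: int) -> str:
    """Render a decimal exit code as NTSTATUS hex, naming it when known."""
    if code == 0:
        return "0 (success)"
    if code >> 30 != 0b11:          # severity bits 11 mark an NTSTATUS error
        return f"{code} (not an NTSTATUS error)"
    return f"0x{code:08X} ({NTSTATUS_NAMES.get(code, 'NTSTATUS error')})"


def werfault_victim(cmd: str):
    """PID passed to WerFault.exe with -p, i.e. the process whose crash it reports."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)", cmd)
    return int(m.group(1)) if m else None


def is_bare_applaunch(cmd: str) -> bool:
    """True when AppLaunch.exe was started with no ClickOnce manifest argument."""
    return cmd.strip().strip('"').lower().endswith("applaunch.exe")


def triage(procs):
    """Map each PID to its list of findings; an empty list means nothing fired."""
    findings = {}
    for p in procs:
        hits = []
        image = p["path"].lower()
        name = ntpath.basename(image)
        parent = p["parent"].lower()
        cmd = p["cmd"]
        # 1. A system-binary name outside the Windows tree: a dropped lookalike.
        if name in SYSTEM_NAMES and not image.startswith(SYSTEM_DIRS):
            hits.append(f"masquerade: {name} running from {p['path']}")
        # 2. forfiles.exe used as a proxy launcher (LOLBin).
        if parent == "forfiles.exe":
            hits.append(f"forfiles proxy: {name} {cmd}")
        # 3. Bare AppLaunch.exe from a shell or from itself: nothing legitimate
        #    starts it this way, so treat it as a probable injection host.
        if name == "applaunch.exe" and is_bare_applaunch(cmd) \
                and parent in ("cmd.exe", "applaunch.exe"):
            hits.append(f"bare AppLaunch.exe launched by {parent}")
        # 4. Abnormal termination; the report's 0xC0000005 exits pair with WerFault.
        if p["exit_code"] >> 30 == 0b11:
            hits.append(f"exit {decode_exit_code(p['exit_code'])}")
        # 5. Tie each WerFault.exe back to the PID whose crash it reports.
        if name == "werfault.exe":
            victim = werfault_victim(cmd)
            if victim is not None:
                hits.append(f"crash report for PID {victim}")
        findings[p["pid"]] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in triage(PROCS).items():
        for hit in hits:
            print(f"{pid:>5}  {hit}")
```

Run as a script it prints one finding per line; the benign conhost.exe row produces none, which is the control that keeps the rules from flagging every child of AppLaunch.exe. To cover all 119 monitored processes, feed triage() rows exported from the full report, or Sysmon event ID 1 records, which carry the same image, command-line and parent fields. The exit-code rule keys on the two top bits of the value, which is what separates an NTSTATUS error from an ordinary process return code.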
Total events: 91 879
Read events: 91 577
Write events: 185
Delete events: 117

Modification events

All ten registry events in this extract are WerFault.exe (PIDs 7380 and 7480) writing the application-compatibility (Amcache) inventory entry for the crashed AppLaunch.exe into an application hive, \REGISTRY\A\{19f6146b-f670-b4e1-4693-11b37f5b5c5c}\Root\InventoryApplicationFile. They are a side effect of the crashes, not persistence. The autorun and logon/logoff-helper changes that the indicator list attributes to AppLaunch.exe (PID 3020) are not among them; the keys involved are only in the full report.

Key prefix K below = \REGISTRY\A\{19f6146b-f670-b4e1-4693-11b37f5b5c5c}\Root\InventoryApplicationFile

PID 7380 WerFault.exe; write; K; WritePermissionsCheck = 1
PID 7380 WerFault.exe; delete key; K\PermissionsCheckTestKey; (default)
PID 7480 WerFault.exe; write; K; WritePermissionsCheck = 1
PID 7480 WerFault.exe; delete key; K\PermissionsCheckTestKey; (default)
PID 7380 WerFault.exe; write; K\applaunch.exe|7127527a8f617d48; ProgramId = 0000f519feec486de87ed73cb92d3cac802400000000
PID 7380 WerFault.exe; write; K\applaunch.exe|7127527a8f617d48; FileId = 0000fd08e9a06fe2897850095ed293f90c77489a08f7
PID 7380 WerFault.exe; write; K\applaunch.exe|7127527a8f617d48; LowerCaseLongPath = c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
PID 7380 WerFault.exe; write; K\applaunch.exe|7127527a8f617d48; LongPathHash = applaunch.exe|7127527a8f617d48
PID 7380 WerFault.exe; write; K\applaunch.exe|7127527a8f617d48; Name = AppLaunch.exe
PID 7380 WerFault.exe; write; K\applaunch.exe|7127527a8f617d48; OriginalFileName = applaunch.exe
Executable files: 4
Suspicious files: 69
Text files: 82
Unknown types: 10

Dropped files (PID, process, filename, type, MD5, SHA256). The rows that survived extraction are all Windows Error Reporting artefacts for the crashed cmd.exe and AppLaunch.exe instances. The executable files counted above are not listed here; the process rows show that at least one of them, a cmd.exe copy at C:\ProgramData\Microsoft\Windows\MSCaches\cmd.exe, was executed.

7480 WerFault.exe  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cmd.exe_a62847f525d85c16db81bd0e7ef97a412ff56b_2076538d_f3c885e5-edef-426a-9d36-5528b25aff64\Report.wer  (type, MD5 and SHA256 not shown)
7380 WerFault.exe  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AppLaunch.exe_e7da30cf5d9744fbce7b9206b9c58a4383a2cb8_e872a7f5_a60ffbab-63a4-485a-af00-b8a7ef15ff8b\Report.wer  (type, MD5 and SHA256 not shown)
5896 WerFault.exe  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AppLaunch.exe_e53256f71dfa44eaf6293a32c34cec881a4cbc_e872a7f5_498e470e-b39f-48ae-b226-40518f397086\Report.wer  (type, MD5 and SHA256 not shown)
2140 WerFault.exe  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cmd.exe_a62847f525d85c16db81bd0e7ef97a412ff56b_2076538d_49927bf0-0345-4c56-9408-c4416e30b1c6\Report.wer  (type, MD5 and SHA256 not shown)
7480 WerFault.exe  C:\ProgramData\Microsoft\Windows\WER\Temp\WERD4A6.tmp.xml  xml
  MD5: F86DF8AC7EC509CBA36CF37BAE96A8A5  SHA256: C427413CFC9125AC2EAEFE09ECA4E61895353BD1E0164236CB15C5EEB188B82F
7480 WerFault.exe  C:\ProgramData\Microsoft\Windows\WER\Temp\WERD36C.tmp.dmp  binary
  MD5: 5A1774530CDE80EA3357F3C7489AE6A3  SHA256: A6C03202FF2414BD27C540EBCEF7E914F47CAF5EEE1606ECCC7DD8C4751C45CD
7480 WerFault.exe  C:\Users\admin\AppData\Local\CrashDumps\cmd.exe.7028.dmp  binary
  MD5: B83BC03EB22AE968D0A4940E7E0369B8  SHA256: 765FCFD24457015227A04F849E8CA5CFDC9A06B22AB54CE73434A4A1DE944736
5468 WerFault.exe  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AppLaunch.exe_e7da30cf5d9744fbce7b9206b9c58a4383a2cb8_e872a7f5_cccb6e4c-95b5-4570-b865-c597f4361e46\Report.wer  (type, MD5 and SHA256 not shown)
5896 WerFault.exe  C:\ProgramData\Microsoft\Windows\WER\Temp\WERD784.tmp.xml  xml
  MD5: 0EE523EF6C9824A783764026A46BA6E0  SHA256: 1B6C2A979B1C94A2C6F091BEA8AF9347DB0747620A53052C1C91073DDA344ADD
2140 WerFault.exe  C:\ProgramData\Microsoft\Windows\WER\Temp\WERD773.tmp.dmp  binary
  MD5: 3E06261EE46200741269D8DD8B95C9AE  SHA256: 02AF43F8C5D9219727154758495E91329C1C14662CDB4F6DE6FEDFCD1A0C7D92
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 52
DNS requests: 25
Threats: 0

HTTP requests (PID, process, method, HTTP code, IP, URL, CN, type, size, reputation; the report leaves most fields blank)

(no PID)  GET 302  118.139.162.14:443  https://excelautomationsolutions.in/222/xex.php  reputation: unknown
(no PID)  GET 200  20.242.39.171:443  https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping  reputation: unknown
PID 4496  89ffb715e0a02eb089269f055f3104aecf648cd88366bf3ed49fb318ee257588.exe  GET (no code)  3.233.207.248:80  http://blockpg-dock.safezone.mcafee.com/blockpage/redirect/?ctxt=Kzd5WVBCL0JWS0lTS0c0YXhxNWdKMjlLbi9rQjN6UlMzVE01NGxYMnMyaEVDeFpXYzgvYlVCcS9LUzkyVnpkNUE0NkNITVh4ZGNZbzFnbTNXWWZEMS8zT1hIa3kySzBCaTNkRFFTMVhielJxMk5vU2x4dGJydz09&ts=1721405636  CN: unknown; reputation: unknown
(no PID)  GET 200  40.68.123.157:443  https://slscr.update.microsoft.com/sls/ping  reputation: unknown
(no PID)  POST (no code)  20.190.160.20:443  https://login.live.com/RST2.srf  reputation: unknown
(no PID)  POST (no code)  40.126.32.72:443  https://login.live.com/RST2.srf  reputation: unknown

Only the McAfee block-page request is attributed to a process, and that process is the sample (PID 4496). Its ts parameter, 1721405636, is a Unix timestamp for 2024-07-19 16:13:56 UTC, which matches the analysis timestamp (16:13:22) to within a minute, so the request belongs to this run rather than to a cached value. The 302 from excelautomationsolutions.in has no process attribution and its Location target is not shown, so the report by itself does not establish whether the block page is where that redirect led. The remaining requests are Windows Update (fe3cr.delivery.mp.microsoft.com, slscr.update.microsoft.com) and Microsoft account token traffic (login.live.com/RST2.srf).

Connections (PID, process, IP, domain, ASN, CN, reputation; rows the report shows without a PID are kept that way)

4  System  192.168.100.255:138  (NetBIOS datagram broadcast)  whitelisted
4716  svchost.exe  40.126.32.133:443  login.live.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  unknown
5620  MoUsoCoreWorker.exe  4.231.128.59:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
(no PID)  4.209.33.156:443  MICROSOFT-CORP-MSN-AS-BLOCK  US  unknown
(no PID)  40.91.76.224:443  activation-v2.sls.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted
(no PID)  40.126.32.133:443  login.live.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  unknown
(no PID)  239.255.255.250:1900  (SSDP multicast)  whitelisted
2760  svchost.exe  40.113.103.199:443  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
3196  svchost.exe  20.189.173.21:443  watson.events.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  US  unknown
6068  RUXIMICS.exe  51.104.136.2:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted

Every attributed connection belongs to a Windows service: telemetry, activation, Microsoft account sign-in, SSDP and NetBIOS broadcasts. No connection in this extract is attributed to the sample or to AppLaunch.exe; the two non-Microsoft hosts, excelautomationsolutions.in and blockpg-dock.safezone.mcafee.com, appear only in the HTTP and DNS tables.

DNS requests (domain: resolved IPs, reputation)

login.live.com: 40.126.32.133, 40.126.32.138, 40.126.32.134, 40.126.32.72, 40.126.32.68, 40.126.32.140, 20.190.160.22, 40.126.32.74 (whitelisted)
settings-win.data.microsoft.com: 4.231.128.59, 51.104.136.2, 51.124.78.146 (whitelisted)
activation-v2.sls.microsoft.com: 40.91.76.224 (whitelisted)
google.com: 142.250.186.142 (whitelisted)
watson.events.data.microsoft.com: 20.189.173.21 (whitelisted)
excelautomationsolutions.in: 118.139.162.14 (unknown)
fe3cr.delivery.mp.microsoft.com: 20.3.187.198 (whitelisted)
blockpg-dock.safezone.mcafee.com: 3.233.207.248, 34.226.187.2 (unknown)
slscr.update.microsoft.com: 13.85.23.86 (whitelisted)

Threats

No threats detected
No debug info