Malware analysis MDE_File_Sample_4055dc944a6430de290196b296dda0da1ca11a93.zip Malicious activity

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Add for printing

File name:	MDE_File_Sample_4055dc944a6430de290196b296dda0da1ca11a93.zip
Full analysis:	https://app.any.run/tasks/13a72252-eeb0-4ac9-8e16-515597ed7dc4
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	January 10, 2025 at 21:57:26
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	464C846584279DAA16CAEA73B4C3D333
SHA1:	49C5B21342445683617564859B2C2A884D2D8CF4
SHA256:	8DB146D4448E5B67610359FC4C12C3FAFA193BF60024E6E50E0BEB284E0CC0EA
SSDEEP:	24576:WgZdYe6oApzHLTMvPLHIHrB0airMrUzoz3mc5ex14wTM2LCXToJUqRtfwqhH2j:WgZdYe65zHLTMvPLHArB0airMwzoz3ma

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Malware-specific behavior (creating "System.dll" in Temp)
  - Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
- Reads security settings of Internet Explorer
  - Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
  - Email Access Online.exe (PID: 3724)
- The process creates files with name similar to system file names
  - Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
- Process requests binary or script from the Internet
  - Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
- Searches for installed software
  - Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
  - Email Access Online.exe (PID: 3724)
- Executable content was dropped or overwritten
  - Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
- Checks Windows Trust Settings
  - Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
  - Email Access Online.exe (PID: 3724)
- Creates a software uninstall entry
  - Email Access Online.exe (PID: 3724)
- Reads Microsoft Outlook installation path
  - Email Access Online.exe (PID: 3724)
- Reads Internet Explorer settings
  - Email Access Online.exe (PID: 3724)
INFO
- Manual execution by a user
  - Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
- The sample compiled with english language support
  - Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
  - WinRAR.exe (PID: 1852)
- The process uses the downloaded file
  - WinRAR.exe (PID: 1852)
- Creates files or folders in the user directory
  - Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
  - Email Access Online.exe (PID: 3724)
- Checks supported languages
  - Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 1852)
- Reads the machine GUID from the registry
  - Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
  - Email Access Online.exe (PID: 3724)
- Checks proxy server information
  - Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
  - Email Access Online.exe (PID: 3724)
- Reads the software policy settings
  - Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
  - Email Access Online.exe (PID: 3724)
- Create files in a temporary directory
  - Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
- Reads the computer name
  - identity_helper.exe (PID: 1856)
- Application launched itself
  - msedge.exe (PID: 5696)
  - msedge.exe (PID: 8)
- Reads Environment values
  - identity_helper.exe (PID: 1856)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipFileName:	Access Gov Docs Tab_5e961b22d7571.exe
ZipUncompressedSize:	790960
ZipCompressedSize:	755896
ZipCRC:	0x851c521d
ZipModifyDate:	2025:01:10 21:56:56
ZipCompression:	Deflated
ZipBitFlag:	0x0001
ZipRequiredVersion:	20

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

178

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1852

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Downloads\MDE_File_Sample_4055dc944a6430de290196b296dda0da1ca11a93.zip

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

7108

"C:\Users\admin\Desktop\Access Gov Docs Tab_5e961b22d7571.exe"

C:\Users\admin\Desktop\Access Gov Docs Tab_5e961b22d7571.exe

explorer.exe

User:

admin

Company:

Better Cloud Solutions LTD

Integrity Level:

MEDIUM

Description:

Desktop web search

Exit code:

Version:

3.9.0.1

Modules

Images
c:\users\admin\desktop\access gov docs tab_5e961b22d7571.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

3724

"C:\Users\admin\AppData\Local\Email Access Online\Email Access Online.exe" /firstrun

C:\Users\admin\AppData\Local\Email Access Online\Email Access Online.exe

Access Gov Docs Tab_5e961b22d7571.exe

User:

admin

Company:

Better Cloud Solutions LTD

Integrity Level:

MEDIUM

Description:

Desktop web search

Version:

3.9.0.1

Modules

Images
c:\users\admin\appdata\local\email access online\email access online.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

5696

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://results.hemailaccessonline.com/s?uid=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&uc=20250110&source=-lp0-bb8-sbe&i_id=email_&ap=appfocus1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Email Access Online.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

3988

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x31c,0x320,0x324,0x314,0x32c,0x7ff821c95fd8,0x7ff821c95fe4,0x7ff821c95ff0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

6268

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2456 --field-trial-handle=2460,i,12400054285894631682,9148779680471048263,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

6304

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2532 --field-trial-handle=2460,i,12400054285894631682,9148779680471048263,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

6552

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2704 --field-trial-handle=2460,i,12400054285894631682,9148779680471048263,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

6744

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3352 --field-trial-handle=2460,i,12400054285894631682,9148779680471048263,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1544

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3768 --field-trial-handle=2460,i,12400054285894631682,9148779680471048263,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

13 217

Read events

13 143

Write events

Delete events

Modification events


(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Downloads\MDE_File_Sample_4055dc944a6430de290196b296dda0da1ca11a93.zip
(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	15
Value:
(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	14
Value:

Add for printing

Executable files

Suspicious files

274

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7108	Access Gov Docs Tab_5e961b22d7571.exe	C:\Users\admin\AppData\Local\Temp\nsq251C.tmp\terms.rtf		text
		MD5:B056EF6D4BD8257ED72BB891116F9D25	SHA256:358D9486CA52E2BB2A2AB4AD856186FCBC8C91289F3BED59BD6EEA395416828D
7108	Access Gov Docs Tab_5e961b22d7571.exe	C:\Users\admin\AppData\Local\Email Access Online\Email Access Online.exe		executable
		MD5:274571892CCA0BD86E4075FE2E34B2F5	SHA256:CAE17EBA18160EC9A9BAC823F715619593DC068781773378698C7DF27708AEF2
7108	Access Gov Docs Tab_5e961b22d7571.exe	C:\Users\admin\AppData\Local\Temp\nsq251C.tmp\npHelper.dll		executable
		MD5:94E82583F53A9BDF534B8A8D135BA959	SHA256:9C9D23489AF9449215C17FEE86496C55E309AF32057400C1726E30311677C7B4
7108	Access Gov Docs Tab_5e961b22d7571.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517		der
		MD5:EA77FF6B9F8CD8481BA33062D9A6C482	SHA256:C02C06367922C99C043474BEC40C8CF3A12C1C9AD6062079119CA26F8C9730F1
7108	Access Gov Docs Tab_5e961b22d7571.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656		binary
		MD5:0840CE55A79825EE94E535E7BAAEB110	SHA256:5F1E9524694E316E261FB284EE9CAC8D1CA91981524F5E7DD5256F7DA95A469E
7108	Access Gov Docs Tab_5e961b22d7571.exe	C:\Users\admin\AppData\Local\Temp\nsq251C.tmp\installer_small_sb.bmp		image
		MD5:9BC62942811FDC96A20A280F0CA71B6C	SHA256:5A95502E8E34B041679DBA2288E8F511EE14AAFB23A97F96A3B4CED7C37BF991
7108	Access Gov Docs Tab_5e961b22d7571.exe	C:\Users\admin\AppData\Local\Email Access Online\widgets.json		text
		MD5:E5D73C304455C7A4728FE5EF1C770334	SHA256:FA978CC72E0F0A766F315F7B6B1824DE403A1AB1368872ED2EF9AC895D6D43C5
7108	Access Gov Docs Tab_5e961b22d7571.exe	C:\Users\admin\AppData\Local\Temp\nsq251C.tmp\System.dll		executable
		MD5:A4DD044BCD94E9B3370CCF095B31F896	SHA256:2E226715419A5882E2E14278940EE8EF0AA648A3EF7AF5B3DC252674111962BC
7108	Access Gov Docs Tab_5e961b22d7571.exe	C:\Users\admin\AppData\Local\Temp\nsq251C.tmp\nsDialogs.dll		executable
		MD5:0D45588070CF728359055F776AF16EC4	SHA256:067C77D51DF034B4A614F83803140FBF4CD2F8684B88EA8C8ACDF163EDAD085A
7108	Access Gov Docs Tab_5e961b22d7571.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656		binary
		MD5:68A372C3CB02EE13D5859586384F2B4D	SHA256:0AE1E361CD2CC977822B81910533B5271FA504D6CBCABCF2E48E4E893AF18F24

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

131

DNS requests

110

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
—	—	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6848	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
—	—	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7108	Access Gov Docs Tab_5e961b22d7571.exe	GET	503	18.218.193.209:80	http://sb-mybettercloud.com/cgi/adk/chrdlid.cgi?id=5e961b22d7571	unknown	—	—	—
7108	Access Gov Docs Tab_5e961b22d7571.exe	GET	503	18.218.193.209:80	http://websearchdl.com/cgi/adk/chrdlid.cgi?dfn=Access%20Gov%20Docs%20Tab_5e961b22d7571.exe&err=4&data=<html><head><title>503%20Service%20Temporarily%20Unavailable</title></head><body><center><h1>503%20Service%20Temporarily%20Unavailable</h1></center></body></html>	unknown	—	—	—
7108	Access Gov Docs Tab_5e961b22d7571.exe	GET	200	18.245.65.219:80	http://ocsp.r2m02.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRmbQtwnInkvkvr7BNFR%2BS2lTYPjAQUwDFSzVpQw4J8dHHOy%2Bmc%2BXrrguICEAcgJC2RE6WQrxCNDcG%2BhG0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4712	MoUsoCoreWorker.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
—	—	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5064	SearchApp.exe	2.23.227.215:443	www.bing.com	Ooredoo Q.S.C.	QA	whitelisted
5848	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	2.23.246.101 184.30.21.171	whitelisted
google.com	216.58.206.78	whitelisted
www.bing.com	2.23.227.215 2.23.227.208 104.126.37.129 104.126.37.163 104.126.37.123 104.126.37.170 104.126.37.177 104.126.37.131 104.126.37.185 104.126.37.128 104.126.37.130	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.31.71 20.190.159.2 20.190.159.73 20.190.159.68 20.190.159.64 40.126.31.67 20.190.159.75 20.190.159.0	whitelisted
go.microsoft.com	2.23.242.9	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
arc.msn.com	20.223.35.26	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

MDE_File_Sample_4055dc944a6430de290196b296dda0da1ca11a93.zip

464C846584279DAA16CAEA73B4C3D333

49C5B21342445683617564859B2C2A884D2D8CF4

8DB146D4448E5B67610359FC4C12C3FAFA193BF60024E6E50E0BEB284E0CC0EA

24576:WgZdYe6oApzHLTMvPLHIHrB0airMrUzoz3mc5ex14wTM2LCXToJUqRtfwqhH2j:WgZdYe65zHLTMvPLHArB0airMwzoz3ma

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

Reads security settings of Internet Explorer

The process creates files with name similar to system file names

Process requests binary or script from the Internet

Searches for installed software

Executable content was dropped or overwritten

Checks Windows Trust Settings

Creates a software uninstall entry

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

INFO

Manual execution by a user

The sample compiled with english language support

The process uses the downloaded file

Creates files or folders in the user directory

Checks supported languages

Executable content was dropped or overwritten

Reads the machine GUID from the registry

Checks proxy server information

Reads the software policy settings

Create files in a temporary directory

Reads the computer name

Application launched itself

Reads Environment values

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings