File name: | 8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8 |
Full analysis: | https://app.any.run/tasks/1cd856fb-75cc-4c88-a342-6b07eebe9867 |
Verdict: | Malicious activity |
Analysis date: | January 10, 2025, 23:20:52 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
MD5: | 6601489A77FE0D96CAD5785D92CC6EC1 |
SHA1: | 40741DBFFBF1F32628068C2C11A2340435B8AA38 |
SHA256: | 8E0661081D96C59206F46AD57C7B8339901A5B5B87EA7EEA22A39DC500671AE8 |
SSDEEP: | 49152:RPPkzemqoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtnrD5:tP/mp7t3T4+B/btosJwIA4hHmZlKH2TV |
.exe | | | Win64 Executable (generic) (76.4) |
---|---|---|
.exe | | | Win32 Executable (generic) (12.4) |
.exe | | | Generic Win/DOS Executable (5.5) |
.exe | | | DOS Executable Generic (5.5) |
CharacterSet: | Unicode |
---|---|
LanguageCode: | English (British) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 0.0.0.0 |
FileVersionNumber: | 0.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x20577 |
UninitializedDataSize: | - |
InitializedDataSize: | 712192 |
CodeSize: | 633856 |
LinkerVersion: | 14.16 |
PEType: | PE32 |
ImageFileCharacteristics: | Executable, Large address aware, 32-bit |
TimeStamp: | 2024:12:19 04:44:07+00:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
4516 | "C:\Users\admin\AppData\Local\Temp\8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe" | C:\Users\admin\AppData\Local\Temp\8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221225477 Modules
| |||||||||||||||
6228 | "C:\Users\admin\AppData\Local\Temp\8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe" | C:\Windows\SysWOW64\svchost.exe | — | 8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) | |||||||||||||||
6384 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4516 -s 764 | C:\Windows\SysWOW64\WerFault.exe | 8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
6384 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_8e0661081d96c592_45367e9b594598cce7267152b480481ceb79dd58_ce8e30bc_79b0466f-ef5a-47e3-ac61-1351b22ea705\Report.wer | — | |
MD5:— | SHA256:— | |||
6384 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER7320.tmp.dmp | binary | |
MD5:E6C912D7E917F13F829BF7BEDBBE56DC | SHA256:B95688BD839A4B7433009F7FF6D1F63F0EE7253B4728B33EB698063360B38C50 | |||
6384 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785 | binary | |
MD5:F6F53CD09A41E968C363419B279D3112 | SHA256:6D2BB01CC7A9BADE2113B219CAC1BDA86B2733196B7E1BD0C807CE1E396B1892 | |||
6384 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE | binary | |
MD5:59A2C596F1E1B58D228051A506FD5EEE | SHA256:33A0197D6ECFB95E67775758F3DFD39E8819AF22CCD37C24DE7D2CDA11C5AAAA | |||
4516 | 8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe | C:\Users\admin\AppData\Local\Temp\translucently | binary | |
MD5:24D22E256A287CC7BFD8164E0D11DDAC | SHA256:DD45A827A3099338F954855D7504053A1388D3CFBBD3B324D0A680BC5FA85D17 | |||
6384 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785 | binary | |
MD5:DEB55653ED1A068629358A9FBA9B3C3B | SHA256:6E92B78D8415F3167EDA9064F094909FD92AC00065C3E48A6D2DCD400B2697EC | |||
6384 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER765D.tmp.WERInternalMetadata.xml | xml | |
MD5:FBF917F444B2AB9E8A409E3FF55D93CB | SHA256:BE74CE6C7CE8C8F3D0021A6F6B7FA4999F73DB1159127881C130369E5B9FC132 | |||
6384 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE | der | |
MD5:FA84E4BCC92AA5DB735AB50711040CDE | SHA256:6D7205E794FDE4219A62D9692ECDDF612663A5CF20399E79BE87B851FCA4CA33 | |||
6384 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER7842.tmp.xml | xml | |
MD5:F1D98CD2723EC64FF9E39DF077AD270C | SHA256:66FCD8E0D4E53C3760885C03922C5EAAE4D6F20984259D3218F0A4F75298FE28 | |||
6384 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe.4516.dmp | binary | |
MD5:C349814722E207FFD7409AF2B919CE82 | SHA256:85C7C8A61D75C9BA75B0C2A3132B2498732F3703AC425843BAD26AB904F83238 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6384 | WerFault.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
— | — | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
6384 | WerFault.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6960 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
6960 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
3552 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4536 | svchost.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
— | — | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5064 | SearchApp.exe | 104.126.37.123:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
— | — | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1076 | svchost.exe | 23.35.238.131:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted |
Domain | IP | Reputation |
---|---|---|
crl.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
watson.events.data.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |