File name:

8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8

Full analysis: https://app.any.run/tasks/1cd856fb-75cc-4c88-a342-6b07eebe9867
Verdict: Malicious activity
Analysis date: January 10, 2025, 23:20:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

6601489A77FE0D96CAD5785D92CC6EC1

SHA1:

40741DBFFBF1F32628068C2C11A2340435B8AA38

SHA256:

8E0661081D96C59206F46AD57C7B8339901A5B5B87EA7EEA22A39DC500671AE8

SSDEEP:

49152:RPPkzemqoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtnrD5:tP/mp7t3T4+B/btosJwIA4hHmZlKH2TV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executes application which crashes

      • 8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe (PID: 4516)
  • INFO

    • Reads mouse settings

      • 8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe (PID: 4516)
    • The sample compiled with english language support

      • 8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe (PID: 4516)
    • Checks supported languages

      • 8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe (PID: 4516)
    • Create files in a temporary directory

      • 8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe (PID: 4516)
    • Checks proxy server information

      • WerFault.exe (PID: 6384)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6384)
    • The process uses AutoIt

      • 8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe (PID: 4516)
    • Reads the software policy settings

      • WerFault.exe (PID: 6384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

CharacterSet: Unicode
LanguageCode: English (British)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x20577
UninitializedDataSize: -
InitializedDataSize: 712192
CodeSize: 633856
LinkerVersion: 14.16
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2024:12:19 04:44:07+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe svchost.exe no specs werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
4516"C:\Users\admin\AppData\Local\Temp\8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe" C:\Users\admin\AppData\Local\Temp\8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\appdata\local\temp\8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
6228"C:\Users\admin\AppData\Local\Temp\8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe" C:\Windows\SysWOW64\svchost.exe8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
6384C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4516 -s 764C:\Windows\SysWOW64\WerFault.exe
8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
3 107
Read events
3 107
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
7
Text files
2
Unknown types
1

Dropped files

PID
Process
Filename
Type
6384WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_8e0661081d96c592_45367e9b594598cce7267152b480481ceb79dd58_ce8e30bc_79b0466f-ef5a-47e3-ac61-1351b22ea705\Report.wer
MD5:
SHA256:
6384WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER7320.tmp.dmpbinary
MD5:E6C912D7E917F13F829BF7BEDBBE56DC
SHA256:B95688BD839A4B7433009F7FF6D1F63F0EE7253B4728B33EB698063360B38C50
6384WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785binary
MD5:F6F53CD09A41E968C363419B279D3112
SHA256:6D2BB01CC7A9BADE2113B219CAC1BDA86B2733196B7E1BD0C807CE1E396B1892
6384WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FEbinary
MD5:59A2C596F1E1B58D228051A506FD5EEE
SHA256:33A0197D6ECFB95E67775758F3DFD39E8819AF22CCD37C24DE7D2CDA11C5AAAA
45168e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exeC:\Users\admin\AppData\Local\Temp\translucentlybinary
MD5:24D22E256A287CC7BFD8164E0D11DDAC
SHA256:DD45A827A3099338F954855D7504053A1388D3CFBBD3B324D0A680BC5FA85D17
6384WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785binary
MD5:DEB55653ED1A068629358A9FBA9B3C3B
SHA256:6E92B78D8415F3167EDA9064F094909FD92AC00065C3E48A6D2DCD400B2697EC
6384WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER765D.tmp.WERInternalMetadata.xmlxml
MD5:FBF917F444B2AB9E8A409E3FF55D93CB
SHA256:BE74CE6C7CE8C8F3D0021A6F6B7FA4999F73DB1159127881C130369E5B9FC132
6384WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FEder
MD5:FA84E4BCC92AA5DB735AB50711040CDE
SHA256:6D7205E794FDE4219A62D9692ECDDF612663A5CF20399E79BE87B851FCA4CA33
6384WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER7842.tmp.xmlxml
MD5:F1D98CD2723EC64FF9E39DF077AD270C
SHA256:66FCD8E0D4E53C3760885C03922C5EAAE4D6F20984259D3218F0A4F75298FE28
6384WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\8e0661081d96c59206f46ad57c7b8339901a5b5b87ea7eea22a39dc500671ae8.exe.4516.dmpbinary
MD5:C349814722E207FFD7409AF2B919CE82
SHA256:85C7C8A61D75C9BA75B0C2A3132B2498732F3703AC425843BAD26AB904F83238
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
37
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6384
WerFault.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6384
WerFault.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6960
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6960
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
3552
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4536
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.123:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
1076
svchost.exe
23.35.238.131:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
google.com
  • 142.250.74.206
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.bing.com
  • 104.126.37.123
  • 104.126.37.139
  • 104.126.37.130
  • 104.126.37.145
  • 104.126.37.128
  • 104.126.37.178
  • 104.126.37.154
  • 104.126.37.129
  • 104.126.37.131
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.73
  • 20.190.159.71
  • 40.126.31.73
  • 40.126.31.71
  • 40.126.31.69
  • 20.190.159.0
  • 40.126.31.67
whitelisted
watson.events.data.microsoft.com
  • 13.89.179.12
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted

Threats

No threats detected
No debug info