File name: aspnetcore-runtime-8.0.1-win-x64.exe

Full analysis: https://app.any.run/tasks/a795ea57-3268-4cb6-aa23-a6ac8bb2a8b0
Verdict: Malicious activity
Analysis date: January 29, 2024, 07:23:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 417424CE82668952F34DBB581074BDD5
SHA1: 0C4BE638C70EAC3B1F3B351D759F80F7D73518AE
SHA256: 918B126D94AB2795B00CB700CDEDA1B0B74B56EE82B75032C484FCB0F422FF16
SSDEEP: 98304:m+1MAK2LBwVD9Pd0IyrpmPCYn7QZAP/92+nqn5oovcObrMJzag/3LLSjuhzKSBSb:LcZuG2O5DgCCI/BK8WL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 984)
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 984)
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
    • Starts a Microsoft application from unusual location

      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 984)
    • Executable content was dropped or overwritten

      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 984)
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
    • Searches for installed software

      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
    • Reads the Internet Settings

      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
    • Starts itself from another location

      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
    • Creates a software uninstall entry

      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
  • INFO

    • Checks supported languages

      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 984)
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
    • Create files in a temporary directory

      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 984)
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
    • Reads the computer name

      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
    • Reads the machine GUID from the registry

      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
    • Creates files in the program directory

      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:22 17:58:18+02:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.16
CodeSize: 302080
InitializedDataSize: 162816
UninitializedDataSize: -
EntryPoint: 0x2e082
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 8.0.1.23580
ProductVersionNumber: 8.0.1.23580
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft ASP.NET Core 8.0.1 - Shared Framework (x64)
FileVersion: 8.0.1.23580
InternalName: setup
LegalCopyright: Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFileName: AspNetCoreSharedFrameworkBundle-x64.exe
ProductName: Microsoft ASP.NET Core 8.0.1 - Shared Framework (x64)
ProductVersion: 8.0.1.23580
Total processes: 42
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start aspnetcore-runtime-8.0.1-win-x64.exe aspnetcore-runtime-8.0.1-win-x64.exe aspnetcoresharedframeworkbundle-x64.exe

Process information

PID: 552
CMD: "C:\Users\admin\AppData\Local\Temp\{D77DA8A7-9565-4243-B260-5EE67311A6B7}\.cr\aspnetcore-runtime-8.0.1-win-x64.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\aspnetcore-runtime-8.0.1-win-x64.exe" -burn.filehandle.attached=152 -burn.filehandle.self=160
Path: C:\Users\admin\AppData\Local\Temp\{D77DA8A7-9565-4243-B260-5EE67311A6B7}\.cr\aspnetcore-runtime-8.0.1-win-x64.exe
Parent process: aspnetcore-runtime-8.0.1-win-x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ASP.NET Core 8.0.1 - Shared Framework (x64)
Exit code: 0
Version: 8.0.1.23580
Modules
Images
c:\users\admin\appdata\local\temp\{d77da8a7-9565-4243-b260-5ee67311a6b7}\.cr\aspnetcore-runtime-8.0.1-win-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 984
CMD: "C:\Users\admin\AppData\Local\Temp\aspnetcore-runtime-8.0.1-win-x64.exe"
Path: C:\Users\admin\AppData\Local\Temp\aspnetcore-runtime-8.0.1-win-x64.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ASP.NET Core 8.0.1 - Shared Framework (x64)
Exit code: 0
Version: 8.0.1.23580
Modules
Images
c:\users\admin\appdata\local\temp\aspnetcore-runtime-8.0.1-win-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2452
CMD: "C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.be\AspNetCoreSharedFrameworkBundle-x64.exe" -q -burn.elevated BurnPipe.{FDDF5503-F59D-447D-B975-070530E0F803} {08187F27-9314-4C47-8D34-7C6B60C5460B} 552
Path: C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.be\AspNetCoreSharedFrameworkBundle-x64.exe
Parent process: aspnetcore-runtime-8.0.1-win-x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ASP.NET Core 8.0.1 - Shared Framework (x64)
Exit code: 0
Version: 8.0.1.23580
Modules
Images
c:\users\admin\appdata\local\temp\{13cf05d4-087d-4187-99a5-0b399069863b}\.be\aspnetcoresharedframeworkbundle-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 1 434
Read events: 1 402
Write events: 30
Delete events: 2

Modification events

(PID) Process: (552) aspnetcore-runtime-8.0.1-win-x64.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (552) aspnetcore-runtime-8.0.1-win-x64.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (552) aspnetcore-runtime-8.0.1-win-x64.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (552) aspnetcore-runtime-8.0.1-win-x64.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2452) AspNetCoreSharedFrameworkBundle-x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 40000000000000003811FC442B2FDA01740A0000480C0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2452) AspNetCoreSharedFrameworkBundle-x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 40000000000000003811FC442B2FDA01740A0000480C0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2452) AspNetCoreSharedFrameworkBundle-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 74

(PID) Process: (2452) AspNetCoreSharedFrameworkBundle-x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 400000000000000086834F452B2FDA01740A0000480C0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2452) AspNetCoreSharedFrameworkBundle-x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value: 4000000000000000E0E551452B2FDA01740A0000340B0000E8030000010000000000000000000000C3E45FD4C91B4942AEB82FA6735F4DE60000000000000000

(PID) Process: (2452) AspNetCoreSharedFrameworkBundle-x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Leave)
Value: 4000000000000000A63F0E462B2FDA01740A0000340B0000E8030000000000000000000000000000C3E45FD4C91B4942AEB82FA6735F4DE60000000000000000
Executable files: 4
Suspicious files: 3
Text files: 20
Unknown types: 0

Dropped files

PID: 552
Process: aspnetcore-runtime-8.0.1-win-x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.ba\1028\thm.wxl
Type: xml
MD5: 423EE6BAFEB6F2D8D3C9C9BD12DB179B
SHA256: B427A8FF060943FC26EBC09A3652D3B233F590D883BDD997365DC7FD42D9C445

PID: 552
Process: aspnetcore-runtime-8.0.1-win-x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.ba\1046\thm.wxl
Type: xml
MD5: E4F17BB3D78D13E459C4864CA5275EAC
SHA256: 9B8CBDD928CBABCCD9D42F6035C81A360C48DE82AF7E3525233C64C5404F8A31

PID: 552
Process: aspnetcore-runtime-8.0.1-win-x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.ba\2052\thm.wxl
Type: xml
MD5: 746BA4C9816D9E151D4814D606BB5B17
SHA256: B50A6DE4C1834889DC39BD3944D6539FCF13FDB544769DE738A36BB4838C1E1F

PID: 552
Process: aspnetcore-runtime-8.0.1-win-x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.ba\wixstdba.dll
Type: executable
MD5: 4356EE50F0B1A878E270614780DDF095
SHA256: 41A8787FDC9467F563438DABA4131191AA1EB588A81BEB9A89FE8BD886C16104

PID: 2452
Process: AspNetCoreSharedFrameworkBundle-x64.exe
Filename: C:\System Volume Information\SPP\metadata-2
Type: -
MD5: -
SHA256: -

PID: 552
Process: aspnetcore-runtime-8.0.1-win-x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.ba\1029\thm.wxl
Type: xml
MD5: BAB2CEA64BA8779D11C881BB497E254F
SHA256: 7A3D1C7744F8E07A4F456F7A2EB99630568C617F4655092E93E62EA966F82228

PID: 552
Process: aspnetcore-runtime-8.0.1-win-x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.ba\1041\thm.wxl
Type: xml
MD5: D486C0E0AD40377B9A6916CFFF882F8F
SHA256: 4C6D4734F77698FA5050DD93648D25B73853A834919B75D5C677B48B60CB77D3

PID: 552
Process: aspnetcore-runtime-8.0.1-win-x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.ba\1036\thm.wxl
Type: xml
MD5: D7D57C17E633E99888CAABADBA8093AB
SHA256: 607F94E200ED131CC0439D326491A2ECF1FD8A2EB4F1664E12FA7EE6DC914C94

PID: 552
Process: aspnetcore-runtime-8.0.1-win-x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.ba\1040\thm.wxl
Type: xml
MD5: F5FAF70E5413B4CD0D4BE910EBFA47DE
SHA256: 381D318AE2AD67D7DE09F4B3AA215F329C034FD38C5C79E3FD4862D45A4A7017

PID: 552
Process: aspnetcore-runtime-8.0.1-win-x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.ba\1033\thm.wxl
Type: xml
MD5: D4226D322E0A676476DB291AB59C0CD1
SHA256: 65507DDC6F2AB2A93B684684BA1D69FDF0B024296367CDCE5DAD31D5E49813D0
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info