File name: aspnetcore-runtime-8.0.1-win-x64.exe

Full analysis: https://app.any.run/tasks/a795ea57-3268-4cb6-aa23-a6ac8bb2a8b0
Verdict: Malicious activity
Analysis date: January 29, 2024, 07:23:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 417424CE82668952F34DBB581074BDD5
SHA1: 0C4BE638C70EAC3B1F3B351D759F80F7D73518AE
SHA256: 918B126D94AB2795B00CB700CDEDA1B0B74B56EE82B75032C484FCB0F422FF16
SSDEEP: 98304:m+1MAK2LBwVD9Pd0IyrpmPCYn7QZAP/92+nqn5oovcObrMJzag/3LLSjuhzKSBSb:LcZuG2O5DgCCI/BK8WL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 984)
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
  • SUSPICIOUS
    • Starts a Microsoft application from an unusual location
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 984)
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
    • Process drops a legitimate Windows executable
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 984)
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
    • Executable content was dropped or overwritten
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 984)
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
    • Searches for installed software
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
    • Starts itself from another location
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
    • Reads the Internet Settings
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
    • Creates a software uninstall entry
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
  • INFO
    • Checks supported languages
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 984)
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
    • Creates files in a temporary directory
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 984)
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
    • Reads the computer name
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
    • Reads the machine GUID from the registry
      • aspnetcore-runtime-8.0.1-win-x64.exe (PID: 552)
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
    • Creates files in the program directory
      • AspNetCoreSharedFrameworkBundle-x64.exe (PID: 2452)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:22 17:58:18+02:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.16
CodeSize: 302080
InitializedDataSize: 162816
UninitializedDataSize: -
EntryPoint: 0x2e082
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 8.0.1.23580
ProductVersionNumber: 8.0.1.23580
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft ASP.NET Core 8.0.1 - Shared Framework (x64)
FileVersion: 8.0.1.23580
InternalName: setup
LegalCopyright: Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFileName: AspNetCoreSharedFrameworkBundle-x64.exe
ProductName: Microsoft ASP.NET Core 8.0.1 - Shared Framework (x64)
ProductVersion: 8.0.1.23580
No data.
Screenshots: available in the full report
Total processes: 42
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes: start, aspnetcore-runtime-8.0.1-win-x64.exe, aspnetcore-runtime-8.0.1-win-x64.exe, aspnetcoresharedframeworkbundle-x64.exe

Process information

PID: 552
CMD: "C:\Users\admin\AppData\Local\Temp\{D77DA8A7-9565-4243-B260-5EE67311A6B7}\.cr\aspnetcore-runtime-8.0.1-win-x64.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\aspnetcore-runtime-8.0.1-win-x64.exe" -burn.filehandle.attached=152 -burn.filehandle.self=160
Path: C:\Users\admin\AppData\Local\Temp\{D77DA8A7-9565-4243-B260-5EE67311A6B7}\.cr\aspnetcore-runtime-8.0.1-win-x64.exe
Parent process: aspnetcore-runtime-8.0.1-win-x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ASP.NET Core 8.0.1 - Shared Framework (x64)
Exit code: 0
Version: 8.0.1.23580
Modules (images):
  c:\users\admin\appdata\local\temp\{d77da8a7-9565-4243-b260-5ee67311a6b7}\.cr\aspnetcore-runtime-8.0.1-win-x64.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 984
CMD: "C:\Users\admin\AppData\Local\Temp\aspnetcore-runtime-8.0.1-win-x64.exe"
Path: C:\Users\admin\AppData\Local\Temp\aspnetcore-runtime-8.0.1-win-x64.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ASP.NET Core 8.0.1 - Shared Framework (x64)
Exit code: 0
Version: 8.0.1.23580
Modules (images):
  c:\users\admin\appdata\local\temp\aspnetcore-runtime-8.0.1-win-x64.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 2452
CMD: "C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.be\AspNetCoreSharedFrameworkBundle-x64.exe" -q -burn.elevated BurnPipe.{FDDF5503-F59D-447D-B975-070530E0F803} {08187F27-9314-4C47-8D34-7C6B60C5460B} 552
Path: C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.be\AspNetCoreSharedFrameworkBundle-x64.exe
Parent process: aspnetcore-runtime-8.0.1-win-x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ASP.NET Core 8.0.1 - Shared Framework (x64)
Exit code: 0
Version: 8.0.1.23580
Modules (images):
  c:\users\admin\appdata\local\temp\{13cf05d4-087d-4187-99a5-0b399069863b}\.be\aspnetcoresharedframeworkbundle-x64.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
Total events: 1 434
Read events: 1 402
Write events: 30
Delete events: 2

Modification events

(PID) Process: (552) aspnetcore-runtime-8.0.1-win-x64.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (552) aspnetcore-runtime-8.0.1-win-x64.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (552) aspnetcore-runtime-8.0.1-win-x64.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (552) aspnetcore-runtime-8.0.1-win-x64.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2452) AspNetCoreSharedFrameworkBundle-x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 40000000000000003811FC442B2FDA01740A0000480C0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2452) AspNetCoreSharedFrameworkBundle-x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 40000000000000003811FC442B2FDA01740A0000480C0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2452) AspNetCoreSharedFrameworkBundle-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 74

(PID) Process: (2452) AspNetCoreSharedFrameworkBundle-x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 400000000000000086834F452B2FDA01740A0000480C0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2452) AspNetCoreSharedFrameworkBundle-x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value: 4000000000000000E0E551452B2FDA01740A0000340B0000E8030000010000000000000000000000C3E45FD4C91B4942AEB82FA6735F4DE60000000000000000

(PID) Process: (2452) AspNetCoreSharedFrameworkBundle-x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Leave)
Value: 4000000000000000A63F0E462B2FDA01740A0000340B0000E8030000000000000000000000000000C3E45FD4C91B4942AEB82FA6735F4DE60000000000000000
Executable files: 4
Suspicious files: 3
Text files: 20
Unknown types: 0

Dropped files

PID | Process | Filename | Type

984 | aspnetcore-runtime-8.0.1-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{D77DA8A7-9565-4243-B260-5EE67311A6B7}\.cr\aspnetcore-runtime-8.0.1-win-x64.exe | executable
MD5: A22069C21520F8C54C45BB6EAB357E62
SHA256: 05E01EEB6EF4421D18DA39435F244990F27F4B8479212B7515CCCE8BAD30E6FD

552 | aspnetcore-runtime-8.0.1-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.ba\1028\thm.wxl | xml
MD5: 423EE6BAFEB6F2D8D3C9C9BD12DB179B
SHA256: B427A8FF060943FC26EBC09A3652D3B233F590D883BDD997365DC7FD42D9C445

552 | aspnetcore-runtime-8.0.1-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.ba\1031\thm.wxl | xml
MD5: 640087421D90D8CB132AF3563AD719DF
SHA256: 4717A1D19F622D64B446B9995C5388E40BFC3B0E87C6B96F12A9F3562F5AF279

552 | aspnetcore-runtime-8.0.1-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.ba\wixstdba.dll | executable
MD5: 4356EE50F0B1A878E270614780DDF095
SHA256: 41A8787FDC9467F563438DABA4131191AA1EB588A81BEB9A89FE8BD886C16104

2452 | AspNetCoreSharedFrameworkBundle-x64.exe | C:\System Volume Information\SPP\metadata-2 | -
MD5: -
SHA256: -

552 | aspnetcore-runtime-8.0.1-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.ba\3082\thm.wxl | xml
MD5: 0DC3CEF13A278C1CE556B6C2C4185D57
SHA256: 8E1357B280A7829AA527D93D388F924BD7052D1E04B7AC92421042D7D980B2AA

552 | aspnetcore-runtime-8.0.1-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.ba\1036\thm.wxl | xml
MD5: D7D57C17E633E99888CAABADBA8093AB
SHA256: 607F94E200ED131CC0439D326491A2ECF1FD8A2EB4F1664E12FA7EE6DC914C94

552 | aspnetcore-runtime-8.0.1-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.ba\1042\thm.wxl | xml
MD5: 259931057CFE2E32A198475B4F8DB842
SHA256: 410EFD075793743A04F6F6CDF117695F19BF01B90DFE0A177EF225D8CF4F4DBF

552 | aspnetcore-runtime-8.0.1-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.ba\1041\thm.wxl | xml
MD5: D486C0E0AD40377B9A6916CFFF882F8F
SHA256: 4C6D4734F77698FA5050DD93648D25B73853A834919B75D5C677B48B60CB77D3

552 | aspnetcore-runtime-8.0.1-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{13CF05D4-087D-4187-99A5-0B399069863B}\.ba\1029\thm.wxl | xml
MD5: BAB2CEA64BA8779D11C881BB497E254F
SHA256: 7A3D1C7744F8E07A4F456F7A2EB99630568C617F4655092E93E62EA966F82228
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info