File name:

058a4dffcc235ad644fc024381649cc0N.exe

Full analysis: https://app.any.run/tasks/b763b24a-94cc-4bef-a15c-526cb6ecf153
Verdict: Malicious activity
Analysis date: July 14, 2024, 14:38:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

058A4DFFCC235AD644FC024381649CC0

SHA1:

27F57064345DC323D4427888453D63A419F9B457

SHA256:

91D928D2DA60FA4BDA0129114BCA87F1674E6618C9B0AC27D585B0A89FF410B4

SSDEEP:

6144:IfbtLyY3NR1uIk2Q22VL16rpclZh2c+vf5ARwCIyAzxEK+QmEd:Msa1uz16ls68wzyANEK5mY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • 058a4dffcc235ad644fc024381649cc0N.exe (PID: 1228)
      • F247.tmp (PID: 3668)

    • Steals credentials from Web Browsers

      • F247.tmp (PID: 3668)

    • Actions looks like stealing of personal data

      • F247.tmp (PID: 3668)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • F247.tmp (PID: 3668)

    • Executable content was dropped or overwritten

      • 058a4dffcc235ad644fc024381649cc0N.exe (PID: 1228)
      • F247.tmp (PID: 3668)

    • Starts application with an unusual extension

      • 058a4dffcc235ad644fc024381649cc0N.exe (PID: 1228)

    • Process drops legitimate windows executable

      • F247.tmp (PID: 3668)

    • Reads browser cookies

      • F247.tmp (PID: 3668)

  • INFO

    • Checks supported languages

      • 058a4dffcc235ad644fc024381649cc0N.exe (PID: 1228)
      • F247.tmp (PID: 3668)

    • Create files in a temporary directory

      • 058a4dffcc235ad644fc024381649cc0N.exe (PID: 1228)

    • Reads the computer name

      • 058a4dffcc235ad644fc024381649cc0N.exe (PID: 1228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2006:10:04 07:42:12+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 24576
InitializedDataSize: 32768
UninitializedDataSize: -
EntryPoint: 0x6937
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
122
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 058a4dffcc235ad644fc024381649cc0n.exe f247.tmp

Process information

PID
CMD
Path
Indicators
Parent process
1228"C:\Users\admin\Desktop\058a4dffcc235ad644fc024381649cc0N.exe" C:\Users\admin\Desktop\058a4dffcc235ad644fc024381649cc0N.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\058a4dffcc235ad644fc024381649cc0n.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
3668C:\Users\admin\AppData\Local\Temp\F247.tmpC:\Users\admin\AppData\Local\Temp\F247.tmp
058a4dffcc235ad644fc024381649cc0N.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\f247.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\sfc.dll
Total events
121
Read events
121
Write events
0
Delete events
0

Modification events

No data
Executable files
22
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3668F247.tmpC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exeexecutable
MD5:264CE7AEFD96A639EBAD59363A12985C
SHA256:B16A3E7F1A189EF1DBD195DC06020A62D044CA7C2D8443C66D0ACB0156227BB8
3668F247.tmpC:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exeexecutable
MD5:584A333C43720D49EED06CD287162986
SHA256:2C8DC21E19FFEB31C65CA9678CDE76F820155CA35912454053675979EB278118
3668F247.tmpC:\Users\admin\AppData\Local\VirtualStore\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\call_manager.nodeexecutable
MD5:7BBB23C04A66C6DC78DA1537FE35D8B8
SHA256:06BEE4E80F21A5AEA0D06DD6AE7D445A6CD12939A4D015050EA46BF46965F8FD
3668F247.tmpC:\Users\admin\AppData\Local\VirtualStore\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\keytar.nodeexecutable
MD5:7E18E015E4A5176A2B028E3D2C822BF8
SHA256:78B8DD67B3C6A9FCD6FE289D70F9A3871D52AF44C811C09945B1B5787554DCA1
1228058a4dffcc235ad644fc024381649cc0N.exeC:\Users\admin\AppData\Local\Temp\F247.tmpexecutable
MD5:C610E7CCD6859872C585B2A85D7DC992
SHA256:14063FC61DC71B9881D75E93A587C27A6DAF8779FF5255A24A042BEACE541041
3668F247.tmpC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncClient.dllexecutable
MD5:A5A8F2434B37AC856B4AA4F9CD25A338
SHA256:F1EFE7F729B65B9AD5D16745FDF5543E8C7790AF2591E1153B9762E181DD012F
3668F247.tmpC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncShell.dllexecutable
MD5:41BCA3370B3007AA48BB285E4E261915
SHA256:7EE360C08F0D82C5EC390A7A5180276673AA1124078718B1DB4DE04E83AF57C5
3668F247.tmpC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\libeay32.dllexecutable
MD5:DCF5476ED31C6B722320DADFA3D7B0FA
SHA256:E75DD68EE46CFB4D68607290BCAC75E9A2BEBEF95BA026B2A2C27A446C4692CB
3668F247.tmpC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\adal.dllexecutable
MD5:9E9ACCE3C69D714F52FB620C4E82D143
SHA256:03BAAACADB2BC1872A843E1E50C4FF48826BF8ADFD2228E5393B7B4355F5C492
3668F247.tmpC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncApi.dllexecutable
MD5:40AF0F09BB5BBBC09121A82F02A05584
SHA256:0534D6E08600DB1FCE3A5C3E7A4606E57DBDFE58200A86A3040F5B0500F8A75D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
31
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2060
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2248
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1452
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2060
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2248
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
52.168.112.66:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2060
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1452
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2248
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
92.123.104.30:443
www.bing.com
Akamai International B.V.
DE
unknown
4
System
192.168.100.255:138
whitelisted
4032
svchost.exe
239.255.255.250:1900
whitelisted
2248
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
2060
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1452
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
www.bing.com
  • 92.123.104.30
  • 92.123.104.29
  • 92.123.104.31
  • 92.123.104.61
  • 92.123.104.32
  • 92.123.104.59
  • 92.123.104.58
  • 92.123.104.38
  • 92.123.104.33
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
self.events.data.microsoft.com
  • 20.42.73.30
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
058a4dffcc235ad644fc024381649cc0N.exe