File name: Документация от 29.04.2025.exe

Full analysis: https://app.any.run/tasks/4d25791d-e36a-4056-bb1a-01a6f4b3483a
Verdict: Malicious activity
Analysis date: May 15, 2025, 13:25:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 0D881BB9756C9CD5C8B02FFCE576B2ED
SHA1: 16CC5274AF3FD0C6FF0172ACF8074B3D05E2DBF2
SHA256: 92DA38C8E608963F46B2F5B1636C82BA86503F509DD6EF3F53435F5967FEDDE6
SSDEEP: 49152:r93v5IKLnsMlvt1yXTcYsE2Ykqymp25T/rc3XXwaUJbNS1ot7m:hFLnso0TcoyQC7rc3XAZNS1Cm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Документация от 29.04.2025.exe (PID: 2320)
      • Документация от 29.04.2025.exe (PID: 8032)
  • SUSPICIOUS

    • Executes application which crashes

      • Документация от 29.04.2025.exe (PID: 2320)
      • Документация от 29.04.2025.exe (PID: 8032)
  • INFO

    • Reads the computer name

      • Документация от 29.04.2025.exe (PID: 2320)
      • Документация от 29.04.2025.exe (PID: 8032)
    • Checks supported languages

      • Документация от 29.04.2025.exe (PID: 2320)
      • Документация от 29.04.2025.exe (PID: 8032)
    • Reads the machine GUID from the registry

      • Документация от 29.04.2025.exe (PID: 2320)
      • Документация от 29.04.2025.exe (PID: 8032)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 7764)
      • WerFault.exe (PID: 8112)
    • Manual execution by a user

      • Документация от 29.04.2025.exe (PID: 8032)
    • Reads the software policy settings

      • slui.exe (PID: 8188)
    • Checks proxy server information

      • slui.exe (PID: 8188)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2088:09:06 01:02:52+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 764416
InitializedDataSize: 287232
UninitializedDataSize: -
EntryPoint: 0xbc8fe
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 144
Monitored processes: 5
Malicious processes: 0
Suspicious processes: 2

Behavior graph

Processes shown in the graph: Документация от 29.04.2025.exe, WerFault.exe (no specs), Документация от 29.04.2025.exe, WerFault.exe (no specs), slui.exe

Process information

PID: 2320
CMD: "C:\Users\admin\Desktop\Документация от 29.04.2025.exe"
Path: C:\Users\admin\Desktop\Документация от 29.04.2025.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3762504530
Modules
Images
c:\users\admin\desktop\документация от 29.04.2025.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7764
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2320 -s 1268
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Документация от 29.04.2025.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 8032
CMD: "C:\Users\admin\Desktop\Документация от 29.04.2025.exe"
Path: C:\Users\admin\Desktop\Документация от 29.04.2025.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3762504530
Modules
Images
c:\users\admin\desktop\документация от 29.04.2025.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID: 8112
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 8032 -s 1276
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Документация от 29.04.2025.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 8188
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 920
Read events: 3 920
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 4
Text files: 2
Unknown types: 0

Dropped files

PID 7764, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_CQXMULSO3L5SPCXX_38a53c1d545564a04059b730ca417df2174c61d8_55d7b26d_a8fa58e4-3daf-4a62-aa82-8aa130dac492\Report.wer
Type: -
MD5: -
SHA256: -

PID 7764, WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\Документация от 29.04.2025.exe.2320.dmp
Type: -
MD5: -
SHA256: -

PID 8112, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_CQXMULSO3L5SPCXX_38a53c1d545564a04059b730ca417df2174c61d8_55d7b26d_e36e4a91-dbe9-4ed4-9fbf-348fb2e2e8b9\Report.wer
Type: -
MD5: -
SHA256: -

PID 8112, WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\Документация от 29.04.2025.exe.8032.dmp
Type: -
MD5: -
SHA256: -

PID 7764, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0A.tmp.WERInternalMetadata.xml
Type: binary
MD5: FF59D5CFFFE2998F164FE04D81F16879
SHA256: B9B6623B6DAD2C660B4606C40175A235783FD751A0238C082181D5E1B6318831

PID 7764, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB2A.tmp.xml
Type: xml
MD5: 4A537ED9A99EFAC3DB68731A6C515559
SHA256: 1D6CDEB6F23120B65DDCBB14FFFF4D01170147C5124844806AA25C09AACA4736

PID 8112, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7435.tmp.xml
Type: xml
MD5: 33F94025961944F50E86E9AC608CD372
SHA256: 906CAE9704094F0D14624C334AE91494293447242FB6824C3ED8A17174A7182F

PID 8112, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7415.tmp.WERInternalMetadata.xml
Type: binary
MD5: 33F441DB87823CE102A10F312D936049
SHA256: EEAF5B4D4C49958829D50AADD0F324348A472A493C9DBC6EEA78F050023872A5

PID 7764, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER992.tmp.dmp
Type: binary
MD5: 0832B525F79DA547C5A5A83BB10191F8
SHA256: D08A0D9DB04DC9C21E4198E8B0A6292ABA20CA0663C3E43F896C2AC8C6A0E2B9

PID 8112, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7358.tmp.dmp
Type: binary
MD5: B0FAC70BF4E5FCF357256D01FA4C8A5B
SHA256: 2E3084334E6A9CC10FCB39CB8F905060E060C42B63A121F8720A109A0C78AA83
HTTP(S) requests: 5
TCP/UDP connections: 23
DNS requests: 15
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.194:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
7888 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
7888 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.194:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6652 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.48.23.194
  • 23.48.23.141
  • 23.48.23.177
  • 23.48.23.143
  • 23.48.23.190
  • 23.48.23.176
  • 23.48.23.180
  • 23.48.23.158
  • 23.48.23.193
whitelisted
www.microsoft.com
  • 23.52.120.96
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.2
  • 20.190.160.132
  • 40.126.32.68
  • 20.190.160.131
  • 40.126.32.140
  • 40.126.32.136
  • 20.190.160.67
  • 20.190.160.5
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info