File name:

PacMan.exe

Full analysis: https://app.any.run/tasks/0b2c8b6e-1137-4596-8cf7-88c0e2b02872
Verdict: Malicious activity
Analysis date: July 31, 2024, 02:56:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

CFF7FAB474E2CF33B332210AF5608FD7

SHA1:

79A7FCF6B799F70E2389CE04A669D55B96F022F9

SHA256:

A59BB85B74832A7AAEE6C4CFD2383F03A64A1BA06A442CC5A51DCA559BCDAE75

SSDEEP:

98304:uu46pKI0HBaS4bOItZ0Aa0Cwfxb4v37APpRQViJ8Q/jyB3cHHpqI0azJ7BSF9EP1:12OGLs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Runs injected code in another process

      • PacMan CRT.exe (PID: 7084)
    • Application was injected by another process

      • csrss.exe (PID: 604)
    • Drops the executable file immediately after the start

      • PacMan.exe (PID: 5696)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • PacMan.exe (PID: 5696)
    • Executable content was dropped or overwritten

      • PacMan.exe (PID: 5696)
  • INFO

    • Creates files or folders in the user directory

      • PacMan CRT.exe (PID: 7084)
    • Checks supported languages

      • PacMan CRT.exe (PID: 7084)
      • PacMan.exe (PID: 5696)
    • Reads the computer name

      • PacMan CRT.exe (PID: 7084)
    • Create files in a temporary directory

      • PacMan.exe (PID: 5696)
    • Reads the software policy settings

      • slui.exe (PID: 6328)
    • Checks proxy server information

      • slui.exe (PID: 6328)
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:10:31 03:28:47+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 27136
InitializedDataSize: 4444160
UninitializedDataSize: -
EntryPoint: 0x69d0
OSVersion: 6.3
ImageVersion: 6.3
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.4
ProductVersionNumber: 1.0.0.4
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName:
FileDescription:
FileVersion: 1.0.0.4
InternalName: Wextract
LegalCopyright:
OriginalFileName: WEXTRACT.EXE .MUI
ProductName:
ProductVersion: 1.0.0.4
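The EXIF block above is what a PE header reader produces: every field except the version-resource strings (CompanyName, InternalName, OriginalFileName and so on) comes straight from the DOS, COFF and optional headers. The Python below is an added example, not part of the ANY.RUN report or its tooling. It parses those three headers (PE32 and PE32+) into the same field names, and runs against a constructed PE32 header filled with the values the report shows for PacMan.exe; the real file is not included here, and the BaseOfCode/ImageBase/SizeOfImage filler values in build_sample_pe() are assumptions that the parser does not report.

```python
"""Minimal PE header reader producing the fields in the EXIF block above.

Added example, not part of the ANY.RUN report or its tooling. Reads only the
DOS, COFF and optional headers (PE32 and PE32+), no sections or directories.
build_sample_pe() constructs a header from the values the report shows for
PacMan.exe; it is not the real file.
"""
import struct
from datetime import datetime, timezone

MACHINE = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64", 0xAA64: "ARM64"}
SUBSYSTEM = {1: "Native", 2: "Windows GUI", 3: "Windows command line"}
CHARACTERISTICS = [(0x0002, "Executable"), (0x0100, "32-bit"), (0x2000, "DLL")]


def parse_pe_header(data: bytes) -> dict:
    """Return the EXIF-style fields for the image in `data`, or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    machine, _nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header truncated")
    # Offsets 0..19, 40..51 and 68 of the optional header are the same for PE32 and PE32+.
    magic, maj_link, min_link, code, idata, udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    os_maj, os_min, img_maj, img_min, ss_maj, ss_min = struct.unpack_from("<6H", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "MachineType": MACHINE.get(machine, f"0x{machine:04x}"),
        "TimeDateStamp": stamp,
        "TimeStamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "ImageFileCharacteristics": ", ".join(n for bit, n in CHARACTERISTICS if chars & bit),
        "PEType": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, f"0x{magic:x}"),
        "LinkerVersion": f"{maj_link}.{min_link}",
        "CodeSize": code,
        "InitializedDataSize": idata,
        "UninitializedDataSize": udata,
        "EntryPoint": f"0x{entry:x}",
        "OSVersion": f"{os_maj}.{os_min}",
        "ImageVersion": f"{img_maj}.{img_min}",
        "SubsystemVersion": f"{ss_maj}.{ss_min}",
        "Subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 header (no sections) carrying the values reported for PacMan.exe.
    BaseOfCode, BaseOfData, ImageBase, alignments and SizeOfImage are filler (assumed)."""
    stamp = int(datetime(2014, 10, 31, 3, 28, 47, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x014C, 3, stamp, 0, 0, 224, 0x0102)  # i386, EXECUTABLE|32BIT
    opt = struct.pack("<HBB" + "I" * 9, 0x010B, 11, 0,
                      27136, 4444160, 0, 0x69D0,                  # code, idata, udata, entry point
                      0x1000, 0x8000, 0x400000, 0x1000, 0x200)    # filler: bases, image base, alignments
    opt += struct.pack("<6H", 6, 3, 6, 3, 5, 1)                   # OS 6.3, image 6.3, subsystem 5.1
    opt += struct.pack("<IIIIHH", 0, 0x450000, 0x400, 0, 2, 0)    # ..., Subsystem=2 (GUI), DllCharacteristics
    return dos + b"PE\0\0" + coff + opt + b"\0" * (224 - len(opt))


if __name__ == "__main__":
    for k, v in parse_pe_header(build_sample_pe()).items():
        print(f"{k}: {v}")
```

TimeDateStamp is written by the linker and is trivially forgeable, so a 2014 stamp on a file analysed in 2024 is context, not evidence. The InternalName/OriginalFileName strings in the report live in the version resource, which this reader deliberately does not parse.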
No data.
All screenshots are available in the full report
Total processes
147
Monitored processes
4
Malicious processes
1
Suspicious processes
2

Behavior graph

Graph nodes: start, pacman.exe, pacman crt.exe (no specs), slui.exe, csrss.exe
Parent/child relationships from the process table: explorer.exe -> PacMan.exe (PID 5696) -> PacMan CRT.exe (PID 7084); svchost.exe -> slui.exe (PID 6328); csrss.exe (PID 604)

Process information

PID:
604
CMD:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Path:
C:\Windows\System32\csrss.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Client Server Runtime Process
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\avrt.dll
c:\windows\system32\sechost.dll
PID:
5696
CMD:
"C:\Users\admin\AppData\Local\Temp\PacMan.exe"
Path:
C:\Users\admin\AppData\Local\Temp\PacMan.exe
Parent process:
explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.4
Modules
Images
c:\users\admin\appdata\local\temp\pacman.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
6328
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
7084
CMD:
"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\PacMan CRT.exe"
Path:
C:\Users\admin\AppData\Local\Temp\IXP000.TMP\PacMan CRT.exe
Parent process:
PacMan.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.4
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\pacman crt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events
1,106
Read events
1,101
Write events
5
Delete events
0

Modification events

(PID) Process: (7084) PacMan CRT.exe
Key: HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0
Operation: write
Name: GUID
Value: C0053E88E84EEF118001444553540000

(PID) Process: (7084) PacMan CRT.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
Operation: write
Name: Version
Value: 0A050000

(PID) Process: (7084) PacMan CRT.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
Operation: write
Name: Name
Value: PACMAN CRT.EXE

(PID) Process: (7084) PacMan CRT.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
Operation: write
Name: Id
Value: PACMAN CRT.EXE55F7C3C10032C200

(PID) Process: (7084) PacMan CRT.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
Operation: write
Name: MostRecentStart
Value: 0B71964AF5E2DA01
Executable files
2
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID 5696, PacMan.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\D3DX9_43.dll
Type: executable
MD5: 86E39E9161C3D930D93822F1563C280D
SHA256: 0B28546BE22C71834501F7D7185EDE5D79742457331C7EE09EFC14490DD64F5F

PID 7084, PacMan CRT.exe
Filename: C:\Users\admin\AppData\Local\PacMan_CRT\lines.png
Type: image
MD5: 21C565153059BCF655E3F73966F53905
SHA256: A8998F7DA0801BF9A17DD8372704C7EDDDCD84A4DA8A436E9EFD02F093CEBB8F

PID 5696, PacMan.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\PacMan CRT.exe
Type: executable
MD5: CBF5F66F38D503F4F38FF6A1601F3F4D
SHA256: 844A6E4BD55FB7C88AB476734A2180E70D2298E20C0EA4B23D94F29F75FCACA2

PID 7084, PacMan CRT.exe
Filename: C:\Users\admin\AppData\Local\PacMan_CRT\noise.png
Type: image
MD5: 5873FB91D292F3F600B21298CAE1858D
SHA256: 94242FD9E681654C34251AC793F6D1C7C54452A89249F05D039578A6D2DD8B00

PID 5696, PacMan.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\data.win
Type: binary
MD5: 3267BFD83D96C89FF1989C582787F1E4
SHA256: 53AEFF59D147AEFD3B43BB07EE5711DE2D5224302C7BFD10B83A99E9CD73DB31
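The chain in this report is the classic self-extractor pattern: the sample's version resource names it Wextract, the stub used by IExpress packages, which unpacks into %TEMP%\IXP<nnn>.TMP and then launches the payload from there. Here PacMan.exe (PID 5696) writes D3DX9_43.dll, PacMan CRT.exe and data.win into IXP000.TMP and starts PacMan CRT.exe (PID 7084) from that directory. The Python below is an added example, not part of the ANY.RUN report, showing how a detection would key on that chain and on the report's hashes. It runs over constructed Sysmon-style events (field names follow Event ID 1 ProcessCreate and Event ID 11 FileCreate); the paths, PIDs 5696/7084/6328 and SHA-256 values are copied from this report, while the timestamps, the explorer.exe and svchost.exe PIDs (2468, 1357) and the all-zero hash on the slui.exe line are invented placeholders.

```python
"""Drop-and-execute detection plus IOC hash matching for the chain in this report.

Added example, not part of the ANY.RUN report. Events are constructed
Sysmon-style records (Event ID 1 ProcessCreate, Event ID 11 FileCreate).
Paths, PIDs 5696/7084/6328 and SHA-256 values come from the report;
timestamps, parent PIDs 2468/1357 and the zero hash are invented.
"""
import re
from dataclasses import dataclass

# SHA-256 IOCs taken from the report: the sample and its two executable drops.
REPORT_SHA256 = {
    "A59BB85B74832A7AAEE6C4CFD2383F03A64A1BA06A442CC5A51DCA559BCDAE75": "PacMan.exe",
    "844A6E4BD55FB7C88AB476734A2180E70D2298E20C0EA4B23D94F29F75FCACA2": "PacMan CRT.exe",
    "0B28546BE22C71834501F7D7185EDE5D79742457331C7EE09EFC14490DD64F5F": "D3DX9_43.dll",
}

# Wextract/IExpress unpacks into %TEMP%\IXP<nnn>.TMP\ (IXP000.TMP in the report).
IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)

# Constructed sample log; see the module docstring for what is real and what is invented.
EVENTS = [
    'EventID=1 UtcTime="2024-07-31 02:56:41" ProcessId=5696 ParentProcessId=2468 '
    'Image="C:\\Users\\admin\\AppData\\Local\\Temp\\PacMan.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" '
    'SHA256=A59BB85B74832A7AAEE6C4CFD2383F03A64A1BA06A442CC5A51DCA559BCDAE75',
    'EventID=11 UtcTime="2024-07-31 02:56:42" ProcessId=5696 '
    'Image="C:\\Users\\admin\\AppData\\Local\\Temp\\PacMan.exe" '
    'TargetFilename="C:\\Users\\admin\\AppData\\Local\\Temp\\IXP000.TMP\\D3DX9_43.dll"',
    'EventID=11 UtcTime="2024-07-31 02:56:42" ProcessId=5696 '
    'Image="C:\\Users\\admin\\AppData\\Local\\Temp\\PacMan.exe" '
    'TargetFilename="C:\\Users\\admin\\AppData\\Local\\Temp\\IXP000.TMP\\PacMan CRT.exe"',
    'EventID=11 UtcTime="2024-07-31 02:56:42" ProcessId=5696 '
    'Image="C:\\Users\\admin\\AppData\\Local\\Temp\\PacMan.exe" '
    'TargetFilename="C:\\Users\\admin\\AppData\\Local\\Temp\\IXP000.TMP\\data.win"',
    'EventID=1 UtcTime="2024-07-31 02:56:43" ProcessId=7084 ParentProcessId=5696 '
    'Image="C:\\Users\\admin\\AppData\\Local\\Temp\\IXP000.TMP\\PacMan CRT.exe" '
    'ParentImage="C:\\Users\\admin\\AppData\\Local\\Temp\\PacMan.exe" '
    'SHA256=844A6E4BD55FB7C88AB476734A2180E70D2298E20C0EA4B23D94F29F75FCACA2',
    # Activation client seen in the same run; must not alert. Zero hash is a placeholder.
    'EventID=1 UtcTime="2024-07-31 02:56:50" ProcessId=6328 ParentProcessId=1357 '
    'Image="C:\\WINDOWS\\System32\\slui.exe" ParentImage="C:\\Windows\\System32\\svchost.exe" '
    'SHA256=0000000000000000000000000000000000000000000000000000000000000000',
]


@dataclass
class Alert:
    rule: str
    pid: int
    image: str
    detail: str


def parse_event(line: str) -> dict:
    """Split 'key=value' pairs; a value is either double-quoted or whitespace-free."""
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def detect(lines):
    """Alert on (a) a process image whose SHA-256 is a report IOC and (b) a process
    started from a PE that its own parent just wrote into an IXP temp directory."""
    alerts = []
    dropped = {}  # writer PID -> set of lowercased PE paths written into an IXP dir
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "11":
            target = ev["TargetFilename"]
            if IXP_DIR.search(target) and target.lower().endswith((".exe", ".dll")):
                dropped.setdefault(int(ev["ProcessId"]), set()).add(target.lower())
        elif ev.get("EventID") == "1":
            pid, ppid = int(ev["ProcessId"]), int(ev["ParentProcessId"])
            image = ev["Image"]
            known = REPORT_SHA256.get(ev.get("SHA256", "").upper())
            if known:
                alerts.append(Alert("ioc_hash_match", pid, image,
                                    f"SHA-256 matches {known} from the report"))
            if image.lower() in dropped.get(ppid, set()):
                alerts.append(Alert("ixp_drop_and_execute", pid, image,
                                    f"parent PID {ppid} wrote this file into an IXP temp dir, then executed it"))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a.rule}] PID {a.pid} {a.image}: {a.detail}")
```

The behavioural rule fires on PID 7084 without any hash, which is the point: the hashes in this report identify one build, while the IXP drop-and-execute chain identifies every IExpress-wrapped payload. The dropped D3DX9_43.dll produces no alert here because it is loaded, not executed; matching a dropped DLL to the process that loads it needs Sysmon Event ID 7 (ImageLoad), which these sample events do not include.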
HTTP(S) requests
9
TCP/UDP connections
62
DNS requests
28
Threats
0

HTTP requests

Report columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation (Type and Size are empty on every row). All nine requests are OCSP lookups to ocsp.digicert.com made by Windows and Office components; none originates from the sample's processes (PIDs 5696 and 7084).

5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | CN: unknown | reputation: whitelisted
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | CN: unknown | reputation: whitelisted
5368 | SearchApp.exe | GET | 304 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | CN: unknown | reputation: whitelisted
4424 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | CN: unknown | reputation: whitelisted
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | CN: unknown | reputation: whitelisted
3676 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | CN: unknown | reputation: whitelisted
4132 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | CN: unknown | reputation: whitelisted
6776 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | CN: unknown | reputation: whitelisted
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | CN: unknown | reputation: whitelisted

Connections

Report columns: PID, Process, IP, Domain, ASN, CN, Reputation. A "-" marks a cell the report leaves empty (rows without a PID follow the row above them in the report). None of the connections belongs to the sample's processes (PIDs 5696 and 7084).

PID  | Process             | IP                   | Domain                          | ASN                         | CN | Reputation
4    | System              | 192.168.100.255:138  | -                               | -                           | -  | whitelisted
-    | -                   | 131.253.33.254:443   | a-ring-fallback.msedge.net      | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
1028 | svchost.exe         | 51.104.136.2:443     | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
-    | -                   | 184.86.251.27:443    | www.bing.com                    | Akamai International B.V.   | DE | unknown
1996 | slui.exe            | 40.91.76.224:443     | -                               | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6012 | MoUsoCoreWorker.exe | 51.104.136.2:443     | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4560 | RUXIMICS.exe        | 51.104.136.2:443     | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3952 | svchost.exe         | 239.255.255.250:1900 | -                               | -                           | -  | whitelisted
-    | -                   | 40.91.76.224:443     | -                               | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
528  | slui.exe            | 40.91.76.224:443     | -                               | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
t-ring-fdv2.msedge.net
  • 13.107.237.254
unknown
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
  • 4.231.128.59
whitelisted
www.bing.com
  • 184.86.251.27
  • 184.86.251.22
  • 2.23.209.182
  • 2.23.209.130
  • 2.23.209.149
  • 2.23.209.133
whitelisted
google.com
  • 216.58.212.142
whitelisted
fp-afd-nocache-ccp.azureedge.net
  • 13.107.246.60
whitelisted
login.live.com
  • 40.126.32.68
  • 40.126.32.134
  • 20.190.160.20
  • 40.126.32.133
  • 40.126.32.136
  • 40.126.32.140
  • 40.126.32.72
  • 40.126.32.74
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
th.bing.com
  • 184.86.251.27
  • 184.86.251.22
  • 2.23.209.182
  • 2.23.209.133
  • 2.23.209.149
  • 2.23.209.130
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted

Threats

No threats detected
No debug info