File name: | aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe |
Full analysis: | https://app.any.run/tasks/1f25ea03-3ef3-4a4e-b230-f824c2928502 |
Verdict: | Malicious activity |
Analysis date: | January 10, 2025, 19:15:11 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections |
MD5: | 4A1EE23D58805B29664F68BA16236BE1 |
SHA1: | 567906729E908632A6D7298C37BBD089482C7A20 |
SHA256: | AAF2EBE531FD8A56CA56615570B9D0D917CBA243F326FDEB6BC291AF226D95A2 |
SSDEEP: | 768:vAUo9AvVVVVVVVV+s5ZEPzWuqxWsqxWbHvvDOZnvvT0OIa9QMqUUwnIlUUVUUhV6:vASvVVVVVVVV+s5ZEDgWsgWWZjTPZw6 |
.exe | | | Win64 Executable (generic) (39.5) |
---|---|---|
.exe | | | UPX compressed Win32 Executable (38.7) |
.dll | | | Win32 Dynamic Link Library (generic) (9.4) |
.exe | | | Win32 Executable (generic) (6.4) |
.exe | | | Generic Win/DOS Executable (2.8) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2011:03:15 04:06:07+00:00 |
ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
PEType: | PE32 |
LinkerVersion: | 6 |
CodeSize: | 8192 |
InitializedDataSize: | 4096 |
UninitializedDataSize: | 24576 |
EntryPoint: | 0x7f80 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
6320 | "C:\Users\admin\Desktop\aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe" | C:\Users\admin\Desktop\aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
6320 | aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe | — | ||
MD5:— | SHA256:— | |||
6320 | aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | |
MD5:2C75078E4F19849F7CE39881BE7714ED | SHA256:AF19341BB4C096F1D09DE4E7F31900F96DC88FC8843D45CE6586CCF6AA7A0133 | |||
6320 | aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable | |
MD5:6944980AAF5FA9606BEC9801B05BF0B3 | SHA256:F83E494BD4E21D69BD3E37504981CCF33165186EFAE68E55B66AE6CA9CF184A7 | |||
6320 | aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | |
MD5:FB6FC53BE379DD1E5B765E45CB99953A | SHA256:2A1F1631614DCEC77C319BE5A5ED7A7C0A11E2426265C3B12F51F6ADFDD62E68 | |||
6320 | aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable | |
MD5:2037275145841AB58ADE5377BB1485A4 | SHA256:4894E2876061A77D879FF689D05563EE0E77D907E7288BCAD7FEEC103C9B99F0 | |||
6320 | aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable | |
MD5:1197D9A903700882F0418BC87D6BD120 | SHA256:F1FBCB7771C48CF0E0A194DF9D3F6FD7D830A8EBE4B3C94F0AAD87475535900C | |||
6320 | aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable | |
MD5:E3E2D0B1E5A46A97DED43213096D01AF | SHA256:7DC2BF54FFAA6E308F84E817D1D5DF29916540BED4ABF507811A26B0B379CC44 | |||
6320 | aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable | |
MD5:7BA5737EB9F8E968A3302466FBC7D828 | SHA256:CE70BCB46AF8D13E4CD8502895EA6C3A84D5FB2B08F5F0977AA51CAF0DB45A04 | |||
6320 | aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable | |
MD5:70549B1495BE8BB6AA127F436CA8D53D | SHA256:A7E5722574300A859817C2DDC08F19FE5699F2E6F004DEC1B9D188CA6A2F54B7 | |||
6320 | aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | |
MD5:1A98F4381326578CBAB9BC48F9B44827 | SHA256:78F3FFA8A316CACB01C497F9D5047D39AB90059FCEFE18AC5E008EB7A120DEE8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.161:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
640 | svchost.exe | GET | 200 | 23.48.23.161:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
640 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
640 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.161:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
640 | svchost.exe | 23.48.23.161:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
640 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
640 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |