File name: | ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe |
Full analysis: | https://app.any.run/tasks/a0bd6b32-e6cd-4ff0-9465-0f78e717a2d8 |
Verdict: | Malicious activity |
Analysis date: | January 11, 2025, 00:23:33 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections |
MD5: | 1CF3CD0F2F33CBF5C4B13C6043A46F66 |
SHA1: | D56D139C384377572F6FD0D5A2969A17B45A4329 |
SHA256: | AB326DCC6CD58FE04C5245BFFC77EB9AF7E892FC6748CDB90EAF093400BEB5A0 |
SSDEEP: | 6144:QbIsM09rOgQTglMAGGB5USSzJZguJZdLqvzxleIZvd+ujmfIa:kocIq+u9a |
.exe | | | Win32 Executable MS Visual C++ (generic) (27.4) |
---|---|---|
.exe | | | Win64 Executable (generic) (24.3) |
.exe | | | Win32 EXE Yoda's Crypter (23.3) |
.scr | | | Windows screen saver (11.5) |
.dll | | | Win32 Dynamic Link Library (generic) (5.7) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x1000 |
UninitializedDataSize: | - |
InitializedDataSize: | 95232 |
CodeSize: | 396288 |
LinkerVersion: | 6 |
PEType: | PE32 |
ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
TimeStamp: | 2014:12:02 16:57:06+00:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
6232 | "C:\Users\admin\Desktop\ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe" | C:\Users\admin\Desktop\ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
6436 | "C:\Users\admin\AppData\Local\Temp\Systemprfyx.exe" | C:\Users\admin\AppData\Local\Temp\Systemprfyx.exe | ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
6232 | ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe | C:\Users\admin\AppData\Local\Temp\2.dat | — | |
MD5:— | SHA256:— | |||
6232 | ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe | C:\Users\admin\AppData\Local\Temp\3.dat | — | |
MD5:— | SHA256:— | |||
6232 | ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe | C:\Users\admin\AppData\Local\Temp\4.dat | — | |
MD5:— | SHA256:— | |||
6232 | ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe | C:\Users\admin\AppData\Local\Temp\Systemprfyx.exe | executable | |
MD5:41D53C1FBD91482C94888EF72B55DC71 | SHA256:58244A63C05FB8F46217452C373BF9D44BE32F73970C8A732155E2BAE2025F87 | |||
6232 | ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe | C:\Users\admin\AppData\Local\Temp\path.ini | text | |
MD5:877311B92D37CA3883C8F38E0F5BA1D7 | SHA256:6040E8C521F445D5A883081D70B21FD1691B2023A220CFF7D8C43DC6B97E4FC5 | |||
6232 | ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe | C:\Users\admin\AppData\Local\Temp\Systamprfyx.exe | executable | |
MD5:95D8EF51F0964F6D14CACB62506BFD66 | SHA256:13CA7248E18E21DD32AA9F7D2B7226B090D13B043286EB0054109E0BA9816C58 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4300 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4300 | svchost.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4300 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4300 | svchost.exe | 23.32.238.112:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4300 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3976 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
i2.tietuku.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |