| File name: | b06377380e5763cb56334ff1304908fc1f503b65bea4286374988d8c7b5b1120 |
| Full analysis: | https://app.any.run/tasks/58e68953-e40d-4445-9446-9421daf3548a |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | December 14, 2024, 09:17:26 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 9 sections |
| MD5: | E60EE90A3D3FA75CA36E06E8FF06CDFC |
| SHA1: | EFED3CAA44F62633AC34699321D1ACB7D487D8CE |
| SHA256: | B06377380E5763CB56334FF1304908FC1F503B65BEA4286374988D8C7B5B1120 |
| SSDEEP: | 192:YauHqWj7G4m1ajJAQa7LC+QWLfFCAZlYYqnvvcOo0eptL7GbUaYnCrUR1p7gJTD:7WXGaNp+QWAClYR8OAn7GbUanrUPYD |
MALICIOUS
No malicious indicators.SUSPICIOUS
Reads security settings of Internet Explorer
- b06377380e5763cb56334ff1304908fc1f503b65bea4286374988d8c7b5b1120.exe (PID: 2220)
Executes application which crashes
- b06377380e5763cb56334ff1304908fc1f503b65bea4286374988d8c7b5b1120.exe (PID: 2220)
Access to an unwanted program domain was detected
- b06377380e5763cb56334ff1304908fc1f503b65bea4286374988d8c7b5b1120.exe (PID: 2220)
INFO
Creates files or folders in the user directory
- WerFault.exe (PID: 1804)
Checks proxy server information
- b06377380e5763cb56334ff1304908fc1f503b65bea4286374988d8c7b5b1120.exe (PID: 2220)
- WerFault.exe (PID: 1804)
Checks supported languages
- b06377380e5763cb56334ff1304908fc1f503b65bea4286374988d8c7b5b1120.exe (PID: 2220)
Reads the computer name
- b06377380e5763cb56334ff1304908fc1f503b65bea4286374988d8c7b5b1120.exe (PID: 2220)
Reads the software policy settings
- WerFault.exe (PID: 1804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.2) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 0000:00:00 00:00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Large address aware, No debug |
| PEType: | PE32+ |
| LinkerVersion: | 2.34 |
| CodeSize: | 8704 |
| InitializedDataSize: | 18432 |
| UninitializedDataSize: | 2560 |
| EntryPoint: | 0x14c0 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 5.2 |
| Subsystem: | Windows GUI |
Total processes
121
Monitored processes
2
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2220 | "C:\Users\admin\Desktop\b06377380e5763cb56334ff1304908fc1f503b65bea4286374988d8c7b5b1120.exe" | C:\Users\admin\Desktop\b06377380e5763cb56334ff1304908fc1f503b65bea4286374988d8c7b5b1120.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221225477 Modules
| |||||||||||||||
| 1804 | C:\WINDOWS\system32\WerFault.exe -u -p 2220 -s 1168 | C:\Windows\System32\WerFault.exe | b06377380e5763cb56334ff1304908fc1f503b65bea4286374988d8c7b5b1120.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
6 443
Read events
6 443
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
2
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1804 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_b06377380e5763cb_f061c1a8646d388bfbdb89c06155f9929db71e2_53db5208_f5eaf654-a57d-4745-b879-50c45d6b4bd7\Report.wer | — | |
MD5:— | SHA256:— | |||
| 1804 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER67F6.tmp.xml | xml | |
MD5:921E229CAB36F8732D0E7CAEE291CA1E | SHA256:18940BB07107EB581F3DB7FC5403CFCDACC35A8C29A275AB70540778434E926E | |||
| 1804 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER670A.tmp.dmp | binary | |
MD5:5AC4E1B391CD96087802BF1654084303 | SHA256:113E6014434222061032FC6FA0F49701DBEDA1AE97B33D5C46FAD59698A225F4 | |||
| 1804 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER67C7.tmp.WERInternalMetadata.xml | xml | |
MD5:4A7AC0B9386E486B32EFD354E1747CC9 | SHA256:6887B79C851A3689DA004EBBC5BAE398460DEC21006CE5B33378E105898505F0 | |||
| 1804 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\b06377380e5763cb56334ff1304908fc1f503b65bea4286374988d8c7b5b1120.exe.2220.dmp | binary | |
MD5:B2FA9F61E5A9E96B8BD1E2F8C732F1E4 | SHA256:6042C12940C74C469430E9DB6087D3F11DDD7C17B2AB8C643EA0EE86A0A94C4E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
20
DNS requests
8
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2624 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2624 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2624 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 104.126.37.147:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2220 | b06377380e5763cb56334ff1304908fc1f503b65bea4286374988d8c7b5b1120.exe | 192.168.50.131:80 | — | — | — | unknown |
1804 | WerFault.exe | 52.182.143.212:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2624 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
2624 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
watson.events.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Possibly Unwanted Program Detected | ET ADWARE_PUP Fun Web Products Spyware User-Agent (FunWebProducts) |