File name: b2c3517bb90933390df4eb01c6ba36f2a519a69b5bcee703f4889b8336cb7027.exe

Full analysis: https://app.any.run/tasks/6113e768-e696-48bf-8048-fde4dc2c9ff1
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 13, 2023, 01:07:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 7D726C8BE35F9E9F010363C050EE86B3
SHA1: 13D73CEA5B8D05B338F347CDFC4088CC4F38FCAC
SHA256: B2C3517BB90933390DF4EB01C6BA36F2A519A69B5BCEE703F4889B8336CB7027
SSDEEP: 3072:O98WPLTgdxkBH8ZQYTr6DQ6v+UT4i0JKIMuFes7P:XWzcdxkFhCwQC8bMuF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was injected by another process

      • explorer.exe (PID: 3492)
    • Runs injected code in another process

      • b2c3517bb90933390df4eb01c6ba36f2a519a69b5bcee703f4889b8336cb7027.exe (PID: 1008)
    • Application was dropped or rewritten from another process

      • AM_Engine.exe (PID: 5984)
      • MpSigStub.exe (PID: 5404)
      • AM_Base.exe (PID: 4900)
      • AM_Delta.exe (PID: 2384)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • explorer.exe (PID: 3492)
      • MpSigStub.exe (PID: 5404)
  • INFO

    • Checks supported languages

      • b2c3517bb90933390df4eb01c6ba36f2a519a69b5bcee703f4889b8336cb7027.exe (PID: 1008)
      • AM_Delta.exe (PID: 2384)
      • AM_Base.exe (PID: 4900)
      • ricgshj (PID: 888)
      • AM_Engine.exe (PID: 5984)
    • The process checks LSA protection

      • AM_Base.exe (PID: 4900)
      • AM_Delta.exe (PID: 2384)
      • dllhost.exe (PID: 4372)
      • explorer.exe (PID: 3492)
      • MpSigStub.exe (PID: 5404)
      • AM_Engine.exe (PID: 5984)
    • Checks proxy server information

      • explorer.exe (PID: 3492)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 3492)
    • Creates files in the program directory

      • MpSigStub.exe (PID: 5404)
    • Reads the software policy settings

      • MpSigStub.exe (PID: 5404)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductVersion: 65.61.98.41
ProductName: BroadwayStreet
LegalTrademarks2: objfngizdf
LegalCopyrights: Challenger fazan inc.
InternalName: Brucus.exe
FileDescriptions: NiceIncorporated
CompanyName: Bootleneck
CharacterSet: Unknown (85B1)
LanguageCode: Unknown (0292)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 32.0.0.0
FileVersionNumber: 61.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x5110
UninitializedDataSize: -
InitializedDataSize: 646656
CodeSize: 81920
LinkerVersion: 10
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, 32-bit
TimeStamp: 2022:02:17 21:12:26+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 17-Feb-2022 21:12:26
Detected languages:
  • Tamil - India
CompanyName: Bootleneck
FileDescriptions: NiceIncorporated
InternalName: Brucus.exe
LegalCopyrights: Challenger fazan inc.
LegalTrademarks2: objfngizdf
ProductName: BroadwayStreet
ProductVersion: 65.61.98.41

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 17-Feb-2022 21:12:26
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name  | Virtual Address | Virtual Size | Raw Size   | Characteristics                                                         | Entropy
.text | 0x00001000      | 0x00013FDE   | 0x00014000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ           | 5.8643
.data | 0x00015000      | 0x00087298   | 0x00013600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.79137
.rsrc | 0x0009D000      | 0x00014AE0   | 0x00014C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                      | 3.70242

Resources

Title | Entropy | Size | Codepage | Language      | Type
1     | 3.55923 | 1736 | UNKNOWN  | Tamil - India | RT_ICON
2     | 3.18367 | 1384 | UNKNOWN  | Tamil - India | RT_ICON
3     | 2.34845 | 4264 | UNKNOWN  | Tamil - India | RT_ICON
4     | 2.51774 | 1128 | UNKNOWN  | Tamil - India | RT_ICON
5     | 4.23909 | 2216 | UNKNOWN  | Tamil - India | RT_ICON
6     | 4.03858 | 1736 | UNKNOWN  | Tamil - India | RT_ICON
7     | 3.34688 | 1384 | UNKNOWN  | Tamil - India | RT_ICON
8     | 2.37469 | 4264 | UNKNOWN  | Tamil - India | RT_ICON
9     | 2.39511 | 2440 | UNKNOWN  | Tamil - India | RT_ICON
10    | 2.54302 | 1128 | UNKNOWN  | Tamil - India | RT_ICON

Imports

GDI32.dll
KERNEL32.dll
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 9
Malicious processes: 2
Suspicious processes: 2

Behavior graph

Processes in the graph (inject / start): b2c3517bb90933390df4eb01c6ba36f2a519a69b5bcee703f4889b8336cb7027.exe (no specs), Delivery Optimization User (no specs), explorer.exe, filecoauth.exe (no specs), ricgshj (no specs), am_engine.exe (no specs), mpsigstub.exe, am_base.exe (no specs), am_delta.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 888
CMD: C:\Users\admin\AppData\Roaming\ricgshj
Path: C:\Users\admin\AppData\Roaming\ricgshj
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\ricgshj
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
PID: 1008
CMD: "C:\Users\admin\AppData\Local\Temp\b2c3517bb90933390df4eb01c6ba36f2a519a69b5bcee703f4889b8336cb7027.exe"
Path: C:\Users\admin\AppData\Local\Temp\b2c3517bb90933390df4eb01c6ba36f2a519a69b5bcee703f4889b8336cb7027.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\b2c3517bb90933390df4eb01c6ba36f2a519a69b5bcee703f4889b8336cb7027.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
PID: 2384
CMD: "C:\WINDOWS\SoftwareDistribution\Download\Install\AM_Delta.exe" WD /q
Path: C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe
Parent process: wuauclt.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
AntiMalware Definition Update
Exit code:
2147942405
Version:
1.381.122.0
Modules
Images
c:\windows\softwaredistribution\download\install\am_delta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\bcryptprimitives.dll
PID: 3492
CMD: C:\WINDOWS\Explorer.EXE
Path: C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
10.0.19041.1806 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 4372
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.546 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 4572
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013_1\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013_1\FileCoAuth.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013_1\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 4900
CMD: "C:\WINDOWS\SoftwareDistribution\Download\Install\AM_Base.exe"
Path: C:\Windows\SoftwareDistribution\Download\Install\AM_Base.exe
Parent process: wuauclt.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
AntiMalware Definition Update
Exit code:
0
Version:
1.381.0.0
Modules
Images
c:\windows\softwaredistribution\download\install\am_base.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\bcryptprimitives.dll
PID: 5404
CMD: C:\WINDOWS\system32\MpSigStub.exe /stub 1.1.18500.10 /payload 1.1.19900.2 /MpWUStub /program C:\WINDOWS\SoftwareDistribution\Download\Install\AM_Engine.exe
Path: C:\Windows\System32\MpSigStub.exe
Parent process: AM_Engine.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Malware Protection Signature Update Stub
Exit code:
2147942405
Version:
1.1.18500.10 (bd3bd17b10e8c188734ef863541b1db0d3f8b954)
Modules
Images
c:\windows\system32\mpsigstub.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\bcryptprimitives.dll
PID: 5984
CMD: "C:\WINDOWS\SoftwareDistribution\Download\Install\AM_Engine.exe"
Path: C:\Windows\SoftwareDistribution\Download\Install\AM_Engine.exe
Parent process: wuauclt.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
AntiMalware Definition Update
Exit code:
0
Version:
1.1.19900.2
Modules
Images
c:\windows\softwaredistribution\download\install\am_engine.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\bcryptprimitives.dll
Total events: 4 063
Read events: 4 045
Write events: 16
Delete events: 2

Modification events

(PID) Process: (3492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}.check.800
Operation: write
Name: CheckSetting
Value: 23004100430042006C006F00620000000000000000000000010000003D68DDD8753413B5
(PID) Process: (3492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}.check.800
Operation: write
Name: CheckSetting
Value: 23004100430042006C006F006200000000000000010000008000000098088314F8688E7A939DD901000000007B00440045003700420032003400450041002D0037003300430038002D0034004100300039002D0039003800350044002D003500420044004100440043004600410039003000310037007D002E006E006F00740069006600690063006100740069006F006E002E00320000001F1F1F1F1F1F1F1F000000
(PID) Process: (5984) AM_Engine.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MpSigStub
Operation: write
Name: LastStartTime
Value: 332C5E360A0BD901
(PID) Process: (4900) AM_Base.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MpSigStub
Operation: write
Name: LastStartTime
Value: B6A953D9939DD901
(PID) Process: (4900) AM_Base.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MpSigStub
Operation: write
Name: LastExitCode
Value: 0
(PID) Process: (5404) MpSigStub.exe
Key: \REGISTRY\A\{fde979c6-df5c-32b4-9598-b9688a2cae99}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1
(PID) Process: (5404) MpSigStub.exe
Key: \REGISTRY\A\{fde979c6-df5c-32b4-9598-b9688a2cae99}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value:
(PID) Process: (5404) MpSigStub.exe
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property
Operation: write
Name: 0018C0078EAEE7CC
Value:
(PID) Process: (5404) MpSigStub.exe
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Operation: write
Name: DeviceTicket
Value:
(PID) Process: (5404) MpSigStub.exe
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Operation: write
Name: DeviceId
Value: 0018C0078EAEE7CC
Executable files: 7
Suspicious files: 3
Text files: 5
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 5404 | Process: MpSigStub.exe | Filename: C:\WINDOWS\Temp\3B4B1C2A-7C2F-4098-A140-C0A7CD8037F9151c.1d99d93d9580d2a\mpasbase.vdm
MD5:
SHA256:
PID: 5404 | Process: MpSigStub.exe | Filename: C:\WINDOWS\Temp\3B4B1C2A-7C2F-4098-A140-C0A7CD8037F9151c.1d99d93d9580d2a\mpavbase.vdm
MD5:
SHA256:
PID: 5404 | Process: MpSigStub.exe | Filename: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\mpasbase.vdm
MD5:
SHA256:
PID: 5404 | Process: MpSigStub.exe | Filename: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\mpavbase.vdm
MD5:
SHA256:
PID: 5404 | Process: MpSigStub.exe | Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_0x80070005_e865777b0d7de36448289cda813de552cfbf9e1_00000000_be704ede-3620-498b-937c-4dc38e6c817f\Report.wer
MD5:
SHA256:
PID: 4572 | Process: FileCoAuth.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-06-13.0108.4572.1.aodl | Type: binary
MD5: 923BF0E545D9C37CA8874C8D6C4A30E6
SHA256: AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65
PID: 4572 | Process: FileCoAuth.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-06-13.0108.4572.1.odl | Type: binary
MD5: 3BC9CF0A09B0CBF752C0717931E05D92
SHA256: AD3306CF29D56461F72878F2FD57AE1AB232C80D4EBA335C94E5DB1979BC26CA
PID: 5404 | Process: MpSigStub.exe | Filename: C:\WINDOWS\Temp\3B4B1C2A-7C2F-4098-A140-C0A7CD8037F9151c.1d99d93d9580d2a\mpavdlta.vdm | Type: executable
MD5: D9FC3B46C6FB8137A7554DB7C23F33AC
SHA256: 03CBBC7FB5A50A726E3E5D58E8F1E67538F395A103CAD82D7AD3C827B112B9DD
PID: 5404 | Process: MpSigStub.exe | Filename: C:\WINDOWS\Temp\E8A562D5-E836-4DBB-9F9D-7FF3A01EDA98-Sigs\MpSigStub.pid | Type: binary
MD5: D2741D88ABF745745EDF4A9F7969951E
SHA256: DFCBC278CFF0C13FED5DA38ADC49CBFDD1216A31605448E42658D09C3A1FD149
PID: 3492 | Process: explorer.exe | Filename: C:\Users\admin\AppData\Roaming\ricgshj | Type: executable
MD5: 7D726C8BE35F9E9F010363C050EE86B3
SHA256: B2C3517BB90933390DF4EB01C6BA36F2A519A69B5BCEE703F4889B8336CB7027
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 452
TCP/UDP connections: 97
DNS requests: 28
Threats: 13

HTTP requests

PID  | Process     | Method | HTTP Code | IP                | URL | CN | Type | Size    | Reputation
5348 | svchost.exe | GET    | -         | 13.85.23.86:443   | https://slscr.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.19044.1889/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1865&MK=DELL&MD=DELL | US | -   | -       | whitelisted
5348 | svchost.exe | GET    | -         | 13.85.23.86:443   | https://slscr.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.19044.1889/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1865&MK=DELL&MD=DELL | US | -   | -       | whitelisted
5348 | svchost.exe | GET    | -         | 13.85.23.86:443   | https://slscr.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.19044.1889/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1865&MK=DELL&MD=DELL | US | -   | -       | whitelisted
5348 | svchost.exe | GET    | -         | 13.85.23.86:443   | https://slscr.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.19044.1889/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1865&MK=DELL&MD=DELL | US | -   | -       | whitelisted
1432 | svchost.exe | POST   | 200       | 40.126.31.67:443  | https://login.live.com/RST2.srf | US | xml | 9.93 Kb | whitelisted
1432 | svchost.exe | POST   | 200       | 40.126.31.67:443  | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | whitelisted
1432 | svchost.exe | POST   | 200       | 40.126.31.67:443  | https://login.live.com/RST2.srf | US | xml | 9.93 Kb | whitelisted
5348 | svchost.exe | GET    | 200       | 23.35.229.160:80  | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | US | der | 813 b   | whitelisted
5348 | svchost.exe | GET    | -         | 13.85.23.86:443   | https://slscr.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.19044.1889/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1865&MK=DELL&MD=DELL | US | -   | -       | whitelisted
5348 | svchost.exe | GET    | 200       | 23.35.229.160:80  | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | US | der | 401 b   | whitelisted

Connections

PID  | Process             | IP                   | Domain                              | ASN                         | CN | Reputation
4764 | MoUsoCoreWorker.exe | 20.73.194.208:443    | settings-win.data.microsoft.com     | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4    | System              | 192.168.100.255:138  | -                                   | -                           | -  | whitelisted
2900 | svchost.exe         | 51.105.71.136:443    | v10.events.data.microsoft.com       | MICROSOFT-CORP-MSN-AS-BLOCK | GB | suspicious
5348 | svchost.exe         | 23.35.229.160:80     | www.microsoft.com                   | AKAMAI-AS                   | DE | whitelisted
5348 | svchost.exe         | 23.32.238.91:80      | crl.microsoft.com                   | Akamai International B.V.   | DE | unknown
1432 | svchost.exe         | 40.126.31.67:443     | -                                   | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
-    | -                   | 192.168.100.255:137  | -                                   | -                           | -  | whitelisted
1992 | svchost.exe         | 40.127.240.158:443   | settings-win.data.microsoft.com     | MICROSOFT-CORP-MSN-AS-BLOCK | IE | suspicious
5716 | svchost.exe         | 23.212.213.218:443   | geover.prod.do.dsp.mp.microsoft.com | AKAMAI-AS                   | AU | unknown
4700 | svchost.exe         | 20.73.194.208:443    | settings-win.data.microsoft.com     | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.124.78.146
whitelisted
slscr.update.microsoft.com
  • 13.85.23.86
whitelisted
v10.events.data.microsoft.com
  • 51.105.71.136
whitelisted
crl.microsoft.com
  • 23.32.238.91
  • 23.32.238.147
  • 95.101.54.122
  • 95.101.54.128
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 23.52.120.96
  • 95.101.149.131
whitelisted
geo.prod.do.dsp.mp.microsoft.com
  • 20.191.46.211
whitelisted
geover.prod.do.dsp.mp.microsoft.com
  • 23.212.213.218
whitelisted
au.download.windowsupdate.com
  • 209.197.3.8
whitelisted
stalagmijesarl.com
  • 194.50.153.77
malicious
ukdantist-sarl.com
  • 194.50.153.77
malicious

Threats

PID  | Process     | Class         | Message
4680 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
4680 | svchost.exe | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft
4680 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
4680 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
4680 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
4680 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
4680 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
4680 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
4680 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
4680 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
No debug info