File name:

b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe

Full analysis: https://app.any.run/tasks/edc26f8e-f3cf-4ed6-a600-581260228c0e
Verdict: Malicious activity
Analysis date: May 31, 2024, 10:21:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows, MZ for MS-DOS
MD5:

55F00748454A5BC47A98D5CD51F2E877

SHA1:

3E8B2354B6987D4FAD54E838DDE767DF1554A3BB

SHA256:

B7974DFD10DEA3D89979B441677202D9BE7D5C9EAB26DF59B9D7AFE27F56A290

SSDEEP:

6144:c0/1Thw5w4qjPRrf2VrRZHMrbLcPNDVVVVVVV6qqqqqqqqqqqqqqqqqqqqqqqqqY:HcPNDVVVVVVV6qqqqqqqqqqqqqqqqqqr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe (PID: 6324)
      • explorer.exe (PID: 6364)
      • spoolsv.exe (PID: 6384)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 6364)
      • svchost.exe (PID: 6404)
      • explorer.exe (PID: 4768)
      • svchost.exe (PID: 4800)
      • svchost.exe (PID: 6072)
      • explorer.exe (PID: 5972)
    • Changes appearance of the Explorer extensions

      • svchost.exe (PID: 6404)
      • explorer.exe (PID: 6364)
      • explorer.exe (PID: 5972)
      • svchost.exe (PID: 6072)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe (PID: 6324)
      • explorer.exe (PID: 6364)
      • spoolsv.exe (PID: 6384)
    • The process creates files with name similar to system file names

      • b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe (PID: 6324)
      • spoolsv.exe (PID: 6384)
    • Starts itself from another location

      • b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe (PID: 6324)
      • explorer.exe (PID: 6364)
      • spoolsv.exe (PID: 6384)
      • svchost.exe (PID: 6404)
      • explorer.exe (PID: 5972)
      • spoolsv.exe (PID: 6052)
      • svchost.exe (PID: 6072)
    • Reads security settings of Internet Explorer

      • TextInputHost.exe (PID: 6976)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 876)
  • INFO

    • Checks supported languages

      • b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe (PID: 6324)
      • explorer.exe (PID: 6364)
      • spoolsv.exe (PID: 6384)
      • svchost.exe (PID: 6404)
      • spoolsv.exe (PID: 6432)
      • PLUGScheduler.exe (PID: 876)
      • TextInputHost.exe (PID: 6976)
      • explorer.exe (PID: 4768)
      • svchost.exe (PID: 4800)
      • explorer.exe (PID: 5972)
      • spoolsv.exe (PID: 6052)
      • svchost.exe (PID: 6072)
      • spoolsv.exe (PID: 6092)
      • svchost.exe (PID: 764)
    • Create files in a temporary directory

      • b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe (PID: 6324)
      • spoolsv.exe (PID: 6384)
      • svchost.exe (PID: 6404)
      • explorer.exe (PID: 6364)
      • spoolsv.exe (PID: 6432)
      • explorer.exe (PID: 4768)
      • svchost.exe (PID: 6072)
      • explorer.exe (PID: 5972)
      • spoolsv.exe (PID: 6052)
      • spoolsv.exe (PID: 6092)
      • svchost.exe (PID: 4800)
      • svchost.exe (PID: 764)
    • Reads the computer name

      • svchost.exe (PID: 6404)
      • TextInputHost.exe (PID: 6976)
      • PLUGScheduler.exe (PID: 876)
      • svchost.exe (PID: 6072)
    • Reads the time zone

      • runonce.exe (PID: 4496)
    • Manual execution by a user

      • runonce.exe (PID: 4496)
      • explorer.exe (PID: 5916)
      • explorer.exe (PID: 5972)
      • svchost.exe (PID: 6132)
      • svchost.exe (PID: 764)
    • Creates files in the program directory

      • PLUGScheduler.exe (PID: 876)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 4528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
All screenshots are available in the full report
Total processes: 251
Monitored processes: 19
Malicious processes: 10
Suspicious processes: 1

Behavior graph

Monitored processes in the order the graph shows them ("no specs" is the graph's label for a process with no indicators attached):
  • b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe
  • explorer.exe
  • spoolsv.exe
  • svchost.exe
  • spoolsv.exe (no specs)
  • textinputhost.exe (no specs)
  • plugscheduler.exe (no specs)
  • runonce.exe
  • runonce.exe (no specs)
  • explorer.exe
  • svchost.exe
  • explorer.exe (no specs)
  • explorer.exe
  • spoolsv.exe (no specs)
  • svchost.exe
  • spoolsv.exe (no specs)
  • svchost.exe (no specs)
  • svchost.exe
  • b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 764
CMD: "C:\Windows\Resources\svchost.exe"
Path: C:\Windows\Resources\svchost.exe
Parent process: runonce.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 876
CMD: "C:\Program Files\RUXIM\PLUGscheduler.exe"
Path: C:\Program Files\RUXIM\PLUGScheduler.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Update LifeCycle Component Scheduler
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
PID: 4496
CMD: runonce.exe /Explorer
Path: C:\Windows\System32\runonce.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Run Once Wrapper
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runonce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID: 4528
CMD: C:\WINDOWS\SysWOW64\runonce.exe /RunOnce6432
Path: C:\Windows\SysWOW64\runonce.exe
Parent process: runonce.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Run Once Wrapper
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\runonce.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 4768
CMD: "C:\Windows\Resources\Themes\explorer.exe" RO
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: runonce.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvbvm60.dll
c:\windows\syswow64\user32.dll
PID: 4800
CMD: "C:\Windows\Resources\svchost.exe" RO
Path: C:\Windows\Resources\svchost.exe
Parent process: runonce.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvbvm60.dll
c:\windows\syswow64\user32.dll
PID: 5916
CMD: "C:\Windows\Resources\Themes\explorer.exe"
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: runonce.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 5972
CMD: "C:\Windows\Resources\Themes\explorer.exe"
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: runonce.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 6052
CMD: c:\windows\resources\spoolsv.exe SE
Path: C:\Windows\Resources\spoolsv.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 6072
CMD: c:\windows\resources\svchost.exe
Path: C:\Windows\Resources\svchost.exe
Parent process: spoolsv.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
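The process table above is where this sample's masquerading shows: copies named explorer.exe, svchost.exe and spoolsv.exe run from C:\Windows\Resources and C:\Windows\Resources\Themes rather than from C:\Windows or System32, the svchost.exe and spoolsv.exe copies run as user admin rather than under a service account, and each copy that got past startup loads msvbvm60.dll, the Visual Basic 6 runtime (the sample's ProductName "Project1" and its "VB and VBA Program Settings" registry key point the same way). The script below is an added example, not code from the report or from ANY.RUN: it encodes those three checks and runs them over records constructed from the table. The expected-location table and the service-account list are assumptions of the example.

```python
"""Flag processes whose image name imitates a Windows system binary but whose
image path, owner or loaded runtime does not fit the genuine binary.

Added example, not part of the ANY.RUN report. SAMPLE is constructed from the
report's Process information section (PID, image path, parent, user and the
msvbvm60.dll entries of the module lists, abbreviated); EXPECTED_DIRS and
SERVICE_ACCOUNTS are assumptions of this example."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Where the genuine binary of this name lives on 64-bit Windows 10 (assumption).
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe":  {r"c:\windows\system32"},
    "runonce.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
}
# Genuine service hosts run under service accounts, never as the logged-on user.
SERVICE_BINARIES = {"svchost.exe", "spoolsv.exe"}
SERVICE_ACCOUNTS = {"system", "local service", "network service"}
# The Visual Basic 6 runtime; no Windows system binary loads it.
SUSPICIOUS_MODULES = {"msvbvm60.dll"}


@dataclass
class Proc:
    pid: int
    path: str
    parent: str
    user: str
    modules: list = field(default_factory=list)


def masquerade_findings(p: Proc) -> list:
    """Return the reasons this process looks like a renamed copy, [] if none."""
    image = PureWindowsPath(p.path)
    name = image.name.lower()
    reasons = []
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and str(image.parent).lower() not in expected:
        reasons.append(f"{name} runs from {image.parent}, expected {sorted(expected)}")
    if name in SERVICE_BINARIES and p.user.lower() not in SERVICE_ACCOUNTS:
        reasons.append(f"{name} runs as '{p.user}', not a service account")
    loaded = {PureWindowsPath(m).name.lower() for m in p.modules}
    for mod in sorted(loaded & SUSPICIOUS_MODULES):
        reasons.append(f"loads {mod} (VB6 runtime)")
    return reasons


def scan(procs) -> dict:
    """Map PID -> findings for every process that has at least one."""
    out = {}
    for p in procs:
        r = masquerade_findings(p)
        if r:
            out[p.pid] = r
    return out


# Constructed from the report's process table; module lists are abbreviated.
SAMPLE = [
    Proc(764,  r"C:\Windows\Resources\svchost.exe",        "runonce.exe",  "admin",
         [r"c:\windows\syswow64\kernel32.dll", r"c:\windows\syswow64\msvbvm60.dll"]),
    Proc(876,  r"C:\Program Files\RUXIM\PLUGScheduler.exe", "svchost.exe",  "SYSTEM",
         [r"c:\windows\system32\ntdll.dll", r"c:\windows\system32\combase.dll"]),
    Proc(4496, r"C:\Windows\System32\runonce.exe",          "explorer.exe", "admin",
         [r"c:\windows\system32\ntdll.dll", r"c:\windows\system32\advapi32.dll"]),
    Proc(4768, r"C:\Windows\Resources\Themes\explorer.exe", "runonce.exe",  "admin",
         [r"c:\windows\syswow64\msvbvm60.dll", r"c:\windows\syswow64\user32.dll"]),
    Proc(6052, r"C:\Windows\Resources\spoolsv.exe",         "explorer.exe", "admin",
         [r"c:\windows\syswow64\apphelp.dll", r"c:\windows\syswow64\msvbvm60.dll"]),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

Path and name checks are the useful indicator here rather than file hashes: the three dropped executables listed under Dropped files each carry an MD5 and SHA256 different from the submitted sample and from each other, so a hash match on the parent would miss the copies.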
Total events: 4 144
Read events: 4 088
Write events: 46
Delete events: 10

Modification events

(PID) Process: (6324) b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

(PID) Process: (6364) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

(PID) Process: (6364) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

(PID) Process: (6364) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value:

(PID) Process: (6364) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Value:

(PID) Process: (6364) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation: write
Name: ShowSuperHidden
Value: 0

(PID) Process: (6404) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

(PID) Process: (6404) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

(PID) Process: (6404) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value:

(PID) Process: (6404) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Value:
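These events record the persistence mechanism. The dropped copies write RunOnce values named Explorer and Svchost (under the WOW6432Node view, since they are 32-bit processes) that point at the copies in C:\Windows\Resources, delete the same-named values from Run, and set ShowSuperHidden to 0, the Explorer option that stops hidden-and-system files from being displayed. Windows removes a RunOnce value once it has run it, so a sample that persists through RunOnce must rewrite the value on every execution; the delete-from-Run, write-to-RunOnce pair issued by the same process is that re-arming. The script below is an added example, not code from the report or from ANY.RUN: it classifies such events from a constructed copy of PID 6364's rows (PID 6404's are identical). The trusted-directory list and the finding names are assumptions of the example.

```python
"""Classify the registry modifications a sandbox run recorded.

Added example, not part of the ANY.RUN report. EVENTS is constructed from the
report's Modification events table; TRUSTED_EXACT, TRUSTED_PREFIXES and the
finding names are assumptions of this example."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Directories a legitimate autorun entry is expected to point into (assumption).
TRUSTED_EXACT = {r"c:\windows"}
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64",
                    r"c:\program files", r"c:\program files (x86)")


def exe_from_command(cmd: str) -> str:
    """Executable path from an autorun command, quoted ("x y.exe" args) or bare (x.exe args)."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0]


def in_trusted_dir(exe: str) -> bool:
    """True when the executable's directory is one of the trusted locations."""
    d = str(PureWindowsPath(exe).parent).lower()
    return d in TRUSTED_EXACT or any(
        d == p or d.startswith(p + "\\") for p in TRUSTED_PREFIXES)


def autorun_kind(key: str):
    """'runonce', 'run' or None; hive and WOW6432Node do not matter here."""
    k = key.lower()
    if k.endswith(r"\microsoft\windows\currentversion\runonce"):
        return "runonce"
    if k.endswith(r"\microsoft\windows\currentversion\run"):
        return "run"
    return None


def analyze(events):
    """Return (pid, finding, detail) triples for the suspicious events."""
    findings = []
    run_deleted = defaultdict(set)      # pid -> value names deleted from Run
    runonce_written = defaultdict(set)  # pid -> value names written to RunOnce
    for e in events:
        kind = autorun_kind(e["key"])
        name = e["name"].lower()
        if kind and e["op"] == "write":
            exe = exe_from_command(e["value"])
            if not in_trusted_dir(exe):
                findings.append((e["pid"], "autorun_untrusted_path",
                                 f"{kind}\\{e['name']} -> {exe}"))
            if kind == "runonce":
                runonce_written[e["pid"]].add(name)
        elif kind == "run" and e["op"] == "delete value":
            run_deleted[e["pid"]].add(name)
        elif (e["key"].lower().endswith(r"\explorer\advanced")
              and name == "showsuperhidden" and e["value"] == "0"):
            findings.append((e["pid"], "hide_super_hidden",
                             "ShowSuperHidden=0: Explorer hides hidden+system files"))
    # Windows removes a RunOnce value after running it; deleting the Run value
    # and rewriting RunOnce under the same name re-arms persistence each run.
    for pid, names in run_deleted.items():
        for n in sorted(names & runonce_written[pid]):
            findings.append((pid, "autorun_rearmed",
                             f"Run\\{n} deleted, RunOnce\\{n} rewritten"))
    return findings


RUNONCE = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
ADVANCED = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Constructed from the report's Modification events (PID 6324 and 6364 rows).
EVENTS = [
    {"pid": 6324, "key": r"HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process",
     "op": "write", "name": "LO", "value": "1"},
    {"pid": 6364, "key": RUNONCE, "op": "write", "name": "Explorer",
     "value": r"c:\windows\resources\themes\explorer.exe RO"},
    {"pid": 6364, "key": RUNONCE, "op": "write", "name": "Svchost",
     "value": r"c:\windows\resources\svchost.exe RO"},
    {"pid": 6364, "key": RUN, "op": "delete value", "name": "Explorer", "value": ""},
    {"pid": 6364, "key": RUN, "op": "delete value", "name": "Svchost", "value": ""},
    {"pid": 6364, "key": ADVANCED, "op": "write", "name": "ShowSuperHidden", "value": "0"},
]

if __name__ == "__main__":
    for pid, finding, detail in analyze(EVENTS):
        print(pid, finding, detail)
```

The VB settings write by PID 6324 (the SaveSetting key a VB6 program uses for its own state) produces no finding; the five findings all belong to the dropped explorer.exe copy.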
Executable files: 3
Suspicious files: 20
Text files: 0
Unknown types: 2

Dropped files

PID
Process
Filename
Type
PID: 6384
Process: spoolsv.exe
Filename: C:\windows\resources\svchost.exe
Type: executable
MD5: E4406BE41445F416CFB8C37553C754A0
SHA256: F61818E5537380B6914AB307D60F86F76B6AC84BEC178BA37E4AB407B8448165

PID: 6324
Process: b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF229E9DBA1B0D3E6B.TMP
Type: binary
MD5: 6299CBC2138013E1C3281A435126C197
SHA256: BEA87AB178A11FE3C21F2B1EE7B25D3942FC4C582B0E07FF5F03E9DE57EC5E88

PID: 6324
Process: b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe
Filename: C:\windows\resources\themes\explorer.exe
Type: executable
MD5: 28788445AC7F9BF8C9ABBAE84DF847CA
SHA256: 18A0DC3743A6D5322CBFF2F3ADC8FBE3299C308ADFBE4025DCA164470AA31E02

PID: 876
Process: PLUGScheduler.exe
Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.015.etl
Type: etl
MD5: FA358BFEE9B4E1FFB7394D13CBBC4898
SHA256: 6FF97BBF8A56286A4C71623829514CC14B7F8CBBCF09748D939F733968478A22

PID: 6384
Process: spoolsv.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF367E81B9F849D679.TMP
Type: binary
MD5: 40AC19CED58CF900A10DB566A743A18E
SHA256: F6E8E538CF02F76640122575D37ED17E111ED858AA020714243736D5E68A9983

PID: 876
Process: PLUGScheduler.exe
Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.010.etl
Type: etl
MD5: 868E79A00A8204448B2FFC4F4D5C08EA
SHA256: 148FE324431CB4C826BCF0436147D946AC389A877732612CF40629048B8517DC

PID: 6364
Process: explorer.exe
Filename: C:\windows\resources\spoolsv.exe
Type: executable
MD5: 173A4448FED6A11B178AF74FE4FE4905
SHA256: F8C846285569AAC1973ED33B5753496AC15B8703B37DFC4A22E6D67FE08AD10E

PID: 876
Process: PLUGScheduler.exe
Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.013.etl
Type: etl
MD5: 673727AF7C6805E869C9F8BE1E468F4A
SHA256: 6B16B7DE97F397BCEC36EB3F18C7B64CD3DB6D2974DDF319A251CE27B80D837B

PID: 6432
Process: spoolsv.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFDB3C34718E6ED513.TMP
Type: binary
MD5: 2F3D30F7B680264DB06B38BE974317F9
SHA256: 48A74FEE917EDD5123CF238E29B0665DF9CB96EF6BF55E0EA1DDF35542B1E814

PID: 876
Process: PLUGScheduler.exe
Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.007.etl
Type: etl
MD5: C8834D365FAE073DEDE1F1620454CE71
SHA256: C6DD793EEE1D5551CA507A3C5BFFECA82DD3E29C63C2C6DD218A7D4BFB37046B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 29
TCP/UDP connections: 33
DNS requests: 13
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5140
MoUsoCoreWorker.exe
GET
200
2.20.13.130:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
4312
RUXIMICS.exe
GET
200
2.20.13.130:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
4264
svchost.exe
GET
200
2.20.13.130:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
4312
RUXIMICS.exe
GET
200
2.22.201.205:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
5140
MoUsoCoreWorker.exe
GET
200
2.22.201.205:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
4264
svchost.exe
GET
200
2.22.201.205:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
GET
200
23.45.176.238:443
https://r.bing.com/rb/17/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DygxdoIBhQGIAX95fLsBvgExrgExwQE&or=w
unknown
21.3 Kb
GET
200
23.45.176.238:443
https://r.bing.com/rb/1a/cir3,ortl,cc,nc/oT6Um3bDKq3bSDJ4e0e-YJ5MXCI.css?bu=B68CP54ChwFZWbkC&or=w
unknown
5.88 Kb
GET
200
23.45.176.197:443
https://r.bing.com/rb/1a/cir3,ortl,cc,nc/uANxnX_BheDjd2-cdR8N9DEWlds.css?bu=C8QIhQP7A5wJhQjvB6QGWVlZWQ&or=w
unknown
19.9 Kb
GET
200
23.45.176.240:443
https://r.bing.com/rb/3K/ortl,cc,nc/4-xJy3tX6bM2BGl5zKioiEcQ1TU.css?bu=A4gCjAKPAg&or=w
unknown
15.5 Kb

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4264
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4312
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
239.255.255.250:1900
unknown
5140
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5140
MoUsoCoreWorker.exe
2.20.13.130:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
4312
RUXIMICS.exe
2.20.13.130:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
4264
svchost.exe
2.20.13.130:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
5140
MoUsoCoreWorker.exe
2.22.201.205:80
www.microsoft.com
AKAMAI-AS
FR
unknown
4312
RUXIMICS.exe
2.22.201.205:80
www.microsoft.com
AKAMAI-AS
FR
unknown
4264
svchost.exe
2.22.201.205:80
www.microsoft.com
AKAMAI-AS
FR
unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.20.13.130
  • 2.20.13.143
unknown
www.microsoft.com
  • 2.22.201.205
unknown
settings-win.data.microsoft.com
  • 40.127.240.158
unknown
www.bing.com
  • 23.45.176.238
  • 23.45.176.222
  • 23.45.176.225
  • 23.45.176.240
  • 23.45.176.197
unknown
self.events.data.microsoft.com
  • 104.208.16.89
  • 13.69.239.72
unknown
officeclient.microsoft.com
  • 52.109.28.46
unknown
ecs.office.com
  • 52.123.243.197
  • 52.123.243.215
  • 52.123.243.68
  • 52.123.243.84
unknown
r.bing.com
  • 23.45.176.240
  • 23.45.176.197
  • 23.45.176.238
unknown

Threats

No threats detected
No debug info