File name:

crss.exe

Full analysis: https://app.any.run/tasks/cc4e3d29-5ffe-4220-bbe7-88e02085c032
Verdict: Malicious activity
Analysis date: October 29, 2024, 16:22:37
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
pyinstaller
rust
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

F3BB8CF06F10DD217E03FDBC59469133

SHA1:

0C502245D752A6025706E77D67BD20815C8534E4

SHA256:

B7A5D160E405DD03C501272FFBD4D0B8C33FEA67FE357C3362AAEA1B49B820D4

SSDEEP:

98304:s6ClazeJu8M+J4tqaOFHhwIsRjKOVWjtKxgA5evnaY8g2XpNpZM/xiLEDKIbjQrc:47rbyLh6YCU3pIwWm1bUe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • crss.exe (PID: 2648)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • crss.exe (PID: 5832)

    • The process drops C-runtime libraries

      • crss.exe (PID: 5832)

    • Application launched itself

      • crss.exe (PID: 5832)

    • Process drops python dynamic module

      • crss.exe (PID: 5832)

    • Process drops legitimate windows executable

      • crss.exe (PID: 5832)

    • Starts CMD.EXE for commands execution

      • crss.exe (PID: 2648)

    • Potential Corporate Privacy Violation

      • crss.exe (PID: 2648)

  • INFO

    • Create files in a temporary directory

      • crss.exe (PID: 5832)

    • Checks supported languages

      • crss.exe (PID: 5832)
      • crss.exe (PID: 2648)

    • Reads the computer name

      • crss.exe (PID: 5832)
      • crss.exe (PID: 2648)

    • Reads the machine GUID from the registry

      • crss.exe (PID: 2648)

    • Checks operating system version

      • crss.exe (PID: 2648)

    • Checks proxy server information

      • crss.exe (PID: 2648)

    • PyInstaller has been detected (YARA)

      • crss.exe (PID: 2648)
      • crss.exe (PID: 5832)

    • Application based on Rust

      • crss.exe (PID: 2648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:10:29 16:21:28+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 172032
InitializedDataSize: 93184
UninitializedDataSize: -
EntryPoint: 0xcdb0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
125
Monitored processes
4
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start THREAT crss.exe THREAT crss.exe cmd.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2648"C:\Users\admin\Desktop\crss.exe" C:\Users\admin\Desktop\crss.exe
crss.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\crss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3648\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5832"C:\Users\admin\Desktop\crss.exe" C:\Users\admin\Desktop\crss.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\crss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
5920C:\WINDOWS\system32\cmd.exe /c "ver"C:\Windows\System32\cmd.execrss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
348
Read events
347
Write events
1
Delete events
0

Modification events

(PID) Process:(2648) crss.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:козляк
Value:
C:\Users\admin\Desktop\crss.exe
Executable files
33
Suspicious files
1
Text files
122
Unknown types
0

Dropped files

PID
Process
Filename
Type
5832crss.exeC:\Users\admin\AppData\Local\Temp\_MEI58322\VCRUNTIME140_1.dllexecutable
MD5:135359D350F72AD4BF716B764D39E749
SHA256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
5832crss.exeC:\Users\admin\AppData\Local\Temp\_MEI58322\_multiprocessing.pydexecutable
MD5:A9A0588711147E01EED59BE23C7944A9
SHA256:7581EDEA33C1DB0A49B8361E51E6291688601640E57D75909FB2007B2104FA4C
5832crss.exeC:\Users\admin\AppData\Local\Temp\_MEI58322\_bz2.pydexecutable
MD5:86D1B2A9070CD7D52124126A357FF067
SHA256:62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E
5832crss.exeC:\Users\admin\AppData\Local\Temp\_MEI58322\_lzma.pydexecutable
MD5:7447EFD8D71E8A1929BE0FAC722B42DC
SHA256:60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
5832crss.exeC:\Users\admin\AppData\Local\Temp\_MEI58322\_hashlib.pydexecutable
MD5:D4674750C732F0DB4C4DD6A83A9124FE
SHA256:CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
5832crss.exeC:\Users\admin\AppData\Local\Temp\_MEI58322\_ctypes.pydexecutable
MD5:1635A0C5A72DF5AE64072CBB0065AEBE
SHA256:1EA3DD3DF393FA9B27BF6595BE4AC859064CD8EF9908A12378A6021BBA1CB177
5832crss.exeC:\Users\admin\AppData\Local\Temp\_MEI58322\_decimal.pydexecutable
MD5:20C77203DDF9FF2FF96D6D11DEA2EDCF
SHA256:9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
5832crss.exeC:\Users\admin\AppData\Local\Temp\_MEI58322\_brotli.cp310-win_amd64.pydexecutable
MD5:EE3D454883556A68920CAAEDEFBC1F83
SHA256:791E7195D7DF47A21466868F3D7386CFF13F16C51FCD0350BF4028E96278DFF1
5832crss.exeC:\Users\admin\AppData\Local\Temp\_MEI58322\_socket.pydexecutable
MD5:819166054FEC07EFCD1062F13C2147EE
SHA256:E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
5832crss.exeC:\Users\admin\AppData\Local\Temp\_MEI58322\_queue.pydexecutable
MD5:D8C1B81BBC125B6AD1F48A172181336E
SHA256:925F05255F4AAE0997DC4EC94D900FD15950FD840685D5B8AA755427C7422B14
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
1 000
DNS requests
9
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5488
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1248
RUXIMICS.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1248
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2648
crss.exe
GET
200
142.250.184.228:80
http://www.google.com/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1248
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1248
RUXIMICS.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1248
RUXIMICS.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5488
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
www.google.com
  • 142.250.184.228
whitelisted
raw.githubusercontent.com
  • 185.199.109.133
  • 185.199.111.133
  • 185.199.110.133
  • 185.199.108.133
shared
self.events.data.microsoft.com
  • 20.189.173.4
whitelisted

Threats

PID
Process
Class
Message
2172
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
crss.exe