File name: b90c8c645e7f9449e5d51523f6c84c7309d7d755c33c57073597ae330e49c273

Full analysis: https://app.any.run/tasks/a59c03a5-fbb5-4908-90fa-49674bdecd01
Verdict: Malicious activity
Analysis date: November 02, 2024, 14:37:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
vobfus
worm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 1F25C98B9980DC2756C34B3751F580DA
SHA1: 006E2E1A9223FAE0BC7E6817284B8BF0BFEC54D6
SHA256: B90C8C645E7F9449E5D51523F6C84C7309D7D755C33C57073597AE330E49C273
SSDEEP: 3072:nunsO3QZLqIlCubM+EMVezSFW3EFySfAb0LUorn5lCA8TA2Mn1klaQAid6yjquXS:nO3QZLqIlCubM+EMVkSFW3uySfAb0LUi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • VOBFUS has been detected

      • b90c8c645e7f9449e5d51523f6c84c7309d7d755c33c57073597ae330e49c273.exe (PID: 6468)
    • Changes the autorun value in the registry

      • b90c8c645e7f9449e5d51523f6c84c7309d7d755c33c57073597ae330e49c273.exe (PID: 6468)
    • Changes the Windows auto-update feature

      • b90c8c645e7f9449e5d51523f6c84c7309d7d755c33c57073597ae330e49c273.exe (PID: 6468)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • b90c8c645e7f9449e5d51523f6c84c7309d7d755c33c57073597ae330e49c273.exe (PID: 6468)
      • wuiuxuh.exe (PID: 7080)
      • jktef.exe (PID: 3824)
      • yeopa.exe (PID: 7124)
      • wooohe.exe (PID: 7128)
      • guqup.exe (PID: 1084)
      • toogel.exe (PID: 3964)
      • baueh.exe (PID: 4868)
      • meeazad.exe (PID: 2428)
      • miaudo.exe (PID: 2272)
      • neecek.exe (PID: 6596)
      • riusio.exe (PID: 6892)
      • xiedal.exe (PID: 7052)
      • hiehe.exe (PID: 6276)
      • maaiya.exe (PID: 6804)
      • xuauyic.exe (PID: 6232)
      • cauuh.exe (PID: 6416)
      • rpkoug.exe (PID: 2376)
      • keegoj.exe (PID: 3108)
      • reoag.exe (PID: 6764)
      • fyjieg.exe (PID: 5956)
      • tauxua.exe (PID: 2140)
      • ltruy.exe (PID: 4080)
      • peeki.exe (PID: 6260)
      • qoedaej.exe (PID: 864)
      • kiedoh.exe (PID: 6556)
      • veonaof.exe (PID: 6628)
      • naieya.exe (PID: 1252)
      • luxol.exe (PID: 5912)
      • guined.exe (PID: 1572)
      • biukeum.exe (PID: 7100)
      • puuhaq.exe (PID: 4340)
      • yaubuod.exe (PID: 3904)
      • gouox.exe (PID: 1952)
      • qxgeav.exe (PID: 6932)
      • pouyef.exe (PID: 696)
      • bieus.exe (PID: 6328)
      • mepas.exe (PID: 6964)
      • zoafaa.exe (PID: 7116)
      • huoesor.exe (PID: 6520)
      • xaauqet.exe (PID: 7184)
      • wuoucig.exe (PID: 540)
      • fieas.exe (PID: 6524)
      • fetat.exe (PID: 4072)
    • Reads security settings of Internet Explorer

      • b90c8c645e7f9449e5d51523f6c84c7309d7d755c33c57073597ae330e49c273.exe (PID: 6468)
  • INFO

    • Checks supported languages

      • b90c8c645e7f9449e5d51523f6c84c7309d7d755c33c57073597ae330e49c273.exe (PID: 6468)
      • jktef.exe (PID: 3824)
    • Reads the computer name

      • b90c8c645e7f9449e5d51523f6c84c7309d7d755c33c57073597ae330e49c273.exe (PID: 6468)
    • Process checks computer location settings

      • b90c8c645e7f9449e5d51523f6c84c7309d7d755c33c57073597ae330e49c273.exe (PID: 6468)
    • The process uses the downloaded file

      • b90c8c645e7f9449e5d51523f6c84c7309d7d755c33c57073597ae330e49c273.exe (PID: 6468)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:04:10 21:59:09+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 102400
InitializedDataSize: 20480
UninitializedDataSize: -
EntryPoint: 0x1164
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
166
Monitored processes
44
Malicious processes
1
Suspicious processes
0

Behavior graph

start #VOBFUS b90c8c645e7f9449e5d51523f6c84c7309d7d755c33c57073597ae330e49c273.exe jktef.exe wuiuxuh.exe yeopa.exe toogel.exe wooohe.exe guqup.exe meeazad.exe baueh.exe miaudo.exe fetat.exe neecek.exe hiehe.exe maaiya.exe xuauyic.exe xiedal.exe rpkoug.exe keegoj.exe reoag.exe fyjieg.exe tauxua.exe cauuh.exe riusio.exe peeki.exe ltruy.exe qoedaej.exe kiedoh.exe veonaof.exe wuoucig.exe fieas.exe naieya.exe biukeum.exe guined.exe yaubuod.exe puuhaq.exe qxgeav.exe pouyef.exe bieus.exe mepas.exe zoafaa.exe gouox.exe huoesor.exe luxol.exe xaauqet.exe

Process information

PID: 540
CMD: "C:\Users\admin\wuoucig.exe"
Path: C:\Users\admin\wuoucig.exe
Parent process: veonaof.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\wuoucig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll

PID: 696
CMD: "C:\Users\admin\pouyef.exe"
Path: C:\Users\admin\pouyef.exe
Parent process: qxgeav.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\pouyef.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll

PID: 864
CMD: "C:\Users\admin\qoedaej.exe"
Path: C:\Users\admin\qoedaej.exe
Parent process: ltruy.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\qoedaej.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll

PID: 1084
CMD: "C:\Users\admin\guqup.exe"
Path: C:\Users\admin\guqup.exe
Parent process: wooohe.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\guqup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll

PID: 1252
CMD: "C:\Users\admin\naieya.exe"
Path: C:\Users\admin\naieya.exe
Parent process: fieas.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\naieya.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll

PID: 1572
CMD: "C:\Users\admin\guined.exe"
Path: C:\Users\admin\guined.exe
Parent process: biukeum.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\guined.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll

PID: 1952
CMD: "C:\Users\admin\gouox.exe"
Path: C:\Users\admin\gouox.exe
Parent process: zoafaa.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\gouox.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll

PID: 2140
CMD: "C:\Users\admin\tauxua.exe"
Path: C:\Users\admin\tauxua.exe
Parent process: fyjieg.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\tauxua.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll

PID: 2272
CMD: "C:\Users\admin\miaudo.exe"
Path: C:\Users\admin\miaudo.exe
Parent process: baueh.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\miaudo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll

PID: 2376
CMD: "C:\Users\admin\rpkoug.exe"
Path: C:\Users\admin\rpkoug.exe
Parent process: xiedal.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\rpkoug.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
Total events
27 783
Read events
27 662
Write events
121
Delete events
0

Modification events

PID 6468, b90c8c645e7f9449e5d51523f6c84c7309d7d755c33c57073597ae330e49c273.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

PID 6468, b90c8c645e7f9449e5d51523f6c84c7309d7d755c33c57073597ae330e49c273.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: jktef
Value: C:\Users\admin\jktef.exe /c

PID 6468, b90c8c645e7f9449e5d51523f6c84c7309d7d755c33c57073597ae330e49c273.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation: write
Name: NoAutoUpdate
Value: 1

PID 3824, jktef.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

PID 3824, jktef.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: wuiuxuh
Value: C:\Users\admin\wuiuxuh.exe /I

PID 3824, jktef.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation: write
Name: NoAutoUpdate
Value: 1

PID 7080, wuiuxuh.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

PID 7080, wuiuxuh.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: yeopa
Value: C:\Users\admin\yeopa.exe /f

PID 7080, wuiuxuh.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation: write
Name: NoAutoUpdate
Value: 1

PID 7124, yeopa.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: toogel
Value: C:\Users\admin\toogel.exe /a
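The two registry behaviours recorded above (a Run value pointing at a freshly dropped executable in the user-profile root, and NoAutoUpdate=1 under the WindowsUpdate policy key) translate directly into host detection rules. The script below is an added example written for this page, not ANY.RUN's code: it runs those rules over constructed records shaped like Sysmon Event ID 13 (RegistryEvent SetValue), reusing the report's key paths and Run values in the sandbox's HKEY_CURRENT_USER notation. The two benign control events, the ATT&CK IDs (T1547.001 for Run-key persistence, T1562.001 for the update policy), and the name-length heuristic (derived from the 5-7 letter names and single-letter switches seen in this run) are assumptions of the example.

```python
"""Registry-event detection for the two behaviours in this report:
Run-key persistence to an .exe in C:\\Users\\<user>\\ and NoAutoUpdate=1.
Events are constructed, shaped like Sysmon Event ID 13 (SetValue);
the ATT&CK IDs are this example's own mapping."""
import re
from dataclasses import dataclass

# Run or RunOnce value under any hive; captures the value name
RUN_KEY_RE = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<value>[^\\]+)$",
    re.IGNORECASE)
NO_AUTO_UPDATE_RE = re.compile(
    r"\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate$", re.IGNORECASE)
# An .exe directly in C:\Users\<user>\ (no subfolder), optionally quoted, with optional args
PROFILE_ROOT_EXE_RE = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\Users\\(?P<user>[^\\"]+)\\(?P<name>[^\\"]+?)\.exe)"?'
    r'(?:\s+(?P<args>.*))?$', re.IGNORECASE)
# Naming pattern seen in this run: 5-7 lowercase letters plus one single-letter switch
VOBFUS_NAME_RE = re.compile(r"^[a-z]{5,7}$")
VOBFUS_ARGS_RE = re.compile(r"^/[A-Za-z]$")

DROPPER = r"C:\Users\admin\b90c8c645e7f9449e5d51523f6c84c7309d7d755c33c57073597ae330e49c273.exe"
HKCU = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion"
AU = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"


def ev(pid, image, target, details):
    return {"EventID": 13, "ProcessId": pid, "Image": image,
            "TargetObject": target, "Details": details}


# Constructed events modelled on the 'Modification events' table, plus two
# benign controls (an installer registering an app in AppData, a policy reset).
SAMPLE_EVENTS = [
    ev(6468, DROPPER, HKCU + r"\Explorer\SlowContextMenuEntries", "Binary Data"),
    ev(6468, DROPPER, HKCU + r"\Run\jktef", r"C:\Users\admin\jktef.exe /c"),
    ev(6468, DROPPER, AU + r"\NoAutoUpdate", "DWORD (0x00000001)"),
    ev(3824, r"C:\Users\admin\jktef.exe", HKCU + r"\Run\wuiuxuh", r"C:\Users\admin\wuiuxuh.exe /I"),
    ev(4242, r"C:\Users\admin\Downloads\installer.exe", HKCU + r"\Run\ExampleApp",
       r'"C:\Users\admin\AppData\Local\Programs\ExampleApp\app.exe" /background'),
    ev(4243, r"C:\Windows\System32\gpupdate.exe", AU + r"\NoAutoUpdate", "DWORD (0x00000000)"),
]


@dataclass
class Alert:
    technique: str
    pid: int
    target: str
    detail: str


def dword_value(details):
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; return the int, or None."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    return int(m.group(1), 16) if m else None


def check_event(e):
    """Return an Alert for a matching SetValue event, else None."""
    if e.get("EventID") != 13:
        return None
    target, details = e["TargetObject"], e.get("Details", "")
    run = RUN_KEY_RE.search(target)
    if run:
        exe = PROFILE_ROOT_EXE_RE.match(details)
        if not exe:
            return None  # autostart of something installed below a subfolder
        detail = f"Run value '{run['value']}' -> {exe['path']}"
        if VOBFUS_NAME_RE.match(exe["name"]) and VOBFUS_ARGS_RE.match(exe["args"] or ""):
            detail += " (random short name + single-letter switch, Vobfus-style)"
        return Alert("T1547.001", e["ProcessId"], target, detail)
    if NO_AUTO_UPDATE_RE.search(target) and dword_value(details) == 1:
        return Alert("T1562.001", e["ProcessId"], target,
                     "Windows automatic updates disabled via policy key")
    return None


def scan(events):
    return [a for a in map(check_event, events) if a is not None]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.technique} pid={a.pid} {a.detail}")
```

Run against the six constructed events, the scan fires three times (two Run-key writes and the NoAutoUpdate=1 write by PID 6468) and stays silent on the Explorer write and both controls; the same two regexes apply unchanged to HKU\<SID>\... paths, which is how Sysmon itself renders per-user hives.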
Executable files
44
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID, Process -> Filename (Type)

PID 7128, wooohe.exe -> C:\Users\admin\guqup.exe (executable)
MD5: 2C55A02E3AF77910788EB64C66A5EACE
SHA256: BE3C86C0A9F7F1CA8B1785A5BEA43591A98D947D9798E6DA35BEB492C4AEBC36

PID 2272, miaudo.exe -> C:\Users\admin\fetat.exe (executable)
MD5: EBD197CCC8FF06E5EE01E8A14F9969B5
SHA256: F8ACFACE984F4A7862501AAB965632A29432A5F899D5EE881E88F9CDB410FD16

PID 2428, meeazad.exe -> C:\Users\admin\baueh.exe (executable)
MD5: 1F1C6F3717E57CE8327EA5208E082A3D
SHA256: 74EBAC664A0FE93B1F94EE7C0ECBD3186347F7EB450B1807FCC7531DD902C3C3

PID 3964, toogel.exe -> C:\Users\admin\wooohe.exe (executable)
MD5: B117BF949D2FF7B83175CA2FC33C355B
SHA256: 8D9DB7D5AC93A0A5603AFD53D953EC6069C443C718A548EED9C2AD360A44D863

PID 6804, maaiya.exe -> C:\Users\admin\xuauyic.exe (executable)
MD5: 219D50A173C1786BCCA881F573894B18
SHA256: 6EDA493AEF4E50A506FC9F1D7F2CCDF97DAB7E76AE44928C235046DD499ADC56

PID 1084, guqup.exe -> C:\Users\admin\meeazad.exe (executable)
MD5: 83E96CD293B24017BF3DC2F240C02885
SHA256: 238ADD90A16233DFEAE73A75837435DFFC44E91B458EBDBF1EE64898684D6CB6

PID 6596, neecek.exe -> C:\Users\admin\hiehe.exe (executable)
MD5: 84D2AF1E6A26D1317039D1D7E6ED5917
SHA256: D09E0686F38F0D654607FFA633B7F3253AB877A3BF5B17AD24A9AD198ED72E73

PID 4868, baueh.exe -> C:\Users\admin\miaudo.exe (executable)
MD5: 6919E2C2F728A3C7F637C7DBD98D5767
SHA256: B3F2935116D7386E6FF9216A246337D7B67D1E5CFFFB67AC968119EE88863A07

PID 7052, xiedal.exe -> C:\Users\admin\rpkoug.exe (executable)
MD5: 1B37127EC35B86D05CAE31796089E42A
SHA256: 7DBB1E2906A1825356896CD31C7096173B57C16D013BD665F98DB0FC4857F2BD

PID 6276, hiehe.exe -> C:\Users\admin\maaiya.exe (executable)
MD5: 293FD6EEC382DA93D910516D382AF7BC
SHA256: DF4FC5A0B1F90C3542AA1106A59553C3C488B45162F13E53AAAFE8A0DBDB0C4F
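Each row of the dropped-files table is a dropper -> dropped-file edge, and each Run-key write in the modification-events table is a writer -> next-stage edge, so the two tables together describe the generation chain of this run. The script below is an added example written for this page (not the report's or ANY.RUN's code) that rebuilds that chain and lists the SHA256 IOCs. The ten dropped-file rows are embedded exactly as the raw export prints them (PID, process, path and type fused into one token) and the four Run-key writes are transcribed as tuples; the row regex, the chain walk and the root detection are the example's own assumptions.

```python
"""Rebuild the stage chain of this Vobfus run from the 'Dropped files' rows
(dropper -> dropped .exe) and the Run-key writes in 'Modification events'
(writer -> next stage). Rows are copied from the report in raw export form;
the parsing and chain walk are this example's own."""
import re
from collections import defaultdict

DROPPED_FILES_RAW = r"""7128wooohe.exeC:\Users\admin\guqup.exeexecutable
MD5:2C55A02E3AF77910788EB64C66A5EACE
SHA256:BE3C86C0A9F7F1CA8B1785A5BEA43591A98D947D9798E6DA35BEB492C4AEBC36
2272miaudo.exeC:\Users\admin\fetat.exeexecutable
MD5:EBD197CCC8FF06E5EE01E8A14F9969B5
SHA256:F8ACFACE984F4A7862501AAB965632A29432A5F899D5EE881E88F9CDB410FD16
2428meeazad.exeC:\Users\admin\baueh.exeexecutable
MD5:1F1C6F3717E57CE8327EA5208E082A3D
SHA256:74EBAC664A0FE93B1F94EE7C0ECBD3186347F7EB450B1807FCC7531DD902C3C3
3964toogel.exeC:\Users\admin\wooohe.exeexecutable
MD5:B117BF949D2FF7B83175CA2FC33C355B
SHA256:8D9DB7D5AC93A0A5603AFD53D953EC6069C443C718A548EED9C2AD360A44D863
6804maaiya.exeC:\Users\admin\xuauyic.exeexecutable
MD5:219D50A173C1786BCCA881F573894B18
SHA256:6EDA493AEF4E50A506FC9F1D7F2CCDF97DAB7E76AE44928C235046DD499ADC56
1084guqup.exeC:\Users\admin\meeazad.exeexecutable
MD5:83E96CD293B24017BF3DC2F240C02885
SHA256:238ADD90A16233DFEAE73A75837435DFFC44E91B458EBDBF1EE64898684D6CB6
6596neecek.exeC:\Users\admin\hiehe.exeexecutable
MD5:84D2AF1E6A26D1317039D1D7E6ED5917
SHA256:D09E0686F38F0D654607FFA633B7F3253AB877A3BF5B17AD24A9AD198ED72E73
4868baueh.exeC:\Users\admin\miaudo.exeexecutable
MD5:6919E2C2F728A3C7F637C7DBD98D5767
SHA256:B3F2935116D7386E6FF9216A246337D7B67D1E5CFFFB67AC968119EE88863A07
7052xiedal.exeC:\Users\admin\rpkoug.exeexecutable
MD5:1B37127EC35B86D05CAE31796089E42A
SHA256:7DBB1E2906A1825356896CD31C7096173B57C16D013BD665F98DB0FC4857F2BD
6276hiehe.exeC:\Users\admin\maaiya.exeexecutable
MD5:293FD6EEC382DA93D910516D382AF7BC
SHA256:DF4FC5A0B1F90C3542AA1106A59553C3C488B45162F13E53AAAFE8A0DBDB0C4F"""

SAMPLE = "b90c8c645e7f9449e5d51523f6c84c7309d7d755c33c57073597ae330e49c273.exe"
# (writer PID, writer image, Run value data), transcribed from 'Modification events'
RUN_KEY_WRITES = [
    (6468, SAMPLE, r"C:\Users\admin\jktef.exe /c"),
    (3824, "jktef.exe", r"C:\Users\admin\wuiuxuh.exe /I"),
    (7080, "wuiuxuh.exe", r"C:\Users\admin\yeopa.exe /f"),
    (7124, "yeopa.exe", r"C:\Users\admin\toogel.exe /a"),
]

# PID, dropping process, target path and type are fused into one token in the export
ROW_RE = re.compile(r"^(?P<pid>\d+)(?P<proc>\S+?\.exe)(?P<path>[A-Za-z]:\\.+?\.exe)(?P<type>\w+)$")


def parse_dropped(raw):
    """Split fused rows back into fields; MD5/SHA256 lines attach to the row above."""
    rows, cur = [], None
    for line in raw.splitlines():
        m = ROW_RE.match(line)
        if m:
            cur = {"pid": int(m["pid"]), "dropper": m["proc"], "path": m["path"],
                   "type": m["type"], "md5": None, "sha256": None}
            rows.append(cur)
        elif cur is not None and line.startswith("MD5:"):
            cur["md5"] = line[len("MD5:"):]
        elif cur is not None and line.startswith("SHA256:"):
            cur["sha256"] = line[len("SHA256:"):]
    return rows


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_edges(rows, run_writes):
    """parent image -> list of child images, merged from both evidence sources."""
    edges = defaultdict(list)
    for r in rows:
        child = basename(r["path"])
        if child not in edges[r["dropper"]]:
            edges[r["dropper"]].append(child)
    for _pid, writer, data in run_writes:
        child = basename(data.split()[0])  # drop the '/x' switch
        if child not in edges[writer]:
            edges[writer].append(child)
    return edges


def chains(edges):
    """All root-to-leaf paths; a root is a parent that nothing drops or registers."""
    children = {c for kids in edges.values() for c in kids}
    roots = sorted(p for p in edges if p not in children)
    paths = []

    def walk(node, path):
        kids = edges.get(node, [])
        if not kids or node in path[:-1]:  # leaf, or cycle guard
            paths.append(path)
            return
        for k in kids:
            walk(k, path + [k])

    for r in roots:
        walk(r, [r])
    return paths


def sha256_iocs(rows):
    return sorted({r["sha256"] for r in rows if r["sha256"]})


if __name__ == "__main__":
    rows = parse_dropped(DROPPED_FILES_RAW)
    for chain in chains(build_edges(rows, RUN_KEY_WRITES)):
        print(" -> ".join(chain))
    print(len(sha256_iocs(rows)), "SHA256 IOCs")
```

On this data the walk yields one eleven-stage chain from the submitted sample through jktef, wuiuxuh, yeopa and toogel into the dropped-file rows, and two shorter chains rooted at neecek.exe and xiedal.exe; those two are roots only because the summary exports ten of the forty-four dropped executables, so their own droppers are not in the table and the full report would close the gap.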
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
27
DNS requests
50
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty for every row in this export)
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6944 | svchost.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2464 | RUXIMICS.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6944 | svchost.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2464 | RUXIMICS.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2464 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 104.126.37.128:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6944 | svchost.exe | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2464 | RUXIMICS.exe | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 23.218.209.163:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
www.bing.com
  • 104.126.37.128
  • 104.126.37.163
  • 104.126.37.153
  • 104.126.37.160
  • 104.126.37.170
  • 104.126.37.131
  • 104.126.37.139
  • 104.126.37.186
  • 104.126.37.130
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
whitelisted
www.microsoft.com
  • 23.218.209.163
whitelisted
ns1.spansearcher.net
unknown
ns1.spinsearcher.org
unknown
ns1.player1352.net
  • 104.155.138.21
  • 107.178.223.183
unknown
self.events.data.microsoft.com
  • 13.89.179.11
whitelisted

Threats

No threats detected
No debug info