File name: | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe |
Full analysis: | https://app.any.run/tasks/ef3c8fe8-307c-46b6-adad-5dae56fa4179 |
Verdict: | Malicious activity |
Analysis date: | January 10, 2025, 19:01:09 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections |
MD5: | 5159F505D351AAD992BB5A9228BB1474 |
SHA1: | A4DC91FF6BC6556B9BEEFC9DF02074E6964548AA |
SHA256: | BEF09720420C26367F856266CF1803B7F235DB46DA3545EB7A7878E39570BFB2 |
SSDEEP: | 6144:cdSvVVVVVVVVrfuj5q4uFTDhfqfWJUNo5kUe7xo6oD:XvVVVVVVVVrfuj5q4uFTDhSfWJUNo5ke |
.exe | | | Win32 Executable MS Visual C++ (generic) (30.9) |
---|---|---|
.exe | | | Win64 Executable (generic) (27.3) |
.exe | | | UPX compressed Win32 Executable (26.8) |
.dll | | | Win32 Dynamic Link Library (generic) (6.5) |
.exe | | | Win32 Executable (generic) (4.4) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x2130 |
UninitializedDataSize: | 24576 |
InitializedDataSize: | 4096 |
CodeSize: | 8192 |
LinkerVersion: | 6 |
PEType: | PE32 |
ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit, No debug |
TimeStamp: | 2011:03:15 04:06:07+00:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
6268 | "C:\Users\admin\Desktop\bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe" | C:\Users\admin\Desktop\bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | — | ||
MD5:— | SHA256:— | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable | |
MD5:3998CFE05C542B6AF248EB5657D9AF5A | SHA256:2BABF93127B59D3A3DBAECB3E6FB811B973BBE113F3209C1E67B5CCFE82DD1CD | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | |
MD5:1C5CCDA8BE65EE79D31FAEACEA188E68 | SHA256:B72DA35240DDF457A3D88254A70E8397F865B95E00663EFCDD1C3B1DCF52A7A2 | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | |
MD5:7C451527C38639A9A9402F0649A28BA4 | SHA256:A642C1BECAE7AE1CD33427DE47EF80EEDF6EBF1B985B5C7D61E560A4B1D52734 | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | |
MD5:0436A84C8776892A9EFB198B03B803E2 | SHA256:23F94973C824D7C4ACCCD14C18EB8131977B3D6585E0F7B41BB21C350563CCD9 | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable | |
MD5:EC23035034E25BA1D8665E03F5D53C17 | SHA256:7A3E1FCBB4733652F9640C2C84F06B757E7BF56C69B64730D26AD1AFEFFE60DE | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable | |
MD5:B109EE2AC32EF0BA7CA92140DD4B1874 | SHA256:B21CCEE087FF6505CFB0621C7C647B76C1A7989061A7A8D0DC0FE2D9DC45837D | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | |
MD5:DD3FB2C82DF4347178575789A97433BD | SHA256:A7FFA6280813619829B23C9DBBEAB24CE364CED16C14193012C03F086D7E929C | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable | |
MD5:76C33510668E48C7E1CC401BD622BFB0 | SHA256:45D53649DA915C2576308F1B2CC2CC21AFE0C4053D6D05C51D86A39266734E9F | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable | |
MD5:9E6F0478A0225F6EF0A8653539FCC83D | SHA256:D0CC43143B7FC1859AE6EFD4247AB140DB0D9ABED464F300A8FD4E9B74BA3F65 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.177:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
4 | System | 192.168.100.255:137 | — | — | — | unknown |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
4712 | MoUsoCoreWorker.exe | 23.48.23.177:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3976 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| unknown |
google.com |
| unknown |
crl.microsoft.com |
| unknown |
www.microsoft.com |
| unknown |
self.events.data.microsoft.com |
| unknown |