File name: | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe |
Full analysis: | https://app.any.run/tasks/ef3c8fe8-307c-46b6-adad-5dae56fa4179 |
Verdict: | Malicious activity |
Analysis date: | January 10, 2025, 19:01:09 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections |
MD5: | 5159F505D351AAD992BB5A9228BB1474 |
SHA1: | A4DC91FF6BC6556B9BEEFC9DF02074E6964548AA |
SHA256: | BEF09720420C26367F856266CF1803B7F235DB46DA3545EB7A7878E39570BFB2 |
SSDEEP: | 6144:cdSvVVVVVVVVrfuj5q4uFTDhfqfWJUNo5kUe7xo6oD:XvVVVVVVVVrfuj5q4uFTDhSfWJUNo5ke |
.exe | | | Win32 Executable MS Visual C++ (generic) (30.9) |
---|---|---|
.exe | | | Win64 Executable (generic) (27.3) |
.exe | | | UPX compressed Win32 Executable (26.8) |
.dll | | | Win32 Dynamic Link Library (generic) (6.5) |
.exe | | | Win32 Executable (generic) (4.4) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2011:03:15 04:06:07+00:00 |
ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit, No debug |
PEType: | PE32 |
LinkerVersion: | 6 |
CodeSize: | 8192 |
InitializedDataSize: | 4096 |
UninitializedDataSize: | 24576 |
EntryPoint: | 0x2130 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
6268 | "C:\Users\admin\Desktop\bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe" | C:\Users\admin\Desktop\bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | — | ||
MD5:— | SHA256:— | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable | |
MD5:EC23035034E25BA1D8665E03F5D53C17 | SHA256:7A3E1FCBB4733652F9640C2C84F06B757E7BF56C69B64730D26AD1AFEFFE60DE | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | |
MD5:7BC7B9C496C6AB4F33E78CB890768E17 | SHA256:E9C1D4DF9A258C6927DBF4C162CDA0A4C29FBBD45AC638AC7432585349B31944 | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | |
MD5:0436A84C8776892A9EFB198B03B803E2 | SHA256:23F94973C824D7C4ACCCD14C18EB8131977B3D6585E0F7B41BB21C350563CCD9 | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable | |
MD5:16D6D65B0C940F748D2083E28D087945 | SHA256:43B80654B8AF923080D8AED80CD3FB58D9E1ADB9158972553573F4E3C39822F7 | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable | |
MD5:76C33510668E48C7E1CC401BD622BFB0 | SHA256:45D53649DA915C2576308F1B2CC2CC21AFE0C4053D6D05C51D86A39266734E9F | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable | |
MD5:FDF1788AAD8B2FE0CA0097D4B852B974 | SHA256:4EFCD1C7CB01C04DDD828F30207AD22BF75AAB155B5997F97E27E1B81B5B3DD7 | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | |
MD5:7C451527C38639A9A9402F0649A28BA4 | SHA256:A642C1BECAE7AE1CD33427DE47EF80EEDF6EBF1B985B5C7D61E560A4B1D52734 | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp | executable | |
MD5:930208C890460E62F3F38890CB312506 | SHA256:94CAAE5DA94FF7779880C274EDEA38FB8875B2E7CEF171352758FE08D6726B4C | |||
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable | |
MD5:B109EE2AC32EF0BA7CA92140DD4B1874 | SHA256:B21CCEE087FF6505CFB0621C7C647B76C1A7989061A7A8D0DC0FE2D9DC45837D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.177:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
4 | System | 192.168.100.255:137 | — | — | — | unknown |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
4712 | MoUsoCoreWorker.exe | 23.48.23.177:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3976 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| unknown |
google.com |
| unknown |
crl.microsoft.com |
| unknown |
www.microsoft.com |
| unknown |
self.events.data.microsoft.com |
| unknown |