File name:

c0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exe

Full analysis: https://app.any.run/tasks/80a68010-b522-4403-bed0-49544b45fc6d
Verdict: Malicious activity
Analysis date: May 15, 2025, 16:29:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

4AEFAB006F68A35B0E15B043C0234BA1

SHA1:

22D87556FCAE0D955DD8DD782FC75998F10A3D3C

SHA256:

C0DF68ACF71411C87EB7D343EA88D128F2986497676A21CF0AD200E2CB393818

SSDEEP:

24576:DbHlGAauWQkC2R/QORBt7QjFtmcaTH/vU4do9Pcjq1GvXB1sgPR8N32+Rr181vWh:PHlGAXWQkC2R/QORBt7QjFtmcaTH/vUX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • GENERIC has been found (auto)

      • c0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exe (PID: 7704)

  • SUSPICIOUS

    • Executes application which crashes

      • c0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exe (PID: 7704)

  • INFO

    • Reads mouse settings

      • c0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exe (PID: 7704)

    • The sample compiled with english language support

      • c0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exe (PID: 7704)

    • Checks supported languages

      • c0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exe (PID: 7704)

    • Create files in a temporary directory

      • c0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exe (PID: 7704)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 7844)

    • Reads the software policy settings

      • slui.exe (PID: 7364)

    • Checks proxy server information

      • slui.exe (PID: 7364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:14 17:41:52+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 581120
InitializedDataSize: 312832
UninitializedDataSize: -
EntryPoint: 0x27dcd
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start c0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exe werfault.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7364C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7704"C:\Users\admin\Desktop\c0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exe" C:\Users\admin\Desktop\c0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\c0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
7844C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7704 -s 652C:\Windows\SysWOW64\WerFault.exec0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
5 016
Read events
5 016
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
6
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
7844WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_c0df68acf71411c8_2f63691962a15d391a6c086d57738575e29afe_d8a8b02a_22501bc0-4d55-47ca-9fd9-d423a8ea8cb4\Report.wer
MD5:
SHA256:
7704c0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exeC:\Users\admin\AppData\Local\Temp\bohmitetext
MD5:662C88537ECB8DC3EA28030239C91F5F
SHA256:C30CB6520AB84D623B8E23FF217C989C8B63DFEAEE0457A0DEBE887516F84548
7844WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER4B2.tmp.xmlxml
MD5:A229D6DA6BF4028E0BEBAF928C6D0C36
SHA256:7D4A6C4F427E62EBD8AA8E1AB7780E56519C976C823627324569F03339C7FD23
7704c0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exeC:\Users\admin\AppData\Local\Temp\autFAFC.tmpbinary
MD5:06AB1860DC6ED52B2D9A794DD46A0B5E
SHA256:04ADA9318DF64D0B450D1F93A98EE4AA50C02C79C6BD2E5D075AAD169D6B510F
7704c0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exeC:\Users\admin\AppData\Local\Temp\autFB0C.tmpbinary
MD5:C76E7B009A27E72D947A8905850BBAD0
SHA256:67A5318F88D7AF845916D6B78EE13FB3507D23271BF041B97D36426B50D20637
7844WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER28D.tmp.dmpbinary
MD5:98A72D8A2D9681EC70F77B9535E6406F
SHA256:709368785092B2220850F754ECB498516284C8C2087A8FCE2970B09016F48DCD
7844WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER473.tmp.WERInternalMetadata.xmlbinary
MD5:A69DE8F10BAEBF8494DDB17E4A185A3B
SHA256:10C8D406DC63AB85B610D7BB293AD2341B36CBC88BCC1026B7DFBAA7FCDC48CA
7704c0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exeC:\Users\admin\AppData\Local\Temp\inhumationbinary
MD5:06AB1860DC6ED52B2D9A794DD46A0B5E
SHA256:04ADA9318DF64D0B450D1F93A98EE4AA50C02C79C6BD2E5D075AAD169D6B510F
7844WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\c0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exe.7704.dmpbinary
MD5:B00FAAE0692A799BDF4A2CA529C75B86
SHA256:7BDBFE79BD42D377B971BACA8B55B8C809E324A84865D0B3D3F320476BA6A0FF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
56
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
8156
SIHClient.exe
GET
200
23.48.23.157:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
8156
SIHClient.exe
GET
200
23.48.23.157:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
8156
SIHClient.exe
GET
200
23.48.23.157:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
8156
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8156
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
8156
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
8156
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
20.190.159.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
20.190.159.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2112
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
8156
SIHClient.exe
20.12.23.50:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.128
  • 20.190.159.64
  • 20.190.159.2
  • 20.190.159.131
  • 20.190.159.130
  • 20.190.159.71
  • 40.126.31.1
  • 20.190.159.23
whitelisted
google.com
  • 142.250.185.206
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
crl.microsoft.com
  • 23.48.23.157
  • 23.48.23.171
  • 23.48.23.158
  • 23.48.23.164
  • 23.48.23.166
  • 23.48.23.160
  • 23.48.23.159
  • 23.48.23.163
  • 23.48.23.169
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.29
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
c0df68acf71411c87eb7d343ea88d128f2986497676a21cf0ad200e2cb393818.exe