File name:

NewApp.exe

Full analysis: https://app.any.run/tasks/4989c575-3b22-48a5-996e-fd67cd4079fa
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: December 30, 2024, 21:38:25
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
miner
pastebin
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 11 sections
MD5:

5D1255087C4512F2121410A008218430

SHA1:

AE51B87CABDF99D54A4EF1A1A565A111F4F1A942

SHA256:

C9D6EBDFF127C1486E402B5F4FBCDC5FAC953CDD390890A5066464261B1EEF34

SSDEEP:

98304:Vhjn7gnAVvv9vyYM1nFh6brtc/gpE/gz8P8NrX3QJujOTGSOHXTQcPXNPdSlMAVB:uwehcy5MrM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Starts process via Powershell

      • powershell.exe (PID: 6464)

    • Starts POWERSHELL.EXE for commands execution

      • NewApp.exe (PID: 6296)

  • INFO

    • The process uses the downloaded file

      • powershell.exe (PID: 6464)

    • Checks supported languages

      • NewApp.exe (PID: 6296)
      • NewApp.exe (PID: 6912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:12:13 22:56:34+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 74752
InitializedDataSize: 5404160
UninitializedDataSize: -
EntryPoint: 0x685007
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
4
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start newapp.exe no specs powershell.exe no specs conhost.exe no specs newapp.exe

Process information

PID
CMD
Path
Indicators
Parent process
6296"C:\Users\admin\Desktop\NewApp.exe" C:\Users\admin\Desktop\NewApp.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\newapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
6464C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\admin\Desktop\NewApp.exe" -Verb runAsC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNewApp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6476\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6912"C:\Users\admin\Desktop\NewApp.exe" C:\Users\admin\Desktop\NewApp.exe
powershell.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\newapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
Total events
3 892
Read events
3 892
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
6464powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wff4hlpi.5d3.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6464powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0zh3nlqw.re5.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6464powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:374F4FCE8F9DED037D6D9B364BAA4202
SHA256:3000BE9A4F980DE17B68EA001CA021B6DA0CC7053CBE23B4B42E56C91BD4AA65
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
35
DNS requests
21
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
US
binary
313 b
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
binary
471 b
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
US
binary
471 b
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
DE
binary
408 b
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
DE
binary
418 b
whitelisted
GET
200
23.48.23.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.177:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
104.126.37.144:443
www.bing.com
Akamai International B.V.
DE
whitelisted
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1076
svchost.exe
23.218.210.69:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.177
  • 23.48.23.156
  • 23.48.23.143
  • 23.48.23.147
  • 23.48.23.145
  • 23.48.23.194
  • 23.48.23.176
  • 23.48.23.180
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
whitelisted
google.com
  • 142.250.184.238
whitelisted
www.bing.com
  • 104.126.37.144
  • 104.126.37.130
  • 104.126.37.177
  • 104.126.37.136
  • 104.126.37.123
  • 104.126.37.129
  • 104.126.37.186
  • 104.126.37.131
  • 104.126.37.179
whitelisted
login.live.com
  • 40.126.31.69
  • 40.126.31.73
  • 20.190.159.73
  • 20.190.159.75
  • 20.190.159.64
  • 20.190.159.71
  • 40.126.31.71
  • 20.190.159.4
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
xmr-eu1.nanopool.org
  • 51.89.23.91
  • 146.59.154.106
  • 51.15.58.224
  • 141.94.23.83
  • 51.15.193.130
  • 212.47.253.124
  • 163.172.154.142
  • 51.15.65.182
  • 162.19.224.121
  • 54.37.232.103
  • 54.37.137.114
whitelisted
pastebin.com
  • 104.20.4.235
  • 104.20.3.235
  • 172.67.19.24
shared

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
Not Suspicious Traffic
INFO [ANY.RUN] Online Pastebin Text Storage
Potential Corporate Privacy Violation
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
NewApp.exe