File name: MEDefaultPCReset.exe
Full analysis: https://app.any.run/tasks/18d918d9-de79-44cb-b7d4-0133da17baaf
Verdict: Malicious activity
Analysis date: July 01, 2024, 14:15:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 721E8F6718E324813D7FCE4B134FCD5F
SHA1: 3D753621AD75412D1DB4C8630B1E11165A6B871E
SHA256: D7CB7937EC870BEAFE6580C841B137FE2A7584E0CB3076E0FD1E8621DFC7FDE7
SSDEEP: 24576:ALnTKqndIHpAqmqoDJnuM8rsDgY8x28OvQR15J4UFnozq7QTv58G:ALnemIHpAqm11nuM8rs0Y8x28OvQRJ4V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
Signatures

  • MALICIOUS
    • Antivirus name has been found in the command line (generic signature)
      • MEDefaultPCReset.exe (PID: 3380)
      • MEDefaultPCReset.exe (PID: 3280)
    • Drops the executable file immediately after the start
      • MEDefaultPCReset.exe (PID: 3380)
    • Actions looks like stealing of personal data
      • MEDefaultPCReset.exe (PID: 3280)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • MEDefaultPCReset.exe (PID: 3380)
    • Executable content was dropped or overwritten
      • MEDefaultPCReset.exe (PID: 3380)
    • Starts a Microsoft application from unusual location
      • MEDefaultPCReset.exe (PID: 3380)
    • Reads the Internet Settings
      • MEDefaultPCReset.exe (PID: 3280)
    • Reads settings of System Certificates
      • MEDefaultPCReset.exe (PID: 3280)
  • INFO
    • Checks supported languages
      • MEDefaultPCReset.exe (PID: 3380)
      • MEDefaultPCReset.exe (PID: 3280)
    • Create files in a temporary directory
      • MEDefaultPCReset.exe (PID: 3380)
    • Reads the computer name
      • MEDefaultPCReset.exe (PID: 3280)
    • Reads Environment values
      • MEDefaultPCReset.exe (PID: 3280)
    • Reads the machine GUID from the registry
      • MEDefaultPCReset.exe (PID: 3280)
    • Disables trace logs
      • MEDefaultPCReset.exe (PID: 3280)
    • Reads the software policy settings
      • MEDefaultPCReset.exe (PID: 3280)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2068:06:21 06:07:02+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.15
CodeSize: 25600
InitializedDataSize: 624640
UninitializedDataSize: -
EntryPoint: 0x6a00
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: MEDefaultPCReset
FileVersion: 1.0.0.0
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE .MUI
ProductName: MEDefaultPCReset
ProductVersion: 1.0.0.0
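Two things in the EXIF block deserve a manual check rather than trust in the parser. The build TimeStamp lies in 2068, after the analysis date, so it was either wiped or replaced (a reproducible-build content hash looks the same) and cannot be used to date the binary. The version resource claims Microsoft Corporation with InternalName Wextract and OriginalFileName WEXTRACT.EXE .MUI while the product and file names are MEDefaultPCReset; that is the version resource an IExpress self-extracting package inherits from the wextract.exe stub, and it matches the IXP000.TMP extraction directory seen later in the report. The Python below is an added example and not part of the ANY.RUN report: it recomputes the three hashes and reads the same header fields straight from the COFF and optional headers, flagging a timestamp that is zero or later than the analysis date. The `build_constructed_pe()` helper fabricates a minimal, section-less header with the report's values so the script runs offline; its hashes are not the sample's. Pass a real file path to triage that file instead.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Values copied from this report so the triage output can be checked against it.
REPORTED_HASHES = {
    "md5": "721e8f6718e324813d7fce4b134fcd5f",
    "sha1": "3d753621ad75412d1db4c8630b1e11165a6b871e",
    "sha256": "d7cb7937ec870beafe6580c841b137fe2a7584e0cb3076e0fd1e8621dfc7fde7",
}
ANALYSIS_TIME = datetime(2024, 7, 1, 14, 15, 28, tzinfo=timezone.utc)
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}
IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DLL = 0x0002, 0x0100, 0x2000


def hashes(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def pe_header_fields(data: bytes) -> dict:
    """Read the COFF and optional-header fields that the EXIF block of the report lists."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsect, timestamp, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lnk_major, lnk_minor, code, init, uninit, entry = struct.unpack_from("<HBBIIII", data, opt)
    # From offset 40 onward PE32 and PE32+ optional headers share one layout, so these offsets hold for both.
    os_maj, os_min, img_maj, img_min, sub_maj, sub_min = struct.unpack_from("<6H", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": hex(machine),
        "timestamp": timestamp,
        "is_executable": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_32bit": bool(chars & IMAGE_FILE_32BIT_MACHINE),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "pe_type": "PE32" if magic == 0x10B else "PE32+" if magic == 0x20B else hex(magic),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "code_size": code,
        "initialized_data_size": init,
        "uninitialized_data_size": uninit,
        "entry_point": entry,
        "os_version": f"{os_maj}.{os_min}",
        "image_version": f"{img_maj}.{img_min}",
        "subsystem_version": f"{sub_maj}.{sub_min}",
        "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
    }


def triage(data: bytes, analysis_time: datetime = ANALYSIS_TIME) -> dict:
    """Hashes plus header fields, with a plausibility verdict on the build timestamp."""
    result = {**hashes(data), **pe_header_fields(data)}
    built = datetime.fromtimestamp(result["timestamp"], tz=timezone.utc)
    result["timestamp_utc"] = built.strftime("%Y-%m-%d %H:%M:%S")
    # A build time of zero or later than the sandbox run cannot be genuine. It may have been wiped or
    # replaced by a content hash (MSVC /Brepro does this), so treat it as unusable, not as proof of intent.
    result["timestamp_plausible"] = 0 < result["timestamp"] and built <= analysis_time
    result["hashes_match_report"] = {k: result[k] for k in REPORTED_HASHES} == REPORTED_HASHES
    return result


def build_constructed_pe() -> bytes:
    """Minimal section-less PE32 header carrying the report's EXIF values. Constructed for this
    example; it is NOT the analysed sample, so its hashes will not match REPORTED_HASHES."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0xB9387306, 0, 0, 0xE0,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    opt = bytearray(0xE0)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 14, 15, 25600, 624640, 0, 0x6A00)
    struct.pack_into("<6H", opt, 40, 10, 0, 10, 0, 6, 0)  # OS 10.0, image 10.0, subsystem 6.0
    struct.pack_into("<H", opt, 68, 2)  # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_pe()
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Run it as `python triage.py MEDefaultPCReset.exe` against the real file; with no argument it prints the fields of the constructed header, with `timestamp_plausible: False` for the 2068 value and `hashes_match_report: False` because the constructed bytes are not the sample.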
Total processes: 40
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → medefaultpcreset.exe → medefaultpcreset.exe

Process information

PID 3280
  CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\MEDefaultPCReset.exe
  Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\MEDefaultPCReset.exe
  Parent process: MEDefaultPCReset.exe
  User: admin
  Integrity Level: MEDIUM
  Description: MEDefaultPCReset
  Exit code: 0
  Version: 1.0.0.0
  Modules (images):
    c:\users\admin\appdata\local\temp\ixp000.tmp\medefaultpcreset.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\apppatch\aclayers.dll
    c:\windows\system32\sspicli.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\rpcrt4.dll

PID 3380
  CMD: "C:\Users\admin\Desktop\MEDefaultPCReset.exe"
  Path: C:\Users\admin\Desktop\MEDefaultPCReset.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: MEDefaultPCReset
  Exit code: 0
  Version: 1.0.0.0
  Modules (images):
    c:\users\admin\desktop\medefaultpcreset.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll
Total events: 3 678
Read events: 3 652
Write events: 26
Delete events: 0

Modification events

All ten writes listed here come from PID 3280 (MEDefaultPCReset.exe); the registry activity summary above counts 26 write events, so this list is partial.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEDefaultPCReset_RASAPI32
  write EnableFileTracing = 0
  write EnableConsoleTracing = 0
  write FileTracingMask = (value not shown)
  write ConsoleTracingMask = (value not shown)
  write MaxFileSize = 1048576
  write FileDirectory = %windir%\tracing

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEDefaultPCReset_RASMANCS
  write EnableFileTracing = 0
  write EnableConsoleTracing = 0
  write FileTracingMask = (value not shown)
  write ConsoleTracingMask = (value not shown)

These are the default values the RAS client libraries (RASAPI32, RASMAN) create under Tracing\<process>_RASAPI32 and \<process>_RASMANCS the first time a process initialises them, usually indirectly through WinINet or a .NET network call, and they are what the "Disables trace logs" signature keys on. Nothing here switches off logging that was previously enabled, so that signature is low-fidelity for this sample.
Executable files: 3
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID 3380 MEDefaultPCReset.exe
  C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Newtonsoft.Json.dll (executable)
  MD5: 6815034209687816D8CF401877EC8133
  SHA256: 7F912B28A07C226E0BE3ACFB2F57F050538ABA0100FA1F0BF2C39F1A1F1DA814
PID 3280 MEDefaultPCReset.exe
  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (binary)
  MD5: E52E55C4D109D60FB5546F6E3BB53C32
  SHA256: 453606C79202E67BFBFEAE1502298CD8A5357E27C4E6931BF03F97EE4F952038
PID 3380 MEDefaultPCReset.exe
  C:\Users\admin\AppData\Local\Temp\IXP000.TMP\DefaultPackOffer.dll (executable)
  MD5: 8814D8E2B58A7238D0AC4538D6A062BB
  SHA256: ED992E6D05307971933F7134034EDCCAB5845B682081BEE46AD59B35A5373802
PID 3380 MEDefaultPCReset.exe
  C:\Users\admin\AppData\Local\Temp\IXP000.TMP\MEDefaultPCReset.exe (executable)
  MD5: 3526350C8494AA9095693BBF82DEA05A
  SHA256: 12E74C699BCE84F5CED242E4BC6966A5CCF6E66CB4D00E3887FA0E7BA943565F

The three executables written by PID 3380 into IXP000.TMP are the contents of the self-extracting package: the inner MEDefaultPCReset.exe (a different file from the submitted one, note the different hashes) together with Newtonsoft.Json.dll and DefaultPackOffer.dll, which it loads from that directory. The only file written by the inner process (PID 3280) is the Edge profile's Preferences file, so the child modifies the browser profile rather than merely reading it; the submitted outer file never touches Edge itself. When pivoting on this sample, the inner executable's hashes are the ones to search for.
HTTP(S) requests: 4
TCP/UDP connections: 12
DNS requests: 7
Threats: 0

HTTP requests

(Columns: PID, Process, Method, HTTP code, IP, URL, then CN and Reputation; Type and Size are not shown in this extract.)

1372 svchost.exe GET 304 23.50.131.200:80
  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
  unknown / unknown
1372 svchost.exe GET 200 23.48.23.143:80
  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
  unknown / unknown
1372 svchost.exe GET 200 184.30.21.171:80
  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
  unknown / unknown
1060 svchost.exe GET 304 23.50.131.200:80
  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd
  unknown / unknown

All four HTTP requests are issued by svchost.exe (PIDs 1372 and 1060), not by the sample: they are Windows' own downloads of Microsoft CRLs and the disallowed-certificate CTL, the kind of traffic that certificate chain validation triggers in the background. The sample's own network activity, all from the inner process (PID 3280), is limited to the two TLS connections to go.microsoft.com and bingwallpaper.microsoft.com listed under Connections; what was exchanged over them is not visible without the PCAP.

Connections

PID   Process               IP                     Domain                            ASN                          CN   Reputation
4     System                192.168.100.255:137    -                                 -                            -    whitelisted
4     System                192.168.100.255:138    -                                 -                            -    whitelisted
1372  svchost.exe           4.231.128.59:443       -                                 MICROSOFT-CORP-MSN-AS-BLOCK  IE   whitelisted
3280  MEDefaultPCReset.exe  23.35.238.131:443      go.microsoft.com                  AKAMAI-AS                    DE   unknown
3280  MEDefaultPCReset.exe  52.173.134.115:443     bingwallpaper.microsoft.com       MICROSOFT-CORP-MSN-AS-BLOCK  US   unknown
1060  svchost.exe           224.0.0.252:5355       -                                 -                            -    unknown
1372  svchost.exe           20.73.194.208:443      settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK  NL   whitelisted
1372  svchost.exe           23.50.131.200:80       ctldl.windowsupdate.com           Akamai International B.V.    DE   unknown
1372  svchost.exe           23.48.23.143:80        crl.microsoft.com                 Akamai International B.V.    DE   unknown
1372  svchost.exe           184.30.21.171:80       www.microsoft.com                 AKAMAI-AS                    DE   unknown

DNS requests

Domain                            IP(s)                                                          Reputation
go.microsoft.com                  23.35.238.131                                                  whitelisted
bingwallpaper.microsoft.com       52.173.134.115                                                 whitelisted
settings-win.data.microsoft.com   20.73.194.208                                                  whitelisted
ctldl.windowsupdate.com           23.50.131.200, 23.50.131.216, 23.50.131.196, 23.50.131.213     whitelisted
crl.microsoft.com                 23.48.23.143, 23.48.23.156                                     whitelisted
www.microsoft.com                 184.30.21.171                                                  whitelisted

Threats

No threats detected
No debug info