File name: d9c86e6c00d3f44d5378ca9a2f03389d071343af77a0384ab9c1cf3a39c9040a

Full analysis: https://app.any.run/tasks/7c7f23da-8036-4173-97e8-01b07967e37d
Verdict: Malicious activity
Analysis date: November 11, 2024, 05:31:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: confuser, netreactor
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: BD33CC7CFEBAF5F2CB603B7FAC790634
SHA1: BFFEFCB2973BB70F0DE474521D292C6D1AE6B7BB
SHA256: D9C86E6C00D3F44D5378CA9A2F03389D071343AF77A0384AB9C1CF3A39C9040A
SSDEEP: 49152:+i15kDGEWv7fQX6qkvy+PPHucq9NJBK1DyaiplaGS19LltR6V3Q5QWie15LbyBeP:dzkEv7fQX6qkvrOPzH0eaimhht6Q5QWV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • xW437664.exe (PID: 6720)
      • be231436.exe (PID: 6548)
    • Process drops legitimate windows executable

      • d9c86e6c00d3f44d5378ca9a2f03389d071343af77a0384ab9c1cf3a39c9040a.exe (PID: 6572)
      • xW437664.exe (PID: 6720)
    • Executable content was dropped or overwritten

      • d9c86e6c00d3f44d5378ca9a2f03389d071343af77a0384ab9c1cf3a39c9040a.exe (PID: 6572)
      • xW437664.exe (PID: 6720)
      • be231436.exe (PID: 6548)
    • Executes application which crashes

      • 150960642.exe (PID: 6712)
    • Connects to unusual port

      • 211336502.exe (PID: 6612)
  • INFO

    • Create files in a temporary directory

      • d9c86e6c00d3f44d5378ca9a2f03389d071343af77a0384ab9c1cf3a39c9040a.exe (PID: 6572)
      • be231436.exe (PID: 6548)
      • xW437664.exe (PID: 6720)
    • Checks supported languages

      • d9c86e6c00d3f44d5378ca9a2f03389d071343af77a0384ab9c1cf3a39c9040a.exe (PID: 6572)
      • xW437664.exe (PID: 6720)
      • be231436.exe (PID: 6548)
      • 150960642.exe (PID: 6712)
      • 211336502.exe (PID: 6612)
    • Reads the computer name

      • 150960642.exe (PID: 6712)
      • 211336502.exe (PID: 6612)
    • Reads the machine GUID from the registry

      • 150960642.exe (PID: 6712)
      • 211336502.exe (PID: 6612)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 824)
    • Checks proxy server information

      • WerFault.exe (PID: 824)
    • Reads the software policy settings

      • WerFault.exe (PID: 824)
    • Confuser has been detected (YARA)

      • 211336502.exe (PID: 6612)
    • .NET Reactor protector has been detected

      • 211336502.exe (PID: 6612)
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:03:30 22:58:44+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 155648
InitializedDataSize: 4966400
UninitializedDataSize: -
EntryPoint: 0xa663
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.0
ProductVersionNumber: 14.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Unknown (0498)
CharacterSet: Unknown (05B1)
CompanyName: TakeoffDonaldDuck
FileDescriptions: NiceIncorporated
FileVersion: 78.56.71.37
InternalName: NeutralBuffer.exe
LegalTrademark1: ElonDoesntGetIt
OriginalFileName: HerbalEssentials.exe
ProductName: MiddlwestIncProductOfFabuluous
Total processes: 132
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 3

Behavior graph

Process nodes: start, d9c86e6c00d3f44d5378ca9a2f03389d071343af77a0384ab9c1cf3a39c9040a.exe, xw437664.exe, be231436.exe, 150960642.exe, werfault.exe, 211336502.exe (THREAT)

Process information

PID 824: WerFault.exe
  CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6712 -s 1244
  Path: C:\Windows\SysWOW64\WerFault.exe
  Parent process: 150960642.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Problem Reporting
  Exit code: 0
  Version: 10.0.19041.3996 (WinBuild.160101.0800)
  Modules (Images):
    • c:\windows\syswow64\werfault.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\syswow64\ntdll.dll
    • c:\windows\system32\wow64.dll
    • c:\windows\system32\wow64win.dll
    • c:\windows\system32\wow64cpu.dll
    • c:\windows\syswow64\kernel32.dll
    • c:\windows\syswow64\kernelbase.dll
    • c:\windows\syswow64\msvcrt.dll
    • c:\windows\syswow64\combase.dll

PID 6548: be231436.exe
  CMD: C:\Users\admin\AppData\Local\Temp\IXP001.TMP\be231436.exe
  Path: C:\Users\admin\AppData\Local\Temp\IXP001.TMP\be231436.exe
  Parent process: xW437664.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Win32 Cabinet Self-Extractor
  Version: 11.00.14393.0 (rs1_release.160715-1616)
  Modules (Images):
    • c:\users\admin\appdata\local\temp\ixp001.tmp\be231436.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\syswow64\ntdll.dll
    • c:\windows\system32\wow64.dll
    • c:\windows\system32\wow64win.dll
    • c:\windows\system32\wow64cpu.dll
    • c:\windows\syswow64\kernel32.dll
    • c:\windows\syswow64\kernelbase.dll
    • c:\windows\syswow64\apphelp.dll
    • c:\windows\syswow64\aclayers.dll

PID 6572: d9c86e6c00d3f44d5378ca9a2f03389d071343af77a0384ab9c1cf3a39c9040a.exe
  CMD: "C:\Users\admin\Desktop\d9c86e6c00d3f44d5378ca9a2f03389d071343af77a0384ab9c1cf3a39c9040a.exe"
  Path: C:\Users\admin\Desktop\d9c86e6c00d3f44d5378ca9a2f03389d071343af77a0384ab9c1cf3a39c9040a.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (Images):
    • c:\users\admin\desktop\d9c86e6c00d3f44d5378ca9a2f03389d071343af77a0384ab9c1cf3a39c9040a.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\syswow64\ntdll.dll
    • c:\windows\system32\wow64.dll
    • c:\windows\system32\wow64win.dll
    • c:\windows\system32\wow64cpu.dll
    • c:\windows\syswow64\kernel32.dll
    • c:\windows\syswow64\kernelbase.dll
    • c:\windows\syswow64\apphelp.dll
    • c:\windows\syswow64\user32.dll

PID 6612: 211336502.exe
  CMD: C:\Users\admin\AppData\Local\Temp\IXP002.TMP\211336502.exe
  Path: C:\Users\admin\AppData\Local\Temp\IXP002.TMP\211336502.exe
  Parent process: be231436.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (Images):
    • c:\users\admin\appdata\local\temp\ixp002.tmp\211336502.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\syswow64\ntdll.dll
    • c:\windows\system32\wow64.dll
    • c:\windows\system32\wow64win.dll
    • c:\windows\system32\wow64cpu.dll
    • c:\windows\syswow64\kernel32.dll
    • c:\windows\syswow64\kernelbase.dll
    • c:\windows\syswow64\apphelp.dll
    • c:\windows\syswow64\aclayers.dll

PID 6712: 150960642.exe
  CMD: C:\Users\admin\AppData\Local\Temp\IXP002.TMP\150960642.exe
  Path: C:\Users\admin\AppData\Local\Temp\IXP002.TMP\150960642.exe
  Parent process: be231436.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
  Modules (Images):
    • c:\users\admin\appdata\local\temp\ixp002.tmp\150960642.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\syswow64\ntdll.dll
    • c:\windows\system32\wow64.dll
    • c:\windows\system32\wow64win.dll
    • c:\windows\system32\wow64cpu.dll
    • c:\windows\syswow64\kernel32.dll
    • c:\windows\syswow64\kernelbase.dll
    • c:\windows\syswow64\apphelp.dll
    • c:\windows\syswow64\aclayers.dll

PID 6720: xW437664.exe
  CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe
  Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe
  Parent process: d9c86e6c00d3f44d5378ca9a2f03389d071343af77a0384ab9c1cf3a39c9040a.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Win32 Cabinet Self-Extractor
  Version: 11.00.14393.0 (rs1_release.160715-1616)
  Modules (Images):
    • c:\users\admin\appdata\local\temp\ixp000.tmp\xw437664.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\syswow64\ntdll.dll
    • c:\windows\system32\wow64.dll
    • c:\windows\system32\wow64win.dll
    • c:\windows\system32\wow64cpu.dll
    • c:\windows\syswow64\kernel32.dll
    • c:\windows\syswow64\kernelbase.dll
    • c:\windows\syswow64\apphelp.dll
    • c:\windows\syswow64\aclayers.dll
Total events: 7 574
Read events: 7 574
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 6
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
824 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_150960642.exe_cf6febb435e155fcbf2232859c2ac7c6ae30fe_054c1ffc_257e16d2-9a1d-4093-827b-e4bd88d0c80d\Report.wer | - | - | -
824 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\150960642.exe.6712.dmp | - | - | -
824 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB17.tmp.dmp | binary | A93C10BC922629A9639691688C920242 | EDE3CB0462ECB3010EC19CBAE00FC7E01F8CF472C513435BE01978F8B0A2D270
6572 | d9c86e6c00d3f44d5378ca9a2f03389d071343af77a0384ab9c1cf3a39c9040a.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe | executable | F06E39167486FC96F3EEB3AC7407B38B | 39A59C9411B604DE582B4D0DEFD8AF49451ED7BB019E4EB8BF66FEE6250EDCD8
824 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC40.tmp.WERInternalMetadata.xml | xml | E0202FE5CF52F85958F40834BC02779D | E7301A885AED86A7FC06A8C73F9AD404EC13A3F9B96AB39F5F740E53D6B6C909
6548 | be231436.exe | C:\Users\admin\AppData\Local\Temp\IXP002.TMP\150960642.exe | executable | 16143C4BD073FCF8ABD2525F982C6190 | 14F7F92ECEE0D34D1F2D355ECD7C1F45E0C5ED9BB2D2446260F042A9E330BBC9
6572 | d9c86e6c00d3f44d5378ca9a2f03389d071343af77a0384ab9c1cf3a39c9040a.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\454772290.exe | executable | 50E5AFF16E771CCAD53C809D96E1DC81 | 12393BE0ADFFFFE8855A2419663B7AB4B0171C3FC30FF4FE6618BA796DCEF9D8
6720 | xW437664.exe | C:\Users\admin\AppData\Local\Temp\IXP001.TMP\398761517.exe | executable | 1304F384653E08AE497008FF13498608 | 2A9DABAB35FB09085750E1CC762E32B0FE4CBD7ED4276EF7E68BA159AE330EAA
6720 | xW437664.exe | C:\Users\admin\AppData\Local\Temp\IXP001.TMP\be231436.exe | executable | B5D38B0B9FEC4B6C942B149C0E893BBD | DFB7F1F7C6DE8988F69B12DBCC4C9BF2DDB8DDAEC696FE86A0BE556CA94DAADD
824 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC80.tmp.xml | xml | 6990C499853D40B32DEE101E741EC25C | C4E11B76723D1B150682357F7A3C28514C077D8BD215BE9354F54EECC86728F2
HTTP(S) requests: 6
TCP/UDP connections: 26
DNS requests: 10
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1744 | RUXIMICS.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1744 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 104.126.37.139:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
1744 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6944 | svchost.exe | 23.32.238.112:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1744 | RUXIMICS.exe | 23.32.238.112:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.32.238.112:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 51.104.136.2 | whitelisted
www.bing.com | 104.126.37.139, 104.126.37.184, 104.126.37.186, 104.126.37.163, 104.126.37.137, 104.126.37.171, 104.126.37.153, 104.126.37.128, 104.126.37.130 | whitelisted
google.com | 142.250.186.46 | whitelisted
crl.microsoft.com | 23.32.238.112, 23.32.238.107 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
watson.events.data.microsoft.com | 52.168.117.173 | whitelisted
self.events.data.microsoft.com | 20.189.173.27 | whitelisted

Threats

PID | Process | Class | Message
6612 | 211336502.exe | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity
6612 | 211336502.exe | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity
No debug info