File name:

adc343913c919330a0cc97b7c6494460.exe

Full analysis: https://app.any.run/tasks/552e0f25-68d0-4e66-a7e5-5d152b45b7ec
Verdict: Malicious activity
Analysis date: May 17, 2024, 16:18:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

ADC343913C919330A0CC97B7C6494460

SHA1:

104BB7A772DB722E90E5C278A8EA0D08A04B4F6C

SHA256:

E01B35EF49421F9462A8799F5B57527D39EA80C3FD3BEB5161421B871E5BC6D9

SSDEEP:

49152:gVV4k6ijmpRCnb8BR+CWyC7tuut7tgz9xmIWLiMad+c598lh0nTdkyw:gIk5jERCngGqut7o9xmRLiMaF598E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • adc343913c919330a0cc97b7c6494460.exe (PID: 6492)

    • Actions looks like stealing of personal data

      • adc343913c919330a0cc97b7c6494460.exe (PID: 6492)

    • Connects to the CnC server

      • adc343913c919330a0cc97b7c6494460.exe (PID: 6492)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • adc343913c919330a0cc97b7c6494460.exe (PID: 6492)

    • Starts a Microsoft application from unusual location

      • adc343913c919330a0cc97b7c6494460.exe (PID: 6492)

    • Executable content was dropped or overwritten

      • adc343913c919330a0cc97b7c6494460.exe (PID: 6492)

    • Contacting a server suspected of hosting an CnC

      • adc343913c919330a0cc97b7c6494460.exe (PID: 6492)

  • INFO

    • Checks proxy server information

      • adc343913c919330a0cc97b7c6494460.exe (PID: 6492)

    • Checks supported languages

      • adc343913c919330a0cc97b7c6494460.exe (PID: 6492)

    • Reads the computer name

      • adc343913c919330a0cc97b7c6494460.exe (PID: 6492)

    • Creates files or folders in the user directory

      • adc343913c919330a0cc97b7c6494460.exe (PID: 6492)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2009:06:04 03:59:29+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 8
CodeSize: 74240
InitializedDataSize: 8704
UninitializedDataSize: -
EntryPoint: 0x7840
OSVersion: 5
ImageVersion: 8
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 2.0.50727.4927
ProductVersionNumber: 2.0.50727.4927
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: .NET Runtime Optimization Service
FileVersion: 2.0.50727.4927 (NetFXspW7.050727-4900)
InternalName: mscorsvw.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: mscorsvw.exe
ProductName: Microsoft® .NET Framework
ProductVersion: 2.0.50727.4927
Comments: Flavor=Retail
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
112
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start adc343913c919330a0cc97b7c6494460.exe filecoauth.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6492"C:\Users\admin\AppData\Local\Temp\adc343913c919330a0cc97b7c6494460.exe" C:\Users\admin\AppData\Local\Temp\adc343913c919330a0cc97b7c6494460.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
.NET Runtime Optimization Service
Exit code:
1
Version:
2.0.50727.4927 (NetFXspW7.050727-4900)
Modules
Images
c:\users\admin\appdata\local\temp\adc343913c919330a0cc97b7c6494460.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6828C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -EmbeddingC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Total events
608
Read events
608
Write events
0
Delete events
0

Modification events

No data
Executable files
7
Suspicious files
3
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6492adc343913c919330a0cc97b7c6494460.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeexecutable
MD5:3C152EBEF6EC677CF513C437487EB16A
SHA256:AB068487FB54544377ED42025038520E9D4D1A9E24EC2B07F948E308720A92E8
6492adc343913c919330a0cc97b7c6494460.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeexecutable
MD5:DCEF79CA7D080726EDCBBC07131165D9
SHA256:53AB739A07B4FC9A3EE937F44FC5D859A7B6D74DAA3366672C295E4FC1D77422
6492adc343913c919330a0cc97b7c6494460.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exeexecutable
MD5:CB9EC2965F7B14C7A0011C7A564A2B72
SHA256:765BE5BF70996C20DA1105177FA5074413C0A6AF3D6B44EFE57901A1432B30F8
6492adc343913c919330a0cc97b7c6494460.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeexecutable
MD5:7FD8B5A9725528B906BE22299C71C2A3
SHA256:6311E49F50FDFD82C88AC79E58713E8369EC8D50C3FCE8DFED84EC7402E8714E
6492adc343913c919330a0cc97b7c6494460.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeexecutable
MD5:A5ABAFC295D558D75222B619F28D8FF9
SHA256:477ABB48B4670CE5347C1B816D8775496F56B72B28661F309E20B3BC883A9D9F
6492adc343913c919330a0cc97b7c6494460.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeexecutable
MD5:7A21BF95BF46DA15830ACA9F9801F7EB
SHA256:28C5F10D3FEF8F3EEDDBBB0CFC585AA00EE55B0CC0278EA73CBACB722A33A88B
6492adc343913c919330a0cc97b7c6494460.exeC:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exeexecutable
MD5:3720B823BDD6CB326BE3908E1114F32E
SHA256:D1EFB4EC30973898485D0E4C1979CDF30DA8E626D80CCE3BD892ABF212A87AA9
6492adc343913c919330a0cc97b7c6494460.exeC:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.binbinary
MD5:4AC65625360AC970F5FE834BBD7014A1
SHA256:83E612D7052DDB508F6B521DB37236EE4F4C4200FA4046DEDBBC71E5B4DA435C
6828FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-17.1620.6828.1.aodlbinary
MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
6828FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-17.1620.6828.1.odlbinary
MD5:BEC48BFDC3A9EAF70D7D99750C29F003
SHA256:ED59F134B61193196D5EB22AB6BBE4D21CC8499A80BC204F7AC14D593AEF1325
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
8
DNS requests
3
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6492
adc343913c919330a0cc97b7c6494460.exe
POST
35.91.124.102:80
http://pywolwnvd.biz/pcefbuldgg
unknown
unknown
GET
200
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4
unknown
binary
3.41 Kb
2908
OfficeClickToRun.exe
POST
200
13.89.179.11:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4364
svchost.exe
239.255.255.250:1900
unknown
4
System
192.168.100.255:138
whitelisted
6492
adc343913c919330a0cc97b7c6494460.exe
35.91.124.102:80
pywolwnvd.biz
AMAZON-02
US
unknown
4
System
192.168.100.255:137
whitelisted
4264
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2908
OfficeClickToRun.exe
20.42.65.91:443
self.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
pywolwnvd.biz
  • 35.91.124.102
unknown
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
self.events.data.microsoft.com
  • 20.42.65.91
whitelisted

Threats

PID
Process
Class
Message
2184
svchost.exe
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
adc343913c919330a0cc97b7c6494460.exe