File name: e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a

Full analysis: https://app.any.run/tasks/6e768542-47ee-4f2e-902e-6eb2938e3984
Verdict: Malicious activity
Analysis date: January 11, 2025, 01:01:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: F6F040A290CC9C41A1B07307F12310E5
SHA1: C34B80EA358BBDDC007A7E9054F9D71EEE00799F
SHA256: E1C5B7A7FA4B308E50AA7061DD1E691CD253F63DC99745977164EC5D5311047A
SSDEEP: 49152:rPPkzemqoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtGAhh:rP/mp7t3T4+B/btosJwIA4hHmZlKH2TL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executes application which crashes

      • e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe (PID: 3688)
  • INFO

    • Checks supported languages

      • e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe (PID: 3688)
    • Creates files in a temporary directory

      • e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe (PID: 3688)
    • The process uses AutoIt

      • e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe (PID: 3688)
    • The sample was compiled with English language support

      • e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe (PID: 3688)
    • Reads mouse settings

      • e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe (PID: 3688)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6172)
    • Reads the software policy settings

      • WerFault.exe (PID: 6172)
    • Checks proxy server information

      • WerFault.exe (PID: 6172)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

CharacterSet: Unicode
LanguageCode: English (British)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x20577
UninitializedDataSize: -
InitializedDataSize: 610816
CodeSize: 633856
LinkerVersion: 14.16
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2024:12:22 23:19:42+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 134
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph: e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe, svchost.exe (no specs), werfault.exe

Process information

PID: 3688
CMD: "C:\Users\admin\AppData\Local\Temp\e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe"
Path: C:\Users\admin\AppData\Local\Temp\e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477
Modules (Images):
c:\users\admin\appdata\local\temp\e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll

PID: 4188
CMD: "C:\Users\admin\AppData\Local\Temp\e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe"
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 6172
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 3688 -s 732
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events: 3 096
Read events: 3 096
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 9
Text files: 3
Unknown types: 0

Dropped files

PID: 6172
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_e1c5b7a7fa4b308e_ce9b18c0e0fdcda626709a2a791c7935bf9788df_708e9b73_e5513d38-4ead-4546-baa0-93e53fb19ac5\Report.wer
Type:
MD5:
SHA256:

PID: 3688
Process: e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe
Filename: C:\Users\admin\AppData\Local\Temp\nonplacental
Type: text
MD5: 3A122E0B0905AB3F0B785723FBFD51AD
SHA256: 11BA5A39B30D7D81C98E3E5AF3761F4F27C0CC5B0B3F0B6F60CDA4735F651C9E

PID: 3688
Process: e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe
Filename: C:\Users\admin\AppData\Local\Temp\aut70B0.tmp
Type: binary
MD5: 22BABDA68A3954AA10B0B0281E3AC687
SHA256: 83E0D0F4ECC101A16194F7232E7BBDCA84F70262BEB3C573435E7579C3748BFE

PID: 3688
Process: e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe
Filename: C:\Users\admin\AppData\Local\Temp\aut6B8E.tmp
Type: binary
MD5: 83386E8A3E3CF1EEF6C2B14FBCF1EFAB
SHA256: B111047B56976E8DBDECCFBC73ECC56AB93032D1421E808CEBD87F93156C2BA3

PID: 6172
Process: WerFault.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785
Type: der
MD5: F6F53CD09A41E968C363419B279D3112
SHA256: 6D2BB01CC7A9BADE2113B219CAC1BDA86B2733196B7E1BD0C807CE1E396B1892

PID: 3688
Process: e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe
Filename: C:\Users\admin\AppData\Local\Temp\konked
Type: binary
MD5: 22BABDA68A3954AA10B0B0281E3AC687
SHA256: 83E0D0F4ECC101A16194F7232E7BBDCA84F70262BEB3C573435E7579C3748BFE

PID: 6172
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe.3688.dmp
Type: binary
MD5: 48603A9F595EC1B91AB8F11B726D6643
SHA256: A70D04E5F5D21FFB5E7C7B6C2460D19CABD54028E16DA4BE10E26AF910C794E7

PID: 6172
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8263.tmp.WERInternalMetadata.xml
Type: xml
MD5: 4A529E28273E6A65E12ADB065C5EAF91
SHA256: 3514B00CD849A9E9C4AABA3D14F46067BE3E7AA9377C84DFCE1E8C3B35C3C0FF

PID: 6172
Process: WerFault.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Type: binary
MD5: 4FB8DBF783A88C7407B259A94A78BE96
SHA256: B613DA11D90DF052C5BF3995D633A401D05FC22F28A3859A3FBC0131B00AA3A0

PID: 6172
Process: WerFault.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
Type: der
MD5: FA84E4BCC92AA5DB735AB50711040CDE
SHA256: 6D7205E794FDE4219A62D9692ECDDF612663A5CF20399E79BE87B851FCA4CA33
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 34
DNS requests: 23
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted
3700 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
6172 | WerFault.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
3700 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
6172 | WerFault.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | | | whitelisted
7076 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted
7076 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | | | whitelisted
6460 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
 | | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3700 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3700 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6172 | WerFault.exe | 13.89.179.12:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5000 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6172 | WerFault.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6172 | WerFault.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 104.126.37.145:443 | www.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
  • 51.124.78.146
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
watson.events.data.microsoft.com
  • 13.89.179.12
whitelisted
www.bing.com
  • 104.126.37.145
  • 104.126.37.131
whitelisted
login.live.com
  • 40.126.32.133
  • 40.126.32.68
  • 20.190.160.17
  • 20.190.160.14
  • 40.126.32.136
  • 40.126.32.76
  • 40.126.32.140
  • 40.126.32.72
  • 20.190.159.64
  • 20.190.159.68
  • 40.126.31.73
  • 20.190.159.0
  • 20.190.159.2
  • 40.126.31.67
  • 20.190.159.73
  • 20.190.159.23
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted

Threats

No threats detected
No debug info