File name: | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93 |
Full analysis: | https://app.any.run/tasks/be0e52e1-f344-4e20-9c4c-f176f9ff8acd |
Verdict: | Malicious activity |
Analysis date: | December 13, 2024, 19:42:13 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections |
MD5: | 18A7BFE9B0107C31BCB8AA6419398A8B |
SHA1: | 8B6EC61503AF53A1DF799EE5F0D05E7590FA48EF |
SHA256: | EC97AF940E709F506E9F40E2B9E0EA5AB915ED637A3471DE54C9583A906B3C93 |
SSDEEP: | 1536:EhPpyASvVVVVVVVVWs5jf/ASvVVVVVVVV+s5jfs4:cpDSvVVVVVVVVrf4SvVVVVVVVVTf5 |
.exe | | | Win32 Executable MS Visual C++ (generic) (30.9) |
---|---|---|
.exe | | | Win64 Executable (generic) (27.3) |
.exe | | | UPX compressed Win32 Executable (26.8) |
.dll | | | Win32 Dynamic Link Library (generic) (6.5) |
.exe | | | Win32 Executable (generic) (4.4) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2011:03:15 04:06:07+00:00 |
ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit, No debug |
PEType: | PE32 |
LinkerVersion: | 6 |
CodeSize: | 8192 |
InitializedDataSize: | 4096 |
UninitializedDataSize: | 24576 |
EntryPoint: | 0x2130 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3620 | "C:\Users\admin\Desktop\ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe" | C:\Users\admin\Desktop\ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | — | |
MD5:— | SHA256:— | |||
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | — | ||
MD5:— | SHA256:— | |||
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | |
MD5:754E67333D833FA0B08DB3B136244DC4 | SHA256:F0C34237451D01B6B2D092A8F0EAF16FE344ECC90134AD5E7AC69D261547EF5B | |||
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable | |
MD5:E7EF6B7109A8AFCA1FE5FEBE681FC99F | SHA256:16DB9D59CF0DB26B7BB1638BC2BF6A855656D1E0B73E84A65C8ADD9EDB99D875 | |||
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | |
MD5:D8442D350E2B58DA11BBF0FAEF4EE9DF | SHA256:0107D4FEC811F5BEF16E9698E59753CF03BE9E7D01E573304495E0415524F704 | |||
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | |
MD5:E2B8B028C76C2A74BF33A2DFC44927EC | SHA256:5AC7FDE3DF8F4A5737D20AD652538C9C6257D46F341F15F347FE0CCC7EF53FEE | |||
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | |
MD5:90D905BEFEA6AB3427D78FE49E48C710 | SHA256:3FD20B8352B9EEB807B3B134D75908FDE640E1C7CAD57200D8BB31F23F85C6B3 | |||
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable | |
MD5:B353E8B1A17BD21E73E231BEC27F66B4 | SHA256:CDC823A12241440C2D97F18CD53E7A821F88808F107061DCF26A56FDD232CD28 | |||
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | |
MD5:FA1902B8E716E66EBE0EC3566377A95F | SHA256:98AB9CB601A7F5CAE30813ED48112B6D85404E120CB21525F92C7D19386B4BCE | |||
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable | |
MD5:014ECC5A741F408A15F083909EE16C39 | SHA256:E9DC37042E1725DF496FB2056FCF6925ED546BEF8EEC75137705C63CDF0AA1D7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.167:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3996 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3996 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 104.126.37.162:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.167:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3996 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |