File name: f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768

Full analysis: https://app.any.run/tasks/0bdb14e1-d913-453f-9463-58390edb813e
Verdict: Malicious activity
Analysis date: November 16, 2024, 11:58:57
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 77A1C8918AE7893671D3DFE3B410A107
SHA1: C863D6378582314B9898054031B0EB7019CFF637
SHA256: F091AFFA4BFE7B5D24C784295F49CE788032B3DD89B0160E95CACA1D08F92768
SSDEEP: 24576:GBL9fw3bDDItXehi1sfpbkseKnUSr6Fzv8ilsvbZ3Q07:GBL9fw3bDDyD1sfpbkstnUSr6Fzv8usN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe (PID: 6436)
    • The process creates files with name similar to system file names

      • f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe (PID: 6436)
    • Executable content was dropped or overwritten

      • f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe (PID: 6436)
    • Application launched itself

      • f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe (PID: 6436)
    • Reads security settings of Internet Explorer

      • f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe (PID: 4816)
    • Connects to the server without a host name

      • f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe (PID: 4816)
  • INFO

    • Checks supported languages

      • f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe (PID: 6436)
      • f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe (PID: 4816)
    • Reads the computer name

      • f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe (PID: 6436)
      • f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe (PID: 4816)
    • Create files in a temporary directory

      • f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe (PID: 6436)
    • Checks proxy server information

      • f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe (PID: 4816)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:55:15+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x351c
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.1.0.0
ProductVersionNumber: 2.1.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: bondefangernes plimsoll
FileDescription: nyligt sorcerers
FileVersion: 2.1.0.0
LegalCopyright: ultraminiature
LegalTrademarks: sidevggenes
ProductVersion: 2.1.0.0
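The TRiD and EXIF fields above (machine type, link timestamp, image characteristics, linker version, entry point, subsystem) all come straight from the COFF and optional headers, and the "Nullsoft Installer self-extracting archive" identification comes from the NSIS first-header signature stored in the overlay after the last section. The following Python script is an added example, not part of the ANY.RUN report, that reproduces those fields and the hashes for a local file using only the standard library. `build_sample_pe()` constructs a minimal PE32 image carrying the same header values as this sample so that the script runs offline; it is not the analysed file and its hashes will not match the ones listed above.

```python
import hashlib
import struct
import sys
from datetime import datetime, timezone

# NSIS "first header" signature: 0xDEADBEEF little-endian followed by "NullsoftInst".
# NSIS keeps its compressed script and payload in the overlay after the last PE section.
NSIS_SIG = b"\xef\xbe\xad\xdeNullsoftInst"

MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64", 0xAA64: "ARM64 little endian"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows command line"}
# (bit, label) in the order ExifTool prints ImageFileCharacteristics
CHARACTERISTICS = [
    (0x0001, "No relocs"),
    (0x0002, "Executable"),
    (0x0004, "No line numbers"),
    (0x0008, "No symbols"),
    (0x0100, "32-bit"),
    (0x2000, "DLL"),
]


def parse_pe(data: bytes) -> dict:
    """Hashes, COFF/optional-header fields and an overlay/NSIS check for one PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, maj_linker, min_linker, code_size, init_size, uninit_size, entry = struct.unpack_from(
        "<HBBIIII", data, opt)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # offset 68 in both PE32 and PE32+

    # The section table tells where mapped file data ends; everything after it is overlay.
    end_of_sections = 0
    for i in range(nsections):
        _, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = data[end_of_sections:]

    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA256": hashlib.sha256(data).hexdigest().upper(),
        "MachineType": MACHINES.get(machine, hex(machine)),
        "TimeStamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "ImageFileCharacteristics": ", ".join(label for bit, label in CHARACTERISTICS if chars & bit),
        "PEType": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "LinkerVersion": f"{maj_linker}.{min_linker}",
        "CodeSize": code_size,
        "InitializedDataSize": init_size,
        "UninitializedDataSize": uninit_size,
        "EntryPoint": hex(entry),
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "Sections": nsections,
        "OverlaySize": len(overlay),
        "NullsoftInstaller": NSIS_SIG in overlay,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not the analysed file) carrying this report's header values."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1711817715, 0, 0, 224, 0x010F)    # 2024-03-30 16:55:15 UTC
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 26112, 139776, 2048, 0x351C)
    opt += struct.pack("<IIIII", 0x1000, 0x8000, 0x400000, 0x1000, 0x200)     # BaseOfCode .. FileAlignment
    opt += struct.pack("<HHHHHHIIII", 4, 0, 6, 0, 4, 0, 0, 0x9000, 0x200, 0)   # versions, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0)                                            # Subsystem = Windows GUI
    opt += b"\0" * (224 - len(opt))
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + section
    headers += b"\0" * (0x200 - len(headers))
    text = b"\xc3" * 0x200                                                     # one section of RET bytes
    overlay = struct.pack("<I", 0) + NSIS_SIG + b"\0" * 12                     # flags, then the NSIS signature
    return headers + text + overlay


def triage_sample() -> dict:
    """Run the parser over the constructed image (used when no file path is given)."""
    return parse_pe(build_sample_pe())


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in parse_pe(data).items():
        print(f"{key}: {value}")
```

Run it as `python pe_triage.py <sample.exe>` to get the same fields for a real file. The overlay check is the same idea the TRiD and `file` signatures use: a genuine NSIS stub always carries the `NullsoftInst` marker in the data appended after the last section, so a PE whose headers look like a Visual C++ 6 build but whose overlay is large and carries that marker is an installer wrapper, and the interesting code is in the packed script and payload, not in the 26 KB of stub code.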
All screenshots are available in the full report
Total processes: 125
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process chain: explorer.exe -> f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe (PID 6436) -> f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe (PID 4816)

Process information

PID: 4816
CMD: "C:\Users\admin\Desktop\f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe"
Path: C:\Users\admin\Desktop\f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe
Parent process: f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe (PID 6436)
User: admin
Integrity Level: MEDIUM
Description: nyligt sorcerers
Version: 2.1.0.0
Modules (images):
c:\windows\syswow64\mshtml.dll
c:\users\admin\desktop\f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 6436
CMD: "C:\Users\admin\Desktop\f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe"
Path: C:\Users\admin\Desktop\f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: nyligt sorcerers
Exit code: 0
Version: 2.1.0.0
Modules (images):
c:\users\admin\desktop\f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 409
Read events: 409
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 5
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6436 | f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe | C:\Users\admin\Kommasystem\adjudantsnorene\Coleads123\S284990.jpg | image
  MD5: 522158B73236ED38616748B5B9F07B22
  SHA256: 6729EF33F4E42AF2716B718BDEC91076827AEA5203365DE96F28B92E25E44855
6436 | f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe | C:\Users\admin\Kommasystem\adjudantsnorene\Coleads123\Nettoomstnings54.Exh | binary
  MD5: 8D83ED7B2EDD49248F5CE6D4F20E128C
  SHA256: 4D342BA1005D8A109CFC9C0CFEE0324DBC16908DB26117450F4731995D2E2EF5
6436 | f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe | C:\Users\admin\Kommasystem\adjudantsnorene\Coleads123\Overcivil.txt | text
  MD5: F57D0E102255C70B8A2E07B047B16E91
  SHA256: 6F9B31CBC3264243EE5981FA234EE45CC0EAADF6536DB856F1A2438B690948A7
6436 | f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe | C:\Users\admin\Kommasystem\adjudantsnorene\Coleads123\twit.jen | binary
  MD5: 3DF747E56C37ADDB64F80C180B1420ED
  SHA256: F893C06E43EF85EA11F56E4C28FD51C18310074B16DC142BE05342E7C2555068
6436 | f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe | C:\Users\admin\AppData\Local\Temp\nsxCD5C.tmp\System.dll | executable
  MD5: 192639861E3DC2DC5C08BB8F8C7260D5
  SHA256: 23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
6436 | f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe | C:\Users\admin\Kommasystem\adjudantsnorene\Coleads123\Seropus.Gru | abr
  MD5: EA67807B0B2538E03A600267BA8E8F92
  SHA256: 3E08F1E150F2D2816E45F1E43B262D323BDCEBBACF2DC22D7A7BBD7261F7B1E8
6436 | f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe | C:\Users\admin\Kommasystem\adjudantsnorene\Coleads123\overskuedes.cha | binary
  MD5: 4647BE9BCF4F9E71DE311A9A3151C012
  SHA256: FEC69311370CA6EED8E4687F96E2D7C31AF4424766E42F81560AA4BD571540F2
6436 | f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe | C:\Users\admin\Kommasystem\adjudantsnorene\Coleads123\denotationen.unr | binary
  MD5: FC81F85F90C7B2817E282C356C85717B
  SHA256: 0ACB8C6A3E0D2008888EBC92F741EC1766BE0919C369469CB9867C3EA5347029
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 25
DNS requests: 7
Threats: 4

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
- | - | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6944 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1588 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4816 | f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe | GET | - | 212.162.149.224:80 | http://212.162.149.224/BtdTNq121.bin | unknown | unknown
4816 | f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe | GET | - | 212.162.149.224:80 | http://212.162.149.224/BtdTNq121.bin | unknown | unknown
4816 | f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe | GET | - | 212.162.149.224:80 | http://212.162.149.224/BtdTNq121.bin | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6944 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1588 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6944 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1588 | RUXIMICS.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 20.189.173.17
whitelisted

Threats

PID | Process | Class | Message
4816 | f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe | Potentially Bad Traffic | ET HUNTING Generic .bin download from Dotted Quad
4816 | f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe | Potentially Bad Traffic | ET HUNTING Generic .bin download from Dotted Quad
4816 | f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe | Potentially Bad Traffic | ET HUNTING Generic .bin download from Dotted Quad
4816 | f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe | Potentially Bad Traffic | ET HUNTING Generic .bin download from Dotted Quad
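The three signals that carry this verdict are spread across the Indicators section (System.dll created under Temp, the application launching itself, a connection to a server without a host name) and the Threats section (the ET HUNTING ".bin download from Dotted Quad" alert). Each one is weak on its own: System.dll in %TEMP%\ns*.tmp\ is the NSIS System plug-in, which every NSIS installer that calls into the Windows API drops there, and installers routinely relaunch themselves. What makes the chain suspicious is the combination: the dropper (PID 6436) unpacks plug-ins and starts a second copy of itself (PID 4816), and only that child fetches a .bin from a bare IP. The following Python script is an added example, not part of the ANY.RUN report, that encodes those checks as rules over a sandbox-style event stream and groups hits per process so the chain is visible. The event list, the `ppid` value for explorer.exe and the event field names are constructed for the example; the paths, PIDs and URL are taken from this report.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# NSIS unpacks its plug-ins (System.dll, nsExec.dll, ...) into %TEMP%\ns<XXXXX>.tmp\ before running the script.
NSIS_PLUGIN_DROP = re.compile(r"\\AppData\\Local\\Temp\\ns[0-9A-Za-z]+\.tmp\\System\.dll$", re.IGNORECASE)

SAMPLE_PATH = r"C:\Users\admin\Desktop\f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768.exe"

# Constructed event stream modelled on this report's process tree, dropped files and HTTP requests.
# ppid 1892 for explorer.exe is an assumed value; the report does not list it.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 6436, "image": SAMPLE_PATH, "ppid": 1892,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file", "pid": 6436, "path": r"C:\Users\admin\AppData\Local\Temp\nsxCD5C.tmp\System.dll"},
    {"type": "file", "pid": 6436, "path": r"C:\Users\admin\Kommasystem\adjudantsnorene\Coleads123\Overcivil.txt"},
    {"type": "process", "pid": 4816, "image": SAMPLE_PATH, "ppid": 6436, "parent_image": SAMPLE_PATH},
    {"type": "http", "pid": 4816, "method": "GET", "url": "http://212.162.149.224/BtdTNq121.bin"},
    {"type": "http", "pid": 6944, "method": "GET",
     "url": "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"},
]


def is_dotted_quad(host: str) -> bool:
    """True when the URL host is an IPv4 literal, i.e. no host name was used."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def detect(events) -> list:
    """Apply the three behaviour checks and return one finding per hit, in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "file" and NSIS_PLUGIN_DROP.search(ev["path"]):
            findings.append({"rule": "nsis_system_plugin_drop", "pid": ev["pid"], "detail": ev["path"]})
        elif ev["type"] == "process" and ev["image"].casefold() == ev["parent_image"].casefold():
            findings.append({"rule": "self_launch", "pid": ev["pid"],
                             "detail": f"spawned by PID {ev['ppid']} running the same image"})
        elif ev["type"] == "http":
            parts = urlsplit(ev["url"])
            if is_dotted_quad(parts.hostname or ""):
                # Same condition the ET HUNTING alert above keys on: .bin fetched from a bare IP.
                rule = "bin_download_from_dotted_quad" if parts.path.lower().endswith(".bin") else "dotted_quad_http"
                findings.append({"rule": rule, "pid": ev["pid"], "detail": ev["url"]})
    return findings


def rules_by_pid(findings) -> dict:
    """Group rule names per process so the dropper -> child -> download chain is visible at a glance."""
    grouped = {}
    for hit in findings:
        grouped.setdefault(hit["pid"], []).append(hit["rule"])
    return grouped


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(f"PID {hit['pid']}: {hit['rule']} ({hit['detail']})")
    print(rules_by_pid(hits))
```

The grouping is the point: a lone `nsis_system_plugin_drop` or `self_launch` is what a legitimate installer looks like, but a process that inherits those from its parent and then pulls an extension-less-looking `.bin` from a dotted quad on port 80 is the pattern the sandbox flagged here. The CRL fetches by svchost.exe, RUXIMICS.exe and MoUsoCoreWorker.exe in the same report use host names and are left untouched by the rules, which is the false-positive check worth keeping when the rules go into a real pipeline.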
No debug info