File name: f7cce6e6e79da0b4e5244347b9a5d9fc96b02d85570511b1894f5cc52e2206c7.bin

Full analysis: https://app.any.run/tasks/7fdfde08-2733-42e0-9edd-e3c856e334e9
Verdict: Malicious activity
Analysis date: April 15, 2025, 17:49:39
OS: Windows 11 Professional (build: 22000, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: C162433D319143640ACB465131546890
SHA1: EAE910B4E006BFE416BFE9E7A1CC439446C010F4
SHA256: F7CCE6E6E79DA0B4E5244347B9A5D9FC96B02D85570511B1894F5CC52E2206C7
SSDEEP: 3072:jAUXrUFJugKZudJ86w5IxyUIefCnon6FGM+Q74SZ:EUbUeqdJ8zGxyuCnpwSZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • f7cce6e6e79da0b4e5244347b9a5d9fc96b02d85570511b1894f5cc52e2206c7.bin.exe (PID: 1784)
  • SUSPICIOUS

    • Executes application which crashes

      • f7cce6e6e79da0b4e5244347b9a5d9fc96b02d85570511b1894f5cc52e2206c7.bin.exe (PID: 1784)
    • Reads the Internet Settings

      • WerFault.exe (PID: 3884)
  • INFO

    • Checks supported languages

      • f7cce6e6e79da0b4e5244347b9a5d9fc96b02d85570511b1894f5cc52e2206c7.bin.exe (PID: 1784)
    • Checks proxy server information

      • WerFault.exe (PID: 3884)
    • Reads the software policy settings

      • WerFault.exe (PID: 3884)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 3884)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:17 14:10:40+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 7680
InitializedDataSize: 95744
UninitializedDataSize: -
EntryPoint: 0x1140
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
Total processes: 107
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 1

Behavior graph

start f7cce6e6e79da0b4e5244347b9a5d9fc96b02d85570511b1894f5cc52e2206c7.bin.exe werfault.exe

Process information

PID: 1784
CMD: "C:\Users\admin\Desktop\f7cce6e6e79da0b4e5244347b9a5d9fc96b02d85570511b1894f5cc52e2206c7.bin.exe"
Path: C:\Users\admin\Desktop\f7cce6e6e79da0b4e5244347b9a5d9fc96b02d85570511b1894f5cc52e2206c7.bin.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477
Modules
Images
c:\users\admin\desktop\f7cce6e6e79da0b4e5244347b9a5d9fc96b02d85570511b1894f5cc52e2206c7.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll

PID: 3884
CMD: C:\Windows\system32\WerFault.exe -u -p 1784 -s 212
Path: C:\Windows\System32\WerFault.exe
Parent process: f7cce6e6e79da0b4e5244347b9a5d9fc96b02d85570511b1894f5cc52e2206c7.bin.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.22000.348 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events: 2 934
Read events: 2 934
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 3
Text files: 1
Unknown types: 0

Dropped files

PID: 3884
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_f7cce6e6e79da0b4_91b8f34c56566a6c0717b12324ba9e24f4a33e_058a7129_882ff74f-797e-45bf-a1a3-e598cfa638d5\Report.wer
MD5:
SHA256:

PID: 3884
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER.8e9cedbf-66e3-4df8-934a-89797ff6fe29.tmp.dmp
Type: binary
MD5: 14F13BE2B185C8585E3DEA5FBB9A0D6F
SHA256: 7BD24D71FE42E5AAFE389B81C5783A0446D66DE947C90583CB13E831CB0733D6

PID: 3884
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER.57f02322-97b4-4157-9105-4115669e2191.tmp.xml
Type: xml
MD5: 251AB8BF6F5114CFD7D7AB60E4DFC1C9
SHA256: F12422C7E7B8A9D7415ADFF4727C81213FDB4A1E3289ABFF9D3B34861407B479

PID: 3884
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER.90f1c646-cca2-4de7-8363-aaa600e01034.tmp.WERInternalMetadata.xml
Type: binary
MD5: F3CCE78B7EF653D9DF9180FFFB13D231
SHA256: DF38D7A9BDAC16D778C2098FE6FBC7C310A6557E4ECEE5C43651420F362E4CA0

PID: 3884
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\f7cce6e6e79da0b4e5244347b9a5d9fc96b02d85570511b1894f5cc52e2206c7.bin.exe.1784.dmp
Type: binary
MD5: 9556D00B4B42B02AA8AD9406CD602C22
SHA256: 3B483CD65E482A5AD5CD673E9295B88FE2FE4DD0417575183B5EC01BAD45D835
HTTP(S) requests: 4
TCP/UDP connections: 13
DNS requests: 9
Threats: 1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1748
smartscreen.exe
GET
200
208.89.74.27:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a8a094648910ae9c
unknown
whitelisted
3640
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1748
smartscreen.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
1352
svchost.exe
GET
200
23.53.42.64:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1352
svchost.exe
23.53.42.66:80
Akamai International B.V.
DE
unknown
1748
smartscreen.exe
4.175.223.124:443
checkappexec.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1748
smartscreen.exe
208.89.74.27:80
ctldl.windowsupdate.com
US
whitelisted
1748
smartscreen.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
3884
WerFault.exe
20.189.173.22:443
umwatson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4432
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3640
svchost.exe
40.126.31.1:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3640
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1316
svchost.exe
23.199.214.10:443
fs.microsoft.com
AKAMAI-AS
DE
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.74.206
whitelisted
checkappexec.microsoft.com
  • 4.175.223.124
whitelisted
ctldl.windowsupdate.com
  • 208.89.74.27
  • 208.89.74.31
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
umwatson.events.data.microsoft.com
  • 20.189.173.22
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
login.live.com
  • 40.126.31.1
  • 20.190.159.4
  • 20.190.159.73
  • 20.190.159.64
  • 40.126.31.129
  • 20.190.159.128
  • 40.126.31.2
  • 20.190.159.130
whitelisted
fs.microsoft.com
  • 23.199.214.10
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Microsoft Connection Test
No debug info