File name:

crss.exe

Full analysis: https://app.any.run/tasks/ba1a3984-eea1-4972-b36a-28bae5ab7cde
Verdict: Malicious activity
Analysis date: November 13, 2024, 07:26:57
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
python
pyinstaller
rust
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

B38288FC18C577D8FF848DA5C86D3289

SHA1:

F39E8C501284B3B76D6E0DDB97E8D0322AED3D1D

SHA256:

F8F5CF6656A0881B61BCD1108B172A8A26AFA1104A69D9FC663EBB79DD998B25

SSDEEP:

98304:8J3Nu8M+J4tqaOFHhwIsRjKOVWjtKxgA5evnaY8g2XpNC41HHZPthJyYffIbjQrD:s7rbdKLh6YCU3pIwW7bbVPw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • crss.exe (PID: 3620)

  • SUSPICIOUS

    • Application launched itself

      • crss.exe (PID: 6752)

    • The process drops C-runtime libraries

      • crss.exe (PID: 6752)

    • Process drops python dynamic module

      • crss.exe (PID: 6752)

    • Process drops legitimate windows executable

      • crss.exe (PID: 6752)

    • Executable content was dropped or overwritten

      • crss.exe (PID: 6752)

    • Loads Python modules

      • crss.exe (PID: 3620)

    • Potential Corporate Privacy Violation

      • crss.exe (PID: 3620)

    • Starts CMD.EXE for commands execution

      • crss.exe (PID: 3620)

  • INFO

    • Checks supported languages

      • crss.exe (PID: 6752)
      • crss.exe (PID: 3620)

    • Create files in a temporary directory

      • crss.exe (PID: 6752)

    • Reads the computer name

      • crss.exe (PID: 6752)
      • crss.exe (PID: 3620)

    • Reads the machine GUID from the registry

      • crss.exe (PID: 3620)

    • Checks operating system version

      • crss.exe (PID: 3620)

    • Checks proxy server information

      • crss.exe (PID: 3620)

    • PyInstaller has been detected (YARA)

      • crss.exe (PID: 6752)
      • crss.exe (PID: 3620)

    • Application based on Rust

      • crss.exe (PID: 3620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:11:13 07:25:52+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 172032
InitializedDataSize: 93184
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT crss.exe THREAT crss.exe cmd.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2980\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3000C:\WINDOWS\system32\cmd.exe /c "ver"C:\Windows\System32\cmd.execrss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
3620"C:\Users\admin\Desktop\crss.exe" C:\Users\admin\Desktop\crss.exe
crss.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\crss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6752"C:\Users\admin\Desktop\crss.exe" C:\Users\admin\Desktop\crss.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\crss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
348
Read events
347
Write events
1
Delete events
0

Modification events

(PID) Process:(3620) crss.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:козляк
Value:
C:\Users\admin\Desktop\crss.exe
Executable files
44
Suspicious files
1
Text files
21
Unknown types
0

Dropped files

PID
Process
Filename
Type
6752crss.exeC:\Users\admin\AppData\Local\Temp\_MEI67522\_hashlib.pydexecutable
MD5:D4674750C732F0DB4C4DD6A83A9124FE
SHA256:CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
6752crss.exeC:\Users\admin\AppData\Local\Temp\_MEI67522\_decimal.pydexecutable
MD5:20C77203DDF9FF2FF96D6D11DEA2EDCF
SHA256:9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
6752crss.exeC:\Users\admin\AppData\Local\Temp\_MEI67522\VCRUNTIME140_1.dllexecutable
MD5:135359D350F72AD4BF716B764D39E749
SHA256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
6752crss.exeC:\Users\admin\AppData\Local\Temp\_MEI67522\_asyncio.pydexecutable
MD5:33D0B6DE555DDBBBD5CA229BFA91C329
SHA256:A9A99A2B847E46C0EFCE7FCFEFD27F4BCE58BAF9207277C17BFFD09EF4D274E5
6752crss.exeC:\Users\admin\AppData\Local\Temp\_MEI67522\_cffi_backend.cp310-win_amd64.pydexecutable
MD5:2BAAA98B744915339AE6C016B17C3763
SHA256:4F1CE205C2BE986C9D38B951B6BCB6045EB363E06DACC069A41941F80BE9068C
6752crss.exeC:\Users\admin\AppData\Local\Temp\_MEI67522\_ctypes.pydexecutable
MD5:1635A0C5A72DF5AE64072CBB0065AEBE
SHA256:1EA3DD3DF393FA9B27BF6595BE4AC859064CD8EF9908A12378A6021BBA1CB177
6752crss.exeC:\Users\admin\AppData\Local\Temp\_MEI67522\_lzma.pydexecutable
MD5:7447EFD8D71E8A1929BE0FAC722B42DC
SHA256:60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
6752crss.exeC:\Users\admin\AppData\Local\Temp\_MEI67522\api-ms-win-core-localization-l1-2-0.dllexecutable
MD5:F9653F362C597CA64C309D5B0F817D6D
SHA256:70FB4062A84F05B4DBBB045EC853A12D0C664ECCB5327799EBC9054864157C97
6752crss.exeC:\Users\admin\AppData\Local\Temp\_MEI67522\_pytransform.dllexecutable
MD5:23376A4DF02C2BB0B770930449355ACB
SHA256:E999F10F53A09DDD5C6E05AD8BD3635C43D1035EB70AFD32463875A1AEF030CD
6752crss.exeC:\Users\admin\AppData\Local\Temp\_MEI67522\_queue.pydexecutable
MD5:D8C1B81BBC125B6AD1F48A172181336E
SHA256:925F05255F4AAE0997DC4EC94D900FD15950FD840685D5B8AA755427C7422B14
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
1 004
DNS requests
7
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6944
svchost.exe
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7040
RUXIMICS.exe
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7040
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3620
crss.exe
GET
200
172.217.18.4:80
http://www.google.com/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
7040
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.209.182:443
Akamai International B.V.
GB
unknown
6944
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6944
svchost.exe
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
7040
RUXIMICS.exe
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5488
MoUsoCoreWorker.exe
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
6944
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
7040
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.49
  • 2.16.164.9
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
www.google.com
  • 172.217.18.4
whitelisted
raw.githubusercontent.com
  • 185.199.111.133
  • 185.199.109.133
  • 185.199.110.133
  • 185.199.108.133
shared
self.events.data.microsoft.com
  • 13.89.179.11
whitelisted

Threats

PID
Process
Class
Message
2172
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
crss.exe