Malware analysis https://suporte.camaratunapolis.sc.gov.br/ti/8.exe Malicious activity

Add for printing

URL:	https://suporte.camaratunapolis.sc.gov.br/ti/8.exe
Full analysis:	https://app.any.run/tasks/21dc477f-6f5f-4208-8009-481ddf9022c2
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	May 10, 2025, 01:44:25
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader
Indicators:
MD5:	63441D1ED7F67B894BA4241FB8964367
SHA1:	4E0B081C6B1CC37E37B388B4540B5A3727C217EC
SHA256:	FCE5795BF57C537CBEB6B47E53D55F8007CF9D09A43D841F75D45E12BA615235
SSDEEP:	3:N8dSmYVQL8KC0qdJn:2cmae8KC0qdJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

142

Monitored processes

1

Malicious processes

0

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
1396	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --webtransport-developer-mode --no-appcompat-clear --mojo-platform-channel-handle=2532 --field-trial-handle=2372,i,8504447382059928769,14367336096275567116,262144 --variations-seed-version /prefetch:3	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe		msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59

Add for printing

Total events

0

Read events

0

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

0

Suspicious files

11

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bb		—
		MD5:—	SHA256:—
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ba		compressed
		MD5:10B84D6DDEFB33D0D3F0615CA3E91C5A	SHA256:C69A6E50A300D39721F9AE8FC5B40600DD90093F65E3A4650C9540C58C071144
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\758537ff-300d-4b47-af22-9697a8660aa8.tmp		binary
		MD5:3140CB797498137E330D3CAE1AD5970A	SHA256:B4C87E65FB18FF2E4028E934653089C7DE70D854E7D861D9A1063189C5212119
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State		binary
		MD5:3140CB797498137E330D3CAE1AD5970A	SHA256:B4C87E65FB18FF2E4028E934653089C7DE70D854E7D861D9A1063189C5212119
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity		binary
		MD5:6B040E21525B970CEC9D898A6B2ED990	SHA256:DAAB77018C5C88ED101EEACD621F60F65DCDC20FED69B444FD056F3CECD51B49
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\1543d428-33ea-419d-9ddb-54fb5c77a56d.tmp		binary
		MD5:6B040E21525B970CEC9D898A6B2ED990	SHA256:DAAB77018C5C88ED101EEACD621F60F65DCDC20FED69B444FD056F3CECD51B49
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity~RF1496d0.TMP		binary
		MD5:15D26FA4E16467BE658F42074AC0DBAA	SHA256:D287407BD901A32E3F38F4392984507184D596C3694FAA69DD0B2E68F9F3A8FE
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF13ce9e.TMP		binary
		MD5:50823AF426E5FA5F5641C1004F470D3E	SHA256:599163927CC9E5640C868AEDD3B0B6EC79E6513970504124E417922D8AAAB7C3
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bc		binary
		MD5:A620A68D8F00E5C4F2803E686D6F7514	SHA256:44A8F499F80F75FBD07885DBB5BDAF97BD9BE7B0B8DBC0C769960F7F6EF5E22D
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\993c7611-40ba-4757-98f3-801d5758df8d.tmp		binary
		MD5:0182A3E90D44AE385B46E762999DBA15	SHA256:D7ED0601ECCD279902DB1AB3F922A9A0E889A45E1E6D5D0F064D734C8E3F3517

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

52

TCP/UDP connections

64

DNS requests

35

Threats

2

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3256	RUXIMICS.exe	GET	200	23.216.77.38:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3484	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3080	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	188.114.97.3:443	https://suporte.camaratunapolis.sc.gov.br/ti/8.exe	unknown	executable	56.1 Mb	malicious
—	—	POST	200	40.126.31.1:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	400	40.126.31.1:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	403	23.35.229.160:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	html	382 b	whitelisted
—	—	POST	403	23.35.229.160:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	html	382 b	whitelisted
—	—	POST	403	23.35.229.160:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	html	382 b	whitelisted
—	—	GET	200	150.171.27.11:443	https://edge.microsoft.com/entityextractiontemplates/api/v1/assets/find-assets?name=edge_hub_apps_manifest_gz&version=4.10.*&channel=stable&key=d414dd4f9db345fa8003e32adc81b362	unknown	text	266 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	239.255.255.250:1900	—	—	—	whitelisted
3256	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3080	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3484	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1396	msedge.exe	188.114.96.3:443	suporte.camaratunapolis.sc.gov.br	CLOUDFLARENET	NL	suspicious
5508	svchost.exe	20.190.159.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3256	RUXIMICS.exe	23.216.77.38:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3484	svchost.exe	23.216.77.38:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3080	MoUsoCoreWorker.exe	23.216.77.38:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3256	RUXIMICS.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146 40.127.240.158	whitelisted
google.com	216.58.206.46	whitelisted
suporte.camaratunapolis.sc.gov.br	188.114.96.3 188.114.97.3	malicious
login.live.com	20.190.159.64 40.126.31.0 20.190.159.75 20.190.159.0 40.126.31.129 40.126.31.2 20.190.159.128 40.126.31.69	whitelisted
crl.microsoft.com	23.216.77.38 23.216.77.10 23.216.77.23 23.216.77.35 23.216.77.5 23.216.77.21 23.216.77.37 23.216.77.19 23.216.77.30 23.216.77.18 23.216.77.28 23.216.77.36 23.216.77.15 23.216.77.13 23.216.77.6	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
go.microsoft.com	23.35.238.131	whitelisted
www.bing.com	92.123.104.32 92.123.104.34 2.16.241.218 2.16.241.201	whitelisted
v10.events.data.microsoft.com	20.42.65.93	whitelisted
edge.microsoft.com	150.171.27.11 150.171.28.11	whitelisted

Threats

PID	Process	Class	Message
—	—	A Network Trojan was detected	ET MALWARE Single char EXE direct download likely trojan (multiple families)
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP

Add for printing

No debug info

General Info

https://suporte.camaratunapolis.sc.gov.br/ti/8.exe

63441D1ED7F67B894BA4241FB8964367

4E0B081C6B1CC37E37B388B4540B5A3727C217EC

FCE5795BF57C537CBEB6B47E53D55F8007CF9D09A43D841F75D45E12BA615235

3:N8dSmYVQL8KC0qdJn:2cmae8KC0qdJ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings