URL:

https://github.com/nxllone/Auto-MoonSec-v3-Dumper/releases/download/Lua/downloaded_file.zip

Full analysis: https://app.any.run/tasks/6f2df5f0-efef-4df4-8038-8a2471a45a16
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Analysis date: October 02, 2024, 09:11:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
miner
Indicators:
MD5:

3407C3DE10861E1CCC83F9D672DBC930

SHA1:

9368280654566252C833A728F201107A00F4E13E

SHA256:

19FF216A508A8D2DADE43DC1B7A2040C716B09EF614B06BA84396A1EAEFF92FF

SSDEEP:

3:N8tEd79K0ScXuJAE2kC+o4sBo9YV:2uv8FJArA9YV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds extension to the Windows Defender exclusion list

      • sigmahacks2.0.exe (PID: 4712)
      • elzltdtrkrql.exe (PID: 5976)
    • Application was injected by another process

      • dwm.exe (PID: 852)
      • svchost.exe (PID: 476)
      • winlogon.exe (PID: 684)
      • lsass.exe (PID: 768)
      • svchost.exe (PID: 1200)
      • svchost.exe (PID: 1036)
      • svchost.exe (PID: 1364)
      • svchost.exe (PID: 1208)
      • svchost.exe (PID: 1272)
      • svchost.exe (PID: 1588)
      • svchost.exe (PID: 1600)
      • svchost.exe (PID: 1472)
      • svchost.exe (PID: 1628)
      • svchost.exe (PID: 1408)
      • svchost.exe (PID: 1620)
      • svchost.exe (PID: 1316)
      • svchost.exe (PID: 2344)
      • svchost.exe (PID: 2160)
      • svchost.exe (PID: 2496)
      • svchost.exe (PID: 2412)
      • svchost.exe (PID: 2256)
      • svchost.exe (PID: 2312)
      • svchost.exe (PID: 2304)
      • svchost.exe (PID: 2184)
      • spoolsv.exe (PID: 2592)
      • svchost.exe (PID: 2996)
      • svchost.exe (PID: 2692)
      • svchost.exe (PID: 3020)
      • svchost.exe (PID: 3012)
      • svchost.exe (PID: 1508)
      • svchost.exe (PID: 1816)
      • svchost.exe (PID: 1796)
      • svchost.exe (PID: 1872)
      • svchost.exe (PID: 2072)
      • svchost.exe (PID: 2000)
      • svchost.exe (PID: 1864)
      • svchost.exe (PID: 3056)
      • svchost.exe (PID: 2968)
      • svchost.exe (PID: 3340)
      • svchost.exe (PID: 3084)
      • svchost.exe (PID: 3260)
      • svchost.exe (PID: 3304)
      • svchost.exe (PID: 3548)
      • dasHost.exe (PID: 3692)
      • svchost.exe (PID: 3220)
      • svchost.exe (PID: 3496)
      • svchost.exe (PID: 4140)
      • svchost.exe (PID: 4184)
      • sihost.exe (PID: 4112)
      • svchost.exe (PID: 4300)
      • svchost.exe (PID: 3888)
      • svchost.exe (PID: 3408)
      • svchost.exe (PID: 4332)
      • svchost.exe (PID: 2788)
      • OfficeClickToRun.exe (PID: 2656)
      • svchost.exe (PID: 3200)
      • ctfmon.exe (PID: 4356)
      • MoUsoCoreWorker.exe (PID: 2120)
      • RuntimeBroker.exe (PID: 4244)
      • svchost.exe (PID: 4808)
      • svchost.exe (PID: 4324)
      • RuntimeBroker.exe (PID: 776)
      • dllhost.exe (PID: 3312)
      • svchost.exe (PID: 5416)
      • UserOOBEBroker.exe (PID: 2744)
      • RuntimeBroker.exe (PID: 5560)
      • ApplicationFrameHost.exe (PID: 4052)
      • svchost.exe (PID: 5236)
      • svchost.exe (PID: 4000)
      • svchost.exe (PID: 1824)
      • svchost.exe (PID: 4532)
      • explorer.exe (PID: 4552)
      • dllhost.exe (PID: 5568)
      • uhssvc.exe (PID: 536)
      • svchost.exe (PID: 5996)
      • svchost.exe (PID: 6052)
      • svchost.exe (PID: 2520)
      • svchost.exe (PID: 5940)
      • svchost.exe (PID: 2956)
      • svchost.exe (PID: 6360)
      • svchost.exe (PID: 2208)
      • svchost.exe (PID: 2476)
      • svchost.exe (PID: 5036)
      • dllhost.exe (PID: 4996)
      • svchost.exe (PID: 5256)
      • WmiPrvSE.exe (PID: 5112)
      • svchost.exe (PID: 6284)
      • WmiPrvSE.exe (PID: 6336)
      • svchost.exe (PID: 6852)
      • RuntimeBroker.exe (PID: 4668)
      • svchost.exe (PID: 2580)
      • taskhostw.exe (PID: 2088)
      • svchost.exe (PID: 5244)
    • Runs injected code in another process

      • dialer.exe (PID: 5632)
      • dialer.exe (PID: 5104)
    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2256)
      • dialer.exe (PID: 5164)
    • Connects to the CnC server

      • dialer.exe (PID: 5164)
  • SUSPICIOUS

    • Script adds exclusion path to Windows Defender

      • sigmahacks2.0.exe (PID: 4712)
      • elzltdtrkrql.exe (PID: 5976)
    • Powershell scripting: start process

      • sigmahacks2.0.exe (PID: 5164)
    • Starts POWERSHELL.EXE for commands execution

      • sigmahacks2.0.exe (PID: 5164)
      • sigmahacks2.0.exe (PID: 4712)
      • elzltdtrkrql.exe (PID: 5976)
    • Script adds exclusion extension to Windows Defender

      • sigmahacks2.0.exe (PID: 4712)
      • elzltdtrkrql.exe (PID: 5976)
    • Starts CMD.EXE for commands execution

      • sigmahacks2.0.exe (PID: 4712)
      • elzltdtrkrql.exe (PID: 5976)
    • Starts SC.EXE for service management

      • sigmahacks2.0.exe (PID: 4712)
    • Uses powercfg.exe to modify the power settings

      • sigmahacks2.0.exe (PID: 4712)
      • elzltdtrkrql.exe (PID: 5976)
    • Process uninstalls Windows update

      • wusa.exe (PID: 5476)
      • wusa.exe (PID: 5068)
    • Executes as Windows Service

      • elzltdtrkrql.exe (PID: 5976)
    • Executable content was dropped or overwritten

      • sigmahacks2.0.exe (PID: 4712)
      • elzltdtrkrql.exe (PID: 5976)
    • Drops a system driver (possible attempt to evade defenses)

      • elzltdtrkrql.exe (PID: 5976)
    • Crypto Currency Mining Activity Detected

      • dialer.exe (PID: 5164)
      • svchost.exe (PID: 2256)
    • Potential Corporate Privacy Violation

      • dialer.exe (PID: 5164)
  • INFO

    • Manual execution by a user

      • sigmahacks2.0.exe (PID: 5164)
    • Creates files in the program directory

      • MoUsoCoreWorker.exe (PID: 2120)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4552)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3276)
    • Application launched itself

      • chrome.exe (PID: 6364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
192
Monitored processes
148
Malicious processes
99
Suspicious processes
1


Process information

PID:
240
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
476
CMD:
C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSM
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
PID:
512
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powercfg.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
536
CMD:
"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"
Path:
C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Update Health Service
Version:
10.0.19041.3626 (WinBuild.160101.0800)
Modules
Images
c:\program files\microsoft update health tools\uhssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
PID:
684
CMD:
winlogon.exe
Path:
C:\Windows\System32\winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID:
752
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powercfg.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
768
CMD:
C:\WINDOWS\system32\lsass.exe
Path:
C:\Windows\System32\lsass.exe
Parent process:
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
PID:
776
CMD:
C:\Windows\System32\RuntimeBroker.exe -Embedding
Path:
C:\Windows\System32\RuntimeBroker.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Runtime Broker
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runtimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
PID:
852
CMD:
"dwm.exe"
Path:
C:\Windows\System32\dwm.exe
Parent process:
winlogon.exe
User:
DWM-1
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Desktop Window Manager
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
884
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powercfg.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
48 653
Read events
47 647
Write events
558
Delete events
448

Modification events

(PID) Process:
(1316) svchost.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C2AF3602-9179-4BAE-85B3-74A4EF5CF51F}
Operation:
write
Name:
DynamicInfo
Value:
03000000BDCB09F80A59DA0160E3C610AB14DB0100000000000000001CB00A14AB14DB01

(PID) Process:
(4552) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:
write
Name:
CheckSetting
Value:
23004100430042006C006F00620000000000000000000000010000008C00000000000000

(PID) Process:
(4552) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000190068
Operation:
write
Name:
VirtualDesktop
Value:
1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

(PID) Process:
(4552) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppBadgeUpdated
Operation:
write
Name:
Chrome
Value:
6

(PID) Process:
(6364) chrome.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:
write
Name:
failed_count
Value:
0

(PID) Process:
(6364) chrome.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:
write
Name:
state
Value:
2

(PID) Process:
(6364) chrome.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:
write
Name:
state
Value:
1

(PID) Process:
(6364) chrome.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:
write
Name:
user_experience_metrics.stability.exited_cleanly
Value:
0

(PID) Process:
(6364) chrome.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:
write
Name:
usagestats
Value:
0

(PID) Process:
(5236) svchost.exe
Key:
\REGISTRY\A\{86337897-999e-fb05-e6d0-f7eb349132bc}\Root\InventoryDevicePnp
Operation:
write
Name:
WritePermissionsCheck
Value:
1
Executable files
4
Suspicious files
117
Text files
46
Unknown types
5

Dropped files

PID:
6364
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF3f5541.TMP

PID:
6364
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old

PID:
6364
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF3f5551.TMP

PID:
6364
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF3f5551.TMP

PID:
6364
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old

PID:
6364
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF3f5561.TMP

PID:
6364
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old

PID:
6364
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old

PID:
6364
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF3f5570.TMP

PID:
6364
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
55
DNS requests
28
Threats
4

HTTP requests

PID:
3588
Process:
svchost.exe
Method:
GET
HTTP Code:
200
IP:
184.30.21.171:80
URL:
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN:
unknown
Reputation:
whitelisted

PID:
5996
Process:
svchost.exe
Method:
GET
HTTP Code:
200
IP:
192.229.221.95:80
URL:
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN:
unknown
Reputation:
whitelisted

PID:
1144
Process:
SIHClient.exe
Method:
GET
HTTP Code:
200
IP:
184.30.21.171:80
URL:
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
CN:
unknown
Reputation:
whitelisted

PID:
1144
Process:
SIHClient.exe
Method:
GET
HTTP Code:
200
IP:
184.30.21.171:80
URL:
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
CN:
unknown
Reputation:
whitelisted

PID:
2620
Process:
backgroundTaskHost.exe
Method:
GET
HTTP Code:
200
IP:
192.229.221.95:80
URL:
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
CN:
unknown
Reputation:
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

IP:
4.231.128.59:443
Domain:
settings-win.data.microsoft.com
ASN:
MICROSOFT-CORP-MSN-AS-BLOCK
CN:
IE
Reputation:
whitelisted

PID:
4
Process:
System
IP:
192.168.100.255:137
Reputation:
whitelisted

PID:
3588
Process:
svchost.exe
IP:
184.30.21.171:80
Domain:
www.microsoft.com
ASN:
AKAMAI-AS
CN:
DE
Reputation:
whitelisted

PID:
3888
Process:
svchost.exe
IP:
239.255.255.250:1900
Reputation:
whitelisted

PID:
6364
Process:
chrome.exe
IP:
239.255.255.250:1900
Reputation:
whitelisted

PID:
6524
Process:
chrome.exe
IP:
140.82.121.4:443
Domain:
github.com
ASN:
GITHUB
CN:
US
Reputation:
shared

PID:
4
Process:
System
IP:
192.168.100.255:138
Reputation:
whitelisted

PID:
6524
Process:
chrome.exe
IP:
64.233.167.84:443
Domain:
accounts.google.com
ASN:
GOOGLE
CN:
US
Reputation:
whitelisted

PID:
6524
Process:
chrome.exe
IP:
185.199.110.133:443
Domain:
objects.githubusercontent.com
ASN:
FASTLY
CN:
US
Reputation:
shared

PID:
6524
Process:
chrome.exe
IP:
142.250.184.228:443
Domain:
www.google.com
ASN:
GOOGLE
CN:
US
Reputation:
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 52.167.17.97
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.238
whitelisted
github.com
  • 140.82.121.4
shared
accounts.google.com
  • 64.233.167.84
whitelisted
objects.githubusercontent.com
  • 185.199.110.133
  • 185.199.108.133
  • 185.199.109.133
  • 185.199.111.133
shared
www.google.com
  • 142.250.184.228
whitelisted
sb-ssl.google.com
  • 142.250.184.206
whitelisted
login.live.com
  • 40.126.32.140
  • 40.126.32.134
  • 20.190.160.20
  • 20.190.160.17
  • 40.126.32.138
  • 40.126.32.72
  • 20.190.160.22
  • 40.126.32.136
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

Class:
Crypto Currency Mining Activity Detected
Message:
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)

Class:
Potential Corporate Privacy Violation
Message:
ET POLICY Cryptocurrency Miner Checkin

Class:
Potential Corporate Privacy Violation
Message:
ET POLICY Cryptocurrency Miner Checkin
1 ETPRO signatures available at the full report
No debug info