File name: Aronium.exe

Full analysis: https://app.any.run/tasks/43b86a89-205c-4ceb-86a7-3568cb6b431f
Verdict: Malicious activity
Analysis date: June 12, 2025, 17:45:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-sch
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows, 5 sections
MD5: E0A82C3C60C3816A86C15DDFD82B207F
SHA1: 3FCE674597CACD4D5D723808E997EBD295A08071
SHA256: 1AA10D4475291DBF673C796AFA6EF59A0852E332D794228F5F7FE00BA4699E7B
SSDEEP: 6144:FHpSBFGylucdTbZZagd4yQIW46AuiMkVvanHnys6b+Gmg:NQuSuUbaI4yvF6li3Vv0jPg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the login/logoff helper path in the registry

      • Aronium.exe (PID: 1132)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3672)
      • cmd.exe (PID: 6776)
    • Changes the AppInit_DLLs value (autorun option)

      • Aronium.exe (PID: 1132)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Aronium.exe (PID: 4500)
      • Aronium.exe (PID: 1132)
    • Reads the date of Windows installation

      • Aronium.exe (PID: 4500)
      • Aronium.exe (PID: 1132)
    • Application launched itself

      • Aronium.exe (PID: 4500)
    • Found strings related to reading or modifying Windows Defender settings

      • Aronium.exe (PID: 1132)
    • Starts CMD.EXE for commands execution

      • Aronium.exe (PID: 1132)
      • xdwdAntimalware Service Executable (PID: 3980)
    • Executable content was dropped or overwritten

      • Aronium.exe (PID: 1132)
  • INFO

    • Reads the computer name

      • Aronium.exe (PID: 4500)
      • Aronium.exe (PID: 1132)
      • xdwdAntimalware Service Executable (PID: 3980)
    • Checks supported languages

      • Aronium.exe (PID: 4500)
      • Aronium.exe (PID: 1132)
      • xdwdAntimalware Service Executable (PID: 3980)
    • Reads Environment values

      • Aronium.exe (PID: 4500)
      • Aronium.exe (PID: 1132)
      • xdwdAntimalware Service Executable (PID: 3980)
    • Reads the machine GUID from the registry

      • Aronium.exe (PID: 4500)
      • Aronium.exe (PID: 1132)
      • xdwdAntimalware Service Executable (PID: 3980)
    • Process checks computer location settings

      • Aronium.exe (PID: 4500)
    • Creates files in the program directory

      • Aronium.exe (PID: 1132)
    • Creates files or folders in the user directory

      • Aronium.exe (PID: 1132)
    • Launching a file from Task Scheduler

      • cmd.exe (PID: 6776)
    • Manual execution by a user

      • xdwdAntimalware Service Executable (PID: 3980)
    • Checks proxy server information

      • slui.exe (PID: 1512)
    • Reads the software policy settings

      • slui.exe (PID: 1512)
No Malware configuration.

TRiD

.exe | Win16/32 Executable Delphi generic (34.1)
.exe | Generic Win/DOS Executable (32.9)
.exe | DOS Executable Generic (32.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:08:26 21:19:29+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 48
CodeSize: 432640
InitializedDataSize: 5632
UninitializedDataSize: -
EntryPoint: 0x0000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Aronium
FileDescription: Aronium
FileVersion: 1.0.0.0
InternalName: Aronium.dll
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: Aronium.dll
ProductName: Aronium
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
Total processes: 150
Monitored processes: 16
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes, in graph order ("no specs" is the report's own annotation for that node):
start
aronium.exe (no specs)
svchost.exe
aronium.exe
cmd.exe (no specs)
conhost.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
schtasks.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
schtasks.exe (no specs)
xdwdantimalware service executable (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
schtasks.exe (no specs)
slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1132
CMD: "C:\Users\admin\Desktop\Aronium.exe"
Path: C:\Users\admin\Desktop\Aronium.exe
Parent process: Aronium.exe
User:
admin
Company:
Aronium
Integrity Level:
HIGH
Description:
Aronium
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\aronium.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1472
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1512
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2220
CMD: "CMD" /c schtasks /run /i /tn "System32"
Path: C:\Windows\System32\cmd.exe
Parent process: xdwdAntimalware Service Executable
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 2632
CMD: schtasks /create /f /sc minute /mo 30 /tn "Antimalware Service Driver" /tr "C:\Users\admin\AppData\Local\xdwdAntimalware Service Executable" /RL HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 3584
CMD: schtasks /create /f /sc minute /mo 1 /tn "System32" /tr "C:\Program Files\xdwdMalware Defender Service" /RL HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 3620
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3672
CMD: "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "System32" /tr "C:\Program Files\xdwdMalware Defender Service" /RL HIGHEST & exit
Path: C:\Windows\System32\cmd.exe
Parent process: Aronium.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 3936
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 7 928
Read events: 7 924
Write events: 4
Delete events: 0

Modification events

Process: (1132) Aronium.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Userinit
Value: C:\Windows\System32\userinit.exe,C:\Program Files\xdwdMalware Defender Service

Process: (1132) Aronium.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Operation: write
Name: AppInit_DLLs
Value: C:\WINDOWS\xdwd.dll

Process: (1132) Aronium.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Operation: write
Name: LoadAppInit_DLLs
Value: 1

Process: (1132) Aronium.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Operation: write
Name: RequireSignedAppInit_DLLs
Value: 0
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 1132
Process: Aronium.exe
Filename: C:\Program Files\xdwdMalware Defender Service
MD5:
SHA256:

PID: 1132
Process: Aronium.exe
Filename: C:\Users\admin\AppData\Local\xdwdAntimalware Service Executable
MD5:
SHA256:

PID: 1132
Process: Aronium.exe
Filename: C:\Windows\xdwd.dll
Type: executable
MD5: 16E5A492C9C6AE34C59683BE9C51FA31
SHA256: 35C8D022E1D917F1AABDCEAE98097CCC072161B302F84C768CA63E4B32AC2B66
HTTP(S) requests: 25
TCP/UDP connections: 37
DNS requests: 19
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.71:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 20.190.159.71:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted
- | - | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | POST | 200 | 20.190.159.68:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | GET | 200 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 23.9 Kb | whitelisted
4800 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4680 | RUXIMICS.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
1268 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
keyauth.win
  • 104.26.1.5
  • 172.67.72.57
  • 104.26.0.5
malicious
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.16.253.202
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
coprophile.bounceme.net
  • 0.0.0.0
unknown
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.68
  • 40.126.31.69
  • 20.190.159.0
  • 40.126.31.71
  • 20.190.159.129
  • 40.126.31.2
  • 40.126.31.67
  • 20.190.159.71
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | Potentially Bad Traffic | ET INFO KeyAuth Open-source Authentication System Domain in DNS Lookup (keyauth .win)
2200 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DNS Query to DynDNS Domain *.bounceme .net
No debug info