File name: launcher.exe

Full analysis: https://app.any.run/tasks/fa2a358e-71b2-479c-a51e-eeeae79f5e7f
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 26, 2025, 08:46:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: loader, pastebin, stealer, ms-smartcard, miner, winring0x64-sys, vuln-driver, upx, golang, susp-powershell, api-base64, wmi-base64, salatstealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 12 sections
MD5: D774B359EE8F952521FEB121E5DA2E08
SHA1: B891466D404515437CE04461FB92ED64EF236E8B
SHA256: 25CBBABD46AD4FFFB57D0E673C542D6C51AB32CB2C811C0E866BB024B3B8B77D
SSDEEP: 24576:6wYUoJ3MuSe4uQKRbGnWiHDpebGnWiHDp:6wYUU3MuSe4uQKRqWiHDpeqWiHDp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • sessionuserhost.exe (PID: 7000)
      • cmd.exe (PID: 5236)
    • Changes Windows Defender settings

      • cmd.exe (PID: 5236)
      • sessionhost.exe (PID: 7876)
      • userhost.exe (PID: 7972)
      • lxwvsyozcpiw.exe (PID: 4228)
      • ydmehmmzlokc.exe (PID: 1056)
    • Executing a file with an untrusted certificate

      • sessionhost.exe (PID: 7876)
      • userhost.exe (PID: 7972)
      • lxwvsyozcpiw.exe (PID: 4228)
      • ydmehmmzlokc.exe (PID: 1056)
    • Deletes shadow copies

      • cmd.exe (PID: 2984)
    • Starts REAGENTC.EXE to disable the Windows Recovery Environment

      • ReAgentc.exe (PID: 4776)
      • ReAgentc.exe (PID: 5328)
    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 5776)
      • cmd.exe (PID: 5124)
    • Disables task manager

      • sessionuserhost.exe (PID: 7000)
    • Disables Windows Defender

      • sessionuserhost.exe (PID: 7000)
    • Changes the autorun value in the registry

      • sessionuserhost.exe (PID: 7000)
    • Actions look like stealing of personal data

      • ApplicationFrameHost.exe (PID: 7900)
    • Adds extension to the Windows Defender exclusion list

      • sessionhost.exe (PID: 7876)
      • userhost.exe (PID: 7972)
      • lxwvsyozcpiw.exe (PID: 4228)
      • ydmehmmzlokc.exe (PID: 1056)
    • Uninstalls Malicious Software Removal Tool (MRT)

      • cmd.exe (PID: 2516)
      • cmd.exe (PID: 5552)
      • cmd.exe (PID: 776)
      • cmd.exe (PID: 5056)
    • SALATSTEALER has been detected (YARA)

      • ApplicationFrameHost.exe (PID: 7900)
    • Vulnerable driver has been detected

      • lxwvsyozcpiw.exe (PID: 4228)
    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2196)
    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 8012)
    • Runs PowerShell with an invisible window

      • powershell.exe (PID: 5624)
    • Bypasses execution policy to execute commands

      • powershell.exe (PID: 5624)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • launcher.exe (PID: 1180)
      • launcher.exe (PID: 664)
    • Starts a Microsoft application from unusual location

      • launcher.exe (PID: 1180)
      • launcher.exe (PID: 664)
    • Reads security settings of Internet Explorer

      • launcher.exe (PID: 664)
      • sessionuserhost.exe (PID: 7000)
    • Application launched itself

      • launcher.exe (PID: 1180)
      • sessionuserhost.exe (PID: 5400)
      • powershell.exe (PID: 8012)
    • The process creates files with name similar to system file names

      • launcher.exe (PID: 664)
      • sessionuserhost.exe (PID: 7000)
      • controlhost.exe (PID: 7788)
      • ApplicationFrameHost.exe (PID: 7900)
    • Potential Corporate Privacy Violation

      • launcher.exe (PID: 664)
      • sessionuserhost.exe (PID: 7000)
    • Executable content was dropped or overwritten

      • launcher.exe (PID: 664)
      • sessionuserhost.exe (PID: 7000)
      • controlhost.exe (PID: 7788)
      • ApplicationFrameHost.exe (PID: 7900)
      • sessionhost.exe (PID: 7876)
      • userhost.exe (PID: 7972)
      • lxwvsyozcpiw.exe (PID: 4228)
    • Reads the date of Windows installation

      • launcher.exe (PID: 664)
      • sessionuserhost.exe (PID: 7000)
    • Starts CMD.EXE for commands execution

      • sessionuserhost.exe (PID: 7000)
      • sessionhost.exe (PID: 7876)
      • userhost.exe (PID: 7972)
      • lxwvsyozcpiw.exe (PID: 4228)
      • ydmehmmzlokc.exe (PID: 1056)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 2852)
      • cmd.exe (PID: 4244)
      • sessionhost.exe (PID: 7876)
      • userhost.exe (PID: 7972)
      • lxwvsyozcpiw.exe (PID: 4228)
      • ydmehmmzlokc.exe (PID: 1056)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5236)
      • ApplicationFrameHost.exe (PID: 7900)
      • sessionhost.exe (PID: 7876)
      • userhost.exe (PID: 7972)
      • lxwvsyozcpiw.exe (PID: 4228)
      • ydmehmmzlokc.exe (PID: 1056)
      • powershell.exe (PID: 8012)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 5236)
      • sessionhost.exe (PID: 7876)
      • userhost.exe (PID: 7972)
      • lxwvsyozcpiw.exe (PID: 4228)
      • ydmehmmzlokc.exe (PID: 1056)
    • Creates a new Windows service

      • sc.exe (PID: 5592)
      • sc.exe (PID: 4404)
      • sc.exe (PID: 2984)
      • sc.exe (PID: 6988)
    • Executes as Windows Service

      • VSSVC.exe (PID: 5404)
      • lxwvsyozcpiw.exe (PID: 4228)
      • ydmehmmzlokc.exe (PID: 1056)
    • Starts itself from another location

      • controlhost.exe (PID: 7788)
      • ApplicationFrameHost.exe (PID: 7900)
    • Creates or modifies Windows services

      • sessionuserhost.exe (PID: 7000)
    • Modifies hosts file to alter network resolution

      • sessionuserhost.exe (PID: 7000)
    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 8012)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 8012)
    • Script adds exclusion extension to Windows Defender

      • sessionhost.exe (PID: 7876)
      • userhost.exe (PID: 7972)
      • lxwvsyozcpiw.exe (PID: 4228)
      • ydmehmmzlokc.exe (PID: 1056)
    • Manipulates environment variables

      • powershell.exe (PID: 7420)
      • powershell.exe (PID: 776)
      • powershell.exe (PID: 2104)
      • powershell.exe (PID: 6708)
    • Stops a currently running service

      • sc.exe (PID: 7688)
      • sc.exe (PID: 2612)
      • sc.exe (PID: 7816)
      • sc.exe (PID: 7784)
      • sc.exe (PID: 7968)
      • sc.exe (PID: 1452)
      • sc.exe (PID: 6436)
      • sc.exe (PID: 716)
      • sc.exe (PID: 7508)
      • sc.exe (PID: 4528)
      • sc.exe (PID: 7308)
      • sc.exe (PID: 7512)
      • sc.exe (PID: 7632)
      • sc.exe (PID: 7128)
      • sc.exe (PID: 6944)
      • sc.exe (PID: 7812)
      • sc.exe (PID: 7732)
      • sc.exe (PID: 4336)
      • sc.exe (PID: 6036)
      • sc.exe (PID: 6192)
      • sc.exe (PID: 7752)
      • sc.exe (PID: 7676)
    • Windows service management via SC.EXE

      • sc.exe (PID: 1088)
      • sc.exe (PID: 1472)
      • sc.exe (PID: 5800)
      • sc.exe (PID: 6660)
    • The process executes via Task Scheduler

      • powershell.exe (PID: 1696)
      • powershell.exe (PID: 2140)
      • powershell.exe (PID: 4748)
      • powershell.exe (PID: 7304)
    • Uses powercfg.exe to modify the power settings

      • sessionhost.exe (PID: 7876)
      • userhost.exe (PID: 7972)
      • lxwvsyozcpiw.exe (PID: 4228)
      • ydmehmmzlokc.exe (PID: 1056)
    • Process uninstalls Windows update

      • wusa.exe (PID: 1328)
      • wusa.exe (PID: 5608)
      • wusa.exe (PID: 744)
      • wusa.exe (PID: 8184)
    • There is functionality for taking screenshot (YARA)

      • ApplicationFrameHost.exe (PID: 7900)
    • Invokes assembly entry point (POWERSHELL)

      • powershell.exe (PID: 1696)
      • powershell.exe (PID: 2140)
      • powershell.exe (PID: 4748)
      • powershell.exe (PID: 7304)
    • Multiple wallet extension IDs have been found

      • ApplicationFrameHost.exe (PID: 7900)
    • Drops a system driver (possible attempt to evade defenses)

      • lxwvsyozcpiw.exe (PID: 4228)
    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2196)
  • INFO

    • Checks supported languages

      • launcher.exe (PID: 1180)
      • launcher.exe (PID: 664)
      • sessionuserhost.exe (PID: 5400)
      • sessionuserhost.exe (PID: 7000)
      • sessionhost.exe (PID: 7876)
      • controlhost.exe (PID: 7788)
      • ApplicationFrameHost.exe (PID: 7900)
      • userhost.exe (PID: 7972)
      • ApplicationFrameHost.exe (PID: 6668)
      • ApplicationFrameHost.exe (PID: 7084)
      • lxwvsyozcpiw.exe (PID: 4228)
      • ydmehmmzlokc.exe (PID: 1056)
    • The sample was compiled with English language support

      • launcher.exe (PID: 1180)
      • launcher.exe (PID: 664)
      • sessionuserhost.exe (PID: 7000)
      • sessionhost.exe (PID: 7876)
      • userhost.exe (PID: 7972)
    • Reads the computer name

      • launcher.exe (PID: 664)
      • sessionuserhost.exe (PID: 7000)
      • controlhost.exe (PID: 7788)
      • ApplicationFrameHost.exe (PID: 7900)
      • ApplicationFrameHost.exe (PID: 7084)
      • ApplicationFrameHost.exe (PID: 6668)
    • Checks proxy server information

      • launcher.exe (PID: 664)
      • sessionuserhost.exe (PID: 7000)
    • Creates files in the program directory

      • launcher.exe (PID: 664)
      • sessionuserhost.exe (PID: 7000)
      • controlhost.exe (PID: 7788)
      • ApplicationFrameHost.exe (PID: 7900)
      • sessionhost.exe (PID: 7876)
      • userhost.exe (PID: 7972)
    • Creates files or folders in the user directory

      • launcher.exe (PID: 664)
      • sessionuserhost.exe (PID: 7000)
    • Process checks computer location settings

      • launcher.exe (PID: 664)
      • sessionuserhost.exe (PID: 7000)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4224)
      • powershell.exe (PID: 8012)
      • powershell.exe (PID: 7420)
      • powershell.exe (PID: 776)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4224)
      • powershell.exe (PID: 8012)
      • powershell.exe (PID: 7420)
      • powershell.exe (PID: 776)
    • Reads the software policy settings

      • sessionuserhost.exe (PID: 7000)
    • Reads the machine GUID from the registry

      • sessionuserhost.exe (PID: 7000)
      • controlhost.exe (PID: 7788)
      • ApplicationFrameHost.exe (PID: 7900)
      • ApplicationFrameHost.exe (PID: 6668)
      • ApplicationFrameHost.exe (PID: 7084)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • ApplicationFrameHost.exe (PID: 7900)
    • Creates files in a temporary directory

      • ApplicationFrameHost.exe (PID: 7900)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 8012)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 8012)
    • Found Base64 encoded access to environment variables via PowerShell (YARA)

      • ApplicationFrameHost.exe (PID: 7900)
    • Found Base64 encoded file access via PowerShell (YARA)

      • ApplicationFrameHost.exe (PID: 7900)
    • Detects GO elliptic curve encryption (YARA)

      • ApplicationFrameHost.exe (PID: 7900)
    • Found Base64 encoded JSON usage via PowerShell (YARA)

      • ApplicationFrameHost.exe (PID: 7900)
    • Application based on Golang

      • ApplicationFrameHost.exe (PID: 7900)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • ApplicationFrameHost.exe (PID: 7900)
    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • ApplicationFrameHost.exe (PID: 7900)
    • Found Base64 encoded reference to WMI classes (YARA)

      • ApplicationFrameHost.exe (PID: 7900)
    • Found Base64 encoded access to processes via PowerShell (YARA)

      • ApplicationFrameHost.exe (PID: 7900)
    • Potential access to remote process (Base64 Encoded 'OpenProcess')

      • ApplicationFrameHost.exe (PID: 7900)
    • Potential library load (Base64 Encoded 'LoadLibrary')

      • ApplicationFrameHost.exe (PID: 7900)
    • Found Base64 encoded access to Windows Identity via PowerShell (YARA)

      • ApplicationFrameHost.exe (PID: 7900)
    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • ApplicationFrameHost.exe (PID: 7900)
    • UPX packer has been detected

      • ApplicationFrameHost.exe (PID: 7900)
    • Found Base64 encoded access to UAC via PowerShell (YARA)

      • ApplicationFrameHost.exe (PID: 7900)
    • Potential dynamic function import (Base64 Encoded 'GetProcAddress')

      • ApplicationFrameHost.exe (PID: 7900)
    • Potential remote process memory interaction (Base64 Encoded 'VirtualAllocEx')

      • ApplicationFrameHost.exe (PID: 7900)
    • Potential remote process memory writing (Base64 Encoded 'WriteProcessMemory')

      • ApplicationFrameHost.exe (PID: 7900)
    • Found Base64 encoded network access via PowerShell (YARA)

      • ApplicationFrameHost.exe (PID: 7900)
    • The sample was compiled with Japanese language support

      • lxwvsyozcpiw.exe (PID: 4228)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:04 20:54:44+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 339968
InitializedDataSize: 70656
UninitializedDataSize: -
EntryPoint: 0x3df18
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.4355
ProductVersionNumber: 10.0.19041.4355
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft Sync Center
FileVersion: 10.0.19041.4355 (WinBuild.160101.0800)
InternalName: mobsync.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: mobsync.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.4355
No data.
All screenshots are available in the full report
Total processes: 311
Monitored processes: 172
Malicious processes: 15
Suspicious processes: 10

Behavior graph

[Interactive process tree, available in the full report. The chain starts at launcher.exe and spawns sessionuserhost.exe, controlhost.exe, sessionhost.exe, userhost.exe and repeated cmd.exe / sc.exe / powershell.exe / powercfg.exe / wusa.exe / reagentc.exe / vssadmin.exe / schtasks.exe / dialer.exe children. Tagged nodes: #SALATSTEALER applicationframehost.exe, THREAT lxwvsyozcpiw.exe, ydmehmmzlokc.exe, #MINER svchost.exe.]

Process information

PID: 208
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 496
CMD: C:\WINDOWS\system32\powercfg.exe /x -hibernate-timeout-ac 0
Path: C:\Windows\System32\powercfg.exe
Parent process: userhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
PID: 656
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powercfg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 664
CMD: "C:\Users\admin\AppData\Local\Temp\launcher.exe"
Path: C:\Users\admin\AppData\Local\Temp\launcher.exe
Parent process: launcher.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Sync Center
Exit code: 0
Version: 10.0.19041.4355 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\appdata\local\temp\launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 716
CMD: C:\WINDOWS\system32\sc.exe stop wuauserv
Path: C:\Windows\System32\sc.exe
Parent process: userhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1062
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 744
CMD: wusa /uninstall /kb:890830 /quiet /norestart
Path: C:\Windows\System32\wusa.exe
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Update Standalone Installer
Exit code: 87
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID: 744
CMD: C:\WINDOWS\system32\powercfg.exe /x -hibernate-timeout-dc 0
Path: C:\Windows\System32\powercfg.exe
Parent process: ydmehmmzlokc.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
PID: 776
CMD: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: userhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 776
CMD: C:\WINDOWS\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Path: C:\Windows\System32\cmd.exe
Parent process: lxwvsyozcpiw.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Command Processor
Exit code: 87
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 776
CMD: C:\WINDOWS\system32\powercfg.exe /x -standby-timeout-ac 0
Path: C:\Windows\System32\powercfg.exe
Parent process: ydmehmmzlokc.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
Total events: 68 889
Read events: 68 782
Write events: 46
Delete events: 61

Modification events

PID 664, launcher.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

PID 664, launcher.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID 664, launcher.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID 4776, ReAgentc.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: delete key
Name: (default)
Value: (empty)

PID 4776, ReAgentc.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: write
Name: Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000

PID 4776, ReAgentc.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation: delete key
Name: (default)
Value: (empty)

PID 4776, ReAgentc.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation: write
Name: Element
Value: \EFI\Microsoft\Boot\bootmgfw.efi

PID 4776, ReAgentc.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation: delete key
Name: (default)
Value: (empty)

PID 4776, ReAgentc.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation: write
Name: Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000

PID 4776, ReAgentc.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation: delete key
Name: (default)
Value: (empty)
Executable files: 17
Suspicious files: 12
Text files: 38
Unknown types: 0

Dropped files

PID | Process | Filename | Type

4776 | ReAgentc.exe | C:\Windows\System32\Recovery\Winre.wim |
MD5:
SHA256:

664 | launcher.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\ef2f38b19a54318e7da3f8085279eda3fe267edcad90798e268abe020687046f7363f3db7d88b6f9[1] | executable
MD5: 1D3C63150A4BD51070A87CABD5BC8A35
SHA256: BEFCE08D63D99CB9697AE37A487D91C175A576DAD115FEAB48ECCB383D434FEB

664 | launcher.exe | C:\ProgramData\sessionuserhost.exe | executable
MD5: 1D3C63150A4BD51070A87CABD5BC8A35
SHA256: BEFCE08D63D99CB9697AE37A487D91C175A576DAD115FEAB48ECCB383D434FEB

4224 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_04wldqiy.iy0.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

4224 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jpulnyln.bz3.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

7000 | sessionuserhost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\RfEfXv2A[1].txt | binary
MD5: 821C148C7C6E6955BB67A43369597923
SHA256: B7E88157F735A0030DEF611DA71893503C08D5EC06702D3BD4C7837909704960

7000 | sessionuserhost.exe | C:\ProgramData\config.json | binary
MD5: 821C148C7C6E6955BB67A43369597923
SHA256: B7E88157F735A0030DEF611DA71893503C08D5EC06702D3BD4C7837909704960

7000 | sessionuserhost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\6adc1e14c896571371bc6e1c4f7763c7dd67d22a0fa376726207bab855d42dfae89552cc17559ca3[1] | executable
MD5: A9685E8B7A75C33CD5493E2AC0EBA44A
SHA256: FE7A972A8066772AF8933EF066BDD6088ACF59EC2DFFF0AF591175195418613D

7000 | sessionuserhost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\562c49e27f7a7477a95dd6395b5c40c92bdd2d5db251a59e06ccdee1da5b56ffc59c77d8a220e991[1] | executable
MD5: B839AB181E21330402E79B5596485221
SHA256: 816BFD1772B6EAC091826E530A2D155D8F15E28A2BF2A4B6BCAE37F0A2B7346E

4224 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: 3EF7CD7047E4F8F41E142E68F00D62F0
SHA256: 6DAC8A4360374A1E7495D839C7BAE005F2932AF6680F15F7BA07DF2759D31B2D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 14
TCP/UDP connections: 49
DNS requests: 24
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 868 b | whitelisted
5796 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 868 b | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted
664 | launcher.exe | GET | 200 | 104.21.48.1:80 | http://uffyaa.ru/PacketgeoDbbaseFlowerDatalifeLocalpublicDownloads/ef2f38b19a54318e7da3f8085279eda3fe267edcad90798e268abe020687046f7363f3db7d88b6f9 | unknown | executable | 1.32 Mb | malicious
7468 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | DE | binary | 419 b | whitelisted
7468 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | DE | binary | 407 b | whitelisted
7000 | sessionuserhost.exe | GET | 200 | 142.250.185.195:80 | http://c.pki.goog/r/r4.crl | US | binary | 530 b | whitelisted
7000 | sessionuserhost.exe | GET | 200 | 142.250.185.195:80 | http://c.pki.goog/r/gsr1.crl | US | binary | 1.70 Kb | whitelisted
7000 | sessionuserhost.exe | GET | 200 | 104.21.48.1:80 | http://uffyaa.ru/PacketgeoDbbaseFlowerDatalifeLocalpublicDownloads/6adc1e14c896571371bc6e1c4f7763c7dd67d22a0fa376726207bab855d42dfae89552cc17559ca3 | unknown | executable | 2.75 Mb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
6456 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5796 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5796 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
664 | launcher.exe | 104.21.48.1:80 | uffyaa.ru | CLOUDFLARENET | | malicious
6544 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.124.78.146 | whitelisted
crl.microsoft.com | 23.216.77.6, 23.216.77.28 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
google.com | 142.250.186.46 | whitelisted
uffyaa.ru | 104.21.48.1, 104.21.112.1, 104.21.64.1, 104.21.32.1, 104.21.96.1, 104.21.16.1, 104.21.80.1 | malicious
login.live.com | 20.190.159.75, 40.126.31.128, 20.190.159.4, 40.126.31.67, 40.126.31.0, 40.126.31.129, 20.190.159.68, 40.126.31.131 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted

Threats

PID | Process | Class | Message
664 | launcher.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
7000 | sessionuserhost.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
7000 | sessionuserhost.exe | Misc activity | ET INFO Packed Executable Download
2196 | svchost.exe | Crypto Currency Mining Activity Detected | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
No debug info