File name:

SecuriteInfo.com.Win64.MalwareX-gen.9756.19322

Full analysis: https://app.any.run/tasks/cd113be0-1f12-4761-a0b3-49029de338c5
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: May 16, 2025, 16:07:33
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-sch
auto-reg
evasion
antivm
miner
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

4EDFA1364A6E703A3DE2F73DA22841C3

SHA1:

F90A1153F8D788A12A99F6D6BC36AB11382D3917

SHA256:

27E23AB71F60E78FB0705F42134EDC4F0E6B99B9F0C82A8238D59DBCDE2C7D14

SSDEEP:

12288:ywyAODLmjIskG3GhJL6SCpchCpNLCI+XgVs33yrES9JRDkltrU:ywyAObskG3GhJLWeC7eiwS/RDcU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Adds process to the Windows Defender exclusion list

      • WinTemp-v4.exe (PID: 7248)

    • Known privilege escalation attack

      • dllhost.exe (PID: 7196)

    • Changes Windows Defender settings

      • WinTemp-v4.exe (PID: 7248)

    • Uses Task Scheduler to autorun other applications

      • WinTemp-v4.exe (PID: 7248)

    • Starts REAGENTC.EXE to disable the Windows Recovery Environment

      • ReAgentc.exe (PID: 7084)

    • Changes the autorun value in the registry

      • WinTemp-v4.exe (PID: 7248)

    • MINER has been detected (SURICATA)

      • cmd.exe (PID: 8172)
      • cmd.exe (PID: 1748)

    • Connects to the CnC server

      • cmd.exe (PID: 8172)
      • cmd.exe (PID: 1748)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 8156)
      • powershell.exe (PID: 6192)

    • Application was injected by another process

      • winlogon.exe (PID: 6648)
      • svchost.exe (PID: 1044)
      • svchost.exe (PID: 1232)
      • svchost.exe (PID: 1552)
      • svchost.exe (PID: 2292)
      • svchost.exe (PID: 468)
      • svchost.exe (PID: 1260)
      • lsass.exe (PID: 756)
      • svchost.exe (PID: 1252)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 1904)
      • svchost.exe (PID: 2624)
      • svchost.exe (PID: 1988)
      • svchost.exe (PID: 1892)
      • svchost.exe (PID: 1352)
      • svchost.exe (PID: 1288)
      • svchost.exe (PID: 2172)
      • svchost.exe (PID: 2544)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 2196)
      • svchost.exe (PID: 2396)
      • svchost.exe (PID: 1444)
      • svchost.exe (PID: 2448)
      • svchost.exe (PID: 1416)
      • dasHost.exe (PID: 3012)
      • svchost.exe (PID: 3184)
      • svchost.exe (PID: 3084)
      • OfficeClickToRun.exe (PID: 3112)
      • svchost.exe (PID: 3812)
      • svchost.exe (PID: 2920)
      • svchost.exe (PID: 3216)
      • svchost.exe (PID: 2776)
      • spoolsv.exe (PID: 2732)
      • svchost.exe (PID: 2536)
      • svchost.exe (PID: 1652)
      • svchost.exe (PID: 2068)
      • svchost.exe (PID: 2584)
      • svchost.exe (PID: 3196)
      • svchost.exe (PID: 3232)
      • svchost.exe (PID: 3860)
      • svchost.exe (PID: 3104)
      • svchost.exe (PID: 3284)
      • svchost.exe (PID: 2880)
      • svchost.exe (PID: 4508)
      • svchost.exe (PID: 2932)
      • svchost.exe (PID: 1572)
      • svchost.exe (PID: 3564)
      • svchost.exe (PID: 2112)
      • MoUsoCoreWorker.exe (PID: 5496)
      • svchost.exe (PID: 6608)
      • dwm.exe (PID: 6568)
      • svchost.exe (PID: 4292)
      • svchost.exe (PID: 6024)
      • sihost.exe (PID: 4984)
      • svchost.exe (PID: 1772)
      • explorer.exe (PID: 5492)
      • svchost.exe (PID: 4952)
      • svchost.exe (PID: 2996)
      • svchost.exe (PID: 860)
      • uhssvc.exe (PID: 648)
      • RuntimeBroker.exe (PID: 6160)
      • svchost.exe (PID: 1684)
      • RuntimeBroker.exe (PID: 1036)
      • svchost.exe (PID: 3956)
      • RuntimeBroker.exe (PID: 5368)
      • ctfmon.exe (PID: 956)
      • svchost.exe (PID: 4348)
      • svchost.exe (PID: 4684)
      • svchost.exe (PID: 4916)
      • UserOOBEBroker.exe (PID: 1248)
      • audiodg.exe (PID: 6168)
      • svchost.exe (PID: 1524)
      • svchost.exe (PID: 1792)
      • svchost.exe (PID: 2616)
      • svchost.exe (PID: 7036)
      • svchost.exe (PID: 5592)
      • ApplicationFrameHost.exe (PID: 6952)
      • WmiPrvSE.exe (PID: 8020)
      • svchost.exe (PID: 7844)
      • svchost.exe (PID: 6544)
      • svchost.exe (PID: 6180)
      • WmiPrvSE.exe (PID: 7872)
      • svchost.exe (PID: 7984)
      • svchost.exe (PID: 4312)
      • svchost.exe (PID: 4544)

    • Runs injected code in another process

      • powershell.exe (PID: 8156)
      • rHAGKQaf.exe (PID: 6148)
      • powershell.exe (PID: 6192)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • SecuriteInfo.com.Win64.MalwareX-gen.9756.19322.exe (PID: 2140)
      • WinTemp-v4.exe (PID: 7248)
      • svchost.exe (PID: 6828)

    • Script adds exclusion path to Windows Defender

      • WinTemp-v4.exe (PID: 7248)

    • Script adds exclusion process to Windows Defender

      • WinTemp-v4.exe (PID: 7248)

    • Starts POWERSHELL.EXE for commands execution

      • WinTemp-v4.exe (PID: 7248)
      • cmd.exe (PID: 5868)
      • cmd.exe (PID: 8148)

    • There is functionality for VM detection VirtualBox (YARA)

      • WinTemp-v4.exe (PID: 7248)

    • There is functionality for VM detection VMWare (YARA)

      • WinTemp-v4.exe (PID: 7248)

    • Starts CMD.EXE for commands execution

      • WinTemp-v4.exe (PID: 7248)

    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 4120)

    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 4068)
      • cmd.exe (PID: 1180)

    • Uses powercfg.exe to modify the power settings

      • WinTemp-v4.exe (PID: 7248)

    • Executes application which crashes

      • Win-v42.exe (PID: 7212)
      • Win-v43.exe (PID: 4488)
      • Win-v41.exe (PID: 5892)
      • Win-v41.exe (PID: 5344)

    • Reads security settings of Internet Explorer

      • WinTemp-v4.exe (PID: 7248)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • WinTemp-v4.exe (PID: 7248)

    • Connects to unusual port

      • WinTemp-v4.exe (PID: 7248)
      • cmd.exe (PID: 8172)
      • cmd.exe (PID: 1748)

    • Potential Corporate Privacy Violation

      • cmd.exe (PID: 8172)
      • cmd.exe (PID: 1748)

    • Invokes assembly entry point (POWERSHELL)

      • powershell.exe (PID: 8156)
      • powershell.exe (PID: 6192)

    • Executes as Windows Service

      • cmd.exe (PID: 5868)
      • cmd.exe (PID: 8148)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 5868)
      • cmd.exe (PID: 8148)

    • Hides command output

      • cmd.exe (PID: 7244)

  • INFO

    • Reads the software policy settings

      • lsass.exe (PID: 756)
      • WinTemp-v4.exe (PID: 7248)
      • slui.exe (PID: 7484)

    • Creates files in the program directory

      • MoUsoCoreWorker.exe (PID: 5496)
      • svchost.exe (PID: 7844)

    • Reads the machine GUID from the registry

      • SecuriteInfo.com.Win64.MalwareX-gen.9756.19322.exe (PID: 2140)
      • WinTemp-v4.exe (PID: 7248)

    • Create files in a temporary directory

      • SecuriteInfo.com.Win64.MalwareX-gen.9756.19322.exe (PID: 2140)
      • WinTemp-v4.exe (PID: 7248)
      • svchost.exe (PID: 6828)

    • Reads the time zone

      • MoUsoCoreWorker.exe (PID: 5496)
      • WmiPrvSE.exe (PID: 8020)

    • Checks supported languages

      • WinTemp-v4.exe (PID: 7248)
      • Win-v42.exe (PID: 7212)
      • SecuriteInfo.com.Win64.MalwareX-gen.9756.19322.exe (PID: 2140)
      • Win-v43.exe (PID: 4488)
      • uhssvc.exe (PID: 648)
      • Win-v41.exe (PID: 5892)
      • rHAGKQaf.exe (PID: 6148)
      • Win-v41.exe (PID: 5344)

    • Checks transactions between databases Windows and Oracle

      • SecuriteInfo.com.Win64.MalwareX-gen.9756.19322.exe (PID: 2140)

    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 7196)
      • winlogon.exe (PID: 6648)

    • Reads the computer name

      • SecuriteInfo.com.Win64.MalwareX-gen.9756.19322.exe (PID: 2140)
      • rHAGKQaf.exe (PID: 6148)
      • WinTemp-v4.exe (PID: 7248)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7280)
      • powershell.exe (PID: 8116)
      • powershell.exe (PID: 7944)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7280)
      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 8116)

    • Auto-launch of the file from Registry key

      • WinTemp-v4.exe (PID: 7248)

    • Manual execution by a user

      • Win-v42.exe (PID: 7212)
      • Win-v43.exe (PID: 4488)

    • Checks proxy server information

      • WinTemp-v4.exe (PID: 7248)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 8048)
      • WinTemp-v4.exe (PID: 7248)
      • WerFault.exe (PID: 5112)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 8156)
      • powershell.exe (PID: 6192)

    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 3112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:16 13:39:48+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 286208
InitializedDataSize: 127488
UninitializedDataSize: -
EntryPoint: 0x1e580
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
202
Monitored processes
148
Malicious processes
11
Suspicious processes
85

Behavior graph

Click at the process to see the details
start securiteinfo.com.win64.malwarex-gen.9756.19322.exe CMSTPLUA wintemp-v4.exe powershell.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe wmiprvse.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reagentc.exe no specs cmd.exe no specs conhost.exe no specs takeown.exe no specs cmd.exe no specs conhost.exe no specs icacls.exe no specs cmd.exe no specs conhost.exe no specs icacls.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs win-v42.exe cmd.exe no specs svchost.exe conhost.exe no specs ping.exe no specs werfault.exe no specs wmiprvse.exe svchost.exe win-v43.exe werfault.exe no specs #MINER cmd.exe svchost.exe no specs cmd.exe no specs powershell.exe no specs conhost.exe no specs win-v41.exe no specs werfault.exe no specs svchost.exe rhagkqaf.exe no specs #MINER cmd.exe svchost.exe no specs cmd.exe no specs powershell.exe no specs conhost.exe no specs win-v41.exe no specs werfault.exe no specs slui.exe no specs svchost.exe uhssvc.exe lsass.exe svchost.exe ctfmon.exe runtimebroker.exe svchost.exe svchost.exe useroobebroker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dashost.exe svchost.exe svchost.exe officeclicktorun.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe sihost.exe runtimebroker.exe explorer.exe mousocoreworker.exe svchost.exe svchost.exe runtimebroker.exe audiodg.exe svchost.exe svchost.exe dwm.exe svchost.exe winlogon.exe applicationframehost.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
468C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSMC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
648"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Update Health Service
Version:
10.0.19041.3626 (WinBuild.160101.0800)
Modules
Images
c:\program files\microsoft update health tools\uhssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
756C:\WINDOWS\system32\lsass.exeC:\Windows\System32\lsass.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
856C:\WINDOWS\system32\WerFault.exe -u -p 5344 -s 424C:\Windows\System32\WerFault.exeWin-v41.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
860C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvcC:\Windows\System32\svchost.exe
services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
956"ctfmon.exe"C:\Windows\System32\ctfmon.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CTF Loader
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1012\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowercfg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1036C:\Windows\System32\RuntimeBroker.exe -EmbeddingC:\Windows\System32\RuntimeBroker.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Runtime Broker
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runtimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
1044C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
1128icacls "C:\WINDOWS\System32\reagentc.exe" /grant Administrators:FC:\Windows\System32\icacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
52 978
Read events
52 433
Write events
304
Delete events
241

Modification events

(PID) Process:(2996) svchost.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Operation:writeName:C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Win64.MalwareX-gen.9756.19322.exe
Value:
5341435001000000000000000700000028000000003806000000000001000000000000000000000A7322000050BB64EDDDACD5010000000000000000
(PID) Process:(5496) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator
Operation:delete valueName:EnhancedShutdownEnabled
Value:
(PID) Process:(5496) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator
Operation:writeName:ShutdownFlyoutOptions
Value:
0
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator
Operation:writeName:Preshutdown
Value:
0
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
23004100430042006C006F0062000000000000000000000001000000FFFFFFFFFFFF0000
(PID) Process:(1260) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator
Operation:writeName:SD
Value:
0100049C5C000000680000000000000014000000020048000300000000001400FF011F0001010000000000051200000000001400A900120001010000000000051300000000001800A900120001020000000000052000000020020000010100000000000512000000010100000000000512000000
(PID) Process:(1260) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Work
Operation:writeName:Index
Value:
3
(PID) Process:(1260) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2ABBBFFC-6D6B-4B2E-8A8A-41ECCF29EE97}
Operation:writeName:Hash
Value:
3B6EE4045D97AA11A9FAE50DB375B526D55466B9856CF232E0B3DDF845CC6602
(PID) Process:(1260) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2ABBBFFC-6D6B-4B2E-8A8A-41ECCF29EE97}
Operation:writeName:Schema
Value:
65538
(PID) Process:(1260) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2ABBBFFC-6D6B-4B2E-8A8A-41ECCF29EE97}
Operation:delete valueName:Version
Value:
Executable files
10
Suspicious files
68
Text files
28
Unknown types
0

Dropped files

PID
Process
Filename
Type
2140SecuriteInfo.com.Win64.MalwareX-gen.9756.19322.exeC:\Users\admin\AppData\Local\Temp\WinTemp-v4.exeexecutable
MD5:1DC65FB49C90452010D168A6BEA94B24
SHA256:D1AD67B9E6280F547F910A0D69BD37FAFED81E77FB0F8C1139869E18575D35E9
1260svchost.exeC:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Workxml
MD5:4838EE953DAB2C7A1BF57E0C6620A79D
SHA256:22C798E00C4793749EAC39CFB6EA3DD75112FD4453A3706E839038A64504D45D
7280powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0wfuuprv.c5u.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1772svchost.exeC:\Windows\Prefetch\HOST.EXE-F5D74C61.pfbinary
MD5:BE199C1583011C8B566272CA63E06F2B
SHA256:02ACD7EDE45BE0F222511D86986FAC3356D73C03C20C5C10D352388F2EAA4261
6544svchost.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776binary
MD5:6D863CF16994A4802B22D180E11EDF04
SHA256:CCFA34A0AE32BC9619785F148FCE10003BCD386732CED1FFCAD7AD1E81736CDD
1772svchost.exeC:\Windows\Prefetch\TASKHOSTW.EXE-3E0B74C8.pfbinary
MD5:235A95D61A810CB63E64A805731C4D33
SHA256:2D6A964368DCA70FFB2589A8AF93FB9461CBE1B821F0871CCA0FA79E8F2AA61E
1772svchost.exeC:\Windows\Prefetch\DLLHOST.EXE-B5657A49.pfbinary
MD5:FD4D1A6D173C33A32A4D81D0D4DA606E
SHA256:B3D7CBCA1AF8181CD9DA73DF3250613C8D0A57FFBF99F4C7963458B8A4278081
6544svchost.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776binary
MD5:6EB70917271BF7C528F37D54C34D089A
SHA256:792E17664C51684044CEA44F1AE241AD8719794B7A80F40D0325F284DBB58C2A
756lsass.exeC:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferredbinary
MD5:EAB5D33C9A3F7F1182A4DAEB789BCD70
SHA256:CC83666BD5F2FD00A4C10592308B7ADCC7A4C3B5145C4F60F660BDB8338D485E
7280powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pnbnwtba.4up.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
30
DNS requests
17
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
8024
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8024
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7248
WinTemp-v4.exe
GET
200
184.24.77.75:80
http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgXMGY89pMuzzKguSgn6fJ%2F%2BKg%3D%3D
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7248
WinTemp-v4.exe
GET
200
69.192.161.44:80
http://x1.c.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6480
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.12
  • 23.216.77.19
  • 23.216.77.21
  • 23.216.77.18
  • 23.216.77.43
  • 23.216.77.5
  • 23.216.77.7
  • 23.216.77.13
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.128
  • 20.190.159.73
  • 20.190.159.128
  • 20.190.159.68
  • 40.126.31.2
  • 40.126.31.0
  • 40.126.31.130
  • 40.126.31.129
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
xai830k.com
  • 152.89.61.96
malicious
x1.c.lencr.org
  • 69.192.161.44
whitelisted
r11.o.lencr.org
  • 184.24.77.75
  • 184.24.77.56
  • 184.24.77.62
  • 184.24.77.54
  • 184.24.77.48
  • 184.24.77.52
  • 184.24.77.53
  • 184.24.77.46
whitelisted

Threats

PID
Process
Class
Message
7248
WinTemp-v4.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 5
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
7248
WinTemp-v4.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
8172
cmd.exe
Potential Corporate Privacy Violation
ET INFO Cryptocurrency Miner Checkin
8172
cmd.exe
Potential Corporate Privacy Violation
ET INFO Cryptocurrency Miner Checkin
1748
cmd.exe
Potential Corporate Privacy Violation
ET INFO Cryptocurrency Miner Checkin
1748
cmd.exe
Potential Corporate Privacy Violation
ET INFO Cryptocurrency Miner Checkin
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SecuriteInfo.com.Win64.MalwareX-gen.9756.19322