File name: WINSTA.dll

Full analysis: https://app.any.run/tasks/2fcecc50-4c41-4f3b-abc8-e058d6e30c21
Verdict: Malicious activity
Analysis date: April 24, 2025, 10:29:09
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (DLL) (console) x86-64, for MS Windows, 7 sections
MD5: B316E5D12C3109012A0A9E520A4F619B
SHA1: 7232FB4A5C73EBDF896F9310008939E28A662423
SHA256: 329EB2CDE55F6552964E4238C277A31B27CF67AAD4A77BDACACE459ECC3C8C46
SSDEEP: 6144:CNPocvI4zZRSiHNd6BTk6ejJB0qh2r4ALoXuEu3PcRKYLt/g8vzLD1hHUGN2:Cq2ZLNdiTVG3C4A8XnuURKY5I0nzH72

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • cmd.exe (PID: 1056)
      • cmd.exe (PID: 2108)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 1056)
      • cmd.exe (PID: 2108)
    • Lists all scheduled tasks

      • schtasks.exe (PID: 6516)
      • schtasks.exe (PID: 2644)
      • schtasks.exe (PID: 4380)
      • schtasks.exe (PID: 5744)
      • schtasks.exe (PID: 6584)
      • schtasks.exe (PID: 872)
      • schtasks.exe (PID: 3268)
      • schtasks.exe (PID: 3332)
      • schtasks.exe (PID: 6048)
      • schtasks.exe (PID: 6228)
      • schtasks.exe (PID: 4016)
      • schtasks.exe (PID: 3968)
      • schtasks.exe (PID: 2656)
  • INFO

    • Manual execution by a user

      • AgentService.exe (PID: 3888)
      • cmd.exe (PID: 1056)
      • RdpSaUacHelper.exe (PID: 7000)
      • cmd.exe (PID: 2108)
      • schtasks.exe (PID: 6516)
      • schtasks.exe (PID: 1180)
      • schtasks.exe (PID: 5744)
      • schtasks.exe (PID: 4380)
      • schtasks.exe (PID: 6584)
      • schtasks.exe (PID: 3268)
      • schtasks.exe (PID: 3332)
      • schtasks.exe (PID: 2644)
      • schtasks.exe (PID: 6228)
      • schtasks.exe (PID: 2656)
      • schtasks.exe (PID: 4016)
      • schtasks.exe (PID: 872)
      • schtasks.exe (PID: 3968)
      • schtasks.exe (PID: 6048)
    • The sample compiled with english language support

      • rundll32.exe (PID: 5304)
      • cmd.exe (PID: 1056)
      • cmd.exe (PID: 2108)
    • Checks proxy server information

      • slui.exe (PID: 6244)
    • Reads the software policy settings

      • slui.exe (PID: 6244)
      • slui.exe (PID: 6724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2019:12:07 15:28:48+00:00
ImageFileCharacteristics: Executable, Large address aware, DLL
PEType: PE32+
LinkerVersion: 6.11
CodeSize: 32256
InitializedDataSize: 577536
UninitializedDataSize: -
EntryPoint: 0x7150
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows command line
FileVersionNumber: 12.2.0.18007
ProductVersionNumber: 12.2.0.18007
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Citrix Systems, Inc.
FileDescription: Primary authenticator resources (en)
FileVersion: 12.2.0.18007
LegalCopyright: Copyright © 2017 Citrix Systems, Inc.
InternalName: PrimaryAuthModule.mui.dll
OriginalFileName: PrimaryAuthModule.mui.dll
ProductName: Citrix Receiver
ProductVersion: 12.2.0.18007
OLESelfRegister: -
No data.
All screenshots are available in the full report
Total processes: 172
Monitored processes: 38
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Behavior graph (rendered interactively in the full report; "no specs" marks a process with no specific indicators). Process nodes, in graph order: rundll32.exe, sppextcomobj.exe, slui.exe, agentservice.exe, cmd.exe, conhost.exe, rdpsauachelper.exe, cmd.exe, conhost.exe, followed by a series of schtasks.exe / conhost.exe pairs with a second slui.exe among them.

Process information

PID | CMD | Path | Indicators | Parent process
PID 728 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 872 | CMD: C:\WINDOWS\system32\schtasks.exe /Query /TN "Zqdycvlapvhd" | Path: C:\Windows\System32\schtasks.exe | Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1056 | CMD: "C:\WINDOWS\system32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\YzH.cmd | Path: C:\Windows\System32\cmd.exe | Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID 1180 | CMD: "C:\WINDOWS\system32\schtasks.exe" /Create /F /TN "Zqdycvlapvhd" /TR "C:\Users\admin\AppData\Roaming\1qMw\RDPSAU~1.EXE" /SC minute /MO 60 | Path: C:\Windows\System32\schtasks.exe | Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1388 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 2108 | CMD: "C:\WINDOWS\system32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\20If4.cmd | Path: C:\Windows\System32\cmd.exe | Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID 2140 | CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding | Path: C:\Windows\System32\SppExtComObj.Exe | Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID 2344 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 2644 | CMD: C:\WINDOWS\system32\schtasks.exe /Query /TN "Zqdycvlapvhd" | Path: C:\Windows\System32\schtasks.exe | Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 2656 | CMD: C:\WINDOWS\system32\schtasks.exe /Query /TN "Zqdycvlapvhd" | Path: C:\Windows\System32\schtasks.exe | Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 7 272
Read events: 7 272
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 4
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2108 | cmd.exe | C:\Users\admin\AppData\Roaming\1qMw\WINSTA.dll | executable
  MD5: 6F8CB7B2F38DA121EB5FFE3A5647808D
  SHA256: 170022E86B7D2E9E78BA9562DB33D89EE361F84123FAB08641BA44255FA3BE72
1056 | cmd.exe | C:\Users\admin\AppData\Roaming\XZl3Ig\VERSION.dll | executable
  MD5: C829BDC4295CCBDE6C4823F7D58A4785
  SHA256: 7961B7B460FF512BDAD9FD5BFDEF83300675B42BE1E5201F5A601EBBFEC2A874
1056 | cmd.exe | C:\Users\admin\AppData\Roaming\XZl3Ig\AgentService.exe | executable
  MD5: 80D03B927F377DB880BAE59489E919B1
  SHA256: AA65ECE073CFDF8513C2834D54E6B5546C02E6AD1783BF656374F8DC94F2FC42
2108 | cmd.exe | C:\Users\admin\AppData\Roaming\1qMw\RdpSaUacHelper.exe | executable
  MD5: 8A0CAB547C7C223CE7B5134DDEE08997
  SHA256: B908DC8B0973E818461FDCA87508A2D1795C628A6516BB1F8550520298449E52
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 38
DNS requests: 20
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.14:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2112 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5956 | SIHClient.exe | 20.109.210.53:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5956 | SIHClient.exe | 52.165.164.15:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6724 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
google.com | 142.250.186.78 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
login.live.com | 20.190.160.14, 20.190.160.128, 20.190.160.22, 20.190.160.65, 20.190.160.20, 20.190.160.2, 40.126.32.68, 20.190.160.64 | whitelisted
slscr.update.microsoft.com | 20.109.210.53 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15, 2603:1030:800:5::bfee:a08d | whitelisted
15.164.165.52.in-addr.arpa | - | unknown
d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | - | unknown
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
nexusrules.officeapps.live.com | 52.111.227.11 | whitelisted

Threats

No threats detected
No debug info