| File name: | vgc.exe |
| Full analysis: | https://app.any.run/tasks/b58b1f4a-0fee-4e67-ad72-9c534904e2da |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | April 05, 2026, 22:35:43 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (console) x86-64, for MS Windows, 6 sections |
| MD5: | 4DA1CB4EB48850B494A4905A7C05F779 |
| SHA1: | EEE764E9A27D1D58DABC0FB4702F636990B685D2 |
| SHA256: | 375FC4A97B6FC27FB02A8B29ED60DB92F14C5DD8C68C350A74BBC00815B71E2D |
| SSDEEP: | 12288:FKq2KS4wjjl+t0X+NSu/yveJEB7AhLa3qSLHoGpy+/uSquAZh12mlZDvfB5M2xG6:FKF |
MALICIOUS
No malicious indicators.SUSPICIOUS
Starts CMD.EXE for commands execution
- cmd.exe (PID: 2392)
- cmd.exe (PID: 7660)
- cmd.exe (PID: 5132)
- cmd.exe (PID: 6988)
- cmd.exe (PID: 7060)
- cmd.exe (PID: 5816)
- cmd.exe (PID: 6696)
- cmd.exe (PID: 6832)
- cmd.exe (PID: 7080)
Executable content was dropped or overwritten
- vgc.exe (PID: 2304)
- cmd.exe (PID: 5132)
Drops a system driver (possible attempt to evade defenses)
- vgc.exe (PID: 2304)
- cmd.exe (PID: 5132)
Creates a new Windows service
- sc.exe (PID: 2988)
The system shut down or reboot
- cmd.exe (PID: 5132)
INFO
Reads the computer name
- vgc.exe (PID: 2304)
- vgc.exe (PID: 6864)
- vgc.exe (PID: 5400)
Checks supported languages
- vgc.exe (PID: 2304)
- vgc.exe (PID: 6864)
- vgc.exe (PID: 5400)
Reads security settings of Internet Explorer
- vgc.exe (PID: 2304)
Creates files or folders in the user directory
- WerFault.exe (PID: 1776)
- vgc.exe (PID: 2304)
- WerFault.exe (PID: 7164)
- WerFault.exe (PID: 7000)
Reads the machine GUID from the registry
- vgc.exe (PID: 2304)
Manual execution by a user
- cmd.exe (PID: 5132)
- vgc.exe (PID: 6864)
- vgc.exe (PID: 5400)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2026:04:04 19:19:49+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.5 |
| CodeSize: | 353792 |
| InitializedDataSize: | 29184 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x56608 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
Total processes
277
Monitored processes
21
Malicious processes
0
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1776 | C:\WINDOWS\system32\WerFault.exe -u -p 2304 -s 872 | C:\Windows\System32\WerFault.exe | vgc.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2304 | "C:\Users\admin\Desktop\vgc.exe" | C:\Users\admin\Desktop\vgc.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221225477 Modules
| |||||||||||||||
| 2392 | C:\WINDOWS\system32\cmd.exe /c cls | C:\Windows\System32\cmd.exe | — | vgc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2988 | sc create system2 binPath= "C:\Windows\System32\netfwcore.sys" DisplayName= "ca2" start= boot tag= 2 type= kernel group= "System Reserved" | C:\Windows\System32\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Service Control Manager Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3380 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | vgc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5132 | "C:\WINDOWS\System32\cmd.exe" /C "C:\Users\admin\AppData\Roaming\WinBar\png.bat" | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5332 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | vgc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5400 | "C:\Users\admin\Desktop\vgc.exe" | C:\Users\admin\Desktop\vgc.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 3221225477 Modules
| |||||||||||||||
| 5816 | C:\WINDOWS\system32\cmd.exe /c cls | C:\Windows\System32\cmd.exe | — | vgc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6076 | shutdown /r /t 3 /f | C:\Windows\System32\shutdown.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Shutdown and Annotation Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
12 727
Read events
12 712
Write events
9
Delete events
6
Modification events
| (PID) Process: | (2304) vgc.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (2304) vgc.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (2304) vgc.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (7164) WerFault.exe | Key: | \REGISTRY\A\{98200de2-6ade-384d-e2a8-0e6c875aefd4}\Root\InventoryApplicationFile |
| Operation: | write | Name: | WritePermissionsCheck |
Value: 1 | |||
| (PID) Process: | (7164) WerFault.exe | Key: | \REGISTRY\A\{98200de2-6ade-384d-e2a8-0e6c875aefd4}\Root\InventoryApplicationFile\PermissionsCheckTestKey |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (7000) WerFault.exe | Key: | \REGISTRY\A\{e68e43bd-8b57-95c0-e62c-5f9e48569357}\Root\InventoryApplicationFile |
| Operation: | write | Name: | WritePermissionsCheck |
Value: 1 | |||
| (PID) Process: | (7000) WerFault.exe | Key: | \REGISTRY\A\{e68e43bd-8b57-95c0-e62c-5f9e48569357}\Root\InventoryApplicationFile\PermissionsCheckTestKey |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
3
Suspicious files
14
Text files
8
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1776 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_vgc.exe_c5649ecdcf90936fb89296b0b37d9a1651f2bc2_ff59ee20_c8556fe9-b91c-464b-aeee-16ee509852f0\Report.wer | — | |
MD5:— | SHA256:— | |||
| 2304 | vgc.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\10C8BDB0D7E5729D576C30C7920D43C5 | binary | |
MD5:D6CC13648BEB0EE65778F34266F88CEE | SHA256:9A29BED259C1117052661413482AAEEDF77FADEE23AE5E08A39408E6AB942416 | |||
| 7164 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_vgc.exe_c5649ecdcf90936fb89296b0b37d9a1651f2bc2_ff59ee20_1ba6db2c-27bd-4616-8371-7beb59ad700d\Report.wer | — | |
MD5:— | SHA256:— | |||
| 2304 | vgc.exe | C:\Users\admin\AppData\Roaming\WinBar\netfwcore.sys | executable | |
MD5:8D2692C5A0915C19FE65F298D7100DA3 | SHA256:A4D3D3C794C6FD0C238B8E99D7480BD7255DF7F7C8F159E1A588E7A1A1D582AE | |||
| 1776 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE | binary | |
MD5:FC2FAE9740FDDB59440B94E791FACC05 | SHA256:BE10C9C5BB492A124F62A253BFF6E45C3DE654E3A923F252039C4E70CC76B09A | |||
| 1776 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785 | binary | |
MD5:BE2AA26973D0EBFD5C162BD2A472FB0E | SHA256:D7E815EE1120D83BE83B591535FDC7468D25BEE6617F9D0C7007CDF125C85A58 | |||
| 7164 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D7B.tmp.WERInternalMetadata.xml | xml | |
MD5:A2E7FDDFDBA4F3F74EDB329ADF86003C | SHA256:64F68BB82707401D4FE3A94F5B77ABE410BFC451DECCDD2942FDFEFDC7EEC4FA | |||
| 7000 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_vgc.exe_c5649ecdcf90936fb89296b0b37d9a1651f2bc2_ff59ee20_cbe1e4d5-4662-45d3-93f9-34711ca9a03a\Report.wer | — | |
MD5:— | SHA256:— | |||
| 2304 | vgc.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\10C8BDB0D7E5729D576C30C7920D43C5 | binary | |
MD5:EA8B5804023FBEE8E6A36219FC6B1549 | SHA256:E27D46FAAF46DD93C449A97D93C8B42A17931D3642CFD83DD7CB306708B2AA79 | |||
| 2304 | vgc.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary | |
MD5:7F924EAEA21BB91214FF7B4525F3BD29 | SHA256:E718475014C8F51A8F2746FBE90A7BFF516B65BEF36EE6340A5FC746BC5DFC32 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
73
TCP/UDP connections
40
DNS requests
30
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4680 | svchost.exe | GET | 304 | 51.104.136.2:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | — | — | whitelisted |
6844 | SIHClient.exe | GET | 304 | 74.178.240.61:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | whitelisted |
6844 | SIHClient.exe | GET | 200 | 135.232.92.97:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | — | — | whitelisted |
6844 | SIHClient.exe | GET | 200 | 74.178.240.61:443 | https://slscr.update.microsoft.com/sls/ping | US | — | — | whitelisted |
6844 | SIHClient.exe | GET | 304 | 74.178.240.61:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | whitelisted |
— | — | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
— | — | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
2304 | vgc.exe | GET | 200 | 185.199.108.133:443 | https://raw.githubusercontent.com/zeynepgsm0-hue/Driver-Spoofer/refs/heads/main/netfwcore.sys | US | executable | 411 Kb | whitelisted |
5316 | svchost.exe | POST | 200 | 20.190.159.75:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | whitelisted |
5316 | svchost.exe | GET | 200 | 23.11.41.157:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | NL | binary | 471 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4680 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 48.192.1.65:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
— | — | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
3428 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6844 | SIHClient.exe | 74.178.240.61:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
raw.githubusercontent.com |
| whitelisted |
r12.c.lencr.org |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4680 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
2232 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |
2304 | vgc.exe | Misc activity | ET INFO Observed UA-CPU Header |
2304 | vgc.exe | Misc activity | ET HUNTING EXE Downloaded from Github |
2304 | vgc.exe | Misc activity | HUNTING [ANY.RUN] .bat script file requested via HTTP |