File name: updater.exe

Full analysis: https://app.any.run/tasks/adeabe24-fe47-4555-9f69-0ce37b322c02
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Analysis date: September 14, 2024, 13:19:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: miner, xor-url, generic
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5: 8CD62E3ECE85C4C3E9F6F7C816256ADF
SHA1: 9712769BE3F755C5ECBE68D38800A3A8ECDAF324
SHA256: 39EBCDBB6993787BE2ED9D2B6668B9EE2707CA483A66B51D1302BFC610BA021B
SSDEEP: 98304:EZMjbTOb8WILrIw70f1e9UNJrPDiJFZUlSQtE8pzjQgBnsoS9L/kC62QKoMl0F+k:CKrYcWjUmUqn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • explorer.exe (PID: 4552)
    • Application was injected by another process

      • winlogon.exe (PID: 684)
      • lsass.exe (PID: 768)
      • svchost.exe (PID: 476)
      • svchost.exe (PID: 1208)
      • dwm.exe (PID: 852)
      • svchost.exe (PID: 1036)
      • svchost.exe (PID: 1408)
      • svchost.exe (PID: 1200)
      • svchost.exe (PID: 1364)
      • svchost.exe (PID: 1272)
      • svchost.exe (PID: 1508)
      • svchost.exe (PID: 1316)
      • svchost.exe (PID: 1472)
      • svchost.exe (PID: 1620)
      • svchost.exe (PID: 1588)
      • svchost.exe (PID: 1816)
      • svchost.exe (PID: 1600)
      • svchost.exe (PID: 1796)
      • svchost.exe (PID: 1628)
      • svchost.exe (PID: 2256)
      • svchost.exe (PID: 2160)
      • svchost.exe (PID: 2000)
      • svchost.exe (PID: 1864)
      • svchost.exe (PID: 2304)
      • svchost.exe (PID: 2788)
      • svchost.exe (PID: 2996)
      • svchost.exe (PID: 1872)
      • svchost.exe (PID: 2184)
      • svchost.exe (PID: 2312)
      • svchost.exe (PID: 2496)
      • svchost.exe (PID: 2412)
      • svchost.exe (PID: 2692)
      • spoolsv.exe (PID: 2592)
      • svchost.exe (PID: 2344)
      • svchost.exe (PID: 2968)
      • svchost.exe (PID: 3200)
      • svchost.exe (PID: 2072)
      • svchost.exe (PID: 3020)
      • svchost.exe (PID: 3340)
      • svchost.exe (PID: 3220)
      • svchost.exe (PID: 3888)
      • svchost.exe (PID: 3548)
      • dasHost.exe (PID: 3692)
      • sihost.exe (PID: 4112)
      • svchost.exe (PID: 3408)
      • svchost.exe (PID: 3260)
      • svchost.exe (PID: 3496)
      • svchost.exe (PID: 4332)
      • svchost.exe (PID: 4300)
      • ctfmon.exe (PID: 4356)
      • svchost.exe (PID: 4532)
      • explorer.exe (PID: 4552)
      • svchost.exe (PID: 3012)
      • svchost.exe (PID: 3056)
      • OfficeClickToRun.exe (PID: 2656)
      • svchost.exe (PID: 3084)
      • MoUsoCoreWorker.exe (PID: 2120)
      • svchost.exe (PID: 5416)
      • svchost.exe (PID: 4140)
      • dllhost.exe (PID: 3312)
      • RuntimeBroker.exe (PID: 4244)
      • RuntimeBroker.exe (PID: 5560)
      • svchost.exe (PID: 4324)
      • dllhost.exe (PID: 5568)
      • RuntimeBroker.exe (PID: 776)
      • ApplicationFrameHost.exe (PID: 4052)
      • svchost.exe (PID: 4808)
      • svchost.exe (PID: 5256)
      • UserOOBEBroker.exe (PID: 2744)
      • svchost.exe (PID: 3032)
      • svchost.exe (PID: 5236)
      • svchost.exe (PID: 5036)
      • svchost.exe (PID: 6868)
      • svchost.exe (PID: 4184)
      • svchost.exe (PID: 4000)
      • svchost.exe (PID: 420)
      • svchost.exe (PID: 1824)
      • svchost.exe (PID: 6120)
      • dllhost.exe (PID: 4424)
      • uhssvc.exe (PID: 536)
      • svchost.exe (PID: 6904)
    • Runs injected code in another process

      • dialer.exe (PID: 4064)
      • dialer.exe (PID: 6460)
    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2256)
    • XORed URL has been found (YARA)

      • dialer.exe (PID: 4876)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • explorer.exe (PID: 4552)
    • Script adds exclusion path to Windows Defender

      • explorer.exe (PID: 4552)
    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 4552)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 1840)
      • cmd.exe (PID: 6556)
    • Executable content was dropped or overwritten

      • updater.exe (PID: 532)
      • updater.exe (PID: 1480)
    • Uses powercfg.exe to modify the power settings

      • cmd.exe (PID: 5600)
      • cmd.exe (PID: 5552)
    • The process executes via Task Scheduler

      • updater.exe (PID: 1480)
    • Drops a system driver (possible attempt to evade defenses)

      • updater.exe (PID: 1480)
    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2256)
  • INFO

    • Creates files in the program directory

      • MoUsoCoreWorker.exe (PID: 2120)
      • updater.exe (PID: 532)
      • updater.exe (PID: 1480)
    • Checks supported languages

      • updater.exe (PID: 532)
      • updater.exe (PID: 1480)
    • Reads the time zone

      • svchost.exe (PID: 2692)
    • Reads the software policy settings

      • lsass.exe (PID: 768)
    • Manual execution by a user

      • powershell.exe (PID: 3660)
      • cmd.exe (PID: 1840)
      • cmd.exe (PID: 5600)
      • dialer.exe (PID: 4064)
      • powershell.exe (PID: 5372)
      • schtasks.exe (PID: 2724)
      • powershell.exe (PID: 6992)
      • cmd.exe (PID: 6556)
      • dialer.exe (PID: 6460)
      • cmd.exe (PID: 5552)
      • powershell.exe (PID: 5468)
      • dialer.exe (PID: 6704)
      • dialer.exe (PID: 4876)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3660)
      • powershell.exe (PID: 6992)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3660)
      • powershell.exe (PID: 5372)
      • powershell.exe (PID: 6992)
      • powershell.exe (PID: 5468)
    • Create files in a temporary directory

      • updater.exe (PID: 532)
    • The process uses the downloaded file

      • powershell.exe (PID: 5468)
      • powershell.exe (PID: 6992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:09:22 09:13:45+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.38
CodeSize: 109568
InitializedDataSize: 6015488
UninitializedDataSize: 9216
EntryPoint: 0x14b0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 1.3.177.11
ProductVersionNumber: 1.3.177.11
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Microsoft Edge Update
FileTitle: Microsoft Edge Update Setup
FileDescription: Microsoft Edge Update Setup
FileVersion: 1,3,177,11
LegalCopyright: Copyright Microsoft Corporation
LegalTrademark: -
ProductName: Microsoft Corporation
ProductVersion: 1,3,177,11
All screenshots are available in the full report
Total processes: 164
Monitored processes: 124
Malicious processes: 85
Suspicious processes: 2

Behavior graph

(Interactive process graph; see the full report. Nodes in graph order: updater.exe, powershell.exe, cmd.exe, sc.exe (x5), cmd.exe, dialer.exe, powershell.exe, powercfg.exe (x4), schtasks.exe, then a second updater.exe followed by the same sequence without schtasks.exe, then dialer.exe (#XOR-URL), svchost.exe (#MINER) and the injected system processes. conhost.exe nodes marked "no specs" are omitted here.)

Process information

PID 420
CMD: C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: LOCAL SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\svchost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\kernel.appcore.dll

PID 476
CMD: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSM
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\svchost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\lsm.dll, c:\windows\system32\msvcrt.dll

PID 532
CMD: "C:\Users\admin\Desktop\updater.exe"
Path: C:\Users\admin\Desktop\updater.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Edge Update
Integrity Level: HIGH
Description: Microsoft Edge Update Setup
Exit code: 0
Version: 1,3,177,11
Modules (images): c:\users\admin\desktop\updater.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\shlwapi.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll

PID 536
CMD: "C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"
Path: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Update Health Service
Version: 10.0.19041.3626 (WinBuild.160101.0800)
Modules (images): c:\program files\microsoft update health tools\uhssvc.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll

PID 684
CMD: winlogon.exe
Path: C:\Windows\System32\winlogon.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Logon Application
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\winlogon.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll

PID 768
CMD: C:\WINDOWS\system32\lsass.exe
Path: C:\Windows\System32\lsass.exe
Parent process: wininit.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Local Security Authority Process
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\lsass.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\lsasrv.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\sspicli.dll, c:\windows\system32\sechost.dll

PID 776
CMD: C:\Windows\System32\RuntimeBroker.exe -Embedding
Path: C:\Windows\System32\RuntimeBroker.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Runtime Broker
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\runtimebroker.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\powrprof.dll

PID 852
CMD: "dwm.exe"
Path: C:\Windows\System32\dwm.exe
Parent process: winlogon.exe
User: DWM-1
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Desktop Window Manager
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\dwm.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll

PID 1036
CMD: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\svchost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\kernel.appcore.dll

PID 1148
CMD: sc stop dosvc
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Service Control Manager Configuration Tool
Exit code: 1062
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\sc.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\shlwapi.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\bcrypt.dll
Total events: 42 117
Read events: 41 674
Write events: 241
Delete events: 202

Modification events

All entries were made by svchost.exe (PID 5236) under \REGISTRY\A\{43ff8600-7624-9b9f-5731-31bad97dea78}\Root\InventoryApplicationFile.

Key: InventoryApplicationFile
  write WritePermissionsCheck = 1
Key: InventoryApplicationFile\PermissionsCheckTestKey
  delete key (default)
Key: InventoryApplicationFile\updater.exe|22af5dedca4e612b
  write ProgramId = 00069b904f97e761ac5bb63d08eba7fad3d900000904
  write FileId = 00009712769be3f755c5ecbe68d38800a3a8ecdaf324
  write LowerCaseLongPath = c:\users\admin\desktop\updater.exe
  write LongPathHash = updater.exe|22af5dedca4e612b
  write Name = updater.exe
  write OriginalFileName = (empty)
  write Publisher = microsoft edge update
  write Version = 1,3,177,11
Executable files: 6
Suspicious files: 42
Text files: 19
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1316 | svchost.exe | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | xml | C6086D02F8CE044F5FA07A98303DC7EB | 8901D9C9AEA465DA4EA7AA874610A90B8CF0A71EBA0E321CF9675FCEEE0B54A0
1316 | svchost.exe | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | xml | 5FADF13CCFBDCC5DD728380F7A615B28 | FF1F73395F6B5B22D5FDA367521FE0DCC31FF252849B7FA85FA346B953A40451
1620 | svchost.exe | C:\Windows\Prefetch\WAASMEDICAGENT.EXE-ED0D7511.pf | binary | 9FCEB7ACD3C6914AB30C5CF09018C78F | 9E8F9350372590BF4C7FE3AFFB36823C68F553AAEA08F06EDC4C153DF860D416
1316 | svchost.exe | C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler | xml | 1E0FD17505DF7FDD52708C59FCD5284C | B374CE865F05A467798DE01B77F9AEEA861325CF274390D4C06753E77CDA564D
1620 | svchost.exe | C:\Windows\Prefetch\SVCHOST.EXE-6C525542.pf | binary | 16AD18DE2B8516E03527971F7E742833 | 9D4BB5B53A5DB84D148F7255338DC4B265E122535CCC1CC9DF1FF9956357B101
1620 | svchost.exe | C:\Windows\Prefetch\SVCHOST.EXE-AD0331FB.pf | binary | 0A13C6E35AFEA7C76ACBE9EFE5FCDE9D | ACEAF29FC4EEE44C8387BCE5EA7A2C9A4C68C66882ABFC5A364861688E23E3C0
1620 | svchost.exe | C:\Windows\Prefetch\UPFC.EXE-BDDF79D6.pf | binary | 8F029E67FB57358ECBAB197D33BD0152 | F1B0CC264E07B2AEE68BE37E8435516CD79A4811E8B0789F56FF032241A21E61
1620 | svchost.exe | C:\Windows\Prefetch\SVCHOST.EXE-0C2D202C.pf | binary | 6C2ABA8F5EA019D527383914BB5E3756 | DD82CE9D0526E32A1B61CBCB3D4ADB9AA023E2A4AEA30521652319EBDF1D27F6
1620 | svchost.exe | C:\Windows\Prefetch\SPPSVC.EXE-B0F8131B.pf | binary | 61060EB24E330721F59DBC2114525181 | 1709F16AD7360C997CC60AB85425A215AE3E9BDE19B0C15F9DBB0DCEAFD3E664
1620 | svchost.exe | C:\Windows\Prefetch\UPDATER.EXE-39633815.pf | binary | BD622EC92706E045B68730FC8223A9C9 | 57116DBFD22F7D3A68B2E39B209A25CB6582E0DE95ACDC0611D8655CAB6843A9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 22
DNS requests: 5
Threats: 12

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
2120 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6012 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
6012 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6264 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6012 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4324 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6012 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146 | whitelisted
google.com | 142.250.186.110 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
pool.hashvault.pro | 45.76.89.70, 95.179.241.203 | whitelisted

Threats

svchost.exe (PID 2256):
  Crypto Currency Mining Activity Detected: ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
  Potential Corporate Privacy Violation: ET POLICY Cryptocurrency Miner Checkin (9 alerts)
1 ETPRO signatures available at the full report
No debug info