File name:

services64.exe

Full analysis: https://app.any.run/tasks/f153ec64-c9d1-4497-835b-8209258d008e
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: July 12, 2024, 16:27:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
miner
amadey
botnet
stealer
upx
silentcryptominer
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

C8A50A6F1F73DF72DE866F6131346E69

SHA1:

37D99D5A8254CEAD586931F8B0C9B4CF031E0B4D

SHA256:

59E6A5009CE5E9547078DB7F964BB8FC10EE999DD35B7E9243F119DB8337AA8D

SSDEEP:

98304:Z2po3+iAbH4f0m/QqLh6mhaRgiSaFa7aOb356EGMGVUHMLXCGnns2lB89CwpEgCZ:9a/dGqlLymIwubawejGFuqVUiO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • services64.exe (PID: 5396)
      • services64.exe (PID: 240)
      • WindowsAutHost (PID: 3924)
    • Adds extension to the Windows Defender exclusion list

      • services64.exe (PID: 240)
      • WindowsAutHost (PID: 3924)
    • Modifies hosts file to block updates

      • services64.exe (PID: 240)
    • Application was injected by another process

      • svchost.exe (PID: 1040)
      • dwm.exe (PID: 852)
      • lsass.exe (PID: 768)
      • winlogon.exe (PID: 684)
      • svchost.exe (PID: 320)
      • svchost.exe (PID: 1252)
      • svchost.exe (PID: 1400)
      • svchost.exe (PID: 1312)
      • svchost.exe (PID: 1172)
      • svchost.exe (PID: 1360)
      • svchost.exe (PID: 1100)
      • svchost.exe (PID: 1180)
      • svchost.exe (PID: 1620)
      • svchost.exe (PID: 1532)
      • svchost.exe (PID: 1464)
      • svchost.exe (PID: 1608)
      • svchost.exe (PID: 1600)
      • svchost.exe (PID: 1744)
      • svchost.exe (PID: 1060)
      • svchost.exe (PID: 1984)
      • svchost.exe (PID: 2384)
      • svchost.exe (PID: 2376)
      • svchost.exe (PID: 2424)
      • svchost.exe (PID: 2696)
      • svchost.exe (PID: 2168)
      • svchost.exe (PID: 2280)
      • svchost.exe (PID: 2348)
      • spoolsv.exe (PID: 2544)
      • svchost.exe (PID: 2956)
      • svchost.exe (PID: 2948)
      • svchost.exe (PID: 2732)
      • svchost.exe (PID: 2592)
      • svchost.exe (PID: 1752)
      • svchost.exe (PID: 1836)
      • svchost.exe (PID: 1892)
      • svchost.exe (PID: 1900)
      • svchost.exe (PID: 2092)
      • svchost.exe (PID: 3032)
      • svchost.exe (PID: 3000)
      • svchost.exe (PID: 2900)
      • svchost.exe (PID: 3608)
      • svchost.exe (PID: 3056)
      • svchost.exe (PID: 2816)
      • svchost.exe (PID: 2760)
      • svchost.exe (PID: 3196)
      • svchost.exe (PID: 3368)
      • svchost.exe (PID: 3240)
      • svchost.exe (PID: 3884)
      • OfficeClickToRun.exe (PID: 3040)
      • svchost.exe (PID: 4824)
      • explorer.exe (PID: 4612)
      • svchost.exe (PID: 3732)
      • svchost.exe (PID: 1488)
      • dasHost.exe (PID: 3948)
      • svchost.exe (PID: 4032)
      • svchost.exe (PID: 4344)
      • svchost.exe (PID: 4384)
      • svchost.exe (PID: 4184)
      • sihost.exe (PID: 4156)
      • svchost.exe (PID: 4228)
      • svchost.exe (PID: 6004)
      • uhssvc.exe (PID: 2656)
      • svchost.exe (PID: 5588)
      • ctfmon.exe (PID: 4404)
      • svchost.exe (PID: 4548)
      • RuntimeBroker.exe (PID: 5796)
      • dllhost.exe (PID: 6084)
      • RuntimeBroker.exe (PID: 5088)
      • RuntimeBroker.exe (PID: 5256)
      • dllhost.exe (PID: 5352)
      • UserOOBEBroker.exe (PID: 844)
      • ApplicationFrameHost.exe (PID: 1028)
      • svchost.exe (PID: 3028)
      • UsoClient.exe (PID: 5652)
      • PLUGScheduler.exe (PID: 564)
      • svchost.exe (PID: 2536)
      • MusNotification.exe (PID: 1112)
      • svchost.exe (PID: 4804)
      • svchost.exe (PID: 3092)
      • svchost.exe (PID: 1196)
      • dllhost.exe (PID: 6096)
      • svchost.exe (PID: 3644)
      • audiodg.exe (PID: 1096)
      • UsoClient.exe (PID: 4784)
      • WmiPrvSE.exe (PID: 5252)
      • RUXIMICS.exe (PID: 3828)
      • MoUsoCoreWorker.exe (PID: 2340)
      • svchost.exe (PID: 3656)
      • WmiPrvSE.exe (PID: 6568)
      • UsoClient.exe (PID: 6696)
      • RUXIMICS.exe (PID: 6632)
    • Runs injected code in another process

      • dialer.exe (PID: 1644)
      • dialer.exe (PID: 3068)
    • Creates a writable file in the system directory

      • powershell.exe (PID: 4316)
    • Connects to the CnC server

      • dialer.exe (PID: 3560)
    • SILENTCRYPTOMINER has been detected (SURICATA)

      • dialer.exe (PID: 3560)
      • dialer.exe (PID: 3560)
  • SUSPICIOUS

    • Powershell scripting: start process

      • services64.exe (PID: 5396)
    • Starts POWERSHELL.EXE for commands execution

      • services64.exe (PID: 5396)
      • services64.exe (PID: 240)
      • WindowsAutHost (PID: 3924)
    • Script adds exclusion extension to Windows Defender

      • services64.exe (PID: 240)
      • WindowsAutHost (PID: 3924)
    • Script adds exclusion path to Windows Defender

      • services64.exe (PID: 240)
      • WindowsAutHost (PID: 3924)
    • Starts CMD.EXE for commands execution

      • services64.exe (PID: 240)
      • WindowsAutHost (PID: 3924)
    • Process uninstalls Windows update

      • wusa.exe (PID: 2080)
      • wusa.exe (PID: 2252)
    • Uses powercfg.exe to modify the power settings

      • services64.exe (PID: 240)
      • WindowsAutHost (PID: 3924)
    • Starts SC.EXE for service management

      • services64.exe (PID: 240)
      • WindowsAutHost (PID: 3924)
    • Executable content was dropped or overwritten

      • services64.exe (PID: 240)
      • WindowsAutHost (PID: 3924)
    • Executes as Windows Service

      • WindowsAutHost (PID: 3924)
    • Drops a system driver (possible attempt to evade defenses)

      • WindowsAutHost (PID: 3924)
    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2168)
      • dialer.exe (PID: 3560)
    • Potential Corporate Privacy Violation

      • dialer.exe (PID: 3560)
    • Checks Windows Trust Settings

      • OfficeClickToRun.exe (PID: 3040)
      • dialer.exe (PID: 3560)
  • INFO

    • Checks supported languages

      • services64.exe (PID: 240)
      • services64.exe (PID: 5396)
      • PLUGScheduler.exe (PID: 564)
      • RUXIMICS.exe (PID: 3828)
      • WindowsAutHost (PID: 3924)
      • RUXIMICS.exe (PID: 6632)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4072)
      • powershell.exe (PID: 4316)
    • Creates files in the program directory

      • services64.exe (PID: 240)
      • RUXIMICS.exe (PID: 6632)
      • MoUsoCoreWorker.exe (PID: 2340)
    • Creates a writable file in the system directory

      • svchost.exe (PID: 3032)
    • Reads the computer name

      • PLUGScheduler.exe (PID: 564)
    • Reads the software policy settings

      • RUXIMICS.exe (PID: 3828)
      • OfficeClickToRun.exe (PID: 3040)
    • Reads the machine GUID from the registry

      • RUXIMICS.exe (PID: 3828)
      • OfficeClickToRun.exe (PID: 3040)
    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 3040)
    • UPX packer has been detected

      • dialer.exe (PID: 3560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:06:03 14:47:49+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 46592
InitializedDataSize: 5435904
UninitializedDataSize: -
EntryPoint: 0x11b7b1e
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
182
Monitored processes
154
Malicious processes
97
Suspicious processes
1

Behavior graph

Interactive process graph (not reproduced here). Nodes shown in the graph: services64.exe, powershell.exe, conhost.exe, wmiprvse.exe, cmd.exe, sc.exe, wusa.exe, powercfg.exe, dialer.exe (flagged THREAT), windowsauthost, ruximics.exe, usoclient.exe, svchost.exe, plugscheduler.exe, winlogon.exe, lsass.exe, useroobebroker.exe, dwm.exe, applicationframehost.exe, audiodg.exe, musnotification.exe, mousocoreworker.exe, spoolsv.exe, uhssvc.exe, officeclicktorun.exe, dashost.exe, sihost.exe, ctfmon.exe, explorer.exe, runtimebroker.exe, dllhost.exe.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 188
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 240
CMD: "C:\Users\admin\Desktop\services64.exe"
Path: C:\Users\admin\Desktop\services64.exe
Parent process: powershell.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\services64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 320
CMD: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSM
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
PID: 448
CMD: C:\WINDOWS\system32\powercfg.exe /x -hibernate-timeout-dc 0
Path: C:\Windows\System32\powercfg.exe
Parent process: WindowsAutHost
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
PID: 564
CMD: "C:\Program Files\RUXIM\PLUGscheduler.exe"
Path: C:\Program Files\RUXIM\PLUGScheduler.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Update LifeCycle Component Scheduler
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
PID: 684
CMD: winlogon.exe
Path: C:\Windows\System32\winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 768
CMD: C:\WINDOWS\system32\lsass.exe
Path: C:\Windows\System32\lsass.exe
Parent process: wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
PID: 776
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 844
CMD: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
Path: C:\Windows\System32\oobe\UserOOBEBroker.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
User OOBE Broker
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\oobe\useroobebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 852
CMD: "dwm.exe"
Path: C:\Windows\System32\dwm.exe
Parent process: winlogon.exe
User:
DWM-1
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Desktop Window Manager
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
37 574
Read events
37 363
Write events
163
Delete events
48

Modification events

(PID) Process: (4612) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value:
23004100430042006C006F00620000000000000000000000010000000000000000000000
(PID) Process: (5588) svchost.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Operation: write
Name: C:\Users\admin\Desktop\services64.exe
Value:
5341435001000000000000000700000028000000000A0E010000000001000000000000000000000A7320000050BB64EDDDACD5010000000000000000
(PID) Process: (5588) svchost.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Operation: write
Name: C:\Users\admin\Desktop\services64.exe
Value:
5341435001000000000000000700000028000000000A0E010000000001000000000000000000000A7320000050BB64EDDDACD50100000000000000000200000028000000000000000000000000000000000000000000000000000000DF070000000000000100000001000000
(PID) Process: (5588) svchost.exe
Key: \REGISTRY\A\{cbf859d4-d98c-fd7b-6033-c012b9b88a38}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value:
1
(PID) Process: (5588) svchost.exe
Key: \REGISTRY\A\{cbf859d4-d98c-fd7b-6033-c012b9b88a38}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value:
(PID) Process: (5588) svchost.exe
Key: \REGISTRY\A\{cbf859d4-d98c-fd7b-6033-c012b9b88a38}\Root\InventoryApplicationFile\services64.exe|2e4e2afde1f8e215
Operation: write
Name: ProgramId
Value:
000614a5885019d47546172882b4bb55f3de0000ffff
(PID) Process: (5588) svchost.exe
Key: \REGISTRY\A\{cbf859d4-d98c-fd7b-6033-c012b9b88a38}\Root\InventoryApplicationFile\services64.exe|2e4e2afde1f8e215
Operation: write
Name: FileId
Value:
000037d99d5a8254cead586931f8b0c9b4cf031e0b4d
(PID) Process: (5588) svchost.exe
Key: \REGISTRY\A\{cbf859d4-d98c-fd7b-6033-c012b9b88a38}\Root\InventoryApplicationFile\services64.exe|2e4e2afde1f8e215
Operation: write
Name: LowerCaseLongPath
Value:
c:\users\admin\desktop\services64.exe
(PID) Process: (5588) svchost.exe
Key: \REGISTRY\A\{cbf859d4-d98c-fd7b-6033-c012b9b88a38}\Root\InventoryApplicationFile\services64.exe|2e4e2afde1f8e215
Operation: write
Name: LongPathHash
Value:
services64.exe|2e4e2afde1f8e215
(PID) Process: (5588) svchost.exe
Key: \REGISTRY\A\{cbf859d4-d98c-fd7b-6033-c012b9b88a38}\Root\InventoryApplicationFile\services64.exe|2e4e2afde1f8e215
Operation: write
Name: Name
Value:
services64.exe
Executable files
2
Suspicious files
56
Text files
13
Unknown types
11

Dropped files

PID
Process
Filename
Type
PID: 2340
Process: MoUsoCoreWorker.exe
Filename: C:\WINDOWS\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785
Type: binary
MD5: 84552A004AE0D265F143BE19BBC7C213
SHA256: 746C55535D2AADB1B9AF529EDD7D4D00401CCDC08D20FABC17A901228942A816
PID: 1608
Process: svchost.exe
Filename: C:\Windows\Prefetch\SERVICES64.EXE-F455637A.pf
Type: binary
MD5: FAC394B6C95A263ACAB7098B0F654195
SHA256: 1E98E9C5FEC598F9FF4E3C2CA201C4DDA82F9F778D98570A047ABDD6BAAFEB82
PID: 3624
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xpq1yoav.zht.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 1608
Process: svchost.exe
Filename: C:\WINDOWS\Prefetch\WAASMEDICAGENT.EXE-ED0D7511.pf
Type: binary
MD5: F45CE1605EB2D0C055969EA1B75E91AE
SHA256: 403B3482EC821E4E349F91557B2147BC319C323049EFF430047941641BCCA97E
PID: 1608
Process: svchost.exe
Filename: C:\Windows\Prefetch\SVCHOST.EXE-0C2D202C.pf
Type: binary
MD5: EC89F2E87ED54481D0D909397F07DA84
SHA256: 8DB988F9E81CA39EAE9CFFA0215CFE4D598A0FB50B42EDDFC60A1FD326AE62EA
PID: 3624
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qgsesjtu.ceu.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 240
Process: services64.exe
Filename: C:\WINDOWS\system32\drivers\etc\hosts
Type: text
MD5: D720A734B2CBDE357E6361121AFAEFD0
SHA256: BF6F1889D0C694B623C2FC9C6B7A96E31239EB7FAD1E3E5ED09D046684320634
PID: 3032
Process: svchost.exe
Filename: C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
MD5:
SHA256:
PID: 240
Process: services64.exe
Filename: C:\ProgramData\WindowsServices\WindowsAutHost
Type: executable
MD5: C8A50A6F1F73DF72DE866F6131346E69
SHA256: 59E6A5009CE5E9547078DB7F964BB8FC10EE999DD35B7E9243F119DB8337AA8D
PID: 4316
Process: powershell.exe
Filename: C:\WINDOWS\TEMP\__PSScriptPolicyTest_vxtpjnew.o1t.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
23
DNS requests
9
Threats
15

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2340
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2340
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3560
dialer.exe
POST
31.31.198.106:80
http://slkpanelgopnikbeats.pro/api/endpoint.php
unknown
unknown
3560
dialer.exe
POST
31.31.198.106:80
http://slkpanelgopnikbeats.pro/api/endpoint.php
unknown
unknown
3560
dialer.exe
POST
31.31.198.106:80
http://slkpanelgopnikbeats.pro/api/endpoint.php
unknown
unknown
POST
200
20.189.173.15:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
2088
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3828
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2340
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
2340
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
2340
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2088
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3560
dialer.exe
45.76.89.70:80
pool.hashvault.pro
AS-CHOOPA
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
pool.hashvault.pro
  • 45.76.89.70
  • 95.179.241.203
whitelisted
slkpanelgopnikbeats.pro
  • 31.31.198.106
unknown
self.events.data.microsoft.com
  • 20.189.173.18
whitelisted

Threats

PID
Process
Class
Message
2168
svchost.exe
Crypto Currency Mining Activity Detected
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
3560
dialer.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
3560
dialer.exe
A Network Trojan was detected
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3
3560
dialer.exe
Crypto Currency Mining Activity Detected
MINER [ANY.RUN] SilentCryptoMiner HTTP Request to UnamWebPanel
3560
dialer.exe
Crypto Currency Mining Activity Detected
ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request
3560
dialer.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
3560
dialer.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
3560
dialer.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
3560
dialer.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
3560
dialer.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
1 ETPRO signatures available at the full report
No debug info