File name:

IronTools.exe

Full analysis: https://app.any.run/tasks/649ec9e8-776d-4971-ae28-cf7abb609820
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: January 29, 2025, 10:06:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
miner
xmrig
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5:

549B6E109640780E6EE7C3B3581EE2E8

SHA1:

F02DF59F9FCE5A3ED31AA89315C8D5C2233D090D

SHA256:

59F830F769E1D725A77297470FD0F20DCA0E431145BDDCA8708B06D308536A5B

SSDEEP:

98304:La1eH0Kqe1gtYThpb9wetMgO54xXpLF96F1v18zV8TC60lcsOjGoYoTB:nHNYXXyXpLQv1+mTCluUoN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • IronTools.exe (PID: 4204)
      • IronTools.exe (PID: 6464)
      • fhljncvpwetq.exe (PID: 3840)
      • IronTools.exe (PID: 2132)
      • IronTools.exe (PID: 5936)
      • fhljncvpwetq.exe (PID: 3688)

    • Adds extension to the Windows Defender exclusion list

      • IronTools.exe (PID: 6464)
      • fhljncvpwetq.exe (PID: 3840)
      • IronTools.exe (PID: 2132)
      • fhljncvpwetq.exe (PID: 3688)

    • Uninstalls Malicious Software Removal Tool (MRT)

      • cmd.exe (PID: 4132)
      • cmd.exe (PID: 4144)
      • cmd.exe (PID: 5752)
      • cmd.exe (PID: 3436)

    • XMRIG has been detected (YARA)

      • conhost.exe (PID: 2796)

    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2192)

  • SUSPICIOUS

    • Starts process via Powershell

      • powershell.exe (PID: 848)

    • Starts POWERSHELL.EXE for commands execution

      • IronTools.exe (PID: 4204)
      • IronTools.exe (PID: 6464)
      • fhljncvpwetq.exe (PID: 3840)
      • IronTools.exe (PID: 2132)
      • fhljncvpwetq.exe (PID: 3688)

    • Script adds exclusion path to Windows Defender

      • IronTools.exe (PID: 6464)
      • fhljncvpwetq.exe (PID: 3840)
      • IronTools.exe (PID: 2132)
      • fhljncvpwetq.exe (PID: 3688)

    • Script adds exclusion extension to Windows Defender

      • IronTools.exe (PID: 6464)
      • fhljncvpwetq.exe (PID: 3840)
      • IronTools.exe (PID: 2132)
      • fhljncvpwetq.exe (PID: 3688)

    • Manipulates environment variables

      • powershell.exe (PID: 6904)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 3420)
      • powershell.exe (PID: 4912)

    • Stops a currently running service

      • sc.exe (PID: 5540)
      • sc.exe (PID: 936)
      • sc.exe (PID: 6312)
      • sc.exe (PID: 2356)
      • sc.exe (PID: 6436)
      • sc.exe (PID: 6468)
      • sc.exe (PID: 3560)
      • sc.exe (PID: 6836)
      • sc.exe (PID: 1876)
      • sc.exe (PID: 5156)
      • sc.exe (PID: 6004)
      • sc.exe (PID: 6224)
      • sc.exe (PID: 3680)
      • sc.exe (PID: 3536)
      • sc.exe (PID: 1192)
      • sc.exe (PID: 4972)
      • sc.exe (PID: 4160)
      • sc.exe (PID: 3552)
      • sc.exe (PID: 3608)
      • sc.exe (PID: 5720)
      • sc.exe (PID: 3524)
      • sc.exe (PID: 6296)

    • Executable content was dropped or overwritten

      • IronTools.exe (PID: 6464)
      • fhljncvpwetq.exe (PID: 3840)
      • IronTools.exe (PID: 2132)
      • fhljncvpwetq.exe (PID: 3688)

    • Windows service management via SC.EXE

      • sc.exe (PID: 6644)
      • sc.exe (PID: 6016)
      • sc.exe (PID: 6184)

    • Uses powercfg.exe to modify the power settings

      • IronTools.exe (PID: 6464)
      • fhljncvpwetq.exe (PID: 3840)
      • IronTools.exe (PID: 2132)
      • fhljncvpwetq.exe (PID: 3688)

    • Creates a new Windows service

      • sc.exe (PID: 6856)

    • Executes as Windows Service

      • fhljncvpwetq.exe (PID: 3840)
      • fhljncvpwetq.exe (PID: 3688)

    • Starts CMD.EXE for commands execution

      • fhljncvpwetq.exe (PID: 3840)
      • IronTools.exe (PID: 2132)
      • fhljncvpwetq.exe (PID: 3688)
      • IronTools.exe (PID: 6464)

    • Process uninstalls Windows update

      • wusa.exe (PID: 5604)
      • wusa.exe (PID: 4984)
      • wusa.exe (PID: 5008)
      • wusa.exe (PID: 8)

    • Drops a system driver (possible attempt to evade defenses)

      • fhljncvpwetq.exe (PID: 3840)
      • fhljncvpwetq.exe (PID: 3688)

    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2192)

    • Starts SC.EXE for service management

      • fhljncvpwetq.exe (PID: 3840)
      • IronTools.exe (PID: 2132)
      • fhljncvpwetq.exe (PID: 3688)
      • IronTools.exe (PID: 6464)

    • Reads security settings of Internet Explorer

      • SecHealthUI.exe (PID: 6148)

  • INFO

    • The sample compiled with english language support

      • IronTools.exe (PID: 4204)
      • IronTools.exe (PID: 6464)
      • IronTools.exe (PID: 2132)

    • Checks supported languages

      • IronTools.exe (PID: 4204)
      • IronTools.exe (PID: 6464)
      • fhljncvpwetq.exe (PID: 3840)
      • IronTools.exe (PID: 5936)
      • fhljncvpwetq.exe (PID: 3688)
      • SecHealthUI.exe (PID: 6148)

    • The executable file from the user directory is run by the Powershell process

      • IronTools.exe (PID: 6464)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6904)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 3420)
      • powershell.exe (PID: 4912)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6904)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 3420)
      • powershell.exe (PID: 4912)

    • Creates files in the program directory

      • IronTools.exe (PID: 6464)

    • The sample compiled with japanese language support

      • fhljncvpwetq.exe (PID: 3840)
      • fhljncvpwetq.exe (PID: 3688)

    • UPX packer has been detected

      • conhost.exe (PID: 2796)

    • Manual execution by a user

      • IronTools.exe (PID: 2132)
      • IronTools.exe (PID: 5936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:01:26 21:41:12+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 45568
InitializedDataSize: 5243392
UninitializedDataSize: -
EntryPoint: 0x1140
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 132.0.2957.127
ProductVersionNumber: 132.0.2957.127
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Microsoft Edge
FileTitle: msedge_exe
FileDescription: Microsoft Edge
FileVersion: 132,0,2957,127
LegalCopyright: Copyright Microsoft Corporation. All rights reserved.
LegalTrademark: -
ProductName: Microsoft Corporation
ProductVersion: 132,0,2957,127
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
258
Monitored processes
120
Malicious processes
8
Suspicious processes
5

Behavior graph

Click at the process to see the details
start irontools.exe no specs powershell.exe no specs conhost.exe no specs irontools.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs wusa.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs fhljncvpwetq.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs wusa.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs #XMRIG conhost.exe #MINER svchost.exe rundll32.exe no specs irontools.exe irontools.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs wusa.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs fhljncvpwetq.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs wusa.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs sechealthui.exe no specs securityhealthhost.exe no specs securityhealthhost.exe no specs securityhealthhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
8wusa /uninstall /kb:890830 /quiet /norestartC:\Windows\System32\wusa.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Update Standalone Installer
Exit code:
87
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
204C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -EmbeddingC:\Windows\System32\SecurityHealthHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Security Health Host
Exit code:
0
Version:
4.18.1907.16384 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\securityhealthhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
424\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
848C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\admin\AppData\Local\Temp\IronTools.exe" -Verb runAsC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeIronTools.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
848C:\WINDOWS\system32\powercfg.exe /x -hibernate-timeout-ac 0C:\Windows\System32\powercfg.exefhljncvpwetq.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
936C:\WINDOWS\system32\sc.exe stop bitsC:\Windows\System32\sc.exeIronTools.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1062
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
936\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowercfg.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1064\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1080\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1172\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
28 473
Read events
28 469
Write events
4
Delete events
0

Modification events

(PID) Process:(6464) IronTools.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation:writeName:DontOfferThroughWUAU
Value:
1
(PID) Process:(3840) fhljncvpwetq.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation:writeName:DontOfferThroughWUAU
Value:
1
(PID) Process:(2132) IronTools.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation:writeName:DontOfferThroughWUAU
Value:
1
(PID) Process:(3688) fhljncvpwetq.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation:writeName:DontOfferThroughWUAU
Value:
1
Executable files
4
Suspicious files
4
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
6904powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sogz5iv1.vyj.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
848powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vyre4vny.lil.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7040powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_arnrex2h.duv.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7040powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:7137F53D9F5698566384B56F1A992FC7
SHA256:FBD0D8541361AF637D1B32A167F5AC016F1C3CCEBB96BC872F3A201B745F7210
6464IronTools.exeC:\ProgramData\ojwcbqodajfe\fhljncvpwetq.exeexecutable
MD5:549B6E109640780E6EE7C3B3581EE2E8
SHA256:59F830F769E1D725A77297470FD0F20DCA0E431145BDDCA8708B06D308536A5B
6904powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_d5npkykw.vhh.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7040powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_pjkp4eju.0eo.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7040powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_t5gwkedh.413.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3420powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_f1oel5k5.srz.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3420powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vppwmfog.vee.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
64
DNS requests
35
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
95.101.78.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1176
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
2440
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2440
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6156
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.21.65.154:443
Akamai International B.V.
NL
unknown
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
836
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
95.101.78.42:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
1176
svchost.exe
40.126.32.76:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1176
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 95.101.78.42
  • 95.101.78.32
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
login.live.com
  • 40.126.32.76
  • 20.190.160.22
  • 40.126.32.72
  • 20.190.160.17
  • 40.126.32.138
  • 40.126.32.133
  • 40.126.32.68
  • 40.126.32.136
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
www.bing.com
  • 2.19.80.35
  • 2.19.80.27
  • 2.19.80.50
  • 2.19.80.32
  • 2.19.80.56
  • 2.19.80.51
  • 2.19.80.42
  • 2.19.80.33
  • 2.19.80.40
  • 2.19.80.18
  • 2.19.80.123
  • 2.19.80.122
  • 2.19.80.120
  • 2.19.80.8
  • 2.19.80.19
  • 2.19.80.17
  • 2.19.80.129
  • 2.19.80.24
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
  • 20.199.58.43
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Crypto Currency Mining Activity Detected
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
5064
SearchApp.exe
Not Suspicious Traffic
INFO [ANY.RUN] Azure Front Door domain observed in TLS SNI ( .azurefd .net)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
IronTools.exe