File name: 6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4.exe

Full analysis: https://app.any.run/tasks/ee7f2788-e4fc-49fe-b5df-70f77e6d770f
Verdict: Malicious activity
Analysis date: March 16, 2024, 15:33:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: xmrig
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: C22FCD1A23D0F202CD0602F15CA4A3D1
SHA1: E3F5A2CA3265ECFC9E36CE4EEF23FB3D41CBF99D
SHA256: 6B8277813999B908FC38ECA68DB5249FE0B76A8F652CB1A5A21D073247ED7DC4
SSDEEP: 49152:IVIC8dqVA7aZ2nUxr/gnpfey/Unv526GlrIGOalQ253bjoEygWC:zC8d1eZ+sjAMR2xIG1lJdoG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4.exe (PID: 2456)
      • 6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4.exe (PID: 6556)
      • rlvsnekjfckr.exe (PID: 6956)
    • Adds extension to the Windows Defender exclusion list

      • 6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4.exe (PID: 6556)
      • rlvsnekjfckr.exe (PID: 6956)
    • Application was injected by another process

      • lsass.exe (PID: 780)
      • svchost.exe (PID: 624)
      • winlogon.exe (PID: 684)
      • svchost.exe (PID: 492)
      • svchost.exe (PID: 1096)
      • dwm.exe (PID: 488)
      • svchost.exe (PID: 1504)
      • svchost.exe (PID: 1224)
      • svchost.exe (PID: 1216)
      • svchost.exe (PID: 1240)
      • svchost.exe (PID: 1440)
      • svchost.exe (PID: 1420)
      • svchost.exe (PID: 1372)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 1548)
      • svchost.exe (PID: 1292)
      • svchost.exe (PID: 1776)
      • svchost.exe (PID: 1988)
      • svchost.exe (PID: 2324)
      • svchost.exe (PID: 2332)
      • svchost.exe (PID: 2040)
      • svchost.exe (PID: 2316)
      • svchost.exe (PID: 2244)
      • svchost.exe (PID: 2160)
      • svchost.exe (PID: 2636)
      • svchost.exe (PID: 2896)
      • svchost.exe (PID: 2856)
      • spoolsv.exe (PID: 2548)
      • svchost.exe (PID: 2408)
      • svchost.exe (PID: 2820)
      • svchost.exe (PID: 3044)
      • svchost.exe (PID: 3016)
      • svchost.exe (PID: 1792)
      • svchost.exe (PID: 1652)
      • svchost.exe (PID: 1920)
      • svchost.exe (PID: 1864)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 2936)
      • OfficeClickToRun.exe (PID: 2904)
      • svchost.exe (PID: 2984)
      • svchost.exe (PID: 4260)
      • svchost.exe (PID: 2972)
      • svchost.exe (PID: 3720)
      • svchost.exe (PID: 3384)
      • svchost.exe (PID: 3344)
      • svchost.exe (PID: 3060)
      • svchost.exe (PID: 3128)
      • svchost.exe (PID: 3796)
      • svchost.exe (PID: 3068)
      • sihost.exe (PID: 4236)
      • svchost.exe (PID: 3756)
      • svchost.exe (PID: 4104)
      • svchost.exe (PID: 1172)
      • svchost.exe (PID: 4424)
      • dasHost.exe (PID: 4072)
      • svchost.exe (PID: 4688)
      • svchost.exe (PID: 2928)
      • UserOOBEBroker.exe (PID: 4116)
      • svchost.exe (PID: 4452)
      • svchost.exe (PID: 4304)
      • explorer.exe (PID: 4780)
      • svchost.exe (PID: 4828)
      • svchost.exe (PID: 5024)
      • dllhost.exe (PID: 6028)
      • RuntimeBroker.exe (PID: 5424)
      • RuntimeBroker.exe (PID: 2680)
      • ApplicationFrameHost.exe (PID: 5776)
      • dllhost.exe (PID: 5448)
      • RuntimeBroker.exe (PID: 5172)
      • MoUsoCoreWorker.exe (PID: 1280)
      • svchost.exe (PID: 5312)
      • svchost.exe (PID: 6268)
      • svchost.exe (PID: 6036)
      • svchost.exe (PID: 6012)
      • svchost.exe (PID: 3996)
      • ctfmon.exe (PID: 4524)
      • svchost.exe (PID: 4636)
      • slui.exe (PID: 904)
      • svchost.exe (PID: 6820)
      • svchost.exe (PID: 6716)
      • WmiPrvSE.exe (PID: 632)
      • SppExtComObj.Exe (PID: 6152)
      • slui.exe (PID: 4744)
      • RuntimeBroker.exe (PID: 4756)
      • WmiPrvSE.exe (PID: 2912)
      • RuntimeBroker.exe (PID: 5320)
      • svchost.exe (PID: 6580)
      • taskhostw.exe (PID: 4640)
      • slui.exe (PID: 2084)
      • WmiPrvSE.exe (PID: 1488)
      • slui.exe (PID: 7088)
      • RuntimeBroker.exe (PID: 1912)
    • Runs injected code in another process

      • dialer.exe (PID: 6616)
      • dialer.exe (PID: 4168)
    • Creates a writable file in the system directory

      • powershell.exe (PID: 6548)
    • XMRIG has been detected (YARA)

      • dialer.exe (PID: 6180)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • 6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4.exe (PID: 2456)
      • 6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4.exe (PID: 6556)
      • rlvsnekjfckr.exe (PID: 6956)
    • Powershell scripting: start process

      • 6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4.exe (PID: 2456)
    • Script adds exclusion extension to Windows Defender

      • 6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4.exe (PID: 6556)
      • rlvsnekjfckr.exe (PID: 6956)
    • Starts CMD.EXE for commands execution

      • 6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4.exe (PID: 6556)
      • rlvsnekjfckr.exe (PID: 6956)
    • Script adds exclusion path to Windows Defender

      • 6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4.exe (PID: 6556)
      • rlvsnekjfckr.exe (PID: 6956)
    • Process uninstalls Windows update

      • wusa.exe (PID: 4728)
      • wusa.exe (PID: 5128)
    • Starts SC.EXE for service management

      • 6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4.exe (PID: 6556)
      • rlvsnekjfckr.exe (PID: 6956)
    • Executable content was dropped or overwritten

      • 6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4.exe (PID: 6556)
      • rlvsnekjfckr.exe (PID: 6956)
    • Executes as Windows Service

      • rlvsnekjfckr.exe (PID: 6956)
    • The process creates files with name similar to system file names

      • powershell.exe (PID: 6548)
    • Process drops legitimate windows executable

      • svchost.exe (PID: 6036)
    • Drops a system driver (possible attempt to evade defenses)

      • rlvsnekjfckr.exe (PID: 6956)
  • INFO

    • The executable file from the user directory is run by the Powershell process

      • 6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4.exe (PID: 6556)
    • Checks supported languages

      • 6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4.exe (PID: 6556)
      • rlvsnekjfckr.exe (PID: 6956)
    • Creates files in the program directory

      • MoUsoCoreWorker.exe (PID: 1280)
      • 6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4.exe (PID: 6556)
    • Creates a writable file in the system directory

      • lsass.exe (PID: 780)
    • Reads the software policy settings

      • lsass.exe (PID: 780)
      • slui.exe (PID: 904)
    • Reads the time zone

      • WmiPrvSE.exe (PID: 1488)
    • Drops the executable file immediately after the start

      • svchost.exe (PID: 6036)
    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 2904)
    • Create files in a temporary directory

      • RuntimeBroker.exe (PID: 1912)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:03:13 16:01:34+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 33792
InitializedDataSize: 2836480
UninitializedDataSize: -
EntryPoint: 0x1140
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
Total processes: 178
Monitored processes: 140
Malicious processes: 96
Suspicious processes: 3


Process information

PID
CMD
Path
Indicators
Parent process
PID: 436
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 488
CMD: "dwm.exe"
Path: C:\Windows\System32\dwm.exe
Parent process: winlogon.exe
User:
DWM-1
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Desktop Window Manager
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 492
CMD: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSM
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
PID: 624
CMD: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 632
CMD: C:\WINDOWS\system32\wbem\wmiprvse.exe
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Provider Host
Exit code:
0
Version:
10.0.19041.546 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmiprvse.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ncobjapi.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 684
CMD: winlogon.exe
Path: C:\Windows\System32\winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Exit code:
0
Version:
10.0.19041.1151 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
PID: 780
CMD: C:\WINDOWS\system32\lsass.exe
Path: C:\Windows\System32\lsass.exe
Parent process: wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Exit code:
0
Version:
10.0.19041.1266 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
PID: 832
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 904
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 1064
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 66 950
Read events: 66 387
Write events: 360
Delete events: 203

Modification events

(PID) Process: (1292) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1D6818D1-A23C-4095-9034-EE069EC62FC2}
Operation: write
Name: DynamicInfo
Value: 030000000775C8F3B070DA01DF6F1951B777DA0100000000000000003A9E7F54B777DA01

(PID) Process: (2936) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\VFUProvider
Operation: write
Name: StartTime
Value: 3A07FE54B777DA01

(PID) Process: (3092) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3092) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3092) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3092) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6036) svchost.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Operation: write
Name: C:\Users\admin\AppData\Local\Temp\6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4.exe
Value: 534143500100000000000000070000002800000000D02B000000000001000000000000000000000A7320000050BB64EDDDACD5010000000000000000020000002800000000000000000000000000000000000000000000000000000000000000000000000100000001000000

(PID) Process: (6036) svchost.exe
Key: \REGISTRY\A\{2c25de30-ebca-6847-f1b5-da700e1bb1e2}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

(PID) Process: (6036) svchost.exe
Key: \REGISTRY\A\{2c25de30-ebca-6847-f1b5-da700e1bb1e2}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value:

(PID) Process: (6036) svchost.exe
Key: \REGISTRY\A\{2c25de30-ebca-6847-f1b5-da700e1bb1e2}\Root\InventoryApplicationFile\6b8277813999b908|9f80deb4c2b60949
Operation: write
Name: ProgramId
Value: 00063d1323c020228ea248ed526e8f5e0f1b0000ffff
Executable files: 3
Suspicious files: 21
Text files: 18
Unknown types: 21

Dropped files

PID: 1784
Process: svchost.exe
Filename: C:\Windows\Prefetch\SLUI.EXE-724E99D9.pf
Type: binary
MD5: 458185D15268D106430AFB771E7700E4
SHA256: 696AF37FEA2FF72EB052555C7DA5DA6E0F6851D19E0B5B906AAA0581D7CB2748

PID: 1784
Process: svchost.exe
Filename: C:\Windows\Prefetch\SPPEXTCOMOBJ.EXE-BB03B3D6.pf
Type: binary
MD5: 08E3ED96D50E63D8473A7290EDB58C6F
SHA256: 6ED47132D58626239A8CA95624821F10E2942275CA16E5181D91FE882EC86ABF

PID: 1784
Process: svchost.exe
Filename: C:\Windows\Prefetch\6B8277813999B908FC38ECA68DB52-301EAAAD.pf
Type: binary
MD5: 8F5B9BB3AA43C27E533CB133845614C9
SHA256: CF6440AB12FF8B5055D7E7D5BC67B3DA4E291B8396C88B8A4948A717F7E7C4DA

PID: 1784
Process: svchost.exe
Filename: C:\Windows\Prefetch\SVCHOST.EXE-AD0331FB.pf
Type: binary
MD5: 068C99F404D02507A470BA8E9ECC780D
SHA256: 47A640CE3A019D15518914DE843359D5BDF8E27E1A3D3981827566038F31D5F5

PID: 780
Process: lsass.exe
Filename: C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\c8e77c16-a5a5-4278-b86d-09cf52f51e49
Type: binary
MD5: A4ED02412E8BACEFD2EB996B322ECD5B
SHA256: 9E2B2A3AA04E44D54471A9FEE20926A369346B04C2B9211998DDED713EC8EE36

PID: 1784
Process: svchost.exe
Filename: C:\Windows\Prefetch\POWERSHELL.EXE-920BBA2A.pf
Type: binary
MD5: 424DD6AE84F427C1C5FC7738FE8126CD
SHA256: B0CC89C518EFC9D8CB693E9E5FEE96C8699E10C148A9E052A18B0022FA818623

PID: 3092
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j3rmrah2.nha.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 1784
Process: svchost.exe
Filename: C:\Windows\Prefetch\UPFC.EXE-BDDF79D6.pf
Type: binary
MD5: 1571A592B48716CD3120F38C990E3F60
SHA256: B1E5EE8BA33A511409A3D014FBA33BF219D8F2836F599AC3A32A5DB2BB8BFBA3

PID: 3996
Process: svchost.exe
Filename: C:\WINDOWS\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Type: der
MD5: 07E4E0923C1CE414F054BAE6177D1049
SHA256: 3DCC2CF2C6B2020C5EA9794B9AC798C9CE174811CD66EDE84C972088C2837FA2

PID: 3996
Process: svchost.exe
Filename: C:\WINDOWS\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Type: binary
MD5: 923CA9E10B2C87A1B897DDF3501253CC
SHA256: 240F20AA884F745FA03FACB78BE521E606274D5AA94423FF645E739F98517924
HTTP(S) requests: 3
TCP/UDP connections: 29
DNS requests: 13
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3996 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown
 | | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | binary | 312 b | unknown
4680 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | unknown | binary | 471 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4828 | svchost.exe | 239.255.255.250:1900 | | | | unknown
6120 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3996 | svchost.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1280 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3996 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3996 | svchost.exe | 40.126.32.138:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1528 | backgroundTaskHost.exe | 104.126.37.161:443 | www.bing.com | Akamai International B.V. | DE | unknown
1528 | backgroundTaskHost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4680 | backgroundTaskHost.exe | 20.223.35.26:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4680 | backgroundTaskHost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
ocsp.digicert.com
  • 192.229.221.95
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
www.bing.com
  • 104.126.37.161
  • 104.126.37.186
  • 104.126.37.177
  • 104.126.37.160
  • 104.126.37.130
  • 104.126.37.162
  • 104.126.37.163
  • 104.126.37.178
  • 104.126.37.179
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
pool.hashvault.pro
  • 95.179.241.203
  • 45.76.89.70
unknown
slscr.update.microsoft.com
  • 40.68.123.157
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
login.live.com
  • 20.190.160.14
  • 40.126.32.68
  • 40.126.32.133
  • 20.190.160.20
  • 20.190.160.22
  • 40.126.32.140
  • 40.126.32.138
  • 40.126.32.136
whitelisted
licensing.mp.microsoft.com
  • 20.123.104.105
whitelisted

Threats

PID | Process | Class | Message
2160 | svchost.exe | Crypto Currency Mining Activity Detected | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)