File name:

MemeSense Crack.exe

Full analysis: https://app.any.run/tasks/27cb630f-a620-4563-a535-172f237fdca8
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: July 26, 2024, 10:10:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
miner
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

8C7DC697B3BE09F1D66A29A31A8C6C46

SHA1:

B3DAF07A8634E244943B7E55322C31D40F3FA788

SHA256:

6E947E57938D8A76586839227EA7942A06E4BC597A7667769F753AC3ECAC42E3

SSDEEP:

98304:sKkI464ckHCW3TeG13wjLl86CjRR6cLz3zyt6rjfGKa7StGsZBdVlT+IzyxyDhNt:LmZimjhJ4iWIaRL3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • MemeSense Crack.exe (PID: 2932)
      • updater.exe (PID: 7132)
      • updater.exe (PID: 2188)

    • Adds path to the Windows Defender exclusion list

      • explorer.exe (PID: 5016)

    • Application was injected by another process

      • winlogon.exe (PID: 692)
      • svchost.exe (PID: 452)
      • dwm.exe (PID: 588)
      • lsass.exe (PID: 760)
      • svchost.exe (PID: 1212)
      • svchost.exe (PID: 1372)
      • svchost.exe (PID: 1412)
      • svchost.exe (PID: 1284)
      • svchost.exe (PID: 1680)
      • svchost.exe (PID: 1492)
      • svchost.exe (PID: 1456)
      • svchost.exe (PID: 1232)
      • svchost.exe (PID: 1740)
      • svchost.exe (PID: 1916)
      • svchost.exe (PID: 1656)
      • svchost.exe (PID: 1664)
      • svchost.exe (PID: 1604)
      • svchost.exe (PID: 1928)
      • svchost.exe (PID: 1876)
      • svchost.exe (PID: 1944)
      • svchost.exe (PID: 2180)
      • svchost.exe (PID: 1032)
      • svchost.exe (PID: 1224)
      • svchost.exe (PID: 1088)
      • svchost.exe (PID: 2412)
      • svchost.exe (PID: 2284)
      • svchost.exe (PID: 2076)
      • svchost.exe (PID: 2524)
      • svchost.exe (PID: 2312)
      • svchost.exe (PID: 2912)
      • svchost.exe (PID: 2372)
      • svchost.exe (PID: 2436)
      • svchost.exe (PID: 2532)
      • svchost.exe (PID: 2600)
      • svchost.exe (PID: 2712)
      • spoolsv.exe (PID: 2640)
      • svchost.exe (PID: 2848)
      • svchost.exe (PID: 2236)
      • svchost.exe (PID: 3176)
      • svchost.exe (PID: 2832)
      • svchost.exe (PID: 3156)
      • svchost.exe (PID: 2948)
      • svchost.exe (PID: 3260)
      • svchost.exe (PID: 3540)
      • svchost.exe (PID: 3268)
      • svchost.exe (PID: 3296)
      • dasHost.exe (PID: 3404)
      • svchost.exe (PID: 3952)
      • sihost.exe (PID: 4504)
      • svchost.exe (PID: 4924)
      • svchost.exe (PID: 4528)
      • svchost.exe (PID: 4204)
      • svchost.exe (PID: 3640)
      • svchost.exe (PID: 4348)
      • svchost.exe (PID: 4572)
      • svchost.exe (PID: 4280)
      • ctfmon.exe (PID: 4756)
      • svchost.exe (PID: 4716)
      • explorer.exe (PID: 5016)
      • dllhost.exe (PID: 5652)
      • svchost.exe (PID: 4668)
      • RuntimeBroker.exe (PID: 5504)
      • svchost.exe (PID: 3348)
      • RuntimeBroker.exe (PID: 5248)
      • RuntimeBroker.exe (PID: 2108)
      • MoUsoCoreWorker.exe (PID: 6012)
      • ApplicationFrameHost.exe (PID: 824)
      • svchost.exe (PID: 4372)
      • svchost.exe (PID: 6104)
      • svchost.exe (PID: 6988)
      • dllhost.exe (PID: 4216)
      • svchost.exe (PID: 4888)
      • svchost.exe (PID: 6660)
      • svchost.exe (PID: 6212)
      • uhssvc.exe (PID: 6796)
      • UserOOBEBroker.exe (PID: 5328)
      • svchost.exe (PID: 6840)
      • svchost.exe (PID: 2092)
      • svchost.exe (PID: 7144)
      • OfficeClickToRun.exe (PID: 4132)
      • svchost.exe (PID: 4424)
      • svchost.exe (PID: 6208)
      • RuntimeBroker.exe (PID: 5776)
      • slui.exe (PID: 1328)
      • slui.exe (PID: 1156)
      • taskhostw.exe (PID: 4792)
      • RUXIMICS.exe (PID: 6572)
      • UsoClient.exe (PID: 1296)
      • WaaSMedicAgent.exe (PID: 3336)
      • conhost.exe (PID: 4304)
      • RUXIMICS.exe (PID: 7640)
      • dllhost.exe (PID: 1132)
      • RuntimeBroker.exe (PID: 5592)
      • RuntimeBroker.exe (PID: 3600)
      • SppExtComObj.Exe (PID: 4068)
      • PLUGScheduler.exe (PID: 6836)
      • MusNotification.exe (PID: 6940)
      • sethc.exe (PID: 5320)
      • consent.exe (PID: 7040)
      • sethc.exe (PID: 3332)
      • audiodg.exe (PID: 6468)
      • sethc.exe (PID: 7728)
      • consent.exe (PID: 7756)
      • EaseOfAccessDialog.exe (PID: 6512)
      • consent.exe (PID: 7988)
      • sethc.exe (PID: 5032)
      • sethc.exe (PID: 8164)
      • consent.exe (PID: 6876)
      • EaseOfAccessDialog.exe (PID: 2348)
      • sethc.exe (PID: 6836)
      • sethc.exe (PID: 7752)
      • sethc.exe (PID: 2508)
      • consent.exe (PID: 1176)
      • sethc.exe (PID: 8084)
      • sethc.exe (PID: 5744)
      • consent.exe (PID: 4260)
      • sethc.exe (PID: 8104)
      • consent.exe (PID: 2100)
      • EaseOfAccessDialog.exe (PID: 7028)
      • sethc.exe (PID: 7976)
      • consent.exe (PID: 6308)
      • sethc.exe (PID: 5740)
      • sethc.exe (PID: 1772)
      • consent.exe (PID: 4340)
      • EaseOfAccessDialog.exe (PID: 6608)
      • consent.exe (PID: 8124)
      • consent.exe (PID: 5692)
      • consent.exe (PID: 2308)
      • consent.exe (PID: 1884)
      • EaseOfAccessDialog.exe (PID: 6364)
      • consent.exe (PID: 4152)
      • EaseOfAccessDialog.exe (PID: 6020)
      • EaseOfAccessDialog.exe (PID: 5700)
      • EaseOfAccessDialog.exe (PID: 2872)
      • EaseOfAccessDialog.exe (PID: 7664)
      • EaseOfAccessDialog.exe (PID: 7564)
      • EaseOfAccessDialog.exe (PID: 6464)
      • EaseOfAccessDialog.exe (PID: 4092)
      • EaseOfAccessDialog.exe (PID: 3336)
      • consent.exe (PID: 7588)
      • EaseOfAccessDialog.exe (PID: 7628)

    • Runs injected code in another process

      • dialer.exe (PID: 7116)
      • dialer.exe (PID: 7584)

    • Actions looks like stealing of personal data

      • svchost.exe (PID: 1664)

    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2284)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • MemeSense Crack.exe (PID: 2932)
      • updater.exe (PID: 7132)
      • updater.exe (PID: 2188)
      • explorer.exe (PID: 5016)

    • Reads security settings of Internet Explorer

      • MemeSense Crack.exe (PID: 2932)
      • cli_gui.exe (PID: 2132)

    • Reads the date of Windows installation

      • MemeSense Crack.exe (PID: 2932)

    • Script adds exclusion path to Windows Defender

      • explorer.exe (PID: 5016)

    • Starts POWERSHELL.EXE for commands execution

      • explorer.exe (PID: 5016)

    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 5016)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 3168)
      • cmd.exe (PID: 2376)

    • Uses powercfg.exe to modify the power settings

      • cmd.exe (PID: 4076)
      • cmd.exe (PID: 7664)

    • The process executes via Task Scheduler

      • updater.exe (PID: 2188)

    • Drops a system driver (possible attempt to evade defenses)

      • updater.exe (PID: 2188)

    • Creates or modifies Windows services

      • WaaSMedicAgent.exe (PID: 3336)

    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2284)

    • Creates file in the systems drive root

      • explorer.exe (PID: 5016)

  • INFO

    • Checks supported languages

      • MemeSense Crack.exe (PID: 2932)
      • updater.exe (PID: 7132)
      • cli_gui.exe (PID: 2132)
      • PLUGScheduler.exe (PID: 6836)
      • RUXIMICS.exe (PID: 6572)
      • RUXIMICS.exe (PID: 7640)
      • updater.exe (PID: 2188)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5016)
      • sethc.exe (PID: 3332)
      • sethc.exe (PID: 5320)
      • sethc.exe (PID: 7728)
      • sethc.exe (PID: 8084)
      • sethc.exe (PID: 5032)
      • sethc.exe (PID: 8164)
      • sethc.exe (PID: 7752)
      • sethc.exe (PID: 6836)
      • sethc.exe (PID: 5744)
      • sethc.exe (PID: 7976)
      • sethc.exe (PID: 5740)
      • sethc.exe (PID: 2508)
      • sethc.exe (PID: 1772)
      • sethc.exe (PID: 8104)

    • Reads the computer name

      • MemeSense Crack.exe (PID: 2932)
      • cli_gui.exe (PID: 2132)
      • PLUGScheduler.exe (PID: 6836)

    • Create files in a temporary directory

      • MemeSense Crack.exe (PID: 2932)
      • updater.exe (PID: 7132)

    • Process checks computer location settings

      • MemeSense Crack.exe (PID: 2932)

    • Checks proxy server information

      • cli_gui.exe (PID: 2132)
      • slui.exe (PID: 6952)

    • Reads the software policy settings

      • WaaSMedicAgent.exe (PID: 3336)
      • lsass.exe (PID: 760)
      • OfficeClickToRun.exe (PID: 4132)
      • consent.exe (PID: 7040)
      • consent.exe (PID: 7988)
      • consent.exe (PID: 6876)
      • consent.exe (PID: 7756)
      • consent.exe (PID: 2100)
      • consent.exe (PID: 4260)
      • consent.exe (PID: 4340)
      • consent.exe (PID: 1176)
      • consent.exe (PID: 6308)
      • consent.exe (PID: 2308)
      • consent.exe (PID: 8124)
      • consent.exe (PID: 5692)
      • consent.exe (PID: 4152)
      • consent.exe (PID: 1884)
      • slui.exe (PID: 6952)
      • consent.exe (PID: 7588)

    • Manual execution by a user

      • powershell.exe (PID: 6676)
      • cmd.exe (PID: 3168)
      • cmd.exe (PID: 4076)
      • dialer.exe (PID: 7116)
      • powershell.exe (PID: 1884)
      • schtasks.exe (PID: 8124)
      • powershell.exe (PID: 6076)
      • cmd.exe (PID: 2376)
      • cmd.exe (PID: 7664)
      • dialer.exe (PID: 7584)
      • powershell.exe (PID: 5392)
      • dialer.exe (PID: 256)
      • dialer.exe (PID: 5024)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6676)
      • powershell.exe (PID: 6076)

    • Creates files in the program directory

      • updater.exe (PID: 7132)
      • RUXIMICS.exe (PID: 7640)
      • MoUsoCoreWorker.exe (PID: 6012)
      • updater.exe (PID: 2188)

    • Reads the machine GUID from the registry

      • OfficeClickToRun.exe (PID: 4132)

    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 4132)

    • Checks transactions between databases Windows and Oracle

      • explorer.exe (PID: 5016)

    • Drops the executable file immediately after the start

      • explorer.exe (PID: 5016)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:14 07:32:31+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 8482816
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0x6100fc
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
244
Monitored processes
189
Malicious processes
133
Suspicious processes
16

Behavior graph

Click at the process to see the details
start memesense crack.exe cli_gui.exe no specs conhost.exe no specs updater.exe waasmedicagent.exe conhost.exe slui.exe powershell.exe conhost.exe no specs cmd.exe conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs cmd.exe conhost.exe no specs dialer.exe powershell.exe conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs ruximics.exe schtasks.exe conhost.exe no specs updater.exe powershell.exe conhost.exe no specs cmd.exe conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs cmd.exe conhost.exe no specs dialer.exe powershell.exe conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs dialer.exe dialer.exe sethc.exe sethc.exe consent.exe audiodg.exe sethc.exe consent.exe sethc.exe easeofaccessdialog.exe consent.exe sethc.exe sethc.exe consent.exe sethc.exe sethc.exe easeofaccessdialog.exe sethc.exe consent.exe sethc.exe easeofaccessdialog.exe consent.exe sethc.exe consent.exe sethc.exe sethc.exe consent.exe sethc.exe consent.exe consent.exe easeofaccessdialog.exe consent.exe consent.exe easeofaccessdialog.exe consent.exe easeofaccessdialog.exe consent.exe easeofaccessdialog.exe easeofaccessdialog.exe easeofaccessdialog.exe easeofaccessdialog.exe easeofaccessdialog.exe easeofaccessdialog.exe easeofaccessdialog.exe easeofaccessdialog.exe consent.exe Shell Security Editor no specs svchost.exe dwm.exe winlogon.exe lsass.exe applicationframehost.exe svchost.exe svchost.exe dllhost.exe slui.exe svchost.exe svchost.exe svchost.exe svchost.exe usoclient.exe slui.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe runtimebroker.exe svchost.exe svchost.exe #MINER svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dashost.exe svchost.exe runtimebroker.exe svchost.exe svchost.exe sppextcomobj.exe officeclicktorun.exe svchost.exe dllhost.exe svchost.exe svchost.exe svchost.exe svchost.exe sihost.exe svchost.exe svchost.exe svchost.exe svchost.exe ctfmon.exe taskhostw.exe svchost.exe svchost.exe explorer.exe memesense crack.exe no specs runtimebroker.exe useroobebroker.exe runtimebroker.exe runtimebroker.exe dllhost.exe runtimebroker.exe mousocoreworker.exe svchost.exe svchost.exe svchost.exe ruximics.exe svchost.exe uhssvc.exe plugscheduler.exe svchost.exe musnotification.exe svchost.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
256C:\WINDOWS\System32\dialer.exeC:\Windows\System32\dialer.exe
explorer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Phone Dialer
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\temp\jkiahanfoyhg.tmp
c:\windows\system32\dialer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
452C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSMC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
484\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
488powercfg /x -standby-timeout-dc 0C:\Windows\System32\powercfg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
588"dwm.exe"C:\Windows\System32\dwm.exe
winlogon.exe
User:
DWM-1
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Desktop Window Manager
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
692winlogon.exeC:\Windows\System32\winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
704sc stop dosvcC:\Windows\System32\sc.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Exit code:
1062
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
760C:\WINDOWS\system32\lsass.exeC:\Windows\System32\lsass.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
824C:\WINDOWS\system32\ApplicationFrameHost.exe -EmbeddingC:\Windows\System32\ApplicationFrameHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Application Frame Host
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\applicationframehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\win32u.dll
1032C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
211 094
Read events
210 123
Write events
863
Delete events
108

Modification events

(PID) Process:(5016) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
23004100430042006C006F00620000000000000000000000010000002E00720074006600
(PID) Process:(5016) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001B0180
Operation:writeName:VirtualDesktop
Value:
1000000030304456B6826A20153C39478F3B4E3026BED1E8
(PID) Process:(1284) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C2AF3602-9179-4BAE-85B3-74A4EF5CF51F}
Operation:writeName:DynamicInfo
Value:
03000000BDCB09F80A59DA018C77B60644DFDA01000000000000000060DD360944DFDA01
(PID) Process:(1372) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileService\References\S-1-5-21-1693682860-607145093-2874071422-1001
Operation:writeName:RefCount
Value:
0A000000
(PID) Process:(1372) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileService\References\S-1-5-21-1693682860-607145093-2874071422-1001
Operation:writeName:RefCount
Value:
09000000
(PID) Process:(2932) MemeSense Crack.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2932) MemeSense Crack.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2932) MemeSense Crack.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2932) MemeSense Crack.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(6212) svchost.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Operation:writeName:C:\Users\admin\AppData\Local\Temp\MemeSense Crack.exe
Value:
5341435001000000000000000700000028000000008092008C27820001000000000000000000000A5122000050BB64EDDDACD5010000000000000000
Executable files
10
Suspicious files
61
Text files
18
Unknown types
17

Dropped files

PID
Process
Filename
Type
2932MemeSense Crack.exeC:\Users\admin\AppData\Local\Temp\AC3BF.tmpexecutable
MD5:C46F14685E2BB0266704B217574FA23F
SHA256:4C22A9CE0EA00DE759BEADFF482088106D06D6C6BF93B833A743E999E775D636
1664svchost.exeC:\Windows\Prefetch\HOST.EXE-F5D74C61.pfbinary
MD5:891DFD937C409B8416169E17AE7E255A
SHA256:53846797A44211C0437E2FD8E2D610B6A14BF1AEC49595319E844B9A25013B9A
2932MemeSense Crack.exeC:\Users\admin\AppData\Local\Temp\cli_gui.exeexecutable
MD5:82EE19ED134912BE0FE2000CAF6421C5
SHA256:B225ED38C3C08087B806AAD5609A4F1DDE1DD7CB3C3E99C235E72DC150159AAC
1664svchost.exeC:\Windows\Prefetch\UPDATER.EXE-C456A617.pfbinary
MD5:5B3DCC8885DF7E3C3C47D2BCB9B94BDF
SHA256:B63074ADFF74DDD94863C750C0EFF7BD7491DA073001A7142D486254CC9682FE
6676powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ri2beyeh.kki.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1664svchost.exeC:\Windows\Prefetch\SVCHOST.EXE-AD0331FB.pfbinary
MD5:8850CD66B53F207D6A2D34478FBA3C2A
SHA256:D423EA24132AE21C0124C5244EA0A22221D4E745126D82E983038853A621760F
1664svchost.exeC:\Windows\Prefetch\MEMESENSE CRACK.EXE-31F836A4.pfbinary
MD5:F913200EA2060161D60D6C6701147EDC
SHA256:7244788F3FD2403F3D070D827F940212470C0BD92ED5EA9A0BC93FBE9E88E05E
1664svchost.exeC:\Windows\Prefetch\UPFC.EXE-BDDF79D6.pfbinary
MD5:6EEC1D18FAEB0C887F089ABA4FF40B94
SHA256:9106A1FFB34D76257035E6172700F38089628E307A86F1810F22BC2DC4966A1F
1664svchost.exeC:\Windows\Prefetch\SVCHOST.EXE-6C525542.pfbinary
MD5:14ECD752A1FDC1CCEE7C897A3A0A4A2C
SHA256:146430B41BA92840DB8827547E5ED463FE3E9308DE7E5C7E95F5547BD2C604F8
1664svchost.exeC:\Windows\Prefetch\CLI_GUI.EXE-80C70FDA.pfbinary
MD5:2259D12FF74AE2E081B1FD28E80D8FB0
SHA256:04719FB61A70D63DF5B93C8763D24BCFF15569D54343AC84F3438858D448ACBE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
44
DNS requests
31
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4424
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5368
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4132
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
7720
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
3676
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
996
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
5368
SearchApp.exe
131.253.33.254:443
a-ring-fallback.msedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
5368
SearchApp.exe
92.123.104.33:443
www.bing.com
Akamai International B.V.
DE
unknown
1156
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6012
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
6572
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1328
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
t-ring-fdv2.msedge.net
  • 13.107.237.254
unknown
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 51.124.78.146
whitelisted
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
www.bing.com
  • 92.123.104.33
  • 92.123.104.60
  • 92.123.104.64
  • 92.123.104.17
  • 92.123.104.31
  • 92.123.104.32
  • 92.123.104.59
  • 92.123.104.7
  • 92.123.104.6
  • 92.123.104.61
  • 92.123.104.63
whitelisted
google.com
  • 142.250.184.206
whitelisted
fp-afd-nocache-ccp.azureedge.net
  • 13.107.246.45
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.73
  • 20.190.159.64
  • 40.126.31.73
  • 20.190.159.23
  • 20.190.159.2
  • 40.126.31.69
  • 20.190.159.4
  • 20.190.159.0
  • 20.190.159.71
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.103.199
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

PID
Process
Class
Message
2284
svchost.exe
Crypto Currency Mining Activity Detected
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
MemeSense Crack.exe