File name: YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe

Full analysis: https://app.any.run/tasks/8c117b83-a481-44e5-b83d-fa3d12c3dc0c
Verdict: Malicious activity
Analysis date: August 25, 2025, 11:48:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-sch
pastebin
winring0-sys
vuln-driver
themida
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 12 sections
MD5: FF27614C0FAD9804243A553E00F48579
SHA1: BC5980DB3EC2C3CE8150FB1581E8949BC95744AE
SHA256: 7D3989432C31D49150099EBE107A13425AB548E63F8F9064AD54FA10FCF5A877
SSDEEP: 98304:kVJAa284UGt7ON5K5FCu8Gg0Qs8NUFHDhCWb4AqMgaKV9luPqMXzQYg570DWGIat:0KCMISjp3TMVuwCN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5548)
      • powershell.exe (PID: 1204)
    • Changes Windows Defender settings

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
    • Adds path to the Windows Defender exclusion list

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
    • Uninstalls Malicious Software Removal Tool (MRT)

      • cmd.exe (PID: 4036)
    • Deletes shadow copies

      • cmd.exe (PID: 5288)
    • Uses Task Scheduler to run other applications

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
    • Changes the Windows auto-update feature

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
    • Starts REAGENTC.EXE to disable the Windows Recovery Environment

      • ReAgentc.exe (PID: 984)
    • Starts CMD.EXE for self-deleting

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
    • Vulnerable driver has been detected

      • WmiPrvSE.exe (PID: 2612)
      • WmiPrvSE.exe (PID: 2612)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 2976)
      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
    • Starts process via Powershell

      • powershell.exe (PID: 5548)
      • powershell.exe (PID: 1204)
    • Reads the BIOS version

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 2976)
      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
      • WmiPrvSE.exe (PID: 2432)
      • WmiPrvSE.exe (PID: 6408)
      • WmiPrvSE.exe (PID: 2612)
    • Starts NET.EXE to display or manage information about active sessions

      • cmd.exe (PID: 5616)
      • cmd.exe (PID: 5252)
      • net.exe (PID: 2188)
      • net.exe (PID: 4112)
      • cmd.exe (PID: 7104)
      • net.exe (PID: 7064)
      • net.exe (PID: 3740)
      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 1388)
      • net.exe (PID: 1180)
    • Starts a Microsoft application from unusual location

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 2976)
      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
    • Starts CMD.EXE for commands execution

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 2976)
      • powershell.exe (PID: 5548)
      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
      • WmiPrvSE.exe (PID: 2432)
      • powershell.exe (PID: 1204)
      • WmiPrvSE.exe (PID: 6408)
      • WmiPrvSE.exe (PID: 2612)
    • The executable file from the user directory is run by the CMD process

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
    • Starts POWERSHELL.EXE for commands execution

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 2976)
      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
      • WmiPrvSE.exe (PID: 2432)
    • Script adds exclusion path to Windows Defender

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
    • Windows service management via SC.EXE

      • sc.exe (PID: 6760)
      • sc.exe (PID: 1160)
      • sc.exe (PID: 1580)
      • sc.exe (PID: 3148)
      • sc.exe (PID: 2716)
      • sc.exe (PID: 6840)
    • Stops a currently running service

      • sc.exe (PID: 1192)
      • sc.exe (PID: 2128)
      • sc.exe (PID: 3740)
      • sc.exe (PID: 2612)
      • sc.exe (PID: 4768)
      • sc.exe (PID: 5500)
    • Starts SC.EXE for service management

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
    • The process deletes folder without confirmation

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
    • Process uninstalls Windows update

      • wusa.exe (PID: 5764)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 7076)
    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 7076)
    • Executable content was dropped or overwritten

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
      • WmiPrvSE.exe (PID: 2612)
    • Uses powercfg.exe to modify the power settings

      • cmd.exe (PID: 1132)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6648)
    • Hides command output

      • cmd.exe (PID: 1164)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1164)
      • cmd.exe (PID: 5764)
    • The process executes via Task Scheduler

      • WmiPrvSE.exe (PID: 2612)
    • Drops a system driver (possible attempt to evade defenses)

      • WmiPrvSE.exe (PID: 2612)
    • Reads security settings of Internet Explorer

      • WmiPrvSE.exe (PID: 2612)
  • INFO

    • The sample was compiled with English language support

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 2976)
      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
      • WmiPrvSE.exe (PID: 2612)
    • Checks supported languages

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 2976)
      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
      • WmiPrvSE.exe (PID: 6408)
      • WmiPrvSE.exe (PID: 2432)
      • WmiPrvSE.exe (PID: 2612)
      • WidgetService.exe (PID: 1568)
    • Process checks whether UAC notifications are on

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
      • WmiPrvSE.exe (PID: 6408)
      • WmiPrvSE.exe (PID: 2612)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3388)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3388)
    • Creates files in the program directory

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
    • Launching a file from Task Scheduler

      • YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe (PID: 6296)
    • Manual execution by a user

      • WmiPrvSE.exe (PID: 2432)
    • Reads the computer name

      • WmiPrvSE.exe (PID: 2612)
      • WidgetService.exe (PID: 1568)
    • Checks proxy server information

      • WmiPrvSE.exe (PID: 2612)
      • slui.exe (PID: 7156)
    • Reads the software policy settings

      • WmiPrvSE.exe (PID: 2612)
      • slui.exe (PID: 7156)
    • Reads the machine GUID from the registry

      • WmiPrvSE.exe (PID: 2612)
    • The sample was compiled with Japanese language support

      • WmiPrvSE.exe (PID: 2612)
    • Themida protector has been detected

      • WmiPrvSE.exe (PID: 2612)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2075:02:05 14:39:35+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 216576
InitializedDataSize: 4409344
UninitializedDataSize: -
EntryPoint: 0x826058
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.26100.3323
ProductVersionNumber: 10.0.26100.3323
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: WMI Provider Host
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
InternalName: Wmiprvse.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: Wmiprvse.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.26100.3323
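The version resource above claims a Microsoft-signed WMI Provider Host, yet the link timestamp is fifty years in the future, the resource calls the file a DLL while the image is a GUI executable, and the Dropped files section shows the sample writing itself under the WmiPrvSE.exe name into C:\ProgramData. As an added example that is not part of the ANY.RUN report, the Python below turns those four observations into reproducible checks. The input dictionaries are copied from this page's EXIF and Dropped files sections; the finding codes, the rule set and the EXPECTED_LOCATIONS table (where Windows actually ships wmiprvse.exe) are the example's own assumptions.

```python
"""Masquerading checks on PE version metadata and drop location.

Added example, not part of the ANY.RUN report. Inputs are constructed from the
EXIF and Dropped files sections of this page; the rules, finding codes and
EXPECTED_LOCATIONS table are assumptions of the example.
"""
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Directories in which Windows ships binaries with these OriginalFileName
# values (assumed lookup table; extend it from a known-good install).
EXPECTED_LOCATIONS = {
    "wmiprvse.exe": (r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"),
}

# Version-info fields as ExifTool reports them, copied from the EXIF section.
SAMPLE_META = {
    "TimeStamp": "2075:02:05 14:39:35+00:00",
    "ImageFileCharacteristics": "Executable, Large address aware",
    "ObjectFileType": "Dynamic link library",
    "CompanyName": "Microsoft Corporation",
    "OriginalFileName": "Wmiprvse.exe",
}
SAMPLE_SHA256 = "7D3989432C31D49150099EBE107A13425AB548E63F8F9064AD54FA10FCF5A877"
# (pid, path, sha256) rows copied from the Dropped files section.
DROPPED = [
    (6296, r"C:\ProgramData\Microsoft\WinMSIPS.{208D2C60-3AEA-1069-A2D7-08002B30309D}\WmiPrvSE.exe",
     "7D3989432C31D49150099EBE107A13425AB548E63F8F9064AD54FA10FCF5A877"),
    (2612, r"C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\WinMSlPC.{208D2C60-3AEA-1069-A2D7-08002B30309D}\WinRing0x64.sys",
     "11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5"),
]
ANALYSIS_TIME = datetime(2025, 8, 25, 11, 48, 42, tzinfo=timezone.utc)


def parse_exif_timestamp(value: str) -> datetime:
    """ExifTool prints the PE link timestamp as 'YYYY:MM:DD HH:MM:SS+HH:MM'."""
    return datetime.strptime(value, "%Y:%m:%d %H:%M:%S%z")


def masquerade_findings(meta, sample_sha256, dropped, analysis_time):
    """Return (code, detail) pairs for metadata that does not add up."""
    findings = []

    # 1. A link timestamp after the analysis date cannot be genuine: the header
    #    was rewritten by a packer/protector or forged by hand.
    ts = parse_exif_timestamp(meta["TimeStamp"])
    if ts > analysis_time:
        findings.append(("future-timestamp",
                         f"linked {ts:%Y-%m-%d}, analysed {analysis_time:%Y-%m-%d}"))

    # 2. The version resource says DLL (VFT_DLL) but the image has no DLL
    #    characteristic: the resource was copied in, not produced by a build.
    if (meta.get("ObjectFileType") == "Dynamic link library"
            and "DLL" not in meta.get("ImageFileCharacteristics", "")):
        findings.append(("filetype-mismatch",
                         "version resource claims DLL, image is an executable"))

    name = meta.get("OriginalFileName", "").lower()
    for pid, path, sha in dropped:
        p = PureWindowsPath(path)
        # 3. A vendor-branded binary written outside its shipping directory.
        if p.name.lower() == name and str(p.parent).lower() not in EXPECTED_LOCATIONS.get(name, ()):
            findings.append(("unexpected-location",
                             f"{meta.get('CompanyName')} {p.name} dropped by PID {pid} under {p.parent}"))
        # 4. A drop whose hash equals the sample is the sample copying itself
        #    under a new name, not a legitimate component being installed.
        if sha.upper() == sample_sha256.upper():
            findings.append(("self-copy", f"PID {pid} wrote the sample itself to {path}"))
    return findings


if __name__ == "__main__":
    for code, detail in masquerade_findings(SAMPLE_META, SAMPLE_SHA256, DROPPED, ANALYSIS_TIME):
        print(f"{code:22} {detail}")
```

Run against the page's values the script reports all four findings; a normally built binary with a past timestamp, a consistent file type and no self-copy reports none. The location table is deliberately a plain dict so that a known-good inventory can be swapped in.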
All screenshots are available in the full report
Total processes: 226
Monitored processes: 95
Malicious processes: 6
Suspicious processes: 6

Behavior graph

Process launch order as shown in the interactive graph (per-process details are in the full report). Processes the graph listed with "no specs" had no indicators of their own and appear unmarked; processes with indicators are marked *; "THREAT" is the graph's own label on the flagged wmiprvse.exe instance. Repeated runs are collapsed with a count.

start, yer2kp0jebhsddvcs9cwnhbkugdxcem9kqxlwfadhgmkyw7fzq.exe, cmd.exe, conhost.exe, net.exe, net1.exe, powershell.exe, conhost.exe, cmd.exe*, conhost.exe, yer2kp0jebhsddvcs9cwnhbkugdxcem9kqxlwfadhgmkyw7fzq.exe*, cmd.exe, conhost.exe, net.exe, net1.exe, powershell.exe, conhost.exe, (sc.exe, conhost.exe) x12, cmd.exe, conhost.exe, cmd.exe, conhost.exe, wusa.exe, cmd.exe, conhost.exe, reagentc.exe, takeown.exe, icacls.exe, cmd.exe, conhost.exe, powercfg.exe x7, cmd.exe, conhost.exe, vssadmin.exe, vssvc.exe, schtasks.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, conhost.exe, timeout.exe, timeout.exe, wmiprvse.exe, cmd.exe, conhost.exe, net.exe, net1.exe, powershell.exe, conhost.exe, cmd.exe*, conhost.exe, wmiprvse.exe, cmd.exe, conhost.exe, net.exe, net1.exe, schtasks.exe, THREAT wmiprvse.exe*, cmd.exe, conhost.exe, net.exe, net1.exe, widgetservice.exe*, conhost.exe, slui.exe*, svchost.exe*

Process information

Each entry lists PID, command line, image path and parent process, followed by user, company, integrity level, description, exit code, version and loaded modules.
PID 304
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WidgetService.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 472
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 640
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 828
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 984
CMD: reagentc.exe /disable
Path: C:\Windows\System32\ReAgentc.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Windows Recovery Agent
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reagentc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID 1096
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1128
CMD: powercfg /x -monitor-timeout-ac 0
Path: C:\Windows\System32\powercfg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\bcrypt.dll
PID 1132
CMD: C:\WINDOWS\system32\net1 session
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\dsrole.dll
PID 1132
CMD: cmd.exe /c powercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c && powercfg /x -standby-timeout-ac 0 && powercfg /x -standby-timeout-dc 0 && powercfg /x -hibernate-timeout-ac 0 && powercfg /x -hibernate-timeout-dc 0 && powercfg /x -monitor-timeout-ac 0 && powercfg /x -monitor-timeout-dc 0
Path: C:\Windows\System32\cmd.exe
Parent process: YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID 1160
CMD: sc.exe config wuauserv start= disabled
Path: C:\Windows\System32\sc.exe
Parent process: YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
Total events: 17 534
Read events: 17 456
Write events: 18
Delete events: 60

Modification events

PID 6296, YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation: write, Name: NoAutoUpdate, Value: 1

PID 6296, YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation: write, Name: NoAUShutdownOption, Value: 1

PID 6296, YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation: write, Name: AlwaysAutoRebootAtScheduledTime, Value: 0

PID 6296, YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation: write, Name: NoAutoRebootWithLoggedOnUsers, Value: 1

PID 6296, YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation: write, Name: AutoInstallMinorUpdates, Value: 0

PID 6296, YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications
Operation: write, Name: DisableNotifications, Value: 1

PID 6296, YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation: write, Name: DontOfferThroughWUAU, Value: 1

PID 6296, YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
Operation: write, Name: DisableResetToFactoryDefault, Value: 1

PID 984, ReAgentc.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: delete key, Name: (default)

PID 984, ReAgentc.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: write, Name: Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
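The command lines in the Process information section and the registry writes above are the observable trail of the evasion and recovery-inhibition steps the signatures flag: update service disabled, WinRE disabled, power timeouts zeroed, update and MRT policies turned off, Defender notifications suppressed. As an added example that is not part of the ANY.RUN report, the Python below runs a small rule set over process-creation and registry-set events constructed from those two sections (in production the same functions would consume Sysmon event IDs 1 and 13 or an EDR feed). The rule names, the ATT&CK labels (the report's own mapping is in the full report) and the rules for vssadmin and Add-MpPreference, whose command lines the page attributes to other PIDs but does not print, are the example's assumptions.

```python
"""Rule-based detection over process-creation and registry-write events.

Added example, not part of the ANY.RUN report. The event lists are constructed
from this page's Process information and Modification events sections; rule
names, ATT&CK labels and the vssadmin / Add-MpPreference rules are assumptions.
"""
import re
from dataclasses import dataclass

# GUID of the built-in High performance power scheme.
HIGH_PERFORMANCE = "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"

COMMAND_RULES = [
    ("T1562.001 service disabled or stopped via sc.exe",
     re.compile(r"\bsc(?:\.exe)?\s+(?:config\s+\S+\s+start=\s*disabled|stop\s+\S+)", re.I)),
    ("T1490 Windows Recovery Environment disabled",
     re.compile(r"\breagentc(?:\.exe)?\s+/disable\b", re.I)),
    ("T1490 volume shadow copies deleted",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1562.001 Defender exclusion added",
     re.compile(r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I)),
    ("power timeouts zeroed (host kept awake)",
     re.compile(r"\bpowercfg(?:\.exe)?\s+[/-]x\s+-(?:standby|hibernate|monitor)-timeout-(?:ac|dc)\s+0\b", re.I)),
    ("power scheme switched to High performance",
     re.compile(r"\bpowercfg(?:\.exe)?\s+[/-]setactive\s+" + HIGH_PERFORMANCE, re.I)),
]

# (key suffix, value name, data, verdict): the value-aware match means a write
# of the default data (e.g. AlwaysAutoRebootAtScheduledTime = 0) is not flagged.
REGISTRY_RULES = [
    (r"\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate", 1, "T1562.001 automatic updates disabled by policy"),
    (r"\Policies\Microsoft\MRT", "DontOfferThroughWUAU", 1, "T1562.001 MRT withheld from Windows Update"),
    (r"\Windows Defender Security Center\Notifications", "DisableNotifications", 1, "T1562.001 Defender notifications suppressed"),
    (r"\Policies\Microsoft\Windows\System", "DisableResetToFactoryDefault", 1, "T1490 factory reset disabled"),
]

CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||[&|])\s*")
CMD_PREFIX = re.compile(r'^"?(?:[a-z]:\\[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str
    evidence: str


def split_chain(cmdline: str) -> list[str]:
    """Break 'cmd /c a && b && c' into the commands cmd actually runs."""
    return [CMD_PREFIX.sub("", part) for part in CHAIN_SPLIT.split(cmdline) if part]


def scan_processes(events) -> list[Finding]:
    findings = []
    for pid, cmdline in events:
        for command in split_chain(cmdline):
            for technique, pattern in COMMAND_RULES:
                if pattern.search(command):
                    findings.append(Finding(pid, technique, command))
                    break  # one verdict per command
    return findings


def scan_registry(events) -> list[Finding]:
    findings = []
    for pid, key, name, data in events:
        for suffix, rule_name, rule_data, technique in REGISTRY_RULES:
            if key.lower().endswith(suffix.lower()) and name.lower() == rule_name.lower() and data == rule_data:
                findings.append(Finding(pid, technique, f"{key}\\{name} = {data}"))
    return findings


def scan(process_events, registry_events) -> list[Finding]:
    return scan_processes(process_events) + scan_registry(registry_events)


# Constructed (pid, command line) events from the Process information section.
PROCESS_EVENTS = [
    (304, r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"),
    (984, "reagentc.exe /disable"),
    (1128, "powercfg /x -monitor-timeout-ac 0"),
    (1132, r"C:\WINDOWS\system32\net1 session"),
    (1132, "cmd.exe /c powercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c "
           "&& powercfg /x -standby-timeout-ac 0 && powercfg /x -standby-timeout-dc 0 "
           "&& powercfg /x -hibernate-timeout-ac 0 && powercfg /x -hibernate-timeout-dc 0 "
           "&& powercfg /x -monitor-timeout-ac 0 && powercfg /x -monitor-timeout-dc 0"),
    (1160, "sc.exe config wuauserv start= disabled"),
]
# Constructed (pid, key, name, data) events from the Modification events section.
REGISTRY_EVENTS = [
    (6296, r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate", 1),
    (6296, r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "AlwaysAutoRebootAtScheduledTime", 0),
    (6296, r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications", "DisableNotifications", 1),
    (6296, r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT", "DontOfferThroughWUAU", 1),
    (6296, r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System", "DisableResetToFactoryDefault", 1),
]

if __name__ == "__main__":
    for f in scan(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(f"PID {f.pid:<5} {f.technique:50} {f.evidence}")
```

Splitting the cmd.exe chain before matching matters: the seven powercfg invocations in PID 1132 each produce their own finding, and the same rule also catches the child powercfg.exe (PID 1128) when it is logged separately, so a tuning pass should dedupe on parent/child rather than loosen the rule. The conhost and net1 events pass through unflagged.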
Executable files: 3
Suspicious files: 6
Text files: 10
Unknown types: 0

Dropped files

PID 984, ReAgentc.exe: C:\Windows\System32\Recovery\Winre.wim
MD5:
SHA256:

PID 5548, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_z1q1rkte.kta.psm1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 984, ReAgentc.exe: C:\Windows\Panther\UnattendGC\diagwrn.xml (text)
MD5: E7D61F31E13255B53337512E2D6EDF08
SHA256: F5FD217C66A78E469FC33EE079506702CA14280B58FEFABFDEEE310F25E314FE

PID 984, ReAgentc.exe: C:\Windows\Panther\UnattendGC\diagerr.xml (text)
MD5: 3A8D2D92D67445734789F82D6E6D90A6
SHA256: E80AA5A43C517844228A67E8A49E30EE8CF68979E54BA0A3FE660C80978808C6

PID 6296, YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq.exe: C:\ProgramData\Microsoft\WinMSIPS.{208D2C60-3AEA-1069-A2D7-08002B30309D}\WmiPrvSE.exe (executable)
MD5: FF27614C0FAD9804243A553E00F48579
SHA256: 7D3989432C31D49150099EBE107A13425AB548E63F8F9064AD54FA10FCF5A877

PID 1204, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j5e5kc1b.jia.ps1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 1204, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cxaar0hg.ltr.psm1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 2612, WmiPrvSE.exe: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\WinMSlPC.{208D2C60-3AEA-1069-A2D7-08002B30309D}\WinRing0x64.sys (executable)
MD5: 0C0195C48B6B8582FA6F6373032118DA
SHA256: 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

PID 2612, WmiPrvSE.exe: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8 (binary)
MD5: 1FBB37F79B317A9A248E7C4CE4F5BAC5
SHA256: 9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F

PID 2612, WmiPrvSE.exe: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\WinMSlPC.{208D2C60-3AEA-1069-A2D7-08002B30309D}\WidgetService.exe (executable)
MD5: 86067BAE6312E30A934547AE91AF5951
SHA256: BEC8D98A6253BF25F33D90DD269AEFECC1B0120F82E1CC36D9693DA1ABFEA103
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 33
DNS requests: 20
Threats: 3

HTTP requests (the Type and Size columns were not recorded in this export)

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2612 | WmiPrvSE.exe | GET | 200 | 172.217.18.3:80 | http://c.pki.goog/r/gsr1.crl | unknown | whitelisted
6540 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2612 | WmiPrvSE.exe | GET | 200 | 172.217.18.3:80 | http://c.pki.goog/r/r4.crl | unknown | whitelisted
1728 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
1728 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
2940 | svchost.exe | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1380 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.241.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6540 | svchost.exe | 20.190.160.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6540 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 172.217.23.110
whitelisted
crl.microsoft.com
  • 2.16.241.14
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
login.live.com
  • 20.190.160.2
  • 20.190.160.132
  • 20.190.160.14
  • 20.190.160.67
  • 20.190.160.20
  • 20.190.160.128
  • 40.126.32.72
  • 20.190.160.64
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
pastebin.com
  • 104.20.29.150
  • 172.66.171.73
whitelisted
c.pki.goog
  • 172.217.18.3
whitelisted
bmw4i428.su
  • 104.21.41.248
  • 172.67.167.212
malicious
stellar-solutions-1945.su
  • 23.177.185.244
unknown

Threats (PID and process were not recorded for two of the three alerts)

PID | Process | Class | Message
 | | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2200 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
 | | Potentially Bad Traffic | ET INFO HTTP Request to .su TLD (Soviet Union) Often Malware Related
No debug info