File name:

tester24.exe

Full analysis: https://app.any.run/tasks/2798fcfa-e18a-449c-b16f-422f7440d306
Verdict: Malicious activity
Analysis date: June 22, 2025, 09:04:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
auto-reg
uac
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

D6523A9E76765E2CA19B6C4BF90F1537

SHA1:

470FFA8636DFCCABF5A9CEDD8D897676F19ADB34

SHA256:

950AA0E3E3F8C7784A72FFE9590E8B37240CF41DE147D48276B783A4F079FC69

SSDEEP:

98304:0C3CpAEVpbKQdLKbLylu/ZUmTv4I9XLDbenkuA83wpYp2tw9v4MWn7cBU4+rWbO2:R2dS881mwmNuEM491+jg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Disables Windows Defender

      • reg.exe (PID: 4768)
    • Disables task manager

      • reg.exe (PID: 2464)
    • Changes the autorun value in the registry

      • reg.exe (PID: 6900)
    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 4088)
    • Antivirus name has been found in the command line (generic signature)

      • sfc.exe (PID: 5732)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • tester24.exe (PID: 2148)
    • Process drops python dynamic module

      • tester24.exe (PID: 2148)
    • The process drops C-runtime libraries

      • tester24.exe (PID: 2148)
    • Starts CMD.EXE for commands execution

      • tester24.exe (PID: 4172)
      • cmd.exe (PID: 7432)
      • cmd.exe (PID: 6896)
      • cmd.exe (PID: 9812)
      • cmd.exe (PID: 536)
    • Application launched itself

      • tester24.exe (PID: 2148)
      • ClipUp.exe (PID: 1472)
      • cmd.exe (PID: 7432)
      • cmd.exe (PID: 6896)
      • cmd.exe (PID: 9812)
      • cmd.exe (PID: 536)
    • Changes the desktop background image

      • reg.exe (PID: 1192)
      • reg.exe (PID: 2368)
      • reg.exe (PID: 4824)
      • reg.exe (PID: 2216)
      • reg.exe (PID: 4768)
      • reg.exe (PID: 6220)
      • explorer.exe (PID: 7404)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2132)
      • cmd.exe (PID: 4868)
      • cmd.exe (PID: 6344)
      • cmd.exe (PID: 3788)
      • cmd.exe (PID: 5124)
      • cmd.exe (PID: 6756)
      • cmd.exe (PID: 3672)
      • cmd.exe (PID: 1700)
      • cmd.exe (PID: 3584)
      • cmd.exe (PID: 6636)
      • cmd.exe (PID: 1352)
      • cmd.exe (PID: 5532)
      • cmd.exe (PID: 3644)
    • Loads Python modules

      • tester24.exe (PID: 4172)
    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 7076)
      • cmd.exe (PID: 4192)
    • Found strings related to reading or modifying Windows Defender settings

      • tester24.exe (PID: 4172)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6656)
      • tester24.exe (PID: 4172)
    • Reads security settings of Internet Explorer

      • tester24.exe (PID: 4172)
      • StartMenuExperienceHost.exe (PID: 2220)
      • StartMenuExperienceHost.exe (PID: 8928)
      • wmplayer.exe (PID: 1720)
    • Reads the date of Windows installation

      • tester24.exe (PID: 4172)
      • StartMenuExperienceHost.exe (PID: 2220)
      • StartMenuExperienceHost.exe (PID: 8928)
      • SearchApp.exe (PID: 5156)
    • Executes as Windows Service

      • dllhost.exe (PID: 3668)
      • msdtc.exe (PID: 1488)
      • FXSSVC.exe (PID: 5396)
      • VSSVC.exe (PID: 9764)
    • Process uses IPCONFIG to get network configuration information

      • tester24.exe (PID: 4172)
    • There is functionality for taking screenshot (YARA)

      • tester24.exe (PID: 2148)
      • tester24.exe (PID: 4172)
    • The process executes via Task Scheduler

      • ShellAppRuntime.exe (PID: 2228)
      • explorer.exe (PID: 7404)
    • Uses QWINSTA.EXE to read information about user sessions on remote desktops

      • tester24.exe (PID: 4172)
    • Detected use of alternative data streams (AltDS)

      • WFS.exe (PID: 7396)
    • The process exported the data from the registry

      • WSCollect.exe (PID: 8160)
    • Executes application which crashes

      • WWAHost.exe (PID: 6364)
      • WWAHost.exe (PID: 8540)
      • MoUsoCoreWorker.exe (PID: 8928)
      • WpcMon.exe (PID: 10564)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 2296)
      • WerFault.exe (PID: 8568)
    • Executable content was dropped or overwritten

      • tester24.exe (PID: 2148)
    • Write to the desktop.ini file (may be used to cloak folders)

      • WFS.exe (PID: 7396)
    • Creates file in the systems drive root

      • bootcfg.exe (PID: 8476)
    • Uses TIMEOUT.EXE to delay execution

      • tester24.exe (PID: 4172)
    • The process checks if it is being run in the virtual environment

      • mmc.exe (PID: 10120)
    • Reads Microsoft Outlook installation path

      • mmc.exe (PID: 10120)
    • Process copies executable file

      • tester24.exe (PID: 4172)
    • Reads Internet Explorer settings

      • mmc.exe (PID: 10120)
    • Uses QUSER.EXE to read information about current user sessions

      • tester24.exe (PID: 4172)
    • Uses NLTEST.EXE to test domain trust

      • tester24.exe (PID: 4172)
    • Uses ICACLS.EXE to modify access control lists

      • tester24.exe (PID: 4172)
    • SQL CE related mutex has been found

      • unregmp2.exe (PID: 8288)
  • INFO

    • Reads the computer name

      • tester24.exe (PID: 2148)
      • tester24.exe (PID: 4172)
      • SearchApp.exe (PID: 5668)
      • StartMenuExperienceHost.exe (PID: 2220)
      • TextInputHost.exe (PID: 8012)
      • EoAExperiences.exe (PID: 7472)
      • SearchApp.exe (PID: 5156)
      • StartMenuExperienceHost.exe (PID: 8928)
      • tpmvscmgrsvr.exe (PID: 6016)
      • agentactivationruntimestarter.exe (PID: 10084)
      • tpmvscmgrsvr.exe (PID: 9672)
      • wmplayer.exe (PID: 1720)
      • setup_wm.exe (PID: 8236)
    • Checks supported languages

      • tester24.exe (PID: 2148)
      • tester24.exe (PID: 4172)
      • TpmTool.exe (PID: 1148)
      • StartMenuExperienceHost.exe (PID: 2220)
      • SearchApp.exe (PID: 5668)
      • TextInputHost.exe (PID: 8012)
      • EoAExperiences.exe (PID: 7472)
      • StartMenuExperienceHost.exe (PID: 8928)
      • SearchApp.exe (PID: 5156)
      • perfmon.exe (PID: 2728)
      • agentactivationruntimestarter.exe (PID: 10084)
      • tpmvscmgrsvr.exe (PID: 6016)
      • EoAExperiences.exe (PID: 6528)
      • tpmvscmgrsvr.exe (PID: 9672)
      • wmplayer.exe (PID: 1720)
      • setup_wm.exe (PID: 8236)
    • Create files in a temporary directory

      • tester24.exe (PID: 2148)
      • ClipUp.exe (PID: 5676)
      • ddodiag.exe (PID: 4236)
      • WSCollect.exe (PID: 8160)
      • WFS.exe (PID: 7396)
      • reg.exe (PID: 7700)
      • reg.exe (PID: 7772)
      • unregmp2.exe (PID: 11156)
    • The sample compiled with English language support

      • tester24.exe (PID: 2148)
    • Launching a file from a Registry key

      • reg.exe (PID: 6900)
    • Process checks computer location settings

      • tester24.exe (PID: 4172)
      • StartMenuExperienceHost.exe (PID: 2220)
      • SearchApp.exe (PID: 5668)
      • StartMenuExperienceHost.exe (PID: 8928)
      • SearchApp.exe (PID: 5156)
      • setup_wm.exe (PID: 8236)
      • wmplayer.exe (PID: 1720)
    • Disables trace logs

      • rasphone.exe (PID: 3652)
      • FXSSVC.exe (PID: 5396)
      • cmdl32.exe (PID: 8424)
      • rasphone.exe (PID: 9988)
    • Creates files in the program directory

      • RMActivate_ssp_isv.exe (PID: 1472)
      • FXSSVC.exe (PID: 5396)
      • wermgr.exe (PID: 8428)
      • mmc.exe (PID: 8360)
      • DTUHandler.exe (PID: 5688)
      • mmc.exe (PID: 8652)
      • mmc.exe (PID: 10384)
      • unregmp2.exe (PID: 8288)
    • Reads security settings of Internet Explorer

      • verifier.exe (PID: 7076)
      • ComputerDefaults.exe (PID: 4088)
      • FileHistory.exe (PID: 2292)
      • certreq.exe (PID: 2756)
      • LaunchTM.exe (PID: 7744)
      • mmc.exe (PID: 8360)
      • CompMgmtLauncher.exe (PID: 8380)
      • explorer.exe (PID: 7404)
      • mmc.exe (PID: 10120)
      • mmc.exe (PID: 8652)
      • CompMgmtLauncher.exe (PID: 6956)
      • mmc.exe (PID: 10384)
      • unregmp2.exe (PID: 11156)
    • Checks transactions between databases Windows and Oracle

      • mtstocom.exe (PID: 6172)
      • dllhost.exe (PID: 3668)
      • msdtc.exe (PID: 1488)
      • UserAccountControlSettings.exe (PID: 504)
      • mmc.exe (PID: 10384)
    • PyInstaller has been detected (YARA)

      • tester24.exe (PID: 2148)
      • tester24.exe (PID: 4172)
    • Creates files or folders in the user directory

      • RMActivate_isv.exe (PID: 4832)
      • WerFault.exe (PID: 2296)
      • WerFault.exe (PID: 8568)
      • WerFault.exe (PID: 9052)
      • explorer.exe (PID: 7404)
      • mmc.exe (PID: 10120)
      • WerFault.exe (PID: 10636)
      • unregmp2.exe (PID: 8288)
    • Checks proxy server information

      • SearchApp.exe (PID: 5668)
      • WerFault.exe (PID: 2296)
      • WerFault.exe (PID: 8568)
      • WerFault.exe (PID: 9052)
      • SearchApp.exe (PID: 5156)
      • explorer.exe (PID: 7404)
      • mmc.exe (PID: 10120)
      • WerFault.exe (PID: 10636)
    • Reads the machine GUID from the registry

      • SearchApp.exe (PID: 5668)
      • SearchApp.exe (PID: 5156)
    • Reads the software policy settings

      • SearchApp.exe (PID: 5668)
      • WerFault.exe (PID: 2296)
      • WerFault.exe (PID: 8568)
      • WerFault.exe (PID: 9052)
      • SearchApp.exe (PID: 5156)
      • WerFault.exe (PID: 10636)
    • Reads Environment values

      • SearchApp.exe (PID: 5668)
      • SearchApp.exe (PID: 5156)
    • Encodes the UEFI Secure Boot certificates

      • SecureBootEncodeUEFI.exe (PID: 9292)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:22 08:58:14+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 174592
InitializedDataSize: 157184
UninitializedDataSize: -
EntryPoint: 0xd0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
632
Monitored processes
468
Malicious processes
6
Suspicious processes
7

Behavior graph

[Behavior graph: interactive process tree, viewable in the full report. It starts at tester24.exe and branches into repeated cmd.exe -> conhost.exe -> reg.exe chains, rundll32.exe, taskkill.exe and timeout.exe, followed by a long run of Windows system utilities appearing in the tree (ipconfig.exe, qwinsta.exe, quser.exe, nltest.exe, computerdefaults.exe, clipup.exe, sfc.exe, wuauclt.exe and many others).]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 416
CMD: "C:\Windows\System32\proquota.exe"
Path: C:\Windows\System32\proquota.exe
Parent process: tester24.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
ProQuota
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\proquota.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 480
CMD: "C:\Windows\System32\UpgradeSubscription.exe"
Path: C:\Windows\System32\UpgradeSubscription.exe
Parent process: tester24.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Upgrade to Subscription tool
Exit code:
0
Version:
10.0.14393.0 (rs1_release.160715-1616)
Modules
Images
c:\windows\system32\upgradesubscription.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 504
CMD: "C:\Users\admin\Desktop\tester24.exe"
Path: C:\Users\admin\Desktop\tester24.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\tester24.exe
c:\windows\system32\ntdll.dll
PID: 504
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: RMActivate_ssp_isv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 504
CMD: "C:\Windows\System32\UserAccountControlSettings.exe"
Path: C:\Windows\System32\UserAccountControlSettings.exe
Parent process: tester24.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
UserAccountControlSettings
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\useraccountcontrolsettings.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 536
CMD: "C:\Windows\System32\wuauclt.exe"
Path: C:\Windows\System32\wuauclt.exe
Parent process: tester24.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wuauclt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 536
CMD: C:\WINDOWS\system32\cmd.exe /c start
Path: C:\Windows\System32\cmd.exe
Parent process: tester24.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 640
CMD: "C:\Windows\System32\secinit.exe"
Path: C:\Windows\System32\secinit.exe
Parent process: tester24.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Security Init
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\secinit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
PID: 760
CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
Path: C:\Windows\System32\rundll32.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
PID: 984
CMD: "C:\Windows\System32\TapiUnattend.exe"
Path: C:\Windows\System32\TapiUnattend.exe
Parent process: tester24.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Windows(TM) Telephony Unattend Action
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tapiunattend.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
116,125
Read events
115,110
Write events
813
Delete events
202

Modification events

(PID) Process: (2368) reg.exe | Key: HKEY_CURRENT_USER\Control Panel\Desktop
Operation: write | Name: WallpaperStyle
Value: 0
(PID) Process: (1192) reg.exe | Key: HKEY_CURRENT_USER\Control Panel\Desktop
Operation: write | Name: Wallpaper
Value:
(PID) Process: (3480) reg.exe | Key: HKEY_CURRENT_USER\Control Panel\Colors
Operation: write | Name: Background
Value: 0 0 0
(PID) Process: (4768) reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation: write | Name: DisableAntiSpyware
Value: 1
(PID) Process: (3668) reg.exe | Key: HKEY_CURRENT_USER\Control Panel\Desktop
Operation: write | Name: TileWallpaper
Value: 0
(PID) Process: (2464) reg.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write | Name: DisableTaskMgr
Value: 1
(PID) Process: (4824) reg.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
Operation: write | Name: NoChangingWallPaper
Value: 1
(PID) Process: (6900) reg.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write | Name: Tester24
Value: tester24.exe
(PID) Process: (2216) reg.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
Operation: write | Name: NoChangingWallpaper
Value: 1
(PID) Process: (6220) reg.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write | Name: Wallpaper
Value:
Executable files
60
Suspicious files
80
Text files
54
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2148 | Process: tester24.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI21482\_bz2.pyd | Type: executable
MD5: 51CA0713F8FD5F142625A44DF7ED7100
SHA256: 8768315B1E0E81CCD0D96C3D6A863803F5DD1DE6AF849285C439D61ABD32B647
PID: 2148 | Process: tester24.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI21482\_ctypes.pyd | Type: executable
MD5: 429CB0177D5AB205F289D0CC830549FF
SHA256: 6E804ED42CCA2EB401A896FE9542201D4D77DF22ACBD935A3C56DC68530DAE33
PID: 2148 | Process: tester24.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI21482\_hashlib.pyd | Type: executable
MD5: 692837EB1FCB73EF33A1474B18DFC7CD
SHA256: D674D53F7E2F906FBAF0D19AB871F9CFF53956D40B3CE003A2B4B44B549D4B92
PID: 2148 | Process: tester24.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI21482\_lzma.pyd | Type: executable
MD5: 0D549F688E0B2424B549AFCAC58D5FA7
SHA256: 80DF30ED0F2C532C07EA7FDC44836E40A8EBD9E7611365A1A26989147E1A4210
PID: 2148 | Process: tester24.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI21482\api-ms-win-core-console-l1-1-0.dll | Type: executable
MD5: 9F746F4F7D845F063FEA3C37DCEBC27C
SHA256: 88ACE577A9C51061CB7D1A36BABBBEFA48212FADC838FFDE98FDFFF60DE18386
PID: 2148 | Process: tester24.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI21482\api-ms-win-core-debug-l1-1-0.dll | Type: executable
MD5: 226A5983AE2CBBF0C1BDA85D65948ABC
SHA256: 591358EB4D1531E9563EE0813E4301C552CE364C912CE684D16576EABF195DC3
PID: 2148 | Process: tester24.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI21482\VCRUNTIME140.dll | Type: executable
MD5: 32DA96115C9D783A0769312C0482A62D
SHA256: 8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F
PID: 2148 | Process: tester24.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI21482\_socket.pyd | Type: executable
MD5: 1AD8628499A107382153348A14A1DFC7
SHA256: 7A20FE96274F554CC527C65F42A8DE9CF0C201852BEDDDC12E44D9106BAB728F
PID: 2148 | Process: tester24.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI21482\api-ms-win-core-fibers-l1-1-1.dll | Type: executable
MD5: 050A30A687E7A2FA6F086A0DB89AA131
SHA256: FC9D86CEC621383EAB636EBC87DDD3F5C19A3CB2A33D97BE112C051D0B275429
PID: 2148 | Process: tester24.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI21482\api-ms-win-core-handle-l1-1-0.dll | Type: executable
MD5: 416AA8314222DB6CBB3760856BE13D46
SHA256: 39095F59C41D76EC81BB2723D646FDE4C148E7CC3402F4980D2ADE95CB9C84F9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
79
TCP/UDP connections
46
DNS requests
16
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6356 | RUXIMICS.exe | GET | 200 | 184.24.77.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.24.77.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6356 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 2.16.241.201:443 | https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w | unknown | binary | 21.3 Kb | whitelisted
- | - | GET | 200 | 2.16.241.218:443 | https://www.bing.com/manifest/threshold.appcache | unknown | text | 3.09 Kb | whitelisted
- | - | GET | 200 | 2.16.241.205:443 | https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init | unknown | html | 129 Kb | whitelisted
- | - | POST | 204 | 2.16.241.218:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6356 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6356 | RUXIMICS.exe | 184.24.77.35:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.24.77.35:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 184.24.77.35:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6356 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 184.24.77.35
  • 184.24.77.15
  • 184.24.77.37
  • 184.24.77.27
  • 184.24.77.17
  • 184.24.77.23
  • 184.24.77.19
  • 184.24.77.31
  • 184.24.77.14
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
www.bing.com
  • 2.16.241.218
  • 2.16.241.201
  • 2.16.241.205
whitelisted
win1910.ipv6.microsoft.com
  • 40.74.3.100
whitelisted
pnrpv2.ipv6.microsoft.com
  • 2a01:111:f100:2004::8975:67d0
whitelisted
pnrpv21.ipv6.microsoft.com
  • 2a01:111:f100:2004::8975:67d0
whitelisted
watson.events.data.microsoft.com
  • 20.189.173.20
  • 20.42.65.92
  • 20.189.173.22
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
Process
Message
Dism.exe
PID=8260 TID=8264 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
Dism.exe
PID=8260 TID=8264 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect
Dism.exe
PID=8260 TID=8264 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect
Dism.exe
PID=8260 TID=8264 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
Dism.exe
PID=8260 TID=8264 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
Dism.exe
PID=8260 TID=8264 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider
Dism.exe
PID=8260 TID=8264 Disconnecting the provider store - CDISMImageSession::Final_OnDisconnect
Dism.exe
PID=8260 TID=8264 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProvider
Dism.exe
PID=8260 TID=8264 Disconnecting Provider: DISMLogger - CDISMProviderStore::Internal_DisconnectProvider
mmc.exe
ViewerConfigPath = 'C:\ProgramData\Microsoft\Event Viewer': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode