File name: 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe

Full analysis: https://app.any.run/tasks/36914c70-075a-46de-8d7f-538c8a06d8d4
Verdict: Malicious activity
Analysis date: May 20, 2024, 12:38:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: miner
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5: D9B10475F33905DECB604C690E5D17C0
SHA1: 1728FDBF0AC8FAFF1F66902B0A5D5D8DD08C2544
SHA256: 9539620D8E139D97EF9A29CA267BFE913D9BB0CC1E821696B7B9E554E7AE6A85
SSDEEP: 49152:Rn8+gCN4iigiORdg5aIwC+AlcpfVEnmcKxY/O1u:18zW4kB6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • powershell.exe (PID: 6320)
      • 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe (PID: 6708)
    • Connects to the CnC server

      • 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe (PID: 6708)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe (PID: 6708)
    • Starts itself from another location

      • 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe (PID: 6708)
    • Potential Corporate Privacy Violation

      • 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe (PID: 6708)
  • INFO

    • Checks supported languages

      • 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe (PID: 6708)
      • the 325 randomly named executables that ran after the sample started (DpZcssX.exe, SZnBlpj.exe, vNKqfeQ.exe, …; the full report lists every one of them with its PID)
    • Reads the computer name

      • 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe (PID: 6708)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (39.6)
.exe | Win64 Executable (generic) (26.3)
.exe | UPX compressed Win32 Executable (25.8)
.exe | Win32 Executable (generic) (4.3)
.exe | Generic Win/DOS Executable (1.9)

EXIF

EXE

Subsystem: Windows command line
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x9a338
UninitializedDataSize: 3190784
InitializedDataSize: 4096
CodeSize: 278528
LinkerVersion: 14.22
PEType: PE32+
ImageFileCharacteristics: Executable, Large address aware, No debug
TimeStamp: 2019:08:29 00:43:41+00:00
MachineType: AMD AMD64
No data.
All screenshots are available in the full report
Total processes: 445
Monitored processes: 330
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Flattened from the interactive graph (the clickable version is in the full report). Nodes in order: start, powershell.exe, conhost.exe, 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe, conhost.exe, then the randomly named executables (dpzcssx.exe, sznblpj.exe, vnkqfeq.exe, …) and finally filecoauth.exe; every node except the sample itself is marked "no specs".

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID: 6320
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Minimized -Command "Start-Process C:\Users\admin\Desktop\9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe -Verb runas ; echo 'Started the file with administrator privileges, this is not part of the sample!' ; exit 0
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\win32u.dll
PID: 6328
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6708
CMD: "C:\Users\admin\Desktop\9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe"
Path: C:\Users\admin\Desktop\9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe
Parent process: powershell.exe
User: admin
Integrity Level: HIGH
Modules
Images
c:\users\admin\desktop\9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6744
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6788
CMD: C:\Windows\System\DpZcssX.exe
Path: C:\Windows\System\DpZcssX.exe
Parent process: 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\windows\system\dpzcssx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6812
CMD: C:\Windows\System\SZnBlpj.exe
Path: C:\Windows\System\SZnBlpj.exe
Parent process: 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\windows\system\sznblpj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6832
CMD: C:\Windows\System\vNKqfeQ.exe
Path: C:\Windows\System\vNKqfeQ.exe
Parent process: 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\windows\system\vnkqfeq.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6848
CMD: C:\Windows\System\VUjDiUB.exe
Path: C:\Windows\System\VUjDiUB.exe
Parent process: 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\windows\system\vujdiub.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6868
CMD: C:\Windows\System\aMPTcXl.exe
Path: C:\Windows\System\aMPTcXl.exe
Parent process: 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\windows\system\amptcxl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6896
CMD: C:\Windows\System\IZDFdLS.exe
Path: C:\Windows\System\IZDFdLS.exe
Parent process: 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\windows\system\izdfdls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 15 967
Read events: 15 959
Write events: 8
Delete events: 0

Modification events

Columns: (PID) Process | Key | Operation | Name | Value

(6320) powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
(6320) powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
(6320) powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
(6320) powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
Executable files: 325
Suspicious files: 5
Text files: 2
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type (MD5 and SHA256 on the following lines)

6320 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | (type and hashes not recorded)
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | C:\Windows\System\wXhsrKh.exe | executable
  MD5: 7EF409EE45546399DCEFAF7E745BB6F4
  SHA256: E6D3D9788393B598AB5698E58FC7AF3E56ED41481ED9EED3057BF19DADDEB80E
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | C:\Windows\System\vEyoduB.exe | executable
  MD5: C6B10F5EB84B62500577E20BF7F68C75
  SHA256: 18AE64A7C25028809B8532B01211D85ED6D227F37A17435DC60E33143615F32D
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | C:\Windows\System\xYxfelF.exe | executable
  MD5: 0C58177D33E261F3F8CD649BF9F33FBA
  SHA256: B8B5516D6FF52F9752EA3230991BA062A0534D3A9A9231D4F6BB88DC67795678
6320 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
  MD5: D61E70D758CA1ABD092826F8F8FB6591
  SHA256: DFC6E2A9BD85F12ACD1B5B86A4F00806965D0E4A1CB62B6DCD5355A2F836BF64
6320 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fnxcgm5l.f2n.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | C:\Windows\System\hpZyZSv.exe | executable
  MD5: EE378DDC6E7590C0A470BBA4FBE7822B
  SHA256: 50DA9CCCC51AF716BE74E2EAE2A0D768AC80502C8F1E920DC2808DC6417B1C36
6320 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\46C5JVSSQ8VIHXRV4BJ9.temp | binary
  MD5: 5011518D440BF02A845830FF75CEA7B2
  SHA256: A3C067CD2467BECE95FDE7420E90C73C0471F2AE8C6E9B4AB77FC3F1353F14A8
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | C:\Windows\System\DpZcssX.exe | executable
  MD5: 7FE8A7BB25EA2898B7EEF8DD9F4AF0E3
  SHA256: DB02F1E3DC8629EEEF2E5ED405E96C1387D2BF970498F6D1DA976D5B2BB35EFF
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | C:\Windows\System\VUjDiUB.exe | executable
  MD5: 738A8970626746C6226E637ABF9DA76E
  SHA256: 926C1061D0EEE06047D7B58939BCC51476198DE658A1B0FAB24F76817C6627BB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 26
DNS requests: 5
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP code | IP | URL | CN | Type | Size (the Reputation column was empty for every row)

5140 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.24:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown |
5524 | RUXIMICS.exe | GET | 200 | 2.18.97.123:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown |
1744 | svchost.exe | GET | 200 | 2.18.97.123:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown |
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.18.97.123:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown |
1744 | svchost.exe | GET | 200 | 2.16.164.24:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown |
5524 | RUXIMICS.exe | GET | 200 | 2.16.164.24:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown |
2908 | OfficeClickToRun.exe | POST | 200 | 13.89.179.9:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

(PID and process not shown) | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
5524 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5140 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5140 | MoUsoCoreWorker.exe | 2.16.164.24:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5524 | RUXIMICS.exe | 2.16.164.24:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
1744 | svchost.exe | 2.16.164.24:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5524 | RUXIMICS.exe | 2.18.97.123:80 | www.microsoft.com | Akamai International B.V. | FR | unknown
5140 | MoUsoCoreWorker.exe | 2.18.97.123:80 | www.microsoft.com | Akamai International B.V. | FR | unknown
1744 | svchost.exe | 2.18.97.123:80 | www.microsoft.com | Akamai International B.V. | FR | unknown
1744 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Columns: Domain | IP | Reputation

crl.microsoft.com | 2.16.164.24, 2.16.164.72, 2.16.164.51, 2.16.164.18, 2.16.164.114 | whitelisted
www.microsoft.com | 2.18.97.123 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
self.events.data.microsoft.com | 52.168.117.169 | whitelisted

Threats

Columns: PID | Process | Class | Message

6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
No debug info