File name: SecuriteInfo.com.Variant.Lazy.512783.16091.11801

Full analysis: https://app.any.run/tasks/f8aafc49-06f8-43c2-947a-07b8225e62a7
Verdict: Malicious activity
Analysis date: June 25, 2025, 06:44:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: susp-powershell
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 0AD2C87806A9E1A4BC037679741859B0
SHA1: 814AC80E64387AA07805286B921A97B5698B9C8A
SHA256: 9A6B1C09DC5F09B769689DAE1841B08BD99E712F80B9D1D14299DE8E330BBF41
SSDEEP: 1536:rm/dx5JZHzembY/1sUfMkV38tnxl/Z6bODhtSfUJ1mqlzr:redx5JZHhbY/O2AnD/kStkfUJ1mqlzr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Uses base64 encoding (POWERSHELL)
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
    • Reads security settings of Internet Explorer
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
    • Uses sleep to delay execution (POWERSHELL)
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
      • powershell.exe (PID: 4540)
    • Starts a new process with hidden mode (POWERSHELL)
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
    • Checks a user's role membership (POWERSHELL)
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
    • Adds/modifies Windows certificates
      • certutil.exe (PID: 304)
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
    • Process uses IPCONFIG to clear DNS cache
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
    • Removes files via Powershell
      • powershell.exe (PID: 4540)
    • PowerShell delay command usage (probably sleep evasion)
      • powershell.exe (PID: 4540)
    • Starts POWERSHELL.EXE for commands execution
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
    • Reads the date of Windows installation
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
  • INFO
    • Reads the computer name
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
    • Checks supported languages
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
    • Create files in a temporary directory
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
    • Reads Environment values
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
    • Reads the machine GUID from the registry
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
    • Checks whether the specified file exists (POWERSHELL)
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
    • Reads the software policy settings
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
      • slui.exe (PID: 620)
    • Checks proxy server information
      • slui.exe (PID: 620)
    • Script raised an exception (POWERSHELL)
      • powershell.exe (PID: 4540)
    • Checks if a key exists in the options dictionary (POWERSHELL)
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
    • Found Base64 encoded access to UAC via PowerShell (YARA)
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
    • Found Base64 encoded access to processes via PowerShell (YARA)
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
    • Process checks computer location settings
      • SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe (PID: 7120)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (62)
.exe | Win64 Executable (generic) (23.3)
.dll | Win32 Dynamic Link Library (generic) (5.5)
.exe | Win32 Executable (generic) (3.8)
.exe | Win16/32 Executable Delphi generic (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:06:24 18:40:49+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 50688
InitializedDataSize: 69120
UninitializedDataSize: -
EntryPoint: 0xe4be
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.2.0.0
ProductVersionNumber: 1.2.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Professional Helper and processing utility
CompanyName: Digital Media Solutions
FileDescription: Helper Pro
FileVersion: 1.2.0.0
InternalName: Helper.exe
LegalCopyright: Copyright c 2025 Digital Media Solutions
OriginalFileName: Helper.exe
ProductName: Helper Professional
ProductVersion: 1.2.0.0
AssemblyVersion: 1.2.0.0
No data.
Total processes: 147
Monitored processes: 8
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes shown in the graph: securiteinfo.com.variant.lazy.512783.16091.11801.exe, conhost.exe (no specs), certutil.exe (no specs), ipconfig.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), slui.exe, securiteinfo.com.variant.lazy.512783.16091.11801.exe (no specs)

Process information

PID: 304
CMD: "C:\WINDOWS\system32\certutil.exe" -addstore -f Root C:\Users\admin\AppData\Local\Temp\certificate.cer
Path: C:\Windows\System32\certutil.exe
Parent process: SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CertUtil.exe
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 620
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 4120
CMD: "C:\WINDOWS\system32\ipconfig.exe" /flushdns
Path: C:\Windows\System32\ipconfig.exe
Parent process: SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: IP Configuration Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc.dll

PID: 4540
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Start-Sleep 2; Remove-Item '' -Force
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

PID: 4800
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 5432
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 7032
CMD: "C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe"
Path: C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe
Parent process: explorer.exe
User: admin
Company: Digital Media Solutions
Integrity Level: MEDIUM
Description: Helper Pro
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.2.0.0
Modules (images):
c:\users\admin\appdata\local\temp\securiteinfo.com.variant.lazy.512783.16091.11801.exe
c:\windows\system32\ntdll.dll

PID: 7120
CMD: "C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe"
Path: C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe
Parent process: explorer.exe
User: admin
Company: Digital Media Solutions
Integrity Level: HIGH
Description: Helper Pro
Exit code: 0
Version: 1.2.0.0
Modules (images):
c:\users\admin\appdata\local\temp\securiteinfo.com.variant.lazy.512783.16091.11801.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 16 807
Read events: 16 794
Write events: 9
Delete events: 4

Modification events

(PID) Process: (304) certutil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7
Operation: write
Name: Name
Value: szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION

(PID) Process: (304) certutil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7
Operation: write
Name: Name
Value: szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION

(PID) Process: (304) certutil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7
Operation: write
Name: Name
Value: szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL

(PID) Process: (304) certutil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation: delete value
Name: EEEA33A1DB1C76FD5E9832A3DD6A835B371E17DD
Value:

(PID) Process: (304) certutil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EEEA33A1DB1C76FD5E9832A3DD6A835B371E17DD
Operation: write
Name: Blob
Value:
(certificate blob omitted)

(PID) Process: (7120) SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation: delete value
Name: EEEA33A1DB1C76FD5E9832A3DD6A835B371E17DD
Value:

(PID) Process: (7120) SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EEEA33A1DB1C76FD5E9832A3DD6A835B371E17DD
Operation: write
Name: Blob
Value:
(certificate blob omitted)

(PID) Process: (7120) SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EEEA33A1DB1C76FD5E9832A3DD6A835B371E17DD
Operation: write
Name: Blob
Value:
(certificate blob omitted)

(PID) Process: (7120) SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EEEA33A1DB1C76FD5E9832A3DD6A835B371E17DD
Operation: write
Name: Blob
Value:
(certificate blob omitted)

(PID) Process: (7120) SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
Operation: write
Name: DnsOverHttpsMode
Value: off
Executable files: 0
Suspicious files: 1
Text files: 5
Unknown types: 0

Dropped files

PID: 7120
Process: SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wpaloo1r.igb.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4540
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ailn34el.53m.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7120
Process: SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe
Filename: C:\Users\admin\AppData\Local\Temp\certificate.cer
Type: text
MD5: 04A48E3D805A2443F9164C0EBA528C3B
SHA256: 07465A55A5B0A178DF5844AC20979B472BE2BF369F785CD1B72170902D9ED19A

PID: 4540
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_a24iezqi.evr.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7120
Process: SecuriteInfo.com.Variant.Lazy.512783.16091.11801.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_oysejyic.ld5.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4540
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: EA3B6D518A766951C851738BDF372F44
SHA256: 0B7256FFF50C72614F9C6D7EA71AFF67FB58386CA72B87952E167EC999FDD732
HTTP(S) requests: 6
TCP/UDP connections: 28
DNS requests: 17
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
1268 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4168 | svchost.exe | GET | 200 | 23.210.252.238:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6472 | SIHClient.exe | GET | 200 | 2.18.174.85:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6472 | SIHClient.exe | GET | 200 | 2.18.174.85:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
2940 | svchost.exe | GET | 200 | 184.24.44.214:80 | http://x1.c.lencr.org/ | unknown | whitelisted

(The CN and Size columns of the original table are empty for every row.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1564 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2200 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
2200 | svchost.exe | 224.0.0.251:5353 | - | - | - | unknown
4168 | svchost.exe | 20.190.147.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
google.com | 142.250.184.238 | whitelisted
crl.microsoft.com | 2.16.168.114, 2.16.168.124 | whitelisted
www.microsoft.com | 95.101.149.131, 2.18.174.85 | whitelisted
login.live.com | 20.190.147.0, 20.190.177.149, 20.190.177.20, 20.190.177.85, 20.190.177.83, 20.190.147.7, 20.190.177.148, 20.190.147.3 | whitelisted
ocsp.digicert.com | 23.210.252.238 | whitelisted
nexusrules.officeapps.live.com | 52.111.243.31 | whitelisted
client.wns.windows.com | 172.166.106.148 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.85.23.206 | whitelisted

Threats

No threats detected
No debug info