File name:

RunAsTI64.exe

Full analysis: https://app.any.run/tasks/ac665a6e-e162-4e81-af6d-b7e944e85b73
Verdict: Malicious activity
Analysis date: July 26, 2025, 13:27:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

9B9F954F38F4987F1735F2A4AE15DDE0

SHA1:

2B63E22649BC554E360871ED3F8F83CC50E70987

SHA256:

BF365D7D5BC3076E5A7F41BB9F0B9E9BEB58AE900BFFCB3BBB10B575C08D66DB

SSDEEP:

98304:Z4XM5lNJ4oVVlA4kEm2O0uh68QqoBXSCXPGms1lw3F0YmKDSd0ujR58Vq84wE8hQ:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • RunAsTI64.exe (PID: 7140)
      • RunAsTI64.exe (PID: 5476)

    • Application launched itself

      • RunAsTI64.exe (PID: 7140)
      • RunAsTI64.exe (PID: 5476)

    • Reads the date of Windows installation

      • RunAsTI64.exe (PID: 7140)
      • RunAsTI64.exe (PID: 5476)

    • Executable content was dropped or overwritten

      • RunAsTI64.exe (PID: 5556)
      • RunAsTI64.exe (PID: 2028)

    • Starts CMD.EXE for commands execution

      • RunAsTI64.exe (PID: 5556)
      • RunFromToken64.exe (PID: 6796)
      • RunAsTI64.exe (PID: 2028)
      • RunFromToken64.exe (PID: 2692)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 3852)
      • cmd.exe (PID: 1324)

    • Windows service management via SC.EXE

      • sc.exe (PID: 1132)
      • sc.exe (PID: 5240)

  • INFO

    • The sample compiled with english language support

      • RunAsTI64.exe (PID: 7140)
      • RunAsTI64.exe (PID: 5556)
      • RunAsTI64.exe (PID: 2028)

    • Reads mouse settings

      • RunAsTI64.exe (PID: 7140)
      • RunAsTI64.exe (PID: 5556)
      • RunFromToken64.exe (PID: 6796)
      • RunAsTI64.exe (PID: 5476)
      • RunFromToken64.exe (PID: 2692)
      • RunAsTI64.exe (PID: 2028)

    • Checks supported languages

      • RunAsTI64.exe (PID: 7140)
      • RunAsTI64.exe (PID: 5556)
      • RunAsTI64.exe (PID: 5476)
      • RunAsTI64.exe (PID: 2028)
      • RunFromToken64.exe (PID: 6796)
      • RunFromToken64.exe (PID: 2692)

    • Reads the computer name

      • RunAsTI64.exe (PID: 7140)
      • RunAsTI64.exe (PID: 5556)
      • RunAsTI64.exe (PID: 5476)
      • RunFromToken64.exe (PID: 6796)
      • RunFromToken64.exe (PID: 2692)
      • RunAsTI64.exe (PID: 2028)

    • Process checks computer location settings

      • RunAsTI64.exe (PID: 7140)
      • RunAsTI64.exe (PID: 5476)

    • Create files in a temporary directory

      • RunAsTI64.exe (PID: 5556)
      • RunAsTI64.exe (PID: 2028)

    • Manual execution by a user

      • RunAsTI64.exe (PID: 5476)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2019:09:28 08:02:58+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 12
CodeSize: 689152
InitializedDataSize: 2193920
UninitializedDataSize: -
EntryPoint: 0x2fb2c
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 3.3.14.5
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
FileVersion: 1.0.0.1
Comments: Start program with same privileges as TrustedInstaller
FileDescription: Start program with same privileges as TrustedInstaller
ProductVersion: 3.3.14.5
LegalCopyright: ©1999-2018 Jonathan Bennett & AutoIt Team
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
157
Monitored processes
23
Malicious processes
0
Suspicious processes
4

Behavior graph

Click at the process to see the details
start runasti64.exe no specs conhost.exe no specs runasti64.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs runfromtoken64.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs runasti64.exe no specs conhost.exe no specs runasti64.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs runfromtoken64.exe conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1132sc start trustedinstallerC:\Windows\System32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1232\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeRunAsTI64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1324cmd.exe /c sc start trustedinstallerC:\Windows\System32\cmd.exeRunAsTI64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1056
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2028"C:\Users\admin\Desktop\RunAsTI64.exe" !C:\Users\admin\Desktop\RunAsTI64.exe
RunAsTI64.exe
User:
admin
Integrity Level:
HIGH
Description:
Start program with same privileges as TrustedInstaller
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\users\admin\desktop\runasti64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
2312\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeRunFromToken64.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2464cmd.exeC:\Windows\System32\cmd.exeRunFromToken64.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
3221225786
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
2692C:\Users\admin\AppData\Local\Temp\RunFromToken64.exe trustedinstaller.exe 1 cmd.exeC:\Users\admin\AppData\Local\Temp\RunFromToken64.exe
RunAsTI64.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
Start a program based on the privileges from a given process' token
Exit code:
0
Version:
1.0.0.3
Modules
Images
c:\users\admin\appdata\local\temp\runfromtoken64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
3852cmd.exe /c sc start trustedinstallerC:\Windows\System32\cmd.exeRunAsTI64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
4400\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeRunFromToken64.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4688\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
1 165
Read events
1 165
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
5556RunAsTI64.exeC:\Users\admin\AppData\Local\Temp\RunFromToken64.exeexecutable
MD5:64746CBC92ABBB261097A7FA6EECD278
SHA256:2E62931ADA755F4F09E4F7ED05C21C6681FF011992458F4344FEDDD9FCDFC960
2028RunAsTI64.exeC:\Users\admin\AppData\Local\Temp\RunFromToken64.exeexecutable
MD5:64746CBC92ABBB261097A7FA6EECD278
SHA256:2E62931ADA755F4F09E4F7ED05C21C6681FF011992458F4344FEDDD9FCDFC960
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
37
DNS requests
14
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1864
svchost.exe
20.190.160.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6024
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6656
SIHClient.exe
172.202.163.200:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
6656
SIHClient.exe
13.95.31.18:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
login.live.com
  • 20.190.160.131
  • 20.190.160.65
  • 20.190.160.2
  • 20.190.160.66
  • 20.190.160.67
  • 40.126.32.133
  • 40.126.32.74
  • 20.190.160.132
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
  • 2603:1030:7::106
whitelisted
18.31.95.13.in-addr.arpa
unknown
6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa
unknown
self.events.data.microsoft.com
  • 52.168.117.174
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
RunAsTI64.exe