File name: c22c31cbc198252b4370e37e19d238a11e7bdd2daa3663cd710d7762d1c8bd19.exe

Full analysis: https://app.any.run/tasks/cab1bd6a-5bf0-41a5-a560-be0f9f1ec2af
Verdict: Malicious activity
Analysis date: January 06, 2026, 15:31:12
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 43DDA9D528B50353A4DD35EA5A7D59CA
SHA1: F02AD87C2511332855D9CCEB55225AE1130ED50D
SHA256: C22C31CBC198252B4370E37E19D238A11E7BDD2DAA3663CD710D7762D1C8BD19
SSDEEP: 49152:3sj8LlaqK/2z8LhfzLO88ST2aJ/G91LOEujqYjaeCgHEfH2BHQZE7FlzRH2Zi0J3:cj8LlMLYlhYjajyedydFZ5AP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • c22c31cbc198252b4370e37e19d238a11e7bdd2daa3663cd710d7762d1c8bd19.exe (PID: 7596)
      • winmgr21.exe (PID: 8036)
    • Uses Task Scheduler to run other applications

      • winmgr21.exe (PID: 8036)
  • SUSPICIOUS

    • Starts itself from another location

      • c22c31cbc198252b4370e37e19d238a11e7bdd2daa3663cd710d7762d1c8bd19.exe (PID: 7596)
    • Executable content was dropped or overwritten

      • c22c31cbc198252b4370e37e19d238a11e7bdd2daa3663cd710d7762d1c8bd19.exe (PID: 7596)
    • There is functionality for taking screenshot (YARA)

      • winmgr21.exe (PID: 8036)
      • winmgr21.exe (PID: 8072)
      • winmgr21.exe (PID: 5628)
    • Application launched itself

      • RegAsm.exe (PID: 8120)
    • The process executes via Task Scheduler

      • winmgr21.exe (PID: 7256)
      • winmgr21.exe (PID: 5628)
  • INFO

    • Checks supported languages

      • c22c31cbc198252b4370e37e19d238a11e7bdd2daa3663cd710d7762d1c8bd19.exe (PID: 7596)
      • winmgr21.exe (PID: 8036)
      • winmgr21.exe (PID: 8072)
      • RegAsm.exe (PID: 8120)
      • winmgr21.exe (PID: 7256)
      • winmgr21.exe (PID: 5628)
    • The sample was compiled with Chinese language support

      • c22c31cbc198252b4370e37e19d238a11e7bdd2daa3663cd710d7762d1c8bd19.exe (PID: 7596)
    • Reads mouse settings

      • c22c31cbc198252b4370e37e19d238a11e7bdd2daa3663cd710d7762d1c8bd19.exe (PID: 7596)
      • winmgr21.exe (PID: 8036)
      • winmgr21.exe (PID: 8072)
      • winmgr21.exe (PID: 7256)
      • winmgr21.exe (PID: 5628)
    • Launching a file from a Registry key

      • c22c31cbc198252b4370e37e19d238a11e7bdd2daa3663cd710d7762d1c8bd19.exe (PID: 7596)
      • winmgr21.exe (PID: 8036)
    • Creates files in the program directory

      • c22c31cbc198252b4370e37e19d238a11e7bdd2daa3663cd710d7762d1c8bd19.exe (PID: 7596)
      • winmgr21.exe (PID: 8036)
    • Reads the computer name

      • c22c31cbc198252b4370e37e19d238a11e7bdd2daa3663cd710d7762d1c8bd19.exe (PID: 7596)
      • winmgr21.exe (PID: 8036)
      • winmgr21.exe (PID: 8072)
      • RegAsm.exe (PID: 8120)
      • winmgr21.exe (PID: 5628)
      • winmgr21.exe (PID: 7256)
    • Manual execution by a user

      • winmgr21.exe (PID: 8072)
    • The process uses AutoIt

      • winmgr21.exe (PID: 8036)
      • winmgr21.exe (PID: 8072)
      • winmgr21.exe (PID: 5628)
    • Reads the machine GUID from the registry

      • winmgr21.exe (PID: 8036)
      • RegAsm.exe (PID: 8120)
    • Checks proxy server information

      • slui.exe (PID: 7584)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:01:15 16:09:54+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 529920
InitializedDataSize: 1667584
UninitializedDataSize: -
EntryPoint: 0x17850
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 9.0.0.0
ProductVersionNumber: 9.0.0.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
CompanyName: CHENGDU YIWO Tech Development Co., Ltd
FileDescription: EaseUS Data Recovery Wizard
FileVersion: 9.0.0
InternalName: Data Recovery Wizard
LegalCopyright: Copyright (c) 2004-2015 EaseUS.ALL RIGHTS RESERVED.
OriginalFileName: EaseUS Data Recovery Wizard
ProductName: EaseUS Data Recovery Wizard
ProductVersion: 9.0.0
No data.
All screenshots are available in the full report
Total processes: 202
Monitored processes: 62
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start c22c31cbc198252b4370e37e19d238a11e7bdd2daa3663cd710d7762d1c8bd19.exe winmgr21.exe winmgr21.exe no specs regasm.exe no specs schtasks.exe no specs conhost.exe no specs regasm.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs winmgr21.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs slui.exe schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs winmgr21.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 424
CMD: C:\WINDOWS\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr21.exe" /tr "C:\ProgramData\winmgr21.exe" /f
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: winmgr21.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1456
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1948
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2140
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2336
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2364
CMD: C:\WINDOWS\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr21.exe" /tr "C:\ProgramData\winmgr21.exe" /f
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: winmgr21.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2416
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2428
CMD: C:\WINDOWS\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr21.exe" /tr "C:\ProgramData\winmgr21.exe" /f
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: winmgr21.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2460
CMD: C:\WINDOWS\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr21.exe" /tr "C:\ProgramData\winmgr21.exe" /f
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: winmgr21.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3044
CMD: C:\WINDOWS\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr21.exe" /tr "C:\ProgramData\winmgr21.exe" /f
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: winmgr21.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 4 854
Read events: 4 852
Write events: 2
Delete events: 0

Modification events

(PID) Process: (7596) c22c31cbc198252b4370e37e19d238a11e7bdd2daa3663cd710d7762d1c8bd19.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: 2
Value: C:\ProgramData\winmgr21.exe

(PID) Process: (8036) winmgr21.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: 2
Value: C:\ProgramData\winmgr21.exe
Executable files: 2
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID: 7596
Process: c22c31cbc198252b4370e37e19d238a11e7bdd2daa3663cd710d7762d1c8bd19.exe
Filename: C:\ProgramData\winmgr21.exe
Type: executable
MD5: 25BA349BFCD05C312BBFED493861F0E5
SHA256: C961D7133B55331A7683A80663A76DC00FEAC3E9A84DBC7704BADCC683D69E7F

PID: 7596
Process: c22c31cbc198252b4370e37e19d238a11e7bdd2daa3663cd710d7762d1c8bd19.exe
Filename: C:\Users\admin\Desktop\c22c31cbc198252b4370e37e19d238a11e7bdd2daa3663cd710d7762d1c8bd19.exe:Zone.Identifier
Type: text
MD5: 6C72A5FCDB3C81DCC440E3616F704C5D
SHA256: CCC0133D8F43D3021EB667F86AE939F7F8EC83E727B8334F9E0FACCCD6D01063

PID: 8036
Process: winmgr21.exe
Filename: C:\ProgramData\winmgr21.exe:Zone.Identifier
Type: text
MD5: 6C72A5FCDB3C81DCC440E3616F704C5D
SHA256: CCC0133D8F43D3021EB667F86AE939F7F8EC83E727B8334F9E0FACCCD6D01063
HTTP(S) requests: 41
TCP/UDP connections: 40
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2952 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | – | – | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | – | – | whitelisted
5492 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | – | – | whitelisted
2952 | svchost.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | – | – | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | – | – | whitelisted
5492 | RUXIMICS.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | – | – | whitelisted
2212 | svchost.exe | POST | 200 | 40.126.31.130:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
6724 | SIHClient.exe | GET | 200 | 52.165.164.15:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | – | – | whitelisted
– | – | POST | 200 | 20.190.159.68:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | unknown
6724 | SIHClient.exe | GET | 200 | 74.178.240.61:443 | https://slscr.update.microsoft.com/sls/ping | unknown | – | – | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | – | Not routed | – | whitelisted
2952 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5492 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | – | Not routed | – | whitelisted
– | – | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2952 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
5492 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
2952 | svchost.exe | 72.246.29.11:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
google.com | 142.250.186.174 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6, 23.55.110.211, 23.55.110.193 | whitelisted
www.microsoft.com | 72.246.29.11, 88.221.169.152 | whitelisted
login.live.com | 40.126.31.130, 40.126.31.71, 40.126.31.128, 40.126.31.2, 20.190.159.71, 40.126.31.67, 40.126.31.3, 20.190.159.0 | whitelisted
slscr.update.microsoft.com | 74.178.240.61 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted
self.events.data.microsoft.com | 13.70.79.200 | whitelisted
activation-v2.sls.microsoft.com | 48.192.1.64 | whitelisted

Threats

No threats detected
No debug info