File name: ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe

Full analysis: https://app.any.run/tasks/245db680-2a0b-420d-99ba-b881e7a33a3a
Verdict: Malicious activity
Analysis date: May 19, 2024, 16:59:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5: BB9E44C4F1E985399723FB6EE3BDF99E
SHA1: 8ACA80796EA6D39FCD2960653A4E1317AFC55D02
SHA256: CE6F2518C4ACAC57D81C8E44F4AADC6AB6DB69C01811C3DFCF076C29182D4B0C
SSDEEP: 98304:NwAfdSzYERkRpLqrOlhAPK9amZrKCQjcXw7ChAHGRMZHZFhVBSxNVg3CpDhUJpxg:FaVAsBEx9Xl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe (PID: 6652)
      • powershell.exe (PID: 6392)
      • HpsrSpoof.exe (PID: 6896)
      • sp_componentbrowserFontDriverPerf.exe (PID: 6956)
      • conhost_sft.exe (PID: 6456)
    • Adds path to the Windows Defender exclusion list

      • sp_componentbrowserFontDriverPerf.exe (PID: 6956)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe (PID: 6652)
      • HpsrSpoof.exe (PID: 6896)
      • sp_componentbrowserFontDriverPerf.exe (PID: 6956)
    • Reads the date of Windows installation

      • ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe (PID: 6652)
      • HpsrSpoof.exe (PID: 6896)
      • sp_componentbrowserFontDriverPerf.exe (PID: 6956)
    • Starts POWERSHELL.EXE for commands execution

      • ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe (PID: 6652)
      • sp_componentbrowserFontDriverPerf.exe (PID: 6956)
    • BASE64 encoded PowerShell command has been detected

      • ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe (PID: 6652)
    • Executable content was dropped or overwritten

      • ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe (PID: 6652)
      • HpsrSpoof.exe (PID: 6896)
      • sp_componentbrowserFontDriverPerf.exe (PID: 6956)
      • conhost_sft.exe (PID: 6456)
    • Base64-obfuscated command line is found

      • ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe (PID: 6652)
    • Drops a system driver (possible attempt to evade defenses)

      • HpsrSpoof.exe (PID: 6896)
    • Starts CMD.EXE for commands execution

      • HpsrSpoof.exe (PID: 6896)
      • sp_componentbrowserFontDriverPerf.exe (PID: 6956)
    • Executed via WMI

      • schtasks.exe (PID: 2684)
      • schtasks.exe (PID: 4920)
      • schtasks.exe (PID: 4544)
      • schtasks.exe (PID: 5012)
      • schtasks.exe (PID: 1428)
      • schtasks.exe (PID: 1108)
      • schtasks.exe (PID: 5800)
      • schtasks.exe (PID: 116)
      • schtasks.exe (PID: 4108)
      • schtasks.exe (PID: 6272)
      • schtasks.exe (PID: 472)
      • schtasks.exe (PID: 3172)
      • schtasks.exe (PID: 3740)
      • schtasks.exe (PID: 4360)
      • schtasks.exe (PID: 6256)
    • The process creates files with name similar to system file names

      • sp_componentbrowserFontDriverPerf.exe (PID: 6956)
    • Script adds exclusion path to Windows Defender

      • sp_componentbrowserFontDriverPerf.exe (PID: 6956)
    • Executing commands from a ".bat" file

      • sp_componentbrowserFontDriverPerf.exe (PID: 6956)
      • HpsrSpoof.exe (PID: 6896)
    • Starts application with an unusual extension

      • cmd.exe (PID: 4500)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 4500)
    • Read disk information to detect sandboxing environments

      • DevManView.exe (PID: 1848)
      • DevManView.exe (PID: 2540)
      • DevManView.exe (PID: 712)
      • DevManView.exe (PID: 3044)
      • DevManView.exe (PID: 3956)
      • DevManView.exe (PID: 4108)
      • DevManView.exe (PID: 896)
      • DevManView.exe (PID: 4288)
      • DevManView.exe (PID: 3692)
      • DevManView.exe (PID: 6328)
      • DevManView.exe (PID: 3712)
      • DevManView.exe (PID: 6240)
      • DevManView.exe (PID: 1016)
      • DevManView.exe (PID: 7024)
      • DevManView.exe (PID: 2288)
  • INFO

    • Checks supported languages

      • ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe (PID: 6652)
      • sp_componentbrowserFontDriverPerf.exe (PID: 6956)
      • conhost_sft.exe (PID: 6996)
      • HpsrSpoof.exe (PID: 6896)
      • Volumeid64.exe (PID: 7128)
      • chcp.com (PID: 6784)
      • DevManView.exe (PID: 2540)
      • DevManView.exe (PID: 3956)
      • DevManView.exe (PID: 1848)
      • DevManView.exe (PID: 3044)
      • DevManView.exe (PID: 712)
      • DevManView.exe (PID: 4108)
      • DevManView.exe (PID: 4288)
      • DevManView.exe (PID: 896)
      • DevManView.exe (PID: 3692)
      • DevManView.exe (PID: 3712)
      • DevManView.exe (PID: 6240)
      • DevManView.exe (PID: 6328)
      • DevManView.exe (PID: 7024)
      • DevManView.exe (PID: 2288)
      • AMIDEWINx64.exe (PID: 4432)
      • AMIDEWINx64.exe (PID: 6300)
      • DevManView.exe (PID: 1016)
      • AMIDEWINx64.exe (PID: 6748)
      • AMIDEWINx64.exe (PID: 428)
      • AMIDEWINx64.exe (PID: 4960)
      • AMIDEWINx64.exe (PID: 6808)
      • AMIDEWINx64.exe (PID: 5996)
      • AMIDEWINx64.exe (PID: 6288)
      • conhost_sft.exe (PID: 6456)
      • AMIDEWINx64.exe (PID: 6200)
      • AMIDEWINx64.exe (PID: 7064)
      • AMIDEWINx64.exe (PID: 4988)
      • AMIDEWINx64.exe (PID: 5852)
      • AMIDEWINx64.exe (PID: 6632)
      • AMIDEWINx64.exe (PID: 6872)
      • AMIDEWINx64.exe (PID: 6848)
      • AMIDEWINx64.exe (PID: 6184)
      • AMIDEWINx64.exe (PID: 3496)
      • AMIDEWINx64.exe (PID: 4384)
      • AMIDEWINx64.exe (PID: 1720)
    • Reads the computer name

      • ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe (PID: 6652)
      • sp_componentbrowserFontDriverPerf.exe (PID: 6956)
      • HpsrSpoof.exe (PID: 6896)
      • DevManView.exe (PID: 2540)
      • DevManView.exe (PID: 3956)
      • DevManView.exe (PID: 3044)
      • DevManView.exe (PID: 712)
      • DevManView.exe (PID: 1848)
      • DevManView.exe (PID: 4108)
      • DevManView.exe (PID: 4288)
      • DevManView.exe (PID: 896)
      • DevManView.exe (PID: 3692)
      • Volumeid64.exe (PID: 7128)
      • DevManView.exe (PID: 6240)
      • DevManView.exe (PID: 3712)
      • DevManView.exe (PID: 6328)
      • DevManView.exe (PID: 7024)
      • AMIDEWINx64.exe (PID: 6300)
      • AMIDEWINx64.exe (PID: 4432)
      • DevManView.exe (PID: 2288)
      • DevManView.exe (PID: 1016)
      • AMIDEWINx64.exe (PID: 428)
      • AMIDEWINx64.exe (PID: 4960)
      • AMIDEWINx64.exe (PID: 6748)
      • AMIDEWINx64.exe (PID: 6808)
      • AMIDEWINx64.exe (PID: 5996)
      • AMIDEWINx64.exe (PID: 6200)
      • AMIDEWINx64.exe (PID: 7064)
      • AMIDEWINx64.exe (PID: 6288)
      • AMIDEWINx64.exe (PID: 4988)
      • AMIDEWINx64.exe (PID: 5852)
      • AMIDEWINx64.exe (PID: 6872)
      • AMIDEWINx64.exe (PID: 6632)
      • conhost_sft.exe (PID: 6456)
      • AMIDEWINx64.exe (PID: 4384)
      • AMIDEWINx64.exe (PID: 1720)
      • AMIDEWINx64.exe (PID: 3496)
      • AMIDEWINx64.exe (PID: 6848)
      • AMIDEWINx64.exe (PID: 6184)
    • Process checks computer location settings

      • ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe (PID: 6652)
      • HpsrSpoof.exe (PID: 6896)
      • sp_componentbrowserFontDriverPerf.exe (PID: 6956)
    • Creates files or folders in the user directory

      • ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe (PID: 6652)
    • Creates files in the program directory

      • HpsrSpoof.exe (PID: 6896)
      • sp_componentbrowserFontDriverPerf.exe (PID: 6956)
    • Reads the machine GUID from the registry

      • sp_componentbrowserFontDriverPerf.exe (PID: 6956)
      • conhost_sft.exe (PID: 6456)
    • Reads product name

      • Volumeid64.exe (PID: 7128)
    • Reads Environment values

      • sp_componentbrowserFontDriverPerf.exe (PID: 6956)
      • Volumeid64.exe (PID: 7128)
      • conhost_sft.exe (PID: 6456)
    • Create files in a temporary directory

      • sp_componentbrowserFontDriverPerf.exe (PID: 6956)
    • NirSoft software is detected

      • DevManView.exe (PID: 2540)
      • DevManView.exe (PID: 3956)
      • DevManView.exe (PID: 712)
      • DevManView.exe (PID: 3044)
      • DevManView.exe (PID: 1848)
      • DevManView.exe (PID: 4108)
      • DevManView.exe (PID: 896)
      • DevManView.exe (PID: 3692)
      • DevManView.exe (PID: 4288)
      • DevManView.exe (PID: 3712)
      • DevManView.exe (PID: 6328)
      • DevManView.exe (PID: 6240)
      • DevManView.exe (PID: 7024)
      • DevManView.exe (PID: 2288)
      • DevManView.exe (PID: 1016)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6284)
      • powershell.exe (PID: 6264)
      • powershell.exe (PID: 6224)
      • powershell.exe (PID: 6324)
      • powershell.exe (PID: 6204)
      • powershell.exe (PID: 6816)
    • Manual execution by a user

      • powershell.exe (PID: 6188)
    • Checks proxy server information

      • conhost_sft.exe (PID: 6456)
    • Reads the software policy settings

      • conhost_sft.exe (PID: 6456)
    • Disables trace logs

      • conhost_sft.exe (PID: 6456)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 2048
InitializedDataSize: 6586368
UninitializedDataSize: -
EntryPoint: 0x1019700
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.2.0.0
ProductVersionNumber: 1.2.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: -
FileTitle: HWID Spoofer
FileDescription: -
FileVersion: 1,2,0,0
LegalCopyright: -
LegalTrademark: -
ProductName: -
ProductVersion: 1,2,0,0
No data.
All screenshots are available in the full report
Total processes: 228
Monitored processes: 112
Malicious processes: 7
Suspicious processes: 15

Behavior graph

[Behavior graph: interactive process tree, available in the full report. Process images appearing as nodes: powershell.exe, conhost.exe, ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe, hpsrspoof.exe, sp_componentbrowserfontdriverperf.exe, conhost_sft.exe, cmd.exe, volumeid64.exe, schtasks.exe, chcp.com, ping.exe, devmanview.exe, rundll32.exe, amidewinx64.exe.]

Process information

PID: 116
CMD: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\found.000\dir0001.chk\Idle.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 308
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 364
CMD: "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
Path: C:\Windows\System32\cmd.exe
Parent process: HpsrSpoof.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 16
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 428
CMD: C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 54570HP-TRGT20085SL
Path: C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 218
Modules (images):
c:\programdata\microsoft\windows\amidewinx64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 472
CMD: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 712
CMD: C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
Path: C:\ProgramData\Microsoft\Windows\DevManView.exe
Parent process: cmd.exe
User: admin
Company: NirSoft
Integrity Level: HIGH
Description: DevManView
Exit code: 0
Version: 1.75
Modules (images):
c:\programdata\microsoft\windows\devmanview.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID: 896
CMD: C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
Path: C:\ProgramData\Microsoft\Windows\DevManView.exe
Parent process: cmd.exe
User: admin
Company: NirSoft
Integrity Level: HIGH
Description: DevManView
Exit code: 0
Version: 1.75
Modules (images):
c:\programdata\microsoft\windows\devmanview.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID: 1016
CMD: C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
Path: C:\ProgramData\Microsoft\Windows\DevManView.exe
Parent process: cmd.exe
User: admin
Company: NirSoft
Integrity Level: HIGH
Description: DevManView
Exit code: 0
Version: 1.75
Modules (images):
c:\programdata\microsoft\windows\devmanview.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID: 1108
CMD: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\found.000\dir0000.chk\explorer.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1120
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Total events: 122 148
Read events: 122 089
Write events: 59
Delete events: 0

Modification events

(PID) Process: (6392) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6392) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6392) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6392) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6652) ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6652) ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6652) ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6652) ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6896) HpsrSpoof.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6896) HpsrSpoof.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Executable files: 30
Suspicious files: 3
Text files: 29
Unknown types: 1

Dropped files

PID 6392, powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z4FHL5C9JZY1R8MTGK6V.temp
MD5:
SHA256:

PID 6392, powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: 0BE3A3FE34F6F5591E221620F48A867F
SHA256: 90C86780A9A97A5E35C76C84A247ACCAEEB92472C77926DF1E2082B8D52C6389

PID 6392, powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yog2ymqd.rkz.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 6896, HpsrSpoof.exe
Filename: C:\ProgramData\Microsoft\Windows\DevManView.cfg
Type: ini
MD5: 43B37D0F48BAD1537A4DE59FFDA50FFE
SHA256: FC258DFB3E49BE04041AC24540EF544192C2E57300186F777F301D586F900288

PID 6896, HpsrSpoof.exe
Filename: C:\ProgramData\Microsoft\Windows\SerialC.bat
Type: text
MD5: 7E5B8087C82A0372A9C89F0B71F7DEE2
SHA256: 9AFA8616B253CE734C5BE06D41FB20B398488EB62D1B093F732857AE3D09029E

PID 6652, ce6f2518c4acac57d81c8e44f4aadc6ab6db69c01811c3dfcf076c29182d4b0c.exe
Filename: C:\Users\admin\AppData\Roaming\sp_componentbrowserFontDriverPerf.exe
Type: executable
MD5: 547C9F5CA62183622587BD980B3487B0
SHA256: FC553A09F397D4D405362AA8AEEEDE9487F16D12C9726F3EFD1D15CF3B11244A

PID 6896, HpsrSpoof.exe
Filename: C:\ProgramData\Microsoft\Windows\DevManView.chm
Type: chm
MD5: FCB3C9E1524CAFB62E98A4883C72E53D
SHA256: 94D08A83B3B3509FA17860BCDDD6ED038BE29F3BD99251433E235111A8F381EC

PID 6896, HpsrSpoof.exe
Filename: C:\ProgramData\Microsoft\Windows\DevManView.exe
Type: executable
MD5: 33D7A84F8EF67FD005F37142232AE97E
SHA256: A1BE60039F125080560EDF1EEBEE5B6D9E2D6039F5F5AC478E6273E05EDADB4B

PID 6956, sp_componentbrowserFontDriverPerf.exe
Filename: C:\Users\admin\Desktop\eCJAYeRF.log
Type: executable
MD5: E9CE850DB4350471A62CC24ACB83E859
SHA256: 7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A

PID 6896, HpsrSpoof.exe
Filename: C:\ProgramData\Microsoft\Windows\amifldrv64.sys
Type: executable
MD5: 785045F8B25CD2E937DDC6B09DEBE01A
SHA256: 37073E42FFA0322500F90CD7E3C8D02C4CDD695D31C77E81560ABEC20BFB68BA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 22
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5612 | svchost.exe | GET | 200 | 2.20.71.230:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | unknown
5228 | RUXIMICS.exe | GET | 200 | 2.20.71.230:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | unknown
5228 | RUXIMICS.exe | GET | 200 | 23.49.245.164:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.20.71.230:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | unknown
5612 | svchost.exe | GET | 200 | 23.49.245.164:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.49.245.164:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | unknown
| | GET | 404 | 104.20.4.235:443 | https://pastebin.com/raw/qivZa09c | unknown | html | 687 b |

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4364 | svchost.exe | 239.255.255.250:1900 | | | | unknown
4 | System | 192.168.100.255:138 | | | | unknown
5612 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5228 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5612 | svchost.exe | 2.20.71.230:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5228 | RUXIMICS.exe | 2.20.71.230:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5140 | MoUsoCoreWorker.exe | 2.20.71.230:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5612 | svchost.exe | 23.49.245.164:80 | www.microsoft.com | AKAMAI-AS | PT | unknown
5228 | RUXIMICS.exe | 23.49.245.164:80 | www.microsoft.com | AKAMAI-AS | PT | unknown

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 2.20.71.230, 2.20.71.152 | whitelisted
www.microsoft.com | 23.49.245.164 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
pastebin.com | 172.67.19.24, 104.20.3.235, 104.20.4.235 | shared

Threats

No threats detected
No debug info