File name:

wininit.exe

Full analysis: https://app.any.run/tasks/503433c0-b9f2-44b8-9cc5-0e301152fc07
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Malware Trends Tracker     >>>
Analysis date: June 21, 2025, 20:39:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
nanocore
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

180CA74FBA5C4C543EBD9F9F91C327B8

SHA1:

C8BE72F37A0401DFAEFBA2A2BC0F8D82B9446817

SHA256:

D7CFF825F5646C6193712CDB25D267850B3198DB1B8709F0A411645F0763F9E4

SSDEEP:

6144:6NFfUMuzkIM5jiap0UuLWHYtbI1vEr55sbasrI/F:6NFaXPAuLPtbI1K55O/rE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • wininit.exe (PID: 1480)
      • wininit.exe (PID: 6852)

    • Uses Task Scheduler to run other applications

      • wininit.exe (PID: 1480)

    • NANOCORE has been detected (YARA)

      • wininit.exe (PID: 1480)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • wininit.exe (PID: 6852)
      • wininit.exe (PID: 1480)

    • Executable content was dropped or overwritten

      • wininit.exe (PID: 6852)
      • wininit.exe (PID: 1480)

    • Reads security settings of Internet Explorer

      • wininit.exe (PID: 6852)

    • Application launched itself

      • wininit.exe (PID: 6852)

  • INFO

    • Reads the machine GUID from the registry

      • wininit.exe (PID: 6852)
      • wininit.exe (PID: 1480)
      • lanhost.exe (PID: 5900)

    • Launching a file from a Registry key

      • wininit.exe (PID: 6852)
      • wininit.exe (PID: 1480)

    • Checks supported languages

      • wininit.exe (PID: 6852)
      • lanhost.exe (PID: 5900)
      • wininit.exe (PID: 1480)

    • Process checks whether UAC notifications are on

      • wininit.exe (PID: 6852)
      • wininit.exe (PID: 1480)

    • Creates files or folders in the user directory

      • wininit.exe (PID: 6852)
      • wininit.exe (PID: 1480)

    • Reads the computer name

      • wininit.exe (PID: 6852)
      • wininit.exe (PID: 1480)
      • lanhost.exe (PID: 5900)

    • Process checks computer location settings

      • wininit.exe (PID: 6852)

    • Create files in a temporary directory

      • wininit.exe (PID: 1480)

    • Checks proxy server information

      • slui.exe (PID: 5552)

    • Reads the software policy settings

      • slui.exe (PID: 5552)

    • Creates files in the program directory

      • wininit.exe (PID: 1480)

    • Manual execution by a user

      • lanhost.exe (PID: 5900)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Nanocore

(PID) Process(1480) wininit.exe
KeyboardLoggingTrue
BuildTime2025-06-21 20:10:44.329000
Version1.2.2.0
Mutex7118dcef-05cd-4cbf-8a52-6eca47fce4f5
DefaultGroupelijah
PrimaryConnectionHostcomputernewb.com
BackupConnectionHostcollabvm.org
ConnectionPort80
RunOnStartupTrue
RequestElevationTrue
BypassUserAccountControlTrue
ClearZoneIdentifierTrue
ClearAccessControlTrue
SetCriticalProcessTrue
PreventSystemSleepTrue
ActivateAwayModeTrue
EnableDebugModeFalse
RunDelay0
ConnectDelay4000
RestartDelay5000
TimeoutInterval5000
KeepAliveTimeout30000
MutexTimeout5000
LanTimeout2500
WanTimeout8000
BufferSize65535
MaxPacketSize10485760
GCThreshold10485760
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:02:22 00:49:37+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 116736
InitializedDataSize: 90624
UninitializedDataSize: -
EntryPoint: 0x1e792
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
146
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wininit.exe #NANOCORE wininit.exe schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs lanhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1096\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1480"C:\Users\admin\AppData\Local\Temp\wininit.exe" C:\Users\admin\AppData\Local\Temp\wininit.exe
wininit.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\wininit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Nanocore
(PID) Process(1480) wininit.exe
KeyboardLoggingTrue
BuildTime2025-06-21 20:10:44.329000
Version1.2.2.0
Mutex7118dcef-05cd-4cbf-8a52-6eca47fce4f5
DefaultGroupelijah
PrimaryConnectionHostcomputernewb.com
BackupConnectionHostcollabvm.org
ConnectionPort80
RunOnStartupTrue
RequestElevationTrue
BypassUserAccountControlTrue
ClearZoneIdentifierTrue
ClearAccessControlTrue
SetCriticalProcessTrue
PreventSystemSleepTrue
ActivateAwayModeTrue
EnableDebugModeFalse
RunDelay0
ConnectDelay4000
RestartDelay5000
TimeoutInterval5000
KeepAliveTimeout30000
MutexTimeout5000
LanTimeout2500
WanTimeout8000
BufferSize65535
MaxPacketSize10485760
GCThreshold10485760
2996\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5552C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5900"C:\Program Files (x86)\LAN Host\lanhost.exe"C:\Program Files (x86)\LAN Host\lanhost.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\program files (x86)\lan host\lanhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
6004"schtasks.exe" /create /f /tn "LAN Host Task" /xml "C:\Users\admin\AppData\Local\Temp\tmp5B30.tmp"C:\Windows\SysWOW64\schtasks.exewininit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6852"C:\Users\admin\AppData\Local\Temp\wininit.exe" C:\Users\admin\AppData\Local\Temp\wininit.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\wininit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
7164"schtasks.exe" /create /f /tn "LAN Host" /xml "C:\Users\admin\AppData\Local\Temp\tmp5AE1.tmp"C:\Windows\SysWOW64\schtasks.exewininit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
1 708
Read events
1 705
Write events
2
Delete events
1

Modification events

(PID) Process:(6852) wininit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:LAN Host
Value:
C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\LAN Host\lanhost.exe
(PID) Process:(1480) wininit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:LAN Host
Value:
C:\Program Files (x86)\LAN Host\lanhost.exe
(PID) Process:(1480) wininit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:LAN Host
Value:
C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\LAN Host\lanhost.exe
Executable files
2
Suspicious files
1
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
6852wininit.exeC:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\LAN Host\lanhost.exeexecutable
MD5:180CA74FBA5C4C543EBD9F9F91C327B8
SHA256:D7CFF825F5646C6193712CDB25D267850B3198DB1B8709F0A411645F0763F9E4
1480wininit.exeC:\Program Files (x86)\LAN Host\lanhost.exeexecutable
MD5:180CA74FBA5C4C543EBD9F9F91C327B8
SHA256:D7CFF825F5646C6193712CDB25D267850B3198DB1B8709F0A411645F0763F9E4
1480wininit.exeC:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\task.dattext
MD5:70F12F67CB2887A2278F8DF0EBFC978B
SHA256:5174A7DC2A31A0D55B2AAC06C731566D17C771B5F6CFB0787C8A183F58FE66F3
1480wininit.exeC:\Users\admin\AppData\Local\Temp\tmp5B30.tmpxml
MD5:54865F98871478B2B88B7F8AA6100915
SHA256:287F7B4372926FF59BB9A14BDFC00AD63F92AF8EFDB2E14F6F6BAF31878FD44E
1480wininit.exeC:\Users\admin\AppData\Local\Temp\tmp5AE1.tmpxml
MD5:CAEF9D9C36DE96A9B11B2CAA4CBEE423
SHA256:BCC9312AF1CD34F0496ADDD5B41065DAEA014EEE937909752910332246637F30
6852wininit.exeC:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\run.datbinary
MD5:36134AB5995BCA2363A84DEA1C595867
SHA256:31ADA384705019001A33E1545799B8235188025BEED197D7CC9372D84A27A413
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
56
DNS requests
20
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5244
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2940
svchost.exe
GET
200
23.209.209.135:80
http://x1.c.lencr.org/
unknown
whitelisted
4860
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4860
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4156
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1480
wininit.exe
172.67.74.244:80
computernewb.com
CLOUDFLARENET
US
whitelisted
4
System
192.168.100.255:138
whitelisted
5244
svchost.exe
20.190.160.132:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2336
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
5244
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1480
wininit.exe
188.114.97.3:80
collabvm.org
CLOUDFLARENET
NL
suspicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.74.206
whitelisted
computernewb.com
  • 172.67.74.244
  • 104.26.2.158
  • 104.26.3.158
whitelisted
login.live.com
  • 20.190.160.132
  • 20.190.160.4
  • 20.190.160.67
  • 20.190.160.3
  • 40.126.32.134
  • 20.190.160.17
  • 40.126.32.138
  • 20.190.160.64
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
collabvm.org
  • 188.114.97.3
  • 188.114.96.3
unknown
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted

Threats

PID
Process
Class
Message
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
wininit.exe