File name: HMC.Hackus.Mail.Checker.2.3.exe

Full analysis: https://app.any.run/tasks/da9a7eb5-d3c2-427d-88ce-5ad0b6ce9c48
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Analysis date: June 26, 2025, 15:59:33
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
upx
miner
winring0x64-sys
vuln-driver
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 16 sections
MD5: 8F0CB667A89337245D8C9692C413BCE6
SHA1: 065436A7F57FD22FA67402758CF8DE2EBD0D2259
SHA256: E14B7E7DA9A94BF01408E7053BC7484DB3DDD267790DEB2F368C25D29BE8EEB4
SSDEEP: 98304:jqtwTkw2trTKWWOnMnfxGFNClwhfqnO5PjGE1qHgwT8E5eb+ndYft234vdmpHnpS:Sc5qbj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes Windows Defender settings

      • cmd.exe (PID: 1944)
      • x64.exe (PID: 6340)
      • dkiszjdpbwqw.exe (PID: 3584)
    • Adds path to the Windows Defender exclusion list

      • HMC.Hackus.Mail.Checker.2.3.exe (PID: 7052)
      • cmd.exe (PID: 1944)
    • Executing a file with an untrusted certificate

      • x64.exe (PID: 6636)
      • x64.exe (PID: 6340)
      • dkiszjdpbwqw.exe (PID: 3584)
    • Adds extension to the Windows Defender exclusion list

      • x64.exe (PID: 6340)
      • dkiszjdpbwqw.exe (PID: 3584)
    • Uninstalls Malicious Software Removal Tool (MRT)

      • cmd.exe (PID: 1508)
      • cmd.exe (PID: 420)
    • Vulnerable driver has been detected

      • dkiszjdpbwqw.exe (PID: 3584)
    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2200)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • HMC.Hackus.Mail.Checker.2.3.exe (PID: 7052)
    • Starts CMD.EXE for commands execution

      • HMC.Hackus.Mail.Checker.2.3.exe (PID: 7052)
      • x64.exe (PID: 6340)
      • dkiszjdpbwqw.exe (PID: 3584)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 1944)
      • x64.exe (PID: 6340)
      • dkiszjdpbwqw.exe (PID: 3584)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1944)
      • x64.exe (PID: 6636)
      • x64.exe (PID: 6340)
      • dkiszjdpbwqw.exe (PID: 3584)
    • Executable content was dropped or overwritten

      • HMC.Hackus.Mail.Checker.2.3.exe (PID: 7052)
      • x64.exe (PID: 6340)
      • dkiszjdpbwqw.exe (PID: 3584)
    • Starts process via Powershell

      • powershell.exe (PID: 4828)
    • Starts SC.EXE for service management

      • x64.exe (PID: 6340)
    • Windows service management via SC.EXE

      • sc.exe (PID: 4312)
      • sc.exe (PID: 2032)
    • Process uninstalls Windows update

      • wusa.exe (PID: 1096)
      • wusa.exe (PID: 2708)
    • Creates a new Windows service

      • sc.exe (PID: 1324)
    • Stops a currently running service

      • sc.exe (PID: 4520)
    • Manipulates environment variables

      • powershell.exe (PID: 3936)
      • powershell.exe (PID: 6800)
    • Script adds exclusion extension to Windows Defender

      • x64.exe (PID: 6340)
      • dkiszjdpbwqw.exe (PID: 3584)
    • Executes as Windows Service

      • dkiszjdpbwqw.exe (PID: 3584)
    • Drops a system driver (possible attempt to evade defenses)

      • dkiszjdpbwqw.exe (PID: 3584)
    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2200)
  • INFO

    • Reads the computer name

      • HMC.Hackus.Mail.Checker.2.3.exe (PID: 7052)
    • Checks supported languages

      • HMC.Hackus.Mail.Checker.2.3.exe (PID: 7052)
      • x64.exe (PID: 6636)
      • x64.exe (PID: 6340)
      • dkiszjdpbwqw.exe (PID: 3584)
    • Creates files in the program directory

      • HMC.Hackus.Mail.Checker.2.3.exe (PID: 7052)
      • x64.exe (PID: 6340)
    • Process checks computer location settings

      • HMC.Hackus.Mail.Checker.2.3.exe (PID: 7052)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4040)
      • powershell.exe (PID: 3936)
      • powershell.exe (PID: 6800)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4040)
      • powershell.exe (PID: 3936)
      • powershell.exe (PID: 6800)
    • UPX packer has been detected

      • x64.exe (PID: 6340)
    • The sample compiled with japanese language support

      • dkiszjdpbwqw.exe (PID: 3584)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.3)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:06:24 19:45:59+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, 32-bit
PEType: PE32
LinkerVersion: 2.28
CodeSize: 650752
InitializedDataSize: 6199808
UninitializedDataSize: 3072
EntryPoint: 0x1300
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 166
Monitored processes: 31
Malicious processes: 7
Suspicious processes: 2

Behavior graph

[Interactive behavior graph, not reproduced; process nodes as labelled, in order: hmc.hackus.mail.checker.2.3.exe, cmd.exe, conhost.exe (no specs), powershell.exe (no specs), x64.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), x64.exe, powershell.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), conhost.exe (no specs), wusa.exe (no specs), sc.exe (no specs), conhost.exe (no specs), sc.exe (no specs), sc.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), dkiszjdpbwqw.exe (THREAT), powershell.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), wusa.exe (no specs), explorer.exe, svchost.exe (#MINER), slui.exe (no specs)]

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 420
CMD: C:\WINDOWS\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Path: C:\Windows\System32\cmd.exe
Parent process: dkiszjdpbwqw.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Command Processor
Exit code: 87
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1028
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1096
CMD: wusa /uninstall /kb:890830 /quiet /norestart
Path: C:\Windows\System32\wusa.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Update Standalone Installer
Exit code: 87
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID: 1324
CMD: C:\WINDOWS\system32\sc.exe create "UESOKLOO" binpath= "C:\ProgramData\xoipmwfzeasl\dkiszjdpbwqw.exe" start= "auto"
Path: C:\Windows\System32\sc.exe
Parent process: x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1508
CMD: C:\WINDOWS\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Path: C:\Windows\System32\cmd.exe
Parent process: x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 87
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1812
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1944
CMD: "C:\WINDOWS\SysWOW64\cmd.exe" /C powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: HMC.Hackus.Mail.Checker.2.3.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2032
CMD: C:\WINDOWS\system32\sc.exe start "UESOKLOO"
Path: C:\Windows\System32\sc.exe
Parent process: x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1053
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2368
CMD: explorer.exe
Path: C:\Windows\explorer.exe
Parent process: dkiszjdpbwqw.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Explorer
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
Total events: 21 490
Read events: 21 488
Write events: 2
Delete events: 0

Modification events

(PID) Process: (6340) x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation: write
Name: DontOfferThroughWUAU
Value: 1

(PID) Process: (3584) dkiszjdpbwqw.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation: write
Name: DontOfferThroughWUAU
Value: 1
Executable files: 3
Suspicious files: 2
Text files: 12
Unknown types: 0

Dropped files

PID | Process | Filename | Type

4828 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: 7AF9911A06ACE782DC495D2CED08BB2F
SHA256: 771FB56650E944A61EFC8FEA4000AF70E2A2D487BA70785CF0DBE03D327B0861

4040 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sayxhxcs.mc5.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

3936 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ars14fap.ro2.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

6800 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_b0lqim3o.coe.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

4828 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_u5bxhhjq.ylw.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

6340 | x64.exe | C:\ProgramData\xoipmwfzeasl\dkiszjdpbwqw.exe | executable
MD5: 305E81B0A24023DEF6C4491632CC27E5
SHA256: 9884297F9D9BD14BF7BAB495865D6A2B6B655CF3468B9B10AD9A946B312D2F1F

6800 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_a2qhm2ue.n4c.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

6800 | powershell.exe | C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: 5C3CCE922B08272E676ADA7EEB796338
SHA256: CE64D54F387E51F0ACEB14B2FF5D653539FC61EB1EFF8EDA7BBC9B8E6E94A76F

3584 | dkiszjdpbwqw.exe | C:\Windows\Temp\xmpccjuogsbt.sys | executable
MD5: 0C0195C48B6B8582FA6F6373032118DA
SHA256: 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

6800 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_epz0vyqo.qyj.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 23
DNS requests: 16
Threats: 2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7020
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1036
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1036
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
756
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
1268
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
7020
svchost.exe
20.190.160.3:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7020
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.238
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.160.3
  • 20.190.160.130
  • 40.126.32.138
  • 20.190.160.65
  • 20.190.160.5
  • 20.190.160.128
  • 20.190.160.22
  • 20.190.160.64
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.21
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2200
svchost.exe
Crypto Currency Mining Activity Detected
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
No debug info