File name:

WickedR6.rar

Full analysis: https://app.any.run/tasks/766a5a06-fd6c-4046-bac5-ee027b25d796
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: June 01, 2025, 02:13:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
pastebin
telegram
exfiltration
stealer
delphi
miner
winring0x64-sys
vuln-driver
crypto-regex
ims-api
generic
auto-startup
upx
xmrig
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

7637D921CEE677D4E4635B3010734A32

SHA1:

B55B6AFFE9EE508C3478536AA8884169EDA10B59

SHA256:

EB46847E75D84B358A4B872B3840305665BE9AB7DAF8F18918FEA6BC0CDCDF4A

SSDEEP:

98304:tIOFCuVgZpyDrhk5C7Urfgg722KzKPhp10LONs08apZdkewP/zqpNZBjiAIx2oL9:ntL2V3Wpqy5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Stealers network behavior

      • Applications.exe (PID: 1472)

    • Attempting to use instant messaging service

      • Applications.exe (PID: 1472)

    • Adds extension to the Windows Defender exclusion list

      • Application.exe (PID: 8164)
      • EdgeBrowser.exe (PID: 3396)

    • Uninstalls Malicious Software Removal Tool (MRT)

      • cmd.exe (PID: 6572)
      • cmd.exe (PID: 4736)

    • Changes Windows Defender settings

      • Application.exe (PID: 8164)
      • EdgeBrowser.exe (PID: 3396)

    • Application was injected by another process

      • svchost.exe (PID: 1044)
      • svchost.exe (PID: 1232)
      • svchost.exe (PID: 1444)
      • lsass.exe (PID: 756)
      • svchost.exe (PID: 468)
      • svchost.exe (PID: 1416)
      • svchost.exe (PID: 1260)
      • svchost.exe (PID: 1252)
      • svchost.exe (PID: 1552)
      • svchost.exe (PID: 1288)
      • svchost.exe (PID: 1524)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 1792)
      • svchost.exe (PID: 1652)
      • svchost.exe (PID: 1904)
      • svchost.exe (PID: 1352)
      • svchost.exe (PID: 1892)
      • svchost.exe (PID: 2172)
      • svchost.exe (PID: 2448)
      • svchost.exe (PID: 2396)
      • svchost.exe (PID: 2536)
      • svchost.exe (PID: 2544)
      • svchost.exe (PID: 2196)
      • svchost.exe (PID: 2292)
      • svchost.exe (PID: 1988)
      • svchost.exe (PID: 2068)
      • spoolsv.exe (PID: 2732)
      • svchost.exe (PID: 2624)
      • dasHost.exe (PID: 3012)
      • svchost.exe (PID: 2880)
      • svchost.exe (PID: 2584)
      • svchost.exe (PID: 2776)
      • svchost.exe (PID: 2932)
      • svchost.exe (PID: 1772)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 3196)
      • svchost.exe (PID: 3216)
      • svchost.exe (PID: 3184)
      • svchost.exe (PID: 3084)
      • svchost.exe (PID: 2920)
      • svchost.exe (PID: 4312)
      • svchost.exe (PID: 3812)
      • svchost.exe (PID: 3104)
      • OfficeClickToRun.exe (PID: 3112)
      • svchost.exe (PID: 3284)
      • svchost.exe (PID: 3564)
      • svchost.exe (PID: 860)
      • svchost.exe (PID: 3232)
      • svchost.exe (PID: 4292)
      • svchost.exe (PID: 1572)
      • dllhost.exe (PID: 5880)
      • svchost.exe (PID: 3860)
      • svchost.exe (PID: 2996)
      • svchost.exe (PID: 2112)
      • svchost.exe (PID: 4508)
      • MoUsoCoreWorker.exe (PID: 5496)
      • svchost.exe (PID: 4952)
      • RuntimeBroker.exe (PID: 6160)
      • ApplicationFrameHost.exe (PID: 6952)
      • svchost.exe (PID: 6608)
      • ctfmon.exe (PID: 956)
      • RuntimeBroker.exe (PID: 1036)
      • svchost.exe (PID: 1684)
      • winlogon.exe (PID: 6648)
      • dwm.exe (PID: 6568)
      • svchost.exe (PID: 6024)
      • sihost.exe (PID: 4984)
      • uhssvc.exe (PID: 648)
      • svchost.exe (PID: 4544)
      • dllhost.exe (PID: 6896)
      • explorer.exe (PID: 5492)
      • svchost.exe (PID: 4348)
      • svchost.exe (PID: 4684)
      • svchost.exe (PID: 1560)
      • WmiPrvSE.exe (PID: 7884)
      • svchost.exe (PID: 4740)
      • svchost.exe (PID: 1568)
      • svchost.exe (PID: 7532)
      • SppExtComObj.Exe (PID: 7812)
      • svchost.exe (PID: 3132)
      • RuntimeBroker.exe (PID: 5368)
      • svchost.exe (PID: 6544)
      • svchost.exe (PID: 4916)
      • dllhost.exe (PID: 6176)
      • audiodg.exe (PID: 6168)
      • UserOOBEBroker.exe (PID: 1248)
      • slui.exe (PID: 7048)
      • svchost.exe (PID: 1268)
      • WmiPrvSE.exe (PID: 4408)

    • Runs injected code in another process

      • dialer.exe (PID: 7852)
      • dialer.exe (PID: 7000)

    • Vulnerable driver has been detected

      • EdgeBrowser.exe (PID: 3396)

    • XMRIG has been detected (YARA)

      • dialer.exe (PID: 4976)

    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2196)

    • Create files in the Startup directory

      • svchost.exe (PID: 8164)

  • SUSPICIOUS

    • Reads the BIOS version

      • Wicked R6.exe (PID: 1852)

    • Executable content was dropped or overwritten

      • Wicked R6.exe (PID: 1852)
      • Application.exe (PID: 8164)
      • EdgeBrowser.exe (PID: 3396)

    • Reads security settings of Internet Explorer

      • Wicked R6.exe (PID: 1852)
      • Applications.exe (PID: 1472)

    • Starts POWERSHELL.EXE for commands execution

      • Application.exe (PID: 2268)
      • Application.exe (PID: 8164)
      • EdgeBrowser.exe (PID: 3396)

    • Starts process via Powershell

      • powershell.exe (PID: 2152)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • Applications.exe (PID: 1472)
      • svchost.exe (PID: 8164)

    • The process connected to a server suspected of theft

      • Applications.exe (PID: 1472)
      • svchost.exe (PID: 8164)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Applications.exe (PID: 1472)
      • svchost.exe (PID: 8164)

    • There is functionality for taking screenshot (YARA)

      • UR.exe (PID: 4696)

    • Script adds exclusion extension to Windows Defender

      • Application.exe (PID: 8164)
      • EdgeBrowser.exe (PID: 3396)

    • Starts CMD.EXE for commands execution

      • Application.exe (PID: 8164)
      • EdgeBrowser.exe (PID: 3396)
      • Applications.exe (PID: 1472)

    • Stops a currently running service

      • sc.exe (PID: 7872)
      • sc.exe (PID: 8144)
      • sc.exe (PID: 8172)
      • sc.exe (PID: 5504)
      • sc.exe (PID: 7788)
      • sc.exe (PID: 960)
      • sc.exe (PID: 7880)
      • sc.exe (PID: 6668)
      • sc.exe (PID: 6632)
      • sc.exe (PID: 7948)
      • sc.exe (PID: 7560)

    • Process uninstalls Windows update

      • wusa.exe (PID: 7676)
      • wusa.exe (PID: 5868)

    • Starts SC.EXE for service management

      • Application.exe (PID: 8164)
      • EdgeBrowser.exe (PID: 3396)

    • Uses powercfg.exe to modify the power settings

      • Application.exe (PID: 8164)
      • EdgeBrowser.exe (PID: 3396)

    • Creates a new Windows service

      • sc.exe (PID: 5988)

    • Windows service management via SC.EXE

      • sc.exe (PID: 7308)
      • sc.exe (PID: 2064)

    • Found regular expressions for crypto-addresses (YARA)

      • Applications.exe (PID: 1472)
      • svchost.exe (PID: 8164)

    • Manipulates environment variables

      • powershell.exe (PID: 8044)
      • powershell.exe (PID: 7340)

    • Script adds exclusion path to Windows Defender

      • Application.exe (PID: 8164)
      • EdgeBrowser.exe (PID: 3396)

    • Executes as Windows Service

      • EdgeBrowser.exe (PID: 3396)

    • The process creates files with name similar to system file names

      • Applications.exe (PID: 1472)
      • svchost.exe (PID: 8164)

    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2196)

    • Starts itself from another location

      • Applications.exe (PID: 1472)

    • Executing commands from ".cmd" file

      • Applications.exe (PID: 1472)

    • Drops a system driver (possible attempt to evade defenses)

      • EdgeBrowser.exe (PID: 3396)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 4496)

  • INFO

    • Checks supported languages

      • Wicked R6.exe (PID: 1852)
      • Applications.exe (PID: 1472)
      • UR.exe (PID: 4696)
      • Application.exe (PID: 2268)
      • Application.exe (PID: 8164)
      • EdgeBrowser.exe (PID: 3396)
      • uhssvc.exe (PID: 648)
      • svchost.exe (PID: 8164)

    • Reads the software policy settings

      • lsass.exe (PID: 756)
      • Applications.exe (PID: 1472)
      • slui.exe (PID: 7048)
      • slui.exe (PID: 5376)
      • svchost.exe (PID: 8164)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)

    • Reads the machine GUID from the registry

      • Wicked R6.exe (PID: 1852)
      • Applications.exe (PID: 1472)
      • svchost.exe (PID: 8164)

    • Reads the computer name

      • Wicked R6.exe (PID: 1852)
      • UR.exe (PID: 4696)
      • Applications.exe (PID: 1472)
      • svchost.exe (PID: 8164)

    • Manual execution by a user

      • Wicked R6.exe (PID: 1852)

    • Create files in a temporary directory

      • Wicked R6.exe (PID: 1852)
      • Applications.exe (PID: 1472)

    • Process checks computer location settings

      • Wicked R6.exe (PID: 1852)
      • Applications.exe (PID: 1472)

    • The sample compiled with english language support

      • Wicked R6.exe (PID: 1852)
      • Application.exe (PID: 8164)

    • The executable file from the user directory is run by the Powershell process

      • Application.exe (PID: 8164)

    • Disables trace logs

      • Applications.exe (PID: 1472)
      • svchost.exe (PID: 8164)

    • Checks proxy server information

      • Applications.exe (PID: 1472)
      • slui.exe (PID: 5376)
      • svchost.exe (PID: 8164)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2196)
      • Applications.exe (PID: 1472)
      • svchost.exe (PID: 8164)

    • Compiled with Borland Delphi (YARA)

      • UR.exe (PID: 4696)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 8044)
      • powershell.exe (PID: 7340)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8044)
      • powershell.exe (PID: 7340)

    • Creates files in the program directory

      • Application.exe (PID: 8164)
      • MoUsoCoreWorker.exe (PID: 5496)

    • The sample compiled with japanese language support

      • EdgeBrowser.exe (PID: 3396)

    • Creates files or folders in the user directory

      • Applications.exe (PID: 1472)
      • svchost.exe (PID: 8164)
      • explorer.exe (PID: 5492)

    • UPX packer has been detected

      • dialer.exe (PID: 4976)

    • Launch of the file from Startup directory

      • svchost.exe (PID: 8164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(1472) Applications.exe
Telegram-Tokens (1)7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc
Telegram-Info-Links
7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc
Get info about bothttps://api.telegram.org/bot7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc/getMe
Get incoming updateshttps://api.telegram.org/bot7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc/getUpdates
Get webhookhttps://api.telegram.org/bot7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc
End-PointsendDocument
Args
(PID) Process(8164) svchost.exe
Telegram-Tokens (1)7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc
Telegram-Info-Links
7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc
Get info about bothttps://api.telegram.org/bot7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc/getMe
Get incoming updateshttps://api.telegram.org/bot7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc/getUpdates
Get webhookhttps://api.telegram.org/bot7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc
End-PointsendDocum
Args
Token7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc
End-PointsendDoc
Args
Token7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc
End-PointsendDocument
Args
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 1121400
UncompressedSize: 4719616
OperatingSystem: Win32
ArchivedFileName: Wicked R6/spoofer.dll
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
194
Monitored processes
162
Malicious processes
97
Suspicious processes
4

Behavior graph

Click at the process to see the details
start winrar.exe no specs wicked r6.exe ur.exe no specs ur.exe applications.exe application.exe no specs powershell.exe no specs conhost.exe no specs application.exe powershell.exe no specs conhost.exe no specs wmiprvse.exe cmd.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs wusa.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs dialer.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs THREAT edgebrowser.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs wusa.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs dialer.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs dialer.exe no specs #XMRIG dialer.exe slui.exe svchost.exe cmd.exe no specs conhost.exe no specs timeout.exe no specs svchost.exe uhssvc.exe lsass.exe svchost.exe ctfmon.exe runtimebroker.exe svchost.exe svchost.exe useroobebroker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe #MINER svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dashost.exe svchost.exe svchost.exe officeclicktorun.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe sihost.exe runtimebroker.exe explorer.exe mousocoreworker.exe dllhost.exe svchost.exe runtimebroker.exe audiodg.exe dllhost.exe svchost.exe dwm.exe svchost.exe winlogon.exe dllhost.exe applicationframehost.exe slui.exe svchost.exe sppextcomobj.exe wmiprvse.exe

Process information

PID
CMD
Path
Indicators
Parent process
132\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
468C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSMC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
616timeout 6 C:\Windows\SysWOW64\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
648"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Update Health Service
Version:
10.0.19041.3626 (WinBuild.160101.0800)
Modules
Images
c:\program files\microsoft update health tools\uhssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
756C:\WINDOWS\system32\lsass.exeC:\Windows\System32\lsass.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
860C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvcC:\Windows\System32\svchost.exe
services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
956"ctfmon.exe"C:\Windows\System32\ctfmon.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CTF Loader
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
960C:\WINDOWS\system32\sc.exe stop eventlogC:\Windows\System32\sc.exeApplication.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1051
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1036C:\Windows\System32\RuntimeBroker.exe -EmbeddingC:\Windows\System32\RuntimeBroker.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Runtime Broker
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runtimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
1044C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
41 619
Read events
41 463
Write events
139
Delete events
17

Modification events

(PID) Process:(6036) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(6036) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(956) ctfmon.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Input\TypingInsights
Operation:writeName:Insights
Value:
02000000071DE8C131CC8360A3D6D9C1330A686B165ABA2E235F5A5C
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconLayouts
Value:
00000000000000000000000000000000030001000100010015000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000110000000000000067007200650065006E006C006F0061006E002E006A00700067003E00200020000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C000000120000000000000062006F00790073007300650072006900650073002E007200740066003E00200020000000140000000000000062007200650061006B0068006900670068006500730074002E0070006E0067003E00200020000000140000000000000064006F006700730065006C0065006300740069006F006E002E007200740066003E002000200000000E00000000000000670075006900640065006D002E007200740066003E00200020000000140000000000000070006100720074006E00650072007300680069006C006C002E007200740066003E002000200000001100000000000000720061006300650066006F0075006E0064002E007200740066003E002000200000001000000000000000730061006E00630061006E006F006E002E0070006E0067003E002000200000000F00000000000000730061007400740069006D0065002E006A00700067003E00200020000000140000000000000073007000650063006900650073006D006F00640065006C002E007200740066003E00200020000000140000000000000074006F007000690063007A00650061006C0061006E0064002E007200740066003E002000200000001400000000000000770065006400640069006E0067006D0061007400630068002E0070006E0067003E0020002000000010000000000000005700690063006B0065006400520036002E007200610072003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001500000000000000000000000000000000000000803F0000404009000000803F000080400A000000803F0000A0400B000000000000008040040000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F0000000040000080401000000000400000A040110000004040000000001200000040400000803F1300000000000000803F01000000000000000040020000000000000040400300000000000000A04005000000803F0000000006000000803F0000803F07000000803F00000040080000004040000000401400
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconNameVersion
Value:
1
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:writeName:LastUpdate
Value:
60B73B6800000000
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:0000000000070346
Operation:writeName:VirtualDesktop
Value:
1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:(6036) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(6036) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(6036) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
Executable files
5
Suspicious files
32
Text files
12
Unknown types
0

Dropped files

PID
Process
Filename
Type
1852Wicked R6.exeC:\Users\admin\AppData\Local\Temp\Applications.exeexecutable
MD5:7BAB53A21E99B5BDF183074D0CF31C4F
SHA256:AC532262429C8915526AF3AE640E9A742BF2DE4EAFBE321314FC2B51EE83E27E
1772svchost.exeC:\Windows\Prefetch\UPFC.EXE-BDDF79D6.pfbinary
MD5:9CFDAD5CC6F4E46480677F142F898A27
SHA256:7DFEF0B79DF985C6680B9111E2BC263F7A0A0267D7DF079DF1EA8FC9E76447B5
1852Wicked R6.exeC:\Users\admin\AppData\Local\Temp\UR.exeexecutable
MD5:ACF8907CE64638007FB5514265812C67
SHA256:9FE5FB74600E204A4739A0ED262F16AB6C7EB9F970F61D6315A8E5010F9BC3D4
1772svchost.exeC:\Windows\Prefetch\WINRAR.EXE-94E7D80C.pfbinary
MD5:25971C316ED8CEDFD09337634F5A700B
SHA256:63CF0B1873ED924B06C2BFF58198FE225309B9D3E3E22017B95378B92B766D6E
1260svchost.exeC:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\RUXIM\PLUGSchedulerxml
MD5:1E0FD17505DF7FDD52708C59FCD5284C
SHA256:B374CE865F05A467798DE01B77F9AEEA861325CF274390D4C06753E77CDA564D
5492explorer.exeC:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datbinary
MD5:E49C56350AEDF784BFE00E444B879672
SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
1772svchost.exeC:\Windows\Prefetch\HOST.EXE-F5D74C61.pfbinary
MD5:5CE99A092289F60CAFC3B5937A86656D
SHA256:5EB2EC393E223B44D12DCFAEBDD6C56F8B409EA998430D230F56DECDB363FDBD
1772svchost.exeC:\Windows\Prefetch\APPLICATION.EXE-248E1482.pfbinary
MD5:4D7D7112FEBBBC4BEFCA73108E5DFD2D
SHA256:76B427C5BB1C30F0369C73044683BC3F638611A0E3AF371365BF292994A1C2CC
1852Wicked R6.exeC:\Users\admin\AppData\Local\Temp\Application.exeexecutable
MD5:3DDF5FCE992B391E6C523FAEFCFDE2F2
SHA256:6924FBBFFE66F52385926DCCFD5BDEA19531282E3BD7EF85F0093EBB658ED49C
1772svchost.exeC:\Windows\Prefetch\SPPEXTCOMOBJ.EXE-BB03B3D6.pfbinary
MD5:EB523F1D0A859B4CFC8081CEDF3E35D4
SHA256:AC030967B897E3EC258B40669A7F88C84017B04A6E20A5638A46FB3BC6DA242A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
29
DNS requests
12
Threats
15

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
8032
RUXIMICS.exe
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
8032
RUXIMICS.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
401
149.154.167.99:443
https://api.telegram.org/bot7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc/sendDocument
unknown
binary
58 b
whitelisted
GET
200
172.67.25.94:443
https://pastebin.com/raw/FAce9mqZ
unknown
text
46 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
GET
200
104.22.68.199:443
https://pastebin.com/raw/FAce9mqZ
unknown
text
46 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
401
149.154.167.99:443
https://api.telegram.org/bot7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc/sendDocument
unknown
binary
58 b
whitelisted
POST
401
149.154.167.99:443
https://api.telegram.org/bot7575818475:AAEcwXbcuoIY9iIwpSLG717y9bzz3yuU7dc/sendDocument
unknown
binary
58 b
whitelisted
GET
200
104.22.69.199:443
https://pastebin.com/raw/FAce9mqZ
unknown
text
46 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
8032
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
8032
RUXIMICS.exe
2.20.245.137:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
8032
RUXIMICS.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
1472
Applications.exe
104.22.69.199:443
pastebin.com
CLOUDFLARENET
whitelisted
1472
Applications.exe
149.154.167.220:443
api.telegram.org
Telegram Messenger Inc
GB
whitelisted
7048
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4976
dialer.exe
46.4.28.18:443
pool.hashvault.pro
Hetzner Online GmbH
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
pastebin.com
  • 104.22.69.199
  • 104.22.68.199
  • 172.67.25.94
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
pool.hashvault.pro
  • 46.4.28.18
  • 185.240.242.141
whitelisted
self.events.data.microsoft.com
  • 20.189.173.28
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Online Pastebin Text Storage
1472
Applications.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
1472
Applications.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
1472
Applications.exe
Successful Credential Theft Detected
STEALER [ANY.RUN] Attempt to exfiltrate via Telegram
A Network Trojan was detected
ET HUNTING PNG in HTTP POST (Outbound)
2196
svchost.exe
Crypto Currency Mining Activity Detected
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
8164
svchost.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
8164
svchost.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WickedR6.rar