File name:

Week8.exe

Full analysis: https://app.any.run/tasks/acf7dffb-6bb8-426c-936c-97659ec3363a
Verdict: Malicious activity
Analysis date: March 24, 2025, 21:25:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 10 sections
MD5:

A07EA73AAEBE8BE23DEE196BDE83E083

SHA1:

0309273EB6BF0909143C656E286C05E40497FFF8

SHA256:

F5158ADA735739AEE5BC2B07A92368F2817DA2A3E16C1FCE0BA365BEDF54E6D0

SSDEEP:

98304:5PzhFlmzDfDLAGV4wk0Uya7m40cpckcHeC/FHdW62QfYjuPyicDglq2CM1oBj3xO:MyEy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • Week8.exe (PID: 6816)

    • Changes the autorun value in the registry

      • Week8.exe (PID: 6816)

  • SUSPICIOUS

    • Modifies hosts file to alter network resolution

      • Week8.exe (PID: 6816)

    • Executable content was dropped or overwritten

      • Week8.exe (PID: 6816)

    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 3604)
      • PLUGScheduler.exe (PID: 4112)

  • INFO

    • Checks supported languages

      • Week8.exe (PID: 6816)
      • PLUGScheduler.exe (PID: 4112)
      • malware_fun.exe (PID: 3888)
      • malware_fun.exe (PID: 5360)

    • The sample compiled with english language support

      • Week8.exe (PID: 6816)

    • Creates files or folders in the user directory

      • Week8.exe (PID: 6816)

    • Autorun file from Startup directory

      • Week8.exe (PID: 6816)

    • Creates files in the program directory

      • PLUGScheduler.exe (PID: 3604)
      • PLUGScheduler.exe (PID: 4112)

    • Reads the computer name

      • PLUGScheduler.exe (PID: 3604)

    • Manual execution by a user

      • malware_fun.exe (PID: 5360)
      • malware_fun.exe (PID: 3888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:17 20:08:13+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.3
CodeSize: 9728
InitializedDataSize: 4313088
UninitializedDataSize: 2560
EntryPoint: 0x14e0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: University of Arizona
FileDescription: Spring 2025 Week 8 Malware Analysis
FileVersion: 1.0.0.0
InternalName: week8.exe
LegalCopyright: © 2025 Michael Galde. All rights reserved.
OriginalFileName: week8.exe
ProductName: Week8
ProductVersion: 1.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
387
Monitored processes
10
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start week8.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe no specs plugscheduler.exe no specs malware_fun.exe no specs conhost.exe no specs plugscheduler.exe no specs malware_fun.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1072\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exemalware_fun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1116\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWeek8.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1452"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1512C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
3604"C:\Program Files\RUXIM\PLUGscheduler.exe"C:\Program Files\RUXIM\PLUGScheduler.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Update LifeCycle Component Scheduler
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\xmllite.dll
3888"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware_fun.exe" C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware_fun.exeexplorer.exe
User:
admin
Company:
University of Arizona
Integrity Level:
MEDIUM
Description:
Spring 2025 Week 8 Malware Analysis
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\malware_fun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shell32.dll
4112"C:\Program Files\RUXIM\PLUGscheduler.exe"C:\Program Files\RUXIM\PLUGScheduler.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Update LifeCycle Component Scheduler
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
5332\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exemalware_fun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5360"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware_fun.exe" C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware_fun.exeexplorer.exe
User:
admin
Company:
University of Arizona
Integrity Level:
MEDIUM
Description:
Spring 2025 Week 8 Malware Analysis
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\malware_fun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6816"C:\Users\admin\AppData\Local\Temp\Week8.exe" C:\Users\admin\AppData\Local\Temp\Week8.exe
explorer.exe
User:
admin
Company:
University of Arizona
Integrity Level:
MEDIUM
Description:
Spring 2025 Week 8 Malware Analysis
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\week8.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
319
Read events
316
Write events
3
Delete events
0

Modification events

(PID) Process:(6816) Week8.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:SuspiciousEntry
Value:
What are you looking for?
(PID) Process:(5360) malware_fun.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:SuspiciousEntry
Value:
What are you looking for?
(PID) Process:(3888) malware_fun.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:SuspiciousEntry
Value:
What are you looking for?
Executable files
1
Suspicious files
90
Text files
3
Unknown types
1

Dropped files

PID
Process
Filename
Type
3604PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.047.etlbinary
MD5:FED961067F664B5381B65A534B7AB728
SHA256:652F31A8284AE812D1D9D24192BC800976BF74C240591C6AC443A28C4709FB7C
6816Week8.exeC:\Users\admin\Desktop\warning.jpgimage
MD5:2460EC9D6B5EB63F10ACFEE2DB48F7F6
SHA256:9CA23A8C3A6CAFBD706131533C71ADA5D6832F575741007B5BE1B4AA39F7008F
6816Week8.exeC:\Users\admin\Desktop\hello_STUDENTS_41.454binary
MD5:4D896E094EC6C588FD2F2EC2C3C3BE4B
SHA256:4A0590ED26ED8132008274DEFD00E98562A617642BD02956649F1A6E45B3AA04
3604PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.046.etlbinary
MD5:A7A21FBC9D00F33F186B34A50E170C13
SHA256:64CAC91E46D4FC832958232A658431CBF9D8D9F265653ACA2BEB32428D4688EC
6816Week8.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware_fun.exeexecutable
MD5:A07EA73AAEBE8BE23DEE196BDE83E083
SHA256:F5158ADA735739AEE5BC2B07A92368F2817DA2A3E16C1FCE0BA365BEDF54E6D0
3604PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.048.etlbinary
MD5:A23907B6FDD47DCABFDFD7CF2FCD7671
SHA256:0C9C33FE9E984A2E5A70EBA51F36B9929A86199E424AF2F8080E1267B87DC970
3604PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.049.etlbinary
MD5:5EA68411BF8E9EAF4621BAF73F61449E
SHA256:9D4CA5A1D871F819C139A498BB910A63576C2FE6367853544F8D172D8B6EBFF7
3604PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.037.etlbinary
MD5:B787593A02A4E0A601164A65952D0CB9
SHA256:3594AD496D8E1771BCC3E8B6F68B4C2B4190A9A331FB43F068A7DF4E1894E2CF
3604PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.044.etlbinary
MD5:B53B2070E686FFB1FBC8B06994E7C8D7
SHA256:A3ABD06F4E40CB700B1908AB6BCD2E27455E13EF076E0BF2345BB2FA369EF802
3604PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.042.etlbinary
MD5:C1F87CF12DD702D2185E703BA004D216
SHA256:9D993487866C9538DC19F281A6346E1796E7478C7C164D61437AF6E698C66125
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
51
DNS requests
27
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.193:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1532
backgroundTaskHost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7572
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4864
svchost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7572
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5184
SearchApp.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
23.48.23.193:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
20.197.71.89:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
SG
whitelisted
6544
svchost.exe
40.126.32.140:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
23.54.109.203:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1532
backgroundTaskHost.exe
20.199.58.43:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
1532
backgroundTaskHost.exe
23.54.109.203:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.238
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.193
  • 23.48.23.150
  • 23.48.23.161
  • 23.48.23.149
  • 23.48.23.138
  • 23.48.23.160
  • 23.48.23.139
  • 23.48.23.146
  • 23.48.23.147
whitelisted
client.wns.windows.com
  • 20.197.71.89
whitelisted
login.live.com
  • 40.126.32.140
  • 20.190.160.66
  • 20.190.160.128
  • 20.190.160.67
  • 40.126.32.76
  • 20.190.160.17
  • 40.126.32.133
  • 40.126.32.134
whitelisted
ocsp.digicert.com
  • 23.54.109.203
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Week8.exe