File name:

WinCrack.exe

Full analysis: https://app.any.run/tasks/aedad0b2-a939-4bd5-ae9b-10ba10880753
Verdict: Malicious activity
Analysis date: April 25, 2025, 20:30:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
qrcode
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows, 2 sections
MD5:

71BA1B4BA5D9B525BFD0565E12846B5F

SHA1:

0F5300AAF57F473BD1ED3283DFB6E12A3A007F9E

SHA256:

F898D4C0B2666E6B01AD5EB8123E582C5276B0EF72491C466D7C118216DE66A6

SSDEEP:

98304:QFP/dmCxbC5HU5yx+VC5bix0FHOFqBoIB7Bpej90N1S0xLJEladseTtcbFcsWyHS:Yj7AU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the login/logoff helper path in the registry

      • WinCrack.exe (PID: 7700)

    • Deletes shadow copies

      • cmd.exe (PID: 8032)

    • UAC/LUA settings modification

      • WinCrack.exe (PID: 7700)

    • Starts REAGENTC.EXE to disable the Windows Recovery Environment

      • ReAgentc.exe (PID: 7896)

    • Disables Windows Defender

      • WinCrack.exe (PID: 7700)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WinCrack.exe (PID: 7700)
      • msmgr.exe (PID: 4508)

    • Changes the desktop background image

      • WinCrack.exe (PID: 7700)

    • Executable content was dropped or overwritten

      • WinCrack.exe (PID: 7700)

    • Reads security settings of Internet Explorer

      • ShellExperienceHost.exe (PID: 5408)
      • msmgr.exe (PID: 4508)

    • Executes as Windows Service

      • VSSVC.exe (PID: 8116)

    • There is functionality for taking screenshot (YARA)

      • WinCrack.exe (PID: 7700)

    • Uses WMIC.EXE to obtain user accounts information

      • cmd.exe (PID: 7248)

    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 3620)

    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 5988)
      • cmd.exe (PID: 5980)

    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 5980)

    • The process checks if it is being run in the virtual environment

      • icacls.exe (PID: 5916)

    • The system shut down or reboot

      • cmd.exe (PID: 7248)

    • Reads the date of Windows installation

      • msmgr.exe (PID: 4508)

    • Start notepad (likely ransomware note)

      • msmgr.exe (PID: 4508)

  • INFO

    • Checks supported languages

      • WinCrack.exe (PID: 7700)
      • ShellExperienceHost.exe (PID: 5408)
      • msmgr.exe (PID: 4508)

    • Reads the machine GUID from the registry

      • WinCrack.exe (PID: 7700)
      • msmgr.exe (PID: 4508)

    • Process checks whether UAC notifications are on

      • WinCrack.exe (PID: 7700)

    • Changes file name

      • cmd.exe (PID: 7248)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7240)

    • Reads the computer name

      • ShellExperienceHost.exe (PID: 5408)
      • PLUGScheduler.exe (PID: 3620)
      • WinCrack.exe (PID: 7700)

    • Creates files in the program directory

      • PLUGScheduler.exe (PID: 3620)

    • Application launched itself

      • msedge.exe (PID: 5764)

    • Process checks computer location settings

      • msmgr.exe (PID: 4508)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2058:09:21 05:30:56+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 48
CodeSize: 4818944
InitializedDataSize: 99840
UninitializedDataSize: -
EntryPoint: 0x0000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 0.0.0.0
InternalName: WinCrack.exe
LegalCopyright:
OriginalFileName: WinCrack.exe
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
323
Monitored processes
76
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start wincrack.exe cmd.exe no specs conhost.exe no specs reagentc.exe no specs cmd.exe no specs conhost.exe no specs vssadmin.exe no specs vssvc.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs shellexperiencehost.exe no specs shutdown.exe no specs plugscheduler.exe no specs msmgr.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs takeown.exe no specs takeown.exe no specs iexplore.exe no specs msedge.exe icacls.exe no specs msedge.exe no specs regedit.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs mblctr.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs calc.exe no specs msedge.exe no specs mspaint.exe no specs regedit.exe no specs mblctr.exe no specs calc.exe no specs regedit.exe no specs wordpad.exe no specs mobsync.exe no specs notepad.exe no specs calc.exe no specs msedge.exe no specs msedge.exe no specs mobsync.exe no specs msedge.exe no specs notepad.exe no specs regedit.exe no specs calc.exe no specs notepad.exe no specs mstsc.exe no specs mblctr.exe no specs wordpad.exe no specs mobsync.exe no specs mobsync.exe no specs taskmgr.exe no specs msiexec.exe no specs msedge.exe no specs mmc.exe no specs msedge.exe no specs mblctr.exe no specs wincrack.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
320"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6004 --field-trial-handle=1992,i,9283604046132442250,14855267912029185802,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exemsedge.exe
User:
WinCrack
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
PWA Identity Proxy Host
Exit code:
0
Version:
122.0.2365.59
628"C:\Windows\System32\notepad.exe" C:\Windows\System32\notepad.exemsmgr.exe
User:
WinCrack
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
860"C:\Windows\regedit.exe" C:\Windows\regedit.exemsmgr.exe
User:
WinCrack
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
2652"C:\Windows\System32\mstsc.exe" C:\Windows\System32\mstsc.exemsmgr.exe
User:
WinCrack
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Remote Desktop Connection
Version:
10.0.19041.3636 (WinBuild.160101.0800)
3620"C:\Program Files\RUXIM\PLUGscheduler.exe"C:\Program Files\RUXIM\PLUGScheduler.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Update LifeCycle Component Scheduler
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
3620"C:\WINDOWS\system32\mmc.exe" "C:\Windows\System32\gpedit.msc" C:\Windows\System32\mmc.exemsmgr.exe
User:
WinCrack
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Management Console
Version:
10.0.19041.1 (WinBuild.160101.0800)
3656"C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files\Internet Explorer\iexplore.exemsmgr.exe
User:
WinCrack
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
1
Version:
11.00.19041.1 (WinBuild.160101.0800)
3996"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x264,0x268,0x26c,0x240,0x274,0x7ffd62bf5fd8,0x7ffd62bf5fe4,0x7ffd62bf5ff0C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
WinCrack
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Version:
122.0.2365.59
4508C:\WINDOWS\system32\msmgr.exeC:\Windows\System32\msmgr.exewinlogon.exe
User:
WinCrack
Integrity Level:
HIGH
Description:
Version:
0.0.0.0
4688shutdown /f /r /t 0C:\Windows\System32\shutdown.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Shutdown and Annotation Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
7
Suspicious files
231
Text files
41
Unknown types
9

Dropped files

PID
Process
Filename
Type
7700WinCrack.exeC:\Windows\System32\bg.bmp
MD5:
SHA256:
7896ReAgentc.exeC:\Windows\System32\Recovery\Winre.wim
MD5:
SHA256:
7896ReAgentc.exe\\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\EFI\Microsoft\Recovery\BCDbinary
MD5:E77A7B4B135D9904916A353A35FCA414
SHA256:E832F32E81899D436A0FB8814126795251A3E96F09E556389488933A43DAD4D2
7700WinCrack.exeC:\Windows\System32\msmgr.exeexecutable
MD5:71BA1B4BA5D9B525BFD0565E12846B5F
SHA256:F898D4C0B2666E6B01AD5EB8123E582C5276B0EF72491C466D7C118216DE66A6
3620PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.047.etlbinary
MD5:FED961067F664B5381B65A534B7AB728
SHA256:652F31A8284AE812D1D9D24192BC800976BF74C240591C6AC443A28C4709FB7C
3620PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.046.etlbinary
MD5:A7A21FBC9D00F33F186B34A50E170C13
SHA256:64CAC91E46D4FC832958232A658431CBF9D8D9F265653ACA2BEB32428D4688EC
3620PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.050.etletl
MD5:C8834D365FAE073DEDE1F1620454CE71
SHA256:C6DD793EEE1D5551CA507A3C5BFFECA82DD3E29C63C2C6DD218A7D4BFB37046B
3620PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.037.etlbinary
MD5:B787593A02A4E0A601164A65952D0CB9
SHA256:3594AD496D8E1771BCC3E8B6F68B4C2B4190A9A331FB43F068A7DF4E1894E2CF
7896ReAgentc.exeC:\Windows\Panther\UnattendGC\diagerr.xmltext
MD5:3A8D2D92D67445734789F82D6E6D90A6
SHA256:E80AA5A43C517844228A67E8A49E30EE8CF68979E54BA0A3FE660C80978808C6
3620PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.042.etlbinary
MD5:C1F87CF12DD702D2185E703BA004D216
SHA256:9D993487866C9538DC19F281A6346E1796E7478C7C164D61437AF6E698C66125
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
40
TCP/UDP connections
48
DNS requests
39
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4380
RUXIMICS.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4380
RUXIMICS.exe
GET
200
92.123.22.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
OPTIONS
200
2.16.168.201:443
https://bzib.nelreports.net/api/report?cat=bingbusiness
unknown
GET
401
13.107.6.158:443
https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox
unknown
POST
204
2.23.227.215:443
https://www.bing.com/threshold/xls.aspx
unknown
whitelisted
GET
200
13.107.253.45:443
https://edge-mobile-static.azureedge.net/eccp/get?settenant=edge-config&setplatform=win&setmkt=en-US&setchannel=stable
unknown
binary
16.0 Kb
whitelisted
GET
200
52.109.76.240:443
https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.16026&crev=3
unknown
xml
179 Kb
whitelisted
POST
204
2.23.227.208:443
https://www.bing.com/threshold/xls.aspx
unknown
whitelisted
GET
200
13.107.42.16:443
https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=44&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1
unknown
binary
768 b
whitelisted
GET
200
2.23.227.208:443
https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
unknown
html
129 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4380
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4380
RUXIMICS.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
4380
RUXIMICS.exe
92.123.22.101:80
www.microsoft.com
AKAMAI-AS
AT
whitelisted
224.0.0.252:5355
whitelisted
5764
msedge.exe
224.0.0.251:5353
unknown
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 92.123.22.101
whitelisted
self.events.data.microsoft.com
  • 13.89.179.11
  • 20.42.73.25
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
ecs.office.com
  • 52.123.128.14
  • 52.123.129.14
whitelisted
www.bing.com
  • 2.17.22.11
  • 2.17.22.40
  • 2.17.22.43
  • 2.17.22.33
  • 95.101.79.131
  • 95.101.79.128
  • 2.17.22.41
  • 95.101.79.130
  • 2.17.22.35
  • 2.17.22.67
  • 2.17.22.26
  • 2.17.22.59
  • 2.17.22.48
  • 2.17.22.58
  • 2.17.22.34
  • 2.17.22.42
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO Possible Chrome Plugin install
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
WinCrack.exe