File name:

MobaXterm_Portable_v24.4.zip

Full analysis: https://app.any.run/tasks/26d5c031-79e1-4722-b823-b3ac1482220a
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: July 09, 2025, 05:16:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
delphi
xor-url
generic
icmp
stealer
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

2883566CB63F0F0ED1826D061A34D3C1

SHA1:

B944C0D9ADD8C2904A1F4F670033A67013839602

SHA256:

070BD3F3C97D8F3F082CFDD285D149C8DB043695CC5CB5038DF2F1E3C9590BDA

SSDEEP:

393216:mwsCkxn/0daB2+iD2RYjMO11lyhi3355R9zaZDb8q4Ew0:YaaDiSNm1MhURs80

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 516)

    • XORed URL has been found (YARA)

      • MobaXterm_Portable_v24.4.exe (PID: 6748)

    • Actions looks like stealing of personal data

      • MobaXterm_Portable_v24.4.exe (PID: 6748)

    • Steals credentials from Web Browsers

      • MobaXterm_Portable_v24.4.exe (PID: 6748)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • tmp.exe (PID: 4520)

    • The process creates files with name similar to system file names

      • tmp.exe (PID: 4520)

    • There is functionality for taking screenshot (YARA)

      • tmp.exe (PID: 4520)
      • XWin_MobaX.exe (PID: 6256)

    • There is functionality for communication over UDP network (YARA)

      • tmp.exe (PID: 4520)

    • There is functionality for sending ICMP (YARA)

      • tmp.exe (PID: 4520)

    • Reads security settings of Internet Explorer

      • tmp.exe (PID: 4520)
      • WinRAR.exe (PID: 3112)

    • Connects to unusual port

      • MobaXterm_Portable_v24.4.exe (PID: 6748)

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 3112)

    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 3112)

  • INFO

    • Manual execution by a user

      • MobaXterm_Portable_v24.4.exe (PID: 4932)
      • MobaXterm_Portable_v24.4.exe (PID: 6748)
      • notepad.exe (PID: 6180)
      • tmp.exe (PID: 4520)
      • OpenWith.exe (PID: 7156)
      • OpenWith.exe (PID: 6232)
      • WinRAR.exe (PID: 3112)
      • OpenWith.exe (PID: 3736)
      • OpenWith.exe (PID: 5560)

    • Checks supported languages

      • MobaXterm_Portable_v24.4.exe (PID: 6748)
      • tmp.exe (PID: 4520)
      • XWin_MobaX.exe (PID: 6256)
      • xkbcomp_w32.exe (PID: 2536)
      • MpCmdRun.exe (PID: 3540)

    • Reads the computer name

      • tmp.exe (PID: 4520)
      • MobaXterm_Portable_v24.4.exe (PID: 6748)
      • XWin_MobaX.exe (PID: 6256)
      • MpCmdRun.exe (PID: 3540)

    • Reads mouse settings

      • tmp.exe (PID: 4520)

    • Reads the machine GUID from the registry

      • tmp.exe (PID: 4520)

    • Compiled with Borland Delphi (YARA)

      • MobaXterm_Portable_v24.4.exe (PID: 6748)
      • notepad.exe (PID: 6180)
      • XWin_MobaX.exe (PID: 6256)
      • slui.exe (PID: 2880)
      • conhost.exe (PID: 868)
      • tmp.exe (PID: 4520)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 6180)

    • The sample compiled with english language support

      • tmp.exe (PID: 4520)

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 5560)
      • OpenWith.exe (PID: 7156)
      • OpenWith.exe (PID: 6232)
      • OpenWith.exe (PID: 3736)

    • Process checks computer location settings

      • tmp.exe (PID: 4520)

    • Create files in a temporary directory

      • XWin_MobaX.exe (PID: 6256)
      • MobaXterm_Portable_v24.4.exe (PID: 6748)
      • xkbcomp_w32.exe (PID: 2536)
      • tmp.exe (PID: 4520)
      • MpCmdRun.exe (PID: 3540)

    • Creates files or folders in the user directory

      • tmp.exe (PID: 4520)

    • Reads the software policy settings

      • slui.exe (PID: 2880)

    • Checks proxy server information

      • slui.exe (PID: 2880)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(6748) MobaXterm_Portable_v24.4.exe
Decrypted-URLs (1)http://aliyunsst.com/143?file=webstore.txt
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:07:08 12:27:56
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: MobaXterm_Portable_v24.4/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
147
Monitored processes
18
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs mobaxterm_portable_v24.4.exe no specs mobaxterm_portable_v24.4.exe tmp.exe no specs winrar.exe no specs notepad.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs xwin_mobax.exe no specs xkbcomp_w32.exe no specs conhost.exe no specs rundll32.exe no specs openwith.exe no specs slui.exe cmd.exe no specs conhost.exe no specs mpcmdrun.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
516"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\MobaXterm_Portable_v24.4.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
868\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2404C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR3112.12950\Rar$Scan122477.bat" "C:\Windows\System32\cmd.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
2536"C:\Users\admin\AppData\Local\Temp\Mxt244\bin\xkbcomp_w32.exe" -w 1 "-RC:\Users\admin\AppData\Local\Temp\Mxt244\usr\share\X11\xkb" -xkm "C:\Users\admin\AppData\Local\Temp\Mxt244\var\log\xwin\xkb_a03720" -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" "C:\Users\admin\AppData\Local\Temp\Mxt244\var\log\xwin\server-0.xkm"C:\Users\admin\AppData\Local\Temp\Mxt244\bin\xkbcomp_w32.exeXWin_MobaX.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\mxt244\bin\xkbcomp_w32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2880C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3112"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\MobaXterm backup.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
3540"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR3112.12950"C:\Program Files\Windows Defender\MpCmdRun.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
3736"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\mobaxtermC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
4520"C:\Users\admin\Desktop\tmp.exe" C:\Users\admin\Desktop\tmp.exeexplorer.exe
User:
admin
Company:
Mobatek
Integrity Level:
MEDIUM
Description:
MobaXterm
Version:
24.4.0.5258
Modules
Images
c:\users\admin\desktop\tmp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
4932"C:\Users\admin\Desktop\MobaXterm_Portable_v24.4.exe" C:\Users\admin\Desktop\MobaXterm_Portable_v24.4.exeexplorer.exe
User:
admin
Company:
Mobatek
Integrity Level:
MEDIUM
Description:
MobaXterm
Exit code:
3221226540
Version:
25.2.0.5296
Modules
Images
c:\users\admin\desktop\mobaxterm_portable_v24.4.exe
c:\windows\system32\ntdll.dll
Total events
11 049
Read events
10 699
Write events
337
Delete events
13

Modification events

(PID) Process:(516) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(516) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(516) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(516) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\MobaXterm_Portable_v24.4.zip
(PID) Process:(516) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(516) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(516) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(516) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3112) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(3112) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
Executable files
42
Suspicious files
86
Text files
470
Unknown types
121

Dropped files

PID
Process
Filename
Type
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\passwdcsv
MD5:B6FFF995136BFB25F6C79C4B4FAAAEC0
SHA256:B3274D304D93E980D6C60EF969EB8119AD6717CA1AE3526B8328EE692D066DE9
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\init.d\ftpbinary
MD5:2A2FCE224C91755D043CFD460CB7EBC2
SHA256:CAABB53C134A5727836D7669AB5063AFAECD37E1225F5F3A6810AEF441BAFF20
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\baseprofiletext
MD5:7D0FB66333FE2DDAF38BC069496703FA
SHA256:D53E0DACB1DA5163E92CFE2789720ADF04C14F67FF88CEE2D0EF87CA6BE98E91
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\init.d\tftpbinary
MD5:2A2FCE224C91755D043CFD460CB7EBC2
SHA256:CAABB53C134A5727836D7669AB5063AFAECD37E1225F5F3A6810AEF441BAFF20
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\init.d\nfsbinary
MD5:2A2FCE224C91755D043CFD460CB7EBC2
SHA256:CAABB53C134A5727836D7669AB5063AFAECD37E1225F5F3A6810AEF441BAFF20
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\init.d\httpbinary
MD5:2A2FCE224C91755D043CFD460CB7EBC2
SHA256:CAABB53C134A5727836D7669AB5063AFAECD37E1225F5F3A6810AEF441BAFF20
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\bin\MobaListPortstext
MD5:BC32355ECB78CAC7589E9EB70632097C
SHA256:52470DA1497B8D81FAC8CCFAA33FE2762F83020E4E125A1B8339EED63214A788
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\nsswitch.conftext
MD5:5A76145CB2E0BD7CABAC55C6E941F3F7
SHA256:C83DC30523FEDB6298ABE4A492EC03CE74B3EDF1679A69F23B6B901620925B1B
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\init.d\sshbinary
MD5:2A2FCE224C91755D043CFD460CB7EBC2
SHA256:CAABB53C134A5727836D7669AB5063AFAECD37E1225F5F3A6810AEF441BAFF20
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\init.d\vncbinary
MD5:2A2FCE224C91755D043CFD460CB7EBC2
SHA256:CAABB53C134A5727836D7669AB5063AFAECD37E1225F5F3A6810AEF441BAFF20
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
54
DNS requests
26
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3720
RUXIMICS.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
200
20.190.160.20:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
200
20.190.160.5:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
6748
MobaXterm_Portable_v24.4.exe
GET
47.239.17.147:80
http://aliyunsst.com/143?file=webstore.txt
unknown
unknown
POST
200
20.190.160.5:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
3720
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
40.126.32.68:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
POST
200
20.190.160.132:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3720
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.190.160.20:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6876
svchost.exe
20.190.160.20:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5944
MoUsoCoreWorker.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.184.206
whitelisted
login.live.com
  • 20.190.160.20
  • 20.190.160.65
  • 20.190.160.66
  • 20.190.160.132
  • 20.190.160.5
  • 40.126.32.133
  • 20.190.160.2
  • 40.126.32.140
  • 40.126.32.68
  • 40.126.32.134
  • 20.190.160.128
  • 40.126.32.72
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.42
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.21
whitelisted
aliyunsst.com
  • 47.239.17.147
unknown
web-360store.oss-cn-beijing.aliyuncs.com
  • 39.103.20.89
unknown
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
MobaXterm_Portable_v24.4.zip