File name:

MobaXterm_Portable_v24.4.zip

Full analysis: https://app.any.run/tasks/26d5c031-79e1-4722-b823-b3ac1482220a
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: July 09, 2025, 05:16:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
delphi
xor-url
generic
icmp
stealer
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

2883566CB63F0F0ED1826D061A34D3C1

SHA1:

B944C0D9ADD8C2904A1F4F670033A67013839602

SHA256:

070BD3F3C97D8F3F082CFDD285D149C8DB043695CC5CB5038DF2F1E3C9590BDA

SSDEEP:

393216:mwsCkxn/0daB2+iD2RYjMO11lyhi3355R9zaZDb8q4Ew0:YaaDiSNm1MhURs80

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 516)

    • XORed URL has been found (YARA)

      • MobaXterm_Portable_v24.4.exe (PID: 6748)

    • Actions looks like stealing of personal data

      • MobaXterm_Portable_v24.4.exe (PID: 6748)

    • Steals credentials from Web Browsers

      • MobaXterm_Portable_v24.4.exe (PID: 6748)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • tmp.exe (PID: 4520)

    • The process creates files with name similar to system file names

      • tmp.exe (PID: 4520)

    • There is functionality for communication over UDP network (YARA)

      • tmp.exe (PID: 4520)

    • There is functionality for taking screenshot (YARA)

      • tmp.exe (PID: 4520)
      • XWin_MobaX.exe (PID: 6256)

    • There is functionality for sending ICMP (YARA)

      • tmp.exe (PID: 4520)

    • Reads security settings of Internet Explorer

      • tmp.exe (PID: 4520)
      • WinRAR.exe (PID: 3112)

    • Connects to unusual port

      • MobaXterm_Portable_v24.4.exe (PID: 6748)

    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 3112)

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 3112)

  • INFO

    • Checks supported languages

      • MobaXterm_Portable_v24.4.exe (PID: 6748)
      • tmp.exe (PID: 4520)
      • XWin_MobaX.exe (PID: 6256)
      • xkbcomp_w32.exe (PID: 2536)
      • MpCmdRun.exe (PID: 3540)

    • Manual execution by a user

      • MobaXterm_Portable_v24.4.exe (PID: 4932)
      • MobaXterm_Portable_v24.4.exe (PID: 6748)
      • tmp.exe (PID: 4520)
      • notepad.exe (PID: 6180)
      • WinRAR.exe (PID: 3112)
      • OpenWith.exe (PID: 5560)
      • OpenWith.exe (PID: 6232)
      • OpenWith.exe (PID: 3736)
      • OpenWith.exe (PID: 7156)

    • Reads the machine GUID from the registry

      • tmp.exe (PID: 4520)

    • Reads the computer name

      • MobaXterm_Portable_v24.4.exe (PID: 6748)
      • tmp.exe (PID: 4520)
      • XWin_MobaX.exe (PID: 6256)
      • MpCmdRun.exe (PID: 3540)

    • Creates files or folders in the user directory

      • tmp.exe (PID: 4520)

    • Create files in a temporary directory

      • tmp.exe (PID: 4520)
      • XWin_MobaX.exe (PID: 6256)
      • xkbcomp_w32.exe (PID: 2536)
      • MobaXterm_Portable_v24.4.exe (PID: 6748)
      • MpCmdRun.exe (PID: 3540)

    • Reads mouse settings

      • tmp.exe (PID: 4520)

    • Compiled with Borland Delphi (YARA)

      • MobaXterm_Portable_v24.4.exe (PID: 6748)
      • tmp.exe (PID: 4520)
      • notepad.exe (PID: 6180)
      • XWin_MobaX.exe (PID: 6256)
      • slui.exe (PID: 2880)
      • conhost.exe (PID: 868)

    • The sample compiled with english language support

      • tmp.exe (PID: 4520)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 6180)

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 5560)
      • OpenWith.exe (PID: 6232)
      • OpenWith.exe (PID: 7156)
      • OpenWith.exe (PID: 3736)

    • Process checks computer location settings

      • tmp.exe (PID: 4520)

    • Checks proxy server information

      • slui.exe (PID: 2880)

    • Reads the software policy settings

      • slui.exe (PID: 2880)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(6748) MobaXterm_Portable_v24.4.exe
Decrypted-URLs (1)http://aliyunsst.com/143?file=webstore.txt
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:07:08 12:27:56
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: MobaXterm_Portable_v24.4/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
147
Monitored processes
18
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs mobaxterm_portable_v24.4.exe no specs mobaxterm_portable_v24.4.exe tmp.exe no specs winrar.exe no specs notepad.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs xwin_mobax.exe no specs xkbcomp_w32.exe no specs conhost.exe no specs rundll32.exe no specs openwith.exe no specs slui.exe cmd.exe no specs conhost.exe no specs mpcmdrun.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
516"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\MobaXterm_Portable_v24.4.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
868\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2404C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR3112.12950\Rar$Scan122477.bat" "C:\Windows\System32\cmd.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
2536"C:\Users\admin\AppData\Local\Temp\Mxt244\bin\xkbcomp_w32.exe" -w 1 "-RC:\Users\admin\AppData\Local\Temp\Mxt244\usr\share\X11\xkb" -xkm "C:\Users\admin\AppData\Local\Temp\Mxt244\var\log\xwin\xkb_a03720" -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" "C:\Users\admin\AppData\Local\Temp\Mxt244\var\log\xwin\server-0.xkm"C:\Users\admin\AppData\Local\Temp\Mxt244\bin\xkbcomp_w32.exeXWin_MobaX.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\mxt244\bin\xkbcomp_w32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2880C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3112"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\MobaXterm backup.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
3540"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR3112.12950"C:\Program Files\Windows Defender\MpCmdRun.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
3736"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\mobaxtermC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
4520"C:\Users\admin\Desktop\tmp.exe" C:\Users\admin\Desktop\tmp.exeexplorer.exe
User:
admin
Company:
Mobatek
Integrity Level:
MEDIUM
Description:
MobaXterm
Version:
24.4.0.5258
Modules
Images
c:\users\admin\desktop\tmp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
4932"C:\Users\admin\Desktop\MobaXterm_Portable_v24.4.exe" C:\Users\admin\Desktop\MobaXterm_Portable_v24.4.exeexplorer.exe
User:
admin
Company:
Mobatek
Integrity Level:
MEDIUM
Description:
MobaXterm
Exit code:
3221226540
Version:
25.2.0.5296
Modules
Images
c:\users\admin\desktop\mobaxterm_portable_v24.4.exe
c:\windows\system32\ntdll.dll
Total events
11 049
Read events
10 699
Write events
337
Delete events
13

Modification events

(PID) Process:(516) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(516) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(516) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(516) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\MobaXterm_Portable_v24.4.zip
(PID) Process:(516) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(516) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(516) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(516) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3112) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(3112) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
Executable files
42
Suspicious files
86
Text files
470
Unknown types
121

Dropped files

PID
Process
Filename
Type
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\passwdcsv
MD5:B6FFF995136BFB25F6C79C4B4FAAAEC0
SHA256:B3274D304D93E980D6C60EF969EB8119AD6717CA1AE3526B8328EE692D066DE9
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\profiletext
MD5:02E89B83EF4CD072D9A1F64D0C47FD55
SHA256:3361E6334B4958186B6D95A3BF7168C29C25F89CDCE8D90CC1A9AFA95AD2EF0D
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\init.d\ftpbinary
MD5:2A2FCE224C91755D043CFD460CB7EBC2
SHA256:CAABB53C134A5727836D7669AB5063AFAECD37E1225F5F3A6810AEF441BAFF20
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\fstabcsv
MD5:64C841DF1575360D492E87DC63144FF5
SHA256:2B51A2DDA1D2DB7315282EC473DD454F8CF8DE8D20344B9E0F2DA9059FC55913
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\init.d\telnetbinary
MD5:2A2FCE224C91755D043CFD460CB7EBC2
SHA256:CAABB53C134A5727836D7669AB5063AFAECD37E1225F5F3A6810AEF441BAFF20
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\init.d\sshbinary
MD5:2A2FCE224C91755D043CFD460CB7EBC2
SHA256:CAABB53C134A5727836D7669AB5063AFAECD37E1225F5F3A6810AEF441BAFF20
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\init.d\httpbinary
MD5:2A2FCE224C91755D043CFD460CB7EBC2
SHA256:CAABB53C134A5727836D7669AB5063AFAECD37E1225F5F3A6810AEF441BAFF20
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\init.d\nfsbinary
MD5:2A2FCE224C91755D043CFD460CB7EBC2
SHA256:CAABB53C134A5727836D7669AB5063AFAECD37E1225F5F3A6810AEF441BAFF20
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\etc\init.d\tftpbinary
MD5:2A2FCE224C91755D043CFD460CB7EBC2
SHA256:CAABB53C134A5727836D7669AB5063AFAECD37E1225F5F3A6810AEF441BAFF20
4520tmp.exeC:\Users\admin\AppData\Local\Temp\Mxt244\bin\MobaListPortstext
MD5:BC32355ECB78CAC7589E9EB70632097C
SHA256:52470DA1497B8D81FAC8CCFAA33FE2762F83020E4E125A1B8339EED63214A788
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
54
DNS requests
26
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
20.190.160.20:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
200
20.190.160.5:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
3720
RUXIMICS.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3720
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
20.190.160.5:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
20.190.160.132:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
whitelisted
POST
200
40.126.32.68:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
6748
MobaXterm_Portable_v24.4.exe
GET
47.239.17.147:80
http://aliyunsst.com/143?file=webstore.txt
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3720
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.190.160.20:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6876
svchost.exe
20.190.160.20:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5944
MoUsoCoreWorker.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.184.206
whitelisted
login.live.com
  • 20.190.160.20
  • 20.190.160.65
  • 20.190.160.66
  • 20.190.160.132
  • 20.190.160.5
  • 40.126.32.133
  • 20.190.160.2
  • 40.126.32.140
  • 40.126.32.68
  • 40.126.32.134
  • 20.190.160.128
  • 40.126.32.72
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.42
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.21
whitelisted
aliyunsst.com
  • 47.239.17.147
unknown
web-360store.oss-cn-beijing.aliyuncs.com
  • 39.103.20.89
unknown
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
MobaXterm_Portable_v24.4.zip