File name: KingWordsv0.2_.exe

Full analysis: https://app.any.run/tasks/0628b302-6a78-40e5-81bb-3955cceee0f7
Verdict: Malicious activity
Threats: Loader

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims' computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 21, 2025, 14:40:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
loader
stealer
clipper
diamotrix
python
yero
worm
arch-doc
crypto-regex
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: EB9A4D1CEB87ACB799B6CB938AB8BD70
SHA1: 353C1D90C50917FB6562368BF70B936E754853C0
SHA256: 0AF23FC9EAF1973AE5742C427A5954DD4BFB906ECBD981B4A46C9FA927FD6DA2
SSDEEP: 98304:sppkU6AyTXOkOM860ZXVNTFwzCfCG+zZ:q1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was injected by another process

      • explorer.exe (PID: 4772)
      • firefox.exe (PID: 3964)
      • firefox.exe (PID: 4512)
    • Changes the autorun value in the registry

      • fgsdfgerds.exe (PID: 3092)
      • vbcvgfdgdf.exe (PID: 4860)
      • explorer.exe (PID: 4772)
    • Runs injected code in another process

      • vbcvgfdgdf.exe (PID: 4860)
    • Actions look like stealing of personal data

      • sdgfxcvxc.exe (PID: 6612)
    • DIAMOTRIX has been detected (SURICATA)

      • explorer.exe (PID: 4772)
    • YERO has been detected

      • systmdrv.exe (PID: 4104)
    • Loads dropped or rewritten executable

      • tmp1077.exe (PID: 2228)
      • conhost.exe (PID: 768)
      • WaaSMedicAgent.exe (PID: 4576)
      • MusNotifyIcon.exe (PID: 2288)
      • tmp2176.exe (PID: 3196)
      • WINWORD.EXE (PID: 1800)
      • notepad.exe (PID: 4236)
      • notepad.exe (PID: 6140)
      • notepad.exe (PID: 1812)
      • tmp2176.exe (PID: 5908)
      • WINWORD.EXE (PID: 2804)
      • SIHClient.exe (PID: 4880)
      • ai.exe (PID: 6684)
      • notepad.exe (PID: 4824)
      • backgroundTaskHost.exe (PID: 6380)
      • RuntimeBroker.exe (PID: 4760)
      • backgroundTaskHost.exe (PID: 1136)
      • WINWORD.EXE (PID: 3836)
      • rundll32.exe (PID: 4752)
      • svchost.exe (PID: 1816)
      • dllhost.exe (PID: 6380)
      • slui.exe (PID: 3564)
    • Connects to the CnC server

      • sdgfxcvxc.exe (PID: 6612)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • KingWordsv0.2_.exe (PID: 3900)
      • fgsdfgerds.exe (PID: 3092)
      • tmp1077.exe (PID: 7056)
      • tmp2176.exe (PID: 3196)
    • Reads the date of Windows installation

      • KingWordsv0.2_.exe (PID: 3900)
      • fgsdfgerds.exe (PID: 3092)
      • systmdrv.exe (PID: 4104)
    • Executable content was dropped or overwritten

      • KingWordsv0.2_.exe (PID: 3900)
      • vbcvgfdgdf.exe (PID: 4860)
      • systmdrv.exe (PID: 4104)
      • tmp1077.exe (PID: 7056)
      • tmp2176.exe (PID: 3196)
      • fgsdfgerds.exe (PID: 3092)
    • Reads security settings of Internet Explorer

      • KingWordsv0.2_.exe (PID: 3900)
      • KingWords v0.2.exe (PID: 2552)
      • systmdrv.exe (PID: 4104)
      • fgsdfgerds.exe (PID: 3092)
      • sdgfxcvxc.exe (PID: 6612)
    • Reads Microsoft Outlook installation path

      • KingWords v0.2.exe (PID: 2552)
    • Reads Internet Explorer settings

      • KingWords v0.2.exe (PID: 2552)
    • Connects to unusual port

      • sdgfxcvxc.exe (PID: 6612)
    • Process requests binary or script from the Internet

      • systmdrv.exe (PID: 4104)
    • Connects to the server without a host name

      • explorer.exe (PID: 4772)
      • systmdrv.exe (PID: 4104)
      • sdgfxcvxc.exe (PID: 6612)
    • Starts itself from another location

      • fgsdfgerds.exe (PID: 3092)
    • Potential Corporate Privacy Violation

      • systmdrv.exe (PID: 4104)
    • Application launched itself

      • tmp1077.exe (PID: 7056)
      • tmp2176.exe (PID: 3196)
    • Process drops Python dynamic module

      • tmp1077.exe (PID: 7056)
      • tmp2176.exe (PID: 3196)
    • The process drops C-runtime libraries

      • tmp1077.exe (PID: 7056)
      • tmp2176.exe (PID: 3196)
    • Loads Python modules

      • tmp1077.exe (PID: 2228)
      • tmp2176.exe (PID: 5908)
    • Uses RUNDLL32.EXE to load library

      • explorer.exe (PID: 4772)
    • Contacting a server suspected of hosting a CnC

      • sdgfxcvxc.exe (PID: 6612)
    • Found regular expressions for crypto-addresses (YARA)

      • systmdrv.exe (PID: 4104)
  • INFO

    • The sample was compiled with English language support

      • KingWordsv0.2_.exe (PID: 3900)
      • tmp1077.exe (PID: 7056)
      • tmp2176.exe (PID: 3196)
      • fgsdfgerds.exe (PID: 3092)
    • Reads the machine GUID from the registry

      • vbcvgfdgdf.exe (PID: 4860)
      • KingWords v0.2.exe (PID: 2552)
      • bbeecafdaeec.exe (PID: 5968)
      • vbcvgfdgdf.exe (PID: 7120)
      • tmp1077.exe (PID: 2228)
      • tmp2176.exe (PID: 5908)
    • Reads the computer name

      • KingWordsv0.2_.exe (PID: 3900)
      • sdgfxcvxc.exe (PID: 6612)
      • KingWords v0.2.exe (PID: 2552)
      • systmdrv.exe (PID: 4104)
      • fgsdfgerds.exe (PID: 3092)
      • tmp1077.exe (PID: 7056)
      • tmp2176.exe (PID: 3196)
      • vbcvgfdgdf.exe (PID: 4860)
    • Creates files or folders in the user directory

      • KingWordsv0.2_.exe (PID: 3900)
      • fgsdfgerds.exe (PID: 3092)
      • KingWords v0.2.exe (PID: 2552)
      • systmdrv.exe (PID: 4104)
      • sdgfxcvxc.exe (PID: 6612)
    • Checks supported languages

      • fgsdfgerds.exe (PID: 3092)
      • KingWordsv0.2_.exe (PID: 3900)
      • KingWords v0.2.exe (PID: 2552)
      • RUXIMICS.exe (PID: 2632)
      • systmdrv.exe (PID: 4104)
      • bbeecafdaeec.exe (PID: 5968)
      • systmdrv.exe (PID: 1128)
      • vbcvgfdgdf.exe (PID: 7120)
      • tmp1077.exe (PID: 7056)
      • tmp1077.exe (PID: 2228)
      • tmp2176.exe (PID: 3196)
      • sdgfxcvxc.exe (PID: 6612)
      • vbcvgfdgdf.exe (PID: 4860)
      • tmp2176.exe (PID: 5908)
    • Launching a file from a Registry key

      • fgsdfgerds.exe (PID: 3092)
      • vbcvgfdgdf.exe (PID: 4860)
      • explorer.exe (PID: 4772)
    • Process checks computer location settings

      • KingWordsv0.2_.exe (PID: 3900)
      • fgsdfgerds.exe (PID: 3092)
      • systmdrv.exe (PID: 4104)
    • Creates files in the program directory

      • vbcvgfdgdf.exe (PID: 4860)
      • RUXIMICS.exe (PID: 2632)
      • MusNotificationUx.exe (PID: 5264)
      • MusNotifyIcon.exe (PID: 2288)
      • sdgfxcvxc.exe (PID: 6612)
    • Creates files in a temporary directory

      • sdgfxcvxc.exe (PID: 6612)
      • systmdrv.exe (PID: 4104)
      • tmp1077.exe (PID: 7056)
      • tmp2176.exe (PID: 3196)
    • Checks proxy server information

      • KingWords v0.2.exe (PID: 2552)
      • explorer.exe (PID: 4772)
      • systmdrv.exe (PID: 4104)
      • sdgfxcvxc.exe (PID: 6612)
      • slui.exe (PID: 3564)
    • Reads the software policy settings

      • KingWords v0.2.exe (PID: 2552)
      • WaaSMedicAgent.exe (PID: 4576)
      • SIHClient.exe (PID: 4880)
      • slui.exe (PID: 3564)
    • Reads the time zone

      • MusNotificationUx.exe (PID: 5264)
      • MusNotifyIcon.exe (PID: 2288)
      • WmiPrvSE.exe (PID: 3936)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 4236)
      • notepad.exe (PID: 1812)
      • explorer.exe (PID: 4772)
      • notepad.exe (PID: 6140)
      • notepad.exe (PID: 4824)
      • backgroundTaskHost.exe (PID: 1136)
      • backgroundTaskHost.exe (PID: 6380)
      • rundll32.exe (PID: 4752)
    • Reads Microsoft Office registry keys

      • rundll32.exe (PID: 4752)
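The "clipper" and "crypto-regex" tags and the "Found regular expressions for crypto-addresses (YARA)" hit on systmdrv.exe point at clipboard hijacking: the malware watches the clipboard for wallet addresses and swaps in its own. The following is an added example, not code from the report or from the sample: the report does not print the sample's regexes, so the address shapes below are common ones chosen for illustration, the two-second window and the clipboard trace are constructed, and the process name that performs the swap is hypothetical.

```python
"""Added example: clipboard-swap (clipper) detection heuristic.

Not ANY.RUN code and not the sample's own patterns. Address shapes, window
size, clipboard events and the writer process names are all assumptions.
"""
import re
from dataclasses import dataclass

# Shape-only matchers for address families a clipper typically targets.
# No checksum validation: a clipper's own regex does not validate either.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify(text: str):
    """Return the address family of a clipboard string, or None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


@dataclass
class ClipEvent:
    t: float       # seconds since monitoring started
    text: str      # clipboard contents after the write
    writer: str    # process that set the clipboard (assumed known to the monitor)


def detect_swaps(events, window=2.0):
    """Flag an address replaced by a *different* address of the same family
    within `window` seconds: a user does not re-copy a new wallet that fast,
    a clipper overwriting a paste does."""
    alerts, last = [], None   # last = (event, kind) of the previous address
    for ev in events:
        kind = classify(ev.text)
        if kind is None:
            last = None            # non-address content resets the chain
            continue
        if (last is not None and last[1] == kind and last[0].text != ev.text
                and ev.t - last[0].t <= window):
            alerts.append({
                "kind": kind,
                "original": last[0].text,
                "replacement": ev.text,
                "delta": round(ev.t - last[0].t, 3),
                "writer": ev.writer,
            })
        last = (ev, kind)
    return alerts


# Constructed clipboard trace (hypothetical processes): a BTC address is
# overwritten 200 ms after the user copies it; an ETH address changes only
# after 20 s, which a 2 s window treats as a second copy by the user.
SAMPLE_TRACE = [
    ClipEvent(0.0, "meeting notes", "notepad.exe"),
    ClipEvent(1.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "firefox.exe"),
    ClipEvent(1.2, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "clipper_sample.exe"),
    ClipEvent(10.0, "0x" + "ab" * 20, "firefox.exe"),
    ClipEvent(30.0, "0x" + "cd" * 20, "firefox.exe"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_TRACE):
        print(f"{alert['kind']}: {alert['original']} -> {alert['replacement']} "
              f"after {alert['delta']}s by {alert['writer']}")
```

The same regexes, applied to a binary's string table instead of to clipboard text, are what the YARA signature behind the report's "crypto-regex" hit is looking for; on a live host the heuristic needs a clipboard monitor that records the writing process, which this example assumes rather than implements.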
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:20 19:00:02+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 55808
InitializedDataSize: 2020864
UninitializedDataSize: -
EntryPoint: 0x1dfc
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.2.1.1
ProductVersionNumber: 3.1.1.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Ioxcv
FileVersion: 6.0.0.0
InternalName: Ioxcv.exe
LegalCopyright: (C) 2026
OriginalFileName: Ioxcv.exe
ProductName: Ioxcv
ProductVersion: 2.2.2.2

Note on the version resource: the four version fields contradict each other (1.2.1.1, 3.1.1.1, 6.0.0.0, 2.2.2.2), the copyright year (2026) postdates the PE timestamp (2025-06-20), and the internal/original name (Ioxcv.exe) matches neither the sample name nor the decoy it launches (KingWords v0.2.exe). Treat these fields as attacker-controlled filler, not as attribution data.
Total processes: 161
Monitored processes: 38
Malicious processes: 9
Suspicious processes: 4

Behavior graph

Process start order as drawn in the report ("no specs" is the report's own label; #YERO and #DIAMOTRIX mark the detections):

start
  kingwordsv0.2_.exe
  fgsdfgerds.exe
  sdgfxcvxc.exe
  vbcvgfdgdf.exe
  kingwords v0.2.exe
  systmdrv.exe (#YERO)
  explorer.exe (#DIAMOTRIX)
  bbeecafdaeec.exe (no specs)
  systmdrv.exe (no specs)
  vbcvgfdgdf.exe (no specs)
  tmp1077.exe
  tmp1077.exe (no specs)
  ruximics.exe (no specs)
  wmiprvse.exe (no specs)
  musnotificationux.exe (no specs)
  conhost.exe (no specs)
  waasmedicagent.exe (no specs)
  musnotifyicon.exe (no specs)
  tmp2176.exe
  tmp2176.exe (no specs)
  notepad.exe (no specs)
  notepad.exe (no specs)
  notepad.exe (no specs)
  winword.exe
  winword.exe (no specs)
  sihclient.exe
  ai.exe (no specs)
  notepad.exe (no specs)
  backgroundtaskhost.exe (no specs)
  runtimebroker.exe (no specs)
  backgroundtaskhost.exe (no specs)
  winword.exe (no specs)
  rundll32.exe (no specs)
  Thumbnail Cache Out of Proc Server (no specs)
  slui.exe
  svchost.exe (no specs)
  firefox.exe
  firefox.exe

Process information

Each entry lists PID, command line, image path and parent process, followed by the process properties and the first loaded modules.

PID: 768
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WaaSMedicAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1128
CMD: "C:\Users\admin\AppData\Roaming\systmdrv.exe"
Path: C:\Users\admin\AppData\Roaming\systmdrv.exe
Parent process: fgsdfgerds.exe
(The Company, Description and Version fields below are what this file's own version resource claims; the file lives in AppData\Roaming and, per the Dropped files hashes further down, is byte-identical to fgsdfgerds.exe.)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
System
Exit code:
0
Version:
10.0.19041.4842 (WinBuild.160101.0800)
Loaded modules (images):
c:\users\admin\appdata\roaming\systmdrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1136
CMD: "C:\WINDOWS\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
Path: C:\Windows\System32\backgroundTaskHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Background Task Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\backgroundtaskhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
PID: 1800
CMD: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\Desktop\authorforms.rtf /o ""
Path: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.16026.20146
Loaded modules (images):
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
PID: 1812
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Windows_Info.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 1816
CMD: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wuauserv
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2228
CMD: "C:\Users\admin\AppData\Local\Temp\tmp1077.exe"
Path: C:\Users\admin\AppData\Local\Temp\tmp1077.exe
Parent process: tmp1077.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Loaded modules (images):
c:\users\admin\appdata\local\temp\tmp1077.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2288
CMD: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 0
Path: C:\Windows\System32\MusNotifyIcon.exe
Parent process: MusNotification.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MusNotifyIcon.exe
Exit code:
0
Version:
10.0.19041.3693 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\musnotifyicon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2552
CMD: "C:\Users\admin\Desktop\KingWords v0.2.exe"
Path: C:\Users\admin\Desktop\KingWords v0.2.exe
Parent process: KingWordsv0.2_.exe
(This is the decoy application the 64-bit sample writes to the Desktop and launches; the wow64 and mscoree.dll modules below show it is a 32-bit .NET image.)
User:
admin
Integrity Level:
MEDIUM
Description:
KingWords_2
Version:
1.0.0.0
Loaded modules (images):
c:\users\admin\desktop\kingwords v0.2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2632
CMD: %ProgramFiles%\RUXIM\RUXIMICS.EXE /nonetwork
Path: C:\Program Files\RUXIM\RUXIMICS.exe
Parent process: PLUGScheduler.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Reusable UX Interaction Manager
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Loaded modules (images):
c:\program files\ruxim\ruximics.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
Total events: 52 377
Read events: 51 720
Write events: 623
Delete events: 34

Modification events

PID 3092 fgsdfgerds.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Operation: write, Name: Systmdrv
  Value: C:\Users\admin\AppData\Roaming\systmdrv.exe

PID 4860 vbcvgfdgdf.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\bbeecafdaeec
  Operation: write, Name: CurrentPath
  Value: C:\Users\admin\AppData\Roaming\vbcvgfdgdf.exe

PID 4860 vbcvgfdgdf.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Operation: write, Name: bbeecafdaeec
  Value: "C:\ProgramData\bbeecafdaeec.exe"

PID 3900 KingWordsv0.2_.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
  Operation: write, Name: LastUpdate
  Value: 80C4566800000000

PID 3900 KingWordsv0.2_.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
  Operation: write, Name: SlowContextMenuEntries
  Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

PID 4772 explorer.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
  Operation: write, Name: IconLayouts
  Value: (binary value elided)

PID 4772 explorer.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
  Operation: write, Name: IconNameVersion
  Value: 1

PID 4772 explorer.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
  Operation: write, Name: IconLayouts
  Value: (binary value elided)

PID 2552 KingWords v0.2.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  Operation: write, Name: CachePrefix
  Value: (empty)

PID 2552 KingWords v0.2.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  Operation: write, Name: CachePrefix
  Value: Cookie:
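The two HKCU\...\CurrentVersion\Run writes above are the persistence the "Changes the autorun value in the registry" signature refers to: one entry (Systmdrv) points into AppData\Roaming, the other (bbeecafdaeec) into ProgramData, and neither is quoted consistently. The following added example, which is not ANY.RUN's code, parses registry write events in the raw `(PID) Process:(…) …Key:…` row layout that the report exports and flags Run-key images that live in user-writable directories. The event text is constructed inline from the rows above; the directory list and the parsing regexes are this example's own assumptions.

```python
"""Added example: triage ANY.RUN "Modification events" rows for autorun persistence.

Not code from the report or from the sample. The row layout parsed here is the
raw export shape; the user-writable directory list is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed input: write events from this report in the raw export layout
# (header row, "Operation:<op>Name:<name>" row, "Value:" row, optional value row).
REPORT_EVENTS = r"""
(PID) Process:(3092) fgsdfgerds.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Systmdrv
Value:
C:\Users\admin\AppData\Roaming\systmdrv.exe
(PID) Process:(4860) vbcvgfdgdf.exeKey:HKEY_CURRENT_USER\SOFTWARE\bbeecafdaeec
Operation:writeName:CurrentPath
Value:
C:\Users\admin\AppData\Roaming\vbcvgfdgdf.exe
(PID) Process:(4860) vbcvgfdgdf.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:bbeecafdaeec
Value:
"C:\ProgramData\bbeecafdaeec.exe"
(PID) Process:(3900) KingWordsv0.2_.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:writeName:LastUpdate
Value:
80C4566800000000
(PID) Process:(2552) KingWords v0.2.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2552) KingWords v0.2.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
"""


@dataclass
class RegEvent:
    pid: int
    process: str
    key: str
    operation: str
    name: str
    value: str


HEADER_RE = re.compile(r"^\(PID\) Process:\((\d+)\) (.+?)Key:(.+)$")
OPNAME_RE = re.compile(r"^Operation:([a-z]+?)Name:(.*)$")


def parse_events(text: str) -> list[RegEvent]:
    """Walk the export line by line; a record is header, op/name, 'Value:', value."""
    lines = text.splitlines()
    events, i = [], 0
    while i < len(lines):
        hdr = HEADER_RE.match(lines[i])
        op = OPNAME_RE.match(lines[i + 1]) if hdr and i + 1 < len(lines) else None
        if not (hdr and op and i + 2 < len(lines) and lines[i + 2] == "Value:"):
            i += 1                      # not the start of a well-formed record
            continue
        value, i = "", i + 3
        # An empty registry value has no value line: the next header follows directly.
        if i < len(lines) and not HEADER_RE.match(lines[i]):
            value, i = lines[i], i + 1
        events.append(RegEvent(int(hdr.group(1)), hdr.group(2), hdr.group(3),
                               op.group(1), op.group(2), value))
    return events


AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)$", re.IGNORECASE)
# Assumption: directories an unprivileged process can write to. An autorun that
# points here is worth a look; one under Program Files or Windows much less so.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def image_path(value: str) -> str:
    """Pull the executable path out of a Run value: a quoted path, else the first token."""
    v = value.strip()
    if v.startswith('"'):
        close = v.find('"', 1)
        return v[1:close] if close > 0 else v[1:]
    return v.split(" ", 1)[0]


def autorun_findings(events: list[RegEvent]) -> list[dict]:
    """Every write to a Run-style key, with the image path and a writability flag."""
    findings = []
    for ev in events:
        if ev.operation != "write" or not AUTORUN_KEY_RE.search(ev.key):
            continue
        path = image_path(ev.value)
        findings.append({
            "pid": ev.pid, "process": ev.process, "key": ev.key, "name": ev.name,
            "path": path,
            "user_writable": any(m in path.lower() for m in USER_WRITABLE_MARKERS),
        })
    return findings


if __name__ == "__main__":
    for f in autorun_findings(parse_events(REPORT_EVENTS)):
        flag = "USER-WRITABLE" if f["user_writable"] else "ok"
        print(f'{f["pid"]} {f["process"]}: Run\\{f["name"]} -> {f["path"]} [{flag}]')
```

On the rows above this yields the two persistence entries, both flagged, and ignores the OneDrive, Explorer and Internet Settings writes, which are ordinary application noise. Parsing the empty CachePrefix value correctly matters: a naive "take the next line" parser would swallow the following header as the value and lose a record.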
Executable files: 144
Suspicious files: 210
Text files: 37
Unknown types: 2

Dropped files

PID 6612 sdgfxcvxc.exe -> C:\ProgramData\{65b178c1-239c-11ed-b4aa-806e6f6e6963}\Software_Info.txt (text)
  MD5: AAB1B59AF386F4F63F9007EF79B3D07A
  SHA256: 1EB2569F1A69183A48F7D93B4AFB8BFF9D7972FB160D3649EEBD67B2C986ED1F
PID 3900 KingWordsv0.2_.exe -> C:\Users\admin\AppData\Roaming\fgsdfgerds.exe (executable)
  MD5: E9C28F27DDC04C563B80B013A2140B4C
  SHA256: 82ABA7497BE6CC024E37E74DE4DA89E6EC7E7A0EB3A447546AAEE762E159BA2A
PID 2632 RUXIMICS.exe -> C:\ProgramData\PLUG\Logs\RUXIMLog.050.etl (binary)
  MD5: C1F87CF12DD702D2185E703BA004D216
  SHA256: 9D993487866C9538DC19F281A6346E1796E7478C7C164D61437AF6E698C66125
PID 3092 fgsdfgerds.exe -> C:\Users\admin\AppData\Roaming\systmdrv.exe (executable)
  MD5: E9C28F27DDC04C563B80B013A2140B4C
  SHA256: 82ABA7497BE6CC024E37E74DE4DA89E6EC7E7A0EB3A447546AAEE762E159BA2A
PID 6612 sdgfxcvxc.exe -> C:\ProgramData\{65b178c1-239c-11ed-b4aa-806e6f6e6963}\Browsers\Chrome_History.txt (type and hashes not recorded)
PID 6612 sdgfxcvxc.exe -> C:\ProgramData\{65b178c1-239c-11ed-b4aa-806e6f6e6963}\System_Info.txt (binary)
  MD5: 70A3F753DC5253F784331BE4410F50C8
  SHA256: 217C77B8C6DFA08CF5BA90549ED2A95C0D7A4D4EAED20C5DC4F741F7701A6972
PID 6612 sdgfxcvxc.exe -> C:\ProgramData\{65b178c1-239c-11ed-b4aa-806e6f6e6963}\Browsers\Edge_History.txt (type and hashes not recorded)
PID 6612 sdgfxcvxc.exe -> C:\ProgramData\{65b178c1-239c-11ed-b4aa-806e6f6e6963}\Browsers\Chrome_Downloads.txt (type and hashes not recorded)
PID 6612 sdgfxcvxc.exe -> C:\ProgramData\{65b178c1-239c-11ed-b4aa-806e6f6e6963}\Browsers\Edge_Downloads.txt (type and hashes not recorded)
PID 6612 sdgfxcvxc.exe -> C:\ProgramData\{65b178c1-239c-11ed-b4aa-806e6f6e6963}\Directories.txt (text)
  MD5: 58FF950188AD52D103ACC8FB14612315
  SHA256: EB48C9F4A2774038CA4CBB4CF0BD07040A03C90CCA8CDB713BF04BFF5A68649C

Two things worth reading off this list: fgsdfgerds.exe and systmdrv.exe carry the same MD5/SHA256, so the Run-key persistence file is a byte-identical copy of the first-stage dropper; and the files sdgfxcvxc.exe writes under C:\ProgramData\{65b178c1-...} (browser history and download lists, software and system inventory, a directory listing) are the collection output of the process the report flags for stealing personal data and for contacting the CnC.
HTTP(S) requests: 116
TCP/UDP connections: 123
DNS requests: 35
Threats: 18

HTTP requests

PID | Process | Method | Code | IP:port | URL | CN | Type | Size | Reputation
5900 | RUXIMICS.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5900 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.68:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | GET | 200 | 192.200.102.154:443 | https://keywordshitter.com/ | unknown | html | 163 Kb | whitelisted
- | - | GET | 200 | 192.200.102.154:443 | https://keywordshitter.com/static/images/banner/keywordshitter.webp | unknown | - | - | -
- | - | POST | 200 | 20.190.160.65:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
4772 | explorer.exe | POST | 200 | 185.156.72.89:80 | http://185.156.72.89/nzcwzue/pqrfxn.php | unknown | - | - | unknown
- | - | GET | 200 | 192.200.102.154:443 | https://keywordshitter.com/static/images/banner/keywordshitter-40.webp | unknown | image | 7.16 Kb | whitelisted
4104 | systmdrv.exe | GET | 200 | 185.156.72.8:80 | http://185.156.72.8/1.exe | unknown | - | - | malicious
- | - | POST | 200 | 20.190.160.65:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted

Rows without a PID are requests the report does not attribute to a monitored process; "-" marks a column the report left empty.

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5900 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5900 | RUXIMICS.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5900 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
2336 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4644 | svchost.exe | 20.190.160.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6612 | sdgfxcvxc.exe | 185.156.72.89:27015 | - | Tov Vaiz Partner | RU | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
  • 2.18.121.147
  • 2.18.121.139
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.128
  • 20.190.160.5
  • 20.190.160.132
  • 40.126.32.72
  • 40.126.32.74
  • 40.126.32.140
  • 20.190.160.3
  • 20.190.160.17
whitelisted
keywordshitter.com
  • 192.200.102.154
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
  • 52.111.236.23
whitelisted
officeclient.microsoft.com
  • 52.109.32.97
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID | Process | Class | Message
4104 | systmdrv.exe | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
4104 | systmdrv.exe | A Network Trojan was detected | ET MALWARE Single char EXE direct download likely trojan (multiple families)
4104 | systmdrv.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
4772 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix POST Request M3
4104 | systmdrv.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
4104 | systmdrv.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4104 | systmdrv.exe | A Network Trojan was detected | ET MALWARE Single char EXE direct download likely trojan (multiple families)
4104 | systmdrv.exe | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
4104 | systmdrv.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
4104 | systmdrv.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

Process | Message
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation. (reported three times)
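The Suricata hits above are all shape-based: an executable fetched from a bare IP, a one-character filename, a POST to a dotted-quad PHP endpoint, and a connection to a high port with no hostname. The following added example, which is neither ANY.RUN code nor the Emerging Threats rule bodies, reimplements those heuristics over the report's HTTP and connection rows and then groups the flagged IP literals by /24, which is how an analyst would notice that the payload host (185.156.72.8) and the CnC (185.156.72.89) share a network. The rows are constructed from the tables above; the port allow-list, the rule labels and the /24 pivot are this example's assumptions.

```python
"""Added example: network IOC triage over ANY.RUN HTTP and connection rows.

Not ANY.RUN code and not the ET rule bodies; the rule names, the "usual port"
set and the /24 pivot are this example's own choices.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed from the HTTP requests and Connections tables above:
# (pid, process, method, url); None where the report shows no PID.
HTTP_ROWS = [
    (5900, "RUXIMICS.exe", "GET", "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (None, None, "GET", "https://keywordshitter.com/"),
    (4772, "explorer.exe", "POST", "http://185.156.72.89/nzcwzue/pqrfxn.php"),
    (4104, "systmdrv.exe", "GET", "http://185.156.72.8/1.exe"),
    (None, None, "POST", "https://login.live.com/RST2.srf"),
]
# (pid, process, ip, port, domain-or-None)
CONNECTIONS = [
    (6612, "sdgfxcvxc.exe", "185.156.72.89", 27015, None),
    (4644, "svchost.exe", "20.190.160.128", 443, "login.live.com"),
    (4, "System", "192.168.100.255", 137, None),
]

COMMON_PORTS = {80, 443, 53, 8080, 8443}        # assumption: what counts as "usual"
SINGLE_CHAR_EXE = re.compile(r"^/[A-Za-z0-9]\.exe$", re.IGNORECASE)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def http_findings(rows):
    """(pid, process, rule, url) for every heuristic a request trips."""
    out = []
    for pid, proc, method, url in rows:
        u = urlparse(url)
        host, path = u.hostname or "", u.path
        ip_host = is_ip_literal(host)
        if ip_host and path.lower().endswith(".exe"):
            out.append((pid, proc, "exe-download-from-dotted-quad", url))
        if SINGLE_CHAR_EXE.match(path):
            out.append((pid, proc, "single-char-exe-download", url))
        if ip_host and method == "POST" and path.lower().endswith(".php"):
            out.append((pid, proc, "post-to-dotted-quad-php", url))
    return out


def connection_findings(conns):
    """Flag public-IP connections with no hostname on a non-standard port."""
    out = []
    for pid, proc, ip, port, domain in conns:
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_multicast:
            continue                      # LAN broadcast such as 192.168.100.255:137
        if domain is None and port not in COMMON_PORTS:
            out.append((pid, proc, "unusual-port-no-hostname", f"{ip}:{port}"))
    return out


def pivot_groups(findings, prefix=24):
    """Group flagged IP-literal hosts by /prefix to expose shared infrastructure."""
    groups = {}
    for _pid, _proc, _rule, indicator in findings:
        if "://" in indicator:
            host = urlparse(indicator).hostname
        else:
            host = indicator.rsplit(":", 1)[0]
        if host and is_ip_literal(host):
            net = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
            groups.setdefault(str(net), set()).add(host)
    return groups


if __name__ == "__main__":
    hits = http_findings(HTTP_ROWS) + connection_findings(CONNECTIONS)
    for pid, proc, rule, indicator in hits:
        print(f"{pid} {proc}: {rule} {indicator}")
    for net, hosts in pivot_groups(hits).items():
        print(f"{net}: {sorted(hosts)}")
```

The heuristics deliberately ignore the Microsoft and keywordshitter.com traffic, which is what the report whitelists; the /24 grouping is a pivot for further hunting, not a verdict, since unrelated tenants can share a provider range.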