File name: 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe

Full analysis: https://app.any.run/tasks/a6143e49-8059-4ee6-828e-c05cbe693c52
Verdict: Malicious activity
Analysis date: October 03, 2025, 16:33:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: m0yv
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 10 sections
MD5: 5DF6E476E5C3BB294A746EC082FC8477
SHA1: CC7E1A73D536C105631D62DA5E548CF2506DF5A1
SHA256: 2DC11639ACE6FEF6CB67214381FA5BD0C52651E0A31B8E1D1CB07BFB6A12D26D
SSDEEP: 98304:mca5XKeS+XyrBqP2Kh5fQJyozGkBMyiS3BhuskZAeYzRRap4apj3YQCsU/Jb6h/2:NxDED5Cq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • M0YV mutex has been found

      • 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe (PID: 2572)
    • Connects to the CnC server

      • svchost.exe (PID: 2428)
    • M0YV has been detected (SURICATA)

      • svchost.exe (PID: 2428)
    • M0YV has been detected (YARA)

      • 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe (PID: 2572)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe (PID: 2572)
    • Process drops legitimate windows executable

      • 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe (PID: 2572)
    • Executable content was dropped or overwritten

      • 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe (PID: 2572)
    • There is functionality for taking screenshot (YARA)

      • 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe (PID: 2572)
  • INFO

    • The sample was compiled with English language support

      • 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe (PID: 2572)
    • Creates files or folders in the user directory

      • 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe (PID: 2572)
      • BackgroundTransferHost.exe (PID: 8112)
    • Reads the computer name

      • 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe (PID: 2572)
    • Checks supported languages

      • 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe (PID: 2572)
    • Checks proxy server information

      • 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe (PID: 2572)
      • slui.exe (PID: 8116)
      • BackgroundTransferHost.exe (PID: 8112)
    • Reads the machine GUID from the registry

      • 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe (PID: 2572)
    • Reads the software policy settings

      • 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe (PID: 2572)
      • BackgroundTransferHost.exe (PID: 8112)
      • slui.exe (PID: 8116)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 2168)
      • BackgroundTransferHost.exe (PID: 764)
      • BackgroundTransferHost.exe (PID: 8112)
      • BackgroundTransferHost.exe (PID: 6904)
      • BackgroundTransferHost.exe (PID: 2896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2017:07:16 15:47:48+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 8512000
InitializedDataSize: 4502528
UninitializedDataSize: -
EntryPoint: 0x76cc94
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 1.7.13.0
ProductVersionNumber: 1.7.13.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Based on the original Media Player Classic v6.4.9.0 © Gabest
CompanyName: MPC-HC Team
FileDescription: MPC-HC
FileVersion: 1.7.13 (e37826845)
InternalName: mpc-hc
LegalCopyright: Copyright © 2002-2017 all contributors, see Authors.txt
OriginalFileName: mpc-hc64.exe
ProductName: MPC-HC
ProductVersion: 1.7.13 (e37826845)
No data.
All screenshots are available in the full report
Total processes: 176
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 0


Process information

PID
CMD
Path
Indicators
Parent process
PID: 756
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: svchost.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 764
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Download/Upload Host
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 2168
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Download/Upload Host
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 2428
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2572
CMD: "C:\Users\admin\Desktop\2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe"
Path: C:\Users\admin\Desktop\2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Parent process: explorer.exe
User: admin
Company: MPC-HC Team
Integrity Level: MEDIUM
Description: MPC-HC
Version: 1.7.13 (e37826845)
Modules
Images
c:\users\admin\desktop\2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\uxtheme.dll
PID: 2896
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Download/Upload Host
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 4472
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x125c460,0x125c46c,0x125c478
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: updater.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 6904
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Download/Upload Host
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 8112
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Download/Upload Host
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 8116
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 13 170
Read events: 13 142
Write events: 26
Delete events: 2

Modification events

Process: (2572) 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Key: HKEY_CURRENT_USER\SOFTWARE\MPC-HC\MPC-HC
Operation: write
Name: ExePath
Value: C:\Users\admin\Desktop\2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe

Process: (2572) 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Key: HKEY_CURRENT_USER\SOFTWARE\MPC-HC\MPC-HC\Settings
Operation: write
Name: AudioBoost
Value: 0

Process: (2572) 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Key: HKEY_CURRENT_USER\SOFTWARE\MPC-HC\MPC-HC\Filters\0000
Operation: delete key
Name: (default)
Value:

Process: (2572) 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Key: HKEY_CURRENT_USER\SOFTWARE\MPC-HC\MPC-HC\Internal Filters
Operation: write
Name: TRA_WMV
Value: 0

Process: (2572) 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Key: HKEY_CURRENT_USER\SOFTWARE\MPC-HC\MPC-HC\Settings\FullscreenAutoChangeMode
Operation: write
Name: Enable
Value: 0

Process: (2572) 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Key: HKEY_CURRENT_USER\SOFTWARE\MPC-HC\MPC-HC\Settings\FullscreenAutoChangeMode
Operation: write
Name: ApplyDefaultModeAtFSExit
Value: 1

Process: (2572) 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Key: HKEY_CURRENT_USER\SOFTWARE\MPC-HC\MPC-HC\Settings\FullscreenAutoChangeMode
Operation: write
Name: RestoreResAfterExit
Value: 1

Process: (2572) 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Key: HKEY_CURRENT_USER\SOFTWARE\MPC-HC\MPC-HC\Settings\FullscreenAutoChangeMode
Operation: write
Name: Delay
Value: 0

Process: (2572) 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Key: HKEY_CURRENT_USER\SOFTWARE\MPC-HC\MPC-HC\Settings
Operation: write
Name: DisableSubtitleAnimation
Value: 0

Process: (2572) 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Key: HKEY_CURRENT_USER\SOFTWARE\MPC-HC\MPC-HC\Settings
Operation: write
Name: SubtitleRenderer
Value: 0
Executable files: 7
Suspicious files: 4
Text files: 1
Unknown types: 0

Dropped files

PID: 8112
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\ec74e570-1422-4449-a9c5-149b406500a2.down_data
MD5:
SHA256:

PID: 2572
Process: 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Type: executable
MD5: 09A08AE45BDA5DD429B73A50278BC9A4
SHA256: FF6993BFAFB0E7A9AA6590E562FFEC3CAD3D9D318A0C25941A32B393371A8623

PID: 2572
Process: 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Filename: C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin
Type: binary
MD5: B5823C8189DC2CD2CCF80DEEB546FAD7
SHA256: 346B34156446538EFF0A1205DB161A96C518F44251D1F25435351616AD30F9E8

PID: 2572
Process: 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Type: executable
MD5: 71F549CC39C9FD8680E8D09DD61A05FE
SHA256: 616AAB87A8C92262B5C51FCF4B73B99885F297573ED7B0B6E4A52E17EA5759D8

PID: 8112
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\32753cc3-5bda-40b5-909c-4e40d48ecefc.590d37f7-af17-4eb7-bbaf-1286e40eed40.down_meta
Type: binary
MD5: 8730A8DA71D490CD5447761FAF866A98
SHA256: 3686F0CC9CBCF83D90055399A75FA05FFD236CA7C6E652A1DCC58D72B3DCB62E

PID: 2572
Process: 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Type: executable
MD5: 91D84038C6F2C9773F889453F32E1E09
SHA256: A6608F14A44072AA2D9872D83C9C2DFA5C0FC7F39AFC9C795BD3ABAF47368C56

PID: 2572
Process: 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Type: executable
MD5: CD5D11621EC5F1A5E725854C371B902E
SHA256: 6922DD702872936C46253042C827935CAD7727CD71C43ACBACC2AF3DB89147E9

PID: 2572
Process: 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Type: executable
MD5: E8741970874CD665CC0E613DB6D8D3EF
SHA256: 6CCD3F3189F6DCC52E121CE2C36189F7BF912C33A7876B946B3E620B8C925360

PID: 2572
Process: 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe
Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Type: executable
MD5: 9AC6786FD4B49C7F0BE92E20E9F8B536
SHA256: 8838B6C00962EEABB7EE0C9C28E8E9819767D27791F12C312365658C8EE59A9A

PID: 8112
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\ec74e570-1422-4449-a9c5-149b406500a2.590d37f7-af17-4eb7-bbaf-1286e40eed40.down_meta
Type: binary
MD5: 8730A8DA71D490CD5447761FAF866A98
SHA256: 3686F0CC9CBCF83D90055399A75FA05FFD236CA7C6E652A1DCC58D72B3DCB62E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 77
TCP/UDP connections: 88
DNS requests: 59
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2572 | 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe | POST | 200 | 44.244.22.128:80 | http://pywolwnvd.biz/nenuyleppkki | US | - | - | malicious
2572 | 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe | POST | 200 | 50.16.27.236:80 | http://ssbzmoy.biz/hwlqwbftgvrkak | US | - | - | unknown
2572 | 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe | POST | 200 | 3.229.117.57:80 | http://npukfztj.biz/rihhvtywasgvwwl | US | - | - | malicious
2572 | 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe | POST | 200 | 172.233.219.78:80 | http://przvgke.biz/kx | US | binary | 4.31 Kb | unknown
2572 | 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe | POST | 200 | 172.233.219.78:80 | http://przvgke.biz/tyypreyemrxuuyiu | US | binary | 4.35 Kb | unknown
2572 | 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe | POST | 200 | 50.16.27.236:80 | http://knjghuig.biz/uadrofarmwcaciu | US | - | - | malicious
2572 | 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe | POST | 302 | 192.64.119.165:80 | http://anpmnmxo.biz/v | US | - | - | unknown
2572 | 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe | GET | 403 | 91.195.240.19:80 | http://www.anpmnmxo.biz/v | DE | html | 93 b | unknown
2572 | 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe | POST | 302 | 192.64.119.165:80 | http://anpmnmxo.biz/x | US | - | - | unknown
- | - | GET | 200 | 172.66.132.235:443 | https://mpc-hc.org/version.txt | US | text | 8 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2168 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6016 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 95.100.100.130:443 | www.bing.com | Akamai International B.V. | PT | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2572 | 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe | 44.244.22.128:80 | pywolwnvd.biz | AMAZON-02 | US | malicious
6016 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2572 | 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe | 50.16.27.236:80 | ssbzmoy.biz | AMAZON-AES | US | malicious
5948 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2572 | 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe | 3.229.117.57:80 | npukfztj.biz | AMAZON-AES | US | malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
www.bing.com
  • 95.100.100.130
  • 95.100.100.113
  • 95.100.100.129
  • 95.100.100.121
  • 95.100.100.114
whitelisted
google.com
  • 216.58.206.46
whitelisted
pywolwnvd.biz
  • 44.244.22.128
malicious
ssbzmoy.biz
  • 50.16.27.236
unknown
cvgrf.biz
  • 44.244.22.128
malicious
npukfztj.biz
  • 3.229.117.57
malicious
przvgke.biz
  • 172.233.219.78
  • 172.237.146.8
  • 172.233.219.49
  • 172.233.219.123
  • 172.237.146.38
  • 172.237.146.25
unknown
zlenh.biz
unknown
knjghuig.biz
  • 50.16.27.236
malicious

Threats

PID | Process | Class | Message
2428 | svchost.exe | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
2428 | svchost.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/m0yv CnC related domain (zlenh .biz)
2572 | 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe | Misc activity | ET INFO Namecheap URL Forward
2572 | 2dc11639ace6fef6cb67214381fa5bd0c52651e0a31b8e1d1cb07bfb6a12d26d.exe | Misc activity | ET INFO Namecheap URL Forward
- | - | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
No debug info