File name:

3O6NF.exe

Full analysis: https://app.any.run/tasks/c679d5d3-c12c-46a3-b8c6-a05b5ad6c97f
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: May 18, 2025, 18:25:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-sch
auto-reg
backdoor
bdaejec
evasion
telegram
remote
xworm
crypto-regex
ims-api
generic
aspack
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 5 sections
MD5:

4D5DA271332C16C1A3C53B8693E956F1

SHA1:

AA1E3ECE9FD6A857B68CF19165B9B7B7E8759312

SHA256:

32A198E52F47CC9BAAEFE25AA44A9ACD056BFC9B7A5E1F21B0D51C74BEEEF7BE

SSDEEP:

12288:+ttnjIGbCbLmRxLvvdGNFitYDn/DB6fskFarHEmKSsgyzEHnoOi:+ttjIGbCbLmRxrvdG+eDn/DB6fskFary

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to autorun other applications

      • 3O6NF.exe (PID: 8000)

    • Changes Windows Defender settings

      • 3O6NF.exe (PID: 8000)
      • x69.exe (PID: 4164)
      • cmd.exe (PID: 5988)

    • Changes powershell execution policy (Bypass)

      • 3O6NF.exe (PID: 8000)
      • x69.exe (PID: 4164)

    • Known privilege escalation attack

      • dllhost.exe (PID: 7832)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 8068)
      • powershell.exe (PID: 6800)
      • powershell.exe (PID: 2800)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 7912)
      • powershell.exe (PID: 1276)

    • Adds path to the Windows Defender exclusion list

      • 3O6NF.exe (PID: 8000)
      • x69.exe (PID: 4164)

    • Changes the autorun value in the registry

      • 3O6NF.exe (PID: 8000)

    • BDAEJEC has been detected

      • iyMbXS.exe (PID: 7184)
      • izTLZKj.exe (PID: 7364)

    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 632)

    • Changes settings for real-time protection

      • powershell.exe (PID: 1388)

    • Adds process to the Windows Defender exclusion list

      • x69.exe (PID: 4164)

    • Uses Task Scheduler to run other applications

      • x69.exe (PID: 4164)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 2616)

    • XWORM has been detected (YARA)

      • x69.exe (PID: 4164)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 8176)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 5428)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 7936)

    • XWORM has been detected (SURICATA)

      • x69.exe (PID: 4164)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 7672)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 3O6NF.exe (PID: 7592)
      • 3O6NF.exe (PID: 8000)
      • iyMbXS.exe (PID: 7184)
      • izTLZKj.exe (PID: 7364)
      • x69Disable-winDefender.exe (PID: 7300)
      • x69.exe (PID: 4164)

    • Reads the date of Windows installation

      • 3O6NF.exe (PID: 7592)
      • 3O6NF.exe (PID: 8000)
      • x69.exe (PID: 4164)

    • Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

      • 3O6NF.exe (PID: 7592)

    • Starts POWERSHELL.EXE for commands execution

      • 3O6NF.exe (PID: 8000)
      • x69.exe (PID: 4164)
      • cmd.exe (PID: 5988)

    • Executable content was dropped or overwritten

      • 3O6NF.exe (PID: 8000)
      • Install.exe (PID: 6988)
      • x69Disable-winDefender.exe (PID: 7300)
      • iyMbXS.exe (PID: 7184)

    • Script adds exclusion path to Windows Defender

      • 3O6NF.exe (PID: 8000)
      • x69.exe (PID: 4164)

    • Invokes assembly entry point (POWERSHELL)

      • powershell.exe (PID: 6540)

    • The process executes via Task Scheduler

      • powershell.exe (PID: 6540)
      • x69.exe (PID: 7756)
      • x69.exe (PID: 856)

    • Connects to unusual port

      • iyMbXS.exe (PID: 7184)
      • izTLZKj.exe (PID: 7364)
      • x69.exe (PID: 4164)

    • Found strings related to reading or modifying Windows Defender settings

      • x69Disable-winDefender.exe (PID: 7300)

    • Executing commands from a ".bat" file

      • x69Disable-winDefender.exe (PID: 7300)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • x69.exe (PID: 4164)

    • Uses TASKKILL.EXE to kill process

      • mshta.exe (PID: 7484)

    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 7484)

    • Starts CMD.EXE for commands execution

      • x69Disable-winDefender.exe (PID: 7300)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 5988)

    • Script adds exclusion process to Windows Defender

      • x69.exe (PID: 4164)

    • Script disables Windows Defender's behavior monitoring

      • cmd.exe (PID: 5988)

    • Found regular expressions for crypto-addresses (YARA)

      • x69.exe (PID: 4164)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • x69.exe (PID: 4164)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • x69.exe (PID: 4164)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 5988)

    • Executes application which crashes

      • powershell.exe (PID: 6228)

    • Contacting a server suspected of hosting an CnC

      • x69.exe (PID: 4164)

    • Uses REG/REGEDIT.EXE to modify registry

      • powershell.exe (PID: 5728)
      • cmd.exe (PID: 5988)

    • Modifies existing scheduled task

      • schtasks.exe (PID: 1760)
      • schtasks.exe (PID: 7732)
      • schtasks.exe (PID: 7804)
      • schtasks.exe (PID: 7916)
      • schtasks.exe (PID: 7508)

    • Uses NETSH.EXE to change the status of the firewall

      • powershell.exe (PID: 6592)

  • INFO

    • Checks supported languages

      • 3O6NF.exe (PID: 7592)
      • 3O6NF.exe (PID: 8000)
      • Install.exe (PID: 6988)
      • x69.exe (PID: 660)
      • iyMbXS.exe (PID: 7184)
      • x69.exe (PID: 4164)
      • izTLZKj.exe (PID: 7364)
      • x69Disable-winDefender.exe (PID: 7300)
      • MpCmdRun.exe (PID: 632)

    • Process checks computer location settings

      • 3O6NF.exe (PID: 7592)
      • 3O6NF.exe (PID: 8000)
      • x69Disable-winDefender.exe (PID: 7300)
      • x69.exe (PID: 4164)

    • Reads the computer name

      • 3O6NF.exe (PID: 7592)
      • 3O6NF.exe (PID: 8000)
      • x69.exe (PID: 4164)
      • iyMbXS.exe (PID: 7184)
      • Install.exe (PID: 6988)
      • izTLZKj.exe (PID: 7364)
      • x69Disable-winDefender.exe (PID: 7300)
      • x69.exe (PID: 660)
      • MpCmdRun.exe (PID: 632)

    • Reads the machine GUID from the registry

      • 3O6NF.exe (PID: 7592)
      • 3O6NF.exe (PID: 8000)
      • x69.exe (PID: 4164)
      • Install.exe (PID: 6988)
      • x69.exe (PID: 660)

    • Disables trace logs

      • cmstp.exe (PID: 7716)
      • x69.exe (PID: 4164)

    • Checks transactions between databases Windows and Oracle

      • cmstp.exe (PID: 7716)

    • Creates files or folders in the user directory

      • 3O6NF.exe (PID: 8000)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 8068)
      • powershell.exe (PID: 6800)
      • powershell.exe (PID: 2800)
      • powershell.exe (PID: 6824)
      • powershell.exe (PID: 1388)
      • powershell.exe (PID: 2320)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8068)
      • powershell.exe (PID: 6800)
      • powershell.exe (PID: 2800)
      • powershell.exe (PID: 1388)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6824)

    • Auto-launch of the file from Registry key

      • 3O6NF.exe (PID: 8000)

    • Create files in a temporary directory

      • Install.exe (PID: 6988)
      • 3O6NF.exe (PID: 8000)
      • x69Disable-winDefender.exe (PID: 7300)
      • MpCmdRun.exe (PID: 632)

    • Checks proxy server information

      • iyMbXS.exe (PID: 7184)
      • izTLZKj.exe (PID: 7364)
      • x69.exe (PID: 4164)

    • Manual execution by a user

      • x69.exe (PID: 660)
      • x69Disable-winDefender.exe (PID: 7756)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 6540)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 7484)

    • Reads Environment values

      • x69.exe (PID: 4164)

    • Creates files in the program directory

      • dllhost.exe (PID: 7832)

    • Aspack has been detected

      • x69Disable-winDefender.exe (PID: 7300)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(4164) x69.exe
C2grayhatfuckscammer.ddns.net:1177
Keys
AES<123422122>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.6
MutexR4xNwrMdDFYsqDLe

ims-api

(PID) Process(4164) x69.exe
Telegram-Tokens (1)7717722960:AAFHZ9Cq4AyHmOVROQ_YIdw30ueBie2k3H0
Telegram-Info-Links
7717722960:AAFHZ9Cq4AyHmOVROQ_YIdw30ueBie2k3H0
Get info about bothttps://api.telegram.org/bot7717722960:AAFHZ9Cq4AyHmOVROQ_YIdw30ueBie2k3H0/getMe
Get incoming updateshttps://api.telegram.org/bot7717722960:AAFHZ9Cq4AyHmOVROQ_YIdw30ueBie2k3H0/getUpdates
Get webhookhttps://api.telegram.org/bot7717722960:AAFHZ9Cq4AyHmOVROQ_YIdw30ueBie2k3H0/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7717722960:AAFHZ9Cq4AyHmOVROQ_YIdw30ueBie2k3H0/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7717722960:AAFHZ9Cq4AyHmOVROQ_YIdw30ueBie2k3H0/deleteWebhook?drop_pending_updates=true
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:18 16:48:24+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 46080
InitializedDataSize: 308736
UninitializedDataSize: -
EntryPoint: 0x5e00a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: x69ss.exe
LegalCopyright:
OriginalFileName: x69ss.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
223
Monitored processes
92
Malicious processes
8
Suspicious processes
10

Behavior graph

Click at the process to see the details
start 3o6nf.exe no specs cmstp.exe no specs CMSTPLUA 3o6nf.exe powershell.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs #XWORM x69.exe install.exe powershell.exe no specs conhost.exe no specs iymbxs.exe powershell.exe no specs conhost.exe no specs x69.exe no specs schtasks.exe no specs conhost.exe no specs x69disable-windefender.exe mshta.exe no specs iztlzkj.exe x69disable-windefender.exe no specs cmd.exe no specs taskkill.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs mpcmdrun.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs schtasks.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs x69.exe no specs powershell.exe no specs slui.exe powershell.exe no specs reg.exe no specs powershell.exe werfault.exe no specs powershell.exe no specs netsh.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs x69.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
632"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $trueC:\Program Files\Windows Defender\MpCmdRun.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
0
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
660C:\Users\admin\AppData\Roaming\x69.exeC:\Users\admin\AppData\Roaming\x69.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\x69.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
672reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
856"C:\Users\admin\AppData\Roaming\x69.exe"C:\Users\admin\AppData\Roaming\x69.exesvchost.exe
User:
admin
Integrity Level:
HIGH
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\x69.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\pdh.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
1276"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming\x69.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exex69.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1388powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1672powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
1760\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1760schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /DisableC:\Windows\System32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1764"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69" /SC ONLOGON /TR "C:\Users\admin\AppData\Roaming\x69.exe" /RL HIGHESTC:\Windows\System32\schtasks.exe3O6NF.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
139 154
Read events
139 068
Write events
75
Delete events
11

Modification events

(PID) Process:(7716) cmstp.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7716) cmstp.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7716) cmstp.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(7716) cmstp.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:writeName:FileTracingMask
Value:
(PID) Process:(7716) cmstp.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(7716) cmstp.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(7716) cmstp.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(7716) cmstp.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Network Connections
Operation:writeName:DesktopShortcut
Value:
0
(PID) Process:(7832) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
Operation:writeName:SM_AccessoriesName
Value:
Accessories
(PID) Process:(7832) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
Operation:writeName:PF_AccessoriesName
Value:
Accessories
Executable files
7
Suspicious files
7
Text files
50
Unknown types
0

Dropped files

PID
Process
Filename
Type
80003O6NF.exeC:\Users\admin\AppData\Roaming\x69Disable-winDefender.exeexecutable
MD5:22D6B7AB5C8A05162D36D2981B715C28
SHA256:3C5D72ABE1568EA0B2240A962FBEC40308E8C1B617DE16DA8A210DFA40913F7C
8068powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_t1nc4kwx.yiu.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6540powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_f4e1fblr.orz.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6800powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xbfoxetb.tfc.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8068powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:2E6FC9A75C017892EE1A30DFC07B111C
SHA256:E236E40D2B3F7E883515038E0E2CF0A0CA3558485296CDB0818618C6C10F10AE
6540powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_upzkmu0h.sja.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
80003O6NF.exeC:\Users\admin\AppData\Local\Temp\Install.exeexecutable
MD5:B89953DA384C6A80B03E5B3ABECE33C9
SHA256:0A2ADCDE049C859C6348047C85AC9206E0BE5EC335B6D6E411A8FEC90FB71E9B
6988Install.exeC:\Users\admin\AppData\Local\Temp\iyMbXS.exeexecutable
MD5:56B2C3810DBA2E939A8BB9FA36D3CF96
SHA256:4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
6800powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bdpb3iar.cdq.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7300x69Disable-winDefender.exeC:\Users\admin\AppData\Local\Temp\3C6.tmp\3C7.tmp\3C8.battext
MD5:2DF9441936169E60A9631BF730CD4273
SHA256:24AB289FE2D2DD6E86D9862BF5DAC0F6C78ACC444EB083152B3EAF84E041F95E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
33
DNS requests
10
Threats
19

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7184
iyMbXS.exe
GET
502
3.229.117.57:799
http://ddos.dnsnb8.net:799/cj//k1.rar
unknown
malicious
7184
iyMbXS.exe
GET
502
3.229.117.57:799
http://ddos.dnsnb8.net:799/cj//k1.rar
unknown
malicious
2104
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7184
iyMbXS.exe
GET
502
3.229.117.57:799
http://ddos.dnsnb8.net:799/cj//k1.rar
unknown
malicious
7184
iyMbXS.exe
GET
502
3.229.117.57:799
http://ddos.dnsnb8.net:799/cj//k1.rar
unknown
malicious
7184
iyMbXS.exe
GET
3.229.117.57:799
http://ddos.dnsnb8.net:799/cj//k1.rar
unknown
malicious
7364
izTLZKj.exe
GET
3.229.117.57:799
http://ddos.dnsnb8.net:799/cj//k1.rar
unknown
malicious
4164
x69.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
whitelisted
7364
izTLZKj.exe
GET
3.229.117.57:799
http://ddos.dnsnb8.net:799/cj//k1.rar
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4628
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
2104
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7184
iyMbXS.exe
3.229.117.57:799
ddos.dnsnb8.net
AMAZON-AES
US
malicious
7364
izTLZKj.exe
3.229.117.57:799
ddos.dnsnb8.net
AMAZON-AES
US
malicious

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
ddos.dnsnb8.net
  • 3.229.117.57
malicious
ip-api.com
  • 208.95.112.1
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
grayhatfuckscammer.ddns.net
  • 197.162.226.7
malicious
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
SUSPICIOUS [ANY.RUN] Domain previously seen in multiple payload deliveries (ddos .dnsnb8 .net)
7184
iyMbXS.exe
A Network Trojan was detected
BACKDOOR [ANY.RUN] Bdaejec Backdoor (download .rar)
7184
iyMbXS.exe
A Network Trojan was detected
BACKDOOR [ANY.RUN] Bdaejec Backdoor (download .rar)
7184
iyMbXS.exe
A Network Trojan was detected
BACKDOOR [ANY.RUN] Bdaejec Backdoor (download .rar)
7184
iyMbXS.exe
A Network Trojan was detected
BACKDOOR [ANY.RUN] Bdaejec Backdoor (download .rar)
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
4164
x69.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
4164
x69.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
2196
svchost.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
3O6NF.exe