File name: Spreaderr.exe

Full analysis: https://app.any.run/tasks/8e1407df-a5ae-444a-abac-d9dec1017ada
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 15, 2025, 22:47:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: ransomware, python, loader, clipper, diamotrix
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: C43A6A34C03876E4AF1E5ED7AA765209
SHA1: 0D9195C095274050CCE9F43BF25E1334C4861FCE
SHA256: 40A852133AD5E7A078D3429BF91A09E16A0B4845FD2328F7FE45E0F16B1ED264
SSDEEP: 3072:RDlNLyjRALW0gGCr7kffvhJ0ZDAHEio6aO:7AKLW0hCr7kx7BaO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • DfIl1.exe (PID: 2604)
      • DfIl1.exe (PID: 6260)
      • DfIl1.exe (PID: 7132)
    • Registers / Runs the DLL via REGSVR32.EXE

      • DfIl1.exe (PID: 2604)
      • DfIl1.exe (PID: 7132)
    • Changes the autorun value in the registry

      • DfIl3.exe (PID: 3964)
    • RANSOMWARE has been detected

      • Spreaderr.exe (PID: 2080)
    • Loads dropped or rewritten executable

      • conhost.exe (PID: 2216)
      • powershell.exe (PID: 3820)
      • regsvr32.exe (PID: 3936)
      • DfIl2.exe (PID: 6980)
      • DfIl2.exe (PID: 5188)
      • WmiPrvSE.exe (PID: 2632)
      • conhost.exe (PID: 6400)
      • powershell.exe (PID: 7008)
      • conhost.exe (PID: 5252)
      • WaaSMedicAgent.exe (PID: 3780)
      • MusNotificationUx.exe (PID: 5560)
      • svchost.exe (PID: 4860)
      • RUXIMICS.exe (PID: 5080)
      • MusNotifyIcon.exe (PID: 6368)
      • regsvr32.exe (PID: 3476)
      • conhost.exe (PID: 5548)
      • SIHClient.exe (PID: 5020)
      • powershell.exe (PID: 1932)
      • DfIl2.exe (PID: 4824)
      • DfIl2.exe (PID: 5552)
      • consent.exe (PID: 6868)
      • Taskmgr.exe (PID: 3580)
      • rundll32.exe (PID: 7060)
    • Runs injected code in another process

      • regsvr32.exe (PID: 3936)
    • Application was injected by another process

      • explorer.exe (PID: 4772)
    • DIAMOTRIX has been detected (SURICATA)

      • explorer.exe (PID: 4772)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Spreaderr.exe (PID: 2080)
      • DfIl3.exe (PID: 3964)
      • rdsrb.exe (PID: 3752)
      • Spreaderr.exe (PID: 6380)
    • Process drops legitimate windows executable

      • Spreaderr.exe (PID: 2080)
      • DfIl2.exe (PID: 6980)
      • Spreaderr.exe (PID: 6380)
      • DfIl2.exe (PID: 4824)
    • Starts a Microsoft application from unusual location

      • DfIl1.exe (PID: 2076)
      • DfIl1.exe (PID: 2604)
      • DfIl1.exe (PID: 6260)
      • DfIl1.exe (PID: 7132)
    • Application launched itself

      • DfIl1.exe (PID: 2076)
      • DfIl2.exe (PID: 6980)
      • DfIl1.exe (PID: 6260)
      • DfIl2.exe (PID: 4824)
    • Executable content was dropped or overwritten

      • DfIl1.exe (PID: 2604)
      • Spreaderr.exe (PID: 2080)
      • DfIl3.exe (PID: 3964)
      • DfIl2.exe (PID: 6980)
      • Spreaderr.exe (PID: 6380)
      • DfIl2.exe (PID: 4824)
    • Starts POWERSHELL.EXE for commands execution

      • regsvr32.exe (PID: 3936)
      • regsvr32.exe (PID: 3476)
    • Creates file in the systems drive root

      • Spreaderr.exe (PID: 2080)
      • Spreaderr.exe (PID: 6380)
    • Process drops python dynamic module

      • DfIl2.exe (PID: 6980)
      • DfIl2.exe (PID: 4824)
    • Potential Corporate Privacy Violation

      • Spreaderr.exe (PID: 2080)
      • Spreaderr.exe (PID: 6380)
    • Starts itself from another location

      • DfIl3.exe (PID: 3964)
    • Loads Python modules

      • DfIl2.exe (PID: 5188)
      • DfIl2.exe (PID: 5552)
    • Connects to the server without a host name

      • rdsrb.exe (PID: 3752)
      • explorer.exe (PID: 4772)
      • Spreaderr.exe (PID: 6380)
    • The process drops C-runtime libraries

      • DfIl2.exe (PID: 6980)
      • DfIl2.exe (PID: 4824)
    • The process bypasses the loading of PowerShell profile settings

      • regsvr32.exe (PID: 3936)
    • The process hides an interactive prompt from the user

      • regsvr32.exe (PID: 3936)
    • Process requests binary or script from the Internet

      • Spreaderr.exe (PID: 6380)
  • INFO

    • The sample was compiled with English language support

      • Spreaderr.exe (PID: 2080)
      • DfIl2.exe (PID: 6980)
      • Spreaderr.exe (PID: 6380)
      • DfIl2.exe (PID: 4824)
    • Checks proxy server information

      • Spreaderr.exe (PID: 2080)
      • rdsrb.exe (PID: 3752)
      • explorer.exe (PID: 4772)
      • Spreaderr.exe (PID: 6380)
    • Checks supported languages

      • Spreaderr.exe (PID: 2080)
      • DfIl1.exe (PID: 2076)
      • DfIl1.exe (PID: 2604)
      • DfIl2.exe (PID: 6980)
      • DfIl3.exe (PID: 3964)
      • DfIl2.exe (PID: 5188)
      • rdsrb.exe (PID: 3752)
      • RUXIMICS.exe (PID: 5080)
      • DfIl1.exe (PID: 6260)
      • Spreaderr.exe (PID: 6380)
      • DfIl1.exe (PID: 7132)
      • DfIl2.exe (PID: 4824)
      • DfIl3.exe (PID: 3952)
      • DfIl2.exe (PID: 5552)
    • Reads the computer name

      • Spreaderr.exe (PID: 2080)
      • DfIl2.exe (PID: 6980)
      • DfIl3.exe (PID: 3964)
      • rdsrb.exe (PID: 3752)
      • Spreaderr.exe (PID: 6380)
      • DfIl2.exe (PID: 4824)
      • DfIl3.exe (PID: 3952)
    • Creates files in a temporary directory

      • DfIl1.exe (PID: 2076)
      • DfIl1.exe (PID: 2604)
      • Spreaderr.exe (PID: 2080)
      • DfIl2.exe (PID: 6980)
      • DfIl1.exe (PID: 6260)
      • Spreaderr.exe (PID: 6380)
      • DfIl1.exe (PID: 7132)
      • DfIl2.exe (PID: 4824)
    • Creates files or folders in the user directory

      • DfIl1.exe (PID: 2604)
      • Spreaderr.exe (PID: 2080)
      • explorer.exe (PID: 4772)
      • Spreaderr.exe (PID: 6380)
    • Reads the machine GUID from the registry

      • DfIl3.exe (PID: 3964)
      • DfIl2.exe (PID: 5188)
      • DfIl2.exe (PID: 5552)
    • Creates files in the program directory

      • DfIl3.exe (PID: 3964)
      • MusNotificationUx.exe (PID: 5560)
      • RUXIMICS.exe (PID: 5080)
      • MusNotifyIcon.exe (PID: 6368)
    • Process checks computer location settings

      • DfIl3.exe (PID: 3964)
    • Launching a file from a Registry key

      • DfIl3.exe (PID: 3964)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4772)
      • Taskmgr.exe (PID: 3580)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3820)
      • powershell.exe (PID: 7008)
      • powershell.exe (PID: 1932)
    • Reads the software policy settings

      • WaaSMedicAgent.exe (PID: 3780)
      • SIHClient.exe (PID: 5020)
      • consent.exe (PID: 6868)
    • Reads the time zone

      • MusNotificationUx.exe (PID: 5560)
      • MusNotifyIcon.exe (PID: 6368)
      • WmiPrvSE.exe (PID: 2632)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:07:15 22:49:46+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.4
CodeSize: 52736
InitializedDataSize: 36864
UninitializedDataSize: -
EntryPoint: 0x1c64
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
Total processes: 164
Monitored processes: 38
Malicious processes: 10
Suspicious processes: 8

Behavior graph

Graph nodes, in the order listed (the tree layout itself is only in the full report): start, THREAT, spreaderr.exe, dfil1.exe (no specs), dfil1.exe, regsvr32.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), dfil2.exe, dfil3.exe, dfil2.exe (no specs), rdsrb.exe, wmiprvse.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), waasmedicagent.exe (no specs), svchost.exe (no specs), ruximics.exe (no specs), musnotificationux.exe (no specs), musnotifyicon.exe (no specs), #DIAMOTRIX explorer.exe, spreaderr.exe, dfil1.exe (no specs), dfil1.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), sihclient.exe, dfil2.exe, dfil3.exe (no specs), dfil2.exe (no specs), taskmgr.exe (no specs), consent.exe (no specs), taskmgr.exe, rundll32.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID: 1932
CMD: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:googlechromebusiness.msi \"\\?\C:\Users\admin\AppData\Local\LightBlue_2.pfx\"' }) { exit 0 } else { exit 1 }"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll

PID: 2076
CMD: "C:\Users\admin\AppData\Local\Temp\DfIl1.exe"
Path: C:\Users\admin\AppData\Local\Temp\DfIl1.exe
Parent process: Spreaderr.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: BitLocker Unlock
Exit code: 2
Version: 10.0.19041.1
Modules (images):
c:\users\admin\appdata\local\temp\dfil1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 2080
CMD: "C:\Users\admin\AppData\Local\Temp\Spreaderr.exe"
Path: C:\Users\admin\AppData\Local\Temp\Spreaderr.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\spreaderr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

PID: 2216
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2604
CMD: "C:\Users\admin\AppData\Local\Temp\DfIl1.exe" /VERYSILENT
Path: C:\Users\admin\AppData\Local\Temp\DfIl1.exe
Parent process: DfIl1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: BitLocker Unlock
Exit code: 0
Version: 10.0.19041.1
Modules (images):
c:\users\admin\appdata\local\temp\dfil1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 2632
CMD: C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: WMI Provider Host
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmiprvse.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ncobjapi.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll

PID: 2664
CMD: "C:\WINDOWS\system32\regsvr32.exe" /s /i:googlechromebusiness.msi "C:\Users\admin\AppData\Local\LightBlue_2.pfx"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: DfIl1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 3
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID: 3396
CMD: "C:\WINDOWS\system32\regsvr32.exe" /s /i:googlechromebusiness.msi "C:\Users\admin\AppData\Local\LightBlue_2.pfx"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: DfIl1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID: 3476
CMD:  /s /i:googlechromebusiness.msi "C:\Users\admin\AppData\Local\LightBlue_2.pfx"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 3580
CMD: "C:\WINDOWS\system32\taskmgr.exe" /4
Path: C:\Windows\System32\Taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Manager
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
Total events: 41 717
Read events: 41 609
Write events: 101
Delete events: 7

Modification events

(PID) Process: (2080) Spreaderr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2080) Spreaderr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2080) Spreaderr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3964) DfIl3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: {65b178c
Value: C:\ProgramData\rdsrb.exe /r

(PID) Process: (3964) DfIl3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value: 95DA766800000000

(PID) Process: (3964) DfIl3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (3752) rdsrb.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3752) rdsrb.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3752) rdsrb.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: IconLayouts
Value:
Executable files: 146
Suspicious files: 55
Text files: 7
Unknown types: 1

Dropped files

Columns: PID | Process | Filename | Type

PID 2604, DfIl1.exe: C:\Users\admin\AppData\Local\Temp\nsz4D94.tmp
  MD5:
  SHA256:

PID 2076, DfIl1.exe: C:\Users\admin\AppData\Local\Temp\nsj4D36.tmp (binary)
  MD5: 4E7BFB10BEBCD031F81BDC50FCD3E512
  SHA256: 885840411704897E5CC6B52365A582BED50F0917E2BC50A0A4722A3CB2738109

PID 6980, DfIl2.exe: C:\Users\admin\AppData\Local\Temp\_MEI69802\_ctypes.pyd (executable)
  MD5: F1E33A8F6F91C2ED93DC5049DD50D7B8
  SHA256: 9459D246DF7A3C638776305CF3683946BA8DB26A7DE90DF8B60E1BE0B27E53C4

PID 3820, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vpcsjz3z.n3r.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 3820, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4d4bbzcp.0m1.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 2080, Spreaderr.exe: C:\Users\admin\AppData\Local\Temp\DfIl2.exe (executable)
  MD5: 52B2BD58647131A84488144B751046A2
  SHA256: 9F5A5D47A2283D639C8981D9672485B801DDFDB484F155EE05D3784BD5AD41F7

PID 6980, DfIl2.exe: C:\Users\admin\AppData\Local\Temp\_MEI69802\api-ms-win-core-console-l1-1-0.dll (executable)
  MD5: B56D69079D2001C1B2AF272774B53A64
  SHA256: F3A41D882544202B2E1BDF3D955458BE11FC7F76BA12668388A681870636F143

PID 2080, Spreaderr.exe: C:\Users\admin\Desktop\Update.exe (executable)
  MD5: C43A6A34C03876E4AF1E5ED7AA765209
  SHA256: 40A852133AD5E7A078D3429BF91A09E16A0B4845FD2328F7FE45E0F16B1ED264

PID 6980, DfIl2.exe: C:\Users\admin\AppData\Local\Temp\_MEI69802\_hashlib.pyd (executable)
  MD5: A6448BC5E5DA21A222DE164823ADD45C
  SHA256: 3692FC8E70E6E29910032240080FC8109248CE9A996F0A70D69ACF1542FCA69A

PID 6980, DfIl2.exe: C:\Users\admin\AppData\Local\Temp\_MEI69802\VCRUNTIME140.dll (executable)
  MD5: 0E675D4A7A5B7CCD69013386793F68EB
  SHA256: BF5FF4603557C9959ACEC995653D052D9054AD4826DF967974EFD2F377C723D1
HTTP(S) requests: 12
TCP/UDP connections: 23
DNS requests: 15
Threats: 21

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty for every row; "-" marks a missing value)

2080 | Spreaderr.exe | GET | 200 | 176.46.157.65:80 | http://176.46.157.65/bot.exe | unknown | malicious
2080 | Spreaderr.exe | GET | - | 176.46.157.65:80 | http://176.46.157.65/zx.exe | unknown | unknown
1268 | svchost.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3752 | rdsrb.exe | POST | 200 | 176.46.157.65:80 | http://176.46.157.65/zrwyca/getdata.php | unknown | unknown
1508 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4772 | explorer.exe | POST | 200 | 176.46.157.64:80 | http://176.46.157.64/nzcwzue/pqrfxn.php | unknown | malicious
6380 | Spreaderr.exe | GET | 200 | 176.46.157.65:80 | http://176.46.157.65/bot.exe | unknown | malicious
6380 | Spreaderr.exe | GET | 200 | 176.46.157.65:80 | http://176.46.157.65/zx.exe | unknown | unknown
6380 | Spreaderr.exe | GET | 200 | 176.46.157.65:80 | http://176.46.157.65/zzz.exe | unknown | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation ("-" marks a missing value)

5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3720 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2080 | Spreaderr.exe | 176.46.157.65:80 | - | - | IR | malicious
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3752 | rdsrb.exe | 176.46.157.65:80 | - | - | IR | unknown
1268 | svchost.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 23.3.109.244:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1508 | svchost.exe | 40.126.31.1:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Columns: Domain | IP | Reputation

settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
google.com | 172.217.16.206 | whitelisted
crl.microsoft.com | 2.20.245.137, 2.20.245.139 | whitelisted
www.microsoft.com | 23.3.109.244, 23.35.229.160 | whitelisted
login.live.com | 40.126.31.1, 20.190.159.4, 40.126.31.128, 20.190.159.0, 40.126.31.71, 20.190.159.128, 40.126.31.73, 20.190.159.71 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
nexusrules.officeapps.live.com | 52.111.236.21 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.3.187.198 | whitelisted

Threats

Columns: PID | Process | Class | Message

2080 | Spreaderr.exe | A Network Trojan was detected | ET MALWARE Suspicious bot.exe Request
2080 | Spreaderr.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
2080 | Spreaderr.exe | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
2080 | Spreaderr.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
2080 | Spreaderr.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
2080 | Spreaderr.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 33
2080 | Spreaderr.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
2080 | Spreaderr.exe | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
2080 | Spreaderr.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
2080 | Spreaderr.exe | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
No debug info