File name:

Spreaderr.exe

Full analysis: https://app.any.run/tasks/8e1407df-a5ae-444a-abac-d9dec1017ada
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 15, 2025, 22:47:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
python
loader
clipper
diamotrix
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

C43A6A34C03876E4AF1E5ED7AA765209

SHA1:

0D9195C095274050CCE9F43BF25E1334C4861FCE

SHA256:

40A852133AD5E7A078D3429BF91A09E16A0B4845FD2328F7FE45E0F16B1ED264

SSDEEP:

3072:RDlNLyjRALW0gGCr7kffvhJ0ZDAHEio6aO:7AKLW0hCr7kx7BaO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • DfIl1.exe (PID: 2604)
      • DfIl1.exe (PID: 6260)
      • DfIl1.exe (PID: 7132)
    • Registers / Runs the DLL via REGSVR32.EXE

      • DfIl1.exe (PID: 2604)
      • DfIl1.exe (PID: 7132)
    • RANSOMWARE has been detected

      • Spreaderr.exe (PID: 2080)
    • Changes the autorun value in the registry

      • DfIl3.exe (PID: 3964)
    • Loads dropped or rewritten executable

      • conhost.exe (PID: 2216)
      • regsvr32.exe (PID: 3936)
      • powershell.exe (PID: 3820)
      • DfIl2.exe (PID: 6980)
      • DfIl2.exe (PID: 5188)
      • conhost.exe (PID: 6400)
      • WmiPrvSE.exe (PID: 2632)
      • powershell.exe (PID: 7008)
      • conhost.exe (PID: 5252)
      • MusNotificationUx.exe (PID: 5560)
      • svchost.exe (PID: 4860)
      • RUXIMICS.exe (PID: 5080)
      • MusNotifyIcon.exe (PID: 6368)
      • WaaSMedicAgent.exe (PID: 3780)
      • DfIl2.exe (PID: 4824)
      • conhost.exe (PID: 5548)
      • SIHClient.exe (PID: 5020)
      • powershell.exe (PID: 1932)
      • regsvr32.exe (PID: 3476)
      • DfIl2.exe (PID: 5552)
      • rundll32.exe (PID: 7060)
      • consent.exe (PID: 6868)
      • Taskmgr.exe (PID: 3580)
    • Application was injected by another process

      • explorer.exe (PID: 4772)
    • Runs injected code in another process

      • regsvr32.exe (PID: 3936)
    • DIAMOTRIX has been detected (SURICATA)

      • explorer.exe (PID: 4772)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Spreaderr.exe (PID: 2080)
      • DfIl3.exe (PID: 3964)
      • rdsrb.exe (PID: 3752)
      • Spreaderr.exe (PID: 6380)
    • Process drops legitimate windows executable

      • Spreaderr.exe (PID: 2080)
      • DfIl2.exe (PID: 6980)
      • Spreaderr.exe (PID: 6380)
      • DfIl2.exe (PID: 4824)
    • Starts a Microsoft application from unusual location

      • DfIl1.exe (PID: 2076)
      • DfIl1.exe (PID: 2604)
      • DfIl1.exe (PID: 6260)
      • DfIl1.exe (PID: 7132)
    • Application launched itself

      • DfIl1.exe (PID: 2076)
      • DfIl2.exe (PID: 6980)
      • DfIl1.exe (PID: 6260)
      • DfIl2.exe (PID: 4824)
    • Potential Corporate Privacy Violation

      • Spreaderr.exe (PID: 2080)
      • Spreaderr.exe (PID: 6380)
    • Executable content was dropped or overwritten

      • Spreaderr.exe (PID: 2080)
      • DfIl1.exe (PID: 2604)
      • DfIl2.exe (PID: 6980)
      • DfIl3.exe (PID: 3964)
      • Spreaderr.exe (PID: 6380)
      • DfIl2.exe (PID: 4824)
    • Starts POWERSHELL.EXE for commands execution

      • regsvr32.exe (PID: 3936)
      • regsvr32.exe (PID: 3476)
    • Creates file in the systems drive root

      • Spreaderr.exe (PID: 2080)
      • Spreaderr.exe (PID: 6380)
    • Process drops python dynamic module

      • DfIl2.exe (PID: 6980)
      • DfIl2.exe (PID: 4824)
    • Starts itself from another location

      • DfIl3.exe (PID: 3964)
    • The process drops C-runtime libraries

      • DfIl2.exe (PID: 6980)
      • DfIl2.exe (PID: 4824)
    • Loads Python modules

      • DfIl2.exe (PID: 5188)
      • DfIl2.exe (PID: 5552)
    • Connects to the server without a host name

      • rdsrb.exe (PID: 3752)
      • explorer.exe (PID: 4772)
      • Spreaderr.exe (PID: 6380)
    • The process bypasses the loading of PowerShell profile settings

      • regsvr32.exe (PID: 3936)
    • The process hide an interactive prompt from the user

      • regsvr32.exe (PID: 3936)
    • Process requests binary or script from the Internet

      • Spreaderr.exe (PID: 6380)
  • INFO

    • Reads the computer name

      • Spreaderr.exe (PID: 2080)
      • DfIl3.exe (PID: 3964)
      • DfIl2.exe (PID: 6980)
      • rdsrb.exe (PID: 3752)
      • Spreaderr.exe (PID: 6380)
      • DfIl2.exe (PID: 4824)
      • DfIl3.exe (PID: 3952)
    • Checks proxy server information

      • Spreaderr.exe (PID: 2080)
      • rdsrb.exe (PID: 3752)
      • explorer.exe (PID: 4772)
      • Spreaderr.exe (PID: 6380)
    • Checks supported languages

      • Spreaderr.exe (PID: 2080)
      • DfIl1.exe (PID: 2076)
      • DfIl1.exe (PID: 2604)
      • DfIl2.exe (PID: 6980)
      • DfIl2.exe (PID: 5188)
      • DfIl3.exe (PID: 3964)
      • rdsrb.exe (PID: 3752)
      • RUXIMICS.exe (PID: 5080)
      • Spreaderr.exe (PID: 6380)
      • DfIl1.exe (PID: 6260)
      • DfIl1.exe (PID: 7132)
      • DfIl3.exe (PID: 3952)
      • DfIl2.exe (PID: 4824)
      • DfIl2.exe (PID: 5552)
    • Create files in a temporary directory

      • DfIl1.exe (PID: 2076)
      • DfIl2.exe (PID: 6980)
      • DfIl1.exe (PID: 2604)
      • Spreaderr.exe (PID: 2080)
      • DfIl1.exe (PID: 6260)
      • Spreaderr.exe (PID: 6380)
      • DfIl1.exe (PID: 7132)
      • DfIl2.exe (PID: 4824)
    • The sample compiled with english language support

      • Spreaderr.exe (PID: 2080)
      • DfIl2.exe (PID: 6980)
      • Spreaderr.exe (PID: 6380)
      • DfIl2.exe (PID: 4824)
    • Creates files or folders in the user directory

      • Spreaderr.exe (PID: 2080)
      • DfIl1.exe (PID: 2604)
      • explorer.exe (PID: 4772)
      • Spreaderr.exe (PID: 6380)
    • Creates files in the program directory

      • DfIl3.exe (PID: 3964)
      • MusNotificationUx.exe (PID: 5560)
      • RUXIMICS.exe (PID: 5080)
      • MusNotifyIcon.exe (PID: 6368)
    • Launching a file from a Registry key

      • DfIl3.exe (PID: 3964)
    • Process checks computer location settings

      • DfIl3.exe (PID: 3964)
    • Reads the machine GUID from the registry

      • DfIl2.exe (PID: 5188)
      • DfIl3.exe (PID: 3964)
      • DfIl2.exe (PID: 5552)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4772)
      • Taskmgr.exe (PID: 3580)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3820)
      • powershell.exe (PID: 7008)
      • powershell.exe (PID: 1932)
    • Reads the software policy settings

      • WaaSMedicAgent.exe (PID: 3780)
      • consent.exe (PID: 6868)
      • SIHClient.exe (PID: 5020)
    • Reads the time zone

      • MusNotifyIcon.exe (PID: 6368)
      • MusNotificationUx.exe (PID: 5560)
      • WmiPrvSE.exe (PID: 2632)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:07:15 22:49:46+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.4
CodeSize: 52736
InitializedDataSize: 36864
UninitializedDataSize: -
EntryPoint: 0x1c64
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
164
Monitored processes
38
Malicious processes
10
Suspicious processes
8

Behavior graph

Processes shown in the behavior graph, in graph order: spreaderr.exe (THREAT), dfil1.exe (no specs), dfil1.exe, regsvr32.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), dfil2.exe, dfil3.exe, dfil2.exe (no specs), rdsrb.exe, wmiprvse.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), waasmedicagent.exe (no specs), svchost.exe (no specs), ruximics.exe (no specs), musnotificationux.exe (no specs), musnotifyicon.exe (no specs), explorer.exe (#DIAMOTRIX), spreaderr.exe, dfil1.exe (no specs), dfil1.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), sihclient.exe, dfil2.exe, dfil3.exe (no specs), dfil2.exe (no specs), taskmgr.exe (no specs), consent.exe (no specs), taskmgr.exe, rundll32.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1932
CMD:
"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:googlechromebusiness.msi \"\\?\C:\Users\admin\AppData\Local\LightBlue_2.pfx\"' }) { exit 0 } else { exit 1 }"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
PID:
2076
CMD:
"C:\Users\admin\AppData\Local\Temp\DfIl1.exe"
Path:
C:\Users\admin\AppData\Local\Temp\DfIl1.exe
Parent process:
Spreaderr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BitLocker Unlock
Exit code:
2
Version:
10.0.19041.1
Modules
Images
c:\users\admin\appdata\local\temp\dfil1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
2080
CMD:
"C:\Users\admin\AppData\Local\Temp\Spreaderr.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Spreaderr.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\spreaderr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID:
2216
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2604
CMD:
"C:\Users\admin\AppData\Local\Temp\DfIl1.exe" /VERYSILENT
Path:
C:\Users\admin\AppData\Local\Temp\DfIl1.exe
Parent process:
DfIl1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BitLocker Unlock
Exit code:
0
Version:
10.0.19041.1
Modules
Images
c:\users\admin\appdata\local\temp\dfil1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
2632
CMD:
C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding
Path:
C:\Windows\System32\wbem\WmiPrvSE.exe
Parent process:
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Provider Host
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmiprvse.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ncobjapi.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID:
2664
CMD:
"C:\WINDOWS\system32\regsvr32.exe" /s /i:googlechromebusiness.msi "C:\Users\admin\AppData\Local\LightBlue_2.pfx"
Path:
C:\Windows\SysWOW64\regsvr32.exe
Parent process:
DfIl1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
3
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
3396
CMD:
"C:\WINDOWS\system32\regsvr32.exe" /s /i:googlechromebusiness.msi "C:\Users\admin\AppData\Local\LightBlue_2.pfx"
Path:
C:\Windows\SysWOW64\regsvr32.exe
Parent process:
DfIl1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
3476
CMD:
 /s /i:googlechromebusiness.msi "C:\Users\admin\AppData\Local\LightBlue_2.pfx"
Path:
C:\Windows\System32\regsvr32.exe
Parent process:
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
3580
CMD:
"C:\WINDOWS\system32\taskmgr.exe" /4
Path:
C:\Windows\System32\Taskmgr.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Manager
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
Total events
41 717
Read events
41 609
Write events
101
Delete events
7

Modification events

(PID) Process: (2080) Spreaderr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2080) Spreaderr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:

(PID) Process: (2080) Spreaderr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:

(PID) Process: (3964) DfIl3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: {65b178c
Value:
C:\ProgramData\rdsrb.exe /r

(PID) Process: (3964) DfIl3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value:
95DA766800000000

(PID) Process: (3964) DfIl3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (3752) rdsrb.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3752) rdsrb.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:

(PID) Process: (3752) rdsrb.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: IconLayouts
Value:
Executable files
146
Suspicious files
55
Text files
7
Unknown types
1

Dropped files

PID | Process | Filename | Type
2604 | DfIl1.exe | C:\Users\admin\AppData\Local\Temp\nsz4D94.tmp |
MD5:
SHA256:
2604 | DfIl1.exe | C:\Users\admin\AppData\Local\LightBlue_2.pfx | executable
MD5: 4EA18C413EA1B8930CB2FA763A8887AE
SHA256: 0CECF566B98CBAA8E28E08E9BCA3F74550DB827E08E7425E1373AE4508926D31
3820 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vpcsjz3z.n3r.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2080 | Spreaderr.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\zzz[1].exe | executable
MD5: E4A64028EEFFEDE63D9056A9CD09F65C
SHA256: 77A403EA9E22B029C2DC5D2F606FF7928AFDD077E27B40B1B0EFC444BF062E9C
6980 | DfIl2.exe | C:\Users\admin\AppData\Local\Temp\_MEI69802\VCRUNTIME140.dll | executable
MD5: 0E675D4A7A5B7CCD69013386793F68EB
SHA256: BF5FF4603557C9959ACEC995653D052D9054AD4826DF967974EFD2F377C723D1
2080 | Spreaderr.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\zx[1].exe | executable
MD5: 52B2BD58647131A84488144B751046A2
SHA256: 9F5A5D47A2283D639C8981D9672485B801DDFDB484F155EE05D3784BD5AD41F7
2080 | Spreaderr.exe | C:\Users\admin\AppData\Local\Temp\DfIl2.exe | executable
MD5: 52B2BD58647131A84488144B751046A2
SHA256: 9F5A5D47A2283D639C8981D9672485B801DDFDB484F155EE05D3784BD5AD41F7
6980 | DfIl2.exe | C:\Users\admin\AppData\Local\Temp\_MEI69802\_socket.pyd | executable
MD5: D6BAE4B430F349AB42553DC738699F0E
SHA256: 587C4F3092B5F3E34F6B1E927ECC7127B3FE2F7FA84E8A3D0C41828583BD5CEF
6980 | DfIl2.exe | C:\Users\admin\AppData\Local\Temp\_MEI69802\_hashlib.pyd | executable
MD5: A6448BC5E5DA21A222DE164823ADD45C
SHA256: 3692FC8E70E6E29910032240080FC8109248CE9A996F0A70D69ACF1542FCA69A
2080 | Spreaderr.exe | C:\Users\admin\AppData\Local\Temp\DfIl3.exe | executable
MD5: E4A64028EEFFEDE63D9056A9CD09F65C
SHA256: 77A403EA9E22B029C2DC5D2F606FF7928AFDD077E27B40B1B0EFC444BF062E9C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
23
DNS requests
15
Threats
21

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
2080 | Spreaderr.exe | GET | | 176.46.157.65:80 | http://176.46.157.65/zx.exe | unknown | unknown
2080 | Spreaderr.exe | GET | 200 | 176.46.157.65:80 | http://176.46.157.65/bot.exe | unknown | malicious
3752 | rdsrb.exe | POST | 200 | 176.46.157.65:80 | http://176.46.157.65/zrwyca/getdata.php | unknown | unknown
1268 | svchost.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1508 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6380 | Spreaderr.exe | GET | 200 | 176.46.157.65:80 | http://176.46.157.65/bot.exe | unknown | malicious
6380 | Spreaderr.exe | GET | 200 | 176.46.157.65:80 | http://176.46.157.65/zx.exe | unknown | unknown
4772 | explorer.exe | POST | 200 | 176.46.157.64:80 | http://176.46.157.64/nzcwzue/pqrfxn.php | unknown | malicious
6380 | Spreaderr.exe | GET | 200 | 176.46.157.65:80 | http://176.46.157.65/zzz.exe | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
3720 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2080 | Spreaderr.exe | 176.46.157.65:80 | | | IR | malicious
4 | System | 192.168.100.255:138 | | | | whitelisted
3752 | rdsrb.exe | 176.46.157.65:80 | | | IR | unknown
1268 | svchost.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 23.3.109.244:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1508 | svchost.exe | 40.126.31.1:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 23.3.109.244
  • 23.35.229.160
whitelisted
login.live.com
  • 40.126.31.1
  • 20.190.159.4
  • 40.126.31.128
  • 20.190.159.0
  • 40.126.31.71
  • 20.190.159.128
  • 40.126.31.73
  • 20.190.159.71
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.21
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID | Process | Class | Message
2080 | Spreaderr.exe | A Network Trojan was detected | ET MALWARE Suspicious bot.exe Request
2080 | Spreaderr.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
2080 | Spreaderr.exe | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
2080 | Spreaderr.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
2080 | Spreaderr.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
2080 | Spreaderr.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 33
2080 | Spreaderr.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
2080 | Spreaderr.exe | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
2080 | Spreaderr.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
2080 | Spreaderr.exe | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
No debug info