File name: YUB-X.exe

Full analysis: https://app.any.run/tasks/96c2bcbc-8644-493b-b320-74ffc5a756c3
Verdict: Malicious activity
Analysis date: March 07, 2026, 10:40:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: xor-url, generic, rust
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 9 sections
MD5: 8B613F2599131CC482FABE05CC07DBF9
SHA1: BAADE0CC929E38A15E7E43A691A4A8A7E29644F7
SHA256: 451AD89045C5932785C30F6C5A0C722D573A6F34B28C54B37B7DCE20304EFCA3
SSDEEP: 98304:rJqxHG0xL/G7DYVv92A/lye/KQzCAjcoD94Tl5KKzH0Ee1zIGCnjYq9COEUIKQ3/:UFYnrF0N7rBIAElSzuX35TnFW0fhXwp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • XORed URL has been found (YARA)

      • YUB-X.exe (PID: 7732)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Checks supported languages

      • YUB-X.exe (PID: 7732)
    • There is functionality for taking screenshot (YARA)

      • YUB-X.exe (PID: 7732)
    • Application based on Rust

      • YUB-X.exe (PID: 7732)
    • Reads the computer name

      • YUB-X.exe (PID: 7732)
    • Creates files or folders in the user directory

      • YUB-X.exe (PID: 7732)
    • Checks proxy server information

      • slui.exe (PID: 1044)

xor-url

(PID) Process: (7732) YUB-X.exe
Decrypted-URLs (1): https://keyauth.win/api/1.3/(%
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2026:03:07 04:15:41+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.44
CodeSize: 12436992
InitializedDataSize: 8231424
UninitializedDataSize: -
EntryPoint: 0x207382d
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.2.0.0
ProductVersionNumber: 1.2.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: YUB-X
FileDescription: YUB-X
FileVersion: 1.3.0
ProductName: YUB-X
ProductVersion: 1.3.0
No data.
Total processes: 141
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

[Behavior graph: start, yub-x.exe (#XOR-URL), slui.exe]

Process information

PID: 1044
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 7732
CMD: "C:\Users\admin\Desktop\YUB-X.exe"
Path: C:\Users\admin\Desktop\YUB-X.exe
Parent process: explorer.exe
User: admin
Company: YUB-X
Integrity Level: MEDIUM
Description: YUB-X
Version: 1.3.0
Modules (images):
  • c:\users\admin\desktop\yub-x.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\bcryptprimitives.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
Total events: 3 543
Read events: 3 543
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
HTTP(S) requests: 16
TCP/UDP connections: 22
DNS requests: 10
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3344 | RUXIMICS.exe | GET | 304 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=186&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop | US | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 304 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | US | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.55.110.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
3656 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
1844 | slui.exe | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | text | 512 b | whitelisted
3292 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | US | binary | 814 b | whitelisted
- | - | POST | 500 | 48.192.1.64:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | text | 512 b | whitelisted
3292 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | US | binary | 401 b | whitelisted
3292 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | US | binary | 400 b | whitelisted
3292 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | US | binary | 813 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
3656 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3344 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
3344 | RUXIMICS.exe | 23.55.110.211:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
3656 | svchost.exe | 23.55.110.211:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 23.55.110.211:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
3656 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
3656 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
self.events.data.microsoft.com | 52.182.141.63, 13.69.239.74 | whitelisted
google.com | 192.178.203.113, 192.178.203.138, 192.178.203.139, 192.178.203.101, 192.178.203.102, 192.178.203.100 | whitelisted
crl.microsoft.com | 23.55.110.211, 23.55.110.193 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
activation-v2.sls.microsoft.com | 48.192.1.65 | whitelisted

Threats

PID | Process | Class | Message
3344 | RUXIMICS.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

Process | Message
YUB-X.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
YUB-X.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.