File name: 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe

Full analysis: https://app.any.run/tasks/07e0cbb3-67ba-4386-baa9-18c7aae733c1
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 31, 2026, 18:09:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto
generic
loader
auto-reg
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 22923359B0FFFD89C56688F9CE365C4C
SHA1: B29E09921C84F9322761B9E58FB5FBE7B9EACB55
SHA256: 6650052939AA7E4FE49C9D1AFF74319C46506EFE341F6D9E6D9900CDB7E40C91
SSDEEP: 3072:FPlPgWnqEZxzGy53yuIeAWygtN1VYQcXd1bIw0lvznM+DFb74SW:FPlPEQgSiUAxEN4N1Ew0lA5SW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe (PID: 3516)
    • GENERIC has been found (auto)

      • 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe (PID: 3516)
      • updat.exe (PID: 8364)
    • Changes the autorun value in the registry

      • 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe (PID: 3516)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe (PID: 3516)
      • updat.exe (PID: 8364)
    • The process drops C-runtime libraries

      • 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe (PID: 3516)
      • updat.exe (PID: 8364)
    • Executable content was dropped or overwritten

      • 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe (PID: 3516)
      • updat.exe (PID: 8364)
    • Mutex name with non-standard characters

      • updat.exe (PID: 8364)
      • updat.exe (PID: 8080)
  • INFO

    • Disables trace logs

      • 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe (PID: 3516)
    • Checks proxy server information

      • 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe (PID: 3516)
      • slui.exe (PID: 4756)
    • Checks supported languages

      • 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe (PID: 3516)
      • updat.exe (PID: 8364)
      • updat.exe (PID: 8080)
    • Reads the computer name

      • 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe (PID: 3516)
      • updat.exe (PID: 8364)
    • Reads the machine GUID from the registry

      • 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe (PID: 3516)
    • The sample compiled with english language support

      • 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe (PID: 3516)
      • updat.exe (PID: 8364)
    • Creates files or folders in the user directory

      • 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe (PID: 3516)
    • Reads security settings of Internet Explorer

      • 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe (PID: 3516)
    • Process checks computer location settings

      • 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe (PID: 3516)
    • Manual execution by a user

      • updat.exe (PID: 8080)
    • UPX packer has been detected

      • updat.exe (PID: 8364)
    • Launching a file from a Registry key

      • 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe (PID: 3516)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2026:01:08 18:44:55+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware
PEType: PE32
LinkerVersion: 6
CodeSize: 38400
InitializedDataSize: 68608
UninitializedDataSize: -
EntryPoint: 0xb5be
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 143.0.3650.139
ProductVersionNumber: 143.0.3650.139
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileVersion: 143.0.3650.139
ProductVersion: 143.0.3650.139
FileDescription: Microsoft Edge
CompanyName: Microsoft Corporation
OriginalFileName: msedge_exe
ProductName: Microsoft Edge
LegalCopyright: Copyright Microsoft Corporation. All rights reserved.
No data.
All screenshots are available in the full report
Total processes: 148
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes: start, #GENERIC 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe, mspaint.exe (no specs), #GENERIC updat.exe, updat.exe (no specs), slui.exe

Process information

PID: 3516
CMD: "C:\Users\admin\Desktop\6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe"
Path: C:\Users\admin\Desktop\6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 143.0.3650.139
Modules (Images):
  • c:\users\admin\desktop\6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\mscoree.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll

PID: 4756
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 8080
CMD: "C:\Users\admin\AppData\Local\Microsoft\WindowsUpdate\Cache\WU_20260131_ef286063@27\updat.exe" /minimized
Path: C:\Users\admin\AppData\Local\Microsoft\WindowsUpdate\Cache\WU_20260131_ef286063@27\updat.exe
Parent process: explorer.exe
User: admin
Company: Guangzhou Jinhong Network Media Co., Ltd.
Integrity Level: MEDIUM
Description: YY
Exit code: 1
Version: 9.42.0.0
Modules (Images):
  • c:\users\admin\appdata\local\microsoft\windowsupdate\cache\wu_20260131_ef286063@27\updat.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\shlwapi.dll
  • c:\windows\syswow64\msvcrt.dll

PID: 8364
CMD: "C:\Users\admin\AppData\Local\Microsoft\WindowsUpdate\Cache\WU_20260131_ef286063@27\updat.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\WindowsUpdate\Cache\WU_20260131_ef286063@27\updat.exe
Parent process: 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe
User: admin
Company: Guangzhou Jinhong Network Media Co., Ltd.
Integrity Level: MEDIUM
Description: YY
Version: 9.42.0.0
Modules (Images):
  • c:\users\admin\appdata\local\microsoft\windowsupdate\cache\wu_20260131_ef286063@27\updat.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\shlwapi.dll

PID: 8792
CMD: "C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\AppData\Local\Microsoft\WindowsUpdate\Cache\WU_20260131_ef286063@27\image.jpg"
Path: C:\Windows\SysWOW64\mspaint.exe
Parent process: 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Paint
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\syswow64\mspaint.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll
Total events: 9 350
Read events: 9 332
Write events: 18
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
3516 | 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | write | EnableFileTracing | 0
3516 | 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | write | EnableAutoFileTracing | 0
3516 | 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | write | EnableConsoleTracing | 0
3516 | 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | write | FileTracingMask | -
3516 | 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | write | ConsoleTracingMask | -
3516 | 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | write | MaxFileSize | 1048576
3516 | 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | write | FileDirectory | %windir%\tracing
3516 | 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS | write | EnableFileTracing | 0
3516 | 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS | write | EnableAutoFileTracing | 0
3516 | 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS | write | EnableConsoleTracing | 0
Executable files: 8
Suspicious files: 2
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3516 | 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe | C:\Users\admin\AppData\Local\Microsoft\WindowsUpdate\Cache\WU_20260131_ef286063@27\updat.log | binary
MD5: 543023ACE4F10B736C4C4109E005F0EF
SHA256: 8DDCFA1240702D7CD4A776710362C0EE1EAEB0D7F833962D6A03BB9E6B826CB4

3516 | 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe | C:\Users\admin\AppData\Local\Microsoft\WindowsUpdate\Cache\WU_20260131_ef286063@27\crashreport.dll | executable
MD5: 30917B5ABB991DF495827A9D7C7EBCBC
SHA256: F871F59618C9D4BF9D39CD8E7C2784BB6A2C37678D9E0630602830CDAD14186A

3516 | 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe | C:\Users\admin\AppData\Local\Microsoft\WindowsUpdate\Cache\WU_20260131_ef286063@27\image.jpg | image
MD5: 4DE8079431D85D3A37FD77FB26E8328F
SHA256: 0CE9B137F378211A4F6BA43BAE5E7056D577D757441671028B94B46A05B2B0C1

3516 | 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe | C:\Users\admin\AppData\Local\Microsoft\WindowsUpdate\Cache\WU_20260131_ef286063@27\vcruntime140.dll | executable
MD5: 4113057339D9E4E376BDED9074D20C17
SHA256: 8E08575492175E042F093F325B07A5C14CA71E7C581474838DB3D48F5AAB1312

8364 | updat.exe | C:\Users\admin\Music\B54C6754@27\DDD4900D.exe | executable
MD5: 64B07B1C385CF94A3559E323009F7641
SHA256: 393ED141ACA95973D948B0BECD128AC19B7140FA66F80400C15CC48C2FBFE454

3516 | 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe | C:\Users\admin\AppData\Local\Microsoft\WindowsUpdate\Cache\WU_20260131_ef286063@27\updat.exe | executable
MD5: 64B07B1C385CF94A3559E323009F7641
SHA256: 393ED141ACA95973D948B0BECD128AC19B7140FA66F80400C15CC48C2FBFE454

8364 | updat.exe | C:\Users\admin\Music\B54C6754@27\msvcp140.dll | executable
MD5: 7E8BDD2C2304E204B44A3BEC09D66062
SHA256: E4C71980DBB4A1E1A86816687AFDAEA043B639B531135FC4516FB2429FE623FC

8364 | updat.exe | C:\Users\admin\Music\B54C6754@27\updat.log | binary
MD5: 543023ACE4F10B736C4C4109E005F0EF
SHA256: 8DDCFA1240702D7CD4A776710362C0EE1EAEB0D7F833962D6A03BB9E6B826CB4

3516 | 6650052939aa7e4fe49c9d1aff74319c46506efe341f6d9e6d9900cdb7e40c91.exe | C:\Users\admin\AppData\Local\Microsoft\WindowsUpdate\Cache\WU_20260131_ef286063@27\msvcp140.dll | executable
MD5: 7E8BDD2C2304E204B44A3BEC09D66062
SHA256: E4C71980DBB4A1E1A86816687AFDAEA043B639B531135FC4516FB2429FE623FC

8364 | updat.exe | C:\Users\admin\Music\B54C6754@27\vcruntime140.dll | executable
MD5: 4113057339D9E4E376BDED9074D20C17
SHA256: 8E08575492175E042F093F325B07A5C14CA71E7C581474838DB3D48F5AAB1312
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 60
TCP/UDP connections: 56
DNS requests: 26
Threats: 27

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
8400 | RUXIMICS.exe | GET | 304 | 20.73.194.208:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=186&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop | unknown | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 304 | 20.73.194.208:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | unknown | - | - | whitelisted
3344 | svchost.exe | GET | 200 | 23.48.23.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
8400 | RUXIMICS.exe | GET | 200 | 23.48.23.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.75:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | unknown
3344 | svchost.exe | GET | 200 | 20.73.194.208:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4 | unknown | text | 3.41 Kb | whitelisted
- | - | POST | 200 | 20.190.159.75:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | unknown
4816 | SIHClient.exe | GET | 304 | 74.178.76.128:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | whitelisted
356 | svchost.exe | POST | 200 | 40.126.32.76:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
3344 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
8400 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 92.123.104.13:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
3344 | svchost.exe | 23.48.23.35:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
8400 | RUXIMICS.exe | 23.48.23.35:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 23.48.23.35:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
www.bing.com
  • 92.123.104.13
  • 92.123.104.63
  • 92.123.104.5
  • 92.123.104.9
  • 92.123.104.66
  • 92.123.104.4
  • 92.123.104.12
  • 92.123.104.62
  • 92.123.104.6
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.48.23.35
  • 23.48.23.11
whitelisted
login.live.com
  • 40.126.32.76
  • 20.190.160.66
  • 20.190.160.128
  • 20.190.160.4
  • 20.190.160.132
  • 40.126.32.68
  • 20.190.160.20
  • 20.190.160.3
whitelisted
yyupdats.s3.ap-southeast-1.amazonaws.com
  • 52.219.132.111
  • 3.5.151.112
  • 52.219.129.63
  • 3.5.151.213
  • 3.5.147.15
  • 3.5.149.147
  • 3.5.149.72
  • 52.219.132.3
unknown
wk.goldeyeuu.io
  • 185.135.79.200
unknown
slscr.update.microsoft.com
  • 74.178.76.128
whitelisted
www.microsoft.com
  • 23.52.181.212
whitelisted

Threats

PID | Process | Class | Message
3344 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
- | - | Potentially Bad Traffic | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Potentially Bad Traffic | ET INFO Executable served from Amazon S3
- | - | A suspicious filename was detected | ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
- | - | Potentially Bad Traffic | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Potentially Bad Traffic | ET INFO Executable served from Amazon S3
- | - | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
- | - | Misc activity | ET INFO Packed Executable Download
- | - | Potentially Bad Traffic | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Potentially Bad Traffic | ET INFO Executable served from Amazon S3
No debug info