File name:

BuildName.exe

Full analysis: https://app.any.run/tasks/93e11989-434d-4840-95c9-d7315a8d6211
Verdict: Malicious activity
Threats:

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Malware Trends Tracker     >>>
Analysis date: May 16, 2025, 04:15:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
netreactor
redline
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

D45BA66B46DB96D4717A37333E6B70EC

SHA1:

B48DD55786B027BA7027A7E1EDE466CCD37947D2

SHA256:

66C16B04A6A7935125A7683287EFF56279745668F607DE09D1D370114ADB877F

SSDEEP:

24576:7iECtx0kUzwlHw8QQLqrmCVuD4dTCqT2VD:7XCtx0kUzwlHw8QQLqrmCVuD4dTCqT2d

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • BuildName.exe (PID: 7372)
      • Yq5VwiQXjsF7I8c.exe (PID: 7532)

    • REDLINE has been detected (YARA)

      • RegSvcs.exe (PID: 8092)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • BuildName.exe (PID: 7468)

    • Connects to unusual port

      • RegSvcs.exe (PID: 8092)

  • INFO

    • Create files in a temporary directory

      • BuildName.exe (PID: 7468)

    • Creates files or folders in the user directory

      • BuildName.exe (PID: 7468)

    • The sample compiled with english language support

      • BuildName.exe (PID: 7468)

    • Checks supported languages

      • BuildName.exe (PID: 7468)
      • Yq5VwiQXjsF7I8c.exe (PID: 7532)
      • RegSvcs.exe (PID: 8092)

    • Reads the computer name

      • Yq5VwiQXjsF7I8c.exe (PID: 7532)
      • RegSvcs.exe (PID: 8092)

    • Reads the machine GUID from the registry

      • Yq5VwiQXjsF7I8c.exe (PID: 7532)
      • RegSvcs.exe (PID: 8092)

    • .NET Reactor protector has been detected

      • Yq5VwiQXjsF7I8c.exe (PID: 7532)

    • Disables trace logs

      • RegSvcs.exe (PID: 8092)

    • Checks proxy server information

      • RegSvcs.exe (PID: 8092)
      • slui.exe (PID: 4756)

    • Reads the software policy settings

      • slui.exe (PID: 4756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:08:01 02:44:18+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x35d8
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.7.2.4
ProductVersionNumber: 4.7.2.4
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: xMnFWuahOSwO6CU
CompanyName: Utility
FileDescription: PQMjTNlTQAxAavI
FileVersion: 4.7.2.4
LegalCopyright: o_WCVn2PY50bzqv
LegalTrademarks: iWRn
OriginalFileName: BuildName.exe
ProductName: HotKey
ProductVersion: 7.6.2.7
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start buildname.exe santacheker.exe no specs yq5vwiqxjsf7i8c.exe no specs #REDLINE regsvcs.exe slui.exe buildname.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4756C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7372"C:\Users\admin\Desktop\BuildName.exe" C:\Users\admin\Desktop\BuildName.exeexplorer.exe
User:
admin
Company:
Utility
Integrity Level:
MEDIUM
Description:
PQMjTNlTQAxAavI
Exit code:
3221226540
Version:
4.7.2.4
Modules
Images
c:\users\admin\desktop\buildname.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7468"C:\Users\admin\Desktop\BuildName.exe" C:\Users\admin\Desktop\BuildName.exe
explorer.exe
User:
admin
Company:
Utility
Integrity Level:
HIGH
Description:
PQMjTNlTQAxAavI
Exit code:
0
Version:
4.7.2.4
Modules
Images
c:\users\admin\desktop\buildname.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7500C:\Users\admin\AppData\Roaming\SantaCheker.exeC:\Users\admin\AppData\Roaming\SantaCheker.exeBuildName.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\roaming\santacheker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7532C:\Users\admin\AppData\Roaming\Yq5VwiQXjsF7I8c.exeC:\Users\admin\AppData\Roaming\Yq5VwiQXjsF7I8c.exeBuildName.exe
User:
admin
Integrity Level:
HIGH
Description:
Installer for PingPlotter
Exit code:
0
Version:
5.19.1.8408
Modules
Images
c:\users\admin\appdata\roaming\yq5vwiqxjsf7i8c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
8092"{path}"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Yq5VwiQXjsF7I8c.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Services Installation Utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
5 182
Read events
5 168
Write events
14
Delete events
0

Modification events

(PID) Process:(8092) RegSvcs.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(8092) RegSvcs.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(8092) RegSvcs.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(8092) RegSvcs.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(8092) RegSvcs.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(8092) RegSvcs.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(8092) RegSvcs.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(8092) RegSvcs.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(8092) RegSvcs.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(8092) RegSvcs.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
2
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
7468BuildName.exeC:\Users\admin\AppData\Roaming\SantaCheker.exeexecutable
MD5:C66DB5575287B5B780EFC46D05A571CB
SHA256:A2A9A850A0276F78081074FD79DB333542B8836F7DB864825C721FC9D059E7CD
7468BuildName.exeC:\Users\admin\AppData\Roaming\Yq5VwiQXjsF7I8c.exeexecutable
MD5:0B8EB1B32760824A98190B6435738651
SHA256:EB51D6932AB55AC518C8AA12DEC36ACF3331D2715F8B826A67CED40C27BAA14A
7468BuildName.exeC:\Users\admin\AppData\Local\Temp\nsoBFB9.tmpbinary
MD5:A69C9445D9C519031FFE7A5C4D161D66
SHA256:EACF8660EDBEDEB935BA76267FA435BC34EC256944B25146BBAA6CF2A34B6645
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
52
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6656
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7920
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7920
SIHClient.exe
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7920
SIHClient.exe
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7920
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7920
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7920
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7920
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6656
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6656
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.42
  • 23.216.77.28
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.64
  • 40.126.31.73
  • 40.126.31.67
  • 40.126.31.129
  • 40.126.31.71
  • 40.126.31.3
  • 20.190.159.0
  • 20.190.159.131
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
BuildName.exe