File name: 2025-04-29_eabd7e90d191229e9f06259385739ada_

Full analysis: https://app.any.run/tasks/ac61e2fd-436a-4166-8116-bb5a796de4e4
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 29, 2025, 02:06:34
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
arch-exec
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 18 sections
MD5: EABD7E90D191229E9F06259385739ADA
SHA1: 2B9C7B9733D1BF6BF22185F1E74CA508D0454F04
SHA256: 70CCDDE4074C4162E3D33382B9A5D1A2B6CAD9BA8CEABAC486026530E5F5E89B
SSDEEP: 49152:9ZP2YPjblV47h66o66pufJJ6NjyzYa5r5MqmN2d0M9NcfrF:flBQ6Njyz1r5MqmN2d0M9NcfrF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • wscript.exe (PID: 7332)
      • cmd.exe (PID: 7788)
      • wscript.exe (PID: 7772)
      • wscript.exe (PID: 7916)
      • InGlockZ.exe (PID: 5640)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7388)
      • powershell.exe (PID: 7868)
      • powershell.exe (PID: 8096)
      • powershell.exe (PID: 2148)
      • powershell.exe (PID: 7908)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7388)
      • powershell.exe (PID: 7868)
      • powershell.exe (PID: 7908)
      • powershell.exe (PID: 8096)
      • powershell.exe (PID: 5204)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 7908)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 7908)
  • SUSPICIOUS

    • A mutex related to thread handling in the GNU C Compiler (GCC) runtime libraries has been found

      • 2025-04-29_eabd7e90d191229e9f06259385739ada_.exe (PID: 7284)
    • Reads the date of Windows installation

      • 2025-04-29_eabd7e90d191229e9f06259385739ada_.exe (PID: 7284)
      • InGlockZ.exe (PID: 5640)
    • Accesses current user name via WMI (SCRIPT)

      • wscript.exe (PID: 7332)
      • wscript.exe (PID: 7772)
      • wscript.exe (PID: 7916)
    • The process executes VB scripts

      • 2025-04-29_eabd7e90d191229e9f06259385739ada_.exe (PID: 7284)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7332)
      • wscript.exe (PID: 7772)
      • wscript.exe (PID: 7916)
    • Reads security settings of Internet Explorer

      • 2025-04-29_eabd7e90d191229e9f06259385739ada_.exe (PID: 7284)
      • InGlockZ.exe (PID: 5640)
    • The process executes Powershell scripts

      • cmd.exe (PID: 7788)
      • wscript.exe (PID: 7332)
      • wscript.exe (PID: 7916)
      • wscript.exe (PID: 7772)
      • InGlockZ.exe (PID: 5640)
      • powershell.exe (PID: 7868)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7788)
      • wscript.exe (PID: 7772)
      • wscript.exe (PID: 7332)
      • wscript.exe (PID: 7916)
      • powershell.exe (PID: 7868)
      • InGlockZ.exe (PID: 5640)
    • Starts CMD.EXE for commands execution

      • 2025-04-29_eabd7e90d191229e9f06259385739ada_.exe (PID: 7284)
      • Zip_unCompress.exe (PID: 7400)
    • Executing commands from ".cmd" file

      • 2025-04-29_eabd7e90d191229e9f06259385739ada_.exe (PID: 7284)
    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 7908)
    • Process requests binary or script from the Internet

      • powershell.exe (PID: 8096)
    • Application launched itself

      • powershell.exe (PID: 7868)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 7916)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 7788)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 7908)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 8096)
      • csc.exe (PID: 1300)
      • powershell.exe (PID: 5204)
      • Zip_unCompress.exe (PID: 7400)
      • extd.exe (PID: 900)
    • Executing commands from a ".bat" file

      • Zip_unCompress.exe (PID: 7400)
    • The executable file from the user directory is run by the CMD process

      • extd.exe (PID: 900)
      • extd.exe (PID: 7680)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 1300)
  • INFO

    • Process checks computer location settings

      • 2025-04-29_eabd7e90d191229e9f06259385739ada_.exe (PID: 7284)
      • InGlockZ.exe (PID: 5640)
    • Checks supported languages

      • 2025-04-29_eabd7e90d191229e9f06259385739ada_.exe (PID: 7284)
      • InGlockZ.exe (PID: 5640)
      • cvtres.exe (PID: 4448)
      • csc.exe (PID: 1300)
    • Reads the computer name

      • 2025-04-29_eabd7e90d191229e9f06259385739ada_.exe (PID: 7284)
      • InGlockZ.exe (PID: 5640)
    • Reads Microsoft Office registry keys

      • 2025-04-29_eabd7e90d191229e9f06259385739ada_.exe (PID: 7284)
    • Disables trace logs

      • powershell.exe (PID: 7388)
      • powershell.exe (PID: 7868)
      • powershell.exe (PID: 8096)
      • powershell.exe (PID: 5204)
    • Checks proxy server information

      • powershell.exe (PID: 7388)
      • powershell.exe (PID: 8096)
      • powershell.exe (PID: 7868)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 7908)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7908)
    • Create files in a temporary directory

      • InGlockZ.exe (PID: 5640)
      • csc.exe (PID: 1300)
      • cvtres.exe (PID: 4448)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7908)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 1300)
    • Manual execution by a user

      • OpenWith.exe (PID: 7700)
      • fPajgfngt0.exe (PID: 7928)
      • OpenWith.exe (PID: 7308)
      • OpenWith.exe (PID: 7464)
      • OpenWith.exe (PID: 7504)
    • UPX packer has been detected

      • Zip_unCompress.exe (PID: 7400)
      • fPajgfngt0.exe (PID: 7928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:28 15:09:45+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, Large address aware
PEType: PE32+
LinkerVersion: 2.24
CodeSize: 464896
InitializedDataSize: 675328
UninitializedDataSize: 6144
EntryPoint: 0x14d0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 155
Monitored processes: 32
Malicious processes: 7
Suspicious processes: 3

Behavior graph

Processes in the order they appear in the graph ("no specs" is the report's own marker for a process without recorded indicators):
2025-04-29_eabd7e90d191229e9f06259385739ada_.exe (no specs), wscript.exe (no specs), powershell.exe, conhost.exe (no specs), svchost.exe, wscript.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), powershell.exe, powershell.exe (no specs), wscript.exe (no specs), conhost.exe (no specs), powershell.exe, conhost.exe (no specs), powershell.exe (no specs), timeout.exe (no specs), inglockz.exe (no specs), powershell.exe, conhost.exe (no specs), csc.exe, cvtres.exe (no specs), zip_uncompress.exe, cmd.exe (no specs), conhost.exe (no specs), extd.exe, extd.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), fpajgfngt0.exe (no specs), openwith.exe (no specs), slui.exe

Process information

Each entry lists PID, command line (CMD), image path, indicators and parent process, followed by process details and loaded modules.
PID: 300
CMD: "C:\WINDOWS\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\124C.tmp\124D.tmp\124E.bat C:\Users\admin\Desktop\Zip_unCompress.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: Zip_unCompress.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\cmdext.dll, c:\windows\system32\advapi32.dll
PID: 900
CMD: C:\Users\admin\AppData\Local\Temp\124C.tmp\124D.tmp\extd.exe "/unzip" "fPajgfngt0.zip" "C:\Users\admin/Desktop" "" "" "" "" "" ""
Path: C:\Users\admin\AppData\Local\Temp\124C.tmp\124D.tmp\extd.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images): c:\users\admin\appdata\local\temp\124c.tmp\124d.tmp\extd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll
PID: 1300
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\i11g2p3z.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images): c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ole32.dll
PID: 2148
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -File background_changer_rn.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\atl.dll, c:\windows\system32\combase.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\svchost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\kernel.appcore.dll
PID: 2772
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll
PID: 4220
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID: 4448
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESF406.tmp" "c:\Users\admin\AppData\Local\Temp\CSC4A7A4735D5754579BBE21421AA434A4.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 14.32.31326.0
Modules (images): c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\vcruntime140_1_clr0400.dll
PID: 4892
CMD: timeout /t 1 /Nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\timeout.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll
PID: 5204
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –NoProfile -ExecutionPolicy Bypass -File C:\Users\admin\AppData\Local\Temp\EFD0.tmp\EFD1.tmp\EFD2.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: InGlockZ.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\atl.dll, c:\windows\system32\combase.dll
Total events: 41 326
Read events: 41 323
Write events: 3
Delete events: 0

Modification events

PID 7284 (2025-04-29_eabd7e90d191229e9f06259385739ada_.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation: write
Name: VBSFile
Value:
Executable files: 6
Suspicious files: 51
Text files: 31
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7284 | 2025-04-29_eabd7e90d191229e9f06259385739ada_.exe | C:\Users\admin\executer.ps1 | text
  MD5: 83756272904DD4186EEA7117811D48EE
  SHA256: 5BA444BD893A971D842A4C4041E94172F66D5ACB3986DEE58E1E33FFBFD9E07C
7388 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_olty3yhb.ooh.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7388 | powershell.exe | C:\Users\admin\dirEncryption.ps1 | text
  MD5: 073808DCDFB549CB413DE3C44E7E9A51
  SHA256: 8F09E857827B8C59FEB50925292F3FB4128588FA9DB5F85B2885CBF05EA02458
7284 | 2025-04-29_eabd7e90d191229e9f06259385739ada_.exe | C:\Users\admin\Desktop\@ChangeFhoto_rn@\installer-temp-DesktopChanger.ps1 | text
  MD5: CA31A268228D61C22E45B990933FC39D
  SHA256: B05A6F47F989FA5BBFC84CDB38D91F0C73283B993378A090D8CCDFDD5D667CC4
7284 | 2025-04-29_eabd7e90d191229e9f06259385739ada_.exe | C:\Users\admin\Desktop\@HELP_HERE_TO_RESCUE_YOUR_FILES@.txt | text
  MD5: 37CF35E422EB9CE73A6FCB78009DCD0D
  SHA256: E93F16AA70AA3CA24E7F55D6AD118333E4EFBD7E89880C789011968314E065B3
7388 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
  MD5: A7EF3DBCBEB8590DCA994C498485402C
  SHA256: 760F6E29354DCB72FA505DE5DA25E50F0F8E6BEB14AD9175A038069D7C3483DF
7284 | 2025-04-29_eabd7e90d191229e9f06259385739ada_.exe | C:\Users\admin\GamWWW\vbsExecInter.vbs | text
  MD5: 94CBAA5ABE405E1C5625E083D4204DC5
  SHA256: F5C3E23E03AFA55AD48AD717806272A021790755B7F4806E307F471B957A05CF
7284 | 2025-04-29_eabd7e90d191229e9f06259385739ada_.exe | C:\Users\admin\GamWWW\Interface-Installer-powershell.ps1 | text
  MD5: 3854D2178F5BDF103F70C29D75218540
  SHA256: 66FD3F7DF3FFC77415BAD417B9B253AAEE8D166FE481653AA5B12B4CF259DED2
7284 | 2025-04-29_eabd7e90d191229e9f06259385739ada_.exe | C:\Users\admin\temp-executer.vbs | text
  MD5: BDEC31AA4041C490E3C28D9CA20EE0CC
  SHA256: 84CBB472B3EBF316D00DAB06391AAA5BB26CD7B4FF005CCAAC4B3992C94384FE
7284 | 2025-04-29_eabd7e90d191229e9f06259385739ada_.exe | C:\Users\admin\Desktop\@ChangeFhoto_rn@\EzXecutorQ.cmd | text
  MD5: 9B208162DB392380FE9B09A6E8DB8634
  SHA256: E7379E5D62AC2A0B6799F592EE3F1DE8B471385C8BA0F1519C2BD40BC1C4DFDB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 15
TCP/UDP connections: 31
DNS requests: 10
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation ("-" = field not present in the report)
2104 | svchost.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6652 | RUXIMICS.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6652 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
8096 | powershell.exe | GET | 301 | 162.125.66.18:80 | http://www.dropbox.com/scl/fi/x12vgqwql7b6yrzs7l9dc/InGlockZ.exe?rlkey=cfxikqyes9nr3kmqx5nzlbjhl&st=casxo0lm&dl=1 | unknown | - | - | whitelisted
- | - | GET | 200 | 18.245.31.94:443 | https://gitea.com/asadopollo230/Repository1/raw/branch/main/dirEncryption.ps1 | unknown | text | 5.61 Kb | unknown
- | - | GET | 200 | 18.245.31.94:443 | https://gitea.com/asadopollo230/Repository1/raw/branch/main/background_changer_rn.ps1 | unknown | text | 4.38 Kb | unknown
- | - | GET | 302 | 162.125.66.18:443 | https://www.dropbox.com/scl/fi/43l5mveluue7r7g6imrvb/fPajgfngt0.zip?rlkey=hgjn139tsmbxs9o9xe8uxgjbv&st=joi01xy7&dl=1 | unknown | text | 17 b | whitelisted
- | - | GET | 302 | 162.125.66.18:443 | https://www.dropbox.com/scl/fi/x12vgqwql7b6yrzs7l9dc/InGlockZ.exe?rlkey=cfxikqyes9nr3kmqx5nzlbjhl&st=casxo0lm&dl=1 | unknown | text | 17 b | whitelisted
- | - | GET | 200 | 162.125.66.15:443 | https://uc8e9589c74cb9c07180fa15754b.dl.dropboxusercontent.com/cd/0/get/CouTMhKHn83J7BI8_qy-PUKN_lqJ2qjJDk0yLLyr0KFhgIFYCGw4yHToJ40RRzD3DK1s4BfVE4txQTybF8euqkGn1sWCEdookX1-PHJhaJpc_gfwp1cl4HiJ4auzzqyB4lRts3bKQvEkYUP_Mw2Po9Qk/file?dl=1 | unknown | executable | 53.5 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation ("-" = field not present in the report)
6652 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
6652 | RUXIMICS.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
2104 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
6652 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.142 | whitelisted
crl.microsoft.com | 2.16.164.49, 2.16.164.120 | whitelisted
www.microsoft.com | 2.23.246.101 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
gitea.com | 34.217.253.146 | unknown
www.dropbox.com | 162.125.66.18 | whitelisted
uc8e9589c74cb9c07180fa15754b.dl.dropboxusercontent.com | 162.125.66.15 | whitelisted
uc8e601a385e64b3828b4b08a118.dl.dropboxusercontent.com | 162.125.66.15 | whitelisted
uc31007719481816cb7d6b395423.dl.dropboxusercontent.com | 162.125.66.15 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

PID | Process | Class | Message ("-" = field not present in the report)
2196 | svchost.exe | Potentially Bad Traffic | ET INFO Self-Hosted Git Service Domain in DNS Lookup (gitea .com)
7388 | powershell.exe | Potentially Bad Traffic | ET INFO Observed Self-Hosted Git Service Domain (gitea .com in TLS SNI)
- | - | Potentially Bad Traffic | ET INFO PS1 Powershell File Request
- | - | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
7868 | powershell.exe | Potentially Bad Traffic | ET INFO Observed Self-Hosted Git Service Domain (gitea .com in TLS SNI)
- | - | Potentially Bad Traffic | ET INFO PS1 Powershell File Request
- | - | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
- | - | Misc activity | ET INFO EXE - Served Attached HTTP
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
No debug info