File name:

ComboToolByMrRoot.exe

Full analysis: https://app.any.run/tasks/8b2a499e-0ff5-4e63-b273-47106942a475
Verdict: Malicious activity
Threats:

Stealers are a category of malware designed to gain unauthorized access to users' information and transfer it to the attacker. The category covers various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: June 21, 2025, 14:44:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
svcstealer
stealer
arch-doc
clipper
diamotrix
qrcode
delphi
inno
installer
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

4E9D85D349CA6B3414D2071A554FE80B

SHA1:

95BBCC3154A06DFB57A0E2026FBF4C57C692AE5F

SHA256:

73E55163698A92572DB5FEF830664E06E6C72FE68F1BE04E42EBB00577214AFB

SSDEEP:

98304:uIHLVIF8P3n1BLHxtD59KEKjSvDYgzQd+MKgk/wbg7hn5yTwu3yvfwCOcK+QQLAE:3ya2cFapdgaKYvXp5IqfqThLxJWy0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • retyrefdx.exe (PID: 6536)
      • fdxsdzer.exe (PID: 5532)
      • retyrefdx.exe (PID: 1800)
      • fdxsdzer.exe (PID: 2324)
    • Registers / Runs the DLL via REGSVR32.EXE

      • fdxsdzer.tmp (PID: 5504)
      • retyrefdx.tmp (PID: 4768)
    • Actions look like stealing of personal data

      • bvcbcvdf.exe (PID: 1212)
    • Runs injected code in another process

      • regsvr32.exe (PID: 6636)
    • Application was injected by another process

      • explorer.exe (PID: 4772)
    • SVCSTEALER mutex has been found

      • bvcbcvdf.exe (PID: 1212)
    • DIAMOTRIX has been detected (SURICATA)

      • explorer.exe (PID: 4772)
      • bvcbcvdf.exe (PID: 1212)
    • Connects to the CnC server

      • bvcbcvdf.exe (PID: 1212)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • ComboToolByMrRoot.exe (PID: 2792)
    • Executable content was dropped or overwritten

      • ComboToolByMrRoot.exe (PID: 2792)
      • fdxsdzer.exe (PID: 2324)
      • fdxsdzer.tmp (PID: 4040)
      • retyrefdx.tmp (PID: 4528)
      • retyrefdx.exe (PID: 6536)
      • fdxsdzer.exe (PID: 5532)
      • retyrefdx.exe (PID: 1800)
      • fdxsdzer.tmp (PID: 5504)
      • retyrefdx.tmp (PID: 4768)
    • Reads the Windows owner or organization settings

      • fdxsdzer.tmp (PID: 4040)
      • retyrefdx.tmp (PID: 4528)
      • fdxsdzer.tmp (PID: 5504)
      • retyrefdx.tmp (PID: 4768)
    • Reads security settings of Internet Explorer

      • retyrefdx.tmp (PID: 4528)
      • fdxsdzer.tmp (PID: 4040)
      • ComboToolByMrRoot.exe (PID: 2792)
      • bvcbcvdf.exe (PID: 1212)
    • Starts POWERSHELL.EXE for commands execution

      • regsvr32.exe (PID: 6636)
      • regsvr32.exe (PID: 856)
      • regsvr32.exe (PID: 6936)
      • regsvr32.exe (PID: 6892)
    • Executes application which crashes

      • MEGA-CRIMSON-BRUTE.exe (PID: 3480)
    • Connects to unusual port

      • bvcbcvdf.exe (PID: 1212)
    • The process hides an interactive prompt from the user

      • regsvr32.exe (PID: 6636)
      • regsvr32.exe (PID: 856)
    • The process bypasses the loading of PowerShell profile settings

      • regsvr32.exe (PID: 6636)
      • regsvr32.exe (PID: 856)
    • Uses RUNDLL32.EXE to load library

      • explorer.exe (PID: 4772)
    • Contacting a server suspected of hosting a CnC

      • bvcbcvdf.exe (PID: 1212)
    • Connects to the server without a host name

      • bvcbcvdf.exe (PID: 1212)
      • explorer.exe (PID: 4772)
    • The process executes via Task Scheduler

      • regsvr32.exe (PID: 6936)
      • regsvr32.exe (PID: 1496)
      • regsvr32.exe (PID: 6892)
      • regsvr32.exe (PID: 6356)
  • INFO

    • Reads the computer name

      • ComboToolByMrRoot.exe (PID: 2792)
      • bvcbcvdf.exe (PID: 1212)
      • retyrefdx.tmp (PID: 4528)
      • fdxsdzer.tmp (PID: 4040)
      • fdxsdzer.tmp (PID: 5504)
      • retyrefdx.tmp (PID: 4768)
      • MEGA-CRIMSON-BRUTE.exe (PID: 3480)
      • fgedftgezr.exe (PID: 1160)
    • The sample was compiled with English language support

      • ComboToolByMrRoot.exe (PID: 2792)
    • Checks supported languages

      • fdxsdzer.exe (PID: 2324)
      • fdxsdzer.tmp (PID: 4040)
      • fgedftgezr.exe (PID: 1160)
      • bvcbcvdf.exe (PID: 1212)
      • retyrefdx.exe (PID: 6536)
      • retyrefdx.tmp (PID: 4528)
      • retyrefdx.exe (PID: 1800)
      • fdxsdzer.tmp (PID: 5504)
      • MEGA-CRIMSON-BRUTE.exe (PID: 3480)
      • fdxsdzer.exe (PID: 5532)
      • retyrefdx.tmp (PID: 4768)
      • ComboToolByMrRoot.exe (PID: 2792)
    • Creates files in a temporary directory

      • retyrefdx.exe (PID: 6536)
      • fdxsdzer.exe (PID: 2324)
      • fdxsdzer.tmp (PID: 4040)
      • retyrefdx.tmp (PID: 4528)
      • fdxsdzer.exe (PID: 5532)
      • retyrefdx.exe (PID: 1800)
      • fdxsdzer.tmp (PID: 5504)
      • bvcbcvdf.exe (PID: 1212)
      • retyrefdx.tmp (PID: 4768)
    • Creates files in the program directory

      • bvcbcvdf.exe (PID: 1212)
    • Process checks computer location settings

      • ComboToolByMrRoot.exe (PID: 2792)
      • fdxsdzer.tmp (PID: 4040)
      • retyrefdx.tmp (PID: 4528)
    • Creates files or folders in the user directory

      • fdxsdzer.tmp (PID: 5504)
      • retyrefdx.tmp (PID: 4768)
      • ComboToolByMrRoot.exe (PID: 2792)
      • bvcbcvdf.exe (PID: 1212)
      • WerFault.exe (PID: 728)
    • Reads the machine GUID from the registry

      • MEGA-CRIMSON-BRUTE.exe (PID: 3480)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6404)
      • powershell.exe (PID: 5644)
      • powershell.exe (PID: 7072)
      • powershell.exe (PID: 3836)
      • powershell.exe (PID: 2728)
      • powershell.exe (PID: 1932)
    • Manual execution by a user

      • notepad.exe (PID: 5900)
      • notepad.exe (PID: 4236)
      • rundll32.exe (PID: 6652)
      • rundll32.exe (PID: 2668)
      • notepad.exe (PID: 2324)
      • OpenWith.exe (PID: 5552)
      • rundll32.exe (PID: 6688)
      • OpenWith.exe (PID: 420)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 5900)
      • explorer.exe (PID: 4772)
      • notepad.exe (PID: 2324)
      • notepad.exe (PID: 4236)
      • rundll32.exe (PID: 6688)
    • Detects InnoSetup installer (YARA)

      • fdxsdzer.exe (PID: 5532)
      • retyrefdx.exe (PID: 1800)
      • fdxsdzer.tmp (PID: 5504)
    • Compiled with Borland Delphi (YARA)

      • retyrefdx.exe (PID: 1800)
      • fdxsdzer.exe (PID: 5532)
      • fdxsdzer.tmp (PID: 5504)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 420)
      • rundll32.exe (PID: 6688)
      • OpenWith.exe (PID: 5552)
      • OpenWith.exe (PID: 6900)
    • Checks proxy server information

      • explorer.exe (PID: 4772)
      • bvcbcvdf.exe (PID: 1212)
      • WerFault.exe (PID: 728)
      • slui.exe (PID: 2512)
    • Reads the software policy settings

      • WerFault.exe (PID: 728)
      • slui.exe (PID: 2512)
    • Application based on Golang

      • fdxsdzer.tmp (PID: 5504)
      • regsvr32.exe (PID: 856)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (38.1)
.exe | Win32 Executable MS Visual C++ (generic) (28.6)
.exe | Win64 Executable (generic) (25.3)
.exe | Win32 Executable (generic) (4.1)
.exe | Generic Win/DOS Executable (1.8)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:10 18:28:29+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 55808
InitializedDataSize: 14797824
UninitializedDataSize: -
EntryPoint: 0x1e18
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.2.1.1
ProductVersionNumber: 3.1.1.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Zevodp
FileVersion: 6.0.0.0
InternalName: Zevodp.exe
LegalCopyright: (C) 2026
OriginalFileName: Zevodp.exe
ProductName: Zevodp
ProductVersion: 2.2.2.2
No data.
All screenshots are available in the full report
Total processes
173
Monitored processes
46
Malicious processes
12
Suspicious processes
0

Behavior graph

start combotoolbymrroot.exe fdxsdzer.exe fgedftgezr.exe no specs #SVCSTEALER bvcbcvdf.exe retyrefdx.exe fdxsdzer.tmp retyrefdx.tmp fdxsdzer.exe retyrefdx.exe fdxsdzer.tmp mega-crimson-brute.exe retyrefdx.tmp regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs werfault.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs openwith.exe no specs openwith.exe no specs #DIAMOTRIX explorer.exe rundll32.exe no specs openwith.exe no specs slui.exe regsvr32.exe no specs powershell.exe no specs conhost.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs powershell.exe no specs conhost.exe no specs regsvr32.exe no specs regsvr32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
420
CMD:
"C:\WINDOWS\System32\OpenWith.exe" "C:\Users\admin\Desktop\Chrome_Login Data"
Path:
C:\Windows\System32\OpenWith.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
728
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 3480 -s 1360
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
MEGA-CRIMSON-BRUTE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
856
CMD:
/s /i:googlechromebusiness.msi "C:\Users\admin\AppData\Local\8Blue_1.pfx"
Path:
C:\Windows\SysWOW64\regsvr32.exe
Parent process:
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
1160
CMD:
"C:\Users\admin\AppData\Roaming\fgedftgezr.exe"
Path:
C:\Users\admin\AppData\Roaming\fgedftgezr.exe
Parent process:
ComboToolByMrRoot.exe
User:
admin
Company:
NewsApp
Integrity Level:
MEDIUM
Description:
NewsApp
Exit code:
0
Version:
8.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\fgedftgezr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
1212
CMD:
"C:\Users\admin\AppData\Roaming\bvcbcvdf.exe"
Path:
C:\Users\admin\AppData\Roaming\bvcbcvdf.exe
Parent process:
ComboToolByMrRoot.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\bvcbcvdf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
1496
CMD:
"C:\WINDOWS\system32\regsvr32.EXE" /s /i:googlechromebusiness.msi "\\?\C:\Users\admin\AppData\Local\8Blue_1.pfx"
Path:
C:\Windows\System32\regsvr32.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
4
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
1644
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1800
CMD:
"C:\Users\admin\AppData\Roaming\retyrefdx.exe" /VERYSILENT
Path:
C:\Users\admin\AppData\Roaming\retyrefdx.exe
Parent process:
retyrefdx.tmp
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Windows SQM Consolidator Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\roaming\retyrefdx.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID:
1932
CMD:
"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:googlechromebusiness.msi \"\\?\C:\Users\admin\AppData\Local\9GreenYellow_5.pfx\"' }) { exit 0 } else { exit 1 }"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID:
2324
CMD:
"C:\Users\admin\AppData\Roaming\fdxsdzer.exe"
Path:
C:\Users\admin\AppData\Roaming\fdxsdzer.exe
Parent process:
ComboToolByMrRoot.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Windows SQM Consolidator Setup
Exit code:
1
Version:
Modules
Images
c:\users\admin\appdata\roaming\fdxsdzer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
Total events
70 691
Read events
70 582
Write events
100
Delete events
9

Modification events

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: IconLayouts
Value:
(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: IconNameVersion
Value: 1
(PID) Process: (4528) retyrefdx.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: Owner
Value: B0110000A4E330F7BAE2DB01
(PID) Process: (4528) retyrefdx.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: SessionHash
Value: 63E550F28470CD0CA79D912484C3B98C72B42F726B2433F8D4E8EAC05844EFE0
(PID) Process: (4528) retyrefdx.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: Sequence
Value: 1
(PID) Process: (4528) retyrefdx.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: delete value
Name: Sequence
Value:
(PID) Process: (4528) retyrefdx.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: delete value
Name: SessionHash
Value:
(PID) Process: (4528) retyrefdx.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: delete value
Name: Owner
Value:
(PID) Process: (4528) retyrefdx.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: delete key
Name: (default)
Value:
(PID) Process: (2792) ComboToolByMrRoot.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Executable files
17
Suspicious files
14
Text files
30
Unknown types
0

Dropped files

PID | Process | Filename | Type
1212 | bvcbcvdf.exe | C:\ProgramData\{65b178c1-239c-11ed-b4aa-806e6f6e6963}\FTP Clients\FileZilla\layout.xml | xml
MD5: 4526724CD149C14EF9D37D86F825B9F7
SHA256: 138167D8F03D48E88DA0AEC3DF38F723BC1895822F75660CCCB5E994814BEE90
1212 | bvcbcvdf.exe | C:\ProgramData\{65b178c1-239c-11ed-b4aa-806e6f6e6963}\FTP Clients\FileZilla\filezilla.xml | xml
MD5: 32F683306CE4FA78157113BB9EACB51D
SHA256: 16283B36975456118FBAC2A0CB0AB466C2D26E2B396DD938CDF129F2D3224570
2792 | ComboToolByMrRoot.exe | C:\Users\admin\AppData\Roaming\fgedftgezr.exe | executable
MD5: 36AB10ACD362C095216BA709CEFD0768
SHA256: 74B196BB5EF1E3AA1138A03B35233EF0C12E3EEF19A7E464B4A463DB5CB51596
2792 | ComboToolByMrRoot.exe | C:\Users\admin\AppData\Roaming\bvcbcvdf.exe | executable
MD5: B44E35F88F2129F70CD0747099A37188
SHA256: 4FB926AA136FDBC02DEBFBB971363E7F2B7229D4D1A1E2A2E52149BDD1345943
2792 | ComboToolByMrRoot.exe | C:\Users\admin\AppData\Roaming\fdxsdzer.exe | executable
MD5: 55D7D181E7D79EA27AE334D73B38EA7E
SHA256: 2ABC2CC414F605707E43BC2D238B09AC082EDEF579177E4A998E0CC3CDCA0357
2792 | ComboToolByMrRoot.exe | C:\Users\admin\AppData\Roaming\retyrefdx.exe | executable
MD5: 1E0AC29E2F8853FD799992BA03341B64
SHA256: BF88175E2A73E40D46D1344D37C3D5A83C40DF7E41FC722FE6E6B49942B01EE2
2792 | ComboToolByMrRoot.exe | C:\Users\admin\Desktop\MEGA-CRIMSON-BRUTE.exe | executable
MD5: 86796DBA74D4B6A495B8E7AAEF49BD76
SHA256: 9A619E4DAC3B1D74DCFB7906956B12233BA646A7E65D8CE2AC2F00F740C13DB2
5504 | fdxsdzer.tmp | C:\Users\admin\AppData\Local\Temp\is-NTJK3.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
1212 | bvcbcvdf.exe | C:\ProgramData\{65b178c1-239c-11ed-b4aa-806e6f6e6963}\FTP Clients\FileZilla\queue.sqlite3 | binary
MD5: 814062819B4AEF158A726D9D50142008
SHA256: CA62AC5062DA0659D8E6FCA164A102D2D9F9EF8C4D461FCE5459560B4C30270E
4040 | fdxsdzer.tmp | C:\Users\admin\AppData\Local\Temp\is-44QUB.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
Download PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests
39
TCP/UDP connections
55
DNS requests
18
Threats
12

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 184.25.50.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
| | GET | 200 | 184.25.50.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | POST | 200 | 20.190.160.22:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
| | POST | 200 | 40.126.31.130:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
| | POST | 200 | 40.126.31.130:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
| | POST | 200 | 20.190.159.64:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
| | POST | 200 | 20.190.159.130:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 4.231.128.59:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1268 | svchost.exe | 184.25.50.8:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
| | 184.25.50.8:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
| | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
| | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2524 | svchost.exe | 40.126.32.133:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.110
whitelisted
crl.microsoft.com
  • 184.25.50.8
  • 184.25.50.10
  • 2.18.121.139
  • 2.18.121.147
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
login.live.com
  • 40.126.32.133
  • 40.126.32.136
  • 20.190.160.22
  • 40.126.32.140
  • 40.126.32.76
  • 40.126.32.72
  • 40.126.32.138
  • 20.190.160.20
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.31
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
watson.events.data.microsoft.com
  • 13.89.179.12
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

PID | Process | Class | Message
1212 | bvcbcvdf.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 7
1212 | bvcbcvdf.exe | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
1212 | bvcbcvdf.exe | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
1212 | bvcbcvdf.exe | A Network Trojan was detected | ET MALWARE Diamotrix Clipper POST Request M2
1212 | bvcbcvdf.exe | Malware Command and Control Activity Detected | ET MALWARE SVCStealer CnC Checkin - Multiple Versions (POST)
4772 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix Clipper POST Request M1
1212 | bvcbcvdf.exe | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
1212 | bvcbcvdf.exe | A Network Trojan was detected | ET MALWARE SVCStealer 4.4 CnC Task Checkin (POST)
4772 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix Clipper POST Request M1
4772 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix POST Request M3
No debug info