File name: 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7

Full analysis: https://app.any.run/tasks/957e3156-4256-4417-bb10-c64ea853c6e6
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 04, 2025, 08:20:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
vmprotect
loader
exploit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: 5073DDD629BEDFA2FDD954275F34FD6D
SHA1: 62BE8533575D7783E22C99C7FDC0C55B4EB4C1E8
SHA256: 7D57A8A56B0E8056C8D7C030CF59807759365D28AA8144B5589C70D51168AAB7
SSDEEP: 98304:qHQR/ZldRzFOEwHN83CtfcCZLZYhG5jILFOxj7yABsI+mnqBr5WI/RpJiusTbbDh:pk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Runs injected code in another process

      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7936)
    • Application was injected by another process

      • explorer.exe (PID: 5492)
    • EXPLOIT has been detected (SURICATA)

      • eventcreate.exe (PID: 7492)
    • Starts CMD.EXE for self-deleting

      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7936)
  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7812)
      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7936)
      • eventcreate.exe (PID: 7492)
    • Executable content was dropped or overwritten

      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7812)
      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7936)
      • HOSTNAME.EXE (PID: 4008)
      • eventcreate.exe (PID: 7492)
    • Reads security settings of Internet Explorer

      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7812)
      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7936)
      • eventcreate.exe (PID: 7492)
    • Application launched itself

      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7812)
    • Creates files in the driver directory

      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7936)
    • The process checks if it is being run in the virtual environment

      • explorer.exe (PID: 5492)
      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7936)
      • HOSTNAME.EXE (PID: 4008)
    • The process creates files with name similar to system file names

      • HOSTNAME.EXE (PID: 4008)
    • Creates file in the system's drive root

      • eventcreate.exe (PID: 7492)
    • Process requests binary or script from the Internet

      • eventcreate.exe (PID: 7492)
    • Starts CMD.EXE for commands execution

      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7936)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1660)
  • INFO

    • The sample was compiled with Chinese language support

      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7812)
    • Creates files in the program directory

      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7812)
      • HOSTNAME.EXE (PID: 4008)
      • eventcreate.exe (PID: 7492)
    • Process checks computer location settings

      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7812)
      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7936)
    • Checks supported languages

      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7936)
      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7812)
      • eventcreate.exe (PID: 7492)
    • Reads the computer name

      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7936)
      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7812)
      • eventcreate.exe (PID: 7492)
    • Reads the machine GUID from the registry

      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7936)
      • eventcreate.exe (PID: 7492)
    • Checks proxy server information

      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7936)
      • eventcreate.exe (PID: 7492)
      • slui.exe (PID: 6108)
    • VMProtect protector has been detected

      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7936)
      • HOSTNAME.EXE (PID: 4008)
      • eventcreate.exe (PID: 7492)
    • Reads the software policy settings

      • 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe (PID: 7936)
      • slui.exe (PID: 6108)
    • Manual execution by a user

      • ctfmon.exe (PID: 7420)
      • regedt32.exe (PID: 7404)
      • eventcreate.exe (PID: 7492)
    • The sample was compiled with English language support

      • HOSTNAME.EXE (PID: 4008)
    • Failed to create an executable file in Windows directory

      • explorer.exe (PID: 5492)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:12 06:23:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 221696
InitializedDataSize: 356352
UninitializedDataSize: -
EntryPoint: 0xebd56
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 24.1.12.946
ProductVersionNumber: 24.1.12.946
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 24, 1, 12, 946
ProductVersion: 24, 1, 12, 946
No data.
All screenshots are available in the full report
Total processes: 138
Monitored processes: 14
Malicious processes: 4
Suspicious processes: 1

Behavior graph

start
7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe
7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe
poqexec.exe (no specs)
hostname.exe
conhost.exe (no specs)
ctfmon.exe (no specs)
regedt32.exe (no specs)
eventcreate.exe (#EXPLOIT)
conhost.exe (no specs)
slui.exe
cmd.exe (no specs)
conhost.exe (no specs)
timeout.exe (no specs)
explorer.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID: 1660 | CMD: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\admin\Desktop\7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe" | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2340 | CMD: "C:\WINDOWS\system32\poqexec.exe" | Path: C:\Windows\System32\poqexec.exe | Parent process: 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Primitive Operations Queue Executor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\poqexec.exe
c:\windows\system32\ntdll.dll
PID: 4008 | CMD: "C:\WINDOWS\system32\HOSTNAME.EXE" | Path: C:\Windows\System32\HOSTNAME.EXE | Parent process: 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Hostname APP
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\hostname.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\psapi.dll
PID: 5492 | CMD: C:\WINDOWS\Explorer.EXE | Path: C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 5640 | CMD: timeout /t 1 | Path: C:\Windows\SysWOW64\timeout.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6108 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7036 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7396 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: eventcreate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7404 | CMD: "C:\Windows\Fonts\regedt32.exe" | Path: C:\Windows\Fonts\regedt32.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor Utility
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\fonts\regedt32.exe
c:\windows\system32\ntdll.dll
PID: 7420 | CMD: "C:\Windows\Inf\ctfmon.exe" | Path: C:\Windows\INF\ctfmon.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CTF Loader
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\inf\ctfmon.exe
c:\windows\system32\ntdll.dll
Total events: 9 237
Read events: 9 222
Write events: 15
Delete events: 0

Modification events

(PID) Process: (5492) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write | Name: IconLayouts
Value:
00000000000000000000000000000000030001000100010011000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C000000110000000000000062006F0072006E006200720061006E0064002E0070006E0067003E00200020000000140000000000000063006F0061007300740070007500720070006F00730065002E0070006E0067003E00200020000000180000000000000064006500630065006D006200650072006300610072006F006C0069006E0061002E007200740066003E002000200000001500000000000000640065007400610069006C0073006D0069006E007500740065002E007200740066003E002000200000001300000000000000660072006F006D00630065006E007400720061006C002E007200740066003E0020002000000011000000000000006C00690067006800740073006100760065002E007200740066003E00200020000000190000000000000070006500720066006F0072006D0061006E00630065006100720074006900730074002E0070006E0067003E00200020000000100000000000000073007700690074006300680063006F002E0070006E0067003E00200020000000480000000000000037006400350037006100380061003500360062003000650038003000350036006300380064003700630030003300300063006600350039003800300037003700350039003300360035006400320038006100610038003100340034006200350035003800390063003700300064003500310031003600380061006100620037002E006500780065003E00200020000000010000000000000002000100000000000000
000001000000000000000200010000000000000000001100000006000000010000001100000000000000000000000000000000000000803F0000004008000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F00000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000000040000080401000
(PID) Process: (5492) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write | Name: IconNameVersion
Value:
1
(PID) Process: (5492) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write | Name: LastUpdate
Value:
CDB7C66700000000
(PID) Process: (7936) 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix
Value:
(PID) Process: (7936) 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix
Value:
Cookie:
(PID) Process: (7936) 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix
Value:
Visited:
(PID) Process: (7492) eventcreate.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix
Value:
(PID) Process: (7492) eventcreate.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix
Value:
Cookie:
(PID) Process: (7492) eventcreate.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix
Value:
Visited:
(PID) Process: (5492) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write | Name: IconLayouts
Value: same as the IconLayouts value written above
Executable files: 12
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7936 | 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | C:\Windows\SysWOW64\drivers\lDsD3GZkngX.sys | executable
MD5: B78512A09B506B7AF9EA08D64FF16E08
SHA256: 91BD0ECB80D5CE3FAFDA7BDA4A092F7BEEFFF012F07C458A0056CA6363E7E3B1
7812 | 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | C:\ProgramData\Mx3xifB3Vg7.sys | executable
MD5: B78512A09B506B7AF9EA08D64FF16E08
SHA256: 91BD0ECB80D5CE3FAFDA7BDA4A092F7BEEFFF012F07C458A0056CA6363E7E3B1
7936 | 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | C:\Windows\SysWOW64\drivers\hpe9u9BJd2l9.kvz | executable
MD5: B78512A09B506B7AF9EA08D64FF16E08
SHA256: 91BD0ECB80D5CE3FAFDA7BDA4A092F7BEEFFF012F07C458A0056CA6363E7E3B1
7492 | eventcreate.exe | C:\ProgramData\vcITIXnzGpUP.qcf | executable
MD5: DF15188E8972240D7741928D63FE5481
SHA256: 2797933BEA1BD39FC108ED4023B5CD0C3C46F2F7E13F0704D4A830511132A046
7812 | 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | C:\ProgramData\ksOoKnHOJf.wpv | executable
MD5: B78512A09B506B7AF9EA08D64FF16E08
SHA256: 91BD0ECB80D5CE3FAFDA7BDA4A092F7BEEFFF012F07C458A0056CA6363E7E3B1
7936 | 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | C:\Windows\SysWOW64\3aQQKDBx68UT.sys | executable
MD5: B78512A09B506B7AF9EA08D64FF16E08
SHA256: 91BD0ECB80D5CE3FAFDA7BDA4A092F7BEEFFF012F07C458A0056CA6363E7E3B1
7492 | eventcreate.exe | C:\ProgramData\sWPwzExtqJqf.sys | executable
MD5: DF15188E8972240D7741928D63FE5481
SHA256: 2797933BEA1BD39FC108ED4023B5CD0C3C46F2F7E13F0704D4A830511132A046
7936 | 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | C:\Windows\SysWOW64\VJvYMTNVNV.imj | executable
MD5: B78512A09B506B7AF9EA08D64FF16E08
SHA256: 91BD0ECB80D5CE3FAFDA7BDA4A092F7BEEFFF012F07C458A0056CA6363E7E3B1
7936 | 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | C:\Windows\RDlHT3qN0dyxo.sys | executable
MD5: B78512A09B506B7AF9EA08D64FF16E08
SHA256: 91BD0ECB80D5CE3FAFDA7BDA4A092F7BEEFFF012F07C458A0056CA6363E7E3B1
4008 | HOSTNAME.EXE | C:\Program Files\eventcreate.exe | executable
MD5: 091FFA3893661C5597CA719F28EE03EA
SHA256: 7CC501292377DC849A34214F017F62A7331F44F96BC6FE3E566253A9918BF811
HTTP(S) requests: 23
TCP/UDP connections: 33
DNS requests: 12
Threats: 16

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7936 | 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | GET | 404 | 123.6.37.241:80 | http://xcd.qgsq.space/pgm/mpr/c995ec7fd4f57c0d/31bd9b27a24e0be9.zip.md5.txt | - | unknown | - | malicious
7936 | 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | GET | 200 | 123.6.37.241:80 | http://xcd.yycsl.top/pgm/mpr/c995ec7fd4f57c0d/31bd9b27a24e0be9.zip | - | unknown | - | malicious
7492 | eventcreate.exe | GET | 200 | 123.6.37.241:80 | http://xcd.yycsl.top/cfg/cmc/ping.txt | - | unknown | - | malicious
7936 | 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | GET | 404 | 123.6.37.241:80 | http://xcd.qgsq.space/pgm/mpr/c995ec7fd4f57c0d/31bd9b27a24e0be9.zip | - | unknown | - | malicious
7492 | eventcreate.exe | GET | 200 | 123.6.37.241:80 | http://xcd.yycsl.top/cfg/cmc/ping.txt | - | unknown | - | malicious
- | - | GET | 200 | 103.235.46.102:80 | http://sp1.baidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?query=1.165.186.47&resource_id=6006&ie=utf8&oe=gbk&format=json | - | unknown | - | whitelisted
7492 | eventcreate.exe | GET | 200 | 123.6.37.241:80 | http://xcd.yycsl.top/cfg/cmc/userchange.txt | - | unknown | - | malicious
7492 | eventcreate.exe | GET | 200 | 43.129.139.164:80 | http://apps.game.qq.com/comm-htdocs/ip/get_ip.php | - | unknown | - | whitelisted
7492 | eventcreate.exe | GET | 200 | 123.6.37.241:80 | http://xcd.yycsl.top/cfg/user/c995ec7fd4f57c0d/31bd9b27a24e0be9.json | - | unknown | - | malicious
7492 | eventcreate.exe | GET | 200 | 123.6.37.241:80 | http://xcd.yycsl.top/cfg/pub/ms.json | - | unknown | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4784 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7936 | 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | 223.6.6.6:443 | dns.alidns.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | whitelisted
7936 | 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | 123.6.37.241:80 | - | CHINA UNICOM China169 Backbone | CN | malicious
7936 | 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | 233.123.112.211:33886 | - | - | - | unknown
7688 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7492 | eventcreate.exe | 123.6.37.241:80 | - | CHINA UNICOM China169 Backbone | CN | malicious
7492 | eventcreate.exe | 43.129.139.164:80 | apps.game.qq.com | Tencent Building, Kejizhongyi Avenue | SG | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.110
whitelisted
xcd.yycsl.top
unknown
dns.alidns.com
  • 223.6.6.6
  • 223.5.5.5
whitelisted
xcd.qgsq.space
unknown
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted
apps.game.qq.com
  • 43.129.139.164
  • 43.129.138.220
whitelisted
sp1.baidu.com
  • 103.235.46.102
  • 103.235.46.115
whitelisted
map.baidu.com
  • 180.76.11.169
whitelisted

Threats

PID | Process | Class | Message
7936 | 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
7936 | 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
7936 | 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
7936 | 7d57a8a56b0e8056c8d7c030cf59807759365d28aa8144b5589c70d51168aab7.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
7492 | eventcreate.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
7492 | eventcreate.exe | Potentially Bad Traffic | ET HUNTING Request to .TOP Domain with Minimal Headers
7492 | eventcreate.exe | Potentially Bad Traffic | ET HUNTING Request to .TOP Domain with Minimal Headers
7492 | eventcreate.exe | Potentially Bad Traffic | ET HUNTING Request to .TOP Domain with Minimal Headers
7492 | eventcreate.exe | Potentially Bad Traffic | ET HUNTING Request to .TOP Domain with Minimal Headers
7492 | eventcreate.exe | Potentially Bad Traffic | ET HUNTING Request to .TOP Domain with Minimal Headers
No debug info