File name: 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N

Full analysis: https://app.any.run/tasks/3d607bf9-3560-41c3-b217-2d6d1feeffca
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 03, 2024, 18:21:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 01C2DC073C679BBAE0FB900773333480
SHA1: 6044AC14F1151740A7B620093E292C2CE13CDE7C
SHA256: 9690483CFD27682B9178581DDC8599A5CA56374B76C1773E254FCE9CAAEAF0B6
SSDEEP: 1536:U6tQIrgv4qZhU7c5WnbQEbkGsgYvOjl7CRt2kB/DWHxp:U6CZ4qm/k8xs0kB/DWHx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Uses TASKKILL.EXE to kill process

      • 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe (PID: 4072)
    • Reads security settings of Internet Explorer

      • 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe (PID: 4072)
      • MIQWBUZ.exe (PID: 1804)
    • Checks Windows Trust Settings

      • 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe (PID: 4072)
      • MIQWBUZ.exe (PID: 1804)
    • Executable content was dropped or overwritten

      • 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe (PID: 4072)
  • INFO

    • Creates files or folders in the user directory

      • 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe (PID: 4072)
      • MIQWBUZ.exe (PID: 1804)
    • Reads the machine GUID from the registry

      • 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe (PID: 4072)
      • MIQWBUZ.exe (PID: 1804)
    • Checks proxy server information

      • 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe (PID: 4072)
      • MIQWBUZ.exe (PID: 1804)
    • Reads the computer name

      • 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe (PID: 4072)
      • MIQWBUZ.exe (PID: 1804)
    • Checks supported languages

      • 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe (PID: 4072)
      • MIQWBUZ.exe (PID: 1804)
    • Reads the software policy settings

      • 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe (PID: 4072)
      • MIQWBUZ.exe (PID: 1804)
    • Create files in a temporary directory

      • 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe (PID: 4072)
      • MIQWBUZ.exe (PID: 1804)
    • The process uses the downloaded file

      • 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe (PID: 4072)
    • Process checks computer location settings

      • 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe (PID: 4072)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:10:30 17:36:24+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 65536
InitializedDataSize: 118784
UninitializedDataSize: -
EntryPoint: 0x8230
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 127
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 1

Behavior graph

start
  • 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6n.exe (PID 4072)
    • taskkill.exe (PID 5828, no specs)
      • conhost.exe (PID 5284, no specs)
    • miqwbuz.exe (PID 1804)

Process information

PID: 1804
CMD: "C:\Users\admin\AppData\Local\Temp\SHellxonTT\MIQWBUZ.exe"
Path: C:\Users\admin\AppData\Local\Temp\SHellxonTT\MIQWBUZ.exe
Parent process: 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
  • c:\users\admin\appdata\local\temp\shellxontt\miqwbuz.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll

PID: 4072
CMD: "C:\Users\admin\Desktop\9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe"
Path: C:\Users\admin\Desktop\9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
  • c:\users\admin\desktop\9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6n.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\user32.dll

PID: 5284
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 5828
CMD: taskkill /f /im
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\syswow64\taskkill.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll
Total events: 7 065
Read events: 7 059
Write events: 6
Delete events: 0

Modification events

(PID) Process: (4072) 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (4072) 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (4072) 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1804) MIQWBUZ.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (1804) MIQWBUZ.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1804) MIQWBUZ.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 2
Suspicious files: 2
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4072 | 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe | C:\Users\admin\AppData\Local\Temp\SHellxonTT\MIQWBUZ.exe | executable
  MD5: DB2C8910831DEF6622003793E624D89B
  SHA256: A46485F32C904F0377B7D8AC95017A9788E4AEA73C5BA5A172A4B78744851C22
1804 | MIQWBUZ.exe | C:\Users\admin\AppData\Local\Temp\SHellxonTT\dd.zip | compressed
  MD5: 63C7E50D9E7ACED8675C2075A1BA42C8
  SHA256: 11F06DF8DDEF7FAAF42AED0EC94ED660118B556DBE33DF6C4610C5727BA310E4
4072 | 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe | C:\Users\admin\Desktop\creation | text
  MD5: 19749B1E7BBA5CBA22F224EE553F19DF
  SHA256: D6B6B715DFEF5C090D23550E3FF83366C283AF7C652A25E9F6CD29415BC21FF7
1804 | MIQWBUZ.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\DDML[1].zip | compressed
  MD5: 63C7E50D9E7ACED8675C2075A1BA42C8
  SHA256: 11F06DF8DDEF7FAAF42AED0EC94ED660118B556DBE33DF6C4610C5727BA310E4
4072 | 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\pxpu[1].exe | executable
  MD5: DB2C8910831DEF6622003793E624D89B
  SHA256: A46485F32C904F0377B7D8AC95017A9788E4AEA73C5BA5A172A4B78744851C22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 25
DNS requests: 8
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6944 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3524 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 59.47.225.55:443 | https://vip.123pan.cn/1831488479/YP/dll/DDML.zip | unknown | compressed | 60.6 Kb | -
- | - | GET | 200 | 59.47.225.48:443 | https://vip.123pan.cn/1831488479/YP/pxpu.exe | unknown | executable | 156 Kb | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6944 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3524 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 92.123.104.24:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4072 | 9690483cfd27682b9178581ddc8599a5ca56374b76c1773e254fce9caaeaf0b6N.exe | 59.47.225.54:443 | vip.123pan.cn | CHINATELECOM Liaoning Benxi MAN | CN | unknown
6944 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain (Reputation): resolved IPs

settings-win.data.microsoft.com (whitelisted)
  • 51.104.136.2
www.bing.com (whitelisted)
  • 92.123.104.24
  • 92.123.104.28
  • 92.123.104.30
  • 92.123.104.19
  • 92.123.104.18
  • 92.123.104.27
  • 92.123.104.31
  • 92.123.104.21
  • 92.123.104.29
google.com (whitelisted)
  • 142.250.186.110
vip.123pan.cn (unknown)
  • 59.47.225.54
  • 59.47.225.41
  • 59.47.225.48
  • 59.47.225.50
  • 59.47.225.56
  • 59.47.225.52
  • 59.47.225.42
  • 59.47.225.53
  • 59.47.225.57
  • 59.47.237.142
  • 59.47.225.55
crl.microsoft.com (whitelisted)
  • 23.216.77.6
  • 23.216.77.28
www.microsoft.com (whitelisted)
  • 23.35.229.160
self.events.data.microsoft.com (whitelisted)
  • 20.189.173.5

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Packed Executable Download
- | - | Misc activity | ET INFO EXE - Served Attached HTTP
- | - | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
No debug info