File name:

xd_protected.exe

Full analysis: https://app.any.run/tasks/b1ecb932-2b08-467b-808e-d4140ff03591
Verdict: Malicious activity
Analysis date: May 16, 2025, 16:26:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
themida
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

E2C6B0690BA51DCA5B9F204C501A0872

SHA1:

13074B95CFF9012D565F2D8DDDE7024E4D24733B

SHA256:

970898A4351860D43DA0AABF21E853DC5F27A0DE305A17FB4E6755ED9EF65A0A

SSDEEP:

98304:skIp1fh0tyEpso6vJgiBBUOX1f5i51hnHoIjHXuPHYRgrsTUtQzOwtRV5sIVdVIi:muc8Ke2kQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • xd_protected.exe (PID: 2316)
      • xd_protected.exe (PID: 7432)

    • Changes Windows Defender settings

      • cmd.exe (PID: 4988)
      • cmd.exe (PID: 2140)
      • cmd.exe (PID: 4180)
      • cmd.exe (PID: 7516)
      • cmd.exe (PID: 7280)
      • cmd.exe (PID: 8004)
      • cmd.exe (PID: 7728)
      • cmd.exe (PID: 2268)
      • cmd.exe (PID: 7272)
      • cmd.exe (PID: 856)
      • cmd.exe (PID: 5392)
      • cmd.exe (PID: 1244)

    • Changes settings for real-time protection

      • powershell.exe (PID: 6272)
      • powershell.exe (PID: 7776)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 4268)
      • powershell.exe (PID: 7240)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 7332)
      • powershell.exe (PID: 2984)

    • Adds path to the Windows Defender exclusion list

      • xd_protected.exe (PID: 2316)
      • cmd.exe (PID: 7516)
      • cmd.exe (PID: 5392)
      • xd_protected.exe (PID: 7432)

  • SUSPICIOUS

    • Reads the BIOS version

      • xd_protected.exe (PID: 2316)
      • xd_protected.exe (PID: 7432)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 4988)
      • cmd.exe (PID: 7728)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4988)
      • cmd.exe (PID: 2140)
      • cmd.exe (PID: 4180)
      • cmd.exe (PID: 1244)
      • cmd.exe (PID: 7280)
      • cmd.exe (PID: 7516)
      • cmd.exe (PID: 7728)
      • cmd.exe (PID: 8004)
      • cmd.exe (PID: 856)
      • cmd.exe (PID: 7272)
      • cmd.exe (PID: 2268)
      • cmd.exe (PID: 5392)

    • Script disables Windows Defender's behavior monitoring

      • cmd.exe (PID: 2140)
      • cmd.exe (PID: 8004)

    • Reads security settings of Internet Explorer

      • xd_protected.exe (PID: 2316)
      • xd_protected.exe (PID: 7432)

    • Starts CMD.EXE for commands execution

      • xd_protected.exe (PID: 2316)
      • xd_protected.exe (PID: 7432)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 7516)
      • cmd.exe (PID: 5392)

    • Connects to unusual port

      • xd_protected.exe (PID: 2316)

  • INFO

    • Auto-launch of the file from Registry key

      • xd_protected.exe (PID: 2316)
      • xd_protected.exe (PID: 7432)

    • Reads the computer name

      • xd_protected.exe (PID: 2316)
      • xd_protected.exe (PID: 7432)

    • Process checks computer location settings

      • xd_protected.exe (PID: 2316)
      • xd_protected.exe (PID: 7432)

    • Checks supported languages

      • xd_protected.exe (PID: 2316)
      • xd_protected.exe (PID: 7432)

    • Manual execution by a user

      • xd_protected.exe (PID: 7432)

    • Themida protector has been detected

      • xd_protected.exe (PID: 2316)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6872)
      • powershell.exe (PID: 7332)
      • powershell.exe (PID: 6048)
      • powershell.exe (PID: 4268)
      • powershell.exe (PID: 6272)
      • powershell.exe (PID: 7564)
      • powershell.exe (PID: 7776)
      • powershell.exe (PID: 8080)
      • powershell.exe (PID: 1096)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6272)
      • powershell.exe (PID: 6872)
      • powershell.exe (PID: 7564)
      • powershell.exe (PID: 7776)
      • powershell.exe (PID: 8080)
      • powershell.exe (PID: 7332)
      • powershell.exe (PID: 4268)
      • powershell.exe (PID: 6048)
      • powershell.exe (PID: 1096)

    • Reads the machine GUID from the registry

      • xd_protected.exe (PID: 2316)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:16 16:04:54+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 841216
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x682058
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 0.0.0.0
InternalName: xd.exe
LegalCopyright:
OriginalFileName: xd.exe
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
175
Monitored processes
40
Malicious processes
12
Suspicious processes
8

Behavior graph

Click at the process to see the details
start xd_protected.exe cmd.exe conhost.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs powershell.exe no specs xd_protected.exe cmd.exe conhost.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs powershell.exe no specs slui.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
856"C:\WINDOWS\SysWOW64\cmd.exe" /C powershell -Command "Set-MpPreference -DisableIOAVProtection $true"C:\Windows\SysWOW64\cmd.exe
xd_protected.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
1096powershell -Command "Set-MpPreference -DisableBlockAtFirstSeen $true"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
1244"C:\WINDOWS\SysWOW64\cmd.exe" /C powershell -Command "Set-MpPreference -DisableIOAVProtection $true"C:\Windows\SysWOW64\cmd.exe
xd_protected.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2140"C:\WINDOWS\SysWOW64\cmd.exe" /C powershell -Command "Set-MpPreference -DisableBehaviorMonitoring $true"C:\Windows\SysWOW64\cmd.exe
xd_protected.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2268"C:\WINDOWS\SysWOW64\cmd.exe" /C powershell -Command "Set-MpPreference -DisableBlockAtFirstSeen $true"C:\Windows\SysWOW64\cmd.exe
xd_protected.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
2316"C:\Users\admin\Desktop\xd_protected.exe" C:\Users\admin\Desktop\xd_protected.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
0.0.0.0
Modules
Images
c:\users\admin\desktop\xd_protected.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\mscoree.dll
2420\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2984powershell -Command "Set-MpPreference -DisableScriptScanning $true"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
4180"C:\WINDOWS\SysWOW64\cmd.exe" /C powershell -Command "Set-MpPreference -DisableBlockAtFirstSeen $true"C:\Windows\SysWOW64\cmd.exe
xd_protected.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
67 255
Read events
67 253
Write events
2
Delete events
0

Modification events

(PID) Process:(2316) xd_protected.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:xd_protected
Value:
C:\Users\admin\Desktop\xd_protected.exe
(PID) Process:(7432) xd_protected.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:xd_protected
Value:
C:\Users\admin\Desktop\xd_protected.exe
Executable files
0
Suspicious files
1
Text files
48
Unknown types
0

Dropped files

PID
Process
Filename
Type
6272powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1jftphlw.x01.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6272powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qoa2t5js.vw1.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6272powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ydkfh5qn.bq2.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7332powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wn1z15uf.y1o.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6872powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_buinyalf.htf.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6048powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mqfhxheg.hej.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6872powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qbkknpf3.j4t.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7332powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3ohbtpu4.jv5.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6872powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qrz5bldm.lrj.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6272powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ift0b11q.uba.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
54
DNS requests
20
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7864
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7864
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7864
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7864
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7864
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7864
SIHClient.exe
GET
200
23.48.23.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7864
SIHClient.exe
GET
200
23.48.23.177:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
2104
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2316
xd_protected.exe
3.127.181.115:15610
5.tcp.eu.ngrok.io
AMAZON-02
DE
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
  • 23.48.23.177
  • 23.48.23.166
  • 23.48.23.194
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.52.120.96
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.2
  • 40.126.31.67
  • 40.126.31.131
  • 20.190.159.75
  • 40.126.31.1
  • 40.126.31.129
  • 40.126.31.3
  • 20.190.159.64
whitelisted
5.tcp.eu.ngrok.io
  • 3.127.181.115
  • 18.158.58.205
malicious
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO DNS Query to a *.ngrok domain (ngrok.io)
2196
svchost.exe
Misc activity
ET INFO DNS Query to a *.ngrok domain (ngrok.io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
xd_protected.exe