File name:

b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb

Full analysis: https://app.any.run/tasks/6f915f7d-3c68-4d73-8a81-66c45acb0f38
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 25, 2025, 19:10:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
vmprotect
loader
exploit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

25374A6DFAB7A2E55A3D9D9BD2921DA3

SHA1:

EAF4DC49765F1725CDDE936367C95025713C4D2F

SHA256:

B3B6194A6B038BBBF44C96AA73E1B435DCD2245D5AA83E6399218B3032D5FFFB

SSDEEP:

24576:T9QlO3s2dToMx1gzzo98Ky/etGkpVVUrR2+aJBJU7uam+:T9QlT2dToMx1gzzo98Ky/etGkpPUrsdc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was injected by another process

      • explorer.exe (PID: 4772)
      • rdrleakdiag.exe (PID: 7064)
    • Runs injected code in another process

      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 5600)
      • sdiagnhost.exe (PID: 6528)
    • EXPLOIT has been detected (SURICATA)

      • rdrleakdiag.exe (PID: 7064)
    • Starts CMD.EXE for self-deleting

      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 5600)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 2708)
      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 5600)
      • sdiagnhost.exe (PID: 6528)
      • rdrleakdiag.exe (PID: 7064)
      • explorer.exe (PID: 4772)
    • Reads security settings of Internet Explorer

      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 2708)
      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 5600)
      • rdrleakdiag.exe (PID: 7064)
    • Drops a system driver (possible attempt to evade defenses)

      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 2708)
      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 5600)
      • rdrleakdiag.exe (PID: 7064)
    • Application launched itself

      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 2708)
    • Creates files in the driver directory

      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 5600)
      • rdrleakdiag.exe (PID: 7064)
    • Creates file in the systems drive root

      • explorer.exe (PID: 4772)
      • rdrleakdiag.exe (PID: 7064)
    • The process creates files with name similar to system file names

      • explorer.exe (PID: 4772)
    • Process drops legitimate windows executable

      • explorer.exe (PID: 4772)
    • The process checks if it is being run in the virtual environment

      • sdiagnhost.exe (PID: 6528)
      • explorer.exe (PID: 4772)
      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 5600)
    • Process requests binary or script from the Internet

      • rdrleakdiag.exe (PID: 7064)
    • Creates or modifies Windows services

      • rdrleakdiag.exe (PID: 7064)
    • Starts CMD.EXE for commands execution

      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 5600)
    • Connects to the server without a host name

      • rdrleakdiag.exe (PID: 7064)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1760)
  • INFO

    • Checks supported languages

      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 2708)
      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 5600)
      • rdrleakdiag.exe (PID: 7064)
    • The sample compiled with chinese language support

      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 2708)
    • Creates files in the program directory

      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 2708)
      • explorer.exe (PID: 4772)
      • rdrleakdiag.exe (PID: 7064)
    • Reads the computer name

      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 2708)
      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 5600)
      • rdrleakdiag.exe (PID: 7064)
    • Process checks computer location settings

      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 2708)
      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 5600)
    • Checks proxy server information

      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 5600)
      • rdrleakdiag.exe (PID: 7064)
      • slui.exe (PID: 5172)
    • VMProtect protector has been detected

      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 5600)
      • sdiagnhost.exe (PID: 6528)
      • rdrleakdiag.exe (PID: 7064)
    • Reads the machine GUID from the registry

      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 5600)
      • rdrleakdiag.exe (PID: 7064)
    • Reads the software policy settings

      • b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe (PID: 5600)
      • rdrleakdiag.exe (PID: 7064)
      • slui.exe (PID: 5172)
    • The sample compiled with english language support

      • explorer.exe (PID: 4772)
      • sdiagnhost.exe (PID: 6528)
    • Failed to create an executable file in Windows directory

      • explorer.exe (PID: 4772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:01 17:05:40+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 229376
InitializedDataSize: 358400
UninitializedDataSize: -
EntryPoint: 0xf78bf
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 24.1.12.946
ProductVersionNumber: 24.1.12.946
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 24, 1, 12, 946
ProductVersion: 24, 1, 12, 946
No data.
All screenshots are available in the full report
Total processes
141
Monitored processes
9
Malicious processes
5
Suspicious processes
0

Behavior graph

Processes shown in the graph (interactive view omitted): b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe, b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe, slui.exe, sdiagnhost.exe, rdrleakdiag.exe, cmd.exe, conhost.exe, timeout.exe, explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1632
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1760
CMD:
"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\admin\Desktop\b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe"
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1944
CMD:
timeout /t 1
Path:
C:\Windows\SysWOW64\timeout.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
2708
CMD:
"C:\Users\admin\Desktop\b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe"
Path:
C:\Users\admin\Desktop\b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
24, 1, 12, 946
Modules
Images
c:\users\admin\desktop\b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
4772
CMD:
C:\WINDOWS\Explorer.EXE
Path:
C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID:
5172
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
5600
CMD:
"C:\Users\admin\Desktop\b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe"
Path:
C:\Users\admin\Desktop\b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
Parent process:
b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
24, 1, 12, 946
Modules
Images
c:\users\admin\desktop\b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
6528
CMD:
"C:\WINDOWS\system32\sdiagnhost.exe"
Path:
C:\Windows\System32\sdiagnhost.exe
Parent process:
b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Scripted Diagnostics Native Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sdiagnhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
7064
CMD:
"C:\Windows\Logs\rdrleakdiag.exe"
Path:
C:\Windows\Logs\rdrleakdiag.exe
Parent process:
winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Resource Leak Diagnostic
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\logs\rdrleakdiag.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
Total events
13 076
Read events
13 063
Write events
13
Delete events
0

Modification events

(PID) Process:
(4772) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:
write
Name:
IconLayouts
Value:
(value omitted)
(PID) Process:
(4772) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:
write
Name:
IconNameVersion
Value:
1
(PID) Process:
(4772) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:
write
Name:
LastUpdate
Value:
CA495C6800000000
(PID) Process:
(5600) b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:
write
Name:
CachePrefix
Value:

(PID) Process:
(5600) b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:
write
Name:
CachePrefix
Value:
Cookie:
(PID) Process:
(5600) b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:
write
Name:
CachePrefix
Value:
Visited:
(PID) Process:
(7064) rdrleakdiag.exe
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\udpCtrl
Operation:
write
Name:
nevaee
Value:
kfmiebjazex
(PID) Process:
(4772) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:
write
Name:
IconLayouts
Value:
(value omitted)
Executable files
15
Suspicious files
1
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
PID:
5600
Process:
b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
Filename:
C:\Windows\SysWOW64\aZRbFc7AlSa.sys
Type:
executable
MD5: B78512A09B506B7AF9EA08D64FF16E08
SHA256: 91BD0ECB80D5CE3FAFDA7BDA4A092F7BEEFFF012F07C458A0056CA6363E7E3B1
PID:
2708
Process:
b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
Filename:
C:\ProgramData\DmxuJ8ACZiIA7h.sys
Type:
executable
MD5: B78512A09B506B7AF9EA08D64FF16E08
SHA256: 91BD0ECB80D5CE3FAFDA7BDA4A092F7BEEFFF012F07C458A0056CA6363E7E3B1
PID:
5600
Process:
b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
Filename:
C:\Windows\SysWOW64\drivers\OTHZtsqONPu.sys
Type:
executable
MD5: B78512A09B506B7AF9EA08D64FF16E08
SHA256: 91BD0ECB80D5CE3FAFDA7BDA4A092F7BEEFFF012F07C458A0056CA6363E7E3B1
PID:
7064
Process:
rdrleakdiag.exe
Filename:
C:\Windows\System32\drivers\V5vils9xIGu.sys
Type:
executable
MD5: DF15188E8972240D7741928D63FE5481
SHA256: 2797933BEA1BD39FC108ED4023B5CD0C3C46F2F7E13F0704D4A830511132A046
PID:
7064
Process:
rdrleakdiag.exe
Filename:
C:\fyqVDlM.sys
Type:
executable
MD5: 899112F33D6B2E8A7927F5E1CF8539CC
SHA256: 9AF7523FEAA52ACF242C271CFCE1C51029FEFE30C191C5DBD0DE38EDB19CB98B
PID:
7064
Process:
rdrleakdiag.exe
Filename:
C:\Windows\System32\drivers\kFEimaOTuyw.sys
Type:
executable
MD5: 49F697723E8FB28B3FD8407B2D163968
SHA256: 366CBCFCFE9E662F3A1C1F3439264EB5AFE15263D5F875C39FB2D9AAD5F7C52A
PID:
7064
Process:
rdrleakdiag.exe
Filename:
C:\Windows\5EsIXXgRE.sys
Type:
executable
MD5: 899112F33D6B2E8A7927F5E1CF8539CC
SHA256: 9AF7523FEAA52ACF242C271CFCE1C51029FEFE30C191C5DBD0DE38EDB19CB98B
PID:
7064
Process:
rdrleakdiag.exe
Filename:
C:\Windows\INF\display.PNF
Type:
binary
MD5: 62887E3F2C67C748F05C629DB62182A4
SHA256: 1B686CFC6E98A6034A28BA9BE22C190723467365477E75A18A78104A26554CE9
PID:
7064
Process:
rdrleakdiag.exe
Filename:
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\4969C2.cat
Type:
cat
MD5: B1402AEE4DA2C2C4BD75A13355EDB8FD
SHA256: C0CF2449A246485D6150EE47CF35601A666DAA14C1D2FC01B1BC29AB5FDA6E2C
PID:
2708
Process:
b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
Filename:
C:\ProgramData\XZTBmBjwk1ej.von
Type:
executable
MD5: B78512A09B506B7AF9EA08D64FF16E08
SHA256: 91BD0ECB80D5CE3FAFDA7BDA4A092F7BEEFFF012F07C458A0056CA6363E7E3B1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
75
TCP/UDP connections
69
DNS requests
27
Threats
32

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7132
RUXIMICS.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7132
RUXIMICS.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
223.5.5.5:443
https://dns.alidns.com/resolve?name=xcd.yycsl.top&type=1
unknown
binary
479 b
whitelisted
POST
200
20.190.159.64:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
400
40.126.32.133:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
200
40.126.32.133:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7132
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
7132
RUXIMICS.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
1268
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
xcd.yycsl.top
malicious
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
  • 23.48.23.153
  • 23.48.23.167
  • 23.48.23.156
  • 23.48.23.157
  • 23.48.23.150
  • 23.48.23.158
  • 23.48.23.148
  • 23.48.23.159
  • 23.48.23.162
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 23.35.229.160
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
dns.alidns.com
  • 223.5.5.5
  • 223.6.6.6
whitelisted
login.live.com
  • 20.190.159.2
  • 20.190.159.0
  • 40.126.31.128
  • 40.126.31.0
  • 20.190.159.130
  • 40.126.31.129
  • 40.126.31.130
  • 20.190.159.64
whitelisted
xcd.seaya.site
unknown
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted

Threats

PID
Process
Class
Message
5600
b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
5600
b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
5600
b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
5600
b3b6194a6b038bbbf44c96aa73e1b435dcd2245d5aa83e6399218b3032d5fffb.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
7064
rdrleakdiag.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
7064
rdrleakdiag.exe
Potentially Bad Traffic
ET HUNTING Request to .TOP Domain with Minimal Headers
7064
rdrleakdiag.exe
Potentially Bad Traffic
ET HUNTING Request to .TOP Domain with Minimal Headers
7064
rdrleakdiag.exe
Potentially Bad Traffic
ET HUNTING Request to .TOP Domain with Minimal Headers
7064
rdrleakdiag.exe
Potentially Bad Traffic
ET HUNTING Request to .TOP Domain with Minimal Headers
No debug info