File name: c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe

Full analysis: https://app.any.run/tasks/1f3965a4-07d9-4d96-852a-2fccdc5fe737
Verdict: Malicious activity
Threats: loader

A loader is malicious software that infiltrates a device in order to deliver further malicious payloads. It profiles the victim's system and then installs other threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable. Loaders employ evasion and persistence tactics to avoid detection.

Analysis date: August 01, 2025, 06:11:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 478252B69EB277456C75B7C096CC6C2D
SHA1: 1627F2E253BA3C7A60980DD80413E73C323156F4
SHA256: C6FF18A10CCAD11583F63995C7C7A2A908F38C5FA97921C0FACF5CF60BAE0165
SSDEEP: 98304:97C6ybrco7dyxSnkES5ZrskmW+SeS15xHt/ED4W5u54RV9Wspo2ymRhZNBRCV/1L:KI9aLXEknWqecJSl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process requests binary or script from the Internet

      • c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe (PID: 5240)
    • Reads security settings of Internet Explorer

      • c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe (PID: 5240)
    • Executable content was dropped or overwritten

      • c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe (PID: 5240)
    • Connects to unusual port

      • c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe (PID: 5240)
    • Uses NSLOOKUP.EXE to check DNS info

      • c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe (PID: 5240)
    • There is functionality for taking screenshot (YARA)

      • c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe (PID: 5240)
  • INFO

    • Reads the computer name

      • c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe (PID: 5240)
    • The sample was compiled with Chinese language support

      • c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe (PID: 5240)
    • Reads the machine GUID from the registry

      • c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe (PID: 5240)
    • Checks supported languages

      • c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe (PID: 5240)
    • Creates files in a temporary directory

      • c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe (PID: 5240)
    • Checks proxy server information

      • c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe (PID: 5240)
      • slui.exe (PID: 3872)
    • Reads the software policy settings

      • c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe (PID: 5240)
      • slui.exe (PID: 3872)
    • UPX packer has been detected

      • c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe (PID: 5240)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD (match confidence, %)

.exe | Win32 Executable MS Visual C++ (generic) (24.4)
.exe | Win64 Executable (generic) (21.6)
.exe | UPX compressed Win32 Executable (21.2)
.exe | Win32 EXE Yoda's Crypter (20.8)
.dll | Win32 Dynamic Link Library (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:07:04 15:44:57+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 2473984
InitializedDataSize: 7503872
UninitializedDataSize: -
EntryPoint: 0x22e50f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 39.1.6.25
ProductVersionNumber: 39.1.6.25
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 39.1.6.25
FileDescription: 凯迪软件视频批量剪辑 (Kaidi Software Video Batch Editing)
ProductName: 凯迪软件视频批量剪辑 (Kaidi Software Video Batch Editing)
ProductVersion: 39.1.6.25
CompanyName: 凯迪软件 (Kaidi Software)
LegalCopyright: 凯迪软件 (Kaidi Software)
Comments: 凯迪软件视频批量剪辑 (Kaidi Software Video Batch Editing)
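The report tags the sample as UPX (tag, TRiD match and the "UPX packer has been detected" signature) and gives the entry point (0x22e50f) and section count (4), but it does not show the section table. The following stdlib-only Python is an added example, not code from the report or from the sample's authors: it parses a PE32 section table, finds the section the entry point lands in, and applies the usual packer heuristics. Both headers it parses are constructed here (a UPX-style layout and an ordinary MSVC layout); the 0x23F5A0 entry RVA, section sizes and flags are made-up values, not the sample's.

```python
"""Static PE32 header triage: which section holds AddressOfEntryPoint, and does the
section layout look packed (UPX names, a large zero-on-disk section, entry point in a
writable+executable section that is not the first)?  Standard library only.
The two headers parsed below are constructed for this example."""
import struct

PE32_MAGIC = 0x10B
SECTION_HEADER_SIZE = 40
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def _headers(pe: bytes) -> tuple[int, int, int]:
    """Return (optional header offset, number of sections, section table offset)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (magic 0x10B) images are handled here")
    return opt, num_sections, opt + size_of_optional


def entry_point(pe: bytes) -> int:
    """AddressOfEntryPoint (an RVA) sits at offset 16 of the optional header."""
    opt, _, _ = _headers(pe)
    return struct.unpack_from("<I", pe, opt + 16)[0]


def parse_sections(pe: bytes) -> list[dict]:
    _, count, table = _headers(pe)
    sections = []
    for i in range(count):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]   # Characteristics
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return sections


def section_for_rva(sections: list[dict], rva: int):
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def packer_indicators(pe: bytes) -> list[str]:
    """Heuristics only: each string is one reason to suspect a runtime packer."""
    sections = parse_sections(pe)
    ep = entry_point(pe)
    findings = []
    upx_names = [s["name"] for s in sections if s["name"].startswith("UPX")]
    if upx_names:
        findings.append("UPX section names present: " + ", ".join(upx_names))
    for s in sections:
        if s["rawsize"] == 0 and s["vsize"] >= 0x10000:
            findings.append(f"{s['name']}: 0 bytes on disk but 0x{s['vsize']:x} bytes in memory (unpack destination)")
    home = section_for_rva(sections, ep)
    if home is None:
        findings.append(f"entry point 0x{ep:x} lies outside every section")
        return findings
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    if home["chars"] & rwx == rwx:
        findings.append(f"entry point 0x{ep:x} is in writable+executable section {home['name']}")
    if home is not sections[0]:
        findings.append(f"entry point is in {home['name']}, not the first section ({sections[0]['name']})")
    return findings


def build_pe32_header(entry_rva: int, sections: list[tuple]) -> bytes:
    """Assemble only the headers of a PE32 image (constructed for this example; the
    triage above reads headers, so section bodies are omitted)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    optional_size = 0xE0
    # Machine=i386, NumberOfSections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, optional_size, 0x0102)
    opt = bytearray(optional_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, SectionAlignment, FileAlignment
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rawsize, rawptr, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed UPX-style layout: UPX0 is the empty-on-disk unpack target, UPX1 holds the
# packed blob plus the stub the entry point jumps into, .rsrc keeps the version info.
PACKED_PE = build_pe32_header(0x23F5A0, [
    (b"UPX0", 0x200000, 0x001000, 0x000000, 0x00400, 0xE0000080),
    (b"UPX1", 0x040000, 0x201000, 0x03F000, 0x00400, 0xE0000040),
    (b".rsrc", 0x002000, 0x241000, 0x001800, 0x3F400, 0xC0000040),
])
# Constructed ordinary MSVC layout: entry point inside a read+execute .text that comes first.
CLEAN_PE = build_pe32_header(0x1200, [
    (b".text", 0x3000, 0x1000, 0x3000, 0x0400, 0x60000020),
    (b".rdata", 0x1000, 0x4000, 0x1000, 0x3400, 0x40000040),
    (b".data", 0x1000, 0x5000, 0x0200, 0x4400, 0xC0000040),
])

if __name__ == "__main__":
    for label, pe in (("packed", PACKED_PE), ("clean", CLEAN_PE)):
        print(label, f"entry=0x{entry_point(pe):x}", packer_indicators(pe) or "no packer indicators")
```

Run against a real file, `packer_indicators(open(path, "rb").read())` gives the same reasons; the heuristics are deliberately conservative (names, a large virtual-only section, and an RWX or non-first entry section) so that a plain MSVC build such as the constructed CLEAN_PE yields nothing.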
All screenshots are available in the full report
Total processes: 148
Monitored processes: 13
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes in the interactive graph (click a process in the full report for details): c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe as the start node; five nslookup.exe launches, each with its own conhost.exe, none with signature hits ("no specs"); slui.exe; and a second instance of c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe with no signature hits.

Process information

PID: 640
CMD: "C:\Users\admin\Desktop\c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe"
Path: C:\Users\admin\Desktop\c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe
Parent process: explorer.exe
User:
admin
Company:
凯迪软件 (Kaidi Software)
Integrity Level:
MEDIUM
Description:
凯迪软件视频批量剪辑 (Kaidi Software Video Batch Editing)
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity instance stopped here, and the sample ran again as PID 5240 at HIGH integrity)
Version:
39.1.6.25
Modules
Images
c:\users\admin\desktop\c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 1636
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: nslookup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2116
CMD: nslookup -qt=TXT url.kefuwx.kaidi.cc 114.114.114.114
Path: C:\Windows\SysWOW64\nslookup.exe
Parent process: c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
nslookup
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2528
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: nslookup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3100
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: nslookup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3840
CMD: nslookup -qt=TXT url.pay.kaidi.cc 114.114.114.114
Path: C:\Windows\SysWOW64\nslookup.exe
Parent process: c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
nslookup
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3872
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4552
CMD: nslookup -qt=TXT api.getip.kaidi.cc 114.114.114.114
Path: C:\Windows\SysWOW64\nslookup.exe
Parent process: c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
nslookup
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5012
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: nslookup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5240
CMD: "C:\Users\admin\Desktop\c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe"
Path: C:\Users\admin\Desktop\c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe
Parent process: explorer.exe
User:
admin
Company:
凯迪软件 (Kaidi Software)
Integrity Level:
HIGH
Description:
凯迪软件视频批量剪辑 (Kaidi Software Video Batch Editing)
Version:
39.1.6.25
Modules
Images
c:\users\admin\desktop\c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
Total events: 8 017
Read events: 8 015
Write events: 2
Delete events: 0

Modification events

PID 5240 (c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\kaidisoft
Operation: write
Name: jqm
Value: 27272124282321222428285323272951542626275655292752252227522053558A89D3A61

PID 5240 (c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation: write
Name: 1280x720x32(BGR 0)
Value: 31,31,31,31 (a display-profile entry written by the Video for Windows DrawDib API; a benign side effect of drawing video frames, not persistence)
Executable files: 2
Suspicious files: 0
Text files: 1
Unknown types: 1

Dropped files (PID, process, filename, type)

5240 c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe C:\Users\admin\Documents\kdbq.dll (type: text; a data file carrying a .dll extension, not a PE)
MD5: DC97D4DFB437CC5B8D75C1C396A60404
SHA256: 6E271041E48F7DE693E8D08FEAEE622C4C8B0F4A5FBCF8F42F617E041F7544BB
5240 c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe C:\Users\admin\Desktop\视频批量制作系统（原mv）.lnk (type: lnk; the GBK name appears mis-decoded in the report as "ÊÓÆµÅúÁ¿ÖÆ×÷ϵͳ£¨Ô­mv£©.lnk" and reads roughly "Video Batch Production System (formerly mv)")
MD5: 73B2714D0DAF8D0B89A46AE36C7A9B0D
SHA256: 9AE0A922705F4D3B0C5021C6F0B19178A4A6EC96477EFF555C775969F1D2ED52
5240 c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe C:\kaidisoft\mvh\c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe (type: executable; same MD5 and SHA256 as the sample, i.e. the sample copies itself into C:\kaidisoft\mvh\)
MD5: 478252B69EB277456C75B7C096CC6C2D
SHA256: C6FF18A10CCAD11583F63995C7C7A2A908F38C5FA97921C0FACF5CF60BAE0165
5240 c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe C:\Users\admin\AppData\Local\Temp\E2EECore.3.5.241231.dll (type: executable)
MD5: 748A6D4AF7EA571B9760C718822CD4AB
SHA256: EAEF25459EF08B8AC5BADE805702F346599C1E22AFB41D47DDA3E935E7ADE522
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 36
TCP/UDP connections: 47
DNS requests: 40
Threats: 11

HTTP requests (PID, process, method, HTTP code, IP:port, URL, CN, reputation; the type and size columns are empty in the report)

1268 svchost.exe GET 200 23.216.77.6:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl CN: unknown, reputation: whitelisted
5944 MoUsoCoreWorker.exe GET 200 23.216.77.6:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl CN: unknown, reputation: whitelisted
2428 RUXIMICS.exe GET 200 23.216.77.6:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl CN: unknown, reputation: whitelisted
5944 MoUsoCoreWorker.exe GET 200 95.101.149.131:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl CN: unknown, reputation: whitelisted
2428 RUXIMICS.exe GET 200 95.101.149.131:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl CN: unknown, reputation: whitelisted
1268 svchost.exe GET 200 95.101.149.131:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl CN: unknown, reputation: whitelisted
(PID/process not listed) GET 200 43.175.152.66:443 https://article.biliimg.com/bfs/new_dyn/91dacc35c1a04e9bfaa5f48b3c26bab2435435666.png CN: unknown, reputation: unknown
5240 c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe GET 200 154.41.93.241:80 http://up.cps5.com/dl/kd.json CN: unknown, reputation: unknown
5240 c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe GET 200 154.41.93.241:80 http://up.cps5.com/gonggao.json CN: unknown, reputation: unknown
5240 c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe GET 200 154.41.93.241:80 http://up.cps5.com/mvh/index.json CN: unknown, reputation: unknown

The six crl.microsoft.com and www.microsoft.com fetches come from Windows components (svchost.exe, MoUsoCoreWorker.exe, RUXIMICS.exe) and are sandbox background noise; the sample's own HTTP traffic in this excerpt is the three plain-HTTP JSON downloads from up.cps5.com.

Connections (PID, process, IP:port, domain, ASN, CN, reputation)

5944 MoUsoCoreWorker.exe 51.104.136.2:443 settings-win.data.microsoft.com MICROSOFT-CORP-MSN-AS-BLOCK IE whitelisted
4 System 192.168.100.255:137 (no domain/ASN/CN listed) whitelisted
1268 svchost.exe 51.104.136.2:443 settings-win.data.microsoft.com MICROSOFT-CORP-MSN-AS-BLOCK IE whitelisted
2428 RUXIMICS.exe 51.104.136.2:443 settings-win.data.microsoft.com MICROSOFT-CORP-MSN-AS-BLOCK IE whitelisted
4 System 192.168.100.255:138 (no domain/ASN/CN listed) whitelisted
5944 MoUsoCoreWorker.exe 23.216.77.6:80 crl.microsoft.com Akamai International B.V. DE whitelisted
1268 svchost.exe 23.216.77.6:80 crl.microsoft.com Akamai International B.V. DE whitelisted
2428 RUXIMICS.exe 23.216.77.6:80 crl.microsoft.com Akamai International B.V. DE whitelisted
5944 MoUsoCoreWorker.exe 95.101.149.131:80 www.microsoft.com Akamai International B.V. NL whitelisted
2428 RUXIMICS.exe 95.101.149.131:80 www.microsoft.com Akamai International B.V. NL whitelisted

None of the connections reproduced here belong to PID 5240; the sample's own connections (including the one behind the "Connects to unusual port" signature) are among the 47 in the full report's PCAP.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 23.216.77.42
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
api.cps5.com
  • 106.55.172.132
unknown
up.cps5.com
  • 154.41.93.241
  • 154.41.93.240
unknown
114.114.114.114.in-addr.arpa
unknown
article.biliimg.com
  • 43.152.26.149
  • 43.174.109.87
  • 43.152.29.101
  • 43.152.27.98
  • 43.152.29.72
  • 43.152.28.43
  • 43.152.26.151
  • 43.152.26.142
  • 43.175.152.62
  • 43.152.26.238
  • 43.174.109.95
  • 43.175.152.66
  • 43.174.109.182
  • 43.174.109.94
  • 43.152.26.110
unknown
url.pay.kaidi.cc
unknown
url.kefuwx.kaidi.cc
unknown

Threats (PID, process, class, message)

(PID/process not listed) Potential Corporate Privacy Violation: ET INFO Unsupported/Fake Windows NT Version 5.0
3840 nslookup.exe Potentially Bad Traffic: ET DNS Query for .cc TLD
3840 nslookup.exe Potentially Bad Traffic: ET DNS Query for .cc TLD
2116 nslookup.exe Potentially Bad Traffic: ET DNS Query for .cc TLD
2116 nslookup.exe Potentially Bad Traffic: ET DNS Query for .cc TLD
7004 nslookup.exe Potentially Bad Traffic: ET DNS Query for .cc TLD
7004 nslookup.exe Potentially Bad Traffic: ET DNS Query for .cc TLD
4552 nslookup.exe Potentially Bad Traffic: ET DNS Query for .cc TLD
4552 nslookup.exe Potentially Bad Traffic: ET DNS Query for .cc TLD
6780 nslookup.exe Potentially Bad Traffic: ET DNS Query for .cc TLD
No debug info
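The behaviour worth a detection rule on this page is in the process list and the Threats table: a HIGH-integrity GUI application spawning nslookup.exe with -qt=TXT for names under kaidi.cc, each time naming 114.114.114.114 as the resolver so the host's configured DNS server never sees the query, which is exactly what the ET "DNS Query for .cc TLD" alerts fired on. The following Python is an added example, not code from the report or from ANY.RUN: it parses nslookup command lines from Sysmon Event ID 1-style records, scores each launch, and groups repeated TXT lookups by parent. The three nslookup command lines are the ones in the report; the parent image, the benign cmd.exe events, and the PIDs 6000/7100/7200 are constructed for the example.

```python
"""Detection logic for nslookup-as-DNS-TXT-channel: a non-console parent launching
nslookup.exe with a TXT query type, a hard-coded resolver IP, and a watched TLD.
EVENTS below are constructed Sysmon Event ID 1-style records, not log data from the report."""
import ipaddress
import re
from collections import defaultdict

QUERY_TYPE_OPT = re.compile(r"^-(?:q|qt|querytype|type)=(\w+)$", re.IGNORECASE)
CONSOLE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "conhost.exe", "windowsterminal.exe"}
WATCHED_TLDS = {"cc"}      # the TLD the ET rule fired on; extend to match local policy


def parse_nslookup(command_line: str):
    """Return query type, name, server and derived flags for an nslookup command line, else None."""
    parts = command_line.split()
    if not parts:
        return None
    image = parts[0].strip('"').lower().rsplit("\\", 1)[-1]
    if image not in ("nslookup", "nslookup.exe"):
        return None
    query_type = "A"                                   # nslookup's default record type
    positional = []
    for arg in parts[1:]:
        m = QUERY_TYPE_OPT.match(arg)
        if m:
            query_type = m.group(1).upper()
        elif not arg.startswith("-"):
            positional.append(arg)                     # first = name to resolve, second = server
    name = positional[0] if positional else None
    server = positional[1] if len(positional) > 1 else None
    explicit_ip = False
    if server:
        try:
            ipaddress.ip_address(server)
            explicit_ip = True
        except ValueError:
            pass                                       # a hostname, not a literal IP
    tld = name.rsplit(".", 1)[-1].lower() if name and "." in name else None
    return {"qtype": query_type, "name": name, "server": server,
            "explicit_ip_server": explicit_ip, "tld": tld}


def analyze(events: list[dict]) -> list[dict]:
    """Score each nslookup launch and group the suspicious ones by parent process."""
    by_parent = defaultdict(lambda: {"parent_image": None, "lookups": [], "reasons": set()})
    for ev in events:
        q = parse_nslookup(ev["command_line"])
        if q is None:
            continue
        reasons = []
        if q["qtype"] == "TXT":
            reasons.append("TXT query: free-form answer text, a common C2/config channel")
        if q["explicit_ip_server"]:
            reasons.append(f"hard-coded resolver {q['server']} bypasses the host's configured DNS server")
        if q["tld"] in WATCHED_TLDS:
            reasons.append(f"name under watched TLD .{q['tld']}")
        if not reasons:
            continue                                   # ordinary admin use, e.g. nslookup -type=MX
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        if parent not in CONSOLE_PARENTS:
            reasons.append(f"launched by non-console parent {parent}")
        rec = by_parent[ev["parent_pid"]]
        rec["parent_image"] = ev["parent_image"]
        rec["lookups"].append(q["name"])
        rec["reasons"].update(reasons)
    findings = []
    for ppid, rec in by_parent.items():
        repeated_txt = len(rec["lookups"]) >= 2 and any(r.startswith("TXT query") for r in rec["reasons"])
        findings.append({"parent_pid": ppid, "parent_image": rec["parent_image"],
                         "lookups": rec["lookups"], "reasons": sorted(rec["reasons"]),
                         "severity": "high" if repeated_txt else "medium"})
    return findings


SAMPLE = "C:\\Users\\admin\\Desktop\\c6ff18a10ccad11583f63995c7c7a2a908f38c5fa97921c0facf5cf60bae0165.exe"
EVENTS = [   # constructed records; the three nslookup command lines are the ones in the report
    {"pid": 2116, "parent_pid": 5240, "parent_image": SAMPLE,
     "command_line": "nslookup -qt=TXT url.kefuwx.kaidi.cc 114.114.114.114"},
    {"pid": 3840, "parent_pid": 5240, "parent_image": SAMPLE,
     "command_line": "nslookup -qt=TXT url.pay.kaidi.cc 114.114.114.114"},
    {"pid": 4552, "parent_pid": 5240, "parent_image": SAMPLE,
     "command_line": "nslookup -qt=TXT api.getip.kaidi.cc 114.114.114.114"},
    {"pid": 7100, "parent_pid": 6000, "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "nslookup -type=MX example.com"},        # benign admin lookup (constructed)
    {"pid": 7200, "parent_pid": 6000, "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "ping -n 1 example.com"},                # not nslookup at all (constructed)
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["severity"], f["parent_pid"], f["parent_image"])
        for line in f["reasons"] + ["lookups: " + ", ".join(f["lookups"])]:
            print("  -", line)
```

The grouping is what turns three "Potentially Bad Traffic" alerts into one incident: a single parent issuing several TXT queries through a resolver it chose itself. Feeding it from a SIEM only needs the process-creation fields used above (parent PID, parent image, command line); the benign cmd.exe events show that an interactive MX lookup produces no finding.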