File name: MultiBloX.exe

Full analysis: https://app.any.run/tasks/a164f61c-9232-4a26-8b0c-edacb032b4f6
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Analysis date: June 07, 2025, 17:22:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: roblox, evasion, discord, exfiltration, stealer, ims-api, generic, miner, auto-sch, pastebin, winring0x64-sys, vuln-driver, wmi-base64, amsi-bypass, upx, xmrig
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 26C1FC28DBD1340864E00FD014AD0754
SHA1: 62ACAB958694592228FCA034552F3245CCED01D6
SHA256: D28BE1DE10E23ED4F158254AE022940C67FF8E9C84C6C1242C1E92E2571C5098
SSDEEP: 1536:GsisqWUW73d1X1LMdPOnyZT8yQscdQwVcl:UssWbd1aBp7WQqY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Stealers network behavior

      • MultiBloX.exe (PID: 3268)
    • Attempting to use instant messaging service

      • MultiBloX.exe (PID: 3268)
    • Executing a file with an untrusted certificate

      • $OEUFmnr.exe (PID: 6644)
      • $OEUFmnr.exe (PID: 7348)
    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 8092)
      • cmd.exe (PID: 8116)
    • Vulnerable driver has been detected

      • $OEUFmnr.exe (PID: 6644)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 6560)
    • Runs injected code in another process

      • powershell.exe (PID: 6560)
    • Application was injected by another process

      • dllhost.exe (PID: 3364)
    • XMRIG has been detected (YARA)

      • svchost.exe (PID: 5512)
  • SUSPICIOUS

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • MultiBloX.exe (PID: 3268)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • MultiBloX.exe (PID: 3268)
    • The process connected to a server suspected of theft

      • MultiBloX.exe (PID: 3268)
    • Reads security settings of Internet Explorer

      • MultiBloX.exe (PID: 3268)
      • 4sevoq4t.i4dv.exe (PID: 1472)
    • Executable content was dropped or overwritten

      • MultiBloX.exe (PID: 3268)
      • 4sevoq4t.i4dv.exe (PID: 1472)
      • $OEUFmnr.exe (PID: 6644)
    • Reads the date of Windows installation

      • MultiBloX.exe (PID: 3268)
      • 4sevoq4t.i4dv.exe (PID: 1472)
    • Starts POWERSHELL.EXE for commands execution

      • 4sevoq4t.i4dv.exe (PID: 1472)
      • $OEUFmnr.exe (PID: 7348)
    • Stops a currently running service

      • sc.exe (PID: 7960)
      • sc.exe (PID: 2340)
      • sc.exe (PID: 5280)
      • sc.exe (PID: 2416)
      • sc.exe (PID: 5812)
    • Starts CMD.EXE for commands execution

      • 4sevoq4t.i4dv.exe (PID: 1472)
    • Process drops legitimate windows executable

      • 4sevoq4t.i4dv.exe (PID: 1472)
    • Starts SC.EXE for service management

      • $OEUFmnr.exe (PID: 6644)
    • Drops a system driver (possible attempt to evade defenses)

      • $OEUFmnr.exe (PID: 6644)
    • Uses powercfg.exe to modify the power settings

      • $OEUFmnr.exe (PID: 6644)
    • The process executes via Task Scheduler

      • powershell.exe (PID: 6560)
    • Invokes assembly entry point (POWERSHELL)

      • powershell.exe (PID: 6560)
    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2196)
    • Connects to unusual port

      • svchost.exe (PID: 5512)
      • $OEUFnon.exe (PID: 7948)
      • $OEUFoui.exe (PID: 7612)
    • Starts process via Powershell

      • powershell.exe (PID: 6132)
    • Executing commands from a ".bat" file

      • 4sevoq4t.i4dv.exe (PID: 1472)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 7776)
    • Possibly patching Antimalware Scan Interface function (YARA)

      • $OEUFoui.exe (PID: 7612)
      • $OEUFnon.exe (PID: 7948)
      • dllhost.exe (PID: 3364)
    • Executes application which crashes

      • cmd.exe (PID: 1244)
  • INFO

    • Reads the computer name

      • MultiBloX.exe (PID: 3268)
      • 4sevoq4t.i4dv.exe (PID: 1472)
      • ImageFile_InExile.exe (PID: 6980)
    • Reads the machine GUID from the registry

      • MultiBloX.exe (PID: 3268)
      • 4sevoq4t.i4dv.exe (PID: 1472)
      • ImageFile_InExile.exe (PID: 6980)
    • ROBLOX mutex has been found

      • MultiBloX.exe (PID: 3268)
    • Checks supported languages

      • MultiBloX.exe (PID: 3268)
      • 4sevoq4t.i4dv.exe (PID: 1472)
      • $OEUFmnr.exe (PID: 6644)
      • $OEUFmnr.exe (PID: 7348)
      • ImageFile_InExile.exe (PID: 6980)
    • Disables trace logs

      • MultiBloX.exe (PID: 3268)
      • $OEUFoui.exe (PID: 7612)
      • $OEUFnon.exe (PID: 7948)
    • Reads the software policy settings

      • MultiBloX.exe (PID: 3268)
      • $OEUFoui.exe (PID: 7612)
      • $OEUFnon.exe (PID: 7948)
      • slui.exe (PID: 3032)
    • Reads Environment values

      • MultiBloX.exe (PID: 3268)
    • Attempting to use instant messaging service

      • MultiBloX.exe (PID: 3268)
      • svchost.exe (PID: 2196)
    • Create files in a temporary directory

      • MultiBloX.exe (PID: 3268)
      • 4sevoq4t.i4dv.exe (PID: 1472)
      • $OEUFmnr.exe (PID: 6644)
    • Process checks computer location settings

      • MultiBloX.exe (PID: 3268)
      • 4sevoq4t.i4dv.exe (PID: 1472)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1188)
      • powershell.exe (PID: 2800)
      • powershell.exe (PID: 5736)
      • powershell.exe (PID: 7320)
      • powershell.exe (PID: 6132)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 1188)
      • powershell.exe (PID: 7320)
      • powershell.exe (PID: 5736)
      • powershell.exe (PID: 2800)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 1188)
      • powershell.exe (PID: 5736)
      • powershell.exe (PID: 2800)
      • powershell.exe (PID: 7320)
    • Checks proxy server information

      • MultiBloX.exe (PID: 3268)
      • $OEUFoui.exe (PID: 7612)
      • $OEUFnon.exe (PID: 7948)
      • slui.exe (PID: 3032)
    • The sample compiled with japanese language support

      • $OEUFmnr.exe (PID: 6644)
    • Uses Task Scheduler to autorun other applications (AUTOMATE)

      • cmd.exe (PID: 1176)
    • Manual execution by a user

      • $OEUFoui.exe (PID: 7900)
      • $OEUFmnr.exe (PID: 7348)
      • $OEUFnon.exe (PID: 7600)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 6560)
    • Found Base64 encoded reference to WMI classes (YARA)

      • $OEUFoui.exe (PID: 7612)
      • $OEUFnon.exe (PID: 7948)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 7776)
    • UPX packer has been detected

      • svchost.exe (PID: 5512)

ims-api

(PID) Process: (3268) MultiBloX.exe
Discord-Webhook-Tokens (1): 1335218279366525032/aGslE3hndw_Ygd-IAGvHPq_HTZKBikgcTzM8HbadsT4takBsk3eIDp5JgxmKXmnB-aSc
Discord-Info-Links: 1335218279366525032/aGslE3hndw_Ygd-IAGvHPq_HTZKBikgcTzM8HbadsT4takBsk3eIDp5JgxmKXmnB-aSc
Get Webhook Info: https://discord.com/api/webhooks/1335218279366525032/aGslE3hndw_Ygd-IAGvHPq_HTZKBikgcTzM8HbadsT4takBsk3eIDp5JgxmKXmnB-aSc
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2092:10:15 17:53:54+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 55296
InitializedDataSize: 5120
UninitializedDataSize: -
EntryPoint: 0xf742
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: MultiBloX
FileVersion: 1.0.0.0
InternalName: MultiBloX.exe
LegalCopyright: Copyright © 2025
LegalTrademarks: -
OriginalFileName: MultiBloX.exe
ProductName: MultiBloX
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 184
Monitored processes: 62
Malicious processes: 6
Suspicious processes: 2

Behavior graph

start multiblox.exe svchost.exe 4sevoq4t.i4dv.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs $oeufoui.exe $oeufnon.exe THREAT $oeufmnr.exe sc.exe no specs conhost.exe no specs cmd.exe conhost.exe no specs cmd.exe conhost.exe no specs sc.exe no specs cmd.exe conhost.exe no specs conhost.exe no specs sc.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs schtasks.exe no specs imagefile_inexile.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs #XMRIG svchost.exe conhost.exe no specs $oeufoui.exe no specs $oeufmnr.exe no specs powershell.exe no specs conhost.exe no specs $oeufnon.exe no specs dllhost.exe cmd.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs werfault.exe no specs slui.exe multiblox.exe no specs

Process information

Fields: PID, CMD, Path, Indicators, Parent process
PID: 208
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 680
CMD: C:\WINDOWS\system32\powercfg.exe /x -hibernate-timeout-ac 0
Path: C:\Windows\System32\powercfg.exe
Parent process: $OEUFmnr.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
PID: 896
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1176
CMD: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$OEUFmnr" /tr '"C:\WINDOWS\SysWOW64\$OEUFmnr.exe"' & exit
Path: C:\Windows\System32\cmd.exe
Parent process: 4sevoq4t.i4dv.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1188
CMD: "powershell.exe"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 4sevoq4t.i4dv.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1244
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\p4orddnt.qej.bat""
Path: C:\Windows\System32\cmd.exe
Parent process: 4sevoq4t.i4dv.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 3221225477
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
PID: 1472
CMD: "C:\Users\admin\AppData\Local\Temp\4sevoq4t.i4dv.exe"
Path: C:\Users\admin\AppData\Local\Temp\4sevoq4t.i4dv.exe
Parent process: MultiBloX.exe
User: admin
Integrity Level: HIGH
Description: Initializer
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\4sevoq4t.i4dv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1672
CMD: "C:\Users\admin\Desktop\MultiBloX.exe"
Path: C:\Users\admin\Desktop\MultiBloX.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: MultiBloX
Exit code: 3221226540
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\multiblox.exe
c:\windows\system32\ntdll.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2284
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 52 029
Read events: 51 955
Write events: 71
Delete events: 3

Modification events

(PID) Process: (3268) MultiBloX.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MultiBloX_RASAPI32
Operation: write | Name: EnableFileTracing | Value: 0

(PID) Process: (3268) MultiBloX.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MultiBloX_RASAPI32
Operation: write | Name: EnableAutoFileTracing | Value: 0

(PID) Process: (3268) MultiBloX.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MultiBloX_RASAPI32
Operation: write | Name: EnableConsoleTracing | Value: 0

(PID) Process: (3268) MultiBloX.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MultiBloX_RASAPI32
Operation: write | Name: FileTracingMask | Value:

(PID) Process: (3268) MultiBloX.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MultiBloX_RASAPI32
Operation: write | Name: ConsoleTracingMask | Value:

(PID) Process: (3268) MultiBloX.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MultiBloX_RASAPI32
Operation: write | Name: MaxFileSize | Value: 1048576

(PID) Process: (3268) MultiBloX.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MultiBloX_RASAPI32
Operation: write | Name: FileDirectory | Value: %windir%\tracing

(PID) Process: (3268) MultiBloX.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MultiBloX_RASMANCS
Operation: write | Name: EnableFileTracing | Value: 0

(PID) Process: (3268) MultiBloX.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MultiBloX_RASMANCS
Operation: write | Name: EnableAutoFileTracing | Value: 0

(PID) Process: (3268) MultiBloX.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MultiBloX_RASMANCS
Operation: write | Name: EnableConsoleTracing | Value: 0
Executable files: 6
Suspicious files: 11
Text files: 18
Unknown types: 0

Dropped files

Fields: PID, Process, Filename, Type

PID: 3268 | Process: MultiBloX.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\ini_t_image.tmp
MD5: 31E4F0596D833FC58C5D1F79A06ADAB6
SHA256: DEB815FC9FF838085574FB5B01F62AF53C9F007BF018DBD30FD703D680AF86FD

PID: 3268 | Process: MultiBloX.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\vi1_imagefile.tmp
MD5: 0EE01C647824229419FF886862670A39
SHA256: CE880EA0AB35E734F52B11A8BAAFEAD80E4F82CF0DA8E7C9A6F925502BA64BCB

PID: 1188 | Process: powershell.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
MD5: 9A867A1AAE0923736AA157E1AF6E3B58
SHA256: 96DBCD976F2281B27E8AE3A8F6E4F5515B6449253D4B777DCB79A7AD574AF239

PID: 1188 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_owvqdqvg.c33.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7320 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1di3tm2m.bgc.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 3268 | Process: MultiBloX.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\4sevoq4t.i4dv.exe
MD5: 2A099FDBB178A0BD9F894BDB00A826FD
SHA256: F96DD2C3804189D1D25FF504D1BF3CC363B03135B96C19BA9FC05F1923AF7770

PID: 5736 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cupwfu3x.ar3.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 5736 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_peo1c5ql.4ff.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 1472 | Process: 4sevoq4t.i4dv.exe | Type: executable
Filename: C:\Windows\SysWOW64\$OEUFmnr.exe
MD5: 91FDBF753EFD03EE2EA5DE5F9B4CCAD5
SHA256: 05E2C6A4098436CF775F8C25E87828675CC45AB5EAD86E13BDD7FCD262DB6B4D

PID: 2800 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_41jcvrle.tho.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 21
TCP/UDP connections: 43
DNS requests: 17
Threats: 16

HTTP requests

Fields: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation

GET 200 34.160.111.145:443 https://ifconfig.me/ | CN: unknown | html, 10.0 Kb | shared
GET 302 140.82.121.3:443 https://github.com/MlSVPCQ44/GibberishThings/releases/download/gibber/mnr.RAWencrypt | CN: unknown
8008 RUXIMICS.exe | GET 200 2.16.241.12:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | whitelisted
POST 400 162.159.136.232:443 https://discord.com/api/webhooks/1335218279366525032/aGslE3hndw_Ygd-IAGvHPq_HTZKBikgcTzM8HbadsT4takBsk3eIDp5JgxmKXmnB-aSc | CN: unknown | binary, 69 b | whitelisted
GET 302 140.82.121.3:443 https://github.com/MlSVPCQ44/GibberishThings/releases/download/gibber/v2.RAWencrypt | CN: unknown
GET 302 140.82.121.3:443 https://github.com/MlSVPCQ44/GibberishThings/releases/download/gibber/rtk.RAWencrypt | CN: unknown
POST 500 40.91.76.224:443 https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | CN: unknown | xml, 512 b | whitelisted
GET 302 140.82.121.3:443 https://github.com/MlSVPCQ44/GibberishThings/releases/download/gibber/init.RAWencrypt | CN: unknown
GET 302 140.82.121.3:443 https://github.com/MlSVPCQ44/GibberishThings/releases/download/gibber/v1.RAWencrypt | CN: unknown
GET 200 172.67.25.94:443 https://pastebin.com/raw/mb7bHmGn | CN: unknown

Connections

Fields: PID, Process, IP, Domain, ASN, CN, Reputation

4 System | 192.168.100.255:137 | whitelisted
8008 RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 System | 192.168.100.255:138 | whitelisted
8008 RUXIMICS.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
8008 RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
3268 MultiBloX.exe | 34.160.111.145:443 | ifconfig.me | GOOGLE | US | shared
3268 MultiBloX.exe | 162.159.137.232:443 | discord.com | CLOUDFLARENET | whitelisted
3268 MultiBloX.exe | 140.82.121.3:443 | github.com | GITHUB | US | whitelisted
3268 MultiBloX.exe | 185.199.110.133:443 | objects.githubusercontent.com | FASTLY | US | whitelisted

DNS requests

Fields: Domain, IP, Reputation

settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
google.com | 142.250.186.142 | whitelisted
crl.microsoft.com | 2.16.241.12, 2.16.241.19 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
ifconfig.me | 34.160.111.145 | shared
discord.com | 162.159.137.232, 162.159.135.232, 162.159.138.232, 162.159.128.233, 162.159.136.232 | whitelisted
github.com | 140.82.121.3 | whitelisted
objects.githubusercontent.com | 185.199.110.133, 185.199.108.133, 185.199.109.133, 185.199.111.133 | whitelisted
pool.supportxmr.com | 141.94.96.71, 141.94.96.144, 141.94.96.195 | whitelisted
pastebin.com | 104.22.69.199, 172.67.25.94, 104.22.68.199 | whitelisted

Threats

Fields: PID, Process, Class, Message

2196 svchost.exe
  Device Retrieving External IP Address Detected: INFO [ANY.RUN] External IP Lookup Domain (ifconfig .me)
3268 MultiBloX.exe
  Device Retrieving External IP Address Detected: ET INFO External IP Lookup SSL/TLS Certificate (ifconfig .me)
  Device Retrieving External IP Address Detected: ET INFO External IP Lookup Domain (ifconfig .me)
2196 svchost.exe
  Misc activity: ET INFO Observed Discord Domain in DNS Lookup (discord .com)
3268 MultiBloX.exe
  Misc activity: ET INFO Observed Discord Domain (discord .com in TLS SNI)
3268 MultiBloX.exe
  Misc activity: ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2196 svchost.exe
  Misc activity: ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
3268 MultiBloX.exe
  Successful Credential Theft Detected: STEALER [ANY.RUN] Attempt to exfiltrate via Discord
  Misc activity: ET HUNTING Discord WebHook Activity M1 (Contains Key, content)
  Misc activity: SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
No debug info