File name: 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop

Full analysis: https://app.any.run/tasks/eaee51c5-1a84-4cd4-b7ca-825cdebf8c76
Verdict: Malicious activity
Threats:

BlackMoon, also known as KrBanker, is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has since evolved, adding new infiltration techniques and information-stealing methods.

Analysis date: June 21, 2025, 04:07:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
blackmoon

Note: BlackMoon is the only family this analysis attributes (a single YARA match, listed under MALICIOUS below). The elex, icedid and stop tokens in the submitted file name are not backed by any detection in this report.
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 8CF049D3D623461ADD8CBBF24908D9C2
SHA1: 49832B9E7491D4B803E0E1B159388C6D46A89E24
SHA256: DDB4A061B43D585098BC1612807EAF3BDBA90F8748594F0A461B360278B85165
SSDEEP: 49152:XFxUhnky7BM7W88988Nt5KBBDhzsf9hS1Sx5F2b35tZOP3E/4VhH3QLBf8XcHZ8K:3Uhnkyi8qDpsVhS1Sx5HPznWnNHq8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BLACKMOON has been detected (YARA)

      • 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe (PID: 3864)
      • mldxkh.exe (PID: 6688)
  • SUSPICIOUS

    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe (PID: 3864)
    • Starts itself from another location

      • 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe (PID: 3864)
      • mldxkh.exe (PID: 6688)
    • Reads security settings of Internet Explorer

      • 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe (PID: 3864)
      • mldxkh.exe (PID: 868)
      • mldxkh.exe (PID: 6688)
      • 869913.exe (PID: 6940)
      • 981972.exe (PID: 6220)
      • 923138.exe (PID: 3048)
      • 059110.exe (PID: 2356)
      • 692198.exe (PID: 7424)
      • 083802.exe (PID: 7588)
      • 673417.exe (PID: 7704)
      • 668664.exe (PID: 7784)
      • 955662.exe (PID: 7860)
      • 445274.exe (PID: 7940)
      • 671257.exe (PID: 8016)
      • 727439.exe (PID: 8136)
      • 708680.exe (PID: 3396)
      • 195478.exe (PID: 7616)
      • 595382.exe (PID: 5772)
      • 722515.exe (PID: 7788)
      • 019513.exe (PID: 7868)
      • 631374.exe (PID: 7304)
      • 032679.exe (PID: 7972)
      • 388851.exe (PID: 8032)
      • 400917.exe (PID: 6772)
      • 781647.exe (PID: 7180)
      • 414283.exe (PID: 7240)
      • 702072.exe (PID: 7636)
      • 440033.exe (PID: 7356)
      • 037063.exe (PID: 7736)
      • 930504.exe (PID: 6948)
      • 942178.exe (PID: 7228)
      • 825429.exe (PID: 7928)
      • 796916.exe (PID: 1760)
      • 271502.exe (PID: 7940)
      • 601031.exe (PID: 756)
      • 043179.exe (PID: 480)
      • 338177.exe (PID: 6360)
      • 594382.exe (PID: 8032)
      • 211427.exe (PID: 8188)
      • 751947.exe (PID: 7620)
      • 834498.exe (PID: 1880)
      • 980370.exe (PID: 7736)
      • 378094.exe (PID: 3972)
      • 269203.exe (PID: 7824)
      • 604277.exe (PID: 2356)
      • 991065.exe (PID: 6796)
      • 894415.exe (PID: 1760)
      • 398714.exe (PID: 7996)
      • 885532.exe (PID: 5824)
      • 417284.exe (PID: 7868)
      • 812945.exe (PID: 6176)
      • 931695.exe (PID: 4324)
      • 068128.exe (PID: 6320)
    • Executable content was dropped or overwritten

      • 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe (PID: 3864)
      • mldxkh.exe (PID: 6688)
    • Application launched itself

      • mldxkh.exe (PID: 868)
      • 869913.exe (PID: 6940)
      • 981972.exe (PID: 6220)
      • 923138.exe (PID: 3048)
      • 059110.exe (PID: 2356)
      • 781647.exe (PID: 7180)
      • 692198.exe (PID: 7424)
      • 083802.exe (PID: 7588)
      • 673417.exe (PID: 7704)
      • 668664.exe (PID: 7784)
      • 955662.exe (PID: 7860)
      • 445274.exe (PID: 7940)
      • 671257.exe (PID: 8016)
      • 727439.exe (PID: 8136)
      • 708680.exe (PID: 3396)
      • 195478.exe (PID: 7616)
      • 595382.exe (PID: 5772)
      • 631374.exe (PID: 7304)
      • 722515.exe (PID: 7788)
      • 032679.exe (PID: 7972)
      • 388851.exe (PID: 8032)
      • 019513.exe (PID: 7868)
      • 414283.exe (PID: 7240)
      • 702072.exe (PID: 7636)
      • 400917.exe (PID: 6772)
      • 930504.exe (PID: 6948)
      • 440033.exe (PID: 7356)
      • 037063.exe (PID: 7736)
      • 942178.exe (PID: 7228)
      • 825429.exe (PID: 7928)
      • 796916.exe (PID: 1760)
      • 271502.exe (PID: 7940)
      • 043179.exe (PID: 480)
      • 338177.exe (PID: 6360)
      • 594382.exe (PID: 8032)
      • 601031.exe (PID: 756)
      • 211427.exe (PID: 8188)
      • 751947.exe (PID: 7620)
      • 834498.exe (PID: 1880)
      • 980370.exe (PID: 7736)
      • 378094.exe (PID: 3972)
      • 604277.exe (PID: 2356)
      • 991065.exe (PID: 6796)
      • 894415.exe (PID: 1760)
      • 269203.exe (PID: 7824)
      • 417284.exe (PID: 7868)
      • 398714.exe (PID: 7996)
      • 931695.exe (PID: 4324)
      • 812945.exe (PID: 6176)
      • 885532.exe (PID: 5824)
      • 068128.exe (PID: 6320)
    • Explorer used for Indirect Command Execution

      • explorer.exe (PID: 7056)
    • Searches for installed software

      • 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe (PID: 3864)
    • Executing commands from a ".bat" file

      • explorer.exe (PID: 6960)
    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 6960)
    • There is functionality for taking screenshot (YARA)

      • 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe (PID: 3864)
      • mldxkh.exe (PID: 6688)
  • INFO

    • The sample compiled with chinese language support

      • 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe (PID: 3864)
      • mldxkh.exe (PID: 6688)
    • Create files in a temporary directory

      • 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe (PID: 3864)
      • mldxkh.exe (PID: 6688)
    • Reads the computer name

      • 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe (PID: 3864)
      • mldxkh.exe (PID: 868)
      • mldxkh.exe (PID: 6688)
      • 869913.exe (PID: 6940)
      • 981972.exe (PID: 6220)
      • 923138.exe (PID: 3048)
      • 059110.exe (PID: 2356)
      • 781647.exe (PID: 7180)
      • identity_helper.exe (PID: 7216)
      • 692198.exe (PID: 7424)
      • 083802.exe (PID: 7588)
      • 668664.exe (PID: 7784)
      • 955662.exe (PID: 7860)
      • 673417.exe (PID: 7704)
      • 445274.exe (PID: 7940)
      • 671257.exe (PID: 8016)
      • 727439.exe (PID: 8136)
      • 708680.exe (PID: 3396)
      • 195478.exe (PID: 7616)
      • 595382.exe (PID: 5772)
      • 722515.exe (PID: 7788)
      • 019513.exe (PID: 7868)
      • 631374.exe (PID: 7304)
      • 032679.exe (PID: 7972)
      • 388851.exe (PID: 8032)
      • 400917.exe (PID: 6772)
      • 414283.exe (PID: 7240)
      • 702072.exe (PID: 7636)
      • 930504.exe (PID: 6948)
      • 440033.exe (PID: 7356)
      • 037063.exe (PID: 7736)
      • 942178.exe (PID: 7228)
      • 825429.exe (PID: 7928)
      • 796916.exe (PID: 1760)
      • 601031.exe (PID: 756)
      • 271502.exe (PID: 7940)
      • 043179.exe (PID: 480)
      • 338177.exe (PID: 6360)
      • 594382.exe (PID: 8032)
      • 211427.exe (PID: 8188)
      • 751947.exe (PID: 7620)
      • 980370.exe (PID: 7736)
      • 834498.exe (PID: 1880)
      • 378094.exe (PID: 3972)
      • 604277.exe (PID: 2356)
      • 991065.exe (PID: 6796)
      • 894415.exe (PID: 1760)
      • 269203.exe (PID: 7824)
      • 417284.exe (PID: 7868)
      • 398714.exe (PID: 7996)
      • 885532.exe (PID: 5824)
      • 812945.exe (PID: 6176)
      • 931695.exe (PID: 4324)
      • 068128.exe (PID: 6320)
    • Checks supported languages

      • 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe (PID: 3864)
      • mldxkh.exe (PID: 868)
      • mldxkh.exe (PID: 6688)
      • 869913.exe (PID: 6940)
      • 981972.exe (PID: 6220)
      • 869913.exe (PID: 1100)
      • 981972.exe (PID: 6292)
      • 923138.exe (PID: 3048)
      • 923138.exe (PID: 5172)
      • 059110.exe (PID: 7072)
      • 781647.exe (PID: 7180)
      • 692198.exe (PID: 7424)
      • 083802.exe (PID: 7588)
      • 781647.exe (PID: 7276)
      • 692198.exe (PID: 7468)
      • identity_helper.exe (PID: 7216)
      • 673417.exe (PID: 7704)
      • 673417.exe (PID: 7748)
      • 668664.exe (PID: 7784)
      • 668664.exe (PID: 7832)
      • 083802.exe (PID: 7632)
      • 955662.exe (PID: 7904)
      • 955662.exe (PID: 7860)
      • 445274.exe (PID: 7940)
      • 671257.exe (PID: 8060)
      • 708680.exe (PID: 3396)
      • 445274.exe (PID: 7984)
      • 727439.exe (PID: 8136)
      • 671257.exe (PID: 8016)
      • 727439.exe (PID: 7384)
      • 708680.exe (PID: 6164)
      • 195478.exe (PID: 7616)
      • 595382.exe (PID: 5772)
      • 195478.exe (PID: 7588)
      • 059110.exe (PID: 2356)
      • 631374.exe (PID: 7304)
      • 722515.exe (PID: 7788)
      • 019513.exe (PID: 7868)
      • 722515.exe (PID: 7880)
      • 595382.exe (PID: 7712)
      • 631374.exe (PID: 516)
      • 032679.exe (PID: 7972)
      • 388851.exe (PID: 8032)
      • 032679.exe (PID: 7100)
      • 388851.exe (PID: 8064)
      • 400917.exe (PID: 6772)
      • 019513.exe (PID: 7968)
      • 414283.exe (PID: 7240)
      • 702072.exe (PID: 7636)
      • 702072.exe (PID: 5644)
      • 400917.exe (PID: 8188)
      • 414283.exe (PID: 8148)
      • 037063.exe (PID: 5992)
      • 930504.exe (PID: 6948)
      • 930504.exe (PID: 1560)
      • 440033.exe (PID: 7356)
      • 037063.exe (PID: 7736)
      • 796916.exe (PID: 1760)
      • 796916.exe (PID: 7872)
      • 942178.exe (PID: 7228)
      • 825429.exe (PID: 7928)
      • 942178.exe (PID: 3488)
      • 440033.exe (PID: 7808)
      • 271502.exe (PID: 3160)
      • 601031.exe (PID: 756)
      • 825429.exe (PID: 7964)
      • 271502.exe (PID: 7940)
      • 043179.exe (PID: 480)
      • 338177.exe (PID: 6360)
      • 043179.exe (PID: 2716)
      • 338177.exe (PID: 8116)
      • 594382.exe (PID: 8032)
      • 594382.exe (PID: 1704)
      • 601031.exe (PID: 8052)
      • 211427.exe (PID: 7320)
      • 211427.exe (PID: 8188)
      • 751947.exe (PID: 7620)
      • 834498.exe (PID: 1880)
      • 751947.exe (PID: 7656)
      • 378094.exe (PID: 3972)
      • 980370.exe (PID: 7736)
      • 834498.exe (PID: 7740)
      • 980370.exe (PID: 3112)
      • 378094.exe (PID: 1216)
      • 604277.exe (PID: 2356)
      • 991065.exe (PID: 7220)
      • 894415.exe (PID: 1760)
      • 894415.exe (PID: 7052)
      • 269203.exe (PID: 7824)
      • 604277.exe (PID: 4752)
      • 991065.exe (PID: 6796)
      • 417284.exe (PID: 7868)
      • 269203.exe (PID: 2028)
      • 417284.exe (PID: 7928)
      • 398714.exe (PID: 7996)
      • 398714.exe (PID: 7944)
      • 885532.exe (PID: 1868)
      • 931695.exe (PID: 4324)
      • 931695.exe (PID: 8024)
      • 812945.exe (PID: 6176)
      • 812945.exe (PID: 8064)
      • 068128.exe (PID: 6320)
      • 885532.exe (PID: 5824)
      • 068128.exe (PID: 5848)
    • Process checks computer location settings

      • 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe (PID: 3864)
      • mldxkh.exe (PID: 868)
      • mldxkh.exe (PID: 6688)
      • 869913.exe (PID: 6940)
      • 981972.exe (PID: 6220)
      • 923138.exe (PID: 3048)
      • 059110.exe (PID: 2356)
      • 781647.exe (PID: 7180)
      • 692198.exe (PID: 7424)
      • 083802.exe (PID: 7588)
      • 668664.exe (PID: 7784)
      • 673417.exe (PID: 7704)
      • 955662.exe (PID: 7860)
      • 445274.exe (PID: 7940)
      • 671257.exe (PID: 8016)
      • 727439.exe (PID: 8136)
      • 708680.exe (PID: 3396)
      • 195478.exe (PID: 7616)
      • 595382.exe (PID: 5772)
      • 722515.exe (PID: 7788)
      • 019513.exe (PID: 7868)
      • 631374.exe (PID: 7304)
      • 032679.exe (PID: 7972)
      • 388851.exe (PID: 8032)
      • 414283.exe (PID: 7240)
      • 702072.exe (PID: 7636)
      • 400917.exe (PID: 6772)
      • 930504.exe (PID: 6948)
      • 037063.exe (PID: 7736)
      • 440033.exe (PID: 7356)
      • 942178.exe (PID: 7228)
      • 825429.exe (PID: 7928)
      • 796916.exe (PID: 1760)
      • 271502.exe (PID: 7940)
      • 601031.exe (PID: 756)
      • 043179.exe (PID: 480)
      • 338177.exe (PID: 6360)
      • 211427.exe (PID: 8188)
      • 751947.exe (PID: 7620)
      • 834498.exe (PID: 1880)
      • 980370.exe (PID: 7736)
      • 378094.exe (PID: 3972)
      • 604277.exe (PID: 2356)
      • 991065.exe (PID: 6796)
      • 894415.exe (PID: 1760)
      • 269203.exe (PID: 7824)
      • 398714.exe (PID: 7996)
      • 417284.exe (PID: 7868)
      • 885532.exe (PID: 5824)
      • 931695.exe (PID: 4324)
      • 812945.exe (PID: 6176)
      • 594382.exe (PID: 8032)
      • 068128.exe (PID: 6320)
    • Checks proxy server information

      • 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe (PID: 3864)
      • slui.exe (PID: 2292)
    • Reads the machine GUID from the registry

      • mldxkh.exe (PID: 6688)
    • Application launched itself

      • msedge.exe (PID: 1080)
      • msedge.exe (PID: 6504)
    • Creates files or folders in the user directory

      • mldxkh.exe (PID: 6688)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 6960)
    • Reads Environment values

      • identity_helper.exe (PID: 7216)
    • Reads the software policy settings

      • slui.exe (PID: 2292)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:08:17 08:34:04+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 368640
InitializedDataSize: 1241088
UninitializedDataSize: -
EntryPoint: 0x4fd00
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.6.1.1
ProductVersionNumber: 5.6.1.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 5.6.1.1
FileDescription:
ProductName:
ProductVersion: 5.6.1.1
CompanyName:
LegalCopyright:
Comments: 本程序使用易语言编写(http://www.dywt.com.cn) (Chinese: "This program was written in Easy Language", http://www.dywt.com.cn). The marker is the standard Easy Language (易语言) compiler comment and matches the Chinese (Simplified) LanguageCode above.
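The EXIF block above is what a metadata parser pulls out of the COFF and optional headers. The following is an added example (not ANY.RUN's code and not taken from the sample) that recovers the same fields from raw bytes with only the standard library, and additionally scans for the Easy Language compiler comment shown in the Comments field. The header bytes are constructed to carry this report's values (timestamp, linker version, sizes, entry point, characteristics, subsystem); they are not bytes of the analysed sample, and the version-resource fragment is a simplified stand-in for a real VS_VERSION_INFO block. Keep in mind that TimeDateStamp is written by the linker and is trivially forged: a 2016 stamp on a sample seen in 2025 is a data point, not proof of age.

```python
"""Added example, not ANY.RUN's code: read the header fields this report
lists under EXIF straight from raw PE bytes, and scan for the Easy Language
(易语言) compiler comment. The bytes built here are CONSTRUCTED to carry
the report's values; they are not bytes of the analysed sample."""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits, in the order the report prints them
CHARACTERISTICS = {0x0001: "No relocs", 0x0002: "Executable",
                   0x0004: "No line numbers", 0x0008: "No symbols", 0x0100: "32-bit"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD64"}
# VS_VERSION_INFO strings are UTF-16LE, so the marker must be searched in that encoding
EASY_LANGUAGE_MARKER = "本程序使用易语言编写".encode("utf-16-le")


def build_sample_headers() -> bytes:
    """DOS stub + 'PE' + COFF header + PE32 optional header + a simplified
    version-resource fragment (constructed; untouched fields stay zero)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH",
                       0x014C,            # Machine: i386
                       4,                 # NumberOfSections
                       1471422844,        # TimeDateStamp = 2016-08-17 08:34:04 UTC
                       0, 0,              # PointerToSymbolTable, NumberOfSymbols
                       224,               # SizeOfOptionalHeader for PE32
                       0x010F)            # RELOCS_STRIPPED|EXECUTABLE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED|32BIT
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 6, 0)          # Magic PE32, linker 6.0
    struct.pack_into("<III", opt, 4, 368640, 1241088, 0)   # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
    struct.pack_into("<I", opt, 16, 0x4FD00)               # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, 4, 0)                 # OperatingSystemVersion 4.0
    struct.pack_into("<HH", opt, 48, 4, 0)                 # SubsystemVersion 4.0
    struct.pack_into("<H", opt, 68, 2)                     # Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
    resource = (b"\x00" * 16 + "Comments".encode("utf-16-le") + b"\x00\x00"
                + "本程序使用易语言编写(http://www.dywt.com.cn)".encode("utf-16-le"))
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + resource


def triage_pe(data: bytes) -> dict:
    """Pull the first-pass triage fields without pefile; offsets are those of
    IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER32 from winnt.h."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    machine, nsect, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                      # optional header follows the 20-byte COFF header
    magic, maj_link, min_link = struct.unpack_from("<HBB", data, opt)
    code, init_data, uninit_data, entry = struct.unpack_from("<IIII", data, opt + 4)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "MachineType": MACHINES.get(machine, hex(machine)),
        "Sections": nsect,
        "TimeStamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "ImageFileCharacteristics": ", ".join(v for k, v in CHARACTERISTICS.items() if chars & k),
        "PEType": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "LinkerVersion": f"{maj_link}.{min_link}",
        "CodeSize": code,
        "InitializedDataSize": init_data,
        "UninitializedDataSize": uninit_data,
        "EntryPoint": hex(entry),
        "OSVersion": f"{os_major}.{os_minor}",
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "EasyLanguage": EASY_LANGUAGE_MARKER in data,       # byte search over the whole image
    }


if __name__ == "__main__":
    for key, value in triage_pe(build_sample_headers()).items():
        print(f"{key}: {value}")
```

Running it prints the characteristics string and subsystem exactly as the report does. On a real file, read the bytes from disk and apply the same offsets (or use pefile); the marker search is done in UTF-16LE on purpose, since a search for the UTF-8 form of the comment would miss the version resource.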
All screenshots are available in the full report
Total processes: 271
Monitored processes: 136
Malicious processes: 3
Suspicious processes: 0

Behavior graph (process tree flattened from the interactive view; "no specs" in the original marks processes without indicators of their own, so only the two #BLACKMOON processes, a few msedge.exe instances and slui.exe carried indicators):

start → #BLACKMOON 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe → mldxkh.exe (no specs) → #BLACKMOON mldxkh.exe → 869913.exe (×2), 981972.exe (×2), msedge.exe, explorer.exe, msedge.exe, explorer.exe, cmd.exe, conhost.exe, 923138.exe (×2), msedge.exe (×7), 059110.exe (×2), msedge.exe (×2), 781647.exe, identity_helper.exe (×2), 781647.exe, msedge.exe, 692198.exe (×2), msedge.exe, 083802.exe (×2), msedge.exe, 673417.exe (×2), 668664.exe (×2), 955662.exe (×2), 445274.exe (×2), 671257.exe (×2), msedge.exe (×3), 727439.exe (×2), msedge.exe, 708680.exe (×2), 195478.exe (×2), 595382.exe (×2), slui.exe, 631374.exe (×2), 722515.exe (×2), 019513.exe (×2), 032679.exe (×2), 388851.exe (×2), 400917.exe (×2), msedge.exe, 414283.exe (×2), msedge.exe, 702072.exe (×2), msedge.exe, 037063.exe (×2), 930504.exe (×2), 440033.exe (×2), msedge.exe, 796916.exe (×2), 942178.exe (×2), 825429.exe (×2), 271502.exe (×2), msedge.exe, 601031.exe (×2), 594382.exe (×2), 043179.exe (×2), 338177.exe (×2), 211427.exe (×2), 751947.exe (×2), msedge.exe, 834498.exe (×2), 980370.exe (×2), 378094.exe (×2), 604277.exe (×2), 991065.exe (×2), msedge.exe, 894415.exe (×2), 269203.exe (×2), msedge.exe, 417284.exe (×2), 398714.exe (×2), 885532.exe (×2), 931695.exe (×2), 812945.exe (×2), 068128.exe (×2)

Process information

Flattened table of the first ten monitored processes (PID, command line, path, parent process, then the first loaded images). The wow64*.dll entries show the 32-bit binaries running under WOW64 on the 64-bit guest. Pattern visible here: the sample starts mldxkh.exe from %TEMP% with the /jscxyxztjkl switch and opens Microsoft Edge on hao.360.cn (PID 1080); each six-digit executable under %APPDATA%\Roaming\Download is first started by mldxkh.exe with the /Shorttailedrestart switch (PIDs 480, 756) and then relaunches itself without arguments (PIDs 516, 1100, 1216, 1560, 1704), which is what the "Application launched itself" signature records for every one of them.

PID: 480
CMD: "C:\Users\admin\AppData\Roaming\Download\043179.exe" /Shorttailedrestart
Path: C:\Users\admin\AppData\Roaming\Download\043179.exe
Parent process: mldxkh.exe
User: admin
Company:
Integrity Level: MEDIUM
Description:
Exit code: 0
Version: 5.6.1.1
Modules (images):
c:\users\admin\appdata\roaming\download\043179.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

PID: 516
CMD: "C:\Users\admin\AppData\Roaming\Download\631374.exe"
Path: C:\Users\admin\AppData\Roaming\Download\631374.exe
Parent process: 631374.exe
User: admin
Company:
Integrity Level: MEDIUM
Description:
Exit code: 0
Version: 5.6.1.1
Modules (images):
c:\users\admin\appdata\roaming\download\631374.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

PID: 756
CMD: "C:\Users\admin\AppData\Roaming\Download\601031.exe" /Shorttailedrestart
Path: C:\Users\admin\AppData\Roaming\Download\601031.exe
Parent process: mldxkh.exe
User: admin
Company:
Integrity Level: MEDIUM
Description:
Exit code: 0
Version: 5.6.1.1
Modules (images):
c:\users\admin\appdata\roaming\download\601031.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

PID: 868
CMD: "C:\Users\admin\AppData\Local\Temp\mldxkh.exe" /jscxyxztjkl
Path: C:\Users\admin\AppData\Local\Temp\mldxkh.exe
Parent process: 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\mldxkh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

PID: 1080
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://hao.360.cn/?src=lm&ls=n6abbbb598c
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

PID: 1096
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1100
CMD: "C:\Users\admin\AppData\Roaming\Download\869913.exe"
Path: C:\Users\admin\AppData\Roaming\Download\869913.exe
Parent process: 869913.exe
User: admin
Company:
Integrity Level: MEDIUM
Description:
Exit code: 0
Version: 5.6.1.1
Modules (images):
c:\users\admin\appdata\roaming\download\869913.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

PID: 1216
CMD: "C:\Users\admin\AppData\Roaming\Download\378094.exe"
Path: C:\Users\admin\AppData\Roaming\Download\378094.exe
Parent process: 378094.exe
User: admin
Company:
Integrity Level: MEDIUM
Description:
Exit code: 0
Version: 5.6.1.1
Modules (images):
c:\users\admin\appdata\roaming\download\378094.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

PID: 1560
CMD: "C:\Users\admin\AppData\Roaming\Download\930504.exe"
Path: C:\Users\admin\AppData\Roaming\Download\930504.exe
Parent process: 930504.exe
User: admin
Company:
Integrity Level: MEDIUM
Description:
Exit code: 0
Version: 5.6.1.1
Modules (images):
c:\users\admin\appdata\roaming\download\930504.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

PID: 1704
CMD: "C:\Users\admin\AppData\Roaming\Download\594382.exe"
Path: C:\Users\admin\AppData\Roaming\Download\594382.exe
Parent process: 594382.exe
User: admin
Company:
Integrity Level: MEDIUM
Description:
Exit code: 0
Version: 5.6.1.1
Modules (images):
c:\users\admin\appdata\roaming\download\594382.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
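The process table above shows the launch chain in detail. As an added example (not ANY.RUN's code), here are detection rules over process-creation telemetry that would flag it. The events are constructed in a Sysmon Event ID 1 shape from the PIDs, images and command lines the report lists; the parent links the report does not show (explorer.exe as PID 4321, and the link from each first instance of a six-digit binary to its self-relaunch), the directory the sample was run from, and the two benign Edge control events are assumed.

```python
"""Added example, not ANY.RUN's code: detection rules over process-creation
events for the launch chain in this report. EVENTS is CONSTRUCTED in a
Sysmon Event ID 1 shape (pid, ppid, image, command line) from the PIDs,
images and command lines the report lists; the parent links the report does
not show and the benign control events are assumed."""
import re
from collections import Counter

SAMPLE = r"C:\Users\admin\Desktop\2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe"  # directory assumed
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
TEMP = r"C:\Users\admin\AppData\Local\Temp"
DL = r"C:\Users\admin\AppData\Roaming\Download"


def cmd(path: str, *args: str) -> str:
    """Quote the image path the way the report shows command lines."""
    return " ".join([f'"{path}"', *args])


EVENTS = [
    (3864, 4321, SAMPLE, cmd(SAMPLE)),                                    # ppid 4321 assumed: explorer.exe
    (868, 3864, TEMP + r"\mldxkh.exe", cmd(TEMP + r"\mldxkh.exe", "/jscxyxztjkl")),
    (1080, 3864, EDGE, cmd(EDGE, "--single-argument", "http://hao.360.cn/?src=lm&ls=n6abbbb598c")),
    (480, 868, DL + r"\043179.exe", cmd(DL + r"\043179.exe", "/Shorttailedrestart")),
    (2716, 480, DL + r"\043179.exe", cmd(DL + r"\043179.exe")),          # self-relaunch (parent link assumed)
    (756, 868, DL + r"\601031.exe", cmd(DL + r"\601031.exe", "/Shorttailedrestart")),
    (8052, 756, DL + r"\601031.exe", cmd(DL + r"\601031.exe")),
    (5000, 4321, EDGE, cmd(EDGE)),                                        # benign control: user opens Edge
    (5001, 5000, EDGE, cmd(EDGE, "--type=renderer")),                     # Chromium self-launch is normal
]

STAGING = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
SIX_DIGIT = re.compile(r"\\\d{6}\.exe$")
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
URL = re.compile(r'https?://[^\s"]+')
BROWSERS = {"msedge.exe", "chrome.exe", "iexplore.exe", "firefox.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule, detail) tuples; each rule mirrors one signature in the report."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        parent = by_pid.get(ppid)
        pimage = parent[2] if parent else ""
        name = basename(image)
        # Six-digit-named binary under a user-writable staging directory, started with the dropper's switch
        if STAGING.search(image) and SIX_DIGIT.search(image) and "/Shorttailedrestart" in cmdline:
            findings.append((pid, "six-digit exe started with /Shorttailedrestart", basename(pimage)))
        # "Application launched itself": same image as the parent. Browsers are excluded on purpose.
        if parent and image.lower() == pimage.lower() and name not in BROWSERS:
            findings.append((pid, "application launched itself", name))
        # Browser opened on a URL by something that is neither a browser nor the shell
        if name in BROWSERS and parent and basename(pimage) not in BROWSERS | {"explorer.exe"}:
            match = URL.search(cmdline)
            if match:
                findings.append((pid, "non-browser parent opened a URL in the browser", match.group(0)))
        # Executable run out of %TEMP% by a parent that is not itself in a staging directory (weak alone)
        if TEMP_EXE.search(image) and parent and not STAGING.search(pimage):
            findings.append((pid, "executable run from %TEMP%", basename(pimage)))
    return findings


def staging_loops(findings, threshold: int = 2) -> dict:
    """Parents that repeat the six-digit/switch launch: the loop mldxkh.exe runs in this report."""
    counts = Counter(detail for _, rule, detail in findings if rule.startswith("six-digit"))
    return {parent: n for parent, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = detect(EVENTS)
    for hit in hits:
        print(hit)
    print("staging loops:", staging_loops(hits))
```

The browser exclusion in the self-launch rule is deliberate: Chromium-based browsers spawn copies of themselves for every renderer, which is why this report lists msedge.exe "Application launched itself" under INFO rather than SUSPICIOUS. The %TEMP% rule is a weak signal on its own (installers do the same) and only becomes interesting together with the repeated six-digit launches from the same parent, which staging_loops() surfaces.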
Total events: 27 102
Read events: 27 076
Write events: 26
Delete events: 0

Modification events

The first ten of the 26 registry writes are shown. None of the writes listed is a persistence location (no Run key, service or scheduled-task value appears), but the list is truncated, so check the full report before concluding there is no registry persistence.

(PID) Process: (3864) 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings
Operation: write
Name: JITDebug
Value: 0

(PID) Process: (3864) 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (3864) 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (6504) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (3864) 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3864) 2025-06-21_8cf049d3d623461add8cbbf24908d9c2_elex_icedid_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1080) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (1080) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (6504) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 1

(PID) Process: (6504) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0
Executable files: 62
Suspicious files: 190
Text files: 50
Unknown types: 2

Dropped files

First ten rows shown (PID | process | filename). Every row is Edge profile housekeeping (LOG.old rotations) written by msedge.exe PID 6504, and the MD5/SHA256 columns are empty for all of them; the dropped executables themselves (mldxkh.exe and the six-digit binaries under %APPDATA%\Roaming\Download) are not among the rows shown and have to be taken from the full report.

6504 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF178637.TMP
6504 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
6504 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF178647.TMP
6504 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF178647.TMP
6504 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
6504 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
6504 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF178647.TMP
6504 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
6504 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF178656.TMP
6504 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 332
TCP/UDP connections: 237
DNS requests: 211
Threats (network IDS alerts): 0

HTTP requests

First rows shown (PID | process | method and HTTP code | IP:port | URL | CN | type and size | reputation; "unknown" in the CN column means no country was resolved, and a row without PID/process was not attributed to a process by the report). Every row belongs to Windows servicing components (MoUsoCoreWorker.exe, svchost.exe, RUXIMICS.exe) or to Edge; the Edge first-run configuration requests (the config.edge.skype.com URL carries agents=EdgeFirstRun) follow from Edge being launched on the guest, which the sample does (PID 1080). The table is truncated at these rows out of 332 requests, so traffic attributable to the sample's own processes has to be pulled from the PCAP in the full report.

5944 | MoUsoCoreWorker.exe | GET 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2792 | RUXIMICS.exe | GET 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5944 | MoUsoCoreWorker.exe | GET 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1268 | svchost.exe | GET 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2792 | RUXIMICS.exe | GET 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
(not attributed) | GET 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=51&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1750478847&lafgdate=0 | unknown | binary, 1.47 Kb | whitelisted
(not attributed) | GET 200 | 150.171.27.11:443 | https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | unknown | binary, 564 b | whitelisted
(not attributed) | GET 200 | 104.126.37.169:443 | https://copilot.microsoft.com/c/api/user/eligibility | unknown | binary, 25 b | whitelisted
3460 | msedge.exe | GET 200 | 150.171.27.11:80 | http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:R1Zu6DApnC3l2Fi7YIgo4aTw0EuNu5RxFOpg_4rae7Y&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | unknown | whitelisted

Connections

First rows shown (PID | process | IP:port | domain | ASN | CN | reputation). The System entries on UDP 137/138 are NetBIOS name-service and datagram broadcasts to the local subnet; the rest is the same Windows servicing traffic as above.

4 | System | 192.168.100.255:137 | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2792 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2792 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

First rows of 211 shown (domain: resolved addresses, reputation). dt.hebchengjiu.com is the only query with unknown reputation and no address listed; the report does not attribute it to a PID, so it is the first item to pivot on in the full PCAP. hao.360.cn and hao.360.com are explained by the Edge launch the sample performs (PID 1080, --single-argument http://hao.360.cn/...); the remaining names are Windows and Edge background traffic.

settings-win.data.microsoft.com: 40.127.240.158 (whitelisted)
google.com: 142.250.184.206 (whitelisted)
dt.hebchengjiu.com: no address listed (unknown)
crl.microsoft.com: 23.53.40.178, 23.53.40.176 (whitelisted)
www.microsoft.com: 184.30.21.171 (whitelisted)
edge.microsoft.com: 150.171.27.11, 150.171.28.11 (whitelisted)
config.edge.skype.com: 52.123.243.78, 52.123.243.208, 52.123.243.207, 52.123.243.90, 52.123.243.67, 52.123.224.69, 52.123.243.202, 52.123.243.222 (whitelisted)
hao.360.cn: 101.198.2.134 (whitelisted)
copilot.microsoft.com: 104.126.37.169, 104.126.37.136 (whitelisted)
hao.360.com: 106.63.24.67 (whitelisted)

Threats (network IDS alerts)

No threats detected: no network signature fired during the run. This does not contradict the malicious verdict, which rests on the BLACKMOON YARA match on the sample and on the dropped mldxkh.exe, not on network traffic.
No debug info