File name: MasculineUnban_EARLY_BETA.exe

Full analysis: https://app.any.run/tasks/3935c949-abb2-4222-a7de-f0bee3b55d47
Verdict: Malicious activity
Analysis date: May 16, 2025, 15:33:08
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: amifldrv64-sys, vuln-driver
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5: ACAFC89FE5F6EFE9701AE037A7FF3690
SHA1: 7AC0C75C25129FCDA88AB4F3D3C8EB5BEB38D45F
SHA256: E18FF240D3D8A5773515E6E61FA119D909530FD232DAD719A479CC44842BD1A4
SSDEEP: 98304:v0RzFU1J9HrOcFbOuSeORxedrjRFHOXonqpWvWc2QDtBH0a+U+WhNWg+hwyJQ0li:FCmDVzPNyS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Vulnerable driver has been detected

      • MasculineUnban_EARLY_BETA.exe (PID: 5056)
    • Antivirus name has been found in the command line (generic signature)

      • reset2-Hardware Rescan after Adapter reset.exe (PID: 6148)
      • cmd.exe (PID: 6244)
    • Executing a file with an untrusted certificate

      • Volumeid64.exe (PID: 1912)
    • Changes the autorun value in the registry

      • AppleCleaner.exe (PID: 4336)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • MasculineUnban_EARLY_BETA.exe (PID: 5056)
    • Drops a system driver (possible attempt to evade defenses)

      • MasculineUnban_EARLY_BETA.exe (PID: 5056)
    • The process creates files with name similar to system file names

      • MasculineUnban_EARLY_BETA.exe (PID: 5056)
    • Starts CMD.EXE for commands execution

      • MasculineUnban_EARLY_BETA.exe (PID: 5056)
      • reset2-Hardware Rescan after Adapter reset.exe (PID: 6148)
      • cmd.exe (PID: 5720)
      • AppleCleaner.exe (PID: 4336)
    • Executing commands from a ".bat" file

      • MasculineUnban_EARLY_BETA.exe (PID: 5056)
      • reset2-Hardware Rescan after Adapter reset.exe (PID: 6148)
      • cmd.exe (PID: 5720)
    • Executable content was dropped or overwritten

      • MasculineUnban_EARLY_BETA.exe (PID: 5056)
    • The executable file from the user directory is run by the CMD process

      • extd.exe (PID: 5960)
      • extd.exe (PID: 5596)
      • extd.exe (PID: 516)
      • reset2-Hardware Rescan after Adapter reset.exe (PID: 6148)
      • AppleCleaner.exe (PID: 4336)
      • Volumeid64.exe (PID: 1912)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5720)
      • cmd.exe (PID: 5384)
      • cmd.exe (PID: 4172)
    • Application launched itself

      • cmd.exe (PID: 5720)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6488)
      • cmd.exe (PID: 4336)
    • Stops a currently running service

      • sc.exe (PID: 6108)
      • sc.exe (PID: 7052)
      • sc.exe (PID: 2092)
      • sc.exe (PID: 4728)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5720)
      • cmd.exe (PID: 4172)
    • Manipulates environment variables

      • powershell.exe (PID: 5008)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 5384)
      • cmd.exe (PID: 2644)
      • cmd.exe (PID: 1616)
      • cmd.exe (PID: 744)
      • cmd.exe (PID: 4464)
    • Uses WMIC.EXE to obtain physical disk drive information

      • cmd.exe (PID: 4172)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 5384)
      • cmd.exe (PID: 2644)
    • Uses WMIC.EXE

      • cmd.exe (PID: 4172)
    • Uses WMIC.EXE to obtain volume information

      • cmd.exe (PID: 4172)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 960)
    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 4172)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 4172)
    • Accesses system license id via WMI (SCRIPT)

      • WMIC.exe (PID: 4200)
    • Accesses current user name via WMI (SCRIPT)

      • WMIC.exe (PID: 1132)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 4172)
    • Accesses computer name via WMI (SCRIPT)

      • WMIC.exe (PID: 4620)
    • Starts NET.EXE to manage network resources

      • cmd.exe (PID: 4172)
      • net.exe (PID: 2904)
      • net.exe (PID: 6808)
    • Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

      • cmd.exe (PID: 4172)
    • Uses WMIC.EXE to obtain BIOS management information

      • cmd.exe (PID: 4172)
    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 4172)
    • Uses WMIC.EXE to obtain information about the network interface controller

      • cmd.exe (PID: 4172)
    • Uses WMIC.EXE to obtain memory chip information

      • cmd.exe (PID: 4172)
    • Hides command output

      • cmd.exe (PID: 1616)
      • cmd.exe (PID: 4464)
      • cmd.exe (PID: 744)
    • Reads the BIOS version

      • AppleCleaner.exe (PID: 4336)
    • Reads the Windows owner or organization settings

      • AppleCleaner.exe (PID: 4336)
    • Detected use of alternative data streams (AltDS)

      • AppleCleaner.exe (PID: 4336)
  • INFO

    • Checks supported languages

      • MasculineUnban_EARLY_BETA.exe (PID: 5056)
      • extd.exe (PID: 5960)
      • extd.exe (PID: 5596)
      • extd.exe (PID: 516)
      • reset2-Hardware Rescan after Adapter reset.exe (PID: 6148)
      • devcon.exe (PID: 2564)
      • AppleCleaner.exe (PID: 4336)
      • Volumeid64.exe (PID: 1912)
      • identity_helper.exe (PID: 7840)
    • Create files in a temporary directory

      • MasculineUnban_EARLY_BETA.exe (PID: 5056)
      • reset2-Hardware Rescan after Adapter reset.exe (PID: 6148)
    • The sample compiled with english language support

      • MasculineUnban_EARLY_BETA.exe (PID: 5056)
    • Creates files or folders in the user directory

      • MasculineUnban_EARLY_BETA.exe (PID: 5056)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5988)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4724)
      • WMIC.exe (PID: 4112)
      • WMIC.exe (PID: 1228)
      • WMIC.exe (PID: 736)
      • WMIC.exe (PID: 4300)
      • WMIC.exe (PID: 960)
      • WMIC.exe (PID: 4200)
      • WMIC.exe (PID: 1132)
      • WMIC.exe (PID: 4728)
      • WMIC.exe (PID: 2800)
      • WMIC.exe (PID: 4620)
      • WMIC.exe (PID: 1240)
      • WMIC.exe (PID: 2772)
      • WMIC.exe (PID: 1388)
      • WMIC.exe (PID: 1040)
      • WMIC.exe (PID: 5228)
      • WMIC.exe (PID: 1056)
      • WMIC.exe (PID: 6272)
      • WMIC.exe (PID: 4336)
    • Reads Windows Product ID

      • reg.exe (PID: 4272)
      • AppleCleaner.exe (PID: 4336)
    • Process checks whether UAC notifications are on

      • AppleCleaner.exe (PID: 4336)
    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 2140)
    • Reads the time zone

      • AppleCleaner.exe (PID: 4336)
    • Reads the computer name

      • identity_helper.exe (PID: 7840)
      • AppleCleaner.exe (PID: 4336)
    • Application launched itself

      • msedge.exe (PID: 2984)
      • msedge.exe (PID: 7052)
    • Reads Environment values

      • AppleCleaner.exe (PID: 4336)
      • identity_helper.exe (PID: 7840)
    • Reads the machine GUID from the registry

      • AppleCleaner.exe (PID: 4336)
    • Manual execution by a user

      • msedge.exe (PID: 7052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2019:07:30 08:52:08+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware
PEType: PE32+
LinkerVersion: 2.5
CodeSize: 92672
InitializedDataSize: 6263296
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 316
Monitored processes: 182
Malicious processes: 6
Suspicious processes: 3

Behavior graph

[Interactive process graph not reproduced. Its flattened node labels showed the chain starting at masculineunban_early_beta.exe and fanning out through conhost.exe, cmd.exe, extd.exe, reset2-hardware rescan after adapter reset.exe, reg.exe, find.exe, findstr.exe, devcon.exe, powershell.exe, choice.exe, taskkill.exe, sc.exe, ping.exe, wmic.exe, net.exe, net1.exe, getmac.exe, volumeid64.exe, applecleaner.exe, msedge.exe, identity_helper.exe and slui.exe; the process details are listed in the Process information section below.]

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID 516 | CMD: C:\Users\admin\AppData\Local\Temp\B9EB.tmp\B9EC.tmp\extd.exe "/center" "" "" "" "" "" "" "" "" | Path: C:\Users\admin\AppData\Local\Temp\B9EB.tmp\B9EC.tmp\extd.exe | Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images): c:\users\admin\appdata\local\temp\b9eb.tmp\b9ec.tmp\extd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll

PID 672 | CMD: reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f | Path: C:\Windows\System32\reg.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll

PID 672 | CMD: REG QUERY HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId | Path: C:\Windows\System32\reg.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll

PID 684 | CMD: reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\Disconnected" /v GUID /t REG_SZ | Path: C:\Windows\System32\reg.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll

PID 728 | CMD: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /va /f | Path: C:\Windows\System32\reg.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll

PID 732 | CMD: reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\Connected" /v GUID /t REG_SZ | Path: C:\Windows\System32\reg.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll

PID 736 | CMD: wmic logicaldisk get volumeserialnumber | Path: C:\Windows\System32\wbem\WMIC.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\wbem\wmic.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\iphlpapi.dll, c:\windows\system32\framedynos.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll

PID 744 | CMD: reg query "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionInventoryVersionGUID_DONOTUSEINSTORE" /v value /t REG_SZ | Path: C:\Windows\System32\reg.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll

PID 744 | CMD: C:\WINDOWS\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1 | Path: C:\Windows\System32\cmd.exe | Parent process: AppleCleaner.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll

PID 812 | CMD: findstr /C:"Full Computer name" | Path: C:\Windows\System32\findstr.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (QGREP) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\findstr.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll
Total events: 21 980
Read events: 21 825
Write events: 150
Delete events: 5

Modification events

Columns: PID / Process | Key | Operation | Name | Value

5556 reg.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Power | write | HiberbootEnabled | 0
2800 reg.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | delete value | EpicGamesLauncher | (empty)
2564 reg.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName | write | ComputerName | 19529
6488 reg.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName | write | ComputerName | 30499
1912 Volumeid64.exe | HKEY_CURRENT_USER\SOFTWARE\Sysinternals\VolumeID | write | EulaAccepted | 1
2040 cmd.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | write | SlowContextMenuEntries | 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
2040 cmd.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | (empty)
2040 cmd.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
2040 cmd.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
2984 msedge.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon | write | failed_count | 0
Executable files: 25
Suspicious files: 212
Text files: 53
Unknown types: 1

Dropped files

Columns: PID | Process | Filename | Type (with MD5 / SHA256 on the following line)

5056 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Local\Temp\B9EB.tmp\B9EC.tmp\extd.exe | executable
MD5: C14CE13AB09B4829F67A879D735A10A1 / SHA256: EF2699BA677FCDB8A3B70A711A59A5892D8439E108E3AC4D27A7F946C4D01A4A
5056 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Roaming\1-cleaner.bat | text
MD5: 94380E226AFD2EF08D4847986EFFA082 / SHA256: F5C0FE7711A2AF390FEB6D8CEE4E2C7D52FEFB5047DE05EF905AF887698CDD1D
5056 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Local\Temp\B9EB.tmp\B9EC.tmp\B9ED.bat | text
MD5: E1B05D54655CB15573784BB2B4C6B691 / SHA256: 8F4058ADA426F29710437D2BB78A68C989FA9A506769C694BC945CE57EEF75AC
5056 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Roaming\Cleaner8.exe | executable
MD5: 3546548BE0B0940C52EC881D48404818 / SHA256: DEC2A16531A09D05F1AE64A21C35D53CEC5998BE22C16A88B2E8B4A36878DB9A
5056 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Roaming\1-RUNFIRST.exe | executable
MD5: 6FBE881F1D6480E2E15D3EBE0F493D2D / SHA256: 49B84540D5B4B8D2344C25EDB042E216592DD1DC78A5C00F2AD9457442C4581C
5056 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Roaming\doh.txt | text
MD5: CC3D2AA67E142AC72004123118D551A9 / SHA256: A32D90C40E283B3F1DA8482452FC566A9BCB7F0A309451D4BA7844FD1EBC3D39
5056 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Roaming\AppleCleaner.exe | executable
MD5: DA2176757B2FEAD6539243B42057CB3C / SHA256: 1A62ED192FF4A7BD746FA24C8D7CD96578A4C7E9F0D4A6651A2A3D0BAFF9C433
5056 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Roaming\moreCLEANhardware.exe | executable
MD5: F0774075F208E06CB4FA5449720A9BCE / SHA256: D6624BDB30189E618CBCAF195A06CC6A20BAA114C727B301319864E8B3366A9E
5056 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Roaming\1-spoofer.bat | text
MD5: 6BAAF74862BD68849ADC91B8160E5DF3 / SHA256: AD5A2EF7ED4ED98186AE7E6F32FD58D5E7321989A6427D73002A474ED9968DA6
5056 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Roaming\cleanerOLD1.exe | executable
MD5: 59A7CE7A4D30E28E6BC356263693EB98 / SHA256: 390257A0360C025E42F0DB4C4826C3EA192E99A68C7AFCC548A8956F828F6379
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 41
DNS requests: 42
Threats: 5

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (PID, Process, Type and Size were not captured for the first two rows)

| | GET | 200 | 23.216.77.36:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
| | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5552 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted
5552 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | | | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (blank cells were not captured in the original table)

4 | System | 192.168.100.255:137 | | | | whitelisted
| | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 23.216.77.36:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
| | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
5552 | SIHClient.exe | 20.109.210.53:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5552 | SIHClient.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5552 | SIHClient.exe | 40.69.42.241:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Columns: Domain | Resolved IP(s) | Reputation

settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
crl.microsoft.com | 23.216.77.36, 23.216.77.4, 23.216.77.39, 23.216.77.7, 23.216.77.25, 23.216.77.31, 23.216.77.41, 23.216.77.6, 23.216.77.43 | whitelisted
www.microsoft.com | 69.192.161.161 | whitelisted
google.com | 142.250.185.174 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
www.google.com | 142.250.186.164 | whitelisted
slscr.update.microsoft.com | 20.109.210.53 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
applecheats.cc | 104.21.96.1, 104.21.16.1, 104.21.64.1, 104.21.48.1, 104.21.112.1, 104.21.80.1, 104.21.32.1 | unknown

Threats

Columns: PID | Process | Class | Message

6436 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
6436 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
6436 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
6436 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
6436 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
No debug info