File name:

MasculineUnban_EARLY_BETA.exe

Full analysis: https://app.any.run/tasks/b90d8a13-478b-4391-9479-c88badcdab26
Verdict: Malicious activity
Analysis date: May 16, 2025, 15:35:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
amifldrv64-sys
vuln-driver
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

ACAFC89FE5F6EFE9701AE037A7FF3690

SHA1:

7AC0C75C25129FCDA88AB4F3D3C8EB5BEB38D45F

SHA256:

E18FF240D3D8A5773515E6E61FA119D909530FD232DAD719A479CC44842BD1A4

SSDEEP:

98304:v0RzFU1J9HrOcFbOuSeORxedrjRFHOXonqpWvWc2QDtBH0a+U+WhNWg+hwyJQ0li:FCmDVzPNyS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Vulnerable driver has been detected

      • MasculineUnban_EARLY_BETA.exe (PID: 6480)
    • Antivirus name has been found in the command line (generic signature)

      • reset2-Hardware Rescan after Adapter reset.exe (PID: 4696)
      • cmd.exe (PID: 864)
  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • MasculineUnban_EARLY_BETA.exe (PID: 6480)
    • Executable content was dropped or overwritten

      • MasculineUnban_EARLY_BETA.exe (PID: 6480)
    • Process drops legitimate windows executable

      • MasculineUnban_EARLY_BETA.exe (PID: 6480)
    • Executing commands from a ".bat" file

      • MasculineUnban_EARLY_BETA.exe (PID: 6480)
      • reset2-Hardware Rescan after Adapter reset.exe (PID: 4696)
    • The process creates files with name similar to system file names

      • MasculineUnban_EARLY_BETA.exe (PID: 6480)
    • The executable file from the user directory is run by the CMD process

      • extd.exe (PID: 6040)
      • extd.exe (PID: 7148)
      • extd.exe (PID: 6728)
      • reset2-Hardware Rescan after Adapter reset.exe (PID: 4696)
    • Starts CMD.EXE for commands execution

      • MasculineUnban_EARLY_BETA.exe (PID: 6480)
      • cmd.exe (PID: 5304)
      • reset2-Hardware Rescan after Adapter reset.exe (PID: 4696)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5304)
    • Application launched itself

      • cmd.exe (PID: 5304)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1164)
      • cmd.exe (PID: 1812)
    • Manipulates environment variables

      • powershell.exe (PID: 6132)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5304)
  • INFO

    • Create files in a temporary directory

      • MasculineUnban_EARLY_BETA.exe (PID: 6480)
      • reset2-Hardware Rescan after Adapter reset.exe (PID: 4696)
    • Checks supported languages

      • MasculineUnban_EARLY_BETA.exe (PID: 6480)
      • extd.exe (PID: 6040)
      • extd.exe (PID: 7148)
      • extd.exe (PID: 6728)
      • reset2-Hardware Rescan after Adapter reset.exe (PID: 4696)
      • devcon.exe (PID: 4608)
    • Creates files or folders in the user directory

      • MasculineUnban_EARLY_BETA.exe (PID: 6480)
    • The sample compiled with english language support

      • MasculineUnban_EARLY_BETA.exe (PID: 6480)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2019:07:30 08:52:08+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware
PEType: PE32+
LinkerVersion: 2.5
CodeSize: 92672
InitializedDataSize: 6263296
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes
153
Monitored processes
25
Malicious processes
2
Suspicious processes
1

Behavior graph

  • start
  • masculineunban_early_beta.exe (THREAT)
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • extd.exe (no specs)
  • extd.exe (no specs)
  • extd.exe (no specs)
  • reset2-hardware rescan after adapter reset.exe (no specs)
  • conhost.exe (no specs)
  • reg.exe (no specs)
  • cmd.exe (no specs)
  • find.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • devcon.exe (no specs)
  • powershell.exe (no specs)
  • sppextcomobj.exe (no specs)
  • slui.exe (no specs)
  • cmd.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • powershell.exe (no specs)
  • cmd.exe (no specs)
  • findstr.exe (no specs)
  • choice.exe (no specs)
  • masculineunban_early_beta.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 864
CMD: "C:\WINDOWS\sysnative\cmd" /c "C:\Users\admin\AppData\Local\Temp\C1FA.tmp\C1FB.tmp\C1FC.bat "C:\Users\admin\AppData\Roaming\reset2-Hardware Rescan after Adapter reset.exe""
Path: C:\Windows\System32\cmd.exe
Parent process: reset2-Hardware Rescan after Adapter reset.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID: 904
CMD: "C:\Users\admin\AppData\Local\Temp\MasculineUnban_EARLY_BETA.exe"
Path: C:\Users\admin\AppData\Local\Temp\MasculineUnban_EARLY_BETA.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\masculineunban_early_beta.exe
c:\windows\system32\ntdll.dll
PID: 960
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: MasculineUnban_EARLY_BETA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1164
CMD: C:\WINDOWS\system32\cmd.exe /c powershell $env:firmware_type
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1676
CMD: C:\WINDOWS\system32\cmd.exe /S /D /c" echo."
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1760
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 1812
CMD: C:\WINDOWS\system32\cmd.exe /c powershell Confirm-SecureBootUEFI
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 2320
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reset2-Hardware Rescan after Adapter reset.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2692
CMD: powershell Confirm-SecureBootUEFI
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 4040
CMD: findstr /C:"True"
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
Total events
9 302
Read events
9 301
Write events
1
Delete events
0

Modification events

(PID) Process: (6712) reg.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Power
Operation: write
Name: HiberbootEnabled
Value: 0
Executable files
16
Suspicious files
1
Text files
18
Unknown types
0

Dropped files

PID | Process | Filename | Type
6480 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Roaming\1-RUNFIRST.exe | executable
MD5: 6FBE881F1D6480E2E15D3EBE0F493D2D
SHA256: 49B84540D5B4B8D2344C25EDB042E216592DD1DC78A5C00F2AD9457442C4581C
6480 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Local\Temp\BCBA.tmp\BCBB.tmp\BCBC.bat | text
MD5: 1FF9320EF924E1E92D09F88E35E949DC
SHA256: 4E5A6C2219E513FD707259C63B50B0A469EFF2E211951F5536B54CA715C17F9E
6480 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Local\Temp\BCBA.tmp\BCBB.tmp\extd.exe | executable
MD5: C14CE13AB09B4829F67A879D735A10A1
SHA256: EF2699BA677FCDB8A3B70A711A59A5892D8439E108E3AC4D27A7F946C4D01A4A
6480 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Roaming\doh.txt | text
MD5: CC3D2AA67E142AC72004123118D551A9
SHA256: A32D90C40E283B3F1DA8482452FC566A9BCB7F0A309451D4BA7844FD1EBC3D39
6480 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Roaming\Cleaner8.exe | executable
MD5: 3546548BE0B0940C52EC881D48404818
SHA256: DEC2A16531A09D05F1AE64A21C35D53CEC5998BE22C16A88B2E8B4A36878DB9A
6480 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Roaming\dd.dll | executable
MD5: CBE4163CAAB5AE09FA1E03B87B491380
SHA256: E982CB681DD366D5F83FA3C17C2E1929611479507C9247D063E47ACE0C971ACA
6480 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Roaming\cleanerOLD1.exe | executable
MD5: 59A7CE7A4D30E28E6BC356263693EB98
SHA256: 390257A0360C025E42F0DB4C4826C3EA192E99A68C7AFCC548A8956F828F6379
6480 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Roaming\AppleCleaner.exe | executable
MD5: DA2176757B2FEAD6539243B42057CB3C
SHA256: 1A62ED192FF4A7BD746FA24C8D7CD96578A4C7E9F0D4A6651A2A3D0BAFF9C433
6480 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Roaming\DevManView.exe | executable
MD5: A40C2A412F6900609E130B81C3388FAE
SHA256: 921005D00F7BB55B4DD73A4D81D777BA1AF3C65DD53BAE0E06D8526586F5794A
6480 | MasculineUnban_EARLY_BETA.exe | C:\Users\admin\AppData\Roaming\1-cleaner.bat | text
MD5: 94380E226AFD2EF08D4847986EFFA082
SHA256: F5C0FE7711A2AF390FEB6D8CEE4E2C7D52FEFB5047DE05EF905AF887698CDD1D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
20
DNS requests
11
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 23.216.77.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
5376 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
5376 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.216.77.35:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.159.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.216.77.35
  • 23.216.77.7
  • 23.216.77.11
  • 23.216.77.5
  • 23.216.77.4
  • 23.216.77.10
  • 23.216.77.41
  • 23.216.77.42
  • 23.216.77.34
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.0
  • 40.126.31.71
  • 40.126.31.0
  • 40.126.31.129
  • 40.126.31.67
  • 20.190.159.71
  • 20.190.159.4
  • 40.126.31.2
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

No threats detected
No debug info