File name:

Birely.zip

Full analysis: https://app.any.run/tasks/49527bc1-b7f0-4495-813b-c4e5bba1bc93
Verdict: Malicious activity
Threats:

Ransomware is malicious software that locks users out of their system or data in order to extort a ransom. Most often such programs encrypt files on the infected machine and demand payment in exchange for the decryption key; some families also steal sensitive information from the compromised host or mount DDoS attacks against the victim organisation to add pressure to pay. In this run the ransomware classification rests on the Suricata signature (ET MALWARE Ransom.Win32.Birele.gsg Checkin) and the Neconyd/BIRELE detections; the behaviour actually captured is persistence through an autorun registry value, copies of the sample dropped into C:\Users\admin\AppData\Roaming, and an HTTP check-in to the C2 host, with no file encryption or deletion recorded (0 delete events).

Analysis date: June 21, 2025, 09:09:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
neconyd
ransomware
birele
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:

8DB2734F17511ADDB289117230F4941D

SHA1:

78D54710EF8869AC1FDCB3758A5A53158C129584

SHA256:

096113B6A7034DEB70BD47F644CD810AB415061F0DB2320B1F8555742F3400BB

SSDEEP:

3072:1OV8tieztV168Z7WNyfGVQvtaYf3QZuFjQ4afl6/:Mi/TmBG5jk36

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be distorted by user actions and is provided as is, for information only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 4884)
      • 7pbgy.exe (PID: 6492)
    • Neconyd has been detected

      • c7pai617.exe (PID: 5900)
    • BIRELE has been detected (SURICATA)

      • c7pai617.exe (PID: 5900)
    • Connects to the CnC server

      • c7pai617.exe (PID: 5900)
  • SUSPICIOUS

    • Application launched itself

      • 2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6656)
      • 7pbgy.exe (PID: 3672)
      • c7pai617.exe (PID: 1812)
    • Executable content was dropped or overwritten

      • 2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 4884)
      • 7pbgy.exe (PID: 6492)
    • Executes application which crashes

      • 2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6656)
      • 7pbgy.exe (PID: 3672)
      • c7pai617.exe (PID: 1812)
    • Reads security settings of Internet Explorer

      • c7pai617.exe (PID: 5900)
    • Contacting a server suspected of hosting a CnC

      • c7pai617.exe (PID: 5900)
  • INFO

    • Checks supported languages

      • 2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6656)
      • 2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 4884)
      • 7pbgy.exe (PID: 3672)
      • 7pbgy.exe (PID: 6492)
      • c7pai617.exe (PID: 1812)
      • c7pai617.exe (PID: 5900)
    • The sample was compiled with English language support

      • WinRAR.exe (PID: 1068)
      • 2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 4884)
      • 7pbgy.exe (PID: 6492)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1068)
    • Creates files or folders in the user directory

      • 2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 4884)
      • 7pbgy.exe (PID: 6492)
      • WerFault.exe (PID: 2468)
      • WerFault.exe (PID: 6404)
      • WerFault.exe (PID: 4844)
      • c7pai617.exe (PID: 5900)
    • Manual execution by a user

      • 2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6656)
    • Launching a file from a Registry key

      • 2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 4884)
      • 7pbgy.exe (PID: 6492)
    • Reads the computer name

      • c7pai617.exe (PID: 5900)
    • Checks proxy server information

      • c7pai617.exe (PID: 5900)
      • WerFault.exe (PID: 6404)
      • WerFault.exe (PID: 2468)
      • WerFault.exe (PID: 4844)
      • slui.exe (PID: 3668)
    • Reads the software policy settings

      • WerFault.exe (PID: 4844)
      • WerFault.exe (PID: 2468)
      • WerFault.exe (PID: 6404)
      • slui.exe (PID: 3668)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 51 (version needed to extract 5.1, the minimum WinZip AES entries declare)
ZipBitFlag: 0x0009 (bit 0: entry is encrypted; bit 3: a data descriptor follows the data, so the local header's CRC and size fields may be zero and the authoritative values are in the central directory)
ZipCompression: Unknown (99) (method 99 is the WinZip AES encryption wrapper; the real compression method is carried in the 0x9901 extra field)
ZipModifyDate: 2025:06:21 08:08:26
ZipCRC: 0xfa917e38
ZipCompressedSize: 96714
ZipUncompressedSize: 131072
ZipFileName: 2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop
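The ExifTool fields above are read straight from the entry's local file header. The parser below is an added example, not part of the ANY.RUN report or of the archive: it decodes the header fields ExifTool shows, walks the extra-field list for the WinZip AES record (ID 0x9901) that method 99 implies, and is run on a constructed header that mirrors the values above (required version 51, flags 0x0009, method 99, CRC 0xfa917e38, sizes 96714/131072, modify time 2025-06-21 08:08:26 packed into DOS date/time). The contents of the AES record (vendor version AE-1, AES-256, Deflate as the underlying method) are assumptions, because the report does not print them.

```python
import struct
from datetime import datetime

LOCAL_HEADER_SIG = 0x04034B50
AES_EXTRA_ID = 0x9901        # WinZip AES extra-field header ID
AES_METHOD = 99              # "compression method" 99 = WinZip AES encryption wrapper
AES_STRENGTH_BITS = {1: 128, 2: 192, 3: 256}
METHOD_NAMES = {0: "stored", 8: "deflate", 9: "deflate64", 12: "bzip2",
                14: "lzma", 93: "zstd", 95: "xz", 99: "aes"}


def dos_datetime(dos_date: int, dos_time: int) -> datetime:
    """Decode the packed MS-DOS date/time stored in ZIP headers (2-second resolution)."""
    return datetime(1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
                    dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def parse_local_header(buf: bytes) -> dict:
    """Parse one ZIP local file header plus its extra fields and detect WinZip AES."""
    (sig, ver, flags, method, dtime, ddate, crc, csize, usize,
     name_len, extra_len) = struct.unpack_from("<IHHHHHIIIHH", buf, 0)
    if sig != LOCAL_HEADER_SIG:
        raise ValueError("not a local file header")
    name = buf[30:30 + name_len]
    extra = buf[30 + name_len:30 + name_len + extra_len]
    info = {
        "version_needed": ver,                         # 51 -> "5.1"
        "version_str": f"{ver // 10}.{ver % 10}",
        "flags": flags,
        "encrypted": bool(flags & 0x0001),             # bit 0: entry is encrypted
        "has_data_descriptor": bool(flags & 0x0008),   # bit 3: CRC/sizes may be 0 here; see central directory
        "method": method,
        "method_name": METHOD_NAMES.get(method, f"unknown ({method})"),
        "mtime": dos_datetime(ddate, dtime),
        "crc32": crc,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "filename": name.decode("utf-8" if flags & 0x0800 else "cp437"),
        "aes": None,
    }
    # Extra fields are a sequence of (id, size, body) records.
    off = 0
    while off + 4 <= len(extra):
        xid, xsize = struct.unpack_from("<HH", extra, off)
        body = extra[off + 4:off + 4 + xsize]
        if xid == AES_EXTRA_ID and xsize == 7:
            vendor_ver, vendor_id, strength, actual = struct.unpack("<H2sBH", body)
            info["aes"] = {
                "vendor_version": vendor_ver,          # 1 = AE-1 (CRC kept), 2 = AE-2 (CRC zeroed)
                "vendor_id": vendor_id.decode("ascii"),
                "strength_bits": AES_STRENGTH_BITS.get(strength),
                "actual_method": METHOD_NAMES.get(actual, f"unknown ({actual})"),
            }
        off += 4 + xsize
    if method == AES_METHOD and info["aes"] is None:
        info["method_name"] = "aes (0x9901 extra field missing: malformed)"
    return info


def build_sample_header() -> bytes:
    """Constructed local header mirroring the ExifTool fields of the analysed archive.
    The AES extra field (AE-1, AES-256, deflate inside) is an assumption."""
    name = (b"2025-06-21_c438ba2861bffd304967154b9c96aa98_"
            b"amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop")
    extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 1, b"AE", 3, 8)
    header = struct.pack("<IHHHHHIIIHH", LOCAL_HEADER_SIG, 51, 0x0009, AES_METHOD,
                         0x410D, 0x5AD5,              # 08:08:26 on 2025-06-21, DOS-packed
                         0xFA917E38, 96714, 131072, len(name), len(extra))
    return header + name + extra


if __name__ == "__main__":
    for key, value in parse_local_header(build_sample_header()).items():
        print(f"{key:20} {value}")
```

Two triage points follow from the header: the entry name is stored in clear even though the content is encrypted, which is why the file name inside a password-protected archive can be read without the password; and Python's zipfile module can list such an archive but cannot decrypt method 99, so extraction for analysis needs 7-Zip or WinRAR with the password.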
No data.
All screenshots are available in the full report
Total processes
158
Monitored processes
12
Malicious processes
5
Suspicious processes
1

Behavior graph

Process tree reconstructed from the parent-process columns and the "Application launched itself" / "Launching a file from a Registry key" signatures in this report. Below, sample.exe stands for 2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe; PIDs 6656 and 6492 appear in the graph but have no detail row in this excerpt.

explorer.exe
└─ WinRAR.exe (PID 1068): opens C:\Users\admin\Desktop\Birely.zip; executable content dropped (the extracted sample.exe on the desktop)
sample.exe (PID 6656): started manually by the analyst; launches itself; crashes, reported by WerFault.exe (PID 6404, "-p 6656")
└─ sample.exe (PID 4884): changes the autorun value in the registry; drops C:\Users\admin\AppData\Roaming\7pbgy.exe and launches it from a Registry key
   └─ 7pbgy.exe (PID 3672): launches itself; crashes with exit code 0xC0000096, reported by WerFault.exe (PID 2468, "-p 3672")
      └─ 7pbgy.exe (PID 6492): changes the autorun value in the registry; drops executable content and launches a file from a Registry key
         └─ c7pai617.exe (PID 1812): launches itself; crashes with exit code 0xC0000096, reported by WerFault.exe (PID 4844, "-p 1812")
            └─ c7pai617.exe (PID 5900): Neconyd / BIRELE detected; HTTP check-in to ow5dirasuek.com (CnC)
services.exe
└─ svchost.exe (PID 2200, -k NetworkService -s Dnscache)
svchost.exe
└─ slui.exe (PID 3668, Windows Activation Client)

Process information

Each entry lists PID, command line (CMD), image path, and parent process, followed by user, company, integrity level, exit code, version, and the first loaded modules. Ten of the twelve monitored processes have a row here; PIDs 6656 and 6492 do not.
PID: 1068
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Birely.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1812
CMD: C:\Users\admin\AppData\Roaming\c7pai617.exe
Path: C:\Users\admin\AppData\Roaming\c7pai617.exe
Parent process: 7pbgy.exe
User:
admin
Integrity Level:
MEDIUM
Description:
LKuds cl ssd
Exit code:
3221225622 (0xC0000096, STATUS_PRIVILEGED_INSTRUCTION: the process was terminated for executing a privileged instruction in user mode)
Version:
0, 1, 2, 0
Modules
Images
c:\users\admin\appdata\roaming\c7pai617.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2468
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 3672 -s 388
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 7pbgy.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 3668
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3672
CMD: C:\Users\admin\AppData\Roaming\7pbgy.exe
Path: C:\Users\admin\AppData\Roaming\7pbgy.exe
Parent process: 2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
User:
admin
Integrity Level:
MEDIUM
Description:
LKuds cl ssd
Exit code:
3221225622 (0xC0000096, STATUS_PRIVILEGED_INSTRUCTION: the process was terminated for executing a privileged instruction in user mode)
Version:
0, 1, 2, 0
Modules
Images
c:\users\admin\appdata\roaming\7pbgy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4844
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1812 -s 320
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: c7pai617.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 4884
CMD: C:\Users\admin\Desktop\2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
Path: C:\Users\admin\Desktop\2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
Parent process: 2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
User:
admin
Integrity Level:
MEDIUM
Description:
LKuds cl ssd
Exit code:
0
Version:
0, 1, 2, 0
Modules
Images
c:\users\admin\desktop\2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 5900
CMD: C:\Users\admin\AppData\Roaming\c7pai617.exe
Path: C:\Users\admin\AppData\Roaming\c7pai617.exe
Parent process: c7pai617.exe
User:
admin
Integrity Level:
MEDIUM
Description:
LKuds cl ssd
Version:
0, 1, 2, 0
Modules
Images
c:\users\admin\appdata\roaming\c7pai617.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 6404
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6656 -s 400
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
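The three WerFault.exe instances above carry the PID of the process they report on (-p 3672, -p 1812, -p 6656), and two of the sample's children exit with 3221225622, which is NTSTATUS 0xC0000096 (STATUS_PRIVILEGED_INSTRUCTION). The script below is an added example, not part of the ANY.RUN report: it transcribes the process rows into a small table, pairs each WerFault instance with the PID it was launched for, and decodes NTSTATUS exit codes, so the crash chain can be read off without the graph. Rows are copied from this report's process table; a crashed PID that has no row in the excerpt (6656) is reported as missing rather than filled in. The NTSTATUS name table is a short list of values a practitioner commonly meets, not a complete one.

```python
import re
from typing import Optional

SAMPLE = ("2025-06-21_c438ba2861bffd304967154b9c96aa98_"
          "amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe")

# (pid, image, command line, parent image, exit code or None if still running),
# transcribed from the report's "Process information" table.
PROCESSES = [
    (1068, "WinRAR.exe", r'"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Birely.zip', "explorer.exe", 0),
    (1812, "c7pai617.exe", r"C:\Users\admin\AppData\Roaming\c7pai617.exe", "7pbgy.exe", 3221225622),
    (2200, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache", "services.exe", None),
    (2468, "WerFault.exe", r"C:\WINDOWS\SysWOW64\WerFault.exe -u -p 3672 -s 388", "7pbgy.exe", 0),
    (3668, "slui.exe", r"C:\WINDOWS\System32\slui.exe -Embedding", "svchost.exe", 0),
    (3672, "7pbgy.exe", r"C:\Users\admin\AppData\Roaming\7pbgy.exe", SAMPLE, 3221225622),
    (4844, "WerFault.exe", r"C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1812 -s 320", "c7pai617.exe", 0),
    (4884, SAMPLE, "C:\\Users\\admin\\Desktop\\" + SAMPLE, SAMPLE, 0),
    (5900, "c7pai617.exe", r"C:\Users\admin\AppData\Roaming\c7pai617.exe", "c7pai617.exe", None),
    (6404, "WerFault.exe", r"C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6656 -s 400", SAMPLE, 0),
]

# NTSTATUS values that commonly surface as process exit codes in sandbox reports.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000096: "STATUS_PRIVILEGED_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000142: "STATUS_DLL_INIT_FAILED",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

WERFAULT_PID = re.compile(r"-p\s+(\d+)")


def ntstatus(exit_code: Optional[int]) -> Optional[tuple]:
    """Map a decimal exit code to (hex, name) when it is an NTSTATUS error (severity bits 11)."""
    if exit_code is None or exit_code >> 30 != 0b11:
        return None
    return (f"0x{exit_code:08X}", NTSTATUS_NAMES.get(exit_code, "unknown NTSTATUS"))


def werfault_targets(processes) -> dict:
    """{crashed pid: WerFault pid}, taken from the '-p <pid>' argument WerFault is started with."""
    targets = {}
    for pid, image, cmd, _parent, _code in processes:
        if image.lower() == "werfault.exe":
            m = WERFAULT_PID.search(cmd)
            if m:
                targets[int(m.group(1))] = pid
    return targets


def crash_summary(processes) -> list:
    """One record per crashed PID: its image and parent, the decoded exit status, and the reporting WerFault PID."""
    by_pid = {p[0]: p for p in processes}
    summary = []
    for crashed, reporter in sorted(werfault_targets(processes).items()):
        row = by_pid.get(crashed)
        summary.append({
            "pid": crashed,
            "image": row[1] if row else "(no row in this excerpt)",
            "parent": row[3] if row else None,
            "status": ntstatus(row[4]) if row else None,
            "werfault_pid": reporter,
        })
    return summary


if __name__ == "__main__":
    for record in crash_summary(PROCESSES):
        print(record)
```

The same pairing works on a live host with Sysmon or Security-log process-creation events: WerFault's `-p` argument identifies the faulting process even when the crashed process's own exit event is missing, which is exactly the situation for PID 6656 here.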
Total events
13 239
Read events
13 213
Write events
26
Delete events
0

Modification events (the write events shown in this excerpt are WinRAR's own archive-history and UI keys; the autorun value writes flagged above for PIDs 4884 and 6492 are not among them)

(PID 1068) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 3 = C:\Users\admin\Desktop\preferences.zip
(PID 1068) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 2 = C:\Users\admin\Desktop\chromium_ext.zip
(PID 1068) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 1 = C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID 1068) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 0 = C:\Users\admin\Desktop\Birely.zip
(PID 1068) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | name = 120
(PID 1068) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | size = 80
(PID 1068) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | type = 120
(PID 1068) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | mtime = 100
(PID 1068) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | ShellExtBMP = (empty)
(PID 1068) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | ShellExtIcon = (empty)
Executable files
3
Suspicious files
10
Text files
6
Unknown types
0

Dropped files

Each entry: PID and process, then the dropped path (with the file type where recorded) and the hashes where recorded.

PID 6404, WerFault.exe
  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_2025-06-21_c438b_ead193fd7d64cebe8b8de90ff17bb6b151a9_9327ac94_874467fb-9c08-4798-9e93-aa12a5ff4f86\Report.wer
  MD5:
  SHA256:
PID 2468, WerFault.exe
  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_7pbgy.exe_a57de02c7cdb5afd31ce21c2db2e154d5cffee2_ec7da068_dd5a5ae5-3c77-42c2-8a31-a3967a10ab50\Report.wer
  MD5:
  SHA256:
PID 4844, WerFault.exe
  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_c7pai617.exe_453d728169f398a7ead38d3c364adf631a9dc66_8df3759a_58e31b9f-a69a-42ab-ac94-55ad4180907e\Report.wer
  MD5:
  SHA256:
PID 2468, WerFault.exe (type: xml)
  C:\ProgramData\Microsoft\Windows\WER\Temp\WER22B7.tmp.WERInternalMetadata.xml
  MD5: 3BC01A496C9058A622B77AC1E093E260
  SHA256: 240B5280D28AC9B17A8212CB2D2D55D8E3C715CE7D32EB6BAC390F10C1F0BF04
PID 4884, 2025-06-21_c438ba2861bffd304967154b9c96aa98_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (type: executable)
  C:\Users\admin\AppData\Roaming\7pbgy.exe
  MD5: D1C457042A2E3ABD43358069E3475BAD
  SHA256: AFCD5342EAB3C2807DFC40DD100DEE5CCF8514A165E564DB3190C1B671970661
PID 4844, WerFault.exe (type: xml)
  C:\ProgramData\Microsoft\Windows\WER\Temp\WER2325.tmp.xml
  MD5: AA6C166236D5053784D637FB6FF1623D
  SHA256: 6425F11B55161442063B88F5585832E86464116BCAC6CF6319275432C2857E48
PID 6404, WerFault.exe (type: xml)
  C:\ProgramData\Microsoft\Windows\WER\Temp\WER22A7.tmp.WERInternalMetadata.xml
  MD5: D7672169CE43EFBF37C330B34BCE93B6
  SHA256: 5F45B164454B17C8708770A30B9E70BD2B05FE9E35D634B4B96523EAB3CD6C51
PID 2468, WerFault.exe (type: xml)
  C:\ProgramData\Microsoft\Windows\WER\Temp\WER22D7.tmp.xml
  MD5: 55F0F945554F42EDF53031A37D51DA17
  SHA256: 6515FABE56CD0864A0AB403D68A195CDD1617BE11F74C294B3B60E3D9466060C
PID 4844, WerFault.exe (type: binary)
  C:\ProgramData\Microsoft\Windows\WER\Temp\WER22C5.tmp.dmp
  MD5: 2A3F685864C52D343BA2032F613E893F
  SHA256: F58D469E1200E3812DFFEC9A84AC46D8A4E3A0D8BB95DF2DE052CF2B91A3A7B7
PID 4844, WerFault.exe (type: xml)
  C:\ProgramData\Microsoft\Windows\WER\Temp\WER2305.tmp.WERInternalMetadata.xml
  MD5: C487BB6146F1BBD4D5842B7BC9CF2543
  SHA256: DB140347E759D326BB38041AC24A10605416E7A7850AF831532B8ACE1B46DFED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
48
DNS requests
36
Threats
3

HTTP requests

PID | Process | Method | HTTP code | IP:port | CN | Reputation | URL
(the report's Type and Size columns are empty for every request in this excerpt)
6320 | svchost.exe | GET | 200 | 2.17.190.73:80 | unknown | whitelisted | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.18:80 | unknown | whitelisted | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.181.156:80 | unknown | whitelisted | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
2612 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | unknown | whitelisted | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
2612 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | unknown | whitelisted | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
2468 | WerFault.exe | GET | 200 | 184.25.50.8:80 | unknown | whitelisted | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
6404 | WerFault.exe | GET | 200 | 184.25.50.8:80 | unknown | whitelisted | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
2468 | WerFault.exe | GET | 200 | 95.101.149.131:80 | unknown | whitelisted | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
6404 | WerFault.exe | GET | 200 | 95.101.149.131:80 | unknown | whitelisted | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
5900 | c7pai617.exe | GET | 200 | 52.27.79.221:80 | unknown | malicious | http://ow5dirasuek.com/941/160.html

Only the last request belongs to the sample; the others are CRL and OCSP fetches by Windows components, including the WerFault instances handling the crashes, and are noise for IOC purposes.

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4040 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2336 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6320 | svchost.exe | 40.126.32.136:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6320 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.24.77.18:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

This excerpt shows 10 of the 48 recorded connections; the sample's own connection to 52.27.79.221:80 (ow5dirasuek.com) appears only in the HTTP requests and Threats sections, so use those for network IOCs.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.110
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.32.136
  • 40.126.32.133
  • 40.126.32.72
  • 20.190.160.22
  • 20.190.160.128
  • 20.190.160.2
  • 20.190.160.4
  • 20.190.160.130
  • 20.190.160.64
  • 40.126.32.68
  • 20.190.160.5
  • 20.190.160.20
  • 20.190.160.14
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.29
whitelisted
crl.microsoft.com
  • 184.24.77.18
  • 184.24.77.28
  • 184.24.77.35
  • 184.24.77.19
  • 184.24.77.31
  • 184.24.77.36
  • 184.24.77.23
  • 184.24.77.24
  • 184.24.77.22
  • 184.25.50.8
  • 184.25.50.10
whitelisted
www.microsoft.com
  • 2.23.181.156
  • 95.101.149.131
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID | Process | Class | Message
5900 | c7pai617.exe | Malware Command and Control Activity Detected | ET MALWARE Ransom.Win32.Birele.gsg Checkin
5900 | c7pai617.exe | Malware Command and Control Activity Detected | ET MALWARE Ransom.Win32.Birele.gsg Checkin
5900 | c7pai617.exe | Malware Command and Control Activity Detected | ET MALWARE Ransom.Win32.Birele.gsg Checkin
No debug info