File name: New folder.rar
Full analysis: https://app.any.run/tasks/4d57f49e-a495-4fc8-8562-b863b3f55dd5
Verdict: Malicious activity
Threats:
Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: July 20, 2024, 13:59:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: sodinokibi, revil, upx, ransomware
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 6E913EE3C7DDC48874F59BF842B04882
SHA1: D7898EAC2C77E222B25D4AF281DDA862DFC0E5E5
SHA256: 1854FBA91FEE5265875EE3B576D90FCC2375B6F27CB1B9A4F0470542DA985BCF
SSDEEP: 98304:nKyz0PuT89E2rLpUXzFEYiBCVKTp3Lp+Y9IHZBt530pQ7QpoSBjMk3CVDvsc1Yvh:W8g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3268)
      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • rar.exe (PID: 936)
      • cmd.exe (PID: 3556)
      • csiss.exe (PID: 3068)
      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Gets a file object corresponding to the file in a specified path (SCRIPT)

      • wscript.exe (PID: 1680)
    • Changes the autorun value in the registry

      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
    • SODINOKIBI has been detected (YARA)

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Actions look like stealing of personal data

      • cmd.exe (PID: 3556)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Deletes shadow copies

      • cmd.exe (PID: 656)
    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 656)
    • Sodinokibi ransom note is found

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Renames files like ransomware

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • cmd.exe (PID: 3556)
      • rar.exe (PID: 936)
      • csiss.exe (PID: 3068)
      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3556)
      • csiss.exe (PID: 3068)
    • Executing commands from a ".bat" file

      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • scrcons.exe (PID: 2076)
    • Starts CMD.EXE for commands execution

      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • cmd.exe (PID: 3556)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
      • scrcons.exe (PID: 2076)
    • Drops a self-deleting batch file

      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
    • Application launched itself

      • cmd.exe (PID: 3556)
    • Runs PING.EXE to delay execution (sleep substitute)

      • cmd.exe (PID: 2760)
    • Creates file in the systems drive root

      • cmd.exe (PID: 3556)
      • wscript.exe (PID: 1680)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • The process executes VB scripts

      • cmd.exe (PID: 3556)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 3556)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 3556)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 1680)
    • Reads security settings of Internet Explorer

      • af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe (PID: 184)
      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Reads the Internet Settings

      • af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe (PID: 184)
      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 1680)
    • There is functionality for taking screenshot (YARA)

      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
    • Executes as Windows Service

      • VSSVC.exe (PID: 1904)
    • Creates files like ransomware instruction

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Reads settings of System Certificates

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Likely accesses (executes) a file from the Public directory

      • notepad.exe (PID: 3052)
      • notepad.exe (PID: 3248)
    • Runs shell command (SCRIPT)

      • scrcons.exe (PID: 2076)
    • Adds/modifies Windows certificates

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Gets information on the list of running processes

      • cmd.exe (PID: 3696)
  • INFO

    • Reads the computer name

      • wmpnscfg.exe (PID: 3384)
      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • rar.exe (PID: 2524)
      • rar.exe (PID: 936)
      • csiss.exe (PID: 3068)
      • af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe (PID: 184)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3384)
      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • 2735c6f530b33cbb73022c7dbf3db609b4e58cc11b0f4ef7bafa8db3dcb5587a.exe (PID: 3692)
      • af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe (PID: 184)
      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
      • taskmgr.exe (PID: 2852)
      • notepad.exe (PID: 3052)
      • notepad.exe (PID: 3248)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3268)
    • Reads the machine GUID from the registry

      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Checks supported languages

      • wmpnscfg.exe (PID: 3384)
      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • rar.exe (PID: 936)
      • 2735c6f530b33cbb73022c7dbf3db609b4e58cc11b0f4ef7bafa8db3dcb5587a.exe (PID: 3692)
      • csiss.exe (PID: 3068)
      • rar.exe (PID: 2524)
      • af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe (PID: 184)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
    • Create files in a temporary directory

      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe (PID: 184)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Reads CPU info

      • csiss.exe (PID: 3068)
    • Reads Environment values

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • UPX packer has been detected

      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
    • Reads product name

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Creates files in the program directory

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Dropped object may contain TOR URLs

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Reads the software policy settings

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Reads security settings of Internet Explorer

      • scrcons.exe (PID: 2076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration (none was extracted automatically; the sample's configuration JSON is, however, visible in the debug output below).

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes
237
Monitored processes
175
Malicious processes
6
Suspicious processes
2

Behavior graph

Process launch order as listed on the page ("no specs" marks processes with no signature hits; "#SODINOKIBI" and "THREAT" are the page's own labels). taskmgr.exe is relaunched dozens of times; the process table below lists eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe as its parent.

start, winrar.exe, wmpnscfg.exe (no specs), 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe, 2735c6f530b33cbb73022c7dbf3db609b4e58cc11b0f4ef7bafa8db3dcb5587a.exe, cmd.exe, taskkill.exe (no specs), rar.exe, csiss.exe, rar.exe (no specs), taskkill.exe (no specs), cmd.exe (no specs), ping.exe (no specs), wscript.exe (no specs), cmd.exe (no specs), cacls.exe (no specs), attrib.exe (no specs), cacls.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cacls.exe (no specs), af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe, #SODINOKIBI bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe, attrib.exe (repeated, no specs), THREAT eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe, taskmgr.exe (repeated, no specs), PhotoViewer.dll (no specs), taskmgr.exe (repeated, no specs), unsecapp.exe (no specs), cmd.exe (no specs), taskmgr.exe (no specs), vssadmin.exe (no specs), vssvc.exe (no specs), taskmgr.exe (repeated, no specs), bcdedit.exe (no specs), bcdedit.exe (no specs), taskmgr.exe (repeated, no specs), notepad.exe (no specs), taskmgr.exe (repeated, no specs), notepad.exe (no specs), taskmgr.exe (repeated, no specs), scrcons.exe (no specs), taskmgr.exe (no specs), cmd.exe (no specs), tasklist.exe (no specs), find.exe (no specs), taskmgr.exe (repeated, no specs)

Process information

PID 184
CMD: "C:\Users\admin\Desktop\af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe"
Path: C:\Users\admin\Desktop\af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Modules (images): c:\users\admin\desktop\af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe; c:\windows\system32\ ntdll.dll, kernel32.dll, kernelbase.dll, user32.dll, gdi32.dll, lpk.dll, usp10.dll, msvcrt.dll, advapi32.dll

PIDs 240, 400, 444, 540, 596, 684, 764 (seven identical entries)
CMD: "C:\Windows\System32\taskmgr.exe"
Path: C:\Windows\System32\taskmgr.exe
Parent process: eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Task Manager
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\ taskmgr.exe, ntdll.dll, kernel32.dll, kernelbase.dll, advapi32.dll, msvcrt.dll, sechost.dll, rpcrt4.dll, gdi32.dll, user32.dll

PID 656
CMD: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path: C:\Windows\System32\cmd.exe
Parent process: bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images): c:\windows\system32\ cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcrt.dll, winbrand.dll, user32.dll, gdi32.dll, lpk.dll, usp10.dll

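The command line recorded for cmd.exe (PID 656) is the pre-encryption recovery-inhibition chain: vssadmin removes every shadow copy, the first bcdedit call turns off Windows Recovery for the default boot entry, and the second suppresses the boot-failure prompt that would otherwise offer a repair. As an added example (not code from the page, from ANY.RUN, or from the sample), here is detection logic that scores process-creation records for that chain and for the other LOLBins in the signature list above (taskkill, icacls/cacls, attrib). The record shape is a constructed, Sysmon-like minimum; the rule weights and the "two recovery rules" verdict threshold are this example's assumptions. The first sample record copies the PID 656 command line and parent from the process table; the two decoys are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal, constructed process-creation record (Sysmon EID 1 style)."""
    pid: int
    image: str
    parent_image: str
    command_line: str


# (rule name, weight, pattern). Weights are this example's triage assumption.
RULES = [
    ("shadow_copy_deletion", 3,
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadow_deletion", 3,
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("recovery_disabled", 3,
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored", 2,
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("process_kill", 1, re.compile(r"\btaskkill(\.exe)?\b", re.I)),
    ("acl_modification", 1, re.compile(r"\b(?:icacls|cacls)(\.exe)?\b", re.I)),
    ("attrib_modification", 1, re.compile(r"\battrib(\.exe)?\b", re.I)),
]
RECOVERY_RULES = {"shadow_copy_deletion", "wmic_shadow_deletion",
                  "recovery_disabled", "boot_failures_ignored"}
CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def split_chain(command_line):
    """Split a cmd.exe one-liner on &, &&, | and || so each LOLBin in the
    chain is matched on its own segment; cmd.exe 656 above carries three."""
    return [s for s in (p.strip() for p in CHAIN_SPLIT.split(command_line)) if s]


def match_rules(event):
    """Names of every rule that fires on at least one segment, in RULES order."""
    segments = split_chain(event.command_line)
    return [name for name, _, rx in RULES
            if any(rx.search(seg) for seg in segments)]


def triage(events):
    """Map pid -> (score, verdict, hits) for events with at least one hit.
    'ransomware-like' requires two distinct recovery-inhibition rules, so a
    lone bcdedit change or 'vssadmin list shadows' stays 'suspicious' or
    is not flagged at all."""
    weight = {name: w for name, w, _ in RULES}
    result = {}
    for ev in events:
        hits = match_rules(ev)
        if not hits:
            continue
        score = sum(weight[h] for h in hits)
        verdict = ("ransomware-like"
                   if len(RECOVERY_RULES & set(hits)) >= 2 else "suspicious")
        result[ev.pid] = (score, verdict, hits)
    return result


# Constructed sample log: the first record is cmd.exe PID 656 from this
# report (command line and parent copied from the process table); the
# other two are benign decoys that must not produce a ransomware verdict.
SAMPLE_EVENTS = [
    ProcEvent(656, "cmd.exe",
              "bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe",
              r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
              r'& bcdedit /set {default} recoveryenabled No '
              r'& bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    ProcEvent(4100, "cmd.exe", "explorer.exe",
              r'"C:\Windows\System32\cmd.exe" /c vssadmin list shadows'),
    ProcEvent(4101, "cmd.exe", "explorer.exe",
              r'cmd.exe /c dir C:\Users\admin & echo done'),
]

if __name__ == "__main__":
    for pid, (score, verdict, hits) in triage(SAMPLE_EVENTS).items():
        print(pid, score, verdict, hits)
```

Splitting on the cmd.exe chain operators is the part that matters: all three commands arrive in a single process-creation event, and a rule written against the whole line would be brittle to reordering or to an extra "&". Requiring two different recovery-inhibition rules keeps an administrator's "vssadmin list shadows" or a single bcdedit change from tripping the ransomware verdict.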
Total events
24 863
Read events
24 727
Write events
67
Delete events
69

Modification events

PID 3268 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
PID 3268 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
PID 3268 WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
PID 3268 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\phacker.zip
PID 3268 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
PID 3268 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
PID 3268 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\New folder.rar
PID 3268 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID 3268 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID 3268 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Executable files
19
Suspicious files
423
Text files
10
Unknown types
5

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3268 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3268.29692\0e1a377f553f0d77cf2cc59249fd5be61bfe2a0876983847889af05344feb771.exe | executable | C4F972C6832DA97B0747978002A9377A | 0E1A377F553F0D77CF2CC59249FD5BE61BFE2A0876983847889AF05344FEB771
3268 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3268.29692\bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe | executable | 92E9C528AA262E5414F7820FB907B160 | BF43061A8849CE6AA78E82F830EBA1CD36F7E753594AEA195661AD9E8AEC63C7
3268 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3268.29692\af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe | executable | 52141A78ED6CB90E54323C53B21F65E0 | AF4C7751CDF031C03342E1FEA75118A6A98D7D07EC45370C737BACD6EF8E91FD
3268 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3268.29692\06b8930e96f03553211059b19a2c401b20acfa8df023a747e221fc31335bc6da.exe | executable | EA39CFE733F3F346CA4EC8E42C83C143 | 06B8930E96F03553211059B19A2C401B20ACFA8DF023A747E221FC31335BC6DA
3268 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3268.29692\4ff9d177ab7f59225cf385d3cedfd5dda9e582fb25c017009a564f55a0620de8.exe | executable | 9B83FA90F36FEF2E9B8D5BDEB46735F7 | 4FF9D177AB7F59225CF385D3CEDFD5DDA9E582FB25C017009A564F55A0620DE8
3268 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3268.29692\eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe | executable | 39B7451CE472425DBE844449FD53F1C8 | EB5525FE87E563803654EF542943F5F2AA2F5FE6FCD24F92D588AB11ED8C9384
3268 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3268.29692\9a73476000ae855a7cabf10b4e0c5321fc95abb8708bd21de90366972c533e21.exe | executable | 87E794BB0710BA4E9728448DAC8EECC3 | 9A73476000AE855A7CABF10B4E0C5321FC95ABB8708BD21DE90366972C533E21
3268 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3268.29692\6ebeb5807e795dc302e12f198b4a960e7e57c0885f14953bb94cfd8f818f79b6.exe | executable | 3B1E478E73BCCEE40B00E05B945186D0 | 6EBEB5807E795DC302E12F198B4A960E7E57C0885F14953BB94CFD8F818F79B6
2524 | rar.exe | C:\WINDOWS\ime\630\11.txt | - | - | -
2524 | rar.exe | C:\WINDOWS\ime\630\22.txt | - | - | -
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
25
DNS requests
20
Threats
1

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation (Type and Size are empty for every row)
1372 | svchost.exe | GET | 304 | 2.16.100.168:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | whitelisted
1372 | svchost.exe | GET | 200 | 2.16.164.99:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1372 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3820 | bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe | GET | 200 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?da622d6e3371815c | unknown | whitelisted
1060 | svchost.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?11acddbe1ebd82b3 | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1372 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 224.0.0.252:5355 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
2564 | svchost.exe | 239.255.255.250:3702 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1372 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1372 | svchost.exe | 2.16.100.168:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | whitelisted
1372 | svchost.exe | 2.16.164.99:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
1372 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.23.110
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
ctldl.windowsupdate.com
  • 2.16.100.168
  • 88.221.110.91
  • 199.232.210.172
  • 199.232.214.172
  • 23.50.131.200
  • 23.50.131.216
whitelisted
crl.microsoft.com
  • 2.16.164.99
  • 2.16.164.40
  • 2.16.164.33
  • 2.16.164.106
  • 2.16.164.66
  • 2.16.164.122
  • 2.16.164.115
  • 2.16.164.67
  • 2.16.164.96
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
515835216.3322.org
whitelisted
www.baidu.com
  • 103.235.46.96
  • 103.235.47.188
whitelisted
driver-updates-info.com
unknown
abulanov.com
  • 188.246.227.29
unknown
sealgrinderpt.com
  • 141.193.213.11
  • 141.193.213.10
whitelisted

Threats

PID | Process | Class | Message
1060 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to 3322.org Domain

Debug output

Process | Message
bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe | [DBG]
bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe | core_init() - Program initialization
bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe | [DBG]
bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe | start LPE (cve_2018_8453)
bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe | (ransom-note text, base64 of UTF-16LE, continued on the following lines)
QgB5ACAAdABoAGUAIAB3AGEAeQAsACAAZQB2AGUAcgB5AHQAaABpAG4AZwAgAGkAcwAgAHAAbwBzAHMAaQBiAGwAZQAgAHQAbwAgAHIAZQBjAG8AdgBlAHIAIAAoAHIAZQBzAHQAbwByAGUAKQAsACAAYgB1AHQAIAB5AG8AdQAgAG4AZQBlAGQAIAB0AG8AIABmAG8AbABsAG8AdwAgAG8AdQByACAAaQBuAHMAdAByAHUAYwB0AGkAbwBuAHMALgAgAE8AdABoAGUAcgB3AGkAcwBlACwAIAB5AG8AdQAgAGMAYQBuAHQAIAByAGUAdAB1AHIAbgAgAHkAbwB1AHIAIABkAGEAdABhACAAKABOAEUAVgBFAFIAKQAuAA0ACgANAAoAWwArAF0AIABXAGgAYQB0ACAAZwB1AGEAcgBhAG4AdABlAGUAcwA/ACAAWwArAF0ADQAKAA0ACgBJAHQAcwAgAGoAdQBzAHQAIABhACAAYgB1AHMAaQBuAGUAcwBzAC4AIABXAGUAIABhAGIAcwBvAGwAdQB0AGUAbAB5ACAAZABvACAAbgBvAHQAIABjAGEAcgBlACAAYQBiAG8AdQB0ACAAeQBvAHUAIABhAG4AZAAgAHkAbwB1AHIAIABkAGUAYQBsAHMALAAgAGUAeABjAGUAcAB0ACAAZwBlAHQAdABpAG4AZwAgAGIAZQBuAGUAZgBpAHQAcwAuACAASQBmACAAdwBlACAAZABvACAAbgBvAHQAIABkAG8AIABvAHUAcgAgAHcAbwByAGsAIABhAG4AZAAgAGwAaQBhAGIAaQBsAGkAdABpAGUAcwAgAC0AIABuAG8AYgBvAGQAeQAgAHcAaQBsAGwAIABuAG8AdAAgAGMAbwBvAHAAZQByAGEAdABlACAAdwBpAHQAaAAgAHUAcwAuACAASQB0AHMAIABuAG8AdAAgAGkAbgAgAG8AdQByACAAaQBuAHQAZQByAGUAcwB0AHMALgANAAoAVABvACAAYwBoAGUAYwBrACAAdABoAGUAIABhAGIAaQBsAGkAdAB5ACAAbwBmACAAcgBlAHQAdQByAG4AaQBuAGcAIABmAGkAbABlAHMALAAgAFkAbwB1ACAAcwBoAG8AdQBsAGQAIABnAG8AIAB0AG8AIABvAHUAcgAgAHcAZQBiAHMAaQB0AGUALgAgAFQAaABlAHIAZQAgAHkAbwB1ACAAYwBhAG4AIABkAGUAYwByAHkAcAB0ACAAbwBuAGUAIABmAGkAbABlACAAZgBvAHIAIABmAHIAZQBlAC4AIABUAGgAYQB0ACAAaQBzACAAbwB1AHIAIABnAHUAYQByAGEAbgB0AGUAZQAuAA0ACgBJAGYAIAB5AG8AdQAgAHcAaQBsAGwAIABuAG8AdAAgAGMAbwBvAHAAZQByAGEAdABlACAAdwBpAHQAaAAgAG8AdQByACAAcwBlAHIAdgBpAGMAZQAgAC0AIABmAG8AcgAgAHUAcwAsACAAaQB0AHMAIABkAG8AZQBzACAAbgBvAHQAIABtAGEAdAB0AGUAcgAuACAAQgB1AHQAIAB5AG8AdQAgAHcAaQBsAGwAIABsAG8AcwBlACAAeQBvAHUAcgAgAHQAaQBtAGUAIABhAG4AZAAgAGQAYQB0AGEALAAgAGMAYQB1AHMAZQAgAGoAdQBzAHQAIAB3AGUAIABoAGEAdgBlACAAdABoAGUAIABwAHIAaQB2AGEAdABlACAAawBlAHkALgAgAEkAbgAgAHAAcgBhAGMAdABpAHMAZQAgAC0AIAB0AGkAbQBlACAAaQBzACAAbQB1AGMAaAAgAG0AbwByAGUAIAB2AGEAbAB1AGEAYgBsAGUAIAB0AGgAYQBuACAAbQBvAG4AZQB5AC4ADQAKAA0ACgBbACsAXQAgAEgAbwB3ACAAdABvACAAZwBlAHQAIABhAGMAYwBlAHMAcwAgAG8AbgAgAHcAZQBiAHMAaQB0AGUA
PwAgAFsAKwBdAA0ACgANAAoAWQBvAHUAIABoAGEAdgBlACAAdAB3AG8AIAB3AGEAeQBzADoADQAKAA0ACgAxACkAIABbAFIAZQBjAG8AbQBtAGUAbgBkAGUAZABdACAAVQBzAGkAbgBnACAAYQAgAFQATwBSACAAYgByAG8AdwBzAGUAcgAhAA0ACgAgACAAYQApACAARABvAHcAbgBsAG8AYQBkACAAYQBuAGQAIABpAG4AcwB0AGEAbABsACAAVABPAFIAIABiAHIAbwB3AHMAZQByACAAZgByAG8AbQAgAHQAaABpAHMAIABzAGkAdABlADoAIABoAHQAdABwAHMAOgAvAC8AdABvAHIAcAByAG8AagBlAGMAdAAuAG8AcgBnAC8ADQAKACAAIABiACkAIABPAHAAZQBuACAAbwB1AHIAIAB3AGUAYgBzAGkAdABlADoAIABoAHQAdABwADoALwAvAGEAcABsAGUAYgB6AHUANAA3AHcAZwBhAHoAYQBwAGQAcQBrAHMANgB2AHIAYwB2ADYAegBjAG4AagBwAHAAawBiAHgAYgByADYAdwBrAGUAdABmADUANgBuAGYANgBhAHEAMgBuAG0AeQBvAHkAZAAuAG8AbgBpAG8AbgAvAHsAVQBJAEQAfQANAAoADQAKADIAKQAgAEkAZgAgAFQATwBSACAAYgBsAG8AYwBrAGUAZAAgAGkAbgAgAHkAbwB1AHIAIABjAG8AdQBuAHQAcgB5ACwAIAB0AHIAeQAgAHQAbwAgAHUAcwBlACAAVgBQAE4AIQAgAEIAdQB0ACAAeQBvAHUAIABjAGEAbgAgAHUAcwBlACAAbwB1AHIAIABzAGUAYwBvAG4AZABhAHIAeQAgAHcAZQBiAHMAaQB0AGUALgAgAEYAbwByACAAdABoAGkAcwA6AA0ACgAgACAAYQApACAATwBwAGUAbgAgAHkAbwB1AHIAIABhAG4AeQAgAGIAcgBvAHcAcwBlAHIAIAAoAEMAaAByAG8AbQBlACwAIABGAGkAcgBlAGYAbwB4ACwAIABPAHAAZQByAGEALAAgAEkARQAsACAARQBkAGcAZQApAA0ACgAgACAAYgApACAATwBwAGUAbgAgAG8AdQByACAAcwBlAGMAbwBuAGQAYQByAHkAIAB3AGUAYgBzAGkAdABlADoAIABoAHQAdABwADoALwAvAGQAZQBjAHIAeQBwAHQAbwByAC4AdABvAHAALwB7AFUASQBEAH0ADQAKAA0ACgBXAGEAcgBuAGkAbgBnADoAIABzAGUAYwBvAG4AZABhAHIAeQAgAHcAZQBiAHMAaQB0AGUAIABjAGEAbgAgAGIAZQAgAGIAbABvAGMAawBlAGQALAAgAHQAaABhAHQAcwAgAHcAaAB5ACAAZgBpAHIAcwB0ACAAdgBhAHIAaQBhAG4AdAAgAG0AdQBjAGgAIABiAGUAdAB0AGUAcgAgAGEAbgBkACAAbQBvAHIAZQAgAGEAdgBhAGkAbABhAGIAbABlAC4ADQAKAA0ACgBXAGgAZQBuACAAeQBvAHUAIABvAHAAZQBuACAAbwB1AHIAIAB3AGUAYgBzAGkAdABlACwAIABwAHUAdAAgAHQAaABlACAAZgBvAGwAbABvAHcAaQBuAGcAIABkAGEAdABhACAAaQBuACAAdABoAGUAIABpAG4AcAB1AHQAIABmAG8AcgBtADoADQAKAEsAZQB5ADoADQAKAA0ACgB7AEsARQBZAH0ADQAKAA0ACgANAAoARQB4AHQAZQBuAHMAaQBvAG4AIABuAGEAbQBlADoADQAKAA0ACgB7AEUAWABUAH0ADQAKAA0ACgAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0A
LQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQA
bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe
…","nname":"{EXT}-readme.txt","exp":true,"img":"QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA"}
bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe
[DBG]
bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe