File name: New folder.rar

Full analysis: https://app.any.run/tasks/4d57f49e-a495-4fc8-8562-b863b3f55dd5
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: July 20, 2024, 13:59:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
sodinokibi
revil
upx
ransomware
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 6E913EE3C7DDC48874F59BF842B04882
SHA1: D7898EAC2C77E222B25D4AF281DDA862DFC0E5E5
SHA256: 1854FBA91FEE5265875EE3B576D90FCC2375B6F27CB1B9A4F0470542DA985BCF
SSDEEP: 98304:nKyz0PuT89E2rLpUXzFEYiBCVKTp3Lp+Y9IHZBt530pQ7QpoSBjMk3CVDvsc1Yvh:W8g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3268)
      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • cmd.exe (PID: 3556)
      • rar.exe (PID: 936)
      • csiss.exe (PID: 3068)
      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Gets a file object corresponding to the file in a specified path (SCRIPT)

      • wscript.exe (PID: 1680)
    • Changes the autorun value in the registry

      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
    • SODINOKIBI has been detected (YARA)

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Sodinokibi ransom note is found

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 656)
    • Renames files like ransomware

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Deletes shadow copies

      • cmd.exe (PID: 656)
    • Actions look like stealing of personal data

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
      • cmd.exe (PID: 3556)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • rar.exe (PID: 936)
      • cmd.exe (PID: 3556)
      • csiss.exe (PID: 3068)
      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
    • Executing commands from a ".bat" file

      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • scrcons.exe (PID: 2076)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3556)
      • csiss.exe (PID: 3068)
    • Starts CMD.EXE for commands execution

      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • cmd.exe (PID: 3556)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
      • scrcons.exe (PID: 2076)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 2760)
    • Drops a self-deleting batch file

      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
    • The process executes VB scripts

      • cmd.exe (PID: 3556)
    • Creates a file in the system drive root

      • cmd.exe (PID: 3556)
      • wscript.exe (PID: 1680)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Application launched itself

      • cmd.exe (PID: 3556)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 3556)
    • Reads security settings of Internet Explorer

      • af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe (PID: 184)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
    • Reads the Internet Settings

      • af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe (PID: 184)
      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 3556)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 1680)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 1680)
    • There is functionality for taking screenshots (YARA)

      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
    • Creates files like ransomware instruction

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Likely accesses (executes) a file from the Public directory

      • notepad.exe (PID: 3052)
      • notepad.exe (PID: 3248)
    • Reads settings of System Certificates

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Executes as Windows Service

      • VSSVC.exe (PID: 1904)
    • Runs shell command (SCRIPT)

      • scrcons.exe (PID: 2076)
    • Gets information on the list of running processes

      • cmd.exe (PID: 3696)
    • Adds/modifies Windows certificates

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
  • INFO

    • Reads the computer name

      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • wmpnscfg.exe (PID: 3384)
      • rar.exe (PID: 936)
      • rar.exe (PID: 2524)
      • csiss.exe (PID: 3068)
      • af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe (PID: 184)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
    • Reads the machine GUID from the registry

      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Creates files in a temporary directory

      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe (PID: 184)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Checks supported languages

      • wmpnscfg.exe (PID: 3384)
      • 2735c6f530b33cbb73022c7dbf3db609b4e58cc11b0f4ef7bafa8db3dcb5587a.exe (PID: 3692)
      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • rar.exe (PID: 936)
      • rar.exe (PID: 2524)
      • csiss.exe (PID: 3068)
      • af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe (PID: 184)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3384)
      • 921fa8549370a1eea760515665e8079220693aa3f463260a6f4caacfd7f1024f.exe (PID: 2952)
      • 2735c6f530b33cbb73022c7dbf3db609b4e58cc11b0f4ef7bafa8db3dcb5587a.exe (PID: 3692)
      • af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe (PID: 184)
      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
      • taskmgr.exe (PID: 2852)
      • notepad.exe (PID: 3052)
      • notepad.exe (PID: 3248)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3268)
    • Reads CPU info

      • csiss.exe (PID: 3068)
    • UPX packer has been detected

      • eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe (PID: 2400)
    • Reads Environment values

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Reads product name

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Dropped object may contain TOR URLs

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Reads the software policy settings

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Creates files in the program directory

      • bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe (PID: 3820)
    • Reads security settings of Internet Explorer

      • scrcons.exe (PID: 2076)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 237
Monitored processes: 175
Malicious processes: 6
Suspicious processes: 2

Behavior graph


Process information

PID: 184
CMD: "C:\Users\admin\Desktop\af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe"
Path: C:\Users\admin\Desktop\af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 240
CMD: "C:\Windows\System32\taskmgr.exe"
Path: C:\Windows\System32\taskmgr.exe
Parent process: eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 400
CMD: "C:\Windows\System32\taskmgr.exe"
Path: C:\Windows\System32\taskmgr.exe
Parent process: eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 444
CMD: "C:\Windows\System32\taskmgr.exe"
Path: C:\Windows\System32\taskmgr.exe
Parent process: eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 540
CMD: "C:\Windows\System32\taskmgr.exe"
Path: C:\Windows\System32\taskmgr.exe
Parent process: eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 596
CMD: "C:\Windows\System32\taskmgr.exe"
Path: C:\Windows\System32\taskmgr.exe
Parent process: eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 656
CMD: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path: C:\Windows\System32\cmd.exe
Parent process: bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 684
CMD: "C:\Windows\System32\taskmgr.exe"
Path: C:\Windows\System32\taskmgr.exe
Parent process: eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 764
CMD: "C:\Windows\System32\taskmgr.exe"
Path: C:\Windows\System32\taskmgr.exe
Parent process: eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 24 863
Read events: 24 727
Write events: 67
Delete events: 69

Modification events

(PID) Process: (3268) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3268) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3268) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3268) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3268) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3268) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3268) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\New folder.rar

(PID) Process: (3268) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3268) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3268) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 19
Suspicious files: 423
Text files: 10
Unknown types: 5

Dropped files

PID: 3268
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3268.29692\c9fec93cb4a2849a2f9129507daae602e27659ff1f77e05c30b38ccd1e822f40.exe
Type: executable
MD5: F6DCAEAC14BE0A094FF36F2589245C98
SHA256: C9FEC93CB4A2849A2F9129507DAAE602E27659FF1F77E05C30B38CCD1E822F40

PID: 3268
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3268.29692\bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe
Type: executable
MD5: 92E9C528AA262E5414F7820FB907B160
SHA256: BF43061A8849CE6AA78E82F830EBA1CD36F7E753594AEA195661AD9E8AEC63C7

PID: 3268
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3268.29692\af4c7751cdf031c03342e1fea75118a6a98d7d07ec45370c737bacd6ef8e91fd.exe
Type: executable
MD5: 52141A78ED6CB90E54323C53B21F65E0
SHA256: AF4C7751CDF031C03342E1FEA75118A6A98D7D07EC45370C737BACD6EF8E91FD

PID: 3268
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3268.29692\2735c6f530b33cbb73022c7dbf3db609b4e58cc11b0f4ef7bafa8db3dcb5587a.exe
Type: executable
MD5: 771E4E7697A5D0537EDD8702E1EA6666
SHA256: 2735C6F530B33CBB73022C7DBF3DB609B4E58CC11B0F4EF7BAFA8DB3DCB5587A

PID: 3268
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3268.29692\6ebeb5807e795dc302e12f198b4a960e7e57c0885f14953bb94cfd8f818f79b6.exe
Type: executable
MD5: 3B1E478E73BCCEE40B00E05B945186D0
SHA256: 6EBEB5807E795DC302E12F198B4A960E7E57C0885F14953BB94CFD8F818F79B6

PID: 3268
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3268.29692\dc788044ba918463ddea34c1128c9f4da56e0778e582ae9abdeb15fdbcc57e80.exe
Type: executable
MD5: 99E2B579A030E251D4036DB28E048C90
SHA256: DC788044BA918463DDEA34C1128C9F4DA56E0778E582AE9ABDEB15FDBCC57E80

PID: 3268
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3268.29692\0e1a377f553f0d77cf2cc59249fd5be61bfe2a0876983847889af05344feb771.exe
Type: executable
MD5: C4F972C6832DA97B0747978002A9377A
SHA256: 0E1A377F553F0D77CF2CC59249FD5BE61BFE2A0876983847889AF05344FEB771

PID: 3268
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3268.29692\eb5525fe87e563803654ef542943f5f2aa2f5fe6fcd24f92d588ab11ed8c9384.exe
Type: executable
MD5: 39B7451CE472425DBE844449FD53F1C8
SHA256: EB5525FE87E563803654EF542943F5F2AA2F5FE6FCD24F92D588AB11ED8C9384

PID: 2524
Process: rar.exe
Filename: C:\WINDOWS\ime\630\11.txt
MD5:
SHA256:

PID: 2524
Process: rar.exe
Filename: C:\WINDOWS\ime\630\22.txt
MD5:
SHA256:
HTTP(S) requests: 5
TCP/UDP connections: 25
DNS requests: 20
Threats: 1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
2.16.100.168:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
whitelisted
1372
svchost.exe
GET
200
2.16.164.99:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1372
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3820
bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe
GET
200
23.50.131.200:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?da622d6e3371815c
unknown
whitelisted
1060
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?11acddbe1ebd82b3
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1372
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:137
whitelisted
1060
svchost.exe
224.0.0.252:5355
whitelisted
2564
svchost.exe
239.255.255.250:3702
whitelisted
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1372
svchost.exe
2.16.100.168:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
whitelisted
1372
svchost.exe
2.16.164.99:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
1372
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.23.110
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
ctldl.windowsupdate.com
  • 2.16.100.168
  • 88.221.110.91
  • 199.232.210.172
  • 199.232.214.172
  • 23.50.131.200
  • 23.50.131.216
whitelisted
crl.microsoft.com
  • 2.16.164.99
  • 2.16.164.40
  • 2.16.164.33
  • 2.16.164.106
  • 2.16.164.66
  • 2.16.164.122
  • 2.16.164.115
  • 2.16.164.67
  • 2.16.164.96
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
515835216.3322.org
whitelisted
www.baidu.com
  • 103.235.46.96
  • 103.235.47.188
whitelisted
driver-updates-info.com
unknown
abulanov.com
  • 188.246.227.29
unknown
sealgrinderpt.com
  • 141.193.213.11
  • 141.193.213.10
whitelisted

Threats

PID
Process
Class
Message
1060
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to 3322.org Domain
Process
Message
bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe
[DBG]
bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe
core_init() - Program initialization
bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe
[DBG]
bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe
start LPE (cve_2018_8453)
romus.ca;atrgroup.it;guohedd.com;santastoy.store;qwikcoach.com;testitjavertailut.net;greatofficespaces.net;teamsegeln.ch;haard-totaal.nl;ayudaespiritualtamara.com;ivancacu.com;casinodepositors.com;lumturo.academy;beauty-traveller.com;limmortelyouth.com;humanviruses.org;schroederschoembs.com;keuken-prijs.nl;trainiumacademy.com;richardiv.com;sprintcoach.com;solidhosting.nl;skyboundnutrition.co.uk;denhaagfoodie.nl;muller.nl;rhino-storage.co.uk;gavelmasters.com;blucamp.com;pourlabretagne.bzh;pureelements.nl;mesajjongeren.nl;campusescalade.com;studionumerik.fr;betterce.com;mazift.dk;heuvelland-oaze.nl;krishnabrawijaya.com;sunsolutions.es;dibli.store;vvego.com;nexstagefinancial.com;ninjaki.com;acibademmobil.com.tr;jollity.hu;jax-interim-and-projectmanagement.com;hoteltantra.com;skooppi.fi;cssp-mediation.org;mensemetgesigte.co.za;cap29010.it;johnsonweekly.com;girlish.ae;delegationhub.com;bookingwheel.com;zuerich-umzug.ch;edrickennedymacfoy.com;naukaip.ru;teutoradio.de;pharmeko-group.com;animation-pro.co.uk;operativadigital.com;fire-space.com;palmenhaus-erfurt.de;slotenmakerszwijndrecht.nl;bavovrienden.nl;ketomealprep.academy;bescomedical.de;heimdalbygg.no;iron-mine.ru;domilivefurniture.com;poems-for-the-soul.ch;secrets-clubs.co.uk;ultimatelifesource.com;michal-s.co.il;dantreranch.com;outstandingminialbums.com;oportowebdesign.com;mariajosediazdemera.com;avtoboss163.ru:443;napisat-pismo-gubernatoru.ru:443;nauticmarine.dk;witraz.pl;clemenfoto.dk;internestdigital.com;forextimes.ru;mediogiro.com.ar;reizenmetkinderen.be;avisioninthedesert.com;rsidesigns.com;altocontatto.net;scholarquotes.com;look.academy;adabible.org;fotoslubna.com;endlessrealms.net;bohrlochversicherung.info;glennverschueren.be;duthler.nl;auberives-sur-vareze.fr;bringmehope.org;oththukaruva.com;astrographic.com;rapid5kloan.org;goeppinger-teppichreinigung.de;coachpreneuracademy.com;bonitabeachassociation.com;ronielyn.com;yourhappyevents.fr;jonnyhooley.com;karmeliterviertel.com;tilldeeke.de;activeterroristwarningc
ompany.com;photonag.com;biodentify.ai;natturestaurante.com.br;bcabattoirs.org;jefersonaless
bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7.exe
andro.com;gurutechnologies.net;mariannelemenestrel.com;marcandy.com;publicompserver.de;ocduiblog.com;annenymus.com;carolynfriedlander.com;galaniuklaw.com;kryddersnapsen.dk;patassociation.com;fysiotherapierijnmond.nl;yourcosmicbeing.com;agenceassemble.fr;block-optic.com;so-sage.fr;prometeyagro.com.ua;mbuildinghomes.com;queertube.net;tatyanakopieva.ru;speakaudible.com;aquacheck.co.za;racefietsenblog.nl;gazelle-du-web.com;adaduga.info;buffdaddyblog.com;alpesiberie.com;der-stempelking.de;photographycreativity.co.uk;lgiwines.com;andermattswisswatches.ch;proffteplo.com;ravage-webzine.nl;janasfokus.com;fbmagazine.ru;leansupremegarcinia.net;devplus.be;mariamalmahdi.com;catalyseurdetransformation.com;satoblog.org;jobkiwi.com.ng;daveystownhouse.com;aciscomputers.com;tieronechic.com;cleanroomequipment.ie;xrresources.com;jacquesgarcianoto.com;leadforensics.com;eventosvirtualesexitosos.com;deduktia.fi;littlesaints.academy;zinnystar.com;airserviceunlimited.com;professionetata.com;smartspeak.com;pays-saint-flour.fr;otpusk.zp.ua;directique.com;direitapernambuco.com;cmeow.com;stressreliefadvice.com;encounter-p.net;ncjc.ca;volta.plus;easydental.ae;ilveshistoria.com;lapponiasafaris.com;rubyaudiology.com;tastevirginia.com;the-cupboard.co.uk;the5thquestion.com;electricianul.com;legundschiess.de;rentingwell.com;xn--ziinoapte-6ld.ro;mslp.org;encounter-p.net;wrinstitute.org;fta-media.com;omnicademy.com;startuplive.org;elex.is;orchardbrickwork.com;watchsale.biz;christopherhannan.com;rizplakatjaya.com;innovationgames-brabant.nl;dinecorp.com;fotoeditores.com;ludoil.it;oscommunity.de;voice2biz.com;aslog.fr;billyoart.com;ciga-france.fr;perceptdecor.com;ya-elka.ru;graygreenbiomedservices.com;louiedager.com;business-basic.de;azerbaycanas.com;broccolisoep.nl;sellthewrightway.com;pxsrl.it;kiraribeaute-nani.com;licensed-public-adjuster.com;selected-minds.de;skolaprome.eu;bluetenreich-brilon.de;111firstdelray.com;finnergo.eu;placermonticello.com;ronaldhendriks.nl;sololibrerie.it;peninggibadan.co.id;g
eitoniatonaggelon.gr;o2o-academy.com;die-immo-agentur.de;crestgood.com;parisschool.ru;charlesfrancis.photos;colored-shelves.com;amco.net.au;evsynthacademy.org;pro-gamer.pl;dinedrinkdetroit.com;alene.co;devus.de;weddingceremonieswithtim.com;focuskontur.com;bundan.com;boyfriendsgoal.site;therapybusinessacademy.com;jobscore.com;dennisverschuur.com;zumrutkuyutemel.com;sjtpo.org;mazzaropi.com.br;alexwenzel.de;goodboyscustom.com;nutriwell.com.sg;jmmartinezilustrador.com;suitesartemis.gr;kenmccallum.com;go.labibini.ch;jeanmonti.com;banksrl.co.za;jakubrybak.com;primemarineengineering.com;jaaphoekzema.nl;walterman.es;towelroot.co;techybash.com;kerstliedjeszingen.nl;mieleshopping.it;andreaskildegaard.dk;adedesign.com;elitkeramika-shop.com.ua;housesofwa.com;k-v-f.de;acb-gruppe.ch;carmel-york.com;lassocrm.com;saboboxtel.uk;supercarhire.co.uk;sweetz.fr;comoserescritor.com;stralsund-ansichten.de;ziliak.com;liveyourheartout.co;mamajenedesigns.com;metallbau-hartmann.eu;amyandzac.com;grancanariaregional.com;condormobile.fr;voetbalhoogeveen.nl;rvside.com;druktemakersheerenveen.nl;rename.kz;stage-infirmier.fr;iactechnologies.net;awag-blog.de;brinkdoepke.eu;brannbornfastigheter.se;circuit-diagramz.com;buonabitare.com;valiant-voice.com;mjk.digital;yayasanprimaunggul.org;o90.dk;theatre-embellie.fr;edvestors.org;craftron.com;turing.academy;richardmaybury.co.uk;narca.net;livelai.com;pansionatblago.ru;miscbo.it;vdolg24.online;subyard.com;ygallerysalonsoho.com:443;eksperdanismanlik.com;metriplica.academy;mahikuchen.com;agencewho-aixenprovence.fr;qrs-international.com;ingresosextras.online;nepal-pictures.com;rivermusic.nl;nrgvalue.com;unislaw-narty.pl;bayshoreelite.com;logosindustries.com;latteswithleslie.com;leijstrom.com;slotspinner.com;brunoimmobilier.com;ddmgen.com;makingmillionaires.net;innovationgames-brabant.nl;alattekniksipil.com;csaballoons.com;pixelhealth.net;laylavalentine.com;osn.ro;5pointpt.com;gratiocafeblog.wordpress.com;saberconcrete.com;sbit.ag;omegamarbella.com;annida.it;dr-
vita.de;bg.szczecin.pl;biblica.com;motocrossplace.co.uk;triplettabordeaux.fr;christianschol