File name:

b24680596a9a113f95535f526930b5415382c102cd5753d7392e780cdea0ed63.exe

Full analysis: https://app.any.run/tasks/6781a341-3014-4239-a5c5-4345bb8ece06
Verdict: Malicious activity
Threats:

Fog is a ransomware strain that locks and steals sensitive information on both Windows and Linux endpoints. The median ransom demand is $220,000; the median payment is $100,000. First spotted in the spring of 2024, it was used to attack educational organizations in the USA, later expanding to other sectors and countries. Main distribution method — compromised VPN credentials.

Analysis date: February 21, 2025, 07:47:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
fog
ransomware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

A4E7B94C88A041D5E9983A704053F01C

SHA1:

725F40D1005E3CD734F4C525DAD397C0B60B016B

SHA256:

1A3B37F51E8C24D7A1A8310B3FDBEB1192F7380C2029659A44B291A5DAEE5B33

SSDEEP:

3072:1YFo8vAah9C54UMC9DcNQtffGvH8+R6ntAGLQ:1YhAlJDcNQt2v8uQQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • cmd.exe (PID: 3544)
      • net.exe (PID: 5256)
    • FOG has been detected (YARA)

      • b24680596a9a113f95535f526930b5415382c102cd5753d7392e780cdea0ed63.exe (PID: 3092)
  • SUSPICIOUS

    • Starts NET.EXE to manage network resources

      • cmd.exe (PID: 2928)
      • net.exe (PID: 6096)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 3608)
      • cmd.exe (PID: 5876)
    • Starts CMD.EXE for commands execution

      • b24680596a9a113f95535f526930b5415382c102cd5753d7392e780cdea0ed63.exe (PID: 3092)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 520)
    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 5392)
    • Lists all scheduled tasks in specific format

      • schtasks.exe (PID: 4188)
    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 3172)
    • Get information on the list of running processes

      • cmd.exe (PID: 2972)
      • b24680596a9a113f95535f526930b5415382c102cd5753d7392e780cdea0ed63.exe (PID: 3092)
    • Uses DRIVERQUERY.EXE to obtain a list of installed device drivers

      • cmd.exe (PID: 2728)
    • Creates file in the systems drive root

      • b24680596a9a113f95535f526930b5415382c102cd5753d7392e780cdea0ed63.exe (PID: 3092)
  • INFO

    • Checks supported languages

      • b24680596a9a113f95535f526930b5415382c102cd5753d7392e780cdea0ed63.exe (PID: 3092)
    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 520)
    • Reads the computer name

      • b24680596a9a113f95535f526930b5415382c102cd5753d7392e780cdea0ed63.exe (PID: 3092)
    • Reads the machine GUID from the registry

      • b24680596a9a113f95535f526930b5415382c102cd5753d7392e780cdea0ed63.exe (PID: 3092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:01:29 10:50:13+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 65024
InitializedDataSize: 41472
UninitializedDataSize: -
EntryPoint: 0x10c50
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
169
Monitored processes
47
Malicious processes
1
Suspicious processes
1

Behavior graph

Processes in the graph, in start order (the sample is tagged #FOG): b24680596a9a113f95535f526930b5415382c102cd5753d7392e780cdea0ed63.exe, cmd.exe, conhost.exe, net.exe, net1.exe, cmd.exe, conhost.exe, systeminfo.exe, tiworker.exe, cmd.exe, conhost.exe, hostname.exe, cmd.exe, conhost.exe, net.exe, net1.exe, cmd.exe, conhost.exe, ipconfig.exe, cmd.exe, conhost.exe, route.exe, cmd.exe, conhost.exe, arp.exe, cmd.exe, conhost.exe, netstat.exe, cmd.exe, conhost.exe, netsh.exe, cmd.exe, conhost.exe, netsh.exe, cmd.exe, conhost.exe, schtasks.exe, cmd.exe, conhost.exe, tasklist.exe, cmd.exe, conhost.exe, net.exe, net1.exe, cmd.exe, conhost.exe, driverquery.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
132
CMD:
C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding
Path:
C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Exit code:
0
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID:
520
CMD:
cmd.exe /c systeminfo
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
b24680596a9a113f95535f526930b5415382c102cd5753d7392e780cdea0ed63.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
520
CMD:
route print
Path:
C:\Windows\SysWOW64\ROUTE.EXE
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Route Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\route.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
640
CMD:
systeminfo
Path:
C:\Windows\SysWOW64\systeminfo.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Displays system information
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\systeminfo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
640
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1200
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1224
CMD:
cmd.exe /c hostname
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
b24680596a9a113f95535f526930b5415382c102cd5753d7392e780cdea0ed63.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1224
CMD:
ipconfig /all
Path:
C:\Windows\SysWOW64\ipconfig.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1512
CMD:
netsh firewall show state
Path:
C:\Windows\SysWOW64\netsh.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1616
CMD:
C:\WINDOWS\system32\net1 users
Path:
C:\Windows\SysWOW64\net1.exe
Parent process:
net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
Total events
48 292
Read events
48 290
Write events
2
Delete events
0

Modification events

(PID) Process: (132) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdHigh
Value:
31163444
(PID) Process: (132) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdLow
Value:

Executable files
0
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
132
Process:
TiWorker.exe
Filename:
C:\Windows\Logs\CBS\CBS.log
Type:
text
MD5: 37CEBAF6BAADB51A0009834371DFA4DE
SHA256: 85BE5390DF9AEDC8BDD2F9DE2367B864C32909B1EBC42DC8CD6C2A1BAE61D413
PID:
3092
Process:
b24680596a9a113f95535f526930b5415382c102cd5753d7392e780cdea0ed63.exe
Filename:
C:\Users\admin\Desktop\DbgLog.sys
Type:
text
MD5: 703BA160CCE42BA043833103709B3A25
SHA256: 47B7B2C78E7D3B65AC3AB695E4CA3B98FD884893C4A99853D8BFC98C159EBFE9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
15
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1356
svchost.exe
GET
200
2.16.164.128:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1356
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4308
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1356
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1356
svchost.exe
2.16.164.128:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1356
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
1356
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3976
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.74.206
whitelisted
crl.microsoft.com
  • 2.16.164.128
  • 2.16.164.120
  • 2.16.164.107
  • 2.16.164.98
  • 2.16.164.99
  • 2.16.164.89
  • 2.16.164.9
  • 2.16.164.122
  • 2.16.164.106
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
self.events.data.microsoft.com
  • 20.189.173.3
whitelisted

Threats

No threats detected
No debug info