File name: HAKPYTKA.exe

Full analysis: https://app.any.run/tasks/be59308e-f616-455f-8d42-45b984704140
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market and comes with an abundance of educational material; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Analysis date: July 04, 2024, 08:28:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: netreactor, rat, njrat, bladabindi, remote
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

9814ABBDBE367EC137F8B8343220DEF8

SHA1:

338F121E293F6C4C71C7796D3D843BA75082AA13

SHA256:

1A95E485F4AE28B3526839F632E2D199D0652BA9E05215138A8E6FC9DF0299AC

SSDEEP:

98304:8M0F9QmUW4UrfoMME7uI8XDoONARVo09XciApiK2lkqsYBJ5O0su6vxOo5O3V1Yj:2AVAGbeGJnzXG8InQreXfw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • HAKPYTKA.exe (PID: 5988)
      • HAKPYTKA.exe (PID: 3680)
      • temp.exe (PID: 884)
      • system.exe (PID: 4052)
      • C.exe (PID: 4216)
      • appdata.exe (PID: 4084)
      • kiler.exe (PID: 4024)
      • kiler.exe (PID: 608)
    • Creates files in the Startup directory

      • kiler.exe (PID: 608)
    • Uses Task Scheduler to run other applications

      • kiler.exe (PID: 608)
    • Connects to the CnC server

      • kiler.exe (PID: 608)
    • Changes the autorun value in the registry

      • kiler.exe (PID: 608)
    • NJRAT has been detected (SURICATA)

      • kiler.exe (PID: 608)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • HAKPYTKA.exe (PID: 5988)
      • HAKPYTKA.exe (PID: 3680)
      • C.exe (PID: 4216)
      • appdata.exe (PID: 4084)
      • temp.exe (PID: 884)
      • system.exe (PID: 4052)
      • kiler.exe (PID: 4024)
    • Reads security settings of Internet Explorer

      • HAKPYTKA.exe (PID: 5988)
      • HAKPYTKA.exe (PID: 3680)
      • appdata.exe (PID: 4084)
      • C.exe (PID: 4216)
      • system.exe (PID: 4052)
      • temp.exe (PID: 884)
      • kiler.exe (PID: 4024)
    • Application launched itself

      • HAKPYTKA.exe (PID: 5988)
    • The process creates files with names similar to system file names

      • HAKPYTKA.exe (PID: 3680)
    • Executable content was dropped or overwritten

      • HAKPYTKA.exe (PID: 3680)
      • system.exe (PID: 4052)
      • temp.exe (PID: 884)
      • appdata.exe (PID: 4084)
      • C.exe (PID: 4216)
      • kiler.exe (PID: 4024)
      • kiler.exe (PID: 608)
    • Starts CMD.EXE for command execution

      • HAKPYTKA.exe (PID: 3680)
      • kiler.exe (PID: 4024)
    • Executing commands from a ".bat" file

      • HAKPYTKA.exe (PID: 3680)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 4072)
    • Uses TASKKILL.EXE to kill a process

      • kiler.exe (PID: 4024)
      • kiler.exe (PID: 608)
      • kiler.exe (PID: 4092)
    • Executes application which crashes

      • TRXLoader.exe (PID: 4800)
      • TRXLoader.exe (PID: 5100)
    • Checks Windows Trust Settings

      • kiler.exe (PID: 4024)
    • Creates a file in the system drive root

      • kiler.exe (PID: 4024)
      • kiler.exe (PID: 608)
      • kiler.exe (PID: 4092)
    • Process drops a legitimate Windows executable

      • kiler.exe (PID: 4024)
    • Starts itself from another location

      • kiler.exe (PID: 4024)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 3968)
    • Connects to unusual port

      • kiler.exe (PID: 608)
    • Contacts a server suspected of hosting a CnC

      • kiler.exe (PID: 608)
    • The process executes via Task Scheduler

      • kiler.exe (PID: 4092)
  • INFO

    • Reads the computer name

      • HAKPYTKA.exe (PID: 5988)
      • HAKPYTKA.exe (PID: 3680)
      • TRXLoader.exe (PID: 5100)
      • appdata.exe (PID: 4084)
      • C.exe (PID: 4216)
      • temp.exe (PID: 884)
      • system.exe (PID: 4052)
      • TRXLoader.exe (PID: 4800)
      • kiler.exe (PID: 4024)
      • kiler.exe (PID: 608)
      • kiler.exe (PID: 4092)
    • Checks supported languages

      • HAKPYTKA.exe (PID: 5988)
      • HAKPYTKA.exe (PID: 3680)
      • C.exe (PID: 4216)
      • system.exe (PID: 4052)
      • temp.exe (PID: 884)
      • appdata.exe (PID: 4084)
      • kiler.exe (PID: 4024)
      • TRXLoader.exe (PID: 4800)
      • TRXLoader.exe (PID: 5100)
      • kiler.exe (PID: 608)
      • kiler.exe (PID: 4092)
    • Process checks computer location settings

      • HAKPYTKA.exe (PID: 5988)
      • HAKPYTKA.exe (PID: 3680)
      • C.exe (PID: 4216)
      • system.exe (PID: 4052)
      • appdata.exe (PID: 4084)
      • temp.exe (PID: 884)
      • kiler.exe (PID: 4024)
    • Creates files or folders in the user directory

      • appdata.exe (PID: 4084)
      • WerFault.exe (PID: 4072)
      • WerFault.exe (PID: 4256)
      • kiler.exe (PID: 4024)
      • kiler.exe (PID: 608)
    • Creates files in a temporary directory

      • temp.exe (PID: 884)
      • kiler.exe (PID: 4024)
    • Reads the machine GUID from the registry

      • TRXLoader.exe (PID: 4800)
      • TRXLoader.exe (PID: 5100)
      • kiler.exe (PID: 4024)
      • kiler.exe (PID: 608)
    • Reads the software policy settings

      • kiler.exe (PID: 4024)
      • WerFault.exe (PID: 4072)
      • WerFault.exe (PID: 4256)
    • Creates files in the program directory

      • kiler.exe (PID: 4024)
    • Checks proxy server information

      • kiler.exe (PID: 4024)
      • WerFault.exe (PID: 4256)
      • WerFault.exe (PID: 4072)
    • .NET Reactor protector has been detected

      • kiler.exe (PID: 4024)
      • kiler.exe (PID: 608)
    • Reads environment values

      • kiler.exe (PID: 608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:05:12 10:17:07+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.33
CodeSize: 288768
InitializedDataSize: 158208
UninitializedDataSize: -
EntryPoint: 0x32ee0
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 167
Monitored processes: 42
Malicious processes: 4
Suspicious processes: 5

Behavior graph

Processes in the graph, in order ("no specs" = no notable indicators, THREAT = threat detected): start; hakpytka.exe (no specs); hakpytka.exe; c.exe; appdata.exe; temp.exe; system.exe; cmd.exe (no specs); conhost.exe (no specs); trxloader.exe; kiler.exe (THREAT); timeout.exe (no specs); timeout.exe (no specs); trxloader.exe; wscript.exe (no specs); wscript.exe (no specs); wscript.exe (no specs); wscript.exe (no specs); taskkill.exe (no specs); taskkill.exe (no specs); conhost.exe (no specs); conhost.exe (no specs); werfault.exe; werfault.exe; kiler.exe (THREAT); cmd.exe (no specs); conhost.exe (no specs); taskkill.exe (no specs); taskkill.exe (no specs); conhost.exe (no specs); conhost.exe (no specs); choice.exe (no specs); taskkill.exe (no specs); conhost.exe (no specs); schtasks.exe (no specs); conhost.exe (no specs); schtasks.exe (no specs); conhost.exe (no specs); kiler.exe (no specs); taskkill.exe (no specs); taskkill.exe (no specs); conhost.exe (no specs); conhost.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 420
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 608
CMD: "C:\Users\admin\AppData\Local\Temp\kiler.exe"
Path: C:\Users\admin\AppData\Local\Temp\kiler.exe
Parent process: kiler.exe
User: admin
Integrity Level: HIGH
Loaded modules:
c:\users\admin\appdata\local\temp\kiler.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 884
CMD: "C:\WINDOWS\temp.exe"
Path: C:\Windows\temp.exe
Parent process: HAKPYTKA.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Loaded modules:
c:\windows\temp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll
PID: 1120
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1132
CMD: schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\admin\AppData\Local\Temp\kiler.exe
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: kiler.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules:
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 1228
CMD: choice /C Y /N /D Y /T 5
Path: C:\Windows\SysWOW64\choice.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Offers the user a choice
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules:
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
PID: 1300
CMD: taskkill /f im Wireshark.exe
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: kiler.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules:
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1348
CMD: TASKKILL /F /IM wscript.exe
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: kiler.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules:
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 2212
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2220
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\BlockproviderComponentweb\FlrU2Sw3hI88Kq0oMKFqlJBcKKk7.vbe"
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: appdata.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Windows Based Script Host
Exit code: 1
Version: 5.812.10240.16384
Loaded modules:
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Total events: 39 240
Read events: 38 994
Write events: 235
Delete events: 11

Modification events

Process (PID) | Operation | Key | Name | Value
HAKPYTKA.exe (5988) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
HAKPYTKA.exe (5988) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
HAKPYTKA.exe (5988) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
HAKPYTKA.exe (5988) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
HAKPYTKA.exe (3680) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
HAKPYTKA.exe (3680) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
HAKPYTKA.exe (3680) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
HAKPYTKA.exe (3680) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
C.exe (4216) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids | VBEFile | -
C.exe (4216) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
Executable files: 14
Suspicious files: 22
Text files: 10
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3680 | HAKPYTKA.exe | C:\WINDOWS\appdata.exe | executable
MD5:84D84C88F059DCC80C8B8269BDA163D0
SHA256:0813184D94537F7F52E27A48733CE01AB3F8A40C807F8B1E3E876A0857270B98
4084 | appdata.exe | C:\Users\admin\AppData\Roaming\BlockproviderComponentweb\intoHostDhcp.exe | executable
MD5:EBEA30762188CB4EC53D42B823DA84A8
SHA256:95B36CD14B6D331231621B6BDA3B9F6048A13117B18703D22BEBBFB27679A278
884 | temp.exe | C:\Users\admin\AppData\Local\Temp\BlockproviderComponentweb\intoHostDhcp.exe | executable
MD5:EA1BAF36ABDAE7C13DA34CF669381555
SHA256:94A055255ECF22E9757017169BC2E4AC0D1F74E6C5F3C2A971D70021B32A0AA4
4052 | system.exe | C:\ProviderwebRuntimebrokerDll\AzoUH9rmryPf4YVykgERWga1ZsG.vbe | binary
MD5:4A854CAD3F93B3E5C68443BEDD1F8DE1
SHA256:C21E88D44EB247AB02667E37DE05D2E10ECC27BDFDC0F380778494570B5377DB
4216 | C.exe | C:\BlockproviderComponentweb\intoHostDhcp.exe | executable
MD5:27841ACA7FD6DB17F1EF54790B644997
SHA256:ED71D3A8E1AD249FB66AF4A667722134408588718974254AF108FF78F1157C9D
4216 | C.exe | C:\BlockproviderComponentweb\LzYuX9pzQxeIw.vbe | vbe
MD5:AC65A75F2EE29BCA1CED3F4279F35192
SHA256:B0EBC32DAFA29A57B91C73AC0B89242DA68D40CD470C262D4CC0361BA0CD8B95
884 | temp.exe | C:\Users\admin\AppData\Local\Temp\BlockproviderComponentweb\rLN2CzC2BGDm0saFwwqZ.vbe | vbe
MD5:C6E17F78EF2CAB853BAA01A81F114972
SHA256:25F85A5BCAED5FADFBA4B5368F224468E602E8991225B1FC2176CEC26672CD81
4256 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_TRXLoader.exe_cad5a43cf4f261bafa7f54a998ad9dc8435e7dc9_cf265bcb_dd7c4a7a-f611-48e3-bc97-76e87fac1017\Report.wer | -
MD5:
SHA256:
4072 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_TRXLoader.exe_cad5a43cf4f261bafa7f54a998ad9dc8435e7dc9_cf265bcb_e161279d-ac07-42de-a407-e8fbdb02c426\Report.wer | -
MD5:
SHA256:
4256 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\TRXLoader.exe.4800.dmp | -
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 24
TCP/UDP connections: 40
DNS requests: 14
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3800 | RUXIMICS.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1972 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
3868 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
3800 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
1972 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
3868 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
4024 | kiler.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAkF68Ngw5AQizn%2FeDnSocM%3D | unknown | unknown
4024 | kiler.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D | unknown | unknown
4024 | kiler.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
4024 | kiler.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3868 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
3800 | RUXIMICS.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1972 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3800 | RUXIMICS.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1972 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
3868 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
3800 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1972 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3868 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 23.48.23.156, 23.48.23.143, 2.16.241.12, 2.16.241.19 | whitelisted
www.microsoft.com | 23.35.229.160, 104.119.109.218 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
watson.events.data.microsoft.com | 13.89.179.12 | whitelisted
crl4.digicert.com | 192.229.221.95 | whitelisted
crl3.digicert.com | 192.229.221.95 | whitelisted
www.bing.com | 2.23.209.168, 2.23.209.166, 2.23.209.160, 2.23.209.149, 2.23.209.156, 2.23.209.167, 2.23.209.162, 2.23.209.173, 2.23.209.150 | whitelisted
self.events.data.microsoft.com | 52.182.143.214 | whitelisted
20.ip.gl.ply.gg | 147.185.221.20 | malicious

Threats

PID | Process | Class | Message
608 | kiler.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
5 ETPRO signatures available at the full report
No debug info