File name: HAKPYTKA.exe

Full analysis: https://app.any.run/tasks/be59308e-f616-455f-8d42-45b984704140
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market and comes with an abundance of educational material; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Analysis date: July 04, 2024, 08:28:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
netreactor
rat
njrat
bladabindi
remote
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 9814ABBDBE367EC137F8B8343220DEF8
SHA1: 338F121E293F6C4C71C7796D3D843BA75082AA13
SHA256: 1A95E485F4AE28B3526839F632E2D199D0652BA9E05215138A8E6FC9DF0299AC
SSDEEP: 98304:8M0F9QmUW4UrfoMME7uI8XDoONARVo09XciApiK2lkqsYBJ5O0su6vxOo5O3V1Yj:2AVAGbeGJnzXG8InQreXfw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • HAKPYTKA.exe (PID: 5988)
      • HAKPYTKA.exe (PID: 3680)
      • temp.exe (PID: 884)
      • appdata.exe (PID: 4084)
      • system.exe (PID: 4052)
      • C.exe (PID: 4216)
      • kiler.exe (PID: 4024)
      • kiler.exe (PID: 608)
    • Create files in the Startup directory

      • kiler.exe (PID: 608)
    • Uses Task Scheduler to run other applications

      • kiler.exe (PID: 608)
    • Connects to the CnC server

      • kiler.exe (PID: 608)
    • NJRAT has been detected (SURICATA)

      • kiler.exe (PID: 608)
    • Changes the autorun value in the registry

      • kiler.exe (PID: 608)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • HAKPYTKA.exe (PID: 5988)
      • HAKPYTKA.exe (PID: 3680)
      • C.exe (PID: 4216)
      • temp.exe (PID: 884)
      • appdata.exe (PID: 4084)
      • system.exe (PID: 4052)
      • kiler.exe (PID: 4024)
    • Reads the date of Windows installation

      • HAKPYTKA.exe (PID: 5988)
      • HAKPYTKA.exe (PID: 3680)
      • appdata.exe (PID: 4084)
      • C.exe (PID: 4216)
      • temp.exe (PID: 884)
      • system.exe (PID: 4052)
      • kiler.exe (PID: 4024)
    • Application launched itself

      • HAKPYTKA.exe (PID: 5988)
    • The process creates files with name similar to system file names

      • HAKPYTKA.exe (PID: 3680)
    • Executable content was dropped or overwritten

      • HAKPYTKA.exe (PID: 3680)
      • appdata.exe (PID: 4084)
      • system.exe (PID: 4052)
      • C.exe (PID: 4216)
      • temp.exe (PID: 884)
      • kiler.exe (PID: 4024)
      • kiler.exe (PID: 608)
    • Executing commands from a ".bat" file

      • HAKPYTKA.exe (PID: 3680)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 4072)
    • Uses TASKKILL.EXE to kill process

      • kiler.exe (PID: 4024)
      • kiler.exe (PID: 608)
      • kiler.exe (PID: 4092)
    • Executes application which crashes

      • TRXLoader.exe (PID: 4800)
      • TRXLoader.exe (PID: 5100)
    • Checks Windows Trust Settings

      • kiler.exe (PID: 4024)
    • Process drops legitimate windows executable

      • kiler.exe (PID: 4024)
    • Creates file in the systems drive root

      • kiler.exe (PID: 4024)
      • kiler.exe (PID: 608)
      • kiler.exe (PID: 4092)
    • Starts itself from another location

      • kiler.exe (PID: 4024)
    • Starts CMD.EXE for commands execution

      • kiler.exe (PID: 4024)
      • HAKPYTKA.exe (PID: 3680)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 3968)
    • Contacting a server suspected of hosting an CnC

      • kiler.exe (PID: 608)
    • Connects to unusual port

      • kiler.exe (PID: 608)
    • The process executes via Task Scheduler

      • kiler.exe (PID: 4092)
  • INFO

    • Checks supported languages

      • HAKPYTKA.exe (PID: 5988)
      • HAKPYTKA.exe (PID: 3680)
      • appdata.exe (PID: 4084)
      • C.exe (PID: 4216)
      • system.exe (PID: 4052)
      • temp.exe (PID: 884)
      • kiler.exe (PID: 4024)
      • TRXLoader.exe (PID: 4800)
      • TRXLoader.exe (PID: 5100)
      • kiler.exe (PID: 608)
      • kiler.exe (PID: 4092)
    • Process checks computer location settings

      • HAKPYTKA.exe (PID: 5988)
      • HAKPYTKA.exe (PID: 3680)
      • appdata.exe (PID: 4084)
      • C.exe (PID: 4216)
      • temp.exe (PID: 884)
      • system.exe (PID: 4052)
      • kiler.exe (PID: 4024)
    • Reads the computer name

      • HAKPYTKA.exe (PID: 5988)
      • HAKPYTKA.exe (PID: 3680)
      • temp.exe (PID: 884)
      • appdata.exe (PID: 4084)
      • system.exe (PID: 4052)
      • C.exe (PID: 4216)
      • TRXLoader.exe (PID: 4800)
      • TRXLoader.exe (PID: 5100)
      • kiler.exe (PID: 4024)
      • kiler.exe (PID: 608)
      • kiler.exe (PID: 4092)
    • Create files in a temporary directory

      • temp.exe (PID: 884)
      • kiler.exe (PID: 4024)
    • Creates files or folders in the user directory

      • appdata.exe (PID: 4084)
      • WerFault.exe (PID: 4072)
      • kiler.exe (PID: 4024)
      • WerFault.exe (PID: 4256)
      • kiler.exe (PID: 608)
    • Reads the machine GUID from the registry

      • TRXLoader.exe (PID: 4800)
      • TRXLoader.exe (PID: 5100)
      • kiler.exe (PID: 4024)
      • kiler.exe (PID: 608)
    • Reads the software policy settings

      • kiler.exe (PID: 4024)
      • WerFault.exe (PID: 4072)
      • WerFault.exe (PID: 4256)
    • Checks proxy server information

      • kiler.exe (PID: 4024)
      • WerFault.exe (PID: 4256)
      • WerFault.exe (PID: 4072)
    • .NET Reactor protector has been detected

      • kiler.exe (PID: 4024)
      • kiler.exe (PID: 608)
    • Creates files in the program directory

      • kiler.exe (PID: 4024)
    • Reads Environment values

      • kiler.exe (PID: 608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:05:12 10:17:07+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.33
CodeSize: 288768
InitializedDataSize: 158208
UninitializedDataSize: -
EntryPoint: 0x32ee0
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 167
Monitored processes: 42
Malicious processes: 4
Suspicious processes: 5

Behavior graph

Processes shown in the graph, in order (labels as given in the report; "×N" marks consecutive repeats):
start, hakpytka.exe (no specs), hakpytka.exe, c.exe, appdata.exe, temp.exe, system.exe, cmd.exe (no specs), conhost.exe (no specs), trxloader.exe, kiler.exe (THREAT), timeout.exe (no specs) ×2, trxloader.exe, wscript.exe (no specs) ×4, taskkill.exe (no specs) ×2, conhost.exe (no specs) ×2, werfault.exe ×2, kiler.exe (THREAT), cmd.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs) ×2, conhost.exe (no specs) ×2, choice.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), schtasks.exe (no specs), conhost.exe (no specs), schtasks.exe (no specs), conhost.exe (no specs), kiler.exe (no specs), taskkill.exe (no specs) ×2, conhost.exe (no specs) ×2

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 420
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 608
CMD: "C:\Users\admin\AppData\Local\Temp\kiler.exe"
Path: C:\Users\admin\AppData\Local\Temp\kiler.exe
Parent process: kiler.exe
User: admin
Integrity Level: HIGH
Modules (images):
c:\users\admin\appdata\local\temp\kiler.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 884
CMD: "C:\WINDOWS\temp.exe"
Path: C:\Windows\temp.exe
Parent process: HAKPYTKA.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\windows\temp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll
PID: 1120
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1132
CMD: schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\admin\AppData\Local\Temp\kiler.exe
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: kiler.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 1228
CMD: choice /C Y /N /D Y /T 5
Path: C:\Windows\SysWOW64\choice.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Offers the user a choice
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
PID: 1300
CMD: taskkill /f im Wireshark.exe
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: kiler.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1348
CMD: TASKKILL /F /IM wscript.exe
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: kiler.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 2212
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2220
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\BlockproviderComponentweb\FlrU2Sw3hI88Kq0oMKFqlJBcKKk7.vbe"
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: appdata.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Windows Based Script Host
Exit code: 1
Version: 5.812.10240.16384
Modules (images):
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Total events: 39 240
Read events: 38 994
Write events: 235
Delete events: 11

Modification events

PID 5988, HAKPYTKA.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID 5988, HAKPYTKA.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID 5988, HAKPYTKA.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
PID 5988, HAKPYTKA.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
PID 3680, HAKPYTKA.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID 3680, HAKPYTKA.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID 3680, HAKPYTKA.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
PID 3680, HAKPYTKA.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
PID 4216, C.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids | Operation: write | Name: VBEFile | Value: -
PID 4216, C.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
Executable files: 14
Suspicious files: 22
Text files: 10
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3680 | HAKPYTKA.exe | C:\WINDOWS\TRXLoader.exe | executable
  MD5: 34C74DE92902C31E066659A644B18E1D
  SHA256: 0B58A2BED7D9D44E29AD6988250456C49863A23ADEB9B5AB59763352187104B3
3680 | HAKPYTKA.exe | C:\WINDOWS\appdata.exe | executable
  MD5: 84D84C88F059DCC80C8B8269BDA163D0
  SHA256: 0813184D94537F7F52E27A48733CE01AB3F8A40C807F8B1E3E876A0857270B98
4216 | C.exe | C:\BlockproviderComponentweb\kgYQjc5wMwWoy72lIZmtjG.bat | text
  MD5: 275C1FEC53C667C33472FDD3A336079D
  SHA256: 66B8E4E4726570EE50E6E41B0FFCB7E52747F6FDB6BF49C99FC394C0A1313322
3680 | HAKPYTKA.exe | C:\WINDOWS\bat.bat | text
  MD5: 78882687E53597231C9F3D7934BDF9E8
  SHA256: 00152452AF8EE061522A67570238605F9C2E1D41A92BD49FD8E476F8E824CF1A
3680 | HAKPYTKA.exe | C:\WINDOWS\kiler.exe | executable
  MD5: 8BB7F3314FFB6329E0A2E94489DF2579
  SHA256: 77D822158965FE6C07D02D6FD22590F2FD5B67B0FB2F1F0B080BF8F627687C63
4052 | system.exe | C:\ProviderwebRuntimebrokerDll\izzFCRaGHOKZ.bat | text
  MD5: F64D91A4C4737107AC4613DD1825CADD
  SHA256: 19B411874DDCBF12CC16C3973FA928EE5E63098E77A5404D2CCFE0349A93326D
884 | temp.exe | C:\Users\admin\AppData\Local\Temp\BlockproviderComponentweb\LIutJGC3.bat | text
  MD5: 95247E3C0133B8CEEA5251032B5CCCB5
  SHA256: 41BA08221F6A9180A7117CB6CD5B6E16979D43FC050EBBFAA226FB31BFA12868
4256 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_TRXLoader.exe_cad5a43cf4f261bafa7f54a998ad9dc8435e7dc9_cf265bcb_dd7c4a7a-f611-48e3-bc97-76e87fac1017\Report.wer | -
  MD5: -
  SHA256: -
4072 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_TRXLoader.exe_cad5a43cf4f261bafa7f54a998ad9dc8435e7dc9_cf265bcb_e161279d-ac07-42de-a407-e8fbdb02c426\Report.wer | -
  MD5: -
  SHA256: -
4256 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\TRXLoader.exe.4800.dmp | -
  MD5: -
  SHA256: -
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 24
TCP/UDP connections: 40
DNS requests: 14
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1972 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
3800 | RUXIMICS.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1972 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
4024 | kiler.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D | unknown | unknown
3868 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
4024 | kiler.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAkF68Ngw5AQizn%2FeDnSocM%3D | unknown | unknown
4024 | kiler.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
4024 | kiler.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | unknown
4024 | kiler.exe | GET | 200 | 192.229.221.95:80 | http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl | unknown | unknown
4024 | kiler.exe | GET | - | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3868 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
3800 | RUXIMICS.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1972 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3800 | RUXIMICS.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1972 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
3868 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
3800 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1972 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3868 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 104.119.109.218
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
watson.events.data.microsoft.com
  • 13.89.179.12
whitelisted
crl4.digicert.com
  • 192.229.221.95
whitelisted
crl3.digicert.com
  • 192.229.221.95
whitelisted
www.bing.com
  • 2.23.209.168
  • 2.23.209.166
  • 2.23.209.160
  • 2.23.209.149
  • 2.23.209.156
  • 2.23.209.167
  • 2.23.209.162
  • 2.23.209.173
  • 2.23.209.150
whitelisted
self.events.data.microsoft.com
  • 52.182.143.214
whitelisted
20.ip.gl.ply.gg
  • 147.185.221.20
malicious

Threats

PID | Process | Class | Message
608 | kiler.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
5 ETPRO signatures available at the full report
No debug info