Malware analysis Verstecki.exe Malicious activity | ANY.RUN

Add for printing

File name:	Verstecki.exe
Full analysis:	https://app.any.run/tasks/3f024777-e717-49d7-ad36-e02f73fbd21c
Verdict:	Malicious activity
Analysis date:	May 19, 2025, 17:36:08
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	evasion
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	8C516CA608030E3E1D61375730B2AA99
SHA1:	EE0DC02BCDD62F324AC14EB6F966BE17E0E5A203
SHA256:	1ACBE118B66EE76B74276EBA29BD044CE4F080F8D359E59D231E8DC3AACFFB2D
SSDEEP:	12288:EjV8Uox9oUFydRxsQPyhv7qtoc3J851Jq//mq//06Kz6Ei:rAY5qtPJ85PnLPzDi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Verstecki.exe (PID: 6668)
  - proxy.exe (PID: 4424)
  - proxy.exe (PID: 2552)
  - sysproxy.exe (PID: 812)
  - sysproxy.exe (PID: 5116)
  - sysproxy.exe (PID: 5132)
  - sysproxy.exe (PID: 5172)
  - sysproxy.exe (PID: 5084)
- Executable content was dropped or overwritten
  - Verstecki.exe (PID: 6668)
- Reads Microsoft Outlook installation path
  - proxy.exe (PID: 4424)
  - proxy.exe (PID: 2552)
- Reads Internet Explorer settings
  - proxy.exe (PID: 4424)
  - proxy.exe (PID: 2552)
- Checks for external IP
  - proxy.exe (PID: 4424)
  - svchost.exe (PID: 2196)
  - proxy.exe (PID: 2552)
- Connects to unusual port
  - proxy.exe (PID: 2552)
- Starts CMD.EXE for commands execution
  - proxy.exe (PID: 2552)
- Executing commands from a ".bat" file
  - proxy.exe (PID: 2552)
INFO
- Reads the computer name
  - Verstecki.exe (PID: 6668)
  - proxy.exe (PID: 4424)
  - proxy.exe (PID: 2552)
  - sysproxy.exe (PID: 5116)
  - sysproxy.exe (PID: 5132)
  - sysproxy.exe (PID: 812)
  - sysproxy.exe (PID: 5172)
  - sysproxy.exe (PID: 5084)
- Create files in a temporary directory
  - Verstecki.exe (PID: 6668)
- Process checks computer location settings
  - Verstecki.exe (PID: 6668)
  - proxy.exe (PID: 2552)
- Checks supported languages
  - Verstecki.exe (PID: 6668)
  - proxy.exe (PID: 4424)
  - proxy.exe (PID: 2552)
  - sysproxy.exe (PID: 812)
  - sysproxy.exe (PID: 5116)
  - sysproxy.exe (PID: 5172)
  - sysproxy.exe (PID: 5084)
  - sysproxy.exe (PID: 5132)
- Reads the machine GUID from the registry
  - proxy.exe (PID: 4424)
  - proxy.exe (PID: 2552)
- Creates files or folders in the user directory
  - proxy.exe (PID: 4424)
  - proxy.exe (PID: 2552)
- Checks proxy server information
  - proxy.exe (PID: 4424)
  - proxy.exe (PID: 2552)
  - sysproxy.exe (PID: 5116)
  - sysproxy.exe (PID: 812)
  - slui.exe (PID: 2420)
  - sysproxy.exe (PID: 5132)
  - sysproxy.exe (PID: 5172)
  - sysproxy.exe (PID: 5084)
- Manual execution by a user
  - WinRAR.exe (PID: 6540)
  - notepad.exe (PID: 5384)
  - proxy.exe (PID: 2552)
  - notepad.exe (PID: 7152)
  - notepad.exe (PID: 2320)
  - notepad.exe (PID: 2064)
  - notepad.exe (PID: 6072)
  - notepad.exe (PID: 3796)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6540)
- Reads security settings of Internet Explorer
  - notepad.exe (PID: 5384)
  - notepad.exe (PID: 7152)
  - notepad.exe (PID: 2320)
  - notepad.exe (PID: 2064)
  - notepad.exe (PID: 6072)
  - notepad.exe (PID: 3796)
- Reads the software policy settings
  - slui.exe (PID: 5972)
  - slui.exe (PID: 2420)
- Disables trace logs
  - sysproxy.exe (PID: 5116)
  - sysproxy.exe (PID: 812)
  - sysproxy.exe (PID: 5132)
  - sysproxy.exe (PID: 5172)
  - sysproxy.exe (PID: 5084)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:06:11 09:16:47+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	201728
InitializedDataSize:	79872
UninitializedDataSize:	-
EntryPoint:	0x1eef0
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

159

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

812

sysproxy on 38.137.179.244 999

C:\Users\admin\Desktop\Verstecki\sysproxy.exe

—

cmd.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\verstecki\sysproxy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

900

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

2064

"C:\WINDOWS\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\Verstecki\on.bat

C:\Windows\System32\notepad.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Notepad

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

2136

C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\Verstecki\off.bat" "

C:\Windows\SysWOW64\cmd.exe

—

proxy.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2196

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2320

"C:\WINDOWS\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\Verstecki\off.bat

C:\Windows\System32\notepad.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Notepad

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

2420

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2552

"C:\Users\admin\Desktop\Verstecki\proxy.exe"

C:\Users\admin\Desktop\Verstecki\proxy.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

proxy

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\verstecki\proxy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

3180

C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\Verstecki\off.bat" "

C:\Windows\SysWOW64\cmd.exe

—

proxy.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3796

"C:\WINDOWS\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\Verstecki\off.bat

C:\Windows\System32\notepad.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Notepad

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

Add for printing

Total events

7 154

Read events

7 124

Write events

Delete events

Modification events


(PID) Process:	(4424) proxy.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(4424) proxy.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4424) proxy.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(4424) proxy.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch
Operation:	write	Name:	Version
Value: WS not running
(PID) Process:	(4424) proxy.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:	write	Name:	DisableFirstRunCustomize
Value: 1
(PID) Process:	(4424) proxy.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation:	delete value	Name:	AddToFavoritesInitialSelection
Value:
(PID) Process:	(4424) proxy.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation:	delete value	Name:	AddToFeedsInitialSelection
Value:
(PID) Process:	(6540) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6540) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6540) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6668	Verstecki.exe	C:\Users\admin\AppData\Local\Temp\Verstecki\off.bat		text
		MD5:D6A72512B7299CD617C46921DE2E3E57	SHA256:839B3CC35C26B6BD03A15A1CB9DCD663CF18E40408233270F609C87DB40A1BB4
6668	Verstecki.exe	C:\Users\admin\AppData\Local\Temp\Verstecki\proxy.exe		executable
		MD5:E54AE14A6A56FD181A3D46CAC0FFEAF6	SHA256:0A758D1B371979D5B53DC9A5D566F756BB52BC7B4AAD22A851CEE11AC2DCC906
4424	proxy.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\line[1].txt		text
		MD5:A39AAE7B7D3FEBB7A7454F93AE1C3702	SHA256:14C5EE1E0802556D3D1C4BE8E60C9AF27624561F5B5461E21C2D66D52D445510
6540	WinRAR.exe	C:\Users\admin\Desktop\Verstecki\off.bat		text
		MD5:D6A72512B7299CD617C46921DE2E3E57	SHA256:839B3CC35C26B6BD03A15A1CB9DCD663CF18E40408233270F609C87DB40A1BB4
6540	WinRAR.exe	C:\Users\admin\Desktop\Verstecki\proxy.exe		executable
		MD5:E54AE14A6A56FD181A3D46CAC0FFEAF6	SHA256:0A758D1B371979D5B53DC9A5D566F756BB52BC7B4AAD22A851CEE11AC2DCC906
6540	WinRAR.exe	C:\Users\admin\Desktop\Verstecki\sysproxy.exe		executable
		MD5:380D58A33FAF71547FB97C3FC12A38A9	SHA256:A918AA182DD57A545B0416E406432A6D09D1232AA0C33A0969DCD39A432D0D6B
2552	proxy.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\line[1].txt		text
		MD5:A39AAE7B7D3FEBB7A7454F93AE1C3702	SHA256:14C5EE1E0802556D3D1C4BE8E60C9AF27624561F5B5461E21C2D66D52D445510
6668	Verstecki.exe	C:\Users\admin\AppData\Local\Temp\Verstecki\on.bat		text
		MD5:829C4553AC0215C7CC76BB5FA9C01B26	SHA256:7E225A2D5C51769C400CCD13B75F01C675317CE560F662699121D60160E5A110
6668	Verstecki.exe	C:\Users\admin\AppData\Local\Temp\Verstecki\sysproxy.exe		executable
		MD5:380D58A33FAF71547FB97C3FC12A38A9	SHA256:A918AA182DD57A545B0416E406432A6D09D1232AA0C33A0969DCD39A432D0D6B
2552	proxy.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\line[2].txt		text
		MD5:A39AAE7B7D3FEBB7A7454F93AE1C3702	SHA256:14C5EE1E0802556D3D1C4BE8E60C9AF27624561F5B5461E21C2D66D52D445510

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.216.77.22:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4424	proxy.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=8721	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5376	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5376	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
2552	proxy.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=8721	unknown	—	—	whitelisted
2552	proxy.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=8721	unknown	—	—	whitelisted
2552	proxy.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=8721	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.216.77.22:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4424	proxy.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.159.75:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6544	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 20.73.194.208	whitelisted
crl.microsoft.com	23.216.77.22 23.216.77.16 23.216.77.13 23.216.77.20 23.216.77.10 23.216.77.11 23.216.77.18 23.216.77.19 23.216.77.15	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	142.250.186.174	whitelisted
ip-api.com	208.95.112.1	whitelisted
client.wns.windows.com	172.211.123.248 172.211.123.249	whitelisted
login.live.com	20.190.159.75 40.126.31.67 20.190.159.131 40.126.31.130 20.190.159.2 20.190.159.129 20.190.159.73 40.126.31.2	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted

Threats

PID	Process	Class	Message
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
4424	proxy.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2552	proxy.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
2552	proxy.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
2552	proxy.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com

Add for printing

No debug info

General Info

Verstecki.exe

8C516CA608030E3E1D61375730B2AA99

EE0DC02BCDD62F324AC14EB6F966BE17E0E5A203

1ACBE118B66EE76B74276EBA29BD044CE4F080F8D359E59D231E8DC3AACFFB2D

12288:EjV8Uox9oUFydRxsQPyhv7qtoc3J851Jq//mq//06Kz6Ei:rAY5qtPJ85PnLPzDi

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

Checks for external IP

Connects to unusual port

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

INFO

Reads the computer name

Create files in a temporary directory

Process checks computer location settings

Checks supported languages

Reads the machine GUID from the registry

Creates files or folders in the user directory

Checks proxy server information

Manual execution by a user

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the software policy settings

Disables trace logs

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings