File name:

1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe

Full analysis: https://app.any.run/tasks/31a6e807-ac5d-4f70-9c97-bdc1f99d1a19
Verdict: Malicious activity
Threats:

CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites with "cracked" software. It was first observed in the wild in 2019.

Analysis date: April 15, 2025, 17:56:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
cryptbot
ahk
loader
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

00199AAC9400A4F9793169130094C4CC

SHA1:

AEAB187366C367E9ED2F46EF463BC7292ECC8B0F

SHA256:

1BF7CDB7E9E4BB12B05FAC24D3B5E8756A0055898934C0AFACB08E3B469E4A74

SSDEEP:

98304:yfLIQ/yuqAPLksDVLrNe3CxkXi4nVfeL7jF1y3tnuxHrO4LqYHQzSR+vQpHrD4be:qkQBf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • AHK has been detected (YARA)

      • VC_redist.x64.exe (PID: 4560)
    • CRYPTBOT has been detected (YARA)

      • VC_redist.x64.exe (PID: 4560)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe (PID: 6184)
    • Executable content was dropped or overwritten

      • 1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe (PID: 6184)
    • There is functionality for taking screenshot (YARA)

      • 1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe (PID: 6184)
      • VC_redist.x64.exe (PID: 4560)
    • Multiple wallet extension IDs have been found

      • VC_redist.x64.exe (PID: 4560)
  • INFO

    • Reads the computer name

      • 1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe (PID: 6184)
      • VC_redist.x64.exe (PID: 4560)
    • Create files in a temporary directory

      • 1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe (PID: 6184)
    • Process checks computer location settings

      • 1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe (PID: 6184)
    • Checks supported languages

      • 1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe (PID: 6184)
      • VC_redist.x64.exe (PID: 4560)
    • Detects AutoHotkey samples (YARA)

      • VC_redist.x64.exe (PID: 4560)

CryptBot

(PID) Process: (4560) VC_redist.x64.exe
C2 (1): eihxv18sr.top
Strings (364):
HttpOpenRequestA
Files
VirtualFreeEx
GetObjectA
calloc
free
IsWow64Process
GdipCreateBitmapFromHBITMAP
ExtractFilesA
InternetOpenUrlW
PathFileExistsW
WinHttpConnect
GdipSaveImageToStream
GetModuleFileNameW
SleepEx
End.txt
RmStartSession
WinHttpReadData
OpenThread
CopyFileExW
FindFirstFileNameW
advpack.dll
gdi32.dll
wprintf
GetCurrentDirectoryA
WinHttpQueryOption
WinHttpReadDataEx
RegQueryInfoKeyA
DuplicateHandle
FindFirstFileW
InternetReadFile
"encrypted_key":"
CreateDirectoryW
Others
InternetReadFileExA
SetFilePointer
WinHttpOpenRequest
LoadLibraryExW
System Error
wnsprintfA
\CVVyMZntUg
MoveFileA
FindClose
MessageBoxA
closesocket
LoadLibraryW
SaveImageToStream
WideCharToMultiByte
urlmon.dll
CreateFileMappingW
SystemTimeToFileTime
LocalAlloc
ws2_32.dll
DeleteFileW
GetDriveTypeA
Temp
CreateDCA
rstrtmgr.dll
Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko
msvcrt.dll
CopyFileA
GetThreadId
SHAnsiToUnicode
GetTempPathW
StrStrIA
GetFileInformationByHandle
_snwprintf
GetProcessHeap
accept
GetLocaleInfoW
IStream_Size
GdiplusShutdown
SetErrorMode
cabinet.dll
atoi
GetExitCodeThread
MoveFileW
kernel32.dll
clock
RegEnumKeyExA
wsprintfA
VirtualFree
SHCreateMemStream
ShellExecuteA
$CREEN.JPEG
ntdll.dll
ExpandEnvironmentStringsA
BitBlt
malloc
FCIFlushFolder
winhttp.dll
GdipGetImageEncoders
GET
PathIsDirectoryW
URLOpenBlockingStreamA
GetTempPathA
GetFileAttributesW
WinHttpCrackUrl
URLDownloadToFileW
IsBadReadPtr
URLDownloadToFileA
VirtualAllocEx
isspace
GetTimeZoneInformation
CreateProcessA
GetTickCount
CreateRemoteThread
GetCurrentDirectoryW
TerminateProcess
LoadLibraryExA
RegQueryInfoKeyW
User's Computer Information.txt
recvfrom
/v1/upload.php
abs
ScreenShot.jpeg
WinHttpOpen
RemoveDirectoryA
GetVolumeInformationA
GdipSaveImageToFile
MultiByteToWideChar
GetConsoleMode
sprintf_s
Sleep
SHGetFolderPathW
SHGetFolderPathA
Process32NextW
StrStrIW
FindNextFileA
PathFileExistsA
HeapSize
MoveFileExA
GetObjectW
GetLogicalDriveStringsA
WinHttpQueryHeaders
DeleteObject
SelectObject
HeapCreate
VirtualProtect
ExitProcess
ole32.dll
GetSystemInfo
sprintf
GetModuleFileNameExW
advapi32.dll
SetFilePointerEx
FileTimeToDosDateTime
wnsprintfW
GetEnvironmentVariableW
GetCurrentThread
CloseHandle
DPAPI
GetCurrentProcess
RegOpenKeyExA
RegEnumKeyExW
NULL
GetModuleFileNameA
ExitThread
ReleaseDC
PathIsDirectoryA
ComSpec
CopyFileExA
_snwprintf_s
RmRegisterResources
GetModuleFileNameExA
HttpQueryInfoW
IStream_Reset
QueryPerformanceCounter
IStream_Read
GetLastError
_wtoi
HttpSendRequestA
RegQueryValueExA
HttpSendRequestW
GetFileAttributesExW
analforeverlovyu.top
CreateCompatibleBitmap
GetCommandLineA
HeapFree
vswprintf
CreateDCW
Process32FirstA
GetTempFileNameW
An error occurred while starting the application (0xc000007b). To exit the application, click OK.
vsnprintf
GetDiskFreeSpaceExA
IsWow64Process2
VirtualAlloc
winsqlite3.dll
GetSystemMetrics
HttpQueryInfoA
WriteConsoleW
GetTickCount64
RemoveDirectoryW
FCIDestroy
SHUnicodeToAnsi
GetModuleHandleA
CreateMutexA
CopyFileW
ExtractFilesW
shell32.dll
FindNextFileW
WSACleanup
MoveFileExW
FindNextFileNameW
swprintf
GetVolumeInformationW
URLOpenBlockingStreamW
MessageBoxW
GetNativeSystemInfo
CreateFileW
listen
InternetCrackUrlA
VirtualProtectEx
/index.php
InternetCloseHandle
/gate.php
wininet.dll
DeleteFileA
GetKeyboardLayoutList
GetComputerNameW
CreateToolhelp32Snapshot
DeleteDC
curl/8.0.1
RmGetList
\ServiceData
WriteConsoleA
POST
GetUserDefaultLocaleName
InternetConnectW
Desktop
CreateDirectoryA
FindNextFileNameA
GetEnvironmentVariableA
inet_addr
EnumDisplaySettingsW
HeapAlloc
CreateFileMappingA
GdipLoadImageFromFile
InternetOpenA
_vscwprintf
bind
LoadLibraryA
ShellExecuteW
GdiplusStartup
HTTPS
GetProcessId
GetDriveTypeW
GetSystemWow64DirectoryW
GetDiskFreeSpaceExW
CreateProcessW
GetProcAddress
DISPLAY
Process32FirstW
FileTimeToSystemTime
CryptUnprotectData
Process32NextA
GetCommandLineW
WinHttpAddRequestHeaders
ExpandEnvironmentStringsW
printf
\ServiceData\Clip.au3
GetSystemDirectoryW
HeapReAlloc
Apps
GetDIBits
GetFileSize
GetUserNameA
crypt32.dll
Extract
socket
Content-Length: %lu
_vscprintf
WinExec
realloc
WinHttpCloseHandle
swprintf_s
RtlGetVersion
user32.dll
GetModuleHandleExW
UserProfile
WinHttpSetOption
CoUninitialize
WaitForSingleObject
FindFirstFileExW
GetLocaleInfoA
RegOpenKeyExW
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
CreateFileA
CreateStreamOnHGlobal
GetFileAttributesExA
MapViewOfFile
_swprintf
GetBitmapBits
FindFirstFileNameA
GetDeviceCaps
FCIFlushCabinet
Browsers
\ServiceData\Clip.exe
FindFirstFileA
Wallets
CreateCompatibleDC
InternetOpenW
eihxv18sr.top
CreateMutexW
HTTP
InternetConnectA
InternetReadFileExW
GetTempFileNameA
ReadConsoleW
ReadConsoleA
LocalAppData
GetComputerNameA
gdiplus.dll
GetSystemDirectoryA
log.txt
LocalFree
WinHttpReceiveResponse
Debug.txt
strtod
AppData
wsprintfW
GetLocalTime
GetSystemWow64DirectoryA
EnumDisplaySettingsA
WSAGetLastError
GdipGetImageEncodersSize
ReadFile
GlobalMemoryStatusEx
/c schtasks /create /tn \Service\Data /tr """"%wS""" """%wS"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
CoInitialize
_snprintf
GetLogicalDriveStringsW
WriteFile
RegCloseKey
RmEndSession
LkgwUi
/zip.php
UserID.txt
ReleaseMutex
UnmapViewOfFile
InternetCrackUrlW
FCICreate
CreateThread
GetFileAttributesA
send
WSAStartup
htons
InternetOpenUrlA
WinHttpSendRequest
FCIAddFile
GetModuleHandleExA
CreateRemoteThreadEx
OpenProcess
recv
GetFileSizeEx
FindFirstFileExA
GetModuleHandleW
FreeLibrary
RegQueryValueExW
GetUserNameW
HttpOpenRequestW
StretchBlt
shlwapi.dll
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:03 07:51:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 214528
InitializedDataSize: 155648
UninitializedDataSize: -
EntryPoint: 0x21d50
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
131
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

start 1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe #CRYPTBOT vc_redist.x64.exe no specs sppextcomobj.exe no specs slui.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4560
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe
Parent process: 1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4756
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 4776
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6184
CMD: "C:\Users\admin\AppData\Local\Temp\1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe"
Path: C:\Users\admin\AppData\Local\Temp\1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events
760
Read events
760
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6184
Process: 1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe
Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe
Type: executable
MD5: 55A6592AD4D5B5B7F872EBAC29DE8148
SHA256: 63BD278B15D42D85EBD1B7C1E2C204031D2B6308E1E127626EF01C0B5E994098
HTTP(S) requests
4
TCP/UDP connections
19
DNS requests
20
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
23.48.23.158:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3300
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3300
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.158:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6544
svchost.exe
40.126.32.134:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
5496
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2112
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.48.23.158
  • 23.48.23.163
  • 23.48.23.164
  • 23.48.23.160
  • 23.48.23.174
  • 23.48.23.173
  • 23.48.23.159
  • 23.48.23.166
  • 23.48.23.169
whitelisted
login.live.com
  • 40.126.32.134
  • 20.190.160.131
  • 20.190.160.5
  • 40.126.32.136
  • 20.190.160.128
  • 20.190.160.66
  • 20.190.160.130
  • 20.190.160.20
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
eihxv18sr.top
malicious
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
No debug info