File name:

28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad

Full analysis: https://app.any.run/tasks/e6df49a5-8005-414a-8d1e-4fbdf537409c
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Malware Trends Tracker     >>>
Analysis date: January 10, 2025, 20:55:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
snake
keylogger
stealer
telegram
ims-api
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

948A8F01FCA4EECDDBCB1C20B26A0A53

SHA1:

F1254C7C3A1051C4624072C07F725AA62FF4A316

SHA256:

28D6A2E755F646875E1ED22B6E8443E074E2FA7730D4F202FFE21C48DB789FAD

SSDEEP:

49152:atNtm2+bHSew2K1bitJ4Cg20gDq7ES2f7zf7dk4gqbmyMqOtWEpy04Y2nPulaHaP:0N82eyriJ4Cg2e1Sf5k4gkBkWEp14YQi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 6892)

    • Steals credentials from Web Browsers

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 6892)

    • SNAKEKEYLOGGER has been detected (SURICATA)

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 6892)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 6892)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 3820)

    • Application launched itself

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 3820)

    • Checks Windows Trust Settings

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 6892)

    • The process creates files with name similar to system file names

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 3820)

    • Executable content was dropped or overwritten

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 3820)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 6892)

    • Checks for external IP

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 6892)
      • svchost.exe (PID: 2192)

    • The process verifies whether the antivirus software is installed

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 6892)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 6892)

  • INFO

    • Checks supported languages

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 6892)
      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 3820)

    • Reads the computer name

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 6892)
      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 3820)

    • Creates files or folders in the user directory

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 3820)
      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 6892)

    • Checks proxy server information

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 6892)

    • The sample compiled with english language support

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 3820)

    • Create files in a temporary directory

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 3820)

    • Reads the machine GUID from the registry

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 6892)

    • Disables trace logs

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 6892)

    • Attempting to use instant messaging service

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 6892)
      • svchost.exe (PID: 2192)

    • Reads the software policy settings

      • 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe (PID: 6892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:15 22:24:36+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x34a5
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.5.0.0
ProductVersionNumber: 1.5.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: pleurosaurus obfuscates
CompanyName: mangler bronchia bedrevne
FileDescription: privatbil efterhaandsoplysning
FileVersion: 1.5.0.0
InternalName: supraocular tailorizes.exe
LegalCopyright: blindlandings
OriginalFileName: supraocular tailorizes.exe
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe #SNAKEKEYLOGGER 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
3820"C:\Users\admin\AppData\Local\Temp\28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe" C:\Users\admin\AppData\Local\Temp\28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe
explorer.exe
User:
admin
Company:
mangler bronchia bedrevne
Integrity Level:
MEDIUM
Description:
privatbil efterhaandsoplysning
Exit code:
0
Version:
1.5.0.0
Modules
Images
c:\users\admin\appdata\local\temp\28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6892"C:\Users\admin\AppData\Local\Temp\28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe" C:\Users\admin\AppData\Local\Temp\28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe
28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe
User:
admin
Company:
mangler bronchia bedrevne
Integrity Level:
MEDIUM
Description:
privatbil efterhaandsoplysning
Version:
1.5.0.0
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\users\admin\appdata\local\temp\28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
1 585
Read events
1 564
Write events
21
Delete events
0

Modification events

(PID) Process:(3820) 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeKey:HKEY_CURRENT_USER\Stormskadeserstatninger\Uninstall\Trsteprmie\kartoflerne
Operation:writeName:trsteges
Value:
0
(PID) Process:(3820) 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CLI\Start
Operation:writeName:CLI start
Value:
2
(PID) Process:(3820) 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeKey:HKEY_CURRENT_USER\SOFTWARE\Service
Operation:writeName:System_Check
Value:
kernel32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5
(PID) Process:(3820) 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeKey:HKEY_CURRENT_USER\SOFTWARE\Service
Operation:writeName:System_Check
Value:
kernel32::SetFilePointer(i r5, i 13101 , i 0,i 0)
(PID) Process:(3820) 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeKey:HKEY_CURRENT_USER\SOFTWARE\Service
Operation:writeName:System_Check
Value:
kernel32::VirtualAlloc(i 0,i 59514880, i 0x3000, i 0x40)p.r2
(PID) Process:(3820) 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeKey:HKEY_CURRENT_USER\SOFTWARE\Service
Operation:writeName:System_Check
Value:
kernel32::ReadFile(i r5, i r2, i 59514880,*i 0, i 0)
(PID) Process:(3820) 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeKey:HKEY_CURRENT_USER\SOFTWARE\Service
Operation:writeName:System_Check
Value:
user32::EnumWindows(i r2 ,i 0)
(PID) Process:(6892) 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6892) 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6892) 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
1
Suspicious files
14
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
689228d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:23A4081904D6717CFEFD1E54F4F8464B
SHA256:05D984C9511AE87AE4ADC3813089BF7882AA86FD5B14B0548AD1BDD37BA0124D
689228d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_252B35A0C9E78A87AECDDBB68FF7B1F0binary
MD5:2EDC5D8108D77867CC44FC543A7ED28C
SHA256:EC271CD4AF88C445F105DA938641271A13E0C8144FD9BCD4823D03EEE719E56C
689228d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199binary
MD5:E935BC5762068CAF3E24A2683B1B8A88
SHA256:A8ACCFCFEB51BD73DF23B91F4D89FF1A9EB7438EF5B12E8AFDA1A6FF1769E89D
689228d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199binary
MD5:6DB9CC68066CA0796832157F4547A15E
SHA256:0F0D3345D315A20864FE62F0214E245C74E5F9FBD5E5CE6E30D74255A8D08963
689228d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:92B839135741069B05829B07B6F3F3FB
SHA256:4AE12FEDBB424DA1938E2BF5B343DC175D9CDAAFD4123715BE68DDA9BB2F18C5
382028d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeC:\Users\admin\AppData\Local\Iw\Osteocele.Tirbinary
MD5:9E47063807062051CA0A82BD7A4F10BE
SHA256:79D66FF49DB8E9E21D963393FEFC4F3E5139EEB212B7F53220A66D2B145BD7D6
382028d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeC:\Users\admin\AppData\Local\Iw\Sensuousnesses.opkbinary
MD5:A4340182CDDD2EC1F1480360218343F9
SHA256:B91E5B1FF5756F0B93DCF11CBC8B467CDA0C5792DE24D27EC86E7C74388B44B3
382028d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeC:\Users\admin\AppData\Local\Iw\14-scaled.jpgimage
MD5:5C727AE28F0DECF497FBB092BAE01B4E
SHA256:77CCACF58330509839E17A6CFD6B17FE3DE31577D8E2C37DC413839BA2FEEC80
689228d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_8C0D12F01B5D981AACF8BFC375CA0F2Bbinary
MD5:CE271484F84D7DBAD46BA8244F2AE216
SHA256:A6B1D553FFBBEFD66C266B7AB788A6A37201896E8CF77E0D4BD4746CB5482BFF
382028d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exeC:\Users\admin\AppData\Local\Iw\Kbmandsskole.strbinary
MD5:4D1D72CFC5940B09DFBD7B65916F532E
SHA256:479F1904096978F1011DF05D52021FAEEE028D4CF331024C965CED8AF1C8D496
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
38
DNS requests
24
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6916
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6916
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6892
28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe
GET
200
142.250.181.227:80
http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDREXAZkIcRFgn9FoWvtnQ0
unknown
whitelisted
6892
28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe
GET
200
142.250.181.227:80
http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCtrC6LRgin8QlSmIIYAEvj
unknown
whitelisted
6892
28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe
GET
200
142.250.185.99:80
http://c.pki.goog/r/r1.crl
unknown
whitelisted
6892
28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe
GET
200
142.250.181.227:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted
6892
28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe
GET
200
193.122.130.0:80
http://checkip.dyndns.org/
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5064
SearchApp.exe
2.23.227.208:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1684
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3976
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1176
svchost.exe
20.190.159.23:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1076
svchost.exe
2.23.242.9:443
go.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
whitelisted
google.com
  • 142.250.185.238
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
login.live.com
  • 20.190.159.23
  • 20.190.159.73
  • 20.190.159.4
  • 20.190.159.75
  • 20.190.159.71
  • 20.190.159.64
  • 40.126.31.73
  • 20.190.159.2
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 2.23.242.9
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID
Process
Class
Message
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup - checkip.dyndns.org
Device Retrieving External IP Address Detected
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
Misc activity
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup - checkip.dyndns.org
Misc activity
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
Misc activity
SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup - checkip.dyndns.org
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad