File name: Paysafecard_bekommen.exe

Full analysis: https://app.any.run/tasks/b933733c-519e-446a-966f-e12cc23c7583
Verdict: Malicious activity
Threats:

Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.

Analysis date: May 26, 2025, 19:24:51
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
rat
orcus
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 796A2A42325218585C3376753AD59972
SHA1: 53DA2671FB13C1A9895C20A928172DF26D18F526
SHA256: 4D04D42CFE479FEED8D1B6DEABE90BC92C5B1DED049329093C821447DF16594B
SSDEEP: 24576:5sQ3d3P51k22nQE7Wj6wogps/+LLjhvdUUgiWNVYdrZlI0AilFEvxHiW6s:5sKd3P51k22nQE7Wj6wogps/+L/hbWNC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Orcus is detected

      • Paysafecard_bekommen.exe (PID: 2692)
      • Paysafecard_bekommen.exe (PID: 948)
      • Orcus.exe (PID: 3408)
      • Orcus.exe (PID: 1084)
    • ORCUS has been detected (YARA)

      • Orcus.exe (PID: 1084)
    • Changes the autorun value in the registry

      • Orcus.exe (PID: 1084)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • csc.exe (PID: 868)
      • csc.exe (PID: 2188)
      • Paysafecard_bekommen.exe (PID: 948)
    • Reads the Internet Settings

      • Paysafecard_bekommen.exe (PID: 2692)
      • Paysafecard_bekommen.exe (PID: 948)
    • Reads the date of Windows installation

      • Paysafecard_bekommen.exe (PID: 2692)
      • Paysafecard_bekommen.exe (PID: 948)
    • Reads security settings of Internet Explorer

      • Paysafecard_bekommen.exe (PID: 2692)
      • Paysafecard_bekommen.exe (PID: 948)
    • Write to the desktop.ini file (may be used to cloak folders)

      • Paysafecard_bekommen.exe (PID: 948)
    • Application launched itself

      • Paysafecard_bekommen.exe (PID: 2692)
    • Starts itself from another location

      • Paysafecard_bekommen.exe (PID: 948)
    • Connects to unusual port

      • Orcus.exe (PID: 1084)
    • There is functionality for taking screenshot (YARA)

      • Orcus.exe (PID: 1084)
  • INFO

    • Reads the machine GUID from the registry

      • Paysafecard_bekommen.exe (PID: 2692)
      • cvtres.exe (PID: 2612)
      • csc.exe (PID: 868)
      • csc.exe (PID: 2188)
      • cvtres.exe (PID: 5952)
      • Paysafecard_bekommen.exe (PID: 948)
      • Orcus.exe (PID: 1084)
      • Orcus.exe (PID: 3408)
    • Checks supported languages

      • Paysafecard_bekommen.exe (PID: 2692)
      • csc.exe (PID: 868)
      • cvtres.exe (PID: 2612)
      • Paysafecard_bekommen.exe (PID: 948)
      • cvtres.exe (PID: 5952)
      • csc.exe (PID: 2188)
      • Orcus.exe (PID: 3408)
      • Orcus.exe (PID: 1084)
    • Create files in a temporary directory

      • Paysafecard_bekommen.exe (PID: 2692)
      • cvtres.exe (PID: 2612)
      • csc.exe (PID: 868)
      • Paysafecard_bekommen.exe (PID: 948)
      • cvtres.exe (PID: 5952)
      • csc.exe (PID: 2188)
    • Reads the computer name

      • Paysafecard_bekommen.exe (PID: 2692)
      • Paysafecard_bekommen.exe (PID: 948)
      • Orcus.exe (PID: 3408)
      • Orcus.exe (PID: 1084)
    • Creates files or folders in the user directory

      • Paysafecard_bekommen.exe (PID: 2692)
      • Orcus.exe (PID: 3408)
    • Creates files in the program directory

      • Paysafecard_bekommen.exe (PID: 948)
    • Manual execution by a user

      • Orcus.exe (PID: 3408)
    • Launch of the file from Registry key

      • Orcus.exe (PID: 1084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Orcus

Process (PID 1084): Orcus.exe
C2 (1): 91.218.65.24:10134
Keys
AES: fa9e1429db4b657edbcde9be2c1960aa74305077e2a592c01c9aaa2e98ad14db
Salt: -
Options
AutostartBuilderProperty
AutostartMethod: Registry
TaskSchedulerTaskName: Orcus
TaskHighestPrivileges: true
RegistryHiddenStart: true
RegistryKeyName: System
TryAllAutostartMethodsOnFail: true
ChangeAssemblyInformationBuilderProperty
ChangeAssemblyInformation: true
AssemblyTitle: paysafecard
AssemblyDescription: null
AssemblyCompanyName: null
AssemblyProductName: null
AssemblyCopyright: null
AssemblyTrademarks: null
AssemblyProductVersion: 1.0.0.0
AssemblyFileVersion: 1.0.0.0
ChangeCreationDateBuilderProperty
IsEnabled: false
NewCreationDate: 2019-06-09T21:34:41
ChangeIconBuilderProperty
ChangeIcon: true
IconPath: C:\Users\Administrator\Downloads\paysafe-card.ico
ClientTagBuilderProperty
ClientTag: null
DataFolderBuilderProperty
Path: %appdata%\Orcus
DefaultPrivilegesBuilderProperty
RequireAdministratorRights: false
DisableInstallationPromptBuilderProperty
IsDisabled: false
FrameworkVersionBuilderProperty
FrameworkVersion: NET35
HideFileBuilderProperty
HideFile: true
InstallationLocationBuilderProperty
Path: %programfiles%\Orcus\Orcus.exe
InstallBuilderProperty
Install: true
KeyloggerBuilderProperty
IsEnabled: true
MutexBuilderProperty
Mutex: fd6ceba7b8b64b48a497798c7a31c837
ProxyBuilderProperty
ProxyOption: None
ProxyAddress: null
ProxyPort: 1080
ProxyType: 2
ReconnectDelayProperty
Delay: 10000
RequireAdministratorPrivilegesInstallerBuilderProperty
RequireAdministratorPrivileges: true
RespawnTaskBuilderProperty
IsEnabled: false
TaskName: Orcus Respawner
ServiceBuilderProperty
Install: false
SetRunProgramAsAdminFlagBuilderProperty
SetFlag: false
WatchdogBuilderProperty
IsEnabled: false
Name: OrcusWatchdog.exe
WatchdogLocation: AppData
PreventFileDeletion: false
Plugins (0)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:06:09 19:42:33+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 920064
InitializedDataSize: 11264
UninitializedDataSize: -
EntryPoint: 0xe299e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.0
InternalName: paysafecard
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: Orcus.exe
ProductName: -
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes
111
Monitored processes
10
Malicious processes
4
Suspicious processes
0

Behavior graph

Process nodes in the graph, in display order (#ORCUS marks nodes tagged with the Orcus detection):

  • start
  • paysafecard_bekommen.exe (#ORCUS)
  • csc.exe
  • conhost.exe
  • cvtres.exe
  • paysafecard_bekommen.exe (#ORCUS)
  • csc.exe
  • conhost.exe
  • cvtres.exe
  • orcus.exe (#ORCUS)
  • orcus.exe (#ORCUS)

Process information

PID: 868
CMD: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\p6ejog5m.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
Parent process: Paysafecard_bekommen.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.9157 (WinRelRS6.050727-9100)
Modules
Images
c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\msvcp_win.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9680_none_88e394a52fab6222\msvcr80.dll
c:\windows\system32\ucrtbase.dll
PID: 948
CMD: "C:\Users\admin\Desktop\Paysafecard_bekommen.exe" /wait
Path: C:\Users\admin\Desktop\Paysafecard_bekommen.exe
Parent process: Paysafecard_bekommen.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\paysafecard_bekommen.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1084
CMD: "C:\Program Files\Orcus\Orcus.exe"
Path: C:\Program Files\Orcus\Orcus.exe
Parent process: Paysafecard_bekommen.exe
User:
admin
Integrity Level:
HIGH
Version:
1.0.0.0
Modules
Images
c:\program files\orcus\orcus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1160
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 2188
CMD: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\itfqwghx.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
Parent process: Paysafecard_bekommen.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.9157 (WinRelRS6.050727-9100)
Modules
Images
c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9680_none_88e394a52fab6222\msvcr80.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\msvcrt.dll
PID: 2612
CMD: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES5951.tmp" "c:\Users\admin\AppData\Local\Temp\CSC5950.tmp"
Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.9680 (WinRelRS6.050727-9100)
Modules
Images
c:\windows\microsoft.net\framework64\v2.0.50727\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9680_none_88e394a52fab6222\msvcr80.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2692
CMD: "C:\Users\admin\Desktop\Paysafecard_bekommen.exe"
Path: C:\Users\admin\Desktop\Paysafecard_bekommen.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\paysafecard_bekommen.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3408
CMD: "C:\Program Files\Orcus\Orcus.exe"
Path: C:\Program Files\Orcus\Orcus.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\program files\orcus\orcus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
PID: 5672
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 5952
CMD: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES7E2E.tmp" "c:\Users\admin\AppData\Local\Temp\CSC7E2D.tmp"
Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.9680 (WinRelRS6.050727-9100)
Modules
Images
c:\windows\microsoft.net\framework64\v2.0.50727\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9680_none_88e394a52fab6222\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
1 511
Read events
1 493
Write events
18
Delete events
0

Modification events

Process: (2692) Paysafecard_bekommen.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (2692) Paysafecard_bekommen.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (2692) Paysafecard_bekommen.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (2692) Paysafecard_bekommen.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (948) Paysafecard_bekommen.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (948) Paysafecard_bekommen.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (948) Paysafecard_bekommen.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (948) Paysafecard_bekommen.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (948) Paysafecard_bekommen.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D28010000BD0E0C47735D584D9CEDE91E22E23282290100006078A409B011A54DAFA526D86198A7801302000060B81DB4E464D2119906E49FADC173CAD40100000114020000000000C000000000000046BF020000

Process: (1084) Orcus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: System
Value: "C:\Program Files\Orcus\Orcus.exe"
Executable files
3
Suspicious files
5
Text files
10
Unknown types
0

Dropped files

PID | Process | Filename | Type

868 | csc.exe | C:\Users\admin\AppData\Local\Temp\p6ejog5m.out | text
MD5: 3777DE410A1105DF05C06DB0261424D8
SHA256: 90E8E9EC01C8C1A92CE0DBECB8FCDB42A138CF80CA2FD06CED6E71D27F1AC258

2692 | Paysafecard_bekommen.exe | C:\Users\admin\AppData\Local\Temp\p6ejog5m.0.cs | text
MD5: A59BD4AB1E0DF53582D9F74CAD1EDBC0
SHA256: 4CC7C2C13D1534340F61412312B8E2E7BBEC52D4A8003BAD4AB27F766BE5DB64

868 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC5950.tmp | binary
MD5: 282E3A8EF3E0F428C53538034A5F14C0
SHA256: 5B3DC68011ABC968FF5351D8AEF0E956216F9898651B5A2C6564094061C6D3ED

2692 | Paysafecard_bekommen.exe | C:\Users\admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Paysafecard_bekommen.exe.log | text
MD5: 7055D791013082485EA6F118CB552462
SHA256: 4C8848096B86351CA097A6B94C33E5FC6CEAE75DFA85964A0F8C784F81785173

948 | Paysafecard_bekommen.exe | C:\Windows\assembly\Desktop.ini | binary
MD5: F7F759A5CD40BC52172E83486B6DE404
SHA256: A709C2551B8818D7849D31A65446DC2F8C4CCA2DCBBC5385604286F49CFDAF1C

948 | Paysafecard_bekommen.exe | C:\Users\admin\AppData\Local\Temp\itfqwghx.0.cs | text
MD5: C36D190FBFD7F1720A8D9B1512829702
SHA256: 9E6910B31017F8230FB8AF32EDC7F0F6D837540D247BF3EDA620E6C2A1CBE126

948 | Paysafecard_bekommen.exe | C:\Users\admin\AppData\Local\Temp\itfqwghx.cmdline | text
MD5: B074F7945BB6176753DB886626AC984F
SHA256: E6F6479748AB0C76EC9F4ED7CD8A170FCF88B82424E7705D7B6AE645FBFF3670

2188 | csc.exe | C:\Users\admin\AppData\Local\Temp\itfqwghx.dll | executable
MD5: D66202EA187AB659808EEAE90C471DD1
SHA256: BFC0A51910D90939AF564C750AF0529555CA08D20332A0CB693028D799432CFC

2188 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC7E2D.tmp | binary
MD5: FA9C263C49D7209423DD9AFF76656846
SHA256: 68DC483822E4CE0D8E10A9D95FC150F5704B169CFA1C06CF166ADE5B245B84D7

5952 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES7E2E.tmp | binary
MD5: 1F405D27CE742B12570455B7C5379EBC
SHA256: 71D459170B2800D136B6D8A9ED6608FF9209F879DF48D125B475D897526D02C3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
29
DNS requests
9
Threats
2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | HEAD | 200 | 23.212.222.21:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | - | - | -
- | - | POST | 200 | 20.191.45.158:443 | https://checkappexec.microsoft.com/windows/shell/actions | unknown | binary | 182 b | whitelisted
1352 | svchost.exe | GET | 200 | 184.24.77.4:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | - | - | whitelisted
2576 | smartscreen.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?aa7b47d57d7a5f18 | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.75:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 40.126.31.69:443 | https://login.live.com/RST2.srf | unknown | - | - | whitelisted
- | - | GET | 200 | 23.212.222.21:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | binary | 55 b | whitelisted
- | - | POST | 200 | 20.189.173.6:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?364df18d80c9fc5b | unknown | - | - | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6fdd1136c0f80710 | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1352 | svchost.exe | 184.24.77.4:80 | - | Akamai International B.V. | DE | unknown
2576 | smartscreen.exe | 20.56.187.20:443 | checkappexec.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2576 | smartscreen.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted
4632 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3640 | svchost.exe | 20.190.160.65:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4132 | svchost.exe | 23.212.222.21:443 | fs.microsoft.com | AKAMAI-AS | AU | whitelisted
2776 | svchost.exe | 51.104.15.252:443 | v10.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
1084 | Orcus.exe | 91.218.65.24:10134 | - | SYNLINQ | DE | unknown
2768 | svchost.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.78
whitelisted
checkappexec.microsoft.com
  • 20.56.187.20
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
login.live.com
  • 20.190.160.65
  • 20.190.160.4
  • 20.190.160.66
  • 20.190.160.64
  • 40.126.32.68
  • 20.190.160.128
  • 20.190.160.17
  • 40.126.32.133
whitelisted
fs.microsoft.com
  • 23.212.222.21
whitelisted
v10.events.data.microsoft.com
  • 51.104.15.252
whitelisted
self.events.data.microsoft.com
  • 52.182.143.215
whitelisted

Threats

PID | Process | Class | Message
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
1352 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test
No debug info