File name: 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe

Full analysis: https://app.any.run/tasks/542688b1-b253-433d-9212-c8f68d471755
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: September 14, 2024, 18:38:17
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: ransomware, sodinokibi, revil
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 44C753ED1FAEC948B0D98BC9BA047469
SHA1: 1AA2D575752DCFA73EA8BD2FA666E18588BE353C
SHA256: 6628DE7FFBBE168A4FA9FF0A1A29B54E88A32E5963DB0DD1AEA4B80102C8CE01
SSDEEP: 6144:zona6Yqyo8L8aGub62Vi4fd2mgwSQMtI:ziYqD840fdL6tt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • SODINOKIBI has been detected (YARA)

      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 964)
    • Renames files like ransomware

      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 964)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 3176)
      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 6296)
    • Starts POWERSHELL.EXE for commands execution

      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 964)
      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 752)
    • Application launched itself

      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 3176)
      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 6296)
    • Base64-obfuscated command line is found

      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 964)
      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 752)
    • BASE64 encoded PowerShell command has been detected

      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 964)
      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 752)
    • Creates file in the systems drive root

      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 964)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2268)
  • INFO

    • Checks supported languages

      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 3176)
      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 964)
      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 6296)
      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 752)
    • Reads the computer name

      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 3176)
      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 964)
      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 752)
      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 6296)
    • The process uses the downloaded file

      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 3176)
      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 6296)
    • Process checks computer location settings

      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 3176)
      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 6296)
    • Creates files in the program directory

      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 964)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6796)
    • Manual execution by a user

      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 6296)
    • Create files in a temporary directory

      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 964)
      • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (PID: 752)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:02:11 20:03:39+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 97280
InitializedDataSize: 72704
UninitializedDataSize: -
EntryPoint: 0x10ae9
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 184
Monitored processes: 11
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes in graph order (nodes the graph labels "no specs" carry no detection tag):
  • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (no specs)
  • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe #SODINOKIBI
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • unsecapp.exe (no specs)
  • vssvc.exe (no specs)
  • rundll32.exe (no specs)
  • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe (no specs)
  • 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
  • powershell.exe (no specs)
  • conhost.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 752
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 752
CMD: "C:\Users\admin\AppData\Local\Temp\6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe"
Path: C:\Users\admin\AppData\Local\Temp\6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
Parent process: 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 964
CMD: "C:\Users\admin\AppData\Local\Temp\6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe"
Path: C:\Users\admin\AppData\Local\Temp\6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
Parent process: 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2268
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3176
CMD: "C:\Users\admin\AppData\Local\Temp\6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe"
Path: C:\Users\admin\AppData\Local\Temp\6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 4192
CMD: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
Decoded -e argument (base64 of UTF-16LE text): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} (deletes the volume shadow copies, which is consistent with VSSVC.exe being started as a service, PID 2268)
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 6296
CMD: "C:\Users\admin\AppData\Local\Temp\6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe"
Path: C:\Users\admin\AppData\Local\Temp\6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 6504
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6576
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 6796
CMD: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
Decoded -e argument (base64 of UTF-16LE text): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} (the same shadow-copy deletion command as PID 4192; this is the instance whose script raised an exception, per the INFO indicators above)
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events: 9 675
Read events: 9 669
Write events: 6
Delete events: 0

Modification events

(PID) Process: (964) 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GitForWindows
Operation: write
Name: aaH
Value: 31610082D3961B047CF53D07CE4D4F43EAE8AA37DB3BD9688094656A40FA0826

(PID) Process: (964) 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GitForWindows
Operation: write
Name: fdle
Value: 9D8B365E5CA934567D41F2A99431FBEAF57F7D7672ECF5140B01627F8B0F3828

(PID) Process: (964) 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GitForWindows
Operation: write
Name: 1TfXk
Value: FB00C9AFADCE55CEB0C7EA811818CDDA9B4CC3720B9E05D4C2AA1F9605123D44185010FCF96042C92567CA0582DF79251E0D0FB6136A5FA7AE98C4162345EFCAAF6E652606F7E77973FB00576D1520DF44C2536E913E3CD8

(PID) Process: (964) 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GitForWindows
Operation: write
Name: 2YEdLY
Value: 6A33A2EB9DC9E02C183E543D10E08AA2E4DC9F5082114CADAB0AAB0495251699FA190DD3AAA8D5347691F4F989CDFC24F0F002411F542A84D341F7F57A1EEB3B24F08B561231FC51349D457F288FD4CD62C8E64A0FC52072

(PID) Process: (964) 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GitForWindows
Operation: write
Name: AaZW1s3
Value: .nq5rl3p382

(PID) Process: (964) 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GitForWindows
Operation: write
Name: QaUXNv2P
Value:

All six writes by PID 964 go to the same key, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GitForWindows. The value .nq5rl3p382 stored under AaZW1s3 is the extension that the dropped-files list below shows appended to encrypted files (C:\BOOTNXT.nq5rl3p382, C:\$WinREAgent\Rollback.xml.nq5rl3p382) and used in the nq5rl3p382-readme.txt ransom-note file names.
Executable files: 0
Suspicious files: 224
Text files: 4
Unknown types: 2

Dropped files

PID | Process | Filename | Type
6796 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_djofhade.woj.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
964 | 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe | C:\BOOTNXT.nq5rl3p382 | binary
  MD5: CB651B5562688F5E0990194F0496373C
  SHA256: CDD7808248662CF557DB8CB832002509DFA6BB1B8B926FA9035E4A7582D761A9
964 | 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe | C:\BOOTNXT | binary
  MD5: CB651B5562688F5E0990194F0496373C
  SHA256: CDD7808248662CF557DB8CB832002509DFA6BB1B8B926FA9035E4A7582D761A9
964 | 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe | C:\Program Files\nq5rl3p382-readme.txt | binary
  MD5: 738275AF4E2A9AB9E5E203130EED52D0
  SHA256: 8D93F5E48C88799E19D19839506C7F5F6A201D5E1F350903F9DA32A29D00DC11
964 | 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe | C:\Users\nq5rl3p382-readme.txt | binary
  MD5: 738275AF4E2A9AB9E5E203130EED52D0
  SHA256: 8D93F5E48C88799E19D19839506C7F5F6A201D5E1F350903F9DA32A29D00DC11
964 | 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe | C:\Program Files (x86)\nq5rl3p382-readme.txt | binary
  MD5: 738275AF4E2A9AB9E5E203130EED52D0
  SHA256: 8D93F5E48C88799E19D19839506C7F5F6A201D5E1F350903F9DA32A29D00DC11
964 | 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe | C:\bootTel.dat | binary
  MD5: 831B8D31B3479D8A310FCF43BDCFF54C
  SHA256: EFA5797DD00FC3FD8C1D5895D8E788E6D5221F67B83D761744F9498B0A5EB474
964 | 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe | C:\Recovery\nq5rl3p382-readme.txt | binary
  MD5: 738275AF4E2A9AB9E5E203130EED52D0
  SHA256: 8D93F5E48C88799E19D19839506C7F5F6A201D5E1F350903F9DA32A29D00DC11
964 | 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe | C:\$WinREAgent\Rollback.xml | binary
  MD5: 343B3C182D0CF9B866E1E7579D877684
  SHA256: 9F154225BDFC109231FE9D52F4E2AC6821DE270CB327CDA62EAB48BF19D78F21
964 | 6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe | C:\$WinREAgent\Rollback.xml.nq5rl3p382 | binary
  MD5: 343B3C182D0CF9B866E1E7579D877684
  SHA256: 9F154225BDFC109231FE9D52F4E2AC6821DE270CB327CDA62EAB48BF19D78F21
HTTP(S) requests: 20
TCP/UDP connections: 88
DNS requests: 61
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
7008 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6808 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
2660 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6808 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
5164 | svchost.exe | HEAD | 200 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8699fac5-cf38-4f97-a2f8-fb1e47f5e54e?P1=1726550199&P2=404&P3=2&P4=kP1w1NUMKdVS2V2Uct8JNT5JPM4Zlel4h4Zj9C0ydsYo9m5FNScklrZtnG7%2bMh07c0xAmDe2vF6R56d9nQ%2b%2f0w%3d%3d | unknown | whitelisted
5164 | svchost.exe | GET | 206 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8699fac5-cf38-4f97-a2f8-fb1e47f5e54e?P1=1726550199&P2=404&P3=2&P4=kP1w1NUMKdVS2V2Uct8JNT5JPM4Zlel4h4Zj9C0ydsYo9m5FNScklrZtnG7%2bMh07c0xAmDe2vF6R56d9nQ%2b%2f0w%3d%3d | unknown | whitelisted
5164 | svchost.exe | GET | 206 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8699fac5-cf38-4f97-a2f8-fb1e47f5e54e?P1=1726550199&P2=404&P3=2&P4=kP1w1NUMKdVS2V2Uct8JNT5JPM4Zlel4h4Zj9C0ydsYo9m5FNScklrZtnG7%2bMh07c0xAmDe2vF6R56d9nQ%2b%2f0w%3d%3d | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6420 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7008 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
7008 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3260 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2660 | svchost.exe | 20.190.160.14:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2660 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.206 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146 | whitelisted
www.microsoft.com | 88.221.169.152, 184.30.21.171 | whitelisted
client.wns.windows.com | 40.115.3.253, 40.113.110.67 | whitelisted
login.live.com | 20.190.160.14, 40.126.32.138, 40.126.32.133, 40.126.32.140, 40.126.32.74, 20.190.160.17, 40.126.32.68, 40.126.32.134, 40.126.32.76, 20.190.160.22, 40.126.32.136 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
slscr.update.microsoft.com | 52.165.165.26 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted
www.bing.com | 184.86.251.18, 184.86.251.16, 184.86.251.22, 184.86.251.21, 184.86.251.25, 184.86.251.28, 184.86.251.17, 184.86.251.20, 184.86.251.19, 184.86.251.7, 184.86.251.5, 184.86.251.30, 184.86.251.4, 184.86.251.8, 184.86.251.24 | whitelisted
r.bing.com | 184.86.251.17, 184.86.251.22, 184.86.251.28, 184.86.251.24, 184.86.251.21, 184.86.251.20, 184.86.251.15, 184.86.251.14, 184.86.251.4 | whitelisted

Threats

No threats detected
No debug info