File name: fan.exe
Full analysis: https://app.any.run/tasks/225b9e78-6bdd-4105-aa13-d530d932f25e
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: June 02, 2025, 15:45:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: everything, tool, mimic, ransomware, confuser
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: D425A0D55F6DA520603F11CB881F1D01
SHA1: F29B678C120F3F0CE7620BBADA2FDEC74641C90E
SHA256: 6C1438DBC31ABE78FC66969AC22774D908F49A5310075CABED819DCC593809D1
SSDEEP: 98304:ZDQPps2E6S1RNJ31LawGx8lh6fPEXPYKzUyvtHLjAJ7MY2E8Oig7wQW439xFcOaF:khunY3UsHybV5eBi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • rt3x.exe (PID: 5720)
    • Known privilege escalation attack

      • dllhost.exe (PID: 6820)
    • MIMIC has been detected (YARA)

      • srtcjm.exe (PID: 4268)
      • srtcjm.exe (PID: 8128)
      • srtcjm.exe (PID: 6464)
      • srtcjm.exe (PID: 8156)
    • MIMIC mutex has been found

      • srtcjm.exe (PID: 4268)
      • srtcjm.exe (PID: 6464)
      • srtcjm.exe (PID: 8128)
    • Executing a file with an untrusted certificate

      • DC.exe (PID: 7788)
      • DC.exe (PID: 5820)
      • DC.exe (PID: 496)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1120)
      • powershell.exe (PID: 5364)
      • powershell.exe (PID: 2332)
    • Disables the Shutdown in the Start menu

      • srtcjm.exe (PID: 4268)
    • Changes image file execution options

      • srtcjm.exe (PID: 4268)
    • UAC/LUA settings modification

      • srtcjm.exe (PID: 4268)
    • Changes powershell execution policy (Bypass)

      • srtcjm.exe (PID: 4268)
    • Disables Windows Defender

      • DC.exe (PID: 7788)
      • DC.exe (PID: 496)
      • DC.exe (PID: 5820)
    • Creates or modifies Windows services

      • DC.exe (PID: 5820)
    • Using BCDEDIT.EXE to modify recovery options

      • srtcjm.exe (PID: 4268)
    • RANSOMWARE has been detected

      • srtcjm.exe (PID: 4268)
    • Deletes shadow copies

      • srtcjm.exe (PID: 4268)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • fan.exe (PID: 1672)
      • 7za.exe (PID: 5364)
      • rt3x.exe (PID: 5720)
      • srtcjm.exe (PID: 4268)
    • Drops 7-zip archiver for unpacking

      • fan.exe (PID: 1672)
      • rt3x.exe (PID: 5720)
    • There is functionality for taking screenshot (YARA)

      • fan.exe (PID: 1672)
      • Everything.exe (PID: 7280)
    • Starts CMD.EXE for commands execution

      • fan.exe (PID: 1672)
      • srtcjm.exe (PID: 4268)
    • Creates or modifies Windows services

      • srtcjm.exe (PID: 4268)
    • Creates file in the systems drive root

      • srtcjm.exe (PID: 4268)
    • Application launched itself

      • srtcjm.exe (PID: 4268)
      • DC.exe (PID: 7788)
      • DC.exe (PID: 496)
    • Reads security settings of Internet Explorer

      • fan.exe (PID: 1672)
      • ShellExperienceHost.exe (PID: 7396)
    • Executing commands from ".cmd" file

      • fan.exe (PID: 1672)
    • The executable file from the user directory is run by the CMD process

      • DC.exe (PID: 7788)
    • Uses powercfg.exe to modify the power settings

      • srtcjm.exe (PID: 4268)
    • Starts POWERSHELL.EXE for commands execution

      • srtcjm.exe (PID: 4268)
    • Executes as Windows Service

      • wbengine.exe (PID: 6240)
      • vds.exe (PID: 7448)
    • Start notepad (likely ransomware note)

      • srtcjm.exe (PID: 4268)
  • INFO

    • Checks supported languages

      • fan.exe (PID: 1672)
      • 7za.exe (PID: 7152)
      • 7za.exe (PID: 5364)
      • rt3x.exe (PID: 5720)
      • gui40.exe (PID: 2560)
      • Everything.exe (PID: 7280)
      • srtcjm.exe (PID: 4268)
      • srtcjm.exe (PID: 8128)
      • srtcjm.exe (PID: 8156)
      • DC.exe (PID: 7788)
      • srtcjm.exe (PID: 6464)
      • ShellExperienceHost.exe (PID: 7396)
      • DC.exe (PID: 496)
      • DC.exe (PID: 5820)
    • The sample compiled with english language support

      • fan.exe (PID: 1672)
      • 7za.exe (PID: 5364)
      • rt3x.exe (PID: 5720)
      • srtcjm.exe (PID: 4268)
    • Reads the computer name

      • fan.exe (PID: 1672)
      • 7za.exe (PID: 7152)
      • 7za.exe (PID: 5364)
      • rt3x.exe (PID: 5720)
      • srtcjm.exe (PID: 4268)
      • gui40.exe (PID: 2560)
      • Everything.exe (PID: 7280)
      • srtcjm.exe (PID: 8128)
      • srtcjm.exe (PID: 8156)
      • DC.exe (PID: 7788)
      • DC.exe (PID: 496)
      • srtcjm.exe (PID: 6464)
      • ShellExperienceHost.exe (PID: 7396)
      • DC.exe (PID: 5820)
    • Create files in a temporary directory

      • 7za.exe (PID: 5364)
      • fan.exe (PID: 1672)
      • DC.exe (PID: 7788)
    • Launch of the file from Registry key

      • rt3x.exe (PID: 5720)
    • Creates files or folders in the user directory

      • rt3x.exe (PID: 5720)
      • srtcjm.exe (PID: 4268)
      • gui40.exe (PID: 2560)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 6820)
    • EVERYTHING mutex has been found

      • Everything.exe (PID: 7280)
    • Reads the machine GUID from the registry

      • gui40.exe (PID: 2560)
      • rt3x.exe (PID: 5720)
    • Reads the software policy settings

      • slui.exe (PID: 5528)
      • slui.exe (PID: 5556)
    • Confuser has been detected (YARA)

      • gui40.exe (PID: 2560)
    • Checks proxy server information

      • slui.exe (PID: 5556)
    • Process checks computer location settings

      • fan.exe (PID: 1672)
    • Reads mouse settings

      • DC.exe (PID: 7788)
      • DC.exe (PID: 496)
      • DC.exe (PID: 5820)
    • SQLite executable

      • srtcjm.exe (PID: 4268)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1120)
      • powershell.exe (PID: 5364)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2332)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:51+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 101888
InitializedDataSize: 19456
UninitializedDataSize: -
EntryPoint: 0x1942f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes
230
Monitored processes
84
Malicious processes
10
Suspicious processes
1

Behavior graph

start fan.exe 7za.exe no specs conhost.exe no specs 7za.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe rt3x.exe CMSTPLUA #MIMIC srtcjm.exe gui40.exe no specs everything.exe no specs cmd.exe no specs conhost.exe no specs slui.exe cmd.exe no specs conhost.exe no specs #MIMIC srtcjm.exe no specs #MIMIC srtcjm.exe no specs #MIMIC srtcjm.exe no specs dc.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs shellexperiencehost.exe no specs systray.exe no specs dc.exe dc.exe no specs systray.exe no specs systray.exe no specs bcdedit.exe no specs bcdedit.exe no specs conhost.exe no specs conhost.exe no specs wbadmin.exe no specs wbadmin.exe no specs conhost.exe no specs conhost.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs everything.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs notepad.exe no specs xdel.exe no specs conhost.exe no specs systray.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 496
CMD: "C:\Users\admin\AppData\Local\30E75C14-766F-21EB-CDC5-C449E055904E\DC.exe" /SYS 1
Path: C:\Users\admin\AppData\Local\30E75C14-766F-21EB-CDC5-C449E055904E\DC.exe
Parent process: DC.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\30e75c14-766f-21eb-cdc5-c449e055904e\dc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 680
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powercfg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1120
CMD: powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: srtcjm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1132
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: wbadmin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1244
CMD: wbadmin.exe DELETE SYSTEMSTATEBACKUP
Path: C:\Windows\System32\wbadmin.exe
Parent process: srtcjm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® BLB Backup
Exit code:
4294967293
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1268
CMD: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
Path: C:\Windows\System32\powercfg.exe
Parent process: srtcjm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1276
CMD: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
Path: C:\Windows\System32\powercfg.exe
Parent process: srtcjm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1532
CMD: C:\WINDOWS\System32\Systray.exe "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path: C:\Windows\System32\systray.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Systray .exe stub
Exit code:
2147945463
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\systray.exe
c:\windows\system32\ntdll.dll
PID: 1672
CMD: "C:\Users\admin\AppData\Local\Temp\fan.exe"
Path: C:\Users\admin\AppData\Local\Temp\fan.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\fan.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 2124
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: wbadmin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
23 316
Read events
23 162
Write events
134
Delete events
20

Modification events

Process: (5720) rt3x.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: srtcjm
Value: "C:\Users\admin\AppData\Local\30E75C14-766F-21EB-CDC5-C449E055904E\srtcjm.exe"

Process: (6820) dllhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

Process: (4268) srtcjm.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Operation: write
Name: Debugger
Value: C:\WINDOWS\System32\Systray.exe

Process: (4268) srtcjm.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe
Operation: write
Name: Debugger
Value: C:\WINDOWS\System32\Systray.exe

Process: (4268) srtcjm.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe
Operation: write
Name: Debugger
Value: C:\WINDOWS\System32\Systray.exe

Process: (4268) srtcjm.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe
Operation: write
Name: Debugger
Value: C:\WINDOWS\System32\Systray.exe

Process: (4268) srtcjm.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation: write
Name: HidePowerOptions
Value: 1

Process: (4268) srtcjm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation: write
Name: HidePowerOptions
Value: 1

Process: (4268) srtcjm.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: shutdownwithoutlogon
Value: 0

Process: (4268) srtcjm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation: write
Name: NoClose
Value: 1
Executable files
51
Suspicious files
133
Text files
79
Unknown types
39

Dropped files

PID
Process
Filename
Type
PID: 1672
Process: fan.exe
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll
MD5:
SHA256:

PID: 1672
Process: fan.exe
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
Type: executable
MD5: B93EB0A48C91A53BDA6A1A074A4B431E
SHA256: AB15A9B27EE2D69A8BC8C8D1F5F40F28CD568F5CBB28D36ED938110203F8D142

PID: 5364
Process: 7za.exe
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini
Type: text
MD5: 51014C0C06ACDD80F9AE4469E7D30A9E
SHA256: 89AD2164717BD5F5F93FBB4CEBF0EFEB473097408FDDFC7FC7B924D790514DC5

PID: 5364
Process: 7za.exe
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\7k-3.exe
Type: executable
MD5: 1634C3868A05CA8ECA33741DAB61D640
SHA256: D3F3F6E227E0054A25CD4EFB09FAAA89EA3F889AF222879A58E785C5B1FF5EAB

PID: 5364
Process: 7za.exe
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\2puff.exe
Type: executable
MD5: 323F2F7932CAC2B1EB7E59D5D32BFB2A
SHA256: DAA1265A76C3136BAE7A6D93D08C9FC79E60D3D06E7F12AB244EDF3F9992E209

PID: 5364
Process: 7za.exe
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ENC_default_1705705867_default_1705705867_2024-01-20_00-11-55=EncryptedDATA.exe
Type: executable
MD5: BA3EB6EABBE44FBEF9AE250FA92EC3DF
SHA256: 9B3D9D00C64D1A1FC09E76604E97E55FF804F4A243CB856A45FC05BF0F3869A7

PID: 5364
Process: 7za.exe
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\7puf.exe
Type: executable
MD5: EACFE37948184653662841FA604DE301
SHA256: 19E5C9DC544086000C4A10B2C7397DE4B99D5852FE00640F0ABE78127EEAD8C2

PID: 5364
Process: 7za.exe
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\globrs2.exe
Type: executable
MD5: 1398DB7D3DB5CC8A252AED0C78312314
SHA256: A968B89D2273A71A80C4A6736100287C9BF6E915937B7E542A3092D1CB8FAD8B

PID: 5364
Process: 7za.exe
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\1407Pb.exe
Type: executable
MD5: FEECCA1BAAF75EEABB4E66F8BAE6AF86
SHA256: 939AC65F6ECF906D6EEFEAEB11FBB1BD05515D51B2DC252FA23D6D5721FA7254

PID: 1672
Process: fan.exe
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe
Type: executable
MD5: C44487CE1827CE26AC4699432D15B42A
SHA256: 4C83E46A29106AFBAF5279029D102B489D958781764289B61AB5B618A4307405
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
33
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5540
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5540
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.20.245.137:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5496
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
2340
RUXIMICS.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
7556
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
login.live.com
  • 20.190.160.22
  • 40.126.32.68
  • 20.190.160.130
  • 40.126.32.134
  • 20.190.160.131
  • 20.190.160.128
  • 40.126.32.72
  • 20.190.160.14
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info