File name:

fan.exe

Full analysis: https://app.any.run/tasks/225b9e78-6bdd-4105-aa13-d530d932f25e
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: June 02, 2025, 15:45:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
everything
tool
mimic
ransomware
confuser
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

D425A0D55F6DA520603F11CB881F1D01

SHA1:

F29B678C120F3F0CE7620BBADA2FDEC74641C90E

SHA256:

6C1438DBC31ABE78FC66969AC22774D908F49A5310075CABED819DCC593809D1

SSDEEP:

98304:ZDQPps2E6S1RNJ31LawGx8lh6fPEXPYKzUyvtHLjAJ7MY2E8Oig7wQW439xFcOaF:khunY3UsHybV5eBi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • rt3x.exe (PID: 5720)
    • Known privilege escalation attack

      • dllhost.exe (PID: 6820)
    • MIMIC has been detected (YARA)

      • srtcjm.exe (PID: 4268)
      • srtcjm.exe (PID: 6464)
      • srtcjm.exe (PID: 8156)
      • srtcjm.exe (PID: 8128)
    • MIMIC mutex has been found

      • srtcjm.exe (PID: 4268)
      • srtcjm.exe (PID: 6464)
      • srtcjm.exe (PID: 8128)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1120)
      • powershell.exe (PID: 5364)
      • powershell.exe (PID: 2332)
    • Changes image file execution options

      • srtcjm.exe (PID: 4268)
    • Changes powershell execution policy (Bypass)

      • srtcjm.exe (PID: 4268)
    • UAC/LUA settings modification

      • srtcjm.exe (PID: 4268)
    • Disables the Shutdown in the Start menu

      • srtcjm.exe (PID: 4268)
    • Disables Windows Defender

      • DC.exe (PID: 7788)
      • DC.exe (PID: 496)
      • DC.exe (PID: 5820)
    • Executing a file with an untrusted certificate

      • DC.exe (PID: 5820)
      • DC.exe (PID: 496)
      • DC.exe (PID: 7788)
    • Creates or modifies Windows services

      • DC.exe (PID: 5820)
    • RANSOMWARE has been detected

      • srtcjm.exe (PID: 4268)
    • Using BCDEDIT.EXE to modify recovery options

      • srtcjm.exe (PID: 4268)
    • Deletes shadow copies

      • srtcjm.exe (PID: 4268)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • fan.exe (PID: 1672)
      • 7za.exe (PID: 5364)
      • rt3x.exe (PID: 5720)
      • srtcjm.exe (PID: 4268)
    • Drops 7-zip archiver for unpacking

      • fan.exe (PID: 1672)
      • rt3x.exe (PID: 5720)
    • Reads security settings of Internet Explorer

      • fan.exe (PID: 1672)
      • ShellExperienceHost.exe (PID: 7396)
    • There is functionality for taking screenshot (YARA)

      • fan.exe (PID: 1672)
      • Everything.exe (PID: 7280)
    • Executing commands from ".cmd" file

      • fan.exe (PID: 1672)
    • Starts CMD.EXE for commands execution

      • fan.exe (PID: 1672)
      • srtcjm.exe (PID: 4268)
    • Creates file in the systems drive root

      • srtcjm.exe (PID: 4268)
    • Application launched itself

      • srtcjm.exe (PID: 4268)
      • DC.exe (PID: 7788)
      • DC.exe (PID: 496)
    • Creates or modifies Windows services

      • srtcjm.exe (PID: 4268)
    • The executable file from the user directory is run by the CMD process

      • DC.exe (PID: 7788)
    • Starts POWERSHELL.EXE for commands execution

      • srtcjm.exe (PID: 4268)
    • Uses powercfg.exe to modify the power settings

      • srtcjm.exe (PID: 4268)
    • Executes as Windows Service

      • vds.exe (PID: 7448)
      • wbengine.exe (PID: 6240)
    • Start notepad (likely ransomware note)

      • srtcjm.exe (PID: 4268)
  • INFO

    • The sample compiled with english language support

      • fan.exe (PID: 1672)
      • 7za.exe (PID: 5364)
      • rt3x.exe (PID: 5720)
      • srtcjm.exe (PID: 4268)
    • Checks supported languages

      • 7za.exe (PID: 7152)
      • fan.exe (PID: 1672)
      • 7za.exe (PID: 5364)
      • rt3x.exe (PID: 5720)
      • Everything.exe (PID: 7280)
      • srtcjm.exe (PID: 4268)
      • srtcjm.exe (PID: 8128)
      • srtcjm.exe (PID: 8156)
      • DC.exe (PID: 7788)
      • gui40.exe (PID: 2560)
      • srtcjm.exe (PID: 6464)
      • DC.exe (PID: 496)
      • DC.exe (PID: 5820)
      • ShellExperienceHost.exe (PID: 7396)
    • Reads the computer name

      • fan.exe (PID: 1672)
      • 7za.exe (PID: 7152)
      • 7za.exe (PID: 5364)
      • rt3x.exe (PID: 5720)
      • gui40.exe (PID: 2560)
      • Everything.exe (PID: 7280)
      • srtcjm.exe (PID: 4268)
      • srtcjm.exe (PID: 8156)
      • ShellExperienceHost.exe (PID: 7396)
      • srtcjm.exe (PID: 6464)
      • DC.exe (PID: 7788)
      • DC.exe (PID: 496)
      • DC.exe (PID: 5820)
      • srtcjm.exe (PID: 8128)
    • Create files in a temporary directory

      • 7za.exe (PID: 5364)
      • fan.exe (PID: 1672)
      • DC.exe (PID: 7788)
    • Reads the machine GUID from the registry

      • rt3x.exe (PID: 5720)
      • gui40.exe (PID: 2560)
    • Launch of the file from Registry key

      • rt3x.exe (PID: 5720)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 6820)
    • Creates files or folders in the user directory

      • srtcjm.exe (PID: 4268)
      • gui40.exe (PID: 2560)
      • rt3x.exe (PID: 5720)
    • EVERYTHING mutex has been found

      • Everything.exe (PID: 7280)
    • Process checks computer location settings

      • fan.exe (PID: 1672)
    • Confuser has been detected (YARA)

      • gui40.exe (PID: 2560)
    • Reads the software policy settings

      • slui.exe (PID: 5528)
      • slui.exe (PID: 5556)
    • Checks proxy server information

      • slui.exe (PID: 5556)
    • Reads mouse settings

      • DC.exe (PID: 7788)
      • DC.exe (PID: 496)
      • DC.exe (PID: 5820)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5364)
      • powershell.exe (PID: 1120)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2332)
    • SQLite executable

      • srtcjm.exe (PID: 4268)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:51+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 101888
InitializedDataSize: 19456
UninitializedDataSize: -
EntryPoint: 0x1942f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes
230
Monitored processes
84
Malicious processes
10
Suspicious processes
1

Behavior graph

start fan.exe 7za.exe no specs conhost.exe no specs 7za.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe rt3x.exe CMSTPLUA #MIMIC srtcjm.exe gui40.exe no specs everything.exe no specs cmd.exe no specs conhost.exe no specs slui.exe cmd.exe no specs conhost.exe no specs #MIMIC srtcjm.exe no specs #MIMIC srtcjm.exe no specs #MIMIC srtcjm.exe no specs dc.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs shellexperiencehost.exe no specs systray.exe no specs dc.exe dc.exe no specs systray.exe no specs systray.exe no specs bcdedit.exe no specs bcdedit.exe no specs conhost.exe no specs conhost.exe no specs wbadmin.exe no specs wbadmin.exe no specs conhost.exe no specs conhost.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs everything.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs notepad.exe no specs xdel.exe no specs conhost.exe no specs systray.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
496
CMD:
"C:\Users\admin\AppData\Local\30E75C14-766F-21EB-CDC5-C449E055904E\DC.exe" /SYS 1
Path:
C:\Users\admin\AppData\Local\30E75C14-766F-21EB-CDC5-C449E055904E\DC.exe
Parent process:
DC.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\30e75c14-766f-21eb-cdc5-c449e055904e\dc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID:
680
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powercfg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1120
CMD:
powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
srtcjm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1132
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
wbadmin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1244
CMD:
wbadmin.exe DELETE SYSTEMSTATEBACKUP
Path:
C:\Windows\System32\wbadmin.exe
Parent process:
srtcjm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® BLB Backup
Exit code:
4294967293
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
1268
CMD:
powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
Path:
C:\Windows\System32\powercfg.exe
Parent process:
srtcjm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID:
1276
CMD:
powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
Path:
C:\Windows\System32\powercfg.exe
Parent process:
srtcjm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID:
1532
CMD:
C:\WINDOWS\System32\Systray.exe "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path:
C:\Windows\System32\systray.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Systray .exe stub
Exit code:
2147945463
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\systray.exe
c:\windows\system32\ntdll.dll
PID:
1672
CMD:
"C:\Users\admin\AppData\Local\Temp\fan.exe"
Path:
C:\Users\admin\AppData\Local\Temp\fan.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\fan.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID:
2124
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
wbadmin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
23 316
Read events
23 162
Write events
134
Delete events
20

Modification events

(PID) Process:
(5720) rt3x.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:
write
Name:
srtcjm
Value:
"C:\Users\admin\AppData\Local\30E75C14-766F-21EB-CDC5-C449E055904E\srtcjm.exe"
(PID) Process:
(6820) dllhost.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:
write
Name:
SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:
(4268) srtcjm.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Operation:
write
Name:
Debugger
Value:
C:\WINDOWS\System32\Systray.exe
(PID) Process:
(4268) srtcjm.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe
Operation:
write
Name:
Debugger
Value:
C:\WINDOWS\System32\Systray.exe
(PID) Process:
(4268) srtcjm.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe
Operation:
write
Name:
Debugger
Value:
C:\WINDOWS\System32\Systray.exe
(PID) Process:
(4268) srtcjm.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe
Operation:
write
Name:
Debugger
Value:
C:\WINDOWS\System32\Systray.exe
(PID) Process:
(4268) srtcjm.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:
write
Name:
HidePowerOptions
Value:
1
(PID) Process:
(4268) srtcjm.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:
write
Name:
HidePowerOptions
Value:
1
(PID) Process:
(4268) srtcjm.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:
write
Name:
shutdownwithoutlogon
Value:
0
(PID) Process:
(4268) srtcjm.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:
write
Name:
NoClose
Value:
1
Executable files
51
Suspicious files
133
Text files
79
Unknown types
39

Dropped files

PID
Process
Filename
Type
PID:
1672
Process:
fan.exe
Filename:
C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll
MD5:
SHA256:
PID:
1672
Process:
fan.exe
Filename:
C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll
Type:
executable
MD5:
3B03324537327811BBBAFF4AAFA4D75B
SHA256:
8CAE8A9740D466E17F16481E68DE9CBD58265863C3924D66596048EDFD87E880
PID:
1672
Process:
fan.exe
Filename:
C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe
Type:
executable
MD5:
C44487CE1827CE26AC4699432D15B42A
SHA256:
4C83E46A29106AFBAF5279029D102B489D958781764289B61AB5B618A4307405
PID:
5364
Process:
7za.exe
Filename:
C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini
Type:
text
MD5:
742C2400F2DE964D0CCE4A8DABADD708
SHA256:
2FEFB69E4B2310BE5E09D329E8CF1BEBD1F9E18884C8C2A38AF8D7EA46BD5E01
PID:
5364
Process:
7za.exe
Filename:
C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\1407Pb.exe
Type:
executable
MD5:
FEECCA1BAAF75EEABB4E66F8BAE6AF86
SHA256:
939AC65F6ECF906D6EEFEAEB11FBB1BD05515D51B2DC252FA23D6D5721FA7254
PID:
5364
Process:
7za.exe
Filename:
C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\global_options.ini
Type:
binary
MD5:
26F59BB93F02D5A65538981BBC2DA9CC
SHA256:
14F93A82D99CD2BF3DA0ABA73B162A7BB183EDED695CFFFF47A05C1290D2A2FA
PID:
5364
Process:
7za.exe
Filename:
C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\16-01.exe
Type:
executable
MD5:
75718BA80C31861E26F9113B11E63805
SHA256:
030260D1CDE64FAD6957D2FD357014E38E01129326D23F237A4CADA7A7DFEF53
PID:
5364
Process:
7za.exe
Filename:
C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\7k-3.exe
Type:
executable
MD5:
1634C3868A05CA8ECA33741DAB61D640
SHA256:
D3F3F6E227E0054A25CD4EFB09FAAA89EA3F889AF222879A58E785C5B1FF5EAB
PID:
5364
Process:
7za.exe
Filename:
C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\gui40.exe
Type:
executable
MD5:
57850A4490A6AFD1EF682EB93EA45E65
SHA256:
31FEFF32D23728B39ED813C1E7DC5FE6A87DCD4D10AA995446A8C5EB5DA58615
PID:
5364
Process:
7za.exe
Filename:
C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\globrs2.exe
Type:
executable
MD5:
1398DB7D3DB5CC8A252AED0C78312314
SHA256:
A968B89D2273A71A80C4A6736100287C9BF6E915937B7E542A3092D1CB8FAD8B
HTTP(S) requests
5
TCP/UDP connections
33
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5540
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5540
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.20.245.137:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5496
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
2340
RUXIMICS.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
7556
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
login.live.com
  • 20.190.160.22
  • 40.126.32.68
  • 20.190.160.130
  • 40.126.32.134
  • 20.190.160.131
  • 20.190.160.128
  • 40.126.32.72
  • 20.190.160.14
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info